STE WILLIAMS

RIM’s backdoor sniffed by BBM-snooping Indian spooks

Research In Motion is finally set to offer the Indian authorities a permanent system for access to its consumer-focused messaging services with the installation of new Mumbai-based servers.

The Times of India was given a government briefing on the matter. It claimed that the servers have been inspected by government officials and that permission would shortly be granted by the BlackBerry maker for lawful interception of messages if the intelligence agencies there suspect terrorist or other serious illegal activity is being conducted via the platform.

The news comes a few months after a Wall Street Journal report claimed that a monitoring facility had already opened in Mumbai to deal with any requests from the authorities. The Reg is still waiting to hear back from RIM on whether the two stories are linked.

It is also believed that RIM was co-operating with the authorities before this on ad hoc requests to access any email or BBM messages sent over its consumer service.

The Indian reports also claim that the government has backed down on its demands to gain access to BlackBerry Enterprise Service (BES) messages. RIM rightly always maintained that it couldn’t provide access to content running on its corporate service because it didn’t hold the encryption keys – they reside with the sponsoring organisation or business.

Intelligence Bureau director Nehchal Sandhu admitted to the paper that such corporate communications were not of “high concern” anyway from a security standpoint.

However, RIM has reportedly reached an agreement with the government which effectively pushes responsibility for providing access to BES communications down to the service provider level.

The report said that the government would be tapping up mobile operators like Vodafone, Airtel and RCom for a list of the approximately 5,000 BES servers in the country and their locations.

However, while the deal will enable RIM to comply with local laws while washing its hands of the tricky BES problem, it remains unclear how the network operators will be any more able to provide access to BES – given that the encryption keys remain in the hands of their customers.

It’s not all about RIM, of course. The report revealed that the Nokia Push Mail service would be targeted next by the Department of Telecommunications.

Other online communications giants including Yahoo!, Google and Skype are also thought to be in dialogue with the authorities over providing more local services which can be brought under the same strict guidelines. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/21/rim_india_bbn_server/

Home Sec splits Border Agency after passport checks fiasco

Blighty’s Border Force is to be divorced from the UKBA following a series of embarrassing passport check gaffes last summer, the Home Secretary Theresa May told MPs yesterday.

“[F]rom 1 March, the UK Border Force will be split from UKBA and will become a separate operational command, with its own ethos of law enforcement, led by its own Director General, and accountable directly to ministers,” said the minister, who issued a border security statement in the Palace of Westminster on Monday afternoon.

It was revealed in November 2011 that during the busy summer months, immigration border guards had been told to ignore biometric chips on the passports of non-eurozone citizens.

Staff were also told to stop cross-checking personal information and fingerprints against a Home Office database of terror suspects and illegal immigrants.

MPs demanded answers from May in the Commons and on the home affairs select committee, and asked the Home Secretary to explain the relaxation of some border control procedures under her watch.

In the Commons yesterday, May reiterated that she hadn’t given “ministerial consent” to the UK Border Force chief, Brodie Clark, who eventually quit his job following the political fiasco.

The Cabinet minister admitted at the time that “biometric checks were abandoned on a regular basis” but claimed she had never authorised such action.

The row was ignited last autumn, after it was revealed that May had sanctioned a pilot that commenced in July last year that was intended to target what the politico described as “high-risk passengers” entering UK ports.

She insisted that Clark had overstepped the mark by further relaxing passport check controls without first consulting May.

The minister told MPs yesterday that independent chief inspector of the UKBA, John Vine, had completed his report on the passport checks cockup.

Vine found that the “Secure ID – the system for checking the fingerprints of foreign nationals who require a visa to come to Britain – was suspended on a number of occasions without ministerial approval,” May said.

The Home Secretary added:

In May 2011 – when officials asked for permission to sometimes suspend Secure ID checks – I explicitly refused. Despite that clear instruction, the Vine Report finds that Secure ID checks continued to be suspended at Heathrow.

The Report also confirms that checks on the biometric chip – which contains a second photograph and no further information – were sometimes suspended without ministerial approval.

May said that it was necessary to split the UKBA and the Border Force into two and added that just making changes at management level was not enough for an organisation blighted with problems from the moment it was founded in 2008. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/21/theresa_may_splits_up_border_agency/

Bogus Pokemon evolves into iTunes smash hit

An obviously infringing Pokemon iOS port briefly found its way to number two in the iTunes paid app chart, in the USA, despite having nothing to do with Nintendo and garnering buckets of negative reviews.

Despite the fact that the game apparently doesn’t run at all, with the vast majority of the 1,300 reviews stating just that, the Pokemon brand was enough to make thousands of iPhone users shell out a dollar a time just in case Nintendo had decided to ditch its software-to-sell-hardware strategy.

The killer application for a Nintendo DS, if one is around seven, is Pokemon, and perhaps the ageing Mario. Without those two brands, ankle biters can be bought off with a cheapo Android tablet or an iPod Touch, but neither has the magic of Ash Ketchum and his evolving pocket monster mates, not to mention Pikachu.

One can argue that Apple should have spotted that Nintendo was unlikely to have hived off development of an iOS port of its most-valuable property to one Daniel Burford, or released a game that crashes at launch for the vast majority of users – but Apple only takes responsibility when it wishes and it can’t check every IP infringement.

What’s more interesting is the complete failure of the peer-review system, on which app stores such as the Android marketplace are entirely dependent. The Pokemon Yellow game had 1,300 reviews, almost universally negative, but buyers were blinded by the Pokemon brand and the knowledge that they were only risking a dollar.

But that’s not all they were risking: once installed iOS applications have access to all sorts of data, as Path users have discovered, so next time an application like this bubbles to the top it might cost the buyers a lot more than a dollar. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/21/pokemon_apple/

Microsoft claims Google bypassed its browser privacy too

Microsoft has released data showing that Google has been bypassing the user-defined privacy settings in Internet Explorer by using incorrect P3P identification terms.

“When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too?” Dean Hachamovitch, VP of Internet Explorer wrote in a blog post. “We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies.”

Redmond had been rather pleased about the fact that it hadn’t suffered the same kind of problems as Apple against Google’s quest for information on users. But now it claims Google has got to its users, too, by circumventing protections guaranteed by the Platform for Privacy Preferences (P3P) system its browser supports.

The P3P system uses three or four character code chunks to describe the privacy policy of the requester. As an example, Hachamovitch used “TAI,” which indicates “Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization.”

However, if the code is not recognized, Internet Explorer will accept it anyway and allow the requester full access to the user for third-party cookie purposes. Google didn’t do this “in a manner consistent with the technology,” Microsoft suggests, as it used the following message:

P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

Microsoft described being able to bypass its browser’s privacy settings in this way as “a nuance in the P3P specification,” but as was pointed out by El Reg last year and in academic papers in 2010, it’s a tactic that’s been widely used to circumvent the privacy wishes of the browser user. Microsoft is one of a dwindling band of companies still using P3P, and this latest admission will increase the decay in support.
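The check below is an added example, not code from Microsoft, Google or the article: it audits a P3P header value and reports compact-policy tokens that fall outside the P3P 1.0 vocabulary, which is the condition the article says Internet Explorer accepts anyway. The function names, verdict labels and all sample headers except the one quoted above are assumptions made for illustration.

```javascript
// Added example: audit P3P response headers for compact-policy tokens that
// are not in the W3C P3P 1.0 vocabulary. Matching is case-sensitive here,
// which is a choice made for this example.

// Tokens that never take a consent suffix.
const PLAIN_TOKENS = new Set([
  "NOI", "ALL", "CAO", "IDC", "OTI", "NON",   // access
  "DSP", "COR", "MON", "LAW",                 // disputes and remedies
  "NID", "TST",                               // non-identifiable, test
  "NOR", "STP", "LEG", "BUS", "IND",          // retention
  "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
  "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC", // categories
  "CUR", "OUR",                               // purpose/recipient, no suffix
]);

// Purpose and recipient tokens that may carry a consent suffix:
// a (always), i (opt-in) or o (opt-out), for example "TAIa".
const SUFFIXABLE_TOKENS = new Set([
  "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP",
  "DEL", "SAM", "UNR", "PUB", "OTR",
]);

function isCompactPolicyToken(token) {
  if (PLAIN_TOKENS.has(token)) return true;
  const m = /^([A-Z]{3})[aio]?$/.exec(token);
  return m !== null && SUFFIXABLE_TOKENS.has(m[1]);
}

// Pull the CP="..." field out of a P3P header value; null if absent.
function extractCompactPolicy(headerValue) {
  const m = /(?:^|[\s,])CP\s*=\s*"([^"]*)"/i.exec(headerValue);
  return m ? m[1] : null;
}

// Classify one header value (the text after "P3P:").
function auditP3PHeader(headerValue) {
  const cp = extractCompactPolicy(headerValue);
  if (cp === null) {
    return { verdict: "no-compact-policy", valid: [], unknown: [] };
  }
  const tokens = cp.split(/\s+/).filter(Boolean);
  const valid = tokens.filter(isCompactPolicyToken);
  const unknown = tokens.filter((t) => !isCompactPolicyToken(t));
  let verdict;
  if (valid.length === 0) verdict = "not-a-policy";      // nothing parses
  else if (unknown.length > 0) verdict = "mixed-tokens"; // partly bogus
  else verdict = "well-formed";
  return { verdict, valid, unknown };
}

// Sample inputs. The first is the header quoted in the article; the other
// three are constructed for this example.
const SAMPLE_HEADERS = [
  'CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."',
  'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR TAIa OUR BUS STA"',
  'CP="NOI CURa FOO TAI"',
  'policyref="/w3c/p3p.xml"',
];

function auditAll(headers) {
  return headers.map((h) => ({ header: h, ...auditP3PHeader(h) }));
}

for (const r of auditAll(SAMPLE_HEADERS)) {
  console.log(`${r.verdict.padEnd(18)} unknown=[${r.unknown.join(", ")}]`);
}
```

A site operator can run the same classification over the P3P headers returned by third-party resources embedded in their pages to see which ones declare no usable policy.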

The news will also come as a fillip to last week’s bipartisan calls for investigations into how Google is bypassing privacy protections on Safari. There’s no word from Google as yet on this, but you can bet it’s not a pretty President’s Day at the Chocolate Factory. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/20/microsoft_google_p3p_flaw/

Unions: MoD ‘mad to fire staff while increasing consultant spending’

Analysis UK public-sector unions say that revelations of what the Ministry of Defence (MoD) spends on specialist consultants show that current plans to fire tens of thousands of staff will lead to increased expenditure. Could they be right?

In a word, no. The Guardian reports, in an exclusive of the sort perhaps not hard to obtain when unions see their members’ jobs threatened and those members have access to the figures in question, that internal MoD figures show annual spending on consultants – both technical experts and management types – stands at a whopping £290m. Meanwhile plans are underway to cut 60,000 in-house staff (both uniformed service personnel and civil servants) at the Ministry.

“One of the effects of these cuts is that expenditure actually increases as the MoD has to pay consultants to do the work of those leaving the department,” union man Steve Jary told the Graun.

It’s calculator time. A civil servant is paid on average £22,850 according to the unions. Average pay for the armed forces is if anything a bit lower. Both classes of employee get pensioned off, in the forces never later than age 55, often earlier: in the civil service at normal retirement age. Call it age 60 across the board. Then they will live on and draw their pensions of around £8k in today’s money until they die, maybe at age 80.

In other words a year’s work from a civil servant or serviceman costs something like £31,000 on average. Getting rid of 60,000 of them, then, should save something on the order of £1.86bn a year. Even if current spending on consultants tripled as a result, the public purse would still be approximately a billion pounds a year better off. It would need to septuple before the decision was costing money.

It’s no wonder that the MoD thinks it may be on the verge of actually balancing its books for the first time in decades, though sadly many of the savings aren’t to come from axing the many many thousands of Defence employees who do little or nothing of use. Far too many muscles and teeth – capabilities, in military speak – are being cut off along with the lard at the moment, and often they are the wrong ones to boot.

Then, it would be lovely to think that the vanishing 60,000 would include at least a few thousand surplus military officers at the senior ranks of commander/lieutenant-colonel/wing-commander and above, plus corresponding civil-service mandarins and grandees. But history doesn’t suggest any such positive outcome. Astonishingly the chair polishing, rubber-desk-johnny colonels and captains and wingcos – very few officers at these ranks work in combat units – have managed to swell their numbers by several per cent over the past decade, even as the junior officers and enlisted ranks have been decimated.

Based on the years 2000-2011 (during which 30,000 service personnel were cut but the MoD gained 270-odd posts for officers of grade OF-4 and OF-5) the disappearance of 60,000 bodies overall will probably mean that the MoD gains at least another 500 well-paid and luxuriously pensioned colonels or equivalent.

There’s a prospect which might find taxpayers and public-sector unions in agreement for once, if not for positive reasons. ®

Full disclosure: Lewis Page is just bitter. Had he stayed in the Service he would certainly have been a lieutenant-commander now by time served, quite probably a commander (not so much because he was a great naval officer, even less so because his superiors considered him one, but purely and simply because so many of his generation left in disgust and as a result – combined with the increased numbers of senior billets – almost everybody who stayed has been promoted). Instead like a fool he’s in the private sector paying for the commanders’ fat salaries, pensions, boarding school fees etc.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/20/mod_contractors_vs_staff/

Google plots Chrome web password maker

Google is developing a password-generating tool that will bolt into its Chrome browser.

The technology is designed to painlessly create hard-to-guess passwords when users sign up to websites. Whenever a site presents surfers with a field requiring a password, Chrome will display a key icon, giving users the option of allowing the browser to generate the secret for them. This password, provided a user accepts it and it meets the site’s security criteria, is reused next time the site is accessed.

Google is positioning the technology as an interim workaround for the well-known shortcomings of asking humans to come up with memorable non-trivial passwords, until more websites support OpenID, which Google views as a long-term solution to the problem.*

The ad brokering giant neatly summarises the pitfalls of password use that make its tool potentially useful:

Passwords are not a very good form of authentication. They are easy to use but they are trivial to steal, either through phishing, malware, or a malicious/incompetent site owner (Gawker, Sony, etc.) Furthermore, since people are so apt to reuse passwords losing one password leaks a substantial amount of your internet identity.

The interim solution, while easier for some than using existing browser-based tools (Password Manager and Browser Sync), is certainly not without its shortcomings, which Google is trying to resolve or minimise.

The technology works using auto-complete. So any site that omits support for auto-complete can’t be protected. “Maybe we can get users to re-authenticate to the browser before logging into such sites,” a post on Google’s Chromium developer blog suggests.

Google plans to enable users to see and perhaps export or print saved passwords from a new web service. Access to this feature is likely to be protected by insisting that users switch on two-factor authentication schemes (perhaps requiring a code from an SMS sent to a registered mobile as well as a password) before allowing access to the technology.

Using Chrome to generate passwords might make Google an attractive target if the credentials are stored in the Chocolate Factory’s cloud. Google downplays such concerns, arguing that there’s already a bullseye painted on its back.

“Google is already a high-value target so this shouldn’t change much,” it notes. “Moreover it’s easier for us to make logging into Google more secure via StrongAUTH than have every site on the internet secure itself. At some point in the future it might also be possible for us to automatically change all of a user’s passwords when we realise that their account is hijacked.”

A more detailed explanation of how the technology might work, featuring screenshots, can be found on Google’s Chromium developer blog here. ®

Bootnote

* Mozilla is promoting its own browser-based alternative to usernames and passwords for website logins. Browser ID operates in much the same way as OpenID, which is already supported by many websites such as Twitter and Facebook. Both systems support decentralised authentication, allowing users to consolidate their digital identities, therefore minimising the need to maintain scores of passwords to log into websites.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/20/google_browser_password_generation/

Security biz scoffs at Apple’s anti-Trojan Gatekeeper

Security watchers are expressing reservations about whitelisting security that Apple plans to integrate with OS X Mountain Lion this summer.

The security feature, dubbed Gatekeeper, restricts the installation of downloaded applications based on their source. Users can choose to accept apps from anywhere (as now) but by default Gatekeeper only lets users install programs downloaded from the Mac App Store or those digitally signed by a registered developer. More cautious users can decide to accept only applications downloaded from the Mac App Store.

The technology is designed to make it harder to trick Mac fans into installing Trojans. Apple is essentially acting to nip the problem of scareware scams and the like on Macs in the bud, before Apple-targeting malware gets out of control.

From a system security perspective that’s a laudable aim but there may be less palatable consequences.

The move could be a step along the road to making OS X as closed to unapproved developers as iOS.

“Gatekeeper also begins to solidify Mac’s walled garden,” Sean Sullivan, a security advisor at F-Secure notes. “In the future, when Apple decides to further close its platform, device drivers could also be required to use Apple Developer IDs. Apple is famous for its focus on user experience, and it isn’t really very difficult to imagine it revoking third-party peripheral drivers in order to ‘secure’ that experience.”

Gatekeeper is billed as offering: “More control for you” – “I keep reading it as: more control – over – you,” Sullivan observes wryly. “By 2014, I expect somebody out there will be jailbreaking their Mac…”

Aside from these political issues, other security watchers warn that Apple’s implementation of whitelisting technology may be flawed.

Chester Wisniewski of Sophos notes that the technology only looks at executable files downloaded via the internet. That means files from USB drives, CD/DVD/BR or even network shares “will all install and run without being screened”. In addition, other potentially malicious files might be missed, he says.

“Gatekeeper code signing only applies to executable files, meaning anything that is not itself a Trojan – like malicious PDFs, Flash, shell scripts and Java – will still be able to be exploited without triggering a prompt,” Wisniewski warns.

Gatekeeper is based on the same LSQuarantine technology previously used by Apple in XProtect, a basic anti-malware system built into recent releases of Mac OS X since August 2009.

Wisniewski is supportive of Apple’s objectives in developing Gatekeeper but dismissive of its initial efforts, which he categorises as a failure. “I think Apple is really on to something here if they implemented this feature in a more comprehensive manner,” Wisniewski concludes. “I give them an A for what they want to accomplish, but sadly only a D- on implementation.” ®

Bootnote

Computer security historians would be interested to note that 20 years ago there was an anti-virus program for Mac, also called Gatekeeper. The software, developed by independent programmer Chris Johnson, was shelved many years ago.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/20/apple_gatekeeper/

FTC urged to probe Google’s Safari-tracking gaffe

Google is once again under fire after a Stanford researcher discovered that the search giant and other advertising outfits have circumnavigated the privacy settings of millions of Apple Safari users.

According to the Wall Street Journal, Google, Vibrant Media Inc, WPP PLC’s Media Innovation Group LLC and Gannett Co.’s PointRoll Inc used code that “tricked” Safari into allowing users to have their online browsing habits tracked.

Apple’s browser blocks most tracking by default with exceptions for websites that, for example, require interaction from a user – such as the filling in of an online form. Google claimed in a statement that the WSJ had “mischaracterised” the code used by the ad companies.

“We used known Safari functionality to provide features that signed-in Google users had enabled,” the Chocolate Factory said. “It’s important to stress that these advertising cookies do not collect personal information.”

However, US lawmakers have once again expressed their concerns about Google’s data-handling behaviour. A letter to the Federal Trade Commission penned by three Congressmen on Friday [PDF] demanded to know what – if anything – the regulator planned to do in response to Google’s latest privacy gaffe.

Apple, meanwhile, told the WSJ that it was “working to put a stop” to the functionality that allowed Google and others to bypass the browser’s privacy settings.

Google has since disabled the code, which installed a temporary cookie on the phones or computers of Safari users; the search biz’s brainiacs had embedded code into some of its ads that fooled the Apple browser into thinking that a form was being submitted to Google.

Microsoft couldn’t resist having yet another dig at its rival. Redmond – which makes tons of cash out of advertising – said in a blog post:

If you find this type of behavior alarming and want to protect your confidential information and privacy while you’re online, there are alternatives for you.

Windows Internet Explorer is the browser that respects your privacy. Through unique built in features like Tracking Protection and other privacy features in IE9, you are in control of who is tracking your actions online. Not Google. Not advertisers. Just you.

On 1 March, Google will be cutting and shutting most of its privacy policies into one terms-of-service document, in part to help the company cross-pollinate its ads on products such as YouTube. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/20/google_bypasses_apple_safari_privacy/

Brit student locked up for Facebook source code hack

A British computer science student was jailed for eight months on Friday for hacking into the internal network at Facebook.

Glenn Mangham, 26, previously pleaded guilty to hacking into the social networking site between April and May last year. The incident created a flap at Facebook amid fears that hackers were attempting to extract the software blueprints of the website.

Mangham slurped Facebook’s source code, hoping to work on it at some later date for the web behemoth. The prosecution accepted that Mangham’s actions were not maliciously intended but said they were unauthorised. The student attempted to hide his tracks, a factor that was taken by the court as evidence that he knew what he was doing was wrong.

The intrusion was detected by Facebook and reported to the FBI, which passed the case over to the British police. They traced the hack back to Mangham’s parents’ house in York, leading to a raid last June and the subsequent prosecution of the undergraduate geek. Mangham claimed he had been motivated by a desire to help Facebook improve its security, something he had previously done with Yahoo!

The prosecution disputed this interpretation of events, arguing Mangham’s actions were clearly malign. “He acted with determination and undoubted ingenuity and it was sophisticated, it was calculating,” prosecuting counsel Sandip Patel told London’s Southwark Crown Court. “This represents the most extensive and grave incident of social media hacking to be brought before the British courts.”

In sentencing, Judge Alistair McCreath told Mangham his actions were far from harmless and had “real consequences and very serious potential consequences” for Facebook, the BBC reports.

“You and others who are tempted to act as you did really must understand how serious this is,” the judge said. “The creation of that risk, the extent of that risk and the cost of putting it right mean at the end of it all I’m afraid a prison sentence is inevitable.”

Facebook stressed that no user data was involved in the breach, which cost the social network an estimated $200,000 in investigation costs and other expenses.

“We applaud the efforts of the Metropolitan Police and the Crown Prosecution Service in this case, which did not involve any compromise of personal user data,” the social network said in a statement. “We take any attempt to gain unauthorised access to our network very seriously, and we work closely with law enforcement authorities to ensure that offenders are brought to justice.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/20/facebook_hacker_jailed/
