Wednesday, March 31, 2010

Inside GCHQ

Fascinating BBC report on GCHQ, the UK Government Communications HQ - "GCHQ: Cracking the Code".

There's a nod to Bletchley Park's work cracking Enigma in WWII.

Clifford Cocks talks about inventing PKI "overnight".

GCHQ employees talk enthusiastically about the buzz their work gives them and the 'culture of security' which extends to home life, avoiding any specifics of course.

The reporter and guides describe the 10,000 square metres of computer halls in the centre of the donut, and their dependence on cooling water ...

They mention monitoring Web 2.0, VOIP and other Internet comms globally, and the need to adapt quickly to agile targets exploiting new security technologies and constantly watching for new exploits.

The ethics of snooping/spying and the inevitable privacy compromises that entails get a good mention: the very fact that the program was produced at all is surely a positive sign of GCHQ management's and indeed the British government's intent to be more open.

GCHQ people are now 'embedded' with military units deployed around the world, sharing intelligence (no doubt in both directions).

Bonus marks for picking out all the other physical security controls mentioned throughout the programme, and the social engineering potential of a program like this, no matter how carefully produced and edited.

Sunday, January 31, 2010

Cracking encrypted VOIP?

Taken at face value, a claim to have cracked voice encryption programs in minutes sounds pretty melodramatic, when in fact it appears the hacker has merely intercepted the 'plaintext' (plainvoice? Plainaudio? Plaingab?) en route to/from the encryption software at the client end, using a Trojan. The same kind of trick would probably work against most encryption systems unless they physically and logically secure the plaintext streams.

Cryptography in the dock

As if to mark the release of our latest security awareness module on cryptography*, Stephen Murdoch and Ross Anderson of Cambridge University have released a highly critical report into the security of the Verified by Visa and MasterCard SecureCode authentication systems. True to one of the central messages in the awareness materials, their main complaints revolve not around the cryptography, per se, but rather the implementation. It seems the banks, credit card companies, merchants and service providers have failed to pay sufficient attention to the poor human beings who use the system. Human factors significantly weaken a design that probably looks great on paper.

* Not so, of course, it was purely a coincidence.
