07 August, 2013

If Nats can't pick some one to keep party web sites secure how can we trust their decision for all Govt security?

The National party has decided to let the GCSB do all of Government security. The worry here is that the National Party can't even pick people who can keep their own sites secure from a bunch of script kiddies. Web site security on the whole is far smaller problem than all of Government security, so if they can't pick someone do that how can we have any confidence in their picking of GCSB? Also script kiddies are far easier to defend against than committed Nation State backed adversaries. Their evaluation process for selecting a provider for their Party web sites was obviously flawed and giving the rushed nature of the GCSB bill I can only assume that their evaluation process this time isn't any better.

Surely the best option would be set up the CERT model. CERTs are independent civilian organisations that worry just about computer security and are working well in most other countries other than NZ. CERTs have a sole focus of Computer Security and don't have the distractions of Spying. CERTs also build strong links with government and the private sector which the GCSB isn't currently doing.

07 May, 2013

Open Letter to John Key re Security Bills


With the changes to the GCSB Act and the Wiretapping you are missing the boat. Firstly these are not urgent matters and should go through the democratic process and along for public submissions at the Select Committee stage.

You are also you mixing up spying on NZers and their privacy and cyber security. Opinion in the NZ IT Security community is that the NCSC isn't working and that we need a CERT like every over country. in2security have made this point in Initiative 9 p51 of their "New Zealand Information Security Workforce Development Strategy". If you, as head of NZ security, had engaged at NZ's preeminent security conference Kiwicon or one of the monthly Info Sec Interest Group meetings you would know that community doesn't feel the NCSC isn't working. A CERT is a trusted independent civil organisation model/framework that is working well else where in the world and would be a good base to work from. A proper CERT is what is wanted by the community.

Maybe you would get more help form the Security Community if your Justice Minister didn't say "The ministry and I do not deal with hackers and we do not deal with burglars.". If you want to engage with security researchers you need to talk to them and not flat out say that you won't talk to them.

With the wire tapping can you explain how it is going to work? These days things like HTTPS means that the communication is heavily encrypted between the client and its destination and can not be intercepted along the way and HTTPS has ways of informing the user is a Man in the Middle is taking place. Most servers will belong to overseas organisations and not reside in a NZ thus you don't have jurisdiction to compel the company to decrypt the information for you. So I fail to see what this will gain and what benefit it will give you. Also more and more calls are using VoIP services like Skype and others which are encrypted user to user and even Skype can't decrypt a conversation for you, so again in this day and age what is this wiretapping actually going to do other than make it easy to get the low hanging fruit who already slip up in many others ways?

These changes are large and under urgency I don't feel they will get the scrutiny that they need without public submissions to the select committee and oversight from the privacy commissioner. It will also give you time to start a meaningful dialogue with the NZ IT Security community and help give us the tools that we need to do our job rather than wasting money on things like the NCSC which don't meant our needs.