Wednesday, 30 December 2015

2016: Year of the Red Fire Monkey

2016 has some interesting features: a leap year, the Summer Olympics in Rio and the spacecraft Juno hopefully arriving at Jupiter.

In Chinese culture the New Year in February moves from the year of the sheep to the year of the red fire monkey. Much more exciting.

In the digital space I am going to make a few general predictions for review this time next year (hopefully broadly worded so that a degree of success can be claimed in any event).

1. Security of digital IP will move further up the agenda with large scale hacks continuing. Awareness will grow that increased resource needs to be applied to this sector and business models altered. Technology only solutions will be seen to be only one part of the puzzle.
2. The internet of things will accelerate even faster which feeds into point 1 above.
3. Automation via intelligent software will advance even more quickly, biting into certain job sectors and again feeding into point 1. Analog-only and human-heavy administrative models will be severely squeezed.
4. Governments will seek & secure much greater control over the internet via legislation and the sins of the past will weigh heavily on them in the freedom & privacy versus security debate.
5. A major consumer brand in the digital space will run out of cash due to an inability to monetize its user base.
6. The fastest revenue growth will be in automated software based models with worldwide application requiring minimal human input. Some stars will emerge in this area in 2016.
7. The digital single market will play a role in the debate over whether the UK should stay in the EU and David Cameron will secure enough concessions for the UK to vote to remain in. With France sniffing around the politics of Le Pen, Germany would be insane to let the UK leave.

To end on a high note, have a few laughs courtesy of Modern Family via YouTube...

Tuesday, 22 December 2015

Information control: individual trust in the state

2015 may be seen as the year when the state started to try to regain control over the internet.

In the UK we have the Investigatory Powers Bill, in Europe the new Data Protection Act and in the US the Cyber Security Act.

Going the other way the United Nations chipped in with a Draft Resolution supporting freedom of the internet from state control and stressing the need for freedom of expression, privacy and right to peaceful assembly.

Arguably everything was going along quite nicely with massive levels of state surveillance going on undetected until Edward Snowden decided enough was enough in what are supposed to be liberal democracies. Hero or villain he certainly made an impact.

Quite clearly the internet should not be a free for all and the state should be able to check for illegal activity in a reasonable way to protect national security and be able to stop blatantly illegal activity quickly. Incidents in Paris and elsewhere in the world make an unanswerable case.

However, at the other end of the scale, petty and vindictive activities of the type described re Constable Savage below (Happy Xmas) are facilitated by mass surveillance and should be clearly ruled out. The odd bad apple who misuses state surveillance powers for their own ends needs to be dealt with as harshly as the journalists put through hell on phone hacking charges.

The elephant in the room is a question of trust by the individual in the state and the importance therefore that the state does not abuse the surveillance powers it is granting to itself.

Friday, 18 December 2015

The Force Awakens - but not on YouTube

The much anticipated new Star Wars movie "The Force Awakens" provides an opportunity to get a snapshot of how effective the various anti-piracy initiatives of the Hollywood Studios are at this point.

The movie opened simultaneously worldwide, which removes the massive unmet demand spikes seen in delayed territories. The preview evening on Thursday night was reported to generate $50-55 million and the opening weekend looks to be on course to break the current revenue record of $208.8m held by Jurassic World.

A quick review of Google with a request for a free download of the new movie showed the following options on page one suggesting that perhaps Darth Vader / Kylo Ren is not managing the anti-piracy initiatives on the Google search platform.

Some links look to have been removed using the Google DMCA process, but this is limited at this point to 8 against the identified search terms.

YouTube by contrast seems very much under control with very little in the way of rebel activity being tolerated.

So a very brief summary would conclude that the "legitimate" platforms such as YouTube are under control, the outer reaches of the web are clearly not and the movie is likely to break all box office records.

Just for fun the best piece of Star Wars tribute video ever (IMO)

Thursday, 17 December 2015

The liability aspect of handling personal data - 4% of turnover

It seems that Europe has had enough of companies processing personal data without appropriate consideration and safeguards in place.

Earlier this week wording was agreed for new data protection legislation which is expected to come into force in 2 years.

Key wording is that personal data must be "processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".

The agreed wording identifies the types of issues that companies might consider to meet this threshold:

1. Pseudonymisation / encryption of personal data
2. Ability to ensure ongoing confidentiality, integrity, availability and resilience
3. Data restoration post breach
4. Regular testing

The bottom line is that the profitability of data processing will drop, as the costs of maintaining a secure digital environment are material and most businesses will face additional compliance costs. As a minimum, companies who process personal data will require an individual, either in house or as a contractor, who can assess digital security risks sensibly and address problems (a data protection officer).

Amusingly the governments have secured broad exceptions to these rules even though they tend to make the greatest howlers in this area - see Edward Snowden.

On that note, a clip from Catch 22...

Wednesday, 16 December 2015

EU starts to get to grips with the Digital Age - new data protection rules text agreed

Despite a lot of lobbying activity from "big data" the EU has managed to agree the text of a new data protection framework with new rules to come into force in 2018.

The previous directive was established in 1995 which is now a world away in terms of technology and data storage.

The key difference is that companies can be fined up to 4% of turnover for failing to comply and in particular for failing to keep personal data safe.

The chain of liability also extends beyond the data controller to any data processors and third parties involved. The significance of the latest hacks would be much greater and more financially punitive for those attacked and their suppliers if they had failed to adequately protect data.

Other elements are the right to be forgotten (or erasure), the need for a data protection officer, the requirement to report breaches, parental consent for 13-16 year olds to use social media, a single supervisory authority and some rights regarding portability of content.

No doubt much will be lost in translation into local legislation and if the UK votes to exit the EU this will be rather irrelevant.

However hats off to MEP Jan Philipp Albrecht for guiding this through the European Parliament. It is far from perfect but does seem a reasonable attempt to bring legislation up to date with the Digital Age and force companies who harvest our data to take reasonable steps to protect it.

Monday, 14 December 2015

Top Hack of 2015? Tesla Model S

In the past I have been referred to as a "bit of a hacker" but that was before Edward Snowden decided to be a hero / villain (delete as preferred) and change the landscape & narrative completely.

Some of the hacks of 2015 can be listed as worthy of mention - here goes - Ashley Madison, VTech, Vodafone, TalkTalk, JD Wetherspoon, Office of Personnel Management, Anthem, Premera, IRS, Slack, the FBI portal, Carphone Warehouse, Samsung and Hilton. This does not include the long running media company hacks of live feeds by sites such as CricFree.

Without a clear definition of "hack" it is very difficult to identify a winner. The OED defines hacker as below.

This leaves a lot of room for manoeuvre and does not necessarily suggest that hacking breaks the law.

With that latitude my favourite is the hack of the Tesla Model S by Marc Rogers and Kevin Mahaffey - watch the video below.

Wednesday, 9 December 2015

Spear phishing cyber attacks successful 17-35% of the time

In mythology mermaids would lure sailors onto the rocks with the beauty of their singing.

Today spear phishers target companies and individuals with custom made malware that provides full system access. This is delivered mostly via email which appears legitimate and entices the receiver to click on a link of some kind in return for information or reward.

Once clicked, systems can be completely taken over, valuable IP taken and the reputation of the company trashed.

As the attack is custom made, automated detection systems mostly miss the threat, as by definition it cannot already exist in any scanning database.

No real surprise then that, according to Arun Vishwanath, Associate Professor at the University of Buffalo, these attacks are so successful. In 2014 there were apparently 400 million cyber attacks in the USA, so the scale of this threat is huge (a favourite term of that odd man Donald Trump).

The easiest defence against spear phishing is never to open an email from someone you don't know and, most particularly, not to click on links or files within that email. It is also necessary to check exact email addresses, as spear phishers are keen on email addresses that look very similar to addresses you might know.

That coming awareness will badly damage email marketing and introduce some healthy caution into how companies and individuals manage their digital affairs. Slapping on a free anti-virus and hoping for the best will start to look negligent.
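The look-alike address check mentioned above can be automated on the receiving side. This is an added example, not code from the post: it takes the raw value of a From: header, extracts the sender's domain and compares it against a constructed list of domains you normally deal with, flagging digit-for-letter swaps, "rn" for "m" tricks, small typos and the trusted name buried inside a longer unrelated domain.

```python
import re

# Constructed trust list for this example; a real deployment would load its own.
TRUSTED_DOMAINS = {"example.com", "example.co.uk"}

# Substitutions that look alike in most fonts and are commonly used in decoy domains.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value):
    """Take 'Name <user@host>' or a bare 'user@host' and return the domain, lowercased."""
    m = re.search(r"<([^>]+)>", header_value)
    addr = (m.group(1) if m else header_value).strip().lower()
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def normalise(domain):
    """Collapse confusable characters so 'examp1e.com' and 'example.com' compare equal."""
    for bad, good in CONFUSABLES.items():
        domain = domain.replace(bad, good)
    return domain


def check_sender(header_value, trusted=TRUSTED_DOMAINS):
    """Classify a From: header as 'trusted', 'lookalike' or 'unknown'."""
    dom = sender_domain(header_value)
    if dom in trusted or any(dom.endswith("." + t) for t in trusted):
        return "trusted"  # exact match or a genuine subdomain such as mail.example.com
    for t in trusted:
        if t in dom:  # trusted name used as a prefix or label of some other domain
            return "lookalike"
        if normalise(dom) == normalise(t) or edit_distance(dom, t) <= 2:
            return "lookalike"
    return "unknown"
```

An "unknown" result is not a verdict on the mail; it just means the domain is not one you correspond with, which is exactly the case where the advice above applies.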

Tuesday, 8 December 2015

Polestar going down?

Reports in the Sunday Times over the weekend suggested that the UK's largest newspaper and magazine printer would be insolvent by Xmas. The source of the information was a leaked report provided by Deloitte. Similar businesses like DC Thomson in Dundee have experienced difficulty as everything switches to digital, so is this another classic story of creative destruction?

The main shareholder in Polestar is Florida based Sun Capital, who have about $8.9 billion of capital under management. Is it possible that there is another angle to this story and that Sun Capital have spotted that if Polestar goes down then a large number of publishers will not be able to get the paper product to the customers? This would leave them facing liability with consumers and advertisers over the vital Xmas period. Digital is of course a route to market, but the subscription rates and advertising rates are still wildly disparate between the two areas, with old school publishing commanding much higher rates.

This is an extreme negotiating tactic but may force better commercial terms for Polestar from its key customers who cannot survive without them.

Friday, 4 December 2015

Wetherspoons don't notice major hack for 6 months - proposed European legislation could mean fine of £65 million

Hot on the heels of TalkTalk and VTech being hacked, news emerges that over 650,000 Wetherspoons customers have had personal details stolen.

The hack occurred in mid June of this year with Wetherspoons apparently unaware of this until this week. Anyone using the pub wifi or registering with them has probably had details taken.

This suggests that no active monitoring of the network traffic under Wetherspoon's control was occurring, or if it was, it was ineffective or the results were kept quiet while the gaps were fixed. Time will tell if Wetherspoons have breached the Data Protection Act, as the matter has been reported to the Information Commissioner. The maximum fine is currently £500,000, but proposed European legislation would bump that up to a £65 million maximum if the hack had occurred with the legislation in place.

These hacks are popular as personal details can be sold for about £10 each via the dark web, and therefore the Wetherspoons hack is worth about £6 million to the cyber criminals.

In all probability a hacker wandered into a Wetherspoons with a fast WiFi connection, logged onto the network directly, bypassed security and downloaded the database in about 30 minutes - before he or she had finished their pint (or white wine for the lady).

Organisations handling personal data will need to take a more active approach to prevention and monitoring to avoid big fines and reputational damage.

Thursday, 3 December 2015

Proposed EU Data Protection regulations grow some serious teeth in the Digital Age

It is amazing what people will do to get noticed as this young lady in Thailand demonstrates. At the other end of the scale the smooth law makers within the EU gently slide obligations towards us almost unnoticed.

The Digital Single Market and the associated Data Protection regulations are scheduled to come into force in December 2017 and bring with them a very different regime for managing personal data. Within the UK the Data Protection Act 1998 requires six core principles to be followed. One of these principles is that personal data is kept safe and secure.

The maximum fine under the DPA is £500,000 and therefore while this is a substantial sum it is possibly less than the cost of required data security for a large organisation such as Talk Talk (just for example).

Under the proposed new regime fines can be between 2% and 5% of turnover, up to a maximum of £100 million. Using TalkTalk as an example, with a turnover of £1.8 billion the maximum theoretical liability would be £90 million. Possibly worth addressing the SQL injection issues then?

The guiding principle under the proposed new regime looks to be that companies or individuals handling personal data (which is pretty much anything) need to meet "reasonable expectations of data privacy" and liability follows if they do not.

The suggestion is made that encryption is one potential way to meet this requirement, but this is not a given. If an encryption system is found to be flawed or to have a back door, it presumably does not meet this threshold? Implementing one encryption system is tricky enough, but having to change systems in a hurry is breakdown material if the encryption is cracked.

Another aspect of the proposed legislation is the right to erasure. This immediately brings to mind the popular club music duo of Andy Bell and Vince Clarke, but this was probably not the aim of the law makers involved. The serious point is that information will need to be actively managed so it does not remain for ever, which will impose a further layer of cost.

Massive organisations such as banks, telcos and ISPs who hold personal data are looking at chunky liabilities and costs, as are the service providers who manage the data.

Within the SME community this will be even more challenging, as the IT systems and suppliers often fit into the cheap and cheerful category and don't have much resource to direct at IP and cyber protection and data management.

For about 15 years there has been a relaxed attitude to IP protection in the Digital Age, but post Snowden, Sony Pictures and TalkTalk this is drawing to a close and regulation (with cost) is on its way.