security

On June 1st 2012 the Dutch government's Parliamentary working group on government IT-projects held a hearing of experts. My written contribution below. Capture of videostream... (in Dutch). Dutch journalist Brenno de Winter published his thoughts here.

Introduction - IT and the Dutch national government
Universality is an assumption of astrophysics that states that all phenomena, everywhere, behave as we observe them from Earth. I'm assuming that phenomena I have observed in specific government IT projects also occur in government IT projects that I have less infromation about (this is usually caused by the poor implementation of Freedom Of Information Acts, see the notes of Mr de Winter).

IT project management is currently based on a rather naive model of reality - "smart entrepreneurs compete on a level playing field for the favours of the government, which then procures with insight and vision." However, this model does not adequately predict the observed outcome of the projects. Whence this group.

Another model would be "a corrupt swamp with the wrong incentives, populated by sharks and incompetent clowns". This model has the advantage of perfectly predicting the observed outcomes.

<originally a webwereld column in Dutch>

Over nine years ago, I was talking to Kees Vendrik <Dutch MP) about the broken Dutch software market. Not only was it impossible to buy a top brand laptop without buying a Microsoft Windows licence, it was also impossible to visit many websites (municipalities, Dutch railways and many others) without using Internet Explorer. The latter area has greatly improved and I can lead my life using my OS and browser of choice. Only occasionally do I have to just swallow a Windows licence when buying a new laptop. Not much has improved in that area. Our national dependence on products such as MS Office has not really diminished either, despite all the wishes of our Parliament and its related governments policies.

Meanwhile, the technological seismic shift that frightened Bill Gates so much back in '95 (the web makes the operating system irrelevant) is fast becoming reality. Almost all new developments discussed by IT power players and specialists are web-based or based on open specifications and the most commonly used applications are running quite well as service in a browser.

My grandmother was born in 1920 and left school at the age of 12 to work in her father's shop.  She has never used a computer (but has tried an iPod for audio books). She is now 90 and is still interested in what I do.

Usually I just quickly skip over the technical aspects, because it's difficult for her to understand. The “why” is much more relevant. Privacy, civil rights and the control of your own details/information. She understands this easily, without having to follow all the technical details of open source codes and cryptography.

Last Sunday, Bits of Freedom in Amsterdam  organized a lecture and discussion with Prof. Eben Moglen, a former programmer who is now a law professor and advocate for the use of free software. Part of his lecture was about the risks of cloud computing (see a previous lecture in New York on the same theme).

On October 14th The Club of Amsterdam is meeting to discuss 'the future of hacking'.

The term hacking (and hacker) means very different things to different people. Most will associate the term with computer-enabled crime; from Russian mobsters stealing western credit cards to spammers sending billions of unwanted email advertisements for Viagra to Chinese intelligence employees attempting to break into NATO computers. For those calling themselves hacker (or being called hackers by their peers) hacking just refers to the creative use of technology, any technology, to do new and unexpected things.

The Dutch Journal for Surgeons, publishes an article written by my collegue Younass and myself. We wrote this article to further explain some of the points we made during our  keynote at the natinal Convention of Surgeons last month. The entire article here in English and Dutch, the PDF of the journal here. Background links and articles here (mostly Dutch).

Younass Aboulghit and Arjen Kamphuis

We live at a time when information technology is drastically changing our lives. We can see the digital process all around us in information systems and the change in our working procedures. People always expect to be able to get information quickly and share it with each other if it's important. In healthcare there are opportunities and a new generation of patients has high expectations. The question is: how do we embrace the potential of information technology while maintaining quality and professionalism? How do we prevent the indiscriminate use of IT making the work of the specialist more difficult, rather than easier? That things can go badly wrong with healthcare projects has been demonstrated with the case of the Electronic Health Records (EHR).

<webwereld column - in Dutch>

Computer viruses and palliatives against them are a growing threat to high-tech care. There is a classic solution for the old problem of a vulnerable mono-culture: diversity.

Last Monday alarm bells went off in many IT departments. A viral infection on Windows XP computers was initially caused by an anti-virus update from McAfee. The update made part of the system appear to be a threat and system file protection software made the system unusable, a type of auto-immune disease.

On 17th September Gendo held a workshop for the Cascadis Webmasterclass meeting. Arjen Kamphuis and Menso Heus gave attendees a broad overview of what the security landscape is like, what are the common threats and what participants could do about it.

The German Chaos Computer Club, the oldest and largest hacker group of Europe, made available to the public the fingerprint of the German Minister Schäuble for the Interior. They wanted to show how easy it is to obtain someone's identity when identity is based on fingerprints.

The German government is preparing to build a national database containing the fingerprints of all its citizens for the purposes of fraud-prevention and national security. Minister Schäuble is very angry about the release of his fingerprints and has stated he will take legal measures against the CCC. Dutch hacker Rop Gongrijp pointed out that the Minister's anger was curious since it was the minister after all who wanted to collect the fingerprints of over 82 million Germans and the CCC only collected one.

The German Chaos Computer Club, the oldest and largest hacker group of Europe, made available to the public the fingerprint of the German Minister Schäuble for the Interior. They wanted to show how easy it is to obtain someone's identity when identity is based on fingerprints.

The German government is preparing to build a national database containing the fingerprints of all its citizens for the purposes of fraud-prevention and national security. Minister Schäuble is very angry about the release of his fingerprints and has stated he will take legal measures against the CCC. Dutch hacker Rop Gongrijp pointed out that the Minister's anger was curious since it was the minister after all who wanted to collect the fingerprints of over 82 million Germans and the CCC only collected one.

What experts foresaw last December and the Dutch research institute TNO denies was possible in their recent report has been done. The deepest level of data-encryption on the NXP Mifare RFID chip has been hacked. Cash from cards can now be copied to other cards through cloning and that makes this system utterly unsuitable for serious applications involving real people and real money.

What experts foresaw last December and the Dutch research institute TNO denies was possible in their recent report has been done. The deepest level of data-encryption on the NXP Mifare RFID chip has been hacked. Cash from cards can now be copied to other cards through cloning and that makes this system utterly unsuitable for serious applications involving real people and real money.

Bruce Schneier just posted a really good explanation about "the difference between feeling and reality in security". It is one of those articles I wish I'd written. Not because there is a great new nugget of insight in it but because it explains some very basic problems in thinking about security so very well.

The gist of the article is that as people living in modern environments we can have a hard time accurately estimating realistic trade offs between risks and reward. When the world was closely resembling the world we had developed in as a species we were better at it. Our brains were supported by millions of years of evolution in correctly estimating the risk versus rewards of certain actions. There's food here and a lion, should I stay or run? The specimens who made bad trade-off calls died of hunger or lions. The ones making good calls had many babies.

Bruce Schneier just posted a really good explanation about "the difference between feeling and reality in security". It is one of those articles I wish I'd written. Not because there is a great new nugget of insight in it but because it explains some very basic problems in thinking about security so very well.

The gist of the article is that as people living in modern environments we can have a hard time accurately estimating realistic trade offs between risks and reward. When the world was closely resembling the world we had developed in as a species we were better at it. Our brains were supported by millions of years of evolution in correctly estimating the risk versus rewards of certain actions. There's food here and a lion, should I stay or run? The specimens who made bad trade-off calls died of hunger or lions. The ones making good calls had many babies.

Diebold votingcomputers leak critical info, messing up the whole charade around the 2008 US Presidential election. What is the world coming to if one cannot trust the Overlords to keep a simple secret?