Alec Muffett @AlecMuffett, 27 tweets, 17 min read
THREAD: QUESTION FOR ALL SECURITY PEOPLE — in this day and age, would you buy a single-vendor IT security solution which advertised itself as "the gold standard" for data security protection?

Would you give that claim any credence whatsoever?
The infosec world has a long-established term for such glib claims: "Snake Oil" - this terminology goes back to the 1990s or earlier, for vendors who were selling sub-par cryptography as "military-grade" or other supposed but meaningless descriptions interhack.net/people/cmcurti…
Particularly telling for "Snake Oil" are the words and phrases that are used to describe the security solution, process, or tool, its development, mechanism, or vendor:

* "Trust Us, We Know What We're Doing"
* "Unbreakability"
* "Military Grade"

interhack.net/people/cmcurti…
Why is this relevant? Because this is EXACTLY what Lord Ashton of Hyde, on behalf of HM Government, has pitched to the House of Lords, as the mechanism for protection of #AgeVerification processes and (impt) metadata:
hansard.parliament.uk/Lords/2018-12-…
Let's spell this out: the UK Government, in pursuit of rapidly enabling the @BBFC to get stuck into #AgeVerification (AV), are resorting to snake-oil salesmanship in order to sidestep their egregious irresponsibility in not addressing data protection during the development of AV.
These are the notes from the Lords' discussions earlier this week; there is much to criticise (even somewhat the noble lord, Lord Paddick, who made the least-bad of the contributions) - but especially this, from Lord Ashton of Hyde:
hansard.parliament.uk/Lords/2018-12-…
What this refers to is that the #AgeVerification regulator — the British Board of Film Classification — have acknowledged that they "know porn when they see it" but also that they are entirely clueless about information security… so they've brought a consultancy in. In private.
The @OpenRightsGroup have been pursuing this matter for two years now, that the mandated deployment of #AgeVerification ("it's voluntary, but in an involuntary kind of way") will bring about @ashleymadison-type data breaches of metadata en.wikipedia.org/wiki/Ashley_Ma…
This is not a trivial matter: breaches of matters concerning the sex life or sexual orientation of ordinary people — let alone celebrities — can and have led to relationship breakup, even suicide. bbc.co.uk/news/technolog…
And how do such breaches occur? Because of simple security errors — stuff like: bad access management, bad operational security, leaks of metadata, excessive/permanent logging of metadata, not installing patches.

In short: "Good Housekeeping".

bbc.co.uk/news/technolog…
But if you read the discussion relating to "data protection" and #AgeVerification, you'll see — somewhat understandably — some misdirection. Most of the discussion of AV Data Protection is focused upon the MEANS of Age Verification. Little is about "what happens after":
Thus we see #AgeVerification vendors who pitch themselves as "secure and anonymous" because they use (e.g.) a #blockchain as part of their AV process. That sounds sexy & cool, but it does not mean that the backend database instance is not directly connected to the internet:
Aside: That MongoDB, incidentally, is run by the @BBFC and was discovered by Gareth Llewellyn at Ablative Hosting; tweet below. I wonder if its presence on the internet is in line with a "gold standard" on security? (ans: probably not)
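As an added illustration (not from the thread, and not the BBFC's actual configuration, which is unknown), here is the kind of "good housekeeping" setting that decides whether a MongoDB instance is reachable from the internet at all: the weak `mongod.conf` fragment beside the corrected one. Hostnames and certificate paths are placeholders.

```yaml
# --- WEAK: the configuration that ends up as "a MongoDB on the internet" ---
# net.bindIp of 0.0.0.0 listens on every interface, including the public one,
# and with no security.authorization block anyone who can reach the port can
# read and write every collection without credentials.
net:
  bindIp: 0.0.0.0
  port: 27017

# --- CORRECTED: listen only where the application actually connects from ---
net:
  # loopback plus the private address of the app tier; never a public interface
  bindIp: 127.0.0.1,10.0.1.5          # 10.0.1.5 is a placeholder private IP
  port: 27017
  tls:
    mode: requireTLS                  # clients must speak TLS (MongoDB 4.2+)
    certificateKeyFile: /etc/ssl/mongo/server.pem   # placeholder path
security:
  authorization: enabled              # every connection needs a user and role
```

Even with the corrected file, verify from outside the host that port 27017 is not answering, and keep the host patched; the config only covers the first two of the error classes listed above.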
So: where we are is that the @BBFC have recognised that there is a potential suicide risk over leaks of private data held by #AgeVerification providers, and have brought in private consultants to develop a "security standard" which will be "voluntary" for AV Providers to adopt.
I wrote an entire essay[1] about the risk, earlier this week, but here's the punchline:

* We need public input into the #AgeVerification Data Protection Standard

* We need it to be mandatory

[1] medium.com/@alecmuffett/h…
The Government & the @BBFC hate the idea of "mandatory" security requirements for protection of #AgeVerification data, because they cannot enforce mandatory data protection regimes cross-borders (e.g.: the USA) and see mandatory security as an impediment to the adoption of AV.
But (per above) if you accept that #AgeVerification metadata — that you repeatedly/weekly/daily age-verify to a gay-porn site, for instance — IF that is data which "concerns a person's sex life or sexual orientation"— then it is even called-out for special treatment in the DPA:
Civil Society have spent YEARS trying to get solid protection for metadata; all of the regulators (notably @ICOnews / the Information Commissioner) have made reams of regulation about it, including #GDPR
…but it seems that if you throw a blockchain or app on the front of it, and say "we're protecting children" then everyone stops caring & you can do whatever you like with zero consideration from Government… until the last minute, until organisations like @OpenRightsGroup object
And it's hard to object when you are arguing with people who genuinely are trying to do what they think is the right thing for kids … but who have no clue about how technology works, or else are being lobbied by startups who see opportunities for regulatory capture:
Because don't be fooled: on the surface this is all about protecting children, but just underneath this is all about making huge amounts of money with the whip hand of Government backing you up. It's protecting children in one sense, and it's a protection racket in another.
Aside: If you're interested in a long read on how the whole edifice of #AgeVerification can go wrong, here's an article from about 2 years ago, of which only the details of some of the actors & front-end technologies have significantly changed: medium.com/@alecmuffett/o…
Conclusion: #AgeVerification data and metadata is too valuable to be left protected by a (snake-oil) "gold standard" which is developed in-private and then thrown over the wall to industry, which then MAY adopt it on a voluntary basis.
Apart from any other reason: with #AgeVerification data breaches, the *general public* carry the burden of risk; yes the GDPR means that fines can be levied upon companies which fail to protect… but once the information leaks, it's gone ("outed"?) forever.
Again, there is precedent for the impossibility of putting sexual data back into the data protection bottle: the Mosley case; the fact that there's a Wikipedia page at all, is an exemplar:
en.wikipedia.org/wiki/Mosley_v_…
The @OpenRightsGroup has been leading this matter, raising these concerns for 2 years now. The nearest anyone has gotten to *actually* addressing the risk is the @BBFC getting some big-name consultancy in, which will not suffice as above. The people who will lose, are the public.