GCHQ cyber-chief slams security outfits peddling 'medieval witchcraft'

The chief technical director of GCHQ's National Cyber Security Centre has rebuked infosec companies for spreading fear, uncertainty and doubt about hackers to sell products. At the Enigma 2017 conference this week, Dr Ian Levy said world-plus-dog were trying to flog security defenses to tackle "advanced persistent threats," …

  1. amanfromMars 1 Silver badge

    Do they lead where angels fear to tread or just follow crazy orders ......??

    GCHQ ..... Defending the Indefensible and Inequitable, and let us suggest that be akin to a perverse fiat capitalist money system and corrupt political incorrect and inept establishment model, is the Abiding Pervasive Treat which just keeps on giving the reasons for active dissent and quiet deep revolution, intelligent madness and idealistic mayhem ?

    Now, if that be true, or even should it contain any grains of truth, is an enemy identified at the top in the rank and file for vanquishing? To ignore the weakness is a stupid madness confirmed and highlighted as being systemic in established models, and that is stupendously massive vulnerability for exploitation open to all manner of interested and interesting state and non-state actor type entities.

    1. tr1ck5t3r
      Trollface

      Re: Do they lead where angels fear to tread or just follow crazy orders ......??

      The fact that they are accusing security outfits of peddling nonsense is a GCHQ chief in denial. No, he (Robert Hannigan) stepped down suddenly due to family reasons.

      Did Russia hack and rewrite his speech notes before he put himself on the parapet?

      Have the media been reporting fake news about Russia hacking, and if so who is driving this Russian Hacking meme, someone called Andrew Parker MI5 perhaps?

      Or maybe the truth is these spooks never had the best people as the brightest all sought positions with tech firms in an earthquake zone chasing money, meaning Govt can only get convicted criminals with IT experience to work for the "Ministry of Justice" at best.

      What does that say about the current state of affairs?

      Even the hackers working for media outfits are earning better money than GCHQ employees, but then what can you expect when the Royal Marines cannot even keep track of weapons & ammunition stolen from right under their noses.

      Looks like a Grunt exposed the slap dash methods of the MOD Top Brass!

      1. amanfromMars 1 Silver badge

        Re: Do they lead where angels fear to tread or just follow crazy orders ......??

        Kettle Black Pot all spring to mind, Dr Levy, regarding that “medieval witchcraft” being peddled by others.

        With all the GCHQ is supposed to be able to do, virtually unknown and practically undetectable by others, and let us assume that it is everything that would be needed to be done to deliver an omnipotent omniscience anywhere and everywhere, then it does reveal a distinct lack of intelligence in future application of programs with intelligence for leaderships gifted with secret intelligence services and compendia of hearts and minds operations for launching with media manipulated puppets.

        And such, as long as it remains so obvious a deficit and disability in the field, will be always a subject and object to be attacked and tested by systems into such projects which be more advanced and enlightened.

        If you ain't leading where all can follow, are you bound to be rendered ineffective and considered compromised and pwnd by agents with hidden failing agendas? And that is the black pot which GCHQ is kettled in.

        And that is a result and problem which is entirely due to a lack of leadership right at the top of such services and of everything everywhere using and affected by its services.

        J'accuse. The evidence as presented by everyday chaotic news is overwhelming.

  2. taxman

    Bad news

    Inland Revenue service? That hasn't existed for over 10 years.

    If it refers to HMRC then they "got off their arse" and implemented DMARC and SPF back in 2013 and have been trying to get others to follow suit. Looks like their actions have been noticed and now NCSC have taken up the baton.

  3. Anonymous Coward
    Anonymous Coward

    "Levy’s talk was interrupted by a rather irate conference attendee who accused the agency of setting up a system that could possibly be used for censorship, similar to the UK’s infamous anti-porn firewall."

    Therein lies the rub - there almost certainly would be pressure for it to be compromised for such a purpose.

    Theresa May is the latest of many in successive governments who appear to regard access to information to be their prerogative and not for lesser mortals.

    With religious and nationalistic beliefs once again threatening to be the driving force in politics then it is a case of trading liberty for the poisoned apple promise of security.

    1. Peter 26

      This needs to be run by the private sector, not GCHQ. Why has this not happened? Why have they had to implement their own systems?

      1. Anonymous Coward
        Anonymous Coward

        You'd have to explain why you think that, for anybody to get anything from your comment.

      2. tr1ck5t3r

        If you build your own OS & Network, then how can hackers use the usual tricks that work for Windows, Linux, Apple, Android and so on?

        Let's face it, the BT network is and was largely unique until Bell Labs/AT&T started interfering with the UK telecoms infrastructure under the pretence of global standards. Then the Israelis started supplying cards for the telephone exchanges which were prone to failing at the first lightning strike, but these cards also always had to go back to Israel to be fixed.... data harvesting perhaps using common natural phenomena to create the high failure rate? Snowden showed some things haven't changed with regard to intelligence sharing but some cultures are more secretive and paranoid than others for historical reasons.

        If you want an insight into their activities look here at their recruitment pages.

        https://www.gchq-careers.co.uk/departments/applied-research.html

        Typical technologies include OS/Kernel; FPGA; GPU; Bespoke Processors; C/C++; Networking

        Research includes Firmware design; systems architecture.

        So you know when you hear about a new bug affecting an OS or some hardware like this one.

        https://en.wikipedia.org/wiki/Pentium_F00F_bug

        Pay attention to what's not said instead of what is said.

        http://www.drdobbs.com/embedded-systems/the-pentium-f00f-bug/184410555

        They have the resources thanks to the taxpayers to sit there and hack your systems.

        Just why do you pay them money to hack your systems? Are you stupid?

      3. Bluenose

        Why the private sector?

        Are you suggesting we give it to the private sector so they can offshore it somewhere safe like Romania or Bulgaria? And of course the private sector would never do anything wrong like misuse the information that they can collect, or rip off customers for the service they provide and then reduce the effectiveness of that service.

        Public sector is not always bad and private sector is not always good. What needs to be established is what works best for all and not the minority, whether they be right wing MPs who want to spy on everyone or money focussed private sector companies who simply want to pay more money to their board members.

      4. Primus Secundus Tertius

        @Peter 26

        "Why ..." may be a rhetorical question, but here is my suggested answer.

        By and large, the private sector does not do deep, fundamental innovation. Minor incremental updates, yes, but real new thinking is rare. They employ doers and sellers, not thinkers.

        So these things need to be hatched in the universities or other research establishments.

    2. netminder

      Sadly, given the actions of State actors like Putin we will soon have neither anyway.

    3. Primus Secundus Tertius

      @AC (1st)

      Outside the technical readership of El Reg there are many people who say internet porn is wrong, it should be stopped, and the techies should stop whingeing and just stop the porn.

      I once read that automatic telephone exchanges were invented by somebody annoyed beyond endurance after his calls to company A were connected to company B because B had bribed the operators. The telephone industry has matured, and the computer industry will have to do the same.

      1. Mage Silver badge
        Headmaster

        Losing Customers: cf fake Domain parking and evil DNS

        Convinced that it should be subscribers, rather than the operator, who chose who was called—anecdotally, Strowger's undertaking business was losing clients to a competitor whose telephone-operator wife was intercepting and redirecting everyone who called Strowger—he first conceived his invention in 1888, and patented the automatic telephone exchange in 1891. It is reported that he initially constructed a model of his invention from a round collar box and some straight pins.

        See Wiki on Almon Strowger

        Certainly that's what I was told in the 1970s.

  4. Anonymous Coward
    Anonymous Coward

    Hackers are not the only threat.

    The secondary reason for any security is now, in my opinion, the defense from our own government, with the snoopers' charter, GCHQ infiltrating internet backbones, and the mission creep of internet censorship. Any statements that come from GCHQ should be viewed with extreme skepticism.

    1. tr1ck5t3r

      Re: Hackers are not the only threat.

      Misdirection is a valid technique in the dark arts of spying.

      You feel more relaxed and let down your guard if you think they are only hacking network backbones.

      Perhaps consider the fact the US Tech sector is just a PR-friendly part of the US Military with spooks from other countries more interested in what's going on in your home than anything else. Do you really think Bill Gates got that knighthood just for MS Windows' service to business, or perhaps it's really a window into your life?

      Whilst you might sense someone staring at you when out & about or from across the office, you sense nothing when that cold dark abyss of the camera in your smart phone is secretly watching your every move, whilst that microphone is recording everything you emit from your orifices.

      Listening in to people when they are asleep is the best because so many people sleep talk when they dream, so you can find out what's on someone's mind, which is why the smartphone is used as an alarm clock more than any other application. Perhaps you have a secret perversion, like sticking things up your bottom? It's all recorded for future posterity.

      I trust you have seen the news? https://www.theregister.co.uk/2017/01/12/never_mind_your_the_devlelopers_maps_and_alarm_clocks_are_the_best_thing_about_mobes/

      Spooks including MI5 & MI6 will play your behaviours more than you think. Why do you think they have a close working relationship with escort agencies? Sex and blackmail are the two oldest tricks in the book. Something journos know only too well, but sometimes they have to resort to drugging their targets in a bid to get them into a compromising situation which might be the "banker" that comes in handy later on in life, and with the best pharmacy in the world of legal and illegal drugs at their disposal, they can do anything they like. After all, they make the rules and it's all done in secret until the journos get given a tip off, so often seen with public figures including celebs & politicians stepping out of line.

      Maybe you will think twice next time you read the Daily Mail about some juicy gossip, just what is the real agenda behind the scenes?

      1. Jamie Jones Silver badge
        Unhappy

        Re: Hackers are not the only threat.

        Awwww Mike, still not cured after all these years?

      2. Primus Secundus Tertius

        Re: Hackers are not the only threat.

        @trickster

        Sir or Madam,

        You vastly overestimate the extent to which They are interested in Us. Believe me, I went to a privileged university with some of Them.

        We/Us are merely statistics, 60 million of Us in the UK. Cheap computer hardware is not here to benefit Us but to benefit the Googleocracy that collects statistics about us on a huge scale.

    2. Oh Homer
      Facepalm

      No "advanced persistent threats" here. Honest!

      Says GCHQ, the organisation that probably poses the greatest advanced persistent threat to UK citizens' cybersecurity.

  5. Smooth Newt
    Go

    Diversion ahead

    "Advanced persistent threats" is a term which covers sophisticated state sponsored hacking and pervasive technical surveillance. Misdirection is a form of deception in which the audience's attention is focused on one thing to distract its attention from another. Should I be surprised that an employee of GCHQ wants to downplay GCHQ's core business and divert attention elsewhere?

    1. Paul Crawford Silver badge

      Re: Diversion ahead

      That is indeed possible.

      However, looking at the numerous "advertorial" reports of APT and other malware, often with no real information about the infection vectors, etc, that we see from companies selling AV carp, he does have a point that many reported "APT" come down to simple incompetence and a lack of top-level action to deal with it (you know, like budgeting for security and backing up the CSO's policies at a board level to have them implemented and tested).

    2. John Smith 19 Gold badge
      Unhappy

      "sophisticated state sponsored hacking and pervasive technical surveillance. "

      Now those are what I'd call Advanced, Persistent Threats.

      Neither look like going away and both attack privacy and anonymity, both of which are essential to allow the democratic process to operate effectively.

    3. Version 1.0 Silver badge

      Re: Diversion ahead

      It's 2017 and this is News?

  6. Destroy All Monsters Silver badge

    Hyping APT

    Churnalists "taking up the flame" of this and that political candidate or getting instrumented as mouthpieces of political propaganda are as guilty as any of the hoodie hype.

    But in the end, it's all about not getting looted. And this comes down to proper information security governance. Which we ain't gonna get.

  7. Anonymous Coward
    Anonymous Coward

    He needs to start at home

    https://www.ncsc.gov.uk/articles/who-might-be-attacking-you

    1. Doctor Syntax Silver badge

      https://www.ncsc.gov.uk/articles/who-might-be-attacking-you

      What's odd about that? It just has a picture of its author at the top.

    2. Doctor Syntax Silver badge

      Re: Hyping APT

      "And this comes down to proper information security governance. Which we ain't gonna get."

      Until after the event.

      1. John Smith 19 Gold badge
        Unhappy

        "proper information security governance. Which we ain't gonna get." Until after the event.

        Sadly not necessarily even then.

  8. Stuart 22

    Stupid Telco

    "He pointed out that a UK telco had recently been taken offline using a SQL injection flaw that was older than the hacker alleged to have used it."

    Not the one who lost their CEO this week?

    1. Anonymous Coward
      Anonymous Coward

      Re: Stupid Telco

      They told him it was doubly best not to Talk about it.

  9. Roj Blake Silver badge

    Medieval Witchcraft?

    What's medieval witchcraft is the claim that encryption with backdoors is still secure.

    1. Anonymous Coward
      Anonymous Coward

      Re: Medieval Witchcraft?

      > What's medieval witchcraft is the claim that encryption with backdoors is still secure.

      That's not witchcraft, that's Intelligent Design! (After all there is some truth in herbal remedies)

    2. allthecoolshortnamesweretaken

      Re: Medieval Witchcraft?

      Well, what about contemporary witchcraft then?

  10. junglesnot

    I think I might be developing dyslexia: every time I see the word "Usenix", I read it as "Unisex".

    1. Rich 11 Silver badge

      What's unisex? Sex on a unicycle? Two institutions of higher education spawning a business venture? Something involving ponies with the horn?

    2. Anonymous Coward
      Anonymous Coward

      "every time I see the word "Usenix", I read it as "Unisex"."

      That's okay. Every time I see the word Windows I think; let's bust through them and get to the outside! And don't get me started on raspberry pies...

    3. allthecoolshortnamesweretaken

      Oh, I'm so glad it's not just me!

      Every time I see 'usenix enigma' my brain will convert it into 'unisex enema'.

  11. Anonymous Coward
    Anonymous Coward

    He doesn't seem to know what the words "medieval" or "witchcraft" actually mean.

    1. Rich 11 Silver badge

      False advertising.

    2. Doctor Syntax Silver badge

      "He doesn't seem to know what the words "medieval" or "witchcraft" actually mean."

      Medieval witchcraft is probably the code name for one of GCHQ's operations.

      1. allthecoolshortnamesweretaken

        In "Tinker Tailor Soldier Spy", "witchcraft" was the material gained from source "Merlin". Which turned out to be an operation to undermine the service and to protect a mole inside it.

  12. Anonymous Coward
    Anonymous Coward

    It's more like snake oil than witchcraft

    I get the point, but using religious hate-speech weakens it somewhat.

  13. This post has been deleted by its author

  14. x 7

    what UK porn firewall?

    My porn downloads quite nicely thank you

    1. Anonymous Coward
      Anonymous Coward

      Your porn may download ok. My isp is blocking it. Every time I try to download porn on my connection I have trouble with it staying up.

      1. Korev Silver badge
        Coat

        Oh come on, it's not that hard...

      2. d3vy Silver badge

        Maybe your pipe's not fat enough?

  15. Black Rat

    adequate pernicious toe-rags

    Seriously with comments like that and they wonder why they cannot attract new talent. Then again maybe it's a recruitment test, a challenge for those with the stones to go after the GCHQ firewall.

  16. Camilla Smythe

    Hello. Pleased to be telling you...

    My name is Ian from Microsoft GCHQ and your computer is reporting back to us it is having problems so I am here to fix it for you. Please to be pressing the Windows Key and R.

  17. james 68

    Whatever it takes to make a sale

    Only tangentially related:

    When working in an all-girls secondary school in Belfast I got a call from the headmistress to attend a meeting because she couldn't understand the reams of buzzwords the contractor was spouting. As it turns out the meeting was for migrating to a hosted cloud system. As the head technician I should have been there in the first place but the headmistress "hadn't wanted to bother me", which was foolish.

    I listened to the guy's bullshit for maybe half an hour and it was painfully clear that he had no idea what he was talking about. I then asked him if the school would be connected by a secure VPN; he didn't know. I asked what kind and strength of encryption was used both on the connection and stored data; again no clue. Annoyed by this point I pressed him on how exactly his company guaranteed the data concerning 400+ young girls would be secure, considering that if it went into the wild the school would be the one held legally responsible. It was at this point that he started waffling about "security through obscurity" and I got up and walked out, taking the headmistress with me.

    This cloud company btw came supposedly vetted and rated for security by the NI education authority.

    From what I heard at that meeting, waving chicken bones while humming kumbaya would have been more effective.

    The overall view of many companies concerning security, when they really should know better, is woeful.

    1. Mage Silver badge

      Re: Whatever it takes to make a sale

      I gave a presentation once.

      The chairman of the board complained that it was over the top security and lock down. He said most students wouldn't have a clue how to hack stuff.

      I pointed out:

      a) They could look it up on the internet.

      b) What about the other expert students? Were they trustworthy? It only needed one expert bad egg, and he might even explain it to the others.

      Despite being the most expensive, we got the contract.

      1. Alan Brown Silver badge

        Re: Whatever it takes to make a sale

        There's the other side to this too:

        mid 1990s:

        A school I was providing connectivity and doing consult work for (mostly for free) switched to another ISP without telling me. First I knew of problems was when I discovered the admin and student networks had been physically connected together (no vlans) and something on the LAN was RIPing itself as a default router. Digging into the issue showed that a fly-by-night outfit had shown up during summer break when only the core admin staff were around and offered a "fantastic deal" on wiring up the classrooms plus connecting them to an ISP based about 500km away (this was in the days when ISPs were usually local outfits). The School Administrator had taken them up on the deal without bothering to consult with the IT staff. (It wasn't any kind of cheap, they'd used nasty wee 10MB/s hubs in a flat network connecting 150+ systems together, well beyond ethernet distance specs, hadn't even bothered using separate subnets for the staff and student systems and charged them top dollar for a 3rd rate installation, dropping another router on the network without disconnecting our one.)

        Upon warning the School Administrator (who's supposed to cover business and legal aspects of operation and be aware of liability law) in writing that:

        1: The ISP agreement they'd signed up for was 5 times my charges.

        2: That it was only a matter of time before the more enterprising students would hack into the admin network

        3: That if they were lucky those students would only change their own grades.

        4: They risked major expense and litigation if anyone's privacy was breached.

        I was shown the door, fairly unsurprisingly.

        This was despite having been discussing security arrangements for such a connection for about a year beforehand with staff who were supposed to be in charge of developing networking. We'd been making plans to roll out physically separated networks and 100Mb/s managed switches everywhere in conjunction with one of the local networking specialists (not just vlans - not secure enough in everyone's eyes at the time) specifically to ensure that confidential data wouldn't leak and to keep porn out of the network. They were caught by surprise as much as I was and the worst thing was that the total cost of doing it the right way with companies which were supportive would have been cheaper than the deal agreed over the summer by that one administrator.

        Somehow the staff did manage to block the ISP switch (by all accounts at this stage the administrator was huffing at them more loudly than Donald Trump if my name was mentioned), but shortly afterwards their connection was switched to a 3rd ISP, amid claims that ISP had offered them a deal which was half the cost of getting leased lines from the local telco, let alone anything else.

        18 months later the school was in the news for having been hacked (by a student, of course) and student/staff personal information circulated, leading to problems with bullying targets and their families being heavily victimised on their home phone numbers even after those numbers had been changed.

        At that point the school's public liability insurer discovered a copy of the letter I'd written(*) and decided the school's policy was null and void. It ended up being quite expensive for them (several million dollars) and the administrator was heavily censured by the board of governors. Despite that, security problems continued for several years afterwards until she was replaced and the school was ordered by the education department to sort its shit out.

        (*) Someone sent them a copy and it wasn't me.

        I don't know what the moral of this story is, other than "be vigilant" - because once someone's absolutely cocked things up and they're in a position up the food chain, they'd rather pretend that everyone else is wrong and they're right.

        Another similar saga in another school in the same town had a meeting between the school's "IT lead", myself and employees of a government research institute discussing how to get the school online (the school wouldn't be paying for this, it was donated effort and connection from the institute - one of the director's daughters was a pupil). When the discussion turned to ensuring network security and the various issues with that, the "IT lead" said "I'm in charge here, I don't see what the problem is. You're the technicians and you'll do what I tell you" - at which point we all looked at each other, picked up our stuff and left without saying a word. The school didn't get its free connection.

      2. james 68

        Re: Whatever it takes to make a sale

        @Mage

        That'll be because you showed good sensibility, I applaud you for that. The contractors I've dealt with in the past rarely show anywhere near that level of logical understanding, I wish more were like you in this regard.

        @Alan Brown

        I've had to deal with similar idiocy, more often than I'd like to recount. But you provide a good example of why networks should not only be secured from outside AND inside molestation but be proofed as much as possible against actions by "administration" also.

  18. Anonymous Coward
    Anonymous Coward

    I attended this conference too.

    Though his tone was painfully angsty, I thought the intent of the irate attendee wasn't overly objectionable. The speaker kept referring to the block list as opt-out DNS-based blacklisting that ISPs can choose not to implement. But that doesn't fit with the non-UK ASN IP address phishing blacklisting capability that was mentioned almost in the same breath.

    What's even more interesting is the NCSC's admission of a(n automated?) capability to identify these non-UK hosted phishing sites. The paranoid infosec bod in me thinks that the NCSC is whitewashing GCHQ's bulk interception programmes and is hoping that reaching out to the technical community will win hearts and minds.

  19. Anonymous Coward
    Anonymous Coward

    I believe that GCHQ are equally incentivised to downplay any threat, after all they are interested in using exploits to penetrate our systems, and now they are even able to say what they do for a living is legal!

  20. Helder

    Equivocation - Why it's all just "pseudo-security"

    Ever wondered why "cryptography" is full of "gurus", "experts" and considered an "art"? It's to hide the truth that it's actually a scientific engineering field, and not a religion. Ever since mathematicians got involved with assumptions of mathematical complexity, the field has gone down a cul-de-sac.

    The difference between military and commercial cryptography is that military cryptanalysts know what equivocation is, and never use the term "snakeoil". That's because once you understand equivocation, the term "snakeoil" is meaningless; it's like calling a car "fast" or "slow" when warp speed is the objective. It's a term used by amateurs.

    Frankly, much of what is taught by academia as security is "pseudo-security", perpetuating a failed mathematical solution that will never solve the security problem. That's why there are no security guarantees to current solutions. It's not the implementations, it's the solutions themselves; they have unsound scientific foundations.

    Military Encryption 101:

    1. To say a security system is secure/insecure is pointless, since all systems are absolutely secure, up to a certain length of message/ciphertext called the unicity point. Beyond the unicity point, a cryptosystem has log 0 key/message equivocation. It's breached.

    2. An English message encrypted with AES-256 is secure to 39 characters only. Beyond 39 characters it has an "insecurity guarantee", and is guaranteed to be broken under brute force (or faster).

    3. For a cipher to be considered "secure", it must have an equivocation greater than 2 for an infinite length message. Searching for a needle in a haystack is not security, it's a security flaw. For such a search to be "secure" there must be at least two needles in the haystack.

    4. Such "unbreakable" systems have existed since 1917 (one time pad) but have limitations.

    5. A new absolutely secure system without limitations has just been invented and patented worldwide (PCT Patent) called "equivocation augmentation".

    The underlying principle is as follows: The cryptosystem key entropy is the fuel of encryption, and is used up encrypting every message character. Equivocation is the fuel gauge. All encryptions under the cipher are secure until the entropy is depleted, and equivocation is equal to zero (This occurs at the unicity distance - the fuel range). Infinite length messages DO NOT NEED infinite length starting keys, one merely needs to "refuel" the cipher key entropy at a faster rate than it can be depleted. This is trivial to accomplish.

    So, whilst current cryptography is not "snakeoil", it is not "secure" either. Like pseudo-random number generators, it's "pseudo-security" - looks like the real thing, but isn't - it's fake. Anyone who calls it security is just perpetuating the fraud.

    Equivocation augmentation will be available soon, everywhere.
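    Shannon's unicity distance and key equivocation, which the numbered points above turn on, worked through as an added example (not the poster's code, and not any product of theirs). Under the assumptions of 8-bit characters carrying 1.5 bits of information each, the formula U = H(K)/D gives the 39-character figure for a 256-bit key; the toy shift cipher and the small word list standing in for "recognisable English" are constructed for the example, and a brute-force count of keys still consistent with a ciphertext shows the equivocation falling to zero as the message grows.

```python
"""Unicity distance and key equivocation, worked through on a toy cipher.

Added illustration; not the poster's code.  Shannon's unicity distance is
    U = H(K) / D,    D = R - r
where H(K) is the key entropy in bits, R the bits per raw plaintext symbol
and r the bits of information the language actually carries per symbol.
Beyond U symbols of ciphertext only one key is expected to decrypt to
something that reads as plaintext; below U several keys do, and log2 of
that count is the remaining key equivocation.
"""
import math
import string

ALPHABET = string.ascii_uppercase


def unicity_distance(key_bits: float, symbol_bits: float, entropy_per_symbol: float) -> float:
    """U = H(K) / (R - r), in plaintext symbols.  Assumed inputs such as
    key_bits=256, symbol_bits=8 (one byte per character) and
    entropy_per_symbol=1.5 for English give 256 / 6.5 = 39.4 characters.
    U is a statistical expectation, not a hard bound on any one message."""
    redundancy = symbol_bits - entropy_per_symbol
    if redundancy <= 0:
        return math.inf  # plaintext with no redundancy never reaches a unicity point
    return key_bits / redundancy


# Toy cipher constructed for the example: a Caesar shift over 26 letters, so
# the key space is 26 and H(K) = log2(26), about 4.7 bits.
def shift(text: str, key: int) -> str:
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    return shift(ciphertext, -key)


# Constructed stand-in for "recognisable English": a decryption is plausible
# when every word is in this tiny list.  A real analysis would use a language model.
WORDS = {"A", "AT", "HA", "OH", "ON", "IS", "THE", "CAT", "SAT", "MAT", "DOG"}


def looks_like_english(text: str) -> bool:
    return all(word in WORDS for word in text.split())


def consistent_keys(ciphertext: str) -> set:
    """Brute force over the whole key space, keeping every key whose decryption
    passes the plausibility test.  These are the keys the ciphertext cannot rule out."""
    return {k for k in range(26) if looks_like_english(decrypt(ciphertext, k))}


def equivocation_bits(ciphertext: str) -> float:
    """log2 of the number of keys still consistent with the ciphertext.
    0.0 means the ciphertext is past its unicity point: the key is determined.
    NaN means the plausibility test rejected every key (word list too small)."""
    n = len(consistent_keys(ciphertext))
    return math.log2(n) if n else float("nan")


if __name__ == "__main__":
    print("AES-256, 8-bit chars, English at 1.5 bits/char: U =",
          round(unicity_distance(256, 8, 1.5), 1), "characters")
    caesar_bits = math.log2(26)
    print("Caesar shift, 26-letter alphabet, 1.5 bits/char: U =",
          round(unicity_distance(caesar_bits, caesar_bits, 1.5), 2), "characters")
    for plaintext in ("AT", "THE CAT SAT ON THE MAT"):
        ct = encrypt(plaintext, 3)
        keys = consistent_keys(ct)
        print(f"{ct!r}: {len(keys)} consistent key(s) {sorted(keys)}, "
              f"equivocation {equivocation_bits(ct):.2f} bits")
```

The two-letter ciphertext "DW" decrypts to "AT", "OH" and "HA" under three different keys, so the key is not yet determined; the 22-character message is consistent with the true key alone.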

    1. Anonymous Coward
      Anonymous Coward

      Re: Equivocation - Why it's all just "pseudo-security"

      Nice. Almost doesn't read like complete gibberish. Almost, but not quite.

  21. TheGentlemanHacker

    Noise 1 Signal 0

    He pointed out that a UK telco had recently been taken offline using a SQL injection flaw that was older than the hacker alleged to have used it. That’s not advanced by any stretch of the imagination, he said.

    MI5 were seen with a directory traversal vulnerability last December; that vulnerability class is easily 3 times the age of SQLi ... so what's his point?

    ref: https://twitter.com/cyberzeist2/status/804313275982745600

  22. WereWoof

    Not so much Medieval witchcraft as Snake oil.
