Monthly Archives: June 2016

Investigatory Powers Bill passes and your job just got a lot harder

Written as editor of the New Statesman’s NS Tech and first published here.

The controversial Investigatory Powers Bill has been passed by parliament, with 444 MPs voting in favour, including many from the Labour Party, versus just 69 against.

While many in the tech industry have raised concerns about the cost implications and technical challenges of the new powers, this was not enough to persuade lawmakers.

Concessions made in the bill mean that technology companies will not have to build de facto backdoors into encryption software, but judges can demand that firms write software to help them access communications.

Public and private databases will be open to access by the security services, and provisions have been made for the hacking of devices of people who are not direct suspects of a crime.

Internet Service Providers will have to keep databases of things like people’s web and app browsing history, but the government says it will reimburse them for the cost of complying.

Bowing to pressure from the Joint Committee on Human Rights, a review of the bulk collection and retention of data has been ordered and will be conducted by David Anderson QC, an independent reviewer of terrorism laws.

He has already raised concerns about whether the legislation breaches human rights laws.

Jim Killock, executive director of internet rights organisation Open Rights Group, said: “The IP Bill’s powers are too broad and permit the surveillance of citizens whether or not they are suspected of wrongdoing. Surveillance should be targeted at those who are suspected of a crime.”

An internal government report leaked to The Intercept by Ed Snowden this week acknowledges that mass surveillance can even cost lives.

The draft bill now heads to be considered and voted on in the House of Lords, which has recently been unconvinced by a number of government proposals.

So who gets fired when Mark Zuckerberg gets hacked?

Written as editor of the New Statesman’s NS Tech and first published here.

We’ve seen millions of passwords compromised across huge sites like LinkedIn, Myspace and Tumblr in the last few months. And just this weekend, the London Stock Exchange was hijacked by Anonymous as part of its campaign against large corporations.

Now, in what should raise a loud alarm for people everywhere, the CEO of a company that manages the private lives of more than 1 billion people, Mark Zuckerberg, has apparently fallen victim to hackers.

According to the BBC, the trail likely leads back to the 2012 LinkedIn hack, which continues to resurface every time the hackers are able to decode another lot of passwords.

The first 13 million sets of details leaked had, helpfully to both themselves and the hackers, used the platform’s name to help them remember their password, so they were the easiest targets.

But, using a ‘reverse trapdoor’ or ‘rainbow table’ as it’s called in the trade, hackers can just sit back and use a precomputed program to test out all possible password combinations. With enough time and computing power, it looks like they’ve been able to crack Zuck’s password, which it appears he was using across Twitter and Pinterest too.
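The precomputation described above only pays off when a stored hash depends on nothing but the password: then one table built from a list of likely passwords can be reused against every unsalted dump, and the same password reused at two sites shows up as the same digest at both. The following is an added example written for this archive, not code from the article or any of the companies it quotes; the hash functions, the candidate list and the user records are constructed to illustrate the point, and the salted scheme shown (PBKDF2 with a random per-user salt) is one standard defence, chosen here as an assumption rather than anything the article attributes to a particular site.

```python
import hashlib
import hmac
import os

# Constructed sample data: a short list of guessable passwords standing in
# for the large breach corpora an attacker would actually precompute over.
CANDIDATES = ["password", "linkedin", "letmein", "123456", "qwerty"]

# Work factor for the salted scheme; kept modest so the demo runs quickly.
ITERATIONS = 50_000


def unsalted(password: str) -> str:
    """The weak scheme: the digest depends only on the password itself."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup(candidates):
    """Precompute digest -> password once. Because nothing per-user goes into
    the digest, this one table works against every unsalted dump ever leaked."""
    return {unsalted(p): p for p in candidates}


def crack_unsalted(dump, table):
    """Recover each user whose stored digest appears in the table.
    No hashing happens here: it is a pure lookup, which is the whole point."""
    return {user: table[digest] for user, digest in dump.items() if digest in table}


def reuse_visible(dump_a, dump_b):
    """Users whose digest is identical at two unsalted sites: the attacker learns
    the password is shared without cracking anything."""
    return {u for u, d in dump_a.items() if dump_b.get(u) == d}


def store_salted(password: str):
    """The stronger scheme: a random per-user salt plus a slow KDF, so a digest
    depends on something the attacker did not have when the table was built."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison so verification timing does not leak digest bytes.
    return hmac.compare_digest(candidate, digest)


def table_hits(salted_records, table) -> int:
    """How many salted records the precomputed table matches. The table was
    built without the salts, so the answer is always zero: the attacker is
    pushed back to guessing per user, paying the KDF cost for each guess."""
    return sum(1 for salt, digest in salted_records.values() if digest.hex() in table)


if __name__ == "__main__":
    table = build_lookup(CANDIDATES)
    site_a = {"alice": unsalted("linkedin"), "bob": unsalted("letmein"),
              "carol": unsalted("Tr0ub4dor&3")}
    site_b = {"alice": unsalted("linkedin")}          # alice reused her password
    print("cracked from unsalted dump:", crack_unsalted(site_a, table))
    print("reuse visible across sites:", reuse_visible(site_a, site_b))
    salted = {u: store_salted(p) for u, p in [("alice", "linkedin"), ("bob", "letmein")]}
    print("table hits against salted records:", table_hits(salted, table))
```

The two dumps in the demo hold the same weak passwords; only the storage scheme differs. Carol's password survives the unsalted dump not because the scheme protected her but because it was not in the candidate list, which is exactly the "longer password, more time to crack" trade the quotes below describe.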

“Password sharing is a huge faux pas and a recipe for disaster,” David Shearer, CEO of cyber skills certifier ISC2 tells NS Tech, with a knowing smile.

“Come on, there are password vaults out there! It’s getting increasingly difficult to fight the questions after someone, who appears to be you, has been doing things on your account.”

Those questions must be a million times harder to answer if you’re… Mark Zuckerberg.

Too little, too late from tech cos

This series of hacks is prompting companies across the world to update their security systems.

But changes like those being made by Microsoft, where it updates its list of banned passwords after cross-referencing with the latest haul posted online, or even biometrics like those being trialled at Google, are criticised by the crypto community.
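A banned-password check of the kind attributed to Microsoft above, combined with a guard against the "platform's name as the password" habit that made the first LinkedIn batch so easy, can be written in a few lines. This is an added illustration for this archive, not Microsoft's or any vendor's actual logic; the banned list, the symbol-for-letter substitutions and the eight-character minimum are constructed assumptions, and a real deployment would load its list from breach corpora as the article describes.

```python
import re

# Constructed stand-in for a provider's banned list; a real one is built
# from leaked password dumps and is far larger.
BANNED = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Common letter-for-symbol swaps that leave a password no harder to guess.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

REASON_SHORT = "shorter than 8 characters"
REASON_BANNED = "matches a banned or breached password"
REASON_SERVICE = "contains the service name"


def normalise(text: str) -> str:
    """Reduce a password to the word the person was actually remembering:
    lower-case, drop trailing digits and punctuation ('password1', 'linkedin2012!'),
    undo symbol swaps ('p@ssw0rd'), and keep only letters and digits."""
    s = text.lower()
    s = re.sub(r"[\d\W_]+$", "", s)      # strip the '2012!' people bolt on the end
    s = s.translate(LEET)
    return re.sub(r"[^a-z0-9]", "", s)


def check_password(password: str, service: str, banned=BANNED):
    """Return the list of reasons a password is rejected; empty means acceptable.
    Checks run on the normalised form so trivial variants are caught too."""
    reasons = []
    if len(password) < 8:
        reasons.append(REASON_SHORT)
    core = normalise(password)
    if core in banned:
        reasons.append(REASON_BANNED)
    service_core = normalise(service)
    if service_core and service_core in core:
        reasons.append(REASON_SERVICE)
    return reasons


if __name__ == "__main__":
    for candidate in ["linkedin2012", "p@ssw0rd", "qwerty", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, 'LinkedIn') or 'ok'}")
```

The normalisation step matters more than the list itself: without it, "password1" and "p@ssw0rd" sail past a list containing only "password", which is precisely the variant-by-variant decoding the article says keeps resurfacing from the 2012 dump.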

“The main reason Microsoft is getting you to create a ‘really strong password’, is to protect them,” explains Brian Spector, CEO of London-based cryptography startup MIRACL.

“The more complicated the password is, the more time it takes to crack, so they’re just pushing the burden of using their service onto you because they haven’t got anything better.

“Google’s plan doesn’t represent a leap in technology, it’s just something they can do, based on the position they’re in, to mine data on you,” he adds. “It’s not going to fix anybody else’s problems and it likely violates EU privacy regulations. So the jury’s out.”

What companies like MIRACL say they are doing is getting rid of both digital certificates, which have proven to be vulnerable to digital forgery, as well as the need to keep password-based databases ‘somewhere safe’.

Pairing, as it’s called, based on elliptic curves, was just about impossible 15 years ago. But through some very complicated maths, it’s enabling ‘something you have, a key, plus something you know, a PIN’, to arrive online for normal people in a similar way to using an ATM in real life.

“The biggest challenge to the cyber security industry is that there’s now a ubiquity of technology, from smartphones to the Internet of Things, Internet of Everything, smart cities, smart nations, even, and the workforce is just trying to keep up,” says Shearer, whose organisation has certified some 114,000 IT folks around the world.

1.5 million cyber jobs going unfilled

“There are going to be 1.5 million jobs that come available between now and 2020, we have an ageing workforce who are increasingly suffering burnout and we don’t have a wave of young people to replace them,” Shearer warns.

“Ultimately, CEOs get fired for cyber security issues because right now, cyber security staff have no authority within businesses, the reporting lines are unclear and there’s no global standard for how this all works in practice.”

Mark Zuckerberg is unlikely to get fired for something that ultimately doesn’t seem like it was a problem with Facebook’s security, particularly as he’s in charge.

But it’s rather embarrassing, even dangerous, if the CEO of one of the world’s biggest personal data companies fails Cyber Skills 101. The company’s shareholders will no doubt be asking questions.

Thankfully, our friends over at the New Statesman have prepared a list of nine quick, effective ways to protect your privacy online, which it seems like *some of us, Mark* are still in need of.

GE’s billion-dollar IoT startup – a massive bid to avoid the fate of the telcos

Written as editor of the New Statesman’s NS Tech and first published here.

On the face of it, it’s really not like General Electric, one of the world’s largest companies with interests across huge industries including finance, aircraft engines and healthcare, has anything to worry about.

Indeed, it was one of the founding members listed on the Dow index – and it’s still there – no mean feat after 120 years.

That’s particularly impressive because it’s the only original business that’s still listed there. In fact, as much as sounding like an outstanding success story, that could also make a company feel pretty vulnerable.

GE has a surprisingly diverse portfolio, no doubt one reason it’s staved off business failure where perhaps the now-defunct US Leather Company failed.

However, just as the telecoms providers were sitting pretty 15 years ago with a mobile revolution staring them in the… pipes, OTT utilities are arriving and GE does not want to be the ‘Vodafone of energy’.

Sure we still use telcos, we still need them in many cases, but we don’t want them to come any closer than we need them to.

Current

General Electric took a bit of a punt last year when it announced it’d be putting $1bn into an internal startup, Current, which is focused on using smart technology and data to help huge companies reduce, produce and shift energy use.

Current brings together a number of different GE business units – LED lighting, energy storage, solar, electric charging and analytics software, in the shape of its platform Predix – to help “liberate companies from peak demand usage” and ultimately cut costs.

Evidence suggests that many consumers aren’t particularly sold on the benefits of the smart home yet, beyond their beloved TV sets, although this is likely to change in the age of smart home metering. But, in the meantime, businesses are finding it increasingly hard to say no to an investment that’ll ultimately help them reduce their overheads.

Where ‘Software as a Service’ took companies like Oracle some time to come around to, ‘Energy as a Service’ is something GE Current is hoping to get its head around quickly enough to keep its century-old brand relevant.

“GE’s aim is to be a digital software company – and a top 10 software company in five to 10 years,” Pete Lau, head of EMEA at GE Current, boldly told NS Tech.

With 330,000 staff worldwide, organisational change must be a mammoth task, but in the “startup atmosphere” created at Current, things are sounding more promising.

“The huge opportunity with the advent of the industrial internet is working out how we connect the digital world to the industrial world. Current is a microcosm for what GE is trying to do, trying to be.”

Staying current

In a post-product age, the cloud-based Predix platform that captures, stores and analyses data from anything connected to the web, is the real killer app for Current.

“We all have to adapt with the times and while there’s always going to be a big market in GE for tangible sales, software complements this offering, letting us provide more services in the future.”

Not only did Current start with $1bn in revenues from the folded-in business units, with GE’s balance sheet to fall back on, it also launched with top-tier global customers.

That’s Walgreens, Simon Property Group, which runs a host of US shopping malls, Hilton Worldwide, JPMorgan Chase, Hospital Corporation of America and Intel.

All of these companies have huge footprints, meaning massive energy usage and legacy systems scattered across the globe.

Current’s pilots have so far tried to help smooth out city traffic flows, and help emergency services attend to gun-related crimes, using LED street lights and noise sensors, respectively. It’s also offering ‘Finance as a Service’ for companies looking to do things like retrofit with LED lighting.

“The moves that GE is making reflect both the opportunity and the imperative to adapt to a market that is changing now more than it has in the last century,” David Kelnar, head of research at London-based venture capital firm MMC Ventures, explains to NS Tech.

He says that utilities’ tech spend between now and 2020 is increasing 2.5 per cent per year, but software spend is increasing by 8 per cent each year – so there’s a lot of money up for grabs.

“One key area is CRM. Digital customer engagement is rising in importance for utilities because they need to close the gap in customer experience versus other consumer-facing industries, meet regulatory requirements and drive their users towards self-service in order to cut costs.

“This is a period of transformational change, where the industry is expanding to include people who generate energy themselves, as well as those who are now managing their energy more actively.

“In the UK, the ‘big six’ too are trying to change from being energy suppliers to providers of a broader range of products and services,” Kelnar adds.

“When your customers and the market are asking for it, what you see is other huge companies trying to get into it, that’s why IoT is becoming a market trend,” Lau agrees.

As well as competitive efforts within its own industry, and from the likes of Samsung and Intel from a slightly different angle, challenges remain around security and interoperability.

“We’re only six months in but we think we’re very well positioned because of our global reach and our resources,” Lau concludes.

That’s about as bold as you can be when you’re a startup backed by GE.

techUK says Investigatory Powers Bill still poses a threat to the digital economy

Written as editor of the New Statesman’s NS Tech and first published here.

The Investigatory Powers Bill has now received a full going-over by the Joint Committee on Human Rights, and a trove of new amendments has arrived from MPs ahead of its first proper debate in parliament next week.

These include a wide range of small changes to language, as well as: a proposal to set up an Investigatory Powers Commission, rather than simply appointing a Commissioner; a plan to restrict data interception warrants in relation to trade union activity and MPs’ communications; and making it a very clear offence to misuse the powers outlined.

The Joint Committee on Human Rights has said it: “welcomes the steps which the Bill takes towards providing a clear and transparent legal basis for the investigatory powers already used by the security and intelligence agencies and law enforcement authorities, and towards enhanced safeguards”.

“But the Bill could be improved to enhance further the compatibility of the legal framework with human rights,” the committee’s report explains.

It says it found that bulk interception is not “inherently incompatible with the right to privacy” but this should now be referred to the Independent Reviewer of Terrorism Legislation before the Bill completes its journey through parliament.

techUK’s head of cyber and national security Talal Rajab has said that while the recognition of privacy concerns has offered a “step in the right direction” for companies providing digital products and services, “we’re not out of the woods yet”.

“Many of the concerns raised by the tech industry, particularly around Internet Connection Records, encryption and the extraterritorial application of the Bill, require further scrutiny and clarity,” he said.

“Failure to do so will make it harder for government to achieve its aim of delivering world-leading legislation – one which underpins rather than undermines the UK’s world-leading digital economy.”

Many of the amendments proposed deal with small points of language, rather than the technical or cost issues consistently raised by tech firms – and the subsequent trust issues that could be created with customers by the government’s demands for access to data.