On becoming a Glass Room Ingenius

I RARELY LOOK at email newsletters, even the ones I’ve subscribed to, but in September I opened ‘In The Loop’ from a Berlin technology collective called Tactical Tech, and inside was a dream opportunity to build on work begun during my sabbatical.

BE AN INGENIUS FOR THE GLASS ROOM LONDON
The Ingenius is the glue that holds The Glass Room together. We’re recruiting individuals who we can train up with tech, privacy and data skills in order to support The Glass Room exhibition (coming to London in October 2017). As an Ingenius you’d receive four days of training before carrying out a series of shifts in The Glass Room where you’d be on hand to answer questions, give advice, run workshops, and get people excited about digital security.

Having spent the first eight months of 2017 studying cybersecurity and cleaning up my own online practices, I had started offering free help sessions in our local café. Engagement was poor – it turns out that free infosec sessions aren’t in demand because busy people tend to put these things on the backburner and just hope they don’t get hacked in the meantime.

Francis Clarke, who co-runs the Birmingham Open Rights Group which campaigns around citizens’ digital rights, warned me that topics like infosec and data privacy were a hard sell. Friends and family confirmed it with ‘I don’t care if I get sent a few contextual ads’ or ‘I have nothing to hide’.

So how do you get people to become aware and start to care about their online practices?

Answer: The Glass Room.

***

The Glass Room – presented by Mozilla and curated by Tactical Tech – in every way resembles a bright, shiny tech store inviting passers-by in to check out its wares. Yet another shop on a busy London street. But the items on show are not gadgets but exhibits that help people look into their online lives and think more critically about their interactions with everyday digital services.

To be honest, I mostly saw The Glass Room as providing a readymade audience who were up for talking about this stuff because talking would enable me to get everything I’d been learning out of my head and also level up on my own understanding of the issues.

I didn’t think I would stand a chance of being selected but I applied anyway. I’ve listed some of the questions from the application and my (short version) answers for a bit more context on why I started on this journey – otherwise feel free to skip ahead.

Why are you interested in becoming an Ingenius? (provide 3 reasons)

Individually – I was blown away by Edward Snowden’s revelations and the Citizenfour documentary. I have been data detoxing and self-training in infosec, and I’m very interested in the engagement tools and workshop resources.

Locally – I’m involved in several campaigns. I want to help individuals and campaigners know how to keep their data and communications private and secure.

Nationally/internationally – I’m concerned with the normalisation of surveillance (both governmental and commercial) and how the line is constantly being redrawn in their favour. I would like to understand more about the politics of data and how to think about it more equitably in terms of the trade-offs concerned with policing, sensitive data sharing, commercial data capture and the individual right to privacy.

What do you think about the current state of privacy online?

I have concerns both about privacy clampdowns by governments and mass surveillance by commerce. I love the internet but find the fact that I have to jump through so many hoops to avoid being tracked or identified worrying. I feel I am part of some subversive resistance just to have control of my own data and this is intensifying as I have a writing project that I want to keep anonymous (almost impossible I since have discovered).  I’m also concerned that enacting the paths to anonymity may flag me on a list and that this may be used against me at some future point, especially if there is no context in the data.

I think our right to privacy is disappearing and the biggest issue is getting people to care enough to even talk about that. We seem to be giving up our privacy willingly because of a lack of digital literacy about how our information is being used, the dominance of data brokers such as Google and Facebook (for whom we are the product), the lack of transparency about how algorithms are processing our data, and so on. The issue feels buried and those who control information too powerful to stop.

How would you take the experience and learning as an Ingenius forward?

I’ll be taking it into my local community through advice surgeries in cafés and libraries. There seems to be little privacy/security support for individuals, activists, campaigners and small businesses. I also hope it will give me the wider knowledge to become more involved with Birmingham Open Rights group, which operates at a more political level.

Finally, I aim to connect more widely online around these topics and investigate options for setting up something to help people in Birmingham if I can find suitable collaborators.

***

I’M IN!

This is one of those things that will completely take me out of my comfort zone but will also likely be one of the best things ever.

***

THE GLASS ROOM when it ran in New York City saw 10,000 come through the doors. In London, on the busy Charing Cross Road, just up from Leicester Square, the figure was close to 20,000.

I was fretting  about all sorts of things before my first shift, mostly about standing on my feet and talking to people all day – normally I sit at a desk and say nothing for eight hours that isn’t typed. I was also nervous that despite the excellent four days of Glass Room training, I wouldn’t know enough to answer all the random questions of ‘the general public’, who might be anything from shy to panicked to supertechy.

But it was fine. More than fine, it was exhilarating, like the opening night of a show you’ve been rehearsing for weeks. If anything, I had to dial it back so that visitors would have a chance to figure things out for themselves. The team were lovely and the other Ingeniuses supportive and funny. Most importantly, the visiting public loved it, with 100-strong queues to get in during the final weekend of the exhibition.

It must be a complete rarity for people to want to come in, peruse and engage with items about wireless signals, data capture and metadata. But by materialising the invisible, people were able to socialise around the physical objects and ask questions about the issues that might affect them, or about the way big data and AI is affecting human society.

Day after day, people wandered in off the street and began playing with the interactive items in particular: facial recognition to find their online lookalikes, nine volumes of leaked passwords to find their password, newsfeed scanning to find the value of their data, the stinky Smell Dating exhibit to find out who they were attracted to from the raw exposed data of three-day-old T-shirts (c’mon people – add some metaphorical deodorant to your online interactions!).

They also spent time tuning into the trailers for highly  surveillant products and brands, and watching an actor reading Amazon Kindle’s terms and conditions (just under nine hours, even in the bath).

And they gathered en masse around the table-sized visualisations of Google’s vast Alphabet Empire that goes way beyond a search engine, Amazon’s future Hive factory run mostly by drones and other robots, Microsoft’s side investment into remote-controlled fertility chips, Apple’s 3D pie charts of turnover and tax avoided, and Facebook founder Mark Zuckerberg’s House where you can buy total privacy for just $30 million.

***

THERE WERE THREE themed areas to explore inside The Glass Room, with three further spaces to go deeper and find out more:

  1. Something to hide – understanding the value of your data and also what you are not hiding.
  2. We know you – showing what the big five of GAFAM (Google, Amazon, Facebook, Apple and Microsoft) are doing with the billions they make from your online interactions with them.
  3. Big mother – when technology decides to solve society’s problems (helping refugees, spotting illegal immigrants, health sensors for the elderly, DNA analysis to discover your roots), the effect can be chilling.
  4. Open the box – a browsing space on the mezzanine floor full of animations to explain what goes on behind the screen interface.
  5. Data Detox Bar – the empowerment station where people could get an eight-day Data Detox Kit (now online here) and ask Ingeniuses questions about the exhibition and issues raised.
  6. Basement area – an event space hosting a daily schedule of expert talks, films and hour-long workshops put on by the Ingeniuses.

During the curator’s tour by Tactical Tech co-founder Marek Tuszynski, what impressed me most was the framing for The Glass Room. This is not a top-down dictation of what to think but a laying out of the cards for you to decide where you draw the line in the battle between convenience and privacy, risk and reward.

I handed out kit after kit to people who were unaware of the data traces they were creating simply by going about their normal connected life, or unaware that there are alternatives where the default isn’t set to total data capture for future brokerage.

Some people needed talking down after seeing the exhibition, some asked how to protect their kids, others were already paranoid and trying to go off the grid or added their own stories of life in a quantified society.

***

THERE ARE THREE LESSONS I’ve taken away from my experience in The Glass Room to apply to any future sessions I might hold on these topics:

  1. Materialise the invisible – bring physical objects (art, prototypes, kits, display devices) so that people can interact and discuss, not just read, listen or be told.

2. Find the ‘why’ – most people are unaware of, or unconcerned about, the level of data and metadata they produce until they see how it is aggregated and used to profile, score and predict them. Finding out what people care about is where the conversation really starts.

3. More empowerment and empathy, less evangelism– don’t overload people with too many options or strategies for resistance, or polarise them with your own activist viewpoint. Meet them where they are at. Think small changes over time.

***

IT’S BEEN A MONTH SINCE The Glass Room and I’m proud of stepping up as an Ingenius and of overcoming my own fears and ‘imposter syndrome’.

As well as doing nine shifts at The Glass Room, I also ran two workshops on Investigating Metadata, despite being nervous as hell about public speaking. There are eight workshops modules in Tactical Tech’s resources so it would be interesting to work these up into a local training offering if any Brummies are interested in collaborating on this.

I wrote a blog post for NESTA about The Glass Room – you can read it here: Bringing the data privacy debate to the high street.

I did the Data Detox Surgery at an exhibition called Instructions for Humans at Birmingham Open Media, and also set up a mini version of The Glass Room with some pop-up resources from Tactical Tech – there’s a write-up about that here. The Ingenius training gave me the confidence and knowledge to lead this.

Leo from Birmingham ORG has also had Glass Room training so we will be looking for opportunities to set up the full pop-up version of The Glass Room in Birmingham in 2018. Get in touch if you’re interested– it needs to be a place with good footfall, somewhere like the Bullring or the Library of Birmingham perhaps, but we’re open to ideas.

There’s also a more commercial idea, which arose at the Data Detox Surgery, to develop this as an employee engagement mechanism within companies to help make their staff more cyber-secure. If employees learn more about their own data privacy and can workshop some of the issues around data collection, then they are more likely to care about company processes around data security and privacy. In short, if they understand the personal risks, they will be more security-conscious when working with customer or commercial data.

As ever, watch this space, or get in touch if you think any of this should be taken to a coffee shop for further discussion and development. You can also connect with me on Twitter if you want to follow this journey more remotely.

Thanks for staying to the end.

 

Happy 30th to Acorns Cotteridge – a note from the founder’s daughter

Acorns Cotteridge 30th Anniversary attendeesIt was 30 years ago, in September 1987, that my mother, Ann Cullinan, opened the first-ever Acorns Children’s Hospice Shop in Cotteridge, South Birmingham. There are now three hospices and 57 shops, and next year Acorns hopes to reach 60 shops. It is a fantastic legacy of which I’m sure she would be very proud.

Sadly, today also marks the 16th anniversary of her death, and in a week or so, the 16th anniversary of her fundraising funeral, for she used the occasion to make one last appeal for a different charity: the Huntington’s Disease Association.

I was honoured to be asked to visit the Acorns Cotteridge shop to say a few words and help kick off the 30th-year celebrations. It was lovely to meet people who had known Mum, meet the new shop manager, volunteers and Acorns senior management, and also to catch up with family friend Ivor Gornall, who was one of the original ‘Ann’s Army’ volunteers. And it was great to see how the charity is moving forward and building on its early foundations.

I’ve edited the video clips together to include a few others who spoke on the day – it’s just under nine minutes – and one for the family record as well as Acorns. The transcript of my talk is also below.

I’ve blogged about Mum’s involvement in Acorns as the Founder of the Acorns Children’s Hospice Shops previously, and my own visit to Acorns in Selly Oak, which was quite emotional – you can read about it here.

I feel I’ve become a bit of a historian or documenter of that period of Acorns’ history on Mum’s behalf. I have kept all her press clippings, letters and photos, and look forward to continue sharing these so that Acorns’ beginnings as the charity that Birmingham took to its heart won’t be lost.

Video

Transcript

In Feb 1986 Acorns became a family affair when our mother Ann Cullinan and two friends from Cadbury’s decided to raise £3,000 for the new Children’s Hospice Appeal.

My brother’s main memories are a front room full of black bags, being a phone secretary jotting down all the messages, and still wearing his fave jumper from “Anne’s Boutique.”

My sister brought her young daughters to help cut ribbons and open shops. She remembers when the scout hut with hundreds of donations was burned down a week or so before a new shop opened, and Mum using the fire as a PR strategy to get into the newspapers. She ended up with twice the donations.

I was a teenager at the time and helped collect donations, sort clothes and do the colouring in on posters.

But we weren’t the only ones galvanised into action. Ann’s Army – also known as the AA team – were a band of around 30 volunteers and helpers, many of them fellow employees and friends from Cadbury’s. Mum was known as The Commander in Chief and, although she was actually quite a shy person, she was determined – in fact, she like a woman possessed when it came to fundraising for Acorns. She always said she could never ask for anything for herself but she could ask for everything for the children and families who would desperately needed the new hospice.

Some examples of those crazy times –

  • Shops never had an opening, they had a GRAND opening
  • barge pulls
  • antique road shows
  • a giant turkey auction –
  • discos
  • belly dancers
  • marching majorettes –
  • fashion shows
  • rocking horse rides
  • the BRMB Walkathon –
  • letters went out to Adrian Cadbury, local business, Princess Diana
  • celebrity casts from the Xmas panto were roped in
  • photo opps, radio broadcasts and handwritten press releases

Mum was always sitting quietly writing with pen and pad in her armchair slowly changing the world one letter at a time. And such direct letters!

People always said yes. She would just look straight into people’s eyes, tell them what she was raising funds for, smile – then wait. She would unleash this massive human warmth that made people feel good about giving. If she needed a van, one would appear; a shop, one would become available; some carpet, she’d get the number for the NEC and somehow end up with thousands of square yards of conference carpet.

It was fun. But always driven by the kids who needed care.

To put a couple of figures on those early days:

  • From a £3k initial target, a cheque for £20,800 was presented to the trustees by Les Dawson and Ruth Madoc within a year.
  • The first shop, in 15 weeks, raised £30,000 – around £2000 turnover per week.
  • A year later it had contributed £100,000 (Sept 1988)
  • By 1990 Ann’s Army had raised £350,000, had opened in Stirchley and were ready to open a third shop in Kings Heath.

All voluntary.

I know she would be so proud of what has been achieved since that first shop opened 30 years. I have some photos and letters and posters showing the fundraising work of those early days, and a picture of the first Cotteridge shop volunteers if anyone would like to see them.

I am honoured to be invited here to represent the Founder of the Acorns Children’s Hospice Shops, and the involvement of Ann’s Army of volunteers. Mum always brought it back to the children so I’ll finish with her words to the volunteers 28 years ago:

” Since we opened our first temporary shop we have, by our combined efforts, contributed nearly £200,000 to help those unfortunate children and their families get support and be given respite care. I have witnessed the relief and gratitude by parents who are using Acorns and its facilities. I wish it were possible for each of you to do the same. Whilst the staff at Acorns may have direct contact with the children, you are an essential part of the team. Without your efforts, life would be much more difficult for all concerned.” [Ann Cullinan, 15/9/89]

Thank you.

How to make your cybersecurity event more engaging

I’m fascinated by how cybersecurity enthusiasts and organisers present and run their events, as that seems to be crucial in (a) getting people to come along, (b) triggering action.

I attended three cybersecurity events in September – Cryptoparty London, Cy3sec and Cybersecurity for ‘Real People’ – and learnt a lot from how they engage, or don’t. Conclusion: Infosec events need to be a LOT more practical and engaging and to deliver on what they promise. Drinks/snacks also help with after-work events.

1. Cryptoparty London

Cryptoparty London

Organised by:

A tech consultancy and a civil rights group put together the London event but this is just part of a larger decentralized movement of CryptoParties with events happening all over the world. “The goal is to pass on knowledge about protecting yourself in the digital space. This can include encrypted communication, preventing being tracked while browsing the web, and general security advice regarding computers and smartphones.”

https://www.cryptoparty.in/london 

Approach

Put it in a bar, call it a ‘party’, have infosec-themed cocktails, offer interactive break-out workshops (on Tor browser, Bitcoin, email encryption and smartphone surveillance) and lightning talks with a stage and large screen, surveillance-based visuals, digital art and music. September was the tester – it went very well and is now going monthly.

Pros

  • Beginners welcome
  • Networking, sense of community, expert access
  • Top pedigree of speakers, eg, Silkie Carlo, co-author of Information Security for Journalists
  • A nice dark room and sociable vibe for tired people after work
  • Practical workshops, how-tos and Q&As
  • Stickers and swag on the tables

Cons

  • It’s held in London – I’m in Birmingham
  • It ran way over time so I missed my second workshop
  • Logistics – bar noise/numbers made workshops hard to hear for some
  • Attendees seemed highly engaged and knowledgable already – bar too high for newbies?

Summary

CryptoParty’s main objective is to “tear down the mental walls which prohibit people to even think about these topics” – on that aim, it was definitely the best for engagement and practical learning. I’m now set up on Tor Browser and just wish I could have stayed longer.

2. Cy3Sec

Organised by:

Fizzpop – a popular Birmingham-based maker/hacker group with its own workshop space. Its first cybersecurity workshop was set up on Meetup and is set to run monthly.

https://www.meetup.com/fizzPOP-Birminghams-Makerspace/events/243198601/

Approach

One presenter talking to attendees around a table, small group style. There was a tech fail on the projector front which didn’t help. The speaker was a real-life locksmith so the focus was very much on how the hackers break in. The Meetup blurb said:

“The first hour will be on ‘beginner’ topics, then half an hour to chat, then an hour on a more advanced topic(s). If people want to do a short talk, great. There may be Bluetooth lock picking. There might be hacking a local server. A talk on decapping chips. If you’ve something to teach or explain about, please let us know.”

Pros

  • Beginners welcome
  • Quiet workspace, easy to get involved
  • Unusual angle – locksmith/hacker, physical access to devices
  • Free-roam topics and tech nerd view (how to kill people and start wars through hacking) = an interesting experience!

Cons

  • Attendees were Fizzpop members, a brain surgeon and a someone with a Masters in cybersecurity – not exactly beginners friendly
  • Mostly a one-way talk, lots of assumed knowledge, and attack based with cybersecurity solution more an afterthought
  • Departed from promised structure and timings
  • Sense of being an outsider entering a tech nerd’s member’s club

Summary

I never knew where this session was going or what I was going to get or even when it was going to end. Some structure and communication would really help this session. The Fizzpop-style focus on physical hacking and USB baiting, and ‘how stuff works’ was way above my knowledge grade but learning how to hack could fill a useful gap if done at beginners level and with a sense of playful fun that is the Fizzpop way.

Despite the exclusive feel, I am tempted to go back – albeit with a flask of tea and some biscuits, and just enjoy the random weirdness of Fizzpop life.

3. Cybersecurity for ‘real people’

Birmingham ORG cybersecurityOrganised by:

The Open Rights Group Birmingham – which runs regular events on cybersecurity and data privacy for concerned citizens. It feels more political although the offer is also practical. It campaigns to protect and promote digital rights in Birmingham and beyond. It was also set up on Meetup:

https://www.meetup.com/ORG-Birmingham/events/242706511/

Approach

The purpose was to offer practical cybersecurity advice that ‘real people’, not just digital geeks, can understand and apply in their daily lives. There were two main speakers, a large screen, a Powerpoint presentation and chairs for the audience. Although it was billed as a workshop, it was really more of an advice session/talk, with little opportunity to interact – one of the problems of running through a set of slides.

Pros

  • Beginners welcome – had the most varied mix of people of all three events
  • Darkened room for viewing slides, the acoustics weren’t great though
  • Practical advice on sending secure emails and messages, password managers, Tor browser
  • Beginners friendly – idea of just ‘change one thing’
  • Friendly, open, inclusive vibe
  • Resources posted on the Meetup site (Update: more resources, tips and follow-up from the session have now been posted to ORG B’ham)

Cons

  • More political stance – which may put off some; would be good to know more about the trade-offs not just follow advice blindly
  • Tried to pack too much in – people asking more in-depth questions but no time to cover
  • Top-down talk – less engaging than a practical workshop

Summary

This was my first ORG session and the organisers obviously know their stuff, but it was a skim across the surface and felt like an intro session to a longer course. I think they could increase engagement with less content and more practical focus, and as the session started at 6.30pm, maybe see if they can get sponsorship for some refreshments as most people come directly from work.

The immersive option?

Data privacy is a hard sell, even though it’s one of the biggest issues of our time with surveillance and data capture growing exponentially and often obfuscated and kept out of sight.

Most people know they should do ‘something’ but maybe think it’s too techy, or a hassle, or like me, tell themselves that they’ll get around to it one day and hope they don’t get sprung in the meantime. In short, there are barriers for everyone to overcome.

This next event could be the answer… and I’m pleased to report that I’ve managed to get a spot helping out at The Glass Room London, which opens for three weeks at the end of October.

Curated by Tactical Tech and produced by Mozilla, The Glass Room, was attended by over 10,000 visitors in New York City last year.

It is ALL about the engagement, with people coming in off the street to an immersive, dystopian tech store that exposes the state of their data privacy. Data Detox Kits will be handed out. And there will be interactive exhibits.

It looks really really good, and will be blogged.

End of the sabbatical – so what’s new?

looking ahead
Thinking, thinking…

A year ago yesterday I logged off a seven-year freelance contract and started planning a different life – a healthier one with a better work-life balance preferably, and maybe a change of work focus, and maybe take some time to explore all those things I’d been stacking up on the backburner, fancy stuff like learning Indonesian and skating backwards and the more mundane, like sorting out all my crap and finances.

I’ve spent much of the past year, getting fit – through walking, swimming, Scottish dancing and tai chi – but the biggest health difference has been the ability to leave my screen and just potter. The second biggest revelation was that shorter hours meant less stress-based eating and drinking. I’ve lost a stone. I barely drink. I feel calmer. My neck and shoulders rarely ache and my arms have even redeveloped some muscles.

The big project, the thing I thought I would do was write some kind of memoir based on my travel diaries. That failed fairly quickly. I just couldn’t seem to settle into the slog of a book-length writing project while long solitary screen-based hours were the very thing I was trying to escape. I decided to just explore instead.

One year on, I’ve reinvented this project into a much more fun thing – different ways to mine a diary. Every morning I sit down and carve out something fresh from the diaries, whether that is a code-generated poem or a reworked story in a literary style or a haiku distilled from old travel emails or a vertical date slice juxtaposed with a historical event. I actively look forward to sitting down to work now.

The other big project resulted from the first book I read after stopping full-time work – The Snowden Files on Day Five. I immediately signed up for an OU/Futurelean course on cybersecurity basics, then spent the next year following its advice, from setting up a password manager to sorting out my backups to learning about privacy settings, file and disk encryption, two-factor authentication, PGP, email encryption, Tor browswer and so on. I go to everything I can on infosec to learn more – then I blog it and also share the 101 basics with others in a local café. It’s a fascinating and scary world out there but I’m aiming for practical rather than paranoid.

All this effort has led to something quite exciting…

Yesterday on the anniversary of stopping work I had a phone interview and got the ‘job’ of an Ingenius at the forthcoming tech/art pop-up event, The Glass Room London. Training begins soon and I am very excited to be part of this dystopian tech store where data privacy is the stock in trade. It signals a new beginning, of something, and hopefully something that I can bring back home to Birmingham

So yes, all the big things have changed. I’m earning a fraction of what I used to but I’m healthier and happier for it – I needed to buy time not stuff at this point in life. I’ve also done some mentoring and digital/tech/infosec help sessions and campaigning and protesting, and generally tried to give a little back. I did some long-distance travel, to Eastern Europe by train. I sorted out finances and clutter (ongoing that one). And I met a lot of people in coffee shops to ask their advice.

No, I didn’t write a book, hit my Indonesian 2000-word target (I got to 500 words on my app), invent a moveable maze for rabbits or learn to skate backwards. But I’m ok with that and, besides, there’s still time.

Still my favourite phrase of last year is ‘Everything does change, something is happening’ – it’s still changing and happening now. The sabbatical was slow to start in some ways but it has had a deep impact. The idea of nicking back some of your retirement and living it now is a good one if you can manage it. Because as my hero Ferris Bueller always says:

All my Sabbatical posts are rounded up here.

Seven ways the Bank of England encourages a culture of cybersecurity

Bank-of-England-culture-change-security

“What is important to you?” This is the first question to ask before planning any cybersecurity strategy, according to John Scott, Head of Information Security Education at the Bank of England, talking at the recent Cybersecurity UK Roadshow event in Birmingham (notes here). Because if you don’t know what a client or company values, if you don’t understand their business priorities, you can only talk in absolutes.

As Scott gently points out, 80% of people working in the Security Awareness field come from a background in IT or security and there is tendency to talk in absolutes. While things are moving towards more nuanced conversations around risk, finding people who can both listen and communicate well on this topic can be difficult. The result in many large organisations is an environment of enforced compliance; getting workers to care and engage beyond that is a tough sell.

‘From compliance to culture, awareness to action’ was the title of Scott’s talk. He said compliance and awareness aren’t enough; it’s building a culture of mature security that is required to stay safe. Scott then rated security culture on a scale of -1 (negative behaviours) to 0 (compliance behaviours) to +1 (security maturity and positive behaviours), and outlined the Bank’s encouragement of the following ‘cyber seven’ practices to move from compliance towards maturity (more of which below):

Bank-of-England-cyber-seven

1. Passwords

0 = don’t share passwords

+1 = use a password manager

2. Phishing

0 = don’t click on suspect email links or open attachments.

+1 = report suspicious emails (whether clicked or not)

3. Document classification

0 = classify documents when saved into document management system

+1 = mark docs clearly, dispose of confidential documents safely

4. Clear workspace

0 = don’t leave confidential material on your desk

+1 =  also check printer, whiteboards, keysafe when you leave

5. Remote working

0 = make sure you are not overlooked when working on trains

+1 = keep your remote token separately from your laptop when travelling; report loss of devices immediately

6. Social media

0 = don’t post photos of the Bank on social media or get involved in discussions related to the Bank’s mission on social media without permission

+1 = audit your social media profile – make sure you’re aware of what you and other people are saying about you.

7. Report it

0 = if you see anything that worries you, tell us – ‘See it, Say it!’

+1 = if you’ve done something yourself or caused a problem, report it

This final point raised a lot of questions in the audience – wouldn’t a major breach be a sackable offence, for example? Why would employees admit their error? Scott suggested awareness and education, perhaps telling stories about how coming forward has worked and to try to build trust with your employees.

It’s always better to know that a breach or a vulnerability has occurred so you can address it but you need people to feel secure in coming forward. As the Regional Organised Crime Unit noted in their talks at the roadshow, one of the biggest issues in cybersecurity is the lack of reporting.

Thanks to John Scott and Metsi Technologies for use of the slides.

Notes from Cyber Security UK Roadshow Birmingham

John-Davies-CybersecurityA one-day event held yesterday held at Innovation Birmingham on the Aston Uni campus to help businesses get to grips with cybersecurity. It was organised by Metsi Technologies, and supported by the National Police Chiefs’ Council and Regional Organised Crime Unit (ROCU) in the West Midlands. The Twitter account and hashtag was @cybersec_uk but the backchannel was pretty quiet. Here are my notes.

Cybercrime

The increasing threat of cybercrime runs across a range of levels from nation-state threats to ransomware to IP theft. There were various police chiefs in attendance and the main message seemed to be that cybercrime is massively unreported to police – with the result that sufficient budget isn’t being assigned.

Ashley Bertie, Assistant Police and Crime Commissioner for the West Midlands, sent out a plea to find out what your local police force is doing and engage with their agenda. One available resource that has just launched is the Digital PCSO (Sean Long in the West Midlands) who can go into business organisations, schools and the community and advise on security basics.

John Davies of Pervade Software then introduced the National Cyber Security Strategy, consisting of three main acronyms:

  • NCSC – the National Cyber Security Centre (at GCHQ) – pushes out national strategy.
  • CiSP – Cyber Security Information Sharing Partnership – a place to both get free advice and also report hacks.
  • CES – Cyber Essentials Scheme – certification scheme to show that a business has addressed basic cybersecurity.

Main cybersecurity threats for SMEs

Louis Augarde, lead pen tester for Omni Cyber Security, introduced these as:

  • Ransomware – disruption for financial gain
  • Credentials-based attacks – to gain an entry point
  • Breaches based on known vulnerabilities – often used as a first step to identify weak systems that can be exploited further
  • Phishing emails – to gain credentials and access
  • DDOS – freezes your system temporarily but can also be a smokescreen for more serious attacks

He also introduced me to the idea of baiting, a social engineering tactic to get hold of your personal info by leaving out a USB for people to pick up. Never plug an unknown USB found on the train into your computer!

Cybersecurity help for Birmingham SMEs

If there’s one thing for businesses to do now it is the Cyber Essentials Scheme, said John Davies. Participants address 68 questions on their cybersecurity systems around firewalls, patches, configuration, malware, user accounts and so on. The scheme costs £300 and provides an annual certificate.

The CES process is designed to prevent the vast majority of cyber attacks but also offers a badge to show that a business has made an effort to keep the supply chain more secure.

Other options mentioned include the 80-question IASME governance standard, costing £400, which also looks at data assets, risk assessments, people, policies and disaster recovery. Both CES and IASME were said to be a good foundation in securing businesses and a more achievable alternative to 500+-question ISO27001 international standard.

There is also the newly launched West Midlands Cyber Security Cluster, the 19th in the UK, and people, businesses and organisations can tap into this to get help and advice in tackling cybersec issues. The website looks as if it has teething problems right now so check back later.

Other links mentioned on the day were:

Takeaway quotes and stats

95% of all successful attacks are the result of well-known and entirely preventable vulnerabilities (various reports from 2011)

“Don’t buy the whole onion – security is best built in translucent layers” – Brian Chappell, Beyond Trust, introducing five main layers for organisations wanting simpler security (focus on the high risks, tackle lateral movements of hackers into your system, exercise privilege control, one standard user account for all, configuration management).

The first reported cybercrime was in 1820 – it was the sabotage of some newly invented tech – the Jacquard loom – that automated the weaving process. DCI Rob Harris suggested this was where the term ‘patch’ came from but I’m not convinced that is true.

“Why do they do it? I’ve sat opposite many cyber criminals in my job, some as young as 16, and their answer to this is ‘because they deserve it’.” – National Police Chiefs Council on cyber crime motivation.

“80% of people [in cybersecurity roles] have an IT or security background and they tend to talk in absolutes. You have to find people who can listen and communicate.” – John Scott, Bank of England

GDPR for businesses

Jane Burns of Anthony Collins Solicitors made a valiant attempt at an overview of this super-complicated incoming regulation from May 2018.

The EU GDPR, also being adopted in the UK despite Brexit, offers a whole different world of pain so I’m not going to get into it here but, basically, if you’re not already aware, businesses are going to have to get a whole lot better and more transparent in how they process their data, or they risk big fines, and even worse for some, being cut off from accessing their data for a period of time.

This photo may be useful…

Jane-Burns-GDPR

What does the Bank of England do?

What does the most secure place in England do to prevent cybercrime?

John Scott, Head of Information Security Education at the Bank of England, gave a great presentation on one of the biggest problems facing companies – that of lack of user engagement in an organisation’s cybersecurity practices. He said compliance and awareness aren’t enough; it’s building a culture of mature security that is required to stay safe.

I enjoyed this talk so much I’m going to blog it separately.

Next event: a London CryptoParty on 11 September, a mix of cocktails and practical workshops…

 

 

Tor’s two sides, Amazon’s offline surveillance and how to obfuscate

Interesting links I’ve read this week:

The dilemma of the dark web: protecting neo-Nazis and dissidents alike (Guardian, 23/8/17)

“Perhaps the most important use of Tor, for many of its users, is simply allowing access to the open web in a protected and private manner. The system works by bouncing a request through at least three relays, with each only knowing the positions next to it in the chain: the entry node knows who is asking for a connection, but not where for; the exit node knows what the connection is to but not who wants it; and the middle node only knows to connect the other two.”

Silicon Valley siphons our data like oil. But the deepest drilling has just begun (Guardian, 23/7/17)

“For Silicon Valley, however, anything less than total knowledge of its users represents lost revenue. Any unmonitored moment is a missed opportunity.

Amazon is going to show the industry how to monitor more moments: by making corporate surveillance as deeply embedded in our physical environment as it is in our virtual one. Silicon Valley already earns vast sums of money from watching what we do online. Soon it’ll earn even more money from watching what we do offline.

It’s easy to picture how this will work, because the technology already exists. Late last year, Amazon built a “smart” grocery store in Seattle. You don’t have to wait in a checkout line to buy something – you just grab it and walk out of the store. Sensors detect what items you pick up, and you’re charged when you leave.”

How to obfuscate (Nautilus, Issue 49, 29/6/17)

“The solution TrackMeNot offers is not to hide users’ queries from search engines (an impractical method, in view of the need for query satisfaction), but to obfuscate by automatically generating queries from a “seed list” of terms. Initially culled from RSS feeds, these terms evolve so that different users develop different seed lists.

… The activities of individuals are masked by those of many ghosts, making the pattern harder to discern so that it becomes much more difficult to say of any query that it was a product of human intention rather than an automatic output of TrackMeNot. In this way, TrackMeNot extends the role of obfuscation, in some situations, to include plausible deniability.”

The dick* pic guide to government surveillance

* and boob

I had a conversation with a family member recently about my growing interest in cybersecurity and they responded with ‘I’ve got nothing to hide so I’m not worried’. Basically, let the government watch them if it stops terrorists; it’s all good.

For someone who grew up in the 1980s Cold War (but also basically made a second career out of Web 2.0), it’s about how much they are watching, centralised files, a culture of fear, lack of freedom, potential abuse of political power – and trying to understand the trade-offs of privacy versus security when we put our info out there.

I don’t think I have anything to hide either – except when I do – but it’s not about having something to hide, it’s about having something to protect. We’re not just talking about status updates knowingly shared on Facebook, Twitter, etc; the info at risk is also the stuff you think you are keeping private: phone calls, files and photos stored in the cloud, SMS, email.

Getting people to care about surveillance and infosecurity is apparently an issue, with cybersecurity events often struggling to attract an audience. Calling it infosec or cybersecurity is a kiss of death, according to a friend who runs such events. (It’s true: I’m going to an evening event in London because it’s a CryptoParty in a bar with beer sponsors, etc, whereas a day-long ‘cybersecurity roadshow’ in Birmingham was a much harder sell.)

To help with the ‘who cares’ issue, I finally got round to watching John Oliver’s 2015 ‘Last Week Tonight’ interview in Moscow with Edward Snowden – a deliciously awkward affair in which Oliver played a rude, dumb American asking Snowden’s nice, intelligent whistleblower to explain in layman’s terms (‘Can I share my dick pics or not?‘) why they should give a shit about increasing government surveillance powers and his 2013 revelations.

If you haven’t seen it, it’s well worth a watch. My notes below…

Notes: Government Surveillance: Last Week Tonight with John Oliver (HBO)

  • Section 215 of the Patriot Act (created post 9/11, and extended/renewed) requires businesses to hand over ‘any tangible things'(eg telephone records) to protect against international terrorism.
  • Snowden in 2013 revealed this to be used for the mass scooping up of data.
  • Government says it doesn’t abuse its powers + there are restrictions on how/when they can employ surveillance, eg, through the FISA Court, which grants surveillance warrants.
  • Reality is that FISA rarely rejects an application. From 1979 to 2013, it has approved 35,434 application for surveillance and rejected only 12.
  • Snowden: “NSA has the greatest surveillance capabilites that we have ever seen. Now, what they will argue is that they dont use this for nefarious purposes against American citizens. In some ways that is true but the real problem is that they are using these capabilities to make us vulnerable to them, and then saying, well, I have a a gun pointed to your head but I won’t pull the trigger – trust me.”
  • Is anyone having the conversation about where the limits should be, eg, reform of Section 215. Public debate not happening (that care issue again).
  • Oliver asks if it is possible for the public to have a conversation about something that is so complicated we don’t fundamentially understand it? He shows Snowden a video that shows Americans getting upset about the government sharing and looking at their dick pics. The rest of the interview is framed through this simple analogy.

Can they see my dick?

Section 702 surveillance – yes – through bulk collection if an emailed image crosses a border in some way and is caught on a database.

Executive Order 12333 – yes – the NSA uses this order when others aren’t aggressive enough, so if a Gmailed pic is sent even to a fellow American, it will be stored on Google server, and Google may move this data from data centre to data centre – the US government can capture that if it moves outside of US even temporarily.

PRISM – yes – it captures your info with the agreed help/involvement of government deputies/sheriffs such as Yahoo, FB, Google.

Upstream collection – yes – they can ‘snatch your junk’ as it transits the internet.

MYSTIC – if describing your junk on the phone, yes. Collects content as well in some countries, eg, The Bahamas.

Section 215 metadata – no, but can tell who you are sharing junk pics with (eg a penis enlargement centre).

So what next?

Snowden says: “You shouldn’t change your behaviour because a government agency somewhere is doing the wrong thing. … If we sacrifice our values because we are afraid, we don’t care about those values very much.”

My take is:

  • Keep doing what you’re doing but send/share your stuff via more secure platforms
  • Try to understand the lay of the political and digital landscape and don’t give away freedoms that are at risk.
  • Figure out the trade-offs and fight back against government surveillance where it is an invasion into privacy/freedom – I’m not saying terrorist and other threats shouldn’t be addressed, of course not, but scaling up government powers shouldn’t be done thoughtlessly or in knee-jerk reaction to modern threats without a thought for historical ones that threaten all our civic freedoms. Debate publicly and find the line.

Challenge: Get up early for a week

Kings Heath Park
Park report: King’s Heath is my current favourite to walk to. KECH girls are already going to school at 8am, flicking the finger at friends/enemies and checking out the boys. Drivers are driving like arses in 20 zones. It’s warming up for a 27 degree day. Grass is dewy but drying. A bee is hovering and checking me out – probably the smell of Soltan. Baby Driver soundtrack is playing. A hay fever sneeze. End of year accounts await and later an epic Moselele summer singalong. It’s gonna be a good day.

A random wish on my sabbatical list – and one of the toughest for me as a night owl – was to get up at dawn for a week to see what it would feel like and discover if/how it would change my day/life.

With sunrise at 4.45am in June and dawn at 3.55am, this was a bit too much of a stretch. Still, on the week of the longest day of the year I started to go to bed at 10.30pm in order to get up at 6 – three hours earlier than usual.

Three spare hours at the start of a day! What would you do?

Birmingham is a city often maligned and mistaken for a concrete jungle. Its critics are not aware of how much greener it is than, say, London. We have so many tree-lined streets but also a multitude of parks and recs. Within 30 minutes walk of our house, for example, are 12 or so parks: Kings Heath, Highbury, Cannon Hill, Holder’s Lane playing fields, Row Heath playing fields, Hazelwell, Stirchley, Muntz, Cotteridge, Cadbury’s ladies recreation ground, Bournville and Raddlebarn/Selly Park.

Waterwise, there is also the Lifford Reservoir, the Rea Valley Route, and the Worcester and Birmingham Canal. And, of course, my local Hazelwell Allotments to which I have the key.

I didn’t consciously set out to explore the parks and open spaces of south Birmingham in the early morning hours but it was a natural consequence of walking any short distance. The sun was shining, most people were still asleep or at breakfast, the day felt fresh and new. I downloaded a playlist on to my phone and started walking wherever (admittedly sometimes singing, dance-walking or air-drumming) to the beat of the music.

Here’s what I saw…

Hazelwell Allotments
Cotteridge Park
Muntz Park
Cadbury’s Ladies Rec
Rea Valley Route
Birmingham and Worcester Canal at the Lifford Curve
River Bourn at Stirchley Park and a shadow-me on the bridge

The walking felt good, the views were uplifting, the day started with a feel-good factor, and the music was a key part of the experience, giving me a lift and making me walk further and further, for an hour or more at a time. Coming home, my tea and toast never tasted so good. I even fitted in a meditation for extra deep levels of calm and relaxation, or visited a friend for a tea. And I still haven’t got over the weird feeling of having done so much and it being only 8 o’clock.

There were some downsides: losing my creative time at the end of the night and needing a nap to get through the day. But…

At the end of the week I was convinced enough to keep going with this new regime of getting up early Monday to Friday (and lying in at the weekends). Sunset walks were added, walks with friends and some trips further afield…

Harborne Walkway with Danni and Emma – a disused railway line close to the centre of Brum
Cannon Hill Park
Cannon Hill Park
Holders Lane playing fields and a paddle in the River Rea with sis
Kinver Edge walk with bro
Kinver Edge Rock Houses and breakfast overlooking the Black Country

On one walk I even discovered a secret canary yellow canalside breakfast caff in Stirchley, called the Barge Thru Café. It caused quite the stir on Twitter and I felt a little Lewis and Clark, discovering new things in an area where everything seems to be known. A breakfast expedition with other Stirchillians is already being planned – and if not a walk, an approach by raft or inflatable like the pioneers we aren’t. The adventure continues.

Brazilian-looking cafe at Stirchley ‘marina end’ – an unexpected find

And so…

It has had a big effect on me, and my mental and phyiscal health, this getting up early malarkey. This is the call to action bit. Is anyone else interested in an early morning walk around the B13, B14, B29, B30 post codes – there are some areas I don’t want to venture alone, namely the canals and commons.

Get in touch if you do.

Since Snowden… a visit to Infosecurity Europe 2017

Fiona Cullinan, Infosec Europe 2017

‘Since Snowden’ has become a bit of a catchphrase for me after his revelations in 2013 about the mass government surveillance of our data. Since Snowden I’ve watched Citizenfour, read The Snowden Files, completed two OU cybersecurity courses, joined ORG Birmingham, learnt how to use PGP encryption, risk-audited my personal info and started putting some basic processes in place so I am more in control of my data.

This is something I hope to starting helping other people with, so if you have a question about passwords managers or how to risk-assess your info, for example, get in touch. I’m still learning so it’s basic guidance only and probably best done at a friendly local level than in any official capacity.

Last month I also attended two days of Infosec Europe, the largest event of its kind in Europe featuring a conference programme, 360+ exhibitors and around 15,000 visitors. It was very much aimed at larger organisations and since I’m at the individual and SME level, there was some disconnect.

That said it was probably one of the best conferences I’ve attended outside of SXSW and I came away with a lot of info and contacts – enough to know that this is going to remain a definite interest of mine for some time to come.

So I’ve started a Twitter list of Women in Infosec because I missed that session at #infosec17.

And collected a few conference links for reading and reference:

Hello Infosec World.