The Computing newsdesk's views on the latest issues in UK business technology

Monday, 16 March 2009

Lord Carter’s Digital Rights Agency - Straw Man or Wicker Man?

Last Friday, Digital Britain supremo Lord Carter unveiled a Digital Rights Agency (DRA) “straw man”, inviting public views as to whether it should be, “torched, tolerated or a touchstone for the start point of constructive debate and design.”

The responses should address what role any DRA, “should play in protecting and promoting the legal use of copyright content online, and how industry, consumer groups and government can work together to create an environment where investment in creativity is rewarded,” said Carter.

However, it looks like the two main points in the punt for public comment are: who exactly is going to fund this agency, and who will have the clout to legally enforce any decisions the DRA needs to pronounce on. And does it become an independent industry body with back-up legal powers held by Ofcom? Presumably Lord Carter will pronounce more authoritatively in the final Digital Britain report due in the summer, but this particular “straw man” consultation will end on 30 March.

Coincidentally, anybody watching ITV1 the night before the unveiling of the DRA proposal would have seen that classic British horror film The Wicker Man, with Edward Woodward’s god-fearing police officer uncovering pagan rituals and other shenanigans on a Scottish isle while investigating a missing person.

One of the “other shenanigans” involves being tempted by Britt Ekland dancing naked in the room next to the one Woodward is trying to sleep in. I suspect Lord Carter has yet to be similarly tempted, but he should know that Woodward, the government’s official in that film, ends up being burnt alive in a 60-foot-high wicker man at the end of the movie.

Lord Carter is unlikely to suffer the same fate, but the proposals for any DRA just might.

By Dave Bailey

Thursday, 04 December 2008

Data watchdog must prepare to be hounded

The new powers awarded to the Information Commissioner recently have been well trailed by the government for more than a year. Indeed, they were trotted out as a response every time the government suffered another data loss, as if a more powerful commissioner would be some sort of panacea. It won’t.

I am often asked why I think government data losses – not exactly scintillating stories – have become the stuff of headlines.

The answer is threefold.

First, HM Revenue & Customs (HMRC). The loss of 25 million child benefit records was a huge blow for the government and undermined Gordon Brown’s carefully crafted image as a safe pair of hands. If the hands are not safe, and their owner was presiding over an increasingly authoritarian government, this was a worrying chain of events.

The media love a narrative in the vein of “recent event illustrates larger problem” and here they have a story that will run and run.

Second, ID cards. However much the government tries to bill this initiative as a new type of passport, the public remain unconvinced.

The ID card scheme is stuck between a rock and a hard place. ID cards play into the left-wing media’s concerns over the erosion of civil liberties and the right-wing media’s concerns over a growing nanny state. The success of the Conservatives in linking every data loss story to the theoretical vulnerability of the National Identity Register has added grist to the mill.

Which brings us to the third reason: David Davis. By making opposition to the growing “database state” a tenet of his by-election campaign the former shadow home secretary helped keep data loss in the headlines.

One result of all this media attention is the profile of the Information Commissioner. Current incumbent Richard Thomas found himself thrust into the limelight – and after years of calling for stronger powers he now has them.

Opinions are mixed on Thomas’s reign. He comes from a legal background in a field that is becoming increasingly dominated by technology. Recently his office has suffered a huge backlog of cases as well as staffing problems, with many of the commission’s lawyers leaving.

But nobody could claim that data protection has not risen up the news agenda under Thomas’s stewardship.

However, his yet-to-be-appointed successor, due to take over in June 2009, will have a different job to the one Thomas inherited. The job will be more politicised, it will become the object of more media focus, and the new commissioner will be expected to keep government use of personal information in check.

Whoever is appointed must be up to speed with technology – many think somebody from an IT background would be suitable.

But just how much will the Information Commissioner’s powers help solve the government data loss problem?

Changing the culture of government will be no mean feat, especially at a time when technology is enabling more information sharing. Even though the fines that can be levied have increased, they are still a token gesture. What really matters is the adverse publicity of a data breach.

The national media is far more attuned to incidents of data loss than ever before, so the Information Commissioner can make an enormous splash through a carefully timed press release. And that means political paymasters will be keeping a gimlet-eyed lookout on the commissioner’s activities.

Instead of struggling to raise the profile of data protection, as Richard Thomas had to do, it seems more likely that the next commissioner will face more of a challenge keeping some distance from politicians from all sides.

By Tom Young

Wednesday, 08 October 2008

Security issues go around and come around

Some of the stuff I hear at security events is interesting, thought provoking, pertinent and pretty useful for our readers. Most of it though is grandmother-sucking-eggs type stuff. And yet it still apparently needs to be said. At the ISSE conference this year, which has always claimed to have one of the more discerning audiences on the security conference circuit – the great and good from the information security community – one or two presentations fell into the latter category.

Case in point: A presentation on security for small and medium-sized enterprises (SMEs) by a researcher from Cardiff University told us that, um, SMEs aren’t very good at security. Well, to be fair there was a little more to it than that. Specific points he raised from his research were that very few have requirements in place for security, few people test their backup data, even if they actually back up, and most tellingly, only around a quarter said they actually know what information assets they have. A bit worrying, especially when you consider that SMEs, as we’ve all heard, employ about two-thirds of the workforce and contribute in total more to the economy than large organisations.

And then the more useful stuff for chief IT security officers: Obviously many in the security industry get a lot of value from sharing best practice, looking at the things their peers are doing that have proven to work. And so Roland Muller, corporate information security officer from Daimler Financial Services, explained the value of security assessments in a multinational organisation. To put it simply - it’s very valuable, according to Roland. But the key points he made for anyone wanting to do similar were:

1) Get management buy-in for any security assessment scheme.

2) Link it to international standards, rather than a local approach.

3) Maintain regular contact with management and local security guys, “the people who are always the victims”, according to Muller.

4) User education is vital – “Policies are written by security guys for security guys. You need a simple way to bring the message to people.”

By Phil Muncaster

Friday, 02 May 2008

Big Brother is filling up your car

A couple of weeks ago a Computing reader wrote to the editor:

"Mike Byrne is concerned that he might one day have to present his ID card when buying petrol. He need not worry - this is not necessary. At Birchanger Green services on the M11 I recently observed a notice that all registration numbers are checked against the Police National Computer (PNC) before the pump is enabled - and that this information will be retained."

Interesting.

Private sector bodies are not meant to have access to the PNC – indeed to do so would be illegal.

It turns out the system under discussion is known as ANPR – automatic number plate recognition. ANPR was widely installed at petrol stations around the country to prevent petrol theft, according to the National Policing Improvement Agency.

But who runs it? Go to the local force, they said.

So I rang Essex police. They said ANPR systems are run by the petrol companies, not the police, and this wasn't specific to Essex, it was the same all around the country.

Worried, I rang Shell, Esso and BP. All referred me to an organisation called BOSS – the British Oil Security Syndicate.

BOSS director Kevin Eastwood told me that these are all police systems, installed by private contractors.

Turns out that the systems examine a vehicle's licence plate against the PNC WITHOUT giving the cashier, or the petrol company, access to the database. 

The driver is then cleared or flagged, and the cashier has the option to enable the pump. The whole process takes a matter of seconds.

Interestingly, it seems that should a car do a runner, the cashier then has the option of adding the record to a police database.

So although Shell / Esso / BP employees cannot access the database, they can add records to it by flagging cars that have done a runner.

It is only the police who can run and can access the database.

I rang Essex police back to confirm this: I'm still waiting for them to get back to me.

So if you ever feel that Big Brother is out to get you, you can take small comfort in the fact that he is a more disorganised and lumbering beast than you might expect.

By Tom Young

Monday, 21 April 2008

Another dubious survey

Apparently, 45 per cent of women and 10 per cent of men were happy to give up their email system passwords in exchange for a bar of chocolate at a London railway station.

Infosecurity Europe surveyed 576 office workers at Liverpool Street station, asking for names, passwords, phone numbers and dates of birth.

Researchers also collected names and telephone numbers from 60 per cent of men and 62 per cent of women who thought they would be entered into a draw to win a trip to Paris.

While it would seem that Londoners are becoming less gullible – overall 64 per cent of people were happy to exchange their password details for a bar of chocolate when the survey was conducted in 2007 - respondents had to be subsequently told that they'd inadvertently participated in a survey.

I’m all for raising awareness of data security and I’m sure the survey gave a couple of hundred people something to think about, but this research cannot paint a true picture. It only represents the behaviour of a few people that allow themselves to be quizzed. I wouldn’t mind betting that people who don’t talk to strangers are less likely to disclose their personal information.

And what really baffles me is that there is a Thorntons at Liverpool Street anyway. Has the credit crunch got that bad?

By Janie Davies

Thursday, 03 April 2008

Does David Davis know what an ID card does?

Politicians are very convincing people - it's their job. Never have an argument with a politician; they are professionals. Not only will they destroy your argument, they will make you look silly by getting everyone to laugh at you.

Moral positions that I have spent years presuming to be true have been destroyed in seconds by a well constructed political argument on BBC Question Time.

I've recently been thinking all this goes to show that moral force is dictated by the strength of your voice rather than any notion of right and wrong - but this is all undermined when you get your facts wrong.

All this was proved very forcefully to me when I realised after questioning him at a Microsoft event that shadow home secretary David Davis doesn't know his stuff when it comes to ID cards.

First, my position:

I'm not pro ID cards, but I think a lot of the arguments against them are based on fundamental misunderstandings as to their purpose.

Second, Davis' position:

He thinks it's dangerous to have so much information in one place, and thinks it "personally wrong" on a "philosophical level."

What then is the difference ethically between a biometric passport and an ID card?

"It's the central holding of information. Carrying something which has a thumbprint or an iris scan is fine," said Davis.

Ah. Gosh. Can it be true that the shadow home secretary - the strongest voice in criticising government policy this country has after Tory leader David Cameron - doesn't know that those with biometric passports will have their details put onto the National Identity Register under current government plans - a key part of the scheme?

It seems so.

Lord Toby Harris, a peer on the House of Lords science and technology committee, was quick to pounce, saying there were not any essential ethical differences, for the reasons outlined above.

Davis kept on smiling.

Nobody seemed to notice.

How often are "philosophical" and "moral" arguments used to convey a weight of sincerity on issues that are being manipulated for political ends?

Do (successful) politicians actually believe in anything?

By Tom Young

Thursday, 20 March 2008

Phishing for the truth

Phishing – the notorious ruination of luddite police officers and pensioners who wander online – has been widely covered in the IT press over the past three years or so.

This is largely thanks to some well-oiled press machines in the IT security market – these companies have some money to burn.

Phishing also makes it into the red top and mid-market national tabloids from time to time.

For example, see Big phish in the Mirror or Bank details being sold over the internet for just £1 in the Daily Mail.

Both articles were driven by security vendors.

And there was even a leader in the Sun - Something phishy afoot.

Now you wouldn't know it from reading the IT press – or indeed the national press – but phishing has been significantly reduced in the last year.

According to banking industry body Apacs – a highly reliable barometer – online banking fraud losses in 2007 were £22.6m - 33 per cent less than in 2006.

And yet the security company press releases still continue to churn out. Here's an excerpt from a recent one from RSA – which came out the same week as the Apacs figures:

"RSA has seen a growing number of phishing groups or networks that utilise botnets of proxies and Fast-Flux techniques. Since RSA first flagged these new trends in December 2007, it has identified five new phishing networks that rely on hijacked proxies. RSA expects this trend to continue in 2008," it said.

It was reported with headlines such as: Banks under attack: Phishing on the rise and Phishers widen attacks on banking industry by other IT news sites, and Phishing attacks hit six-month high on our own site Computing.co.uk.

This is in no way a highbrow criticism of the journalists – I have written countless versions of similar stories in the past, sometimes with far more sensationalist headlines than these. I am merely pointing out how someone who did not understand the technicalities might get a skewed perspective of the problem – especially if they only read the headline.

The stories are entirely accurate – but don't point out the difference between the number of phishing emails sent out and the number that successfully scam money.

Improvements in technologies such as fraud detection and two-factor authentication have reduced the number of successful scams.

In his book Flat Earth News, which angered many journalists, Nick Davies finds that more than half of national newspaper stories consisted mainly of wire copy and/or PR material.

And interestingly, his book highlights the fact that recycling scare stories is a particular danger when it comes to technology – precisely because people (both the public and journalists) don't really understand the issues.

So the millennium bug produced the headlines:

‘National Health Service patients could die’ (Telegraph)

‘Banks could collapse’ (Guardian)

‘Riots, terrorism and a health crisis’ (Sunday Mirror)

‘Pensions contributions could be wiped out’ (Independent)

‘Nato alert over Russian missile millennium bug’ (Times)

The government spent millions on the problem as a result. Countries such as Russia, Italy and Korea who spent next to nothing on fixing the bug suffered hardly any ill effects.

Like most journalists I am guilty of what Davies calls “churnalism” as much as anyone – perhaps more so. But from now on - whatever the pressure - I'm going to try and make an effort to improve, and to make sure I understand the things I'm writing about.

By Tom Young

Tuesday, 11 March 2008

Are we really so scared when online shopping?

In last week’s Computing, we discussed consumer confidence online on the back of a YouGov study commissioned by software vendor VeriSign.

According to the report, more than half (57 per cent) of the 2000 consumers polled by the researcher said they are concerned about online crime and an even larger chunk (78 per cent) is concerned about identity theft.

But comparing the results of the research with our real-life online habits paints a confusing picture.

We buy goods online via sites such as TK Maxx, even though the card details of 45 million of its customers were in hackers’ hands for 16 months before the theft was discovered.

We book our holidays from businesses such as Travelodge, which exposed customer data, including credit card details, to other customers due to a web site glitch.

Convenience is a very powerful driver of consumer confidence. For many people - myself included - if it means that food delivered to my door is just a few clicks away, I will happily give my name and address to my supermarket of choice. If it means that I won’t need to brave the crowds to buy that pair of shoes, I will definitely buy it online.

Even though we say we are worried about internet crime, we comfortably share all manner of personally identifiable information with social networking sites, retailers, banks and so on. In short, a fair amount of what we do online requires us to disclose personal or financial data, so there is no way out.

And how do we know that we are safe online? I try and look out for the little padlock at the bottom of the screen when I enter my private information on a web site, but is that enough, I wonder? I normally take vendor comments with a pinch of salt.

So research suggests we don’t know what the online security options are and experience suggests we don’t like anything that gets in the way of convenience.

In the meantime, we continue clueless and keep getting supposedly helpful technology we don’t necessarily like, or that is inefficient. Attempts to tackle online crime include two-factor authentication tokens, but many claim that they can be easily hacked.

Besides, if every bank decides to offer tools such as authentication tokens, am I going to have to use three gadgets if I have three different bank accounts? Forget about it.

By Angelica Mari

Thursday, 26 April 2007

Time to take online security seriously

If there is such a thing as a security season, it reached its frenzied peak this week. The UK has gone security mad and for the past month or so we have been bombarded with research and theories.

We know, for example, that 25 per cent of organisations do not enforce wireless security policies and that 64 per cent of office workers would be willing to swap their passwords for a bar of chocolate.

With such a furore in the IT industry it would be easy to believe that the security message is universally understood, but facts and figures paint a different picture. Security is still a massive problem and electronic crime is increasing.

According to banking body Apacs, losses from online banking fraud leapt by 44 per cent from £23.2m in 2005 to £33.5m in 2006. And in the same period the number of phishing attacks on banks rose from 1,714 to 14,156.

We are told online security is incredibly important and more needs to be done to secure data and prevent attacks, yet the behaviour of influential bodies is more relaxed.

Take Barclays Bank, for example. Last year it said it was going to issue all of its online banking customers with two-factor authentication devices to reduce phishing and card-not-present fraud. Last week, however, it said only a quarter of those customers – about 500,000 people – will be issued with the devices.

If online crime was so serious six months ago that all customers were to be issued with these devices, why has it become less so?

And then there are the law enforcers. Last year the National Hi-Tech Crime Unit was disbanded, and earlier this month police forces handed over e-crime reporting responsibilities to Apacs.

The message is muddled. Online security must be treated with the same regard as physical security. If the police handed responsibility for burglary reporting to an alarm manufacturers’ body there would be outcry.

If official bodies are not going to lead the way, responsibility falls on the IT and business communities. When two thirds of people are dumb enough to swap passwords for sweets, a lot more work needs to be done.

Businesses need to work harder to enforce the point that security companies need to get back to basics on defining their message if we are to make any headway in combating online crime.

Tuesday, 10 April 2007

Online shoppers are asking for trouble

A survey published today about consumer attitudes to data security makes for bleak reading.

Almost three-quarters (72 per cent) of UK consumers are quite happy to have personal and financial information stored on web sites they visit regularly, according to the report published by communications consultancy The Aziz Corporation.

The associated risks are apparently not of sufficient concern to outweigh the convenience factor of having sensitive details held by online retailers, the survey finds.

Two-thirds of respondents (64 per cent) make use of the option of having their credit card and other personal details stored to save time in future.

With such a high proportion of people willing to have such important data held about them, it is no wonder that phishing and online fraud is rife.

While most of the sites holding this data are considered reputable, it is inevitable that the more places personal data is stored, the more at risk it is of being stolen.

We would not leave a note on our front doors pointing to where the spare key is kept and giving the burglar alarm code, so why are we so cavalier about protecting online data?

The same survey says 73 per cent of people admit to not fully understanding the risk of submitting financial details to web sites, and so the blame cannot fully lie with the consumer for its lax attitude.

Organisations working to reduce rocketing e-crime levels must step up their education efforts because the message obviously is not getting through.

If online shoppers carry on with this casual attitude to securing personal information, they are asking for trouble.

It is high time we take our online security as seriously as we do our physical security.

