Saturday, November 24, 2012

IRISSCON 2012


It's that time of year again. This year's IRISS Cybercrime Conference took place in the same venue as last year, The Berkeley Court Hotel, now known as the Clyde Court, in Dublin 4. You can get the programme and speaker bios at the link above, so I'm not going to repeat them below. As of 3/12/12 you can also access most of the presentations through the above link.


As with last year's conference, there was an impressive array of speakers at the main session which, again, was very well attended, despite a mandatory fee this year replacing last year's voluntary contribution. As you will gather from the picture above, I turned up very early.

Next door to the main room was the traditional hacking competition which went on right through the day in parallel with the main sessions. More on this later. But, for now, back to the beginning in the main room.


Brian Honan, of IRISS, welcomed the attendees for an early morning start to a packed day. Brian is the lynchpin of the event and he is helped by an enthusiastic band of volunteers. The rising reputation of the event is such that it can attract top notch practitioner speakers from abroad as well as the support of those at home.

Presentations are authoritative, crisp and always delivered within the time allotted.


Brian (left) and Gordon Smith, the IT journalist who comperes the day, also tweet their way through the sessions as do many in the audience. Check out the conference hashtag.

I reported in extenso on last year's conference, which was my first. This year I intend just hitting what for me were the highlights and, where available, I'll link to presentations or commentary.


The most emotionally challenging session promised to be Michael Moran's Tackling Online Crimes against Children. And so it proved. Michael's down to earth and friendly manner of presentation took not one whit from the viciousness of his subject matter. He came with a health warning: if you thought what was coming might be too much for you to bear, you were quite in order to take a pinkelpause at this juncture. Nobody would think the worse of you.

I'll wager there was more than myself with a tear running down their cheek at the end of the presentation.

Michael had circulated a link to the NYT in advance of the conference. This was to a piece by an employment agony aunt, responding to an employee who wondered what they should do after finding inappropriate images of children on their boss's computer. The advice, after much tossing and turning, was to do nothing.


I couldn't believe it. And I was all fired up to see how this advance piece of homework could be defended by the speaker on the day. Thankfully, it was made perfectly clear, in a quiet steely voice, that this was precisely what not to do. Further damage to children was what was at stake here and any self respecting and concerned person was under a moral, and possibly legal, obligation to report their findings to their national abuse enforcement centre.

And the audience was left in no doubt that they were at the head of the queue of those relied on to shine the light on this stuff, wherever it emerged.

One of the hard bits was Michael's emphasis on the prevalence of "pre-speech" as opposed to "pre-pubescent" material. This sickening feature underlined his central contention that what we are dealing with is not just pornography; it is not pornography at all; it is child abuse.

Somewhere in the middle of all this emotional turmoil, we also heard stories of hard slog traditional detective work: images where backgrounds were analysed for the locations of rocks or trees; common backgrounds which identified serial abusers, and so on.

It's just as well the session lasted only half an hour. It was tough going even at that. All credit to Michael for a magnificent if disturbing presentation.


It then fell to Gordon to provide the link in to the next speaker: Neira Jones, who would talk on Incident Response and the Social Media.


While Brian was linking up the hardware, I was fleetingly thinking of Brigitte Bardot, and then we launched into a very tight and structured presentation which demanded all my attention.

Neira took the audience through the various stages of responding to a security breach. The key was to have at least a web page template prepared in advance, and, when a breach occurred, to feed in as much information as possible about the breach. Then the various social media could be used to direct people to the web page. That way the company stayed in control and stood a reasonable chance of maintaining the trust of its customers.

Otherwise the public will be directed by Google to other sources of information and speculation and the company will be on the back foot responding to its irate customers.

The company should always be up front with information on the latest developments and give a full frontal apology. It's not enough to blame the mess on someone else, such as a firm to which you have outsourced your security or your processing.

Neira took the example of the theft of some millions of passwords last June where LinkedIn's response was tardy, incomplete, and self-serving. They had lost the plot from the outset.

While I was listening to this I was wondering why she had not based her example on the recent appalling reaction of Ulster Bank (a rival of Neira's own Barclays) to its problems which caused huge hardship to a whack of its customers. It then struck me that the Ulster thing was a monstrous cock-up rather than a breach of security. However, all of her advice, in terms of response, was equally relevant to the Ulster case. This is an infographic presentation of that advice.


The keynote speaker at the conference was Marcus J Ranum, who has been a leader in the cyber security area for the last 30 years. He was speaking on Cyberwar in the Era of Stuxnet. His interest in the area embraces the wider politics as well as the technicalities of cyberwar. He took as his text the Geneva Convention and its relevance in today's cyber environment. He examined how it is being breached daily by the major powers, with particular reference to his own country, the USA.

He pointed out that the Convention did not refer to war as such, only to conflict, and participants in a conflict had rights. He trashed the conceit of the Bush administration in attempting to get round the Convention by defining "alleged terrorists" as a new class of "enemy combatants" and thereby enabling the administration to detain civilians indefinitely without trial.

The Convention was clear in its prohibition of the targeting of civilian installations. But this was being done all the time. And even where military installations were being targeted, shared bandwidth could mean that the functioning of civilian facilities, such as hospitals, was put at risk.

He drew attention to the anomaly of Hillary Clinton's call for China to be punished for mounting cyber attacks on USA assets, while, at the same time, the USA was releasing Stuxnet into cyberspace in an attempt to sabotage Iranian civil facilities. It was quite clear he considered that the Convention would view this as a war crime.



Gavin O'Gorman took us on a trip Investigating Law Enforcement themed Ransomware. This stuff is usually picked up off porn sites. Your computer freezes and you can't access its contents, but you get a very official message which includes, in the Irish case, the Garda logo. This tells you that you have been a bad boy and you will have to pay to have your computer freed up.

The perpetrators have ingenious and safe ways of getting hold of your money and in almost all cases, even after paying up, your computer remains frozen. Welcome to the big bad world of cybercrime.


In what may turn out to be one of the most relevant presentations to the Conference, Mathieu Gorge warned that security in the Irish cyber infrastructure was not up to scratch and a successful attack could lead to a loss of credibility in the sector with many of the current multinationals moving out. This is not alarmism. Mathieu's credentials are impeccable. He has an international reputation and, for the last number of years, through Infosecurity Ireland (ISI), he has been attempting to promote interaction and cooperation across the sector to develop Ireland as a centre of excellence in information security. In my view there are serious lessons to be learned here from the recent collapse of the Irish financial sector and it is getting very late in the day.


A major benefit of the Conference is the intensive networking that goes on during the coffee and lunchtime breaks. And afterwards in the bar, it must be said. People, including the most sought after, are very accessible. Even a non-professional like me could manage a long and animated conversation with Marcus Ranum, with a piece of video footage thrown in. I say thrown in because the sound quality in particular is pretty shit. I should have got him into the abandoned main room with a bit of quiet. Anyway, I'm linking to it just to prove I'm not spinning a yarn.



Meanwhile, next door in ROOM 101, the hackers were hard at work. This year's challenge was world domination. A number of servers represented countries around the world, and the objective was for each team to see how many servers they could capture while also defending those already captured. Points were given for each minute's possession of a server.


The results were even more dramatic than an Ireland/Fiji rugby scoreboard - 513:10.


And the winners (above) took the trophy for the fourth successive year.


A subsidiary challenge was to turn off the Zombie's mobile phone without touching it. A vulnerability had to be identified and exploited. As it turned out there was a three way tie in this one as the phone took a while to turn off and three teams hit the target during this critical period. The problem was solved with a conventional cyber-runoff.


There is a serious purpose to all this fanciful stuff. The goal of the Cyber Security Challenge is to identify Ireland's top cyber security experts. Teams compete against each other in a controlled environment to determine which one will be the first to exploit weaknesses in a number of systems and declare victory. Competitors see how attackers could gain access to their systems and how to prevent such attacks from impacting their network.

And, as Brian remarked, if you hire any of the successful competitors, you get what it says on the tin and bucketfuls more besides.


The challenge was run by The Honeynet Chapter and they got great feedback on the day.


I attended on behalf of
.

Wednesday, November 21, 2012

L'Amitié


I came across this the other day and thought it worth sharing.

In 1963, many moons ago, I was an "au pair" boy in France. They called the male of the species "moniteur" and, as well as looking after four young lads, aged between 9 and 15, I was to teach them sailing, tennis, and, of course, English.

The teaching is another story and I have briefly touched on that part of my life as a language teacher here.

The point of this post is simply to share the gift they gave me when I was leaving (above).


Thursday, November 15, 2012

O&M



You're as busy as hell trying to catch up with your work. Your responsibilities have been increased and your staff reduced. Deadlines are screaming at you. Then you remember you're supposed to be submitting progress reports all along the way.

The last straw.

So what do you do?

Take a valium, ink your quill, and write the following:
These papers should have been earlier transmitted, but from the constant pressure of business, and the want of regular assistance, it was not practicable.
And that is exactly what Colonel Benjamin Fisher told the Secretary for the Military in June 1804 (above).

Colonel Fisher had been entrusted with the speedy construction of the 26 Martello Towers, and associated batteries, intended to defend Dublin Bay against an imminent French seaborne invasion.

What he could have said was:
Reports? What reports? Fcuk off, can't you see I'm busy building Martello Towers.

Sir!

Good on ya, Benjie.

Sunday, November 11, 2012

ANIMA

Photo: Brian Kelly

ANIMA is a chamber choir and this was their first concert in Clontarf.

They sing a wide range of music and have performed at a number of Dublin venues, including the Peppercanister Church and St. Nicholas of Myra in Francis St.

They were formed in 2008, and in 2011 won first prize in both the Chamber Music and Sacred Music Competitions at the AIMS Choral Festival in New Ross.

Today's venue in St. John's Church on Seafield Road was ideal for their type of music and the church was packed.


Under their conductor, Bernard Sexton, they performed a suite of English folk songs arranged by John Rutter and entitled The Sprig of Thyme. This included such well known titles as The Keel Row, I know where I'm Going and The Sally Gardens, but my own favourite was The Willow Tree which I thought brought out the best in the choir.

They are very controlled, with a wide dynamic range and voices which blend beautifully. I preferred the passages when the full choir was singing to those limited to individual parts.


They also sang arrangements of Ave Verum Corpus and The Stabat Mater by Bernard Sexton, their conductor, and these also brought out the best in the choir.

I wasn't terribly gone on their third item: Two Elizabethan Lyrics by Nils Lyndberg - settings of A Ditty by Sir Philip Sidney and Sonnet XVIII by Shakespeare. To my ear these sounded a bit like test pieces rather than entertainment, but the choir rendered them to perfection.


The piano score in the Rutter suite was innovative and varied and a strong counterpoint to the choir. Accompanist Danusia Oslizlok's stylish rendering provided a neat continuity through the folk songs.

Ray Watson, as compere, blended so well into the setting that I initially thought he was the Vicar until I recognised his voice.

A most enjoyable afternoon and I look forward to the choir's Christmas Concert at the same venue on 16 December (3pm start).

The Fourth Programme


Ireland's Third Programme for Economic and Social Development expired at the end of 1972.

I was working in the area at the time and decided to design a cover for its successor. A laborious task in the days of Letraset.

For my inspiration I drew on that magnificent blow for Irish freedom, struck some years earlier on 8 March 1966, when Nelson was blown off his Pillar in the middle of the night. The Irish army blew up the remainder of the Pillar itself a week later, and City Hall moved in with the wrecker's ball to pulverise its base the following morning.

It would take a further 30 years or so before the resonance of this imagery found traction as the hubris of the Celtic Tiger led us to take the wrecker's ball to our own economy.

May we rest in peace.

Saturday, November 10, 2012

Gutenberg


I printed the above notice myself, in moveable type, on a roller proofer in the National Print Museum in the Garrison Chapel of Dublin's Beggars Bush Barracks.

This is a place full of old magic. It starts with a working wooden replica of Gutenberg's original printing press and goes on from there.


This is the roller proofer I printed the notice on.


And this is a top view, with the moveable type in the chase and the pad fully inked with the hand ink roller resting on it.


To be fair, the only piece of composing I actually did was my own name. The rest of the type had already been assembled in the chase. I inserted the name, the quoins were tightened, I inked the type with the hand ink roller, placed the paper on the type, rolled the pressure roller over and back, and became a wanted man.


The place is an Aladdin's cave of print. There are moveable type machines and a linotype machine just like in the newspaper works in the movies. There are even humble Adanas like the one I had myself. And at the other end of the scale, the machine in the far corner which takes an unpronounceable size of paper, so big it can't be got in Ireland. It's an old Imperial measure, bigger than A1, and it prints 16 A5 pages of a book on one side of a single sheet.

The yellow framed thing on the wall is a copy of the 1916 Proclamation which is a printing story in its own right.

Check out what's on and pay them a visit. There are tours and demonstrations and exhibitions and workshops. Fabulous.

Sunday, November 04, 2012

Jersey (CI)



This post is intended as a short backgrounder on the current situation regarding child abuse in Jersey (CI).

The Background

Behind its façade as a British holiday resort with a taste of France and without the hassle of the French language, Jersey is actually a very different place.

It is small (about 46 square miles / 120 km²). It is parochial, not only in the attitudinal sense of the word. Its administration is significantly based on the parish (of which there are 12 on the island). It is a Crown Dependency, which means it is not, strictly speaking, part of the UK or the EU. Technically the Queen is in charge, and is responsible for good governance on the island, but she normally delegates her authority to the UK Justice Minister. Jersey has its own Parliament, called the States.

Some years ago, individuals involved with the Jersey Sea Cadets were investigated in relation to child sex abuse. Despite suspicions of more serious crimes, there was only one arrest linked to child pornography. However, links to other institutions, including Haut de La Garenne, emerged in the course of the investigation and these were followed up leading to the wider abuse investigation.

That investigation was initially covert as the leading policeman did not want to alert the island's political authorities. Given their suspected complicity in what was going on, they might have been tempted to stymie the investigation. At a later stage the investigation had to go very forcibly public. This time to reassure survivors of abuse that it was serious in getting to the bottom of the problem come hell or high water, and that unlike in the past, the survivors would be taken seriously if they came forward with evidence.

The intense publicity for the investigation was also intended by the police to make it harder for the island's ruling elite to interfere with, or stop, the investigation. It was also intended to put pressure on them to follow up with appropriate action themselves, such as prosecutions, which they had previously been reluctant to do.

During the covert stage of the investigation, and not knowing it was in train, the then Health Minister was conducting some research of his own in response to approaches from survivors. This put him in a position that, when he was asked in the island's parliament if he was satisfied with the island's child protection régime (for which he was responsible), he had to admit that he wasn't. This admission set the cat among the pigeons and the ruling elite had him dismissed shortly afterwards.

Much to the dismay of the authorities, the police investigation then went seriously public and despite its public protestations to the contrary, the ruling elite did everything in its power to close down that investigation. The Senior Investigating Officer (Lenny Harper) was shortly due to retire and that probably saved him from the fate of his boss the Police Chief (Graham Power) who was suspended (effectively dismissed) for doing his job without fear or favour. Every effort was then made to rubbish the investigation, shut it down, and slur the officers concerned. Combined with a policy of procrastination and petty harassment, this seemed to be succeeding, at least for the moment.

Now the revelations about Jimmy Savile have once more turned the spotlight on Jersey and it will be up to the people of the island, and the justice campaigners in particular, to ensure that this opportunity to rekindle the investigation is not missed.

The Cover-up

The original abuse scandal has been enormously complicated by the subsequent cover-up. Many of those in power in Jersey, even where not involved in the abuse itself, have become complicit in covering it up. And some of those still in positions of responsibility are themselves alleged to have been involved in the abuse. This has meant that anyone attempting to get to the bottom of it runs straightaway into a brick wall.

So it is not surprising that there has been a concerted effort by the power elite to suppress any real investigation, slur and harass the investigators, and try and avoid any adverse publicity outside Jersey.

The island is a serious "tax haven", used not only by "foreigners" but also by the UK itself. Reputational damage could have serious financial repercussions for the island and the UK. So it is not hard to understand why it is proving so difficult to get the UK authorities, who are effectively responsible for good governance in Jersey, to take action.

On top of this there are serious allegations of UK celebrities, politicians and other authority figures having availed of the pool of abusable children in Jersey. In a disgusting abuse of language these activities have been referred to as perks. It may turn your stomach but it does reflect an attitude that, to judge from the extent of the abuse, was prevalent in many quarters, in both Jersey and the UK.

The Empire strikes back

The Jersey Oligarchy has made every effort possible to suppress knowledge of the abuse and to thwart any attempt to bring the perpetrators to justice.

A small number of people have, by now, been successfully prosecuted, but these prosecutions were initiated during the earlier investigation where they were aggressively promoted by Graham Power and Lenny Harper. This stream has now dried up.

One of the first people, in recent times, to fall foul of the régime was the then Senator Stuart Syvret. The doyen of the States (Jersey Parliament) he was effectively the Health Minister and, as such, responsible for the child protection service. His refusal to sign a blank cheque endorsing the service led to his dismissal from the States and a subsequent campaign of harassment, including an illegal police raid on his house, which has not abated. He was jailed twice in circumstances where others would have been given a slap on the wrist or not even prosecuted in the first place.

He has purposely contested to the limit any court action taken against him with a view to drawing wider attention to the operation of the system of "justice" on the island, including the misuse of the data protection legislation.

He is currently working on a legal case against the authorities to take to Europe. This will have to have gone through the Jersey and UK systems first, and this is taking huge time and effort on his part. At one stage he "escaped" to London but is now back in Jersey, and, as far as I know, living on social welfare. Major elements in the case he is preparing are the lack of separation of powers in Jersey, the extreme conflicts of interest within the justice system and the sheer perversity with which the law is applied to opponents of the régime.

Then there was Lenny Harper, Senior Investigating Officer in the child abuse investigation. Lenny is something else. A Northern Irish Protestant married to a Roman Catholic, with a previous career in the RUC and the Met, he was originally recruited to clean up the island. Well, at least I think that's what he thought at the time. When he set about his job with objective enthusiasm, all hell broke loose. He conducted arms raids across the island, revealing large firearms stashes rising in seriousness right up to the level of a rocket launcher.

When he got to the abuse investigation he set to it with a will. Initially the investigation itself was not revealed even to the authorities, for the very good reason that many of them were implicated, or at least complicit in the cover-up. When it had gained enough momentum the investigation was revealed in the full glare of publicity. This had two main aims: first, to thwart any effort by the administration to wind it up or suppress it, and, equally important, to convince survivors that, this time, it was for real. They would be listened to and their complaints would be pursued no matter where they led. The strategy was a good one and Lenny gained the trust of all of those who were genuinely concerned to see justice done. Lenny retired before the investigation was fully completed and the authorities have persistently attempted to slur him ever since. Anyone who has read his published commentaries or seen him on video or read the exposés of what is going on, will have no difficulty in concluding that he was an exceptional police officer doing a magnificent job in the teeth of vicious and unrelenting opposition from the island's political elite.

Lenny's boss, the Chief of Police, Graham Power, backed him all the way. Graham had also come from the "mainland", and again from reading his affidavits and commentaries, it is clear that he was an exemplary officer. Not exactly what the régime had in mind, however, and when he refused to become involved in the administration's attempt to sack the Health Minister, he was himself sacked (suspended) soon afterwards. Both he and Lenny were replaced by officers who immediately set about rubbishing the abuse enquiry.

One of them even resorted to leaking information, designed to undermine that enquiry, to a hostile mainland journalist. This is a crime without any public interest defence. I mention this because Stuart Syvret has been prosecuted for leaking material for which there was a self-evident public interest defence which was refused by the local judicial system. This ended in Stuart going to prison while no action was taken in the case of the police officer.

Just so you get the atmosphere in which a lot of this was taking place, Frank Walker, then Chief Minister, accused Stuart Syvret, on a BBC Panorama programme, of "shafting Jersey" by his revelations. Clearly, avoiding reputational damage took precedence over any idea of justice or compassion. This seems to be a standard institutional response in such cases (vide the Vatican and the RCC hierarchy throughout the world).

Separation of Powers

Jersey probably has more in common with a feudal state than with a modern democratic one. Particular families have long wielded effective power. There is no formal separation of powers such as one might expect in a modern democratic state. The executive, parliament, judicial system, and public prosecutor are all part of the same amorphous mass. This makes for a highly politicised justice system, and it explains much of the tension between the police and the prosecution service during the tenure of Power and Harper, officers who were attuned to the UK system and who were taken aback at the extent of political interference in the judicial and policing areas in Jersey.

It is against this background that Stuart Syvret is attempting to involve Europe in the Jersey scene and that Power and Harper had to resort to stratagems to secure the prosecution of sex abuse offenders.

The Media

The media in Jersey is a sort of unfunny joke. The Jersey Evening Post, the island's only newspaper, is a creature of the establishment. Full stop. Surprisingly, so is BBC Jersey. The local station seems to have the same relationship with Auntie that Stormont had with Westminster in the bad old days: do what you like as long as you don't rock the mainland boat. Channel TV, part of the ITV network, seems no better.

The extent to which the Jersey authorities take for granted their right to control the mainstream media was thrown into sharp relief recently. They contrived to get the UK authorities to deny access to the UK (and Jersey) to a US financial journalist in good standing, Leah McGrath Goodman. She was beginning to turn her attention to the sex-abuse cover-up. This has seriously backfired as her disgraceful detention at Heathrow airport, and subsequent expulsion from the UK, has only drawn serious international attention to the strange goings-on on the island.

The Bloggers

The lack of proper media has led to the rise of the Jersey bloggers. They are now many but three in particular merit mention.

Ex-Senator Stuart Syvret, mentioned also above, has been blogging since 2008. His blog is a commentary on the current state of affairs in Jersey with particular reference to the sex-abuse cover-up. He occasionally has a go at other scandals as well. He is well informed and has the confidence of the survivors. He tilts outrageously at the establishment including at individuals, safe (so far) in the knowledge that he is right and that any effort to sue him would do more damage to the complainant than to him. One of his campaigns relates to a nurse who is alleged to have murdered a number of people in a Jersey hospital and who is now in the UK, apparently still operating as a nurse. It is thought that Stuart is currently subject to a supergag order in relation to this case.

Voice for Children has been blogging since 2007 and in recent times has had a serious impact with high quality video interviews with people in power in Jersey (those willing to participate) and others, such as Graham Power and Lenny Harper, currently outside the island. In a fascinating development, VFC has also succeeded in covering sessions of relevant parliamentary committees, such as Scrutiny (the equivalent of our powerful Public Accounts Committee). These videos have been first class and would be a credit to any professional TV station. But of course the Jersey mainstream media run a mile from this sort of stuff. VFC also developed a style in doorstepping which is very effective. The videos are all preceded by a short station identification animation, which equates Jersey with North Korea, and which has yet to fail to make me smile.

Rico Sorda has reluctantly become an investigative journalist and has broken a number of stories, involving leaked documents or the assiduous marshalling of known facts. He has also been doing some live video transmissions including taking text questions from viewers in real time.

The bloggers have the administration worried as hell. They are pounding away on the home front, being leaked material which leakers will not entrust to the compromised mainstream media, and they are building up an international following. They are really bringing home to the administration that "no man is an island", particularly in this internet age. They are engaged in a cooperative rather than a competitive exercise and are quite happy to refer readers to each other or to other local blogs, such as, for example, that of States member Trevor Pitman.

The Savile case

Up to very recently, there seemed to have been a prospect that, despite the efforts of the bloggers and the survivors, the whole thing might just go away. The administration introduced a compensation scheme which they hoped would put the survivors to bed, so to speak, and they have been dithering about a Commission of Inquiry, all the while attempting to dilute its terms of reference to keep it out of harm's way.

Now, hopefully, as a result of the Savile revelations, all this is changing. The UK and international media are once again taking a close look at Jersey. Savile was a frequent visitor to the island. His mother is said to have lived there. He is now beginning to be named in individual complaints and those in which he had been named previously are now being taken more seriously.

The aim now should be not just to document Savile's activities and bring some sort of closure to his victims, but to use this opportunity to root out those, still living and in positions of power, who are guilty of abuse or complicit in covering it up.

Personal

I'll end on a personal note.

I worked in Jersey during the Summer of 1961 and fell in love with the place - more with the north than with the south, but however. I took the night shot below of Gorey Castle (Mont Orgueil as it is appropriately known). I was proud of the shot and produced it a few years ago in a comment on a Jersey blog. For me it symbolised a majestic and romantic vision of this beautiful island.

It wasn't long before another contributor to the blog revealed that for her the picture had no such benign connotations. She had been an inmate in Haut de la Garenne, a short distance away, and that was the sight that confronted the children as they made their way to get the bus into St. Helier.

A seriously conflicted symbol then.