WeekEnd Feature: Making sense of it all.










by Ian Thompson, CCSP Staff Editor
March 20, 2004


Three things struck me this week. No, I’m not talking about a car crash, or errant pedestrian, or anything of a physical nature. The few of you folk who really know what goes on during my commute will, yet again, be amazed at that. Rest assured, I only lay those tales on the most worthy (or nearest at the time)…

No. I’m talking about a few disparate threads that seemed, in my mind, to be linked in a very subtle way. Let’s call it “A weird review of the week’s IT news”, shall we?


Seconds out! Round one…

Naturally, being a weatherworn educationalist (which is code for ‘cynical teacher’), I keep my eye out for articles that have an educational slant to them. Normally, this is with the sole intention of avoiding them, but this time it really caught my eye, jangled my funny bone and made me consider the possibilities of actually taking part in things again. All the following were spotted in the last two issues of ‘Computing’ – an excellent read, and well worth the free subscription for computing professionals. I’ll pop the URLs in the text.

Apparently, “The Training Camp” has introduced a “five-day Certified Ethical Hacker course detailing the tools and techniques used to target corporate networks”. trainingcamp

Don’t feel left out if you’re Stateside – they operate there too, under trainingcamp.net, and have offered the course there since around the beginning of the year.

On the face of it, this seems like a really interesting course. The aim is to teach network managers and other technical staff the techniques and methods used by hackers to attack a company network from an off-site location. Clearly this would save money employing at least some of the skills of the real ethical hackers when it comes to testing the defences of an important system.


Sneakers, anyone?

Actually, the 1992 movie was more about the tension and comedy of dealing with bent government agents who just want to kill people (eh? comedy??), but the idea of employing teams to break in, thus exposing potentially costly weaknesses, has caught on in the real world – without the all-star cast, though.

Normally, I would have just passed this story by, but for such a criminally useful course in security, the ‘checks and measures’ put in place to ensure that the knowledge was not misappropriated are staggering.

· Applicants are asked to pay a lot of money.
· Applicants are asked to sign a legal declaration ..... to be good with their new knowledge.

So that’s good. In fact, it reminded me of learning to drive. You know, hand over a large sum of money (which can be paid in weekly installments if more convenient), then fulfill the practical assessment, after which a document is signed which confirms the new driver will never break the speed limit, use a cell phone whilst cutting through rush-hour city traffic, or park in a disabled bay at the supermarket. How very ‘E.T’ – “Be good, Elliot”. And of course we always keep those promises, don’t we?

I often thought that it would be better if criminals had some sort of professional recognition for their activities. A claim used recently in the courts by one burglar was that he shouldn’t have to face angry residents trying to protect their property during the course of his activities. It was, he said, above the normal occupational hazard faced by other similar trades, which included (in his estimation) firemen, locksmiths, spies and even the police. Following this line of argument naturally leads to the creation of a professional body to govern the continuance of burglary as a ‘trade’, practised by licensed ‘tradesmen’ who could leave their ‘clients’ feeling that little bit more secure in the knowledge that theirs was a “proper job”, and not some shoddy smash-and-grab job by the local junkies.


“Infamy! Infamy! They’ve all got it infamy!”

So this naturally heightened my interest in the subject. I read a story in the following issue about the need for “Hacking Insurance”. It seems that more and more companies are now paying this. It also seems that this isn’t really because hacking is any more of a problem these days (which it is), but that the “boys upstairs” are suddenly switched on to the idea of losing their innermost secrets, jobs, cash or (gasp) membership at the Mercedes Owners golf-club if they are hit. computing.co

I am, of course, thinking of licensing the curriculum for future use as we expand our portfolio of post-16 vocational training – it makes an interesting take on our need to ‘have an impact on the local community’.


Ding! Ding! Round two!

RFID. Wal-Mart customers will no doubt be familiar with this. RFID stands for ‘Radio Frequency Identification’, and superstores are using these tags to track the location of stock from the moment it enters the warehouse to the time it leaves the store. See: computing.co
Hopefully, this exit will correlate to a few other things too. Firstly, the store server will have seen the item code pass through the tills. It is still likely that this will be by barcode scanning for the next few years, until the tills switch to RFID scanning instead. Secondly, the till receipt will have been printed. Thirdly, the EFTPOS system will have registered the sale and be preparing to reorder the item. Fourthly, the customer credit card will have agreed transfer of funds. Fifthly, the funds will be transferred from one bank account to another.

This may oversimplify things a little. However, all this information has to be handled, and it needs a lot of processing. There are always benefits, so if the store truly tracks all RFIDs then it can detect thefts before the culprit reaches the store doorway. It is also possible that the process of buying the goods is much more slick – the RFIDs allow the store to total the purchases before the checkout, where the simple process of fund-transfer takes place. Even this may be automated, just as in some fuel stations, or tollbooths.

Then, once you’ve got the stuff out of the store, the manufacturer can track them to your home address. There, building up a pattern of purchases over time, a more accurate profile can be created than simply relying on that more familiar method of snooping, the store loyalty card. This can be sold on to others (because you forgot to check the small print on the packaging that gave them the rights to do this), whereupon ‘targeted marketing’ – otherwise known as junk mail – can be more specifically created.

And the doctor, dentist, dietician, social worker, chiropractor, Weight Watchers rep and personal trainer can all tailor their services to the exact amount of beer and chocolate consumed since they last saw you.

The Government can gather accurate statistics about the state of the nation’s health, replacing the gloomy documents that condemn all people who live in a certain region of the country to an early grave because they eat everything deep-fried (like Glasgow) with individual documents for each of us, based on our RFID-tracked purchases.

“Round Three – this is where you take a dive, son…”

In the free world, we are just getting used to the idea of biometric data on things like national ID cards, or passports, or our bank access, whilst over in the USA, this sort of thing has been part of the border checks and so on for some time now. I’ve even got a fingerprint scanner to unlock my latest PDA. Despite the fact that iris and fingerprint scanning is not fool-proof (there have been at least 100 cases of naturally duplicated identifiers in the UK alone), we are placing increasing reliance on these techniques – and yet the algorithms used do produce duplications from different individuals.

And now I read that the UK Government has jerked its knee into the groin of society in more ways, reacting to reports by immediately suggesting that a specialised database would be implemented in each case. So we have the database of all children in the wake of the Climbié child abuse case. There’s a database of criminal allegations (one for convictions already exists) following the Soham murder trial, in which the perpetrator had several times been implicated in events that, had they been brought to trial, would have meant he never would have been employed in the job where he met his victims. Now there’s the database of deaths, following the Shipman trial, to identify patterns in areas that would have otherwise gone undetected. computing.co

Sounds like the beer and nappies issue again – finding links using data mining.


And this week’s winner is…

The makers of all the storage systems, plus either IBM, Microsoft or Oracle. It is obvious that the need to handle more data will necessarily need more storage capacity, plus a heavyweight database to deal with it.

And such sensitive information will be very valuable – how much will our taxes go up by to afford this all? Clearly some form of hardened system is needed (cue the ethical hackers) otherwise this highly sensitive information will be at risk of theft, extortion and general misuse.

What better way to practice your newfound skills as an ethical hacker than removing the speeding fine from your record, or altering the price of your favourite things at the supermarket to a more affordable level? One Exxon area manager I spoke to showed me how the price of fuel at the pumps was alterable from the workstation in his home. Actually, it was in his garden shed. And it was possible to alter the price at a specific station for the next 10 minutes.

It wouldn’t have been hard to wire-tap that one…




by Ian Thompson ComputerCops Staff Editor



Ian Thompson is a Network Manager of a 500-PC, 9-server, 1700-user school network and is an ICT teacher at a UK high school near the city of Leeds. He has written articles for the Hutchinson Encyclopedia, plus many resources in support of teaching ICT in the UK schools' National Curriculum.



Copyright © Ian Thompson All Rights Reserved 2004.
Posted on Saturday, 20 March 2004 @ 10:28:16 EST by phoenix22
Re: Making sense of it all. (Score: 1)
by ([email protected])  on Saturday, 20 March 2004 @ 14:08:40 EST
Grrrr, You got my hackles up with this one, Ian. Remember the burglar issue well. And, don't get me started on RFIDs. B things are already here in the UK in Gillette Mach 3 razors and a well known brand of Jeans.
See you skipped HMG's proposed plans to implant all newborns with RFIDs....for their benefit and protection, of course. Well, why else? Been shelved....for now. I'm going to stop myself now....it's hard though....tis indeed a thorny issue.



Re: Making sense of it all. (Score: 1)
by wizzard67  on Saturday, 20 March 2004 @ 15:26:30 EST
Another superb, close-to-the-bone article, Ian. No doubt we'll be having a banter about this one ;-)

Cheers,

M



Re: Making sense of it all. (Score: 1)
by phoenix22  on Sunday, 21 March 2004 @ 08:53:17 EST
other than some boat guy growlin' atcha......it's a great piece.......banter we shall......



Re: Making sense of it all. (Score: 1)
by Ian-OG  on Sunday, 21 March 2004 @ 10:50:52 EST
Thanks guys.

RFID - I guess Asda will roll it out store-wide first here in UK, since they're owned by Wal-Mart. I wouldn't RFID a dog, so there's no chance my kid will have it. Anyway, how much would the checkout add on for an RFID'ed infant? ;¬D

Cost of a Database of All Children - several million; cost of sticking two up at HMG's namby-pamby attitude to our own free will - priceless. Apologies to Mastercard, there...

I begin to wonder where the 'free world' has run off to hide.