A few days ago my father – a passionate amateur photographer – fell foul of Canary Wharf’s pretend police. His crime? Taking a photo of a shadow of a tree on a building.

Initially it was two fake police who challenged him, demanding that he show them what photos he had taken on his camera. Not even the real police are entitled to do this, and fake police certainly cannot (since they have no more rights than you or I).

He quite rightly refused, at which point the fake coppers prevented him from leaving, and so committed the first actual crime.

More fake police arrived and the situation became increasingly tense. The fake police demanded that he show them the photos, citing “terrorism”, “9/11” and “the current climate”, and said that taking a photo of a shadow was “not what normal people did”.

They threatened him by their physical presence, preventing him from leaving, and threatened to call the police. To which my father requested that they do so since it was the private security agents who were breaking the law (they of course didn’t call them).

The intimidation continued for about 40 minutes becoming increasingly farcical until the supervisor turned up, who was much less confrontational and admitted that they had no right to demand to see his photos or to detain him. My father, who was not feeling very well and was getting tired, showed the photo and was finally permitted to leave.

To his credit, my father kept his cool throughout although he now wishes that he hadn’t capitulated. We are now investigating possible legal action against the private security firm responsible and their agents.

This sort of scenario appears to be happening more often, and it is happening thanks to the passive co-operation of the public. It is understandable that people do give in at times, especially in situations like this where 20-odd 6ft-something men were sent to intimidate one gentleman in his 60s carrying a camera. However, it is the general climate of passive acceptance that lets governments and corporations think they can get away with it.

Fundamentally, you have the right to film, take photos, say, do or be anything and you don’t need permission to do so. This is the essence of freedom, and to let this right – which (if you excuse the hyperbole) was paid for with the blood of your ancestors – be lost is the only crime that really matters.

This is just a quick post to introduce a pair of functions I wrote today while working on some of the Elgg 1.0 access control code.

Namely, call_gatekeeper($function, $file = "") and callpath_gatekeeper($path, $include_subdirs = true), both of which return a boolean value.

call_gatekeeper()

This function tests whether the given function or method exists on the call stack, optionally also checking that it is defined in a specified file.

The function returns true if the named function appears anywhere on the call stack: that is, if the caller was called by the named function, or the caller's caller was, and so on up the stack.

Here is an example of its usage:

function my_secure_function()
{
    // Only proceed if my_call_function() is somewhere on the call stack
    if (!call_gatekeeper("my_call_function"))
        return false;

    // ... do secure stuff ...
}

function my_call_function()
{
    // Will work: my_secure_function() is reached via this function
    my_secure_function();
}

function bad_function()
{
    // Will not work: my_call_function() is not on the call stack
    my_secure_function();
}

To specify a method instead of a function, pass an array to $function containing the classname and method name.

callpath_gatekeeper()

This function is similar to call_gatekeeper() but returns true if it is being called by a method or function which has been defined on a given path or by a specified file.

The function accepts two parameters: $path, which is either the full path of a file or a (partial) directory path, and $include_subdirs.

If $path names a file, the function returns true only if the caller was defined in that file. If $path is a directory and $include_subdirs is true, the function returns true if called by any function defined in a file in or below that directory; if $include_subdirs is false, only files directly in that directory count.
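As an added example, not part of the original post and not Elgg's own code, here is a minimal reimplementation of both gatekeepers in plain PHP using debug_backtrace() and the Reflection API. The names example_call_gatekeeper(), example_callpath_gatekeeper() and plugin_entry() are hypothetical, as is the single-file layout; Elgg's real functions may differ in detail.

```php
<?php
// Added example (not Elgg's code): call-stack gatekeeping in the spirit of
// call_gatekeeper() and callpath_gatekeeper(). All names are hypothetical.

// True if $function (a name, or [class, method]) appears on the call stack.
// With $file set, the matching function must also be *defined* in $file, so a
// same-named function elsewhere does not satisfy the check.
function example_call_gatekeeper($function, $file = "")
{
    if (!$function) {
        return false;
    }
    $found = false;
    foreach (debug_backtrace() as $frame) {
        if (is_array($function)) {
            $found = isset($frame['class'])
                && $frame['class'] === $function[0]
                && $frame['function'] === $function[1];
        } else {
            $found = !isset($frame['class']) && $frame['function'] === $function;
        }
        if ($found) {
            break;
        }
    }
    if (!$found) {
        return false;
    }
    if ($file) {
        $mirror = is_array($function)
            ? new ReflectionMethod($function[0], $function[1])
            : new ReflectionFunction($function);
        $want = realpath($file) ?: $file;
        if ($mirror->getFileName() !== $want) {
            return false;
        }
    }
    return true;
}

// True if some function or method on the call stack (other than this
// gatekeeper itself) is defined in $path (a file) or under it (a directory).
function example_callpath_gatekeeper($path, $include_subdirs = true)
{
    $path = rtrim(realpath($path) ?: $path, DIRECTORY_SEPARATOR);
    if ($path === "") {
        return false;
    }
    // Slice off frame 0, which is the call to this gatekeeper.
    foreach (array_slice(debug_backtrace(), 1) as $frame) {
        try {
            $mirror = isset($frame['class'])
                ? new ReflectionMethod($frame['class'], $frame['function'])
                : new ReflectionFunction($frame['function']);
        } catch (ReflectionException $e) {
            continue; // include/require and closure frames have no named callable
        }
        $definedIn = $mirror->getFileName();
        if ($definedIn === false) {
            continue; // internal (C-level) function, no defining file
        }
        if ($definedIn === $path) {
            return true; // $path named the defining file itself
        }
        $inDir = strpos($definedIn, $path . DIRECTORY_SEPARATOR) === 0;
        if ($inDir && ($include_subdirs || dirname($definedIn) === $path)) {
            return true;
        }
    }
    return false;
}

// Usage: my_secure_function() only does its work when reached via
// my_call_function(), and only if that function is defined in this file.
function my_secure_function()
{
    if (!example_call_gatekeeper("my_call_function", __FILE__)) {
        return "denied";
    }
    return "secure work done";
}

function my_call_function()
{
    return my_secure_function(); // gate passes: reached via my_call_function()
}

function bad_function()
{
    return my_secure_function(); // gate fails: my_call_function() not on the stack
}

function plugin_entry()
{
    // plugin_entry() is defined under this script's own directory
    return example_callpath_gatekeeper(__DIR__);
}

var_dump(my_call_function(), bad_function(), plugin_entry());
```

Two things worth keeping in mind when using this pattern. It guards against code being reached from the wrong place, not against a hostile caller: any code running in the same PHP process can define a function with the expected name (which is what the $file argument exists to catch) or simply call through the permitted function. And debug_backtrace() has a cost on every call, so it belongs on a handful of sensitive entry points rather than on every function.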

While I do believe some of the analogies to be somewhat erroneous, I find myself broadly agreeing with the points raised in this article about current security practices.

We in the industry often find ourselves focusing on the more technical issues – patches, penetration testing etc. These fall well within the IT department’s sphere of understanding. They are sexy issues.

They are certainly more interesting than matters of staff training, but as the article points out, training is likely to be a much bigger win than ensuring everyone uses a 28-character password or that company computers get patches the second they are available.

“Employee training sometimes gets a bad rap because it doesn’t alter the behavior of every employee who takes it,” he said. “But if I can reduce the number of security incidents by 30 percent through a $10,000 security awareness program, doesn’t that make more sense than spending $1 million on an antivirus upgrade that only reduces incidents by 2 percent?”

I am a big fan of the “strength in depth” approach to IT security and I believe that one should never rely too much on one technique. It doesn’t hurt to lock things down – decent passwords are certainly not going to do any harm – but I agree the big hits are probably going to be elsewhere.

However all the fancy security software in the world is not going to stop untrained staff doing something ‘unfortunate’ like sending the bank details of 25 million people through the post on two unencrypted CDs.

Crucially, for real security I think one should plan for failure and make sure that it is not the end of the world if something does happen. Backups and encryption of confidential data, as well as ensuring you have a firewall set up and configured correctly, are all parts of a consolidated defence.

In short: make sure your doors and windows are locked, but keep valuables out of sight and make sure you’ve taken out an insurance policy… and tell your flatmate not to let dodgy masked men with “swag” written on a sack wander around your apartment.