Latest news and comment.

2024/12/03 - System upgrade - Work completed.
The work was started early (yesterday!) and now our gateway server is running Ubuntu 24.04.

2024/11/27 - System upgrade - At risk notice.
We will be performing some operating system upgrades next Tuesday (3rd December, 2024). Work will start as soon as customer reports have been distributed - approximately 09:20. The work is expected to take no longer than 3 hours, and so normal service should be resumed by lunchtime.

2024/11/20 - The thirty year cycle.
I recently attended a meeting hosted by the Ministry of Defence on a topic that used to be classified at Secret. One of the speakers highlighted that the particular issue we were discussing was a mainstream consideration at the height of the Cold War, thirty or so years ago. Part of the remit of the group is to try and remember what has been forgotten in that time, as part of the problem is that the centres of expertise have long since retired (and in one particularly sad case, died).

And all this came to the fore when I read that Sweden has reissued "If crisis or war comes" for the first time in six years. Finland did something similar a few days ago. (I note the Finnish version is entirely online, which may be part of the problem rather than part of the solution.) To those of a certain age, the words "Protect and Survive" carry a certain chill even now.

It is also interesting to note the world events. Exercise Dynamic Front 25 started earlier in November and is currently taking place in Finland, not far from the Russian border. And, as if by magic, two cables in the Baltic Sea are degraded, possibly severed.

2024/11/18 - Tesco in Stornoway.
I am still bemused by the coverage Tesco opening on a Sunday in Stornoway has attracted. I noted that the central belt media felt the need to dispatch their reporters to the Outer Hebrides on at least one of the terrestrial channels. As usual, the local press are far more nuanced and highlight the far more significant difficulties faced by those living on the islands, which the rest of the world chooses to ignore.

2024/11/11 - Security investment.
In the face of tighter and tighter public sector budgets, it can be incredibly difficult to obtain a balanced investment in security. After all, nobody actually wants security software to work. It would be far better if all the moist robots holding the keyboard were so perfect that they'd never open a phishing e-mail, never introduce malware into a computer, would always wear their pass and only ever used their work e-mail for proper, sound purposes. But no. Those same moist robots are only human and therefore flawed. They need to be coerced into doing the right thing, along with occasional reminders of why.

Over the years, I have used a variety of techniques to try and implement an effective security culture:-

In terms of the why, one technique I have used (although, this is about getting those moist robots to do the right thing rather than obtaining additional security budget) is to ensure the advice and guidance they are given, translates to something they can use outside of work. Thus, instead of just implementing two-factor authentication, you take the time to explain to staff why it's important. Not only will that ensure that a good security control registers with them, but it will also help keep them safe at home.

In terms of getting security budget, once upon a time, I would take a programme perspective and for every technology delivery, I'd build in a budget for appropriate security controls. In this case, the security spend was always absorbed into the overall project delivery. For the most part it worked, but as budgets tightened, the programme manager would always point at me and say that it was my fault that his project went over budget. What started off as a simple server upgrade would grow arms and legs as we needed to replace various parts of legacy networking infrastructure to accommodate what had been sold purely as a simple, cheap piece of work.

I responded by tracking security incidents and applying a cost to them. It may have been a largely fanciful amount, but it was strangely effective when you do this for every incident:-

Number of staff impacted or involved × Length of incident or outage in hours × Average hourly cost

This approach allows you to highlight how much a security incident costs and can usefully be contrasted with the cost of implementing a security control.

The Register has called before for an independent investigator into technology incidents and did again, earlier this month. The more I think about it, the more I think this is the future.

This is not about assigning blame, but to find out why something happened so that society can learn from it and prevent it happening again. Whilst this might go a long way to helping the case for security budgets, it would also do away with the spin that every company puts out when they have been hit with a "sophisticated" and "complex" cyber-attack, when the reality is more likely they just didn't patch something, they ignored a legacy product or they failed to configure a new toy properly. Transparency can only improve IA within UK PLC and certainly be of a significantly greater benefit than a fine.

2024/11/08 - Internet attacks.
It is a widely accepted truth that when you attach something to the internet, it will begin to attract a degree of interest in a very short space of time. For the most part, this interest is simply automated scanning looking for some low hanging fruit. Occasionally, something with far more resources and commitment lines up its cross hairs on you.

And that happened to our gateway server in October.

This server only offers SSH to the internet. The authentication must be by public / private key pairs and all the weak crypto is disabled. The other thing of note is that this server, because it faces the internet, is very aggressively patched. It has some other tools installed on it to detect nefarious activity, including Fail2ban. Fail2ban has a fairly robust configuration to simply drop traffic from known bad hosts.

I've been collating the number of IPs that Fail2ban blocks, on an hourly basis, for almost exactly a year now. I felt something interesting was happening, but have only just done the analysis.

Nine of the top ten days with the most blocked IP addresses were in October this year. As a result of that, further investigation of the log-files showed an entity that learned quickly it would be blocked after a specific number of failed attempts. It fairly quickly stopped hitting that limit, and instead rotated its IP before it occurred. That means there were multiple failed logins that did not result in a statistical entry. The attempted user IDs were, however, logged and, unsurprisingly, "root" was the number one attempted ID. There wasn't really anything else of note.

Looking further back, and taking the months in general, October last year was the second worst month for blocked IP addresses after October this year. December, 2023 and January, 2024 make up fourth and third respectively.

What is equally interesting is the drop-off of attacks. As I write this, for the last week, blocked IPs only just make it into double figures. There was a similar pattern back in May, 2024 for about ten days, although the traffic immediately prior to that wasn't particularly notable, except there was a gradual increase from February, 2024 to April, 2024. Prior to the October, 2024 bump, things had been relatively quiet since August.

Interesting times....
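The behaviour described above has a simple signature in the raw sshd log even though it is invisible in the ban counts: lots of distinct source addresses that each stop exactly one attempt short of the jail's threshold. The script below is an added example, not code from the original post or from Fail2ban; it reads the lines that `journalctl -u ssh -o short-iso` prints, counts failures per source the way the sshd jail does (most failures inside any findtime window), and then reports the sources that sat just under the limit along with the usernames tried. The jail settings (maxretry=3, findtime=600) and the log lines are assumptions; the sample log is constructed, not a real capture.

```python
"""Spot SSH guessing that stays under Fail2ban's per-IP ban threshold.

Fail2ban bans a source once it has failed `maxretry` times inside
`findtime`.  A bot that rotates its source address *before* reaching that
count is never banned, so it never shows up in the ban statistics, yet every
attempt is still in the sshd log.  This groups failures by source, reports
the sources that stopped exactly one short of a ban, and tallies the
usernames tried.  Input is what `journalctl -u ssh -o short-iso` prints.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Two failure shapes: a refused password, or a pre-auth disconnect after the
# client has named a user (what a key-only server logs for a guessing bot).
# The "Invalid user X from IP" line that precedes the latter is deliberately
# not matched, so each attempt is counted once.
FAILURE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?:"
    r"Failed \S+ for (?:invalid user )?(?P<u1>\S+) from (?P<ip1>\S+) port \d+"
    r"|Connection closed by (?:invalid|authenticating) user (?P<u2>\S+) "
    r"(?P<ip2>\S+) port \d+ \[preauth\])"
)

# Constructed sample, not a real capture: one source that trips a ban at
# maxretry=3, four that each stop at two attempts, and one genuine user.
SAMPLE_LOG = """\
2024-10-12T03:14:07+0100 gw sshd[2311]: Connection closed by authenticating user root 198.51.100.10 port 51122 [preauth]
2024-10-12T03:14:09+0100 gw sshd[2314]: Connection closed by authenticating user root 198.51.100.10 port 51130 [preauth]
2024-10-12T03:14:12+0100 gw sshd[2317]: Connection closed by authenticating user root 198.51.100.10 port 51141 [preauth]
2024-10-12T03:20:01+0100 gw sshd[2402]: Connection closed by authenticating user root 203.0.113.5 port 40001 [preauth]
2024-10-12T03:20:03+0100 gw sshd[2405]: Connection closed by invalid user admin 203.0.113.5 port 40002 [preauth]
2024-10-12T03:21:10+0100 gw sshd[2410]: Connection closed by authenticating user root 203.0.113.6 port 40010 [preauth]
2024-10-12T03:21:12+0100 gw sshd[2413]: Connection closed by authenticating user root 203.0.113.6 port 40011 [preauth]
2024-10-12T03:22:30+0100 gw sshd[2420]: Invalid user oracle from 203.0.113.7 port 40020
2024-10-12T03:22:30+0100 gw sshd[2420]: Connection closed by invalid user oracle 203.0.113.7 port 40020 [preauth]
2024-10-12T03:22:33+0100 gw sshd[2423]: Connection closed by authenticating user root 203.0.113.7 port 40021 [preauth]
2024-10-12T03:23:40+0100 gw sshd[2430]: Connection closed by authenticating user root 203.0.113.8 port 40030 [preauth]
2024-10-12T03:23:42+0100 gw sshd[2433]: Connection closed by authenticating user root 203.0.113.8 port 40031 [preauth]
2024-10-12T08:01:15+0100 gw sshd[3100]: Connection closed by authenticating user alice 192.0.2.9 port 50500 [preauth]
2024-10-12T08:01:40+0100 gw sshd[3104]: Accepted publickey for alice from 192.0.2.9 port 50501 ssh2
"""


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for every failed attempt."""
    for line in lines:
        m = FAILURE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S%z")
            yield ts, m.group("ip1") or m.group("ip2"), m.group("u1") or m.group("u2")


def worst_window(times, findtime):
    """Most failures from one source that fall inside any `findtime` span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > findtime:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, maxretry=3, findtime=timedelta(seconds=600)):
    """Classify sources the way the sshd jail would, then look underneath it."""
    by_ip = defaultdict(list)
    users = Counter()
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append(ts)
        users[user] += 1
    peak = {ip: worst_window(stamps, findtime) for ip, stamps in by_ip.items()}
    banned = sorted(ip for ip, n in peak.items() if n >= maxretry)
    return {
        "failures": sum(len(v) for v in by_ip.values()),
        "banned": banned,                        # what the ban statistics show
        "evading": sorted(ip for ip, n in peak.items() if n == maxretry - 1),
        "unbanned_failures": sum(len(v) for ip, v in by_ip.items() if ip not in banned),
        "users": users,                          # who they were trying to be
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    print(f"{report['failures']} failures, {len(report['banned'])} source(s) banned, "
          f"{report['unbanned_failures']} failures never counted against a ban")
    print("sources stopping one short of a ban:", ", ".join(report["evading"]))
    print("usernames tried:", report["users"].most_common(3))
```

Run it against a real export with `journalctl -u ssh -o short-iso | python3 evade.py` after swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`. The useful number is "unbanned_failures": a normal day has a handful (typos from real users), whereas a rotating bot produces a long list of "evading" addresses that each contribute exactly maxretry-1 attempts, which is the moment to consider a lower maxretry, a longer findtime, or Fail2ban's recidive jail.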

2024/11/02 - Tesco opening on Sabbath in Stornoway.
Whilst far from information assurance, I was surprised that Tesco reviewing the opening hours for its store on the Isle of Lewis made for national news. Having just come back from there*, I confess to being slightly disappointed. I have no interest in the religious argument, but the atmosphere in Stornoway on a Sunday is something quite delightful and I would wager that this will change things for the worse. And that is a shame. I no longer recall the cold, wet, blustery Sunday afternoons of my youth as something to be endured, but enjoyed.
--
* And recognising that I do occasionally throw personal snippets in here; I have spent the end of October into November every year in Lewis since my wife and I renewed our wedding vows there in 2017. This one was somewhat notable as it was our silver wedding anniversary and was our fifth visit this year. It was supposed to mark a change of circumstances, but unfortunately the best laid plans of mice-and-men....

2024/10/22 - Business use of personal e-mail.
It's not the first time that the former Home Secretary, Ms Braverman, has decided to forward government material to her personal e-mail account. I note that the end of the article by El Reg, highlights that Ms Braverman stated, "I have requested briefing and guidance by security experts on what constitutes appropriate use of Government and personal IT. I have now received this briefing."

Whilst the definition of insanity is performing the same action and expecting a different result, there are complexities about business use of personal resources - whether e-mail, IT equipment or mobile phones. Certainly, the stay-at-home order at the beginning of Covid would have been all but impossible for many organisations without a degree of flexibility from all those involved.

It must be emphasised, that a number of commercial e-mail services handle considerably more e-mail in a day than many government systems handle in a year - probably by several orders of magnitude. This gives them an insight into what bad looks like and permits them to take precautions that government can only dream of. If the personal e-mail account is properly secured, the threat from the bad guys is probably minimal. The real issue is the question of legal jurisdiction as most sizeable e-mail providers who have the insight I suggest are based in the US; and that could be a problem.

But it's not really an excuse. If the department policy says, "organisational kit only", then that's the line in the sand. And I guarantee there are really, really good reasons for that.

2024/10/01 - Nightsleeper annoyances.
It was the finale of Nightsleeper on BBC One last night. Don't worry, I'm not going to give away any spoilers, except to say I worked out who The Driver was by the end of the third episode. As soon as you realise who it is, it is difficult to imagine it might be anybody else. Equally, all the diversions into other plot twists from that point began to grate as much as the inaccuracies, but, as I said, it was largely an enjoyable romp. I daresay doctors and nurses don't particularly care for all of Casualty and coppers almost certainly won't like Blue Lights or Line of Duty. And farmers gave up on Emmerdale a long time ago!

However, beyond the inaccuracies, there were two things that really irked me about the finale:-

Firstly, when the staff were evacuated from Nova, they didn't even lock their PCs. My one and only evacuation whilst in a secure office in Whitehall saw all the staff lock their PCs away securely, before leaving the building as this was deemed safer than taking their laptops with them outside the office.

However, the real doozy (for me) occurred when Joe plugged a USB cable into a console. He managed it on the first attempt - almost without looking. I mean there are only two ways to insert a type A USB, but everybody knows that it takes between three and five attempts, and usually only after checking the alignment of the connector you are trying to insert!

One thing that Nightsleeper did capture almost perfectly was when Abbey walked out of the station at the end. It's an incredibly odd sensation when you have done something that is monumentally important and yet the world doesn't know anything. The only way I can describe it is like you're not part of what is going on, like you're watching it, rather than being part of it. It is a strange sensation and probably has a name.

2024/09/27 - Interesting news items.
First off, there has been an arrest in the cyber attack against critical national infrastructure / cyber attack against passengers' personal devices / defacement of a closed portal on public wi-fi (please delete as appropriate based on your own views of reality). What is interesting is that it appears to be a malicious insider who is employed by GlobalReach, the provider of the landing page.

Next up: Owners of Unix-like systems, including Linux, some flavours of BSD and potentially ChromeOS, need to update their CUPS installation immediately. There is a doozy of a vulnerability present that Canonical and Red Hat have assessed with a CVSS of 9.9. You can determine whether your install on a systemd system is vulnerable by entering:-

sudo systemctl status cups-browsed
If the response states "running" or "enabled", run this:-
grep BrowseRemoteProtocols /etc/cups/cups-browsed.conf
If that says "cups", then your system is vulnerable. Two caveats: grep will also return the commented-out example line that ships in the stock file, so only a line that doesn't start with "#" counts; and if the directive isn't set at all, cups-browsed falls back to its compiled-in default, which upstream documents as "dnssd cups", so treat "no output" as vulnerable too. There are steps available to mitigate the vulnerability (stopping and disabling cups-browsed, or removing "cups" from BrowseRemoteProtocols), but they will affect the printing service. You should apply patches from your vendor as soon as possible.
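The two-command check above is easy to misread when the directive is commented out, repeated, or absent altogether. The following is an added example (not part of CUPS, cups-browsed or the original post) that applies the config file's own rules: lines starting with "#" are comments, the last occurrence of a directive wins, and "none" means no protocols at all. The compiled-in default it falls back to ("dnssd cups") is taken from the upstream cups-browsed.conf man page and is an assumption to confirm against your own build; the three sample config snippets are constructed.

```python
"""Decide, from its config file, whether cups-browsed is exposed.

`grep BrowseRemoteProtocols /etc/cups/cups-browsed.conf` also returns the
commented-out example line in the stock file, and prints nothing when the
directive is absent, in which case the compiled-in default applies.  This
applies the file's own rules instead: a line starting with '#' is a comment,
the last occurrence of a directive wins, and the value is a space separated
list of protocols (or "none").
"""
import subprocess

CONF_PATH = "/etc/cups/cups-browsed.conf"
DEFAULT_PROTOCOLS = "dnssd cups"   # assumed upstream default when the directive is unset


def browse_remote_protocols(conf_text):
    """Return the effective protocol list, lower-cased, honouring comments and overrides."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "browseremoteprotocols":
            value = parts[1].strip() if len(parts) > 1 else ""
    if value is None:
        value = DEFAULT_PROTOCOLS
    protocols = value.lower().split()
    return [] if protocols == ["none"] else protocols


def assess(conf_text, active, enabled):
    """Combine the config with the unit state the way the two manual commands do."""
    protocols = browse_remote_protocols(conf_text)
    exposed = "cups" in protocols and (active or enabled)
    return {
        "protocols": protocols,
        "vulnerable": exposed,
        "reason": ("cups-browsed will listen for remote 'cups' browse packets; patch, "
                   "or stop and disable the unit until you can"
                   if exposed else "cups-browsed is not listening for remote cups browsing"),
    }


def unit_state(unit="cups-browsed"):
    """Ask systemd directly; is-active/is-enabled are the scriptable forms of `systemctl status`."""
    def ask(verb):
        return subprocess.run(["systemctl", verb, unit], capture_output=True, text=True).stdout.strip()
    return ask("is-active") == "active", ask("is-enabled") == "enabled"


# Constructed sample files (not copied from any distribution):
STOCK_CONF = "# BrowseRemoteProtocols dnssd cups\n"        # commented out -> default applies
MITIGATED_CONF = "BrowseRemoteProtocols dnssd cups\nBrowseRemoteProtocols dnssd\n"  # last one wins
DISABLED_CONF = "BrowseRemoteProtocols none\n"

if __name__ == "__main__":
    with open(CONF_PATH) as fh:
        conf = fh.read()
    print(assess(conf, *unit_state()))
```

Run as `python3 cups_check.py` on the host; it needs no privileges beyond reading the config. "vulnerable" is only the exposure test the post describes, not proof that the installed cups-browsed is unpatched, so a "False" still doesn't excuse you from applying the vendor update.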

Finally, from the "I didn't realise they were separate" news-desk, Tails and Tor have announced they are joining forces. Given that we issue a Tails stick to every consultant on any deployment, this can only be a good thing.

2024/09/26 - Public wi-fi disruption.
In a headline that - on the face of it - allows the BBC to show life emulating art, attackers have NOT caused disruption at 19 UK railway stations.

Even the opening paragraph highlights that it is the public wi-fi that has been impacted and not the railway stations. The irony is that out of the locations that are listed as being impacted, I would wager there's a pretty good 4G, possibly even 5G signal and therefore, it does beg the question why people need public wi-fi. Instead of making a useful article about the risks of using unprotected wi-fi, the BBC have gone nuclear in their headline.

And for the avoidance of doubt, I am quite enjoying Nightsleeper. The first episode annoyed me as I picked holes in everything. The second less so, as I learned to live with the inaccuracies. Whilst not as good as The Undeclared War, fundamentally it's a good romp that glamorises, to the world, the work we do. And it is nice seeing so many familiar locations, but not the real Nova. Seemingly, the interior shots were filmed at the Riverside Campus belonging to the City of Glasgow College.
--
10:50 Update: The original headline on the BBC article was, "Network Rail: Twenty railway stations affected by cyber attack". I see that BBC have changed the headline in their revised article to be "Wi-fi hack at train stations displays message about terror attacks". Specifically mentioning wi-fi is good, but that's all they needed to do. Why do they still have to mention "terror attacks"?
13:00 Update: The BBC have revised the headline again. This time it reads, "Hack puts terror message on railway station boards". I have been unable to confirm that a message has appeared anywhere other than within a wi-fi captive portal. Once again, this appears wildly inaccurate, as is the initial crawl from ITV that states, "Major UK train stations have been targeted by a cyber-security attack which saw "Islamophobic messaging" displayed on a passengers' screens." You can just about hear tongues being inserted into cheeks at The Register around their statement, "Infosec experts weighed in on the news, saying the event is the latest to highlight how critical national infrastructure (CNI) in the UK is a common target for cybercriminals looking to send a message." I hate to say this, but public wi-fi is not CNI. The official statement from Telent highlights that it was the wi-fi landing page that was compromised, and nothing else - as yet! Reuters, as usual, states facts.
13:30 Update: I suspect that the BBC are reading this webpage, as their headline now states, "Wi-fi hacked at 19 railway stations". Accuracy at long last!

2024/09/10 - Death of James Earl Jones.
The man who became a household name when he gave Darth Vader the tonal menace, died peacefully at home last night.

Those who think his world started and ended with Star Wars and The Lion King should also reflect on the fact that he was awarded his Ranger Tab and his unit was sent to establish a cold-weather training facility in Colorado. When you look at his long list of credits, remember that he had had a stutter since childhood. But above all, reflect upon the kindness of the man who never grew tired of telling small children that he was their father.
--
Updated on 2024/09/16 with a link to highlight the merits of the Ranger Tab.

2024/09/09 - Upgrade to Ubuntu 24.04.1 temporarily stopped.
There it is. We have a single headless server on which we performed the upgrade the day it became available, and it's been monumentally unstable since. It will run for many hours perfectly well and then something happens. It's still running, but it seems to lose connectivity as though it is under a massive load. We've expended no time in investigating as it appears that the syslogs are mangled too. We will wait and see what this bug brings.

Interestingly, a laptop that went from Ubuntu 23.10 to 24.04 is operating with no ill effects.

2024/09/02 - End of an era in Stornoway.
I couldn't let this pass without comment as the Stornoway branch of the TSB has quite a lot to answer for. It was to there, in 1976, that a very small version of me was transported, with my family, when my father was appointed the manager. We lived above the bank, where the offices of Macdonald, Maciver & Company are located now. I should highlight their kindness in permitting me to return a few years ago to reminisce, but equally I was pleased to be able to explain that an odd mark on the ceiling of their office was caused by my mother retrieving Christmas decorations from the unfloored attic above and losing her balance. The resulting foot through the ceiling was rather funny as it was not serious.

I also note that the TSB is closing the Peterhead and Lerwick branches. That too, is somewhat poignant, as my father was the first individual from outside Peterhead to win a scholarship to Peterhead Academy as a youth. Equally, my father used to go to the Lerwick branch of the TSB occasionally to cover holidays.

So... it is the end of an era, but I am grateful that the bank gave me ties to Stornoway and Lewis that go well beyond any other place I have ever lived.

2024/08/29 - More on the arrest of Pavel Durov, CEO of Telegram.
Whilst the BBC haven't corrected the then-speculative article alleging that Mr Durov was arrested for refusing to join international programmes to remove child sexual abuse material (CSAM), we did fix some of the links and improved the readability of the post yesterday.

A new BBC report now states his arrest was far wider than CSAM, and covered an investigation into organised crime and complicity in enabling illicit criminal transactions. That would seem to be backed up by the AJ report linked at 16:15.

Interestingly, the architecture of Telegram is such that it would have been really easy to permit law enforcement access to the majority of messages within the platform (as far as I can see, unless "Secret Chat" is enabled between two participants, messages are only encrypted between client and server and would reside on the Telegram servers in the clear.) To that end, I would wildly speculate that you can take the boy out of Russia.... ;-)

2024/08/28 - Interesting commentary on Telegram.
Warning: Some links in the article below are to the Russia Today and Al Jazeera websites. Their content is likely to be heavily biased and may be unsuitable reading for many individuals. The availability of these sites may be sporadic in many parts of the world and the simple act of accessing them may be subject to monitoring under the auspices of "law enforcement" in certain jurisdictions.

Coming the same week as the CEO of Telegram, Pavel Durov, was arrested in France, is a monumentally interesting analysis of what Telegram actually is. (Spoiler alert: It is really difficult to activate the encrypted messaging as it requires your collaborator to be online at the same time in order to activate "Secret Chat". Equally, it can't be used for more than two participants, making a mockery of Telegram channels. Ergo: For a very large percentage of its user base, Telegram is simply an unencrypted social media platform.)

Despite this, it is amazing how often Telegram's "end-to-end" encryption of messages is incorrectly repeated. Equally, some press reports state that Telegram has suddenly become more popular following Mr Durov's arrest in France. On the face of it, Telegram has been, and continues to be immensely popular.

Just before Russia Today went dark earlier in August, it published a statement quoting the Russian internet watchdog, Roskomnadzor:-

  • The article states, "In 2017, WikiLeaks revealed that Signal's encryptions could be easily bypassed by the CIA, using the hacking tools described in the Vault7 disclosures." This is entirely untrue and stems from Wikileaks incorrectly implying that the encryption had been back-doored. It has not. The truth is that if a handset is compromised, and a key-logger installed, no form of encryption will help you. Vault 7 describes a number of techniques for gaining access to handsets from different manufacturers to do exactly this.
  • Next, the article states, "In January 2022, the Swiss army banned the use of Signal, WhatsApp and Telegram, citing data protection concerns." That is true but it only tells part of the story. Switzerland has some of the most stringent data protection laws in the world, setting personal privacy head and shoulders above any other country. As a result, US firms such as Signal and WhatsApp would struggle to comply with them and, as a consequence of that, the Swiss army banned the use of US-owned secure messaging for military personnel when on deployment. They recommended Threema instead. The military position isn't a reflection on the security of the application but a consequence of the US "Cloud Act", and you can find real-life details of what Signal can disclose here.
  • Next up, the article states "The US government funding for Signal reportedly ran dry last December, and the app began to struggle." These rumours first started to appear after Meredith Whittaker posted an article about how expensive Signal was to run. These new rumours gave credence to allegations of an association between the Open Technology Fund and Open Whisper Systems (where the Signal Protocol came from). The fact remains, I can't find any independently verifiable evidence to support this other than vague statements from individuals who have a vested interest in spreading fear, uncertainty and doubt. Wikipedia article on OTF here.
  • Finally in this article, we come to, "Musk, who had endorsed the app in 2021, warned about "known vulnerabilities" that were "not being addressed" in May." Mr Musk's seemingly erudite reference is to a flaw in Signal Desktop, which is real. The thing about that is that it was similar to the Vault7 issue: it requires the host device to be compromised in order to access the Signal content. However, it remains a flaw that is due to be fixed.
Following Mr Durov's arrest, Russia Today made another statement. The key take-away from this article is, "However, Russian Foreign Minister Sergey Lavrov said on Tuesday that Durov's detention proved that Telegram is a "truly" secure platform." In light of the analysis of Telegram, I shall simply end with: X-D.

It is clear that there is an awful lot of manipulation of opinion going on - which is why there are so many links to source articles in the paragraph above. On the face of it, Russia appears unsure of how to play it. Should they adopt Mr Durov as a slighted one of their own, or simply go down the well-worn route of using him as a political pawn, highlighting the censorship and sanctions imposed by the west? It does remain to be seen why Mr Durov was arrested.
--
14:45 Update: From the "speculation is news" desk, the BBC have reported that Mr Durov was arrested for refusing to join international programmes to detect child abuse material.
16:15 Update: Good summary from AJ here.

2024/08/19 - Congratulations to Inveraray & District Pipe band.
On Saturday, Inveraray & District Pipe Band won the 2024 World Pipe Band Championships. This marks the third time the band have won the Worlds, having previously come out on top in 2017 and 2019.

I had been invited to go, and it would have been great to be there to watch friends win, but unfortunately, I had a prior commitment. Instead, we were at The Royal Edinburgh Military Tattoo - which was also an excellent show...

2024/07/29 - Secure Boot rendered useless.
Binarly have announced research that has found Secure Boot is entirely broken on over 200 devices from the world's biggest PC vendors. Despite the fact that the signing keys were marked "DO NOT TRUST", manufacturers used them anyway.

The issue arises from an accidental(?) leak of the platform key in a GitHub repo back in 2022. Whilst the key was encrypted, it was encrypted with a four character password that was trivial to break.

More here and here.
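Because the marker is literally in the certificate subject, checking your own machine is straightforward: read the Platform Key variable and look for the string. The script below is an added example, not Binarly's scanner nor code from the original post. It parses the PK variable as the UEFI specification lays it out (efivarfs prefixes the variable with four bytes of attributes, then one or more EFI_SIGNATURE_LIST records) and scans each X.509 entry for "DO NOT TRUST". Reading the subject with an ASN.1 parser would be the rigorous approach; a byte search is enough for this particular marker because DER stores it as plain ASCII. The sample variable built by `sample_pk()` is constructed and its "certificate" is a stand-in, not real DER.

```python
"""Look for the "DO NOT TRUST" test certificate in this machine's Platform Key.

The PK sits at the top of the Secure Boot trust chain: whoever holds its
private key can enrol their own KEK and db entries and sign whatever boots.
This parses the PK variable and scans each X.509 certificate for the marker.

Layout: efivarfs prefixes the variable with 4 bytes of attributes, then one
or more EFI_SIGNATURE_LIST records:
  SignatureType GUID(16) | SignatureListSize u32 | SignatureHeaderSize u32 |
  SignatureSize u32 | header | N * (SignatureOwner GUID(16) | SignatureData)
"""
import struct
import uuid
from pathlib import Path

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
PK_VAR = Path(f"/sys/firmware/efi/efivars/PK-{EFI_GLOBAL_VARIABLE}")
MARKER = b"DO NOT TRUST"
LIST_HEADER = struct.Struct("<16sIII")   # type GUID, list size, header size, signature size


def parse_signature_lists(data):
    """Yield (SignatureType, [SignatureData, ...]) for each list in `data`."""
    off = 0
    while off < len(data):
        if len(data) - off < LIST_HEADER.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off}")
        guid, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(data, off)
        body = data[off + LIST_HEADER.size + hdr_size: off + list_size]
        if (list_size < LIST_HEADER.size + hdr_size or off + list_size > len(data)
                or sig_size <= 16 or len(body) % sig_size):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at {off}")
        # each entry is a 16-byte owner GUID followed by the signature/certificate
        entries = [body[i + 16: i + sig_size] for i in range(0, len(body), sig_size)]
        yield uuid.UUID(bytes_le=guid), entries
        off += list_size


def untrusted_certs(var_bytes, attr_prefix=True):
    """Return the index of every X.509 entry whose DER carries the marker."""
    data = var_bytes[4:] if attr_prefix else var_bytes
    hits, index = [], 0
    for sig_type, entries in parse_signature_lists(data):
        for cert in entries:
            if sig_type == EFI_CERT_X509_GUID and MARKER in cert:
                hits.append(index)
            index += 1
    return hits


def build_signature_list(sig_type, owner, entries):
    """Assemble one EFI_SIGNATURE_LIST; all entries must be the same length."""
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return LIST_HEADER.pack(sig_type.bytes_le, LIST_HEADER.size + len(body), 0, sig_size) + body


def sample_pk(test_key):
    """Constructed PK variable; the 'certificate' is a stand-in, not real DER."""
    subject = b"CN=DO NOT TRUST - test platform key" if test_key else b"CN=Example OEM Platform Key"
    cert = b"\x30\x82\x01\x00" + subject.ljust(256, b"\x00")
    attrs = struct.pack("<I", 0x27)   # NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE
    return attrs + build_signature_list(EFI_CERT_X509_GUID, uuid.uuid4(), [cert])


if __name__ == "__main__":
    if PK_VAR.exists():
        hits = untrusted_certs(PK_VAR.read_bytes())
        print("PK contains an untrusted test certificate" if hits else "PK does not carry the marker")
    else:
        print("no PK variable: legacy boot, or Secure Boot still in setup mode")
```

Reading efivarfs may need root on some kernels; `efi-readvar -v PK` from efitools prints the full subject if you want to confirm what the byte search found. A hit only tells you the firmware trusts the leaked test key: the fix is a vendor firmware update that enrols a real PK, not anything you can do from the operating system.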

2024/07/24 - Securely deleting storage media.
One of my customers is trying to upgrade two servers. As a back-up, they are going to image the servers to an external storage device (highly likely to be spinning metal). Before the device is relocated from one secure data centre to another, it has to be securely blanked. Put enough security nerds in a room, and we all have an opinion on how best to achieve this:-

  • Where you don't need an assured blanking, I personally like the simplicity of using ShredOS.

  • The next most popular way was to use:-
    sudo dd if=/dev/urandom of=/dev/<INSERT PROPER DEVICE - DO NOT JUST ASSUME> bs=1M status=progress
    (Without bs=, dd writes 512 bytes at a time and takes far longer than it needs to. It finishes with a "No space left on device" error, which is exactly what you want to see.)

  • The problem with /dev/urandom is that it can be very slow. Seemingly the following works better, as it turns a stream of zeros into pseudo-random data using the CPU's AES instructions:-
    head -c 32 /dev/urandom | base64 | sudo openssl enc -aes-256-ctr -pbkdf2 -nosalt -pass stdin -in /dev/zero -out /dev/<INSERT PROPER DEVICE>
    (Bearing in mind that I have never used it, I can't say how effective it is.) The recipe as originally passed around used -rc4, which OpenSSL 3 only provides through the legacy provider; AES-256-CTR is substituted here and is just as good as a pseudo-random fill. The key is base64 encoded because -pass stdin reads a single line and raw random bytes may contain a newline.

  • A number cite the use of the scrub or shred commands:-
    sudo shred -n 5 -vz /dev/<INSERT PROPER DEVICE>
    Or
    sudo scrub -p dod /dev/<INSERT PROPER DEVICE>
    Your own mileage may vary when using either of them.

  • Everybody recognises that the following, if available, can be the quickest and most secure way to erase a storage device, because the drive firmware does the work and also reaches sectors it has remapped out of use:-
    sudo hdparm -I /dev/<INSERT PROPER DEVICE>
    Check that the "Security:" section says "supported: enhanced erase" and "not frozen" (many BIOSes freeze the security feature set at boot; a suspend/resume cycle normally unfreezes it). Then set a temporary password and erase:-
    sudo hdparm --user-master u --security-set-pass p /dev/<INSERT PROPER DEVICE>
    sudo hdparm --user-master u --security-erase-enhanced p /dev/<INSERT PROPER DEVICE>
    If "enhanced erase" isn't listed, use --security-erase instead. Don't interrupt it: the drive stays locked with that password until the erase completes (sudo hdparm --user-master u --security-disable p clears it). On an SSD or NVMe drive, prefer the device's own sanitise command (nvme format --ses=1, or nvme sanitize) over any of the overwrite recipes above, as wear-levelling and spare area mean a software overwrite never reaches every cell.

The thing is, all of these things are designed to resist the type of attack outlined here made (in)famous by Peter Gutmann and here is an interesting analysis of that paper by Daniel Feenberg. Mr Feenberg's analysis links to a further statement, apparently from Mr Gutmann himself.

What it really comes down to, however, is how much money and time an attacker is willing to put into recovering your data. Whilst some activities may be of interest to authorities, causing them to expend a substantial amount of time and resource, the fact is most people just aren't that interesting! An attacker waiting to acquire a storage device at the point you fail to blank it properly is more likely to put effort into compromising your security in other ways. An organisation who buys up old hard drives to see if they can recover anything interesting just isn't going to be able to apply a massive amount of time or money on every device.

To my mind, that means that using any of the above processes, whilst undoubtedly leaving fragments of data behind that would be recoverable, will render the vast majority irretrievable.
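Whichever recipe you pick, none of them tells you afterwards what the media actually contains, and a drive that quietly failed part way through a multi-hour overwrite looks exactly like one that finished. The script below is an added example, not from the original post or any of the tools above: after `shred -z`, `dd if=/dev/zero` or a successful secure erase the device should read as all zeros, so it samples blocks at random offsets (always including the first and last block, where the partition table and backup GPT header live), reads the whole device instead when it is small enough, and returns the first non-zero block it finds. The sample sizes, block size and the 32 MiB temporary file that `demo()` uses as a stand-in for /dev/sdX are assumptions. For a /dev/urandom fill the test is the opposite (no long runs of zeros) and is not covered here.

```python
"""Read back a wiped device and confirm it really is zeros."""
import os
import random
import tempfile

MiB = 1 << 20


def verify_zeroed(path, samples=256, block_size=MiB, seed=None):
    """Return a dict: ok, bytes checked, and where the first dirty block is."""
    rng = random.Random(seed)
    with open(path, "rb", buffering=0) as dev:
        size = dev.seek(0, os.SEEK_END)           # works for block devices on Linux
        if size == 0:
            raise ValueError(f"{path} reports zero size")
        nblocks = -(-size // block_size)          # ceiling division
        if samples >= nblocks:
            offsets = range(0, size, block_size)  # small enough: read everything
        else:
            chosen = {0, (nblocks - 1) * block_size}   # first and last block always
            while len(chosen) < samples:
                chosen.add(rng.randrange(nblocks) * block_size)
            offsets = sorted(chosen)
        checked = 0
        for off in offsets:
            dev.seek(off)
            chunk = dev.read(block_size)          # shorter on the final partial block
            checked += len(chunk)
            if chunk.count(0) != len(chunk):      # C-speed "any non-zero byte?"
                first = len(chunk) - len(chunk.lstrip(b"\x00"))
                return {"ok": False, "size": size, "checked": checked,
                        "dirty_block": off, "dirty_offset": off + first,
                        "preview": chunk[first:first + 16].hex()}
        return {"ok": True, "size": size, "checked": checked, "coverage": checked / size}


def make_sample_device(path, size, dirty_at=None, payload=b"not wiped"):
    """Constructed stand-in: `size` zero bytes, optionally with `payload` planted at `dirty_at`."""
    with open(path, "wb") as f:
        f.truncate(size)                          # sparse file, reads back as zeros
        if dirty_at is not None:
            f.seek(dirty_at)
            f.write(payload)


def demo():
    """Three runs on a temporary 32 MiB 'device'; returns their results."""
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "disk.img")
        make_sample_device(dev, 32 * MiB)
        clean = verify_zeroed(dev)                        # 32 blocks <= 256 samples: full read
        make_sample_device(dev, 32 * MiB, dirty_at=5 * MiB + 123)
        middle = verify_zeroed(dev)                       # full read finds the planted bytes
        make_sample_device(dev, 32 * MiB, dirty_at=32 * MiB - 10)
        tail = verify_zeroed(dev, samples=4, seed=1)      # sampled; last block is always read
        return clean, middle, tail


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(verify_zeroed(sys.argv[1]))             # e.g. sudo python3 verify.py /dev/sdX
    else:
        for result in demo():
            print(result)
```

With the defaults, 256 samples of 1 MiB is a few seconds on a spinning disk regardless of its size; raise `samples` if the device is going somewhere you don't control. A "dirty_offset" near the start of the disk usually means the wipe was run against a partition rather than the whole device, and one near the end that the overwrite was interrupted.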

2024/07/22 - More on CrowdStrike.
I see that the CrowdStrike outage has its own Wikipedia page. However, I guess you know normal thresholds have been exceeded into geek levels when there's an xkcd comic about the situation. It was even a topic of conversation with a few familiar faces at the annual Intelligence Corps Day in Edinburgh on Saturday.

But in all seriousness, most people had never heard of CrowdStrike until Friday. And to be honest, I had no idea it's use was quite so widespread. It always struck me as a fairly niche product - that has previous for instability.

As usual, the criminals were quick to weaponise the world's most serious IT outage in the history of technology. It showed how quickly Windows admins along with Security and Communications Teams had to align to prevent a catastrophic incident becoming an awful lot worse. Interestingly, there has been some reasonable speculation how the current, post-pandemic hybrid or home-working will have contributed to extending the outage.

Despite the efforts of no-doubt tired, stressed and undervalued IT staff over the weekend, it looks like there will still be a backlog at GP surgeries, some flights still won't go and trains and banks will also be impacted.

I note that many "experts" have jumped on the bandwagon to proclaim how to fix things - but this really was almost a perfect storm. Fixing it requires a change to society's thinking - starting with understanding the difference between value and cost.

In other news, I see that Cellebrite assisted in the accessing of Trump's would-be assassin's phone - and did so in forty minutes.

2024/07/19 - Microsoft 365 and CrowdStrike.
As I was going to bed last night, there were rumours that MS365 was considerably "degraded". Come the morning and the news is full of a global outage caused - apparently - by a poor CrowdStrike update. I don't know whether this is due to the global situation, but this feels bad and much worse than the denials would suggest.

2024/07/02 - Vulnerability in OpenSSH.
Given how ubiquitous SSH is, this feels bad.

Clearly, there are caveats. It's not been proven on Windows or Apple variants, nor on 64 bit versions of Linux - and only glibc-based versions are vulnerable. Either way, with over a third of all internet facing versions of SSH proving to be vulnerable, it's time to patch - urgently.

Original finding from Qualys here.

2024/06/26 - USB slots in Toyotas.
Regular readers will know that occasionally, when we're not making unpopular statements, we occasionally throw up little nuggets of information on the basis that when published on the Internet, it will largely be there forever. Over the years we've dealt with gotchas when reflashing a Google Pixel, electrically checking automotive fuses quickly, lots about people whom I respect, news from the Isle of Lewis, upgrading Ubuntu, family mentions and stories about boats.

This time it's about the USB ports in some Toyotas.

I recently bought a new-to-me Toyota. It was the first vehicle I've ever bought that seemed to come with everything needed to make and receive phone calls and listen to music from a USB or by Bluetooth out of the box. (All my previous Subarus had to be "tweaked" slightly with after market hardware.) The frustration, however, arrived really quickly when trying to use the USB port as the car would play it in an entirely arbitrary order.

It meant that for the first 3 months of owning my new car, I had to resort to using the same CDs burnt with MP3s that I was forced to use in my last Subaru. Even upgrading the software made no difference.

The long and short of it is that I should have followed my hunch and not done so much internet searching. If you search for information on how to fix it, you will get lots of people telling you that it's playing the tracks in alphabetical order (it's not), according to the access time (definitely not) or by numerical track order according to the file metadata (nope again). There are even a few people that say that they managed to solve it by creating a playlist (an M3U file). That didn't work for me and indeed within the almost 1500 pages of manual, it did say that it didn't recognise playlists.

I should have followed my hunch.

The FAT filesystem is pretty basic and the car was simply playing the music in the order that the entries sit in the directory table, which is broadly the order the files were copied to the stick. (I admit, there is some complexity around this, but at a high level it's as simple as I outline.) To solve it, copy the files to the stick and run this as root on the unmounted device. Windows and Mac users will be pleased to know there are other similar programs for different operating systems - but this isn't supposed to be easy!
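To make the FAT point concrete, here is an added example (mine, not code from the original post or from any of the tools it refers to) that walks a FAT directory table of 32-byte entries in on-disk order, the way a naive head unit does, and then rewrites it in name order, which is what a FAT sorting tool does to the real table. The table is constructed in the script; this toy version handles 8.3 short names only and does not attempt the long-file-name fragments a real stick would contain.

```python
import struct

ENTRY_SIZE = 32
ATTR_VOLUME_ID = 0x08
ATTR_LFN = 0x0F            # long-file-name fragment: all four low attribute bits set


def make_entry(name83: str, attr: int = 0x20, deleted: bool = False) -> bytes:
    """Build one 32-byte FAT directory entry with an 8.3 short name.
    Only the name and attribute fields matter for ordering; timestamps,
    first cluster and size are left zero (constructed test data)."""
    base, _, ext = name83.partition(".")
    raw = (base.ljust(8)[:8] + ext.ljust(3)[:3]).upper().encode("ascii")
    if deleted:
        raw = b"\xe5" + raw[1:]          # 0xE5 in byte 0 marks a free (deleted) slot
    return struct.pack("<11sB20x", raw, attr)


def short_name(raw11: bytes) -> str:
    base = raw11[:8].decode("ascii").rstrip()
    ext = raw11[8:11].decode("ascii").rstrip()
    return f"{base}.{ext}" if ext else base


def _live_entries(table: bytes):
    """Yield (attr, entry) for every live entry, in table order."""
    for off in range(0, len(table) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = table[off:off + ENTRY_SIZE]
        if e[0] == 0x00:
            break                          # 0x00 marks the end of the directory
        if e[0] == 0xE5 or e[11] == ATTR_LFN:
            continue                       # deleted slot or long-name fragment
        yield e[11], e


def directory_order(table: bytes) -> list:
    """Short names of files in the order the table presents them, i.e. the
    order a player that does not sort will use."""
    return [short_name(e[:11]) for attr, e in _live_entries(table)
            if not attr & ATTR_VOLUME_ID]


def sorted_table(table: bytes) -> bytes:
    """Rewrite the table with the volume label first, deleted slots dropped
    and files in name order (the short-name-only version of what a FAT
    sorting tool does in place on the device)."""
    label = [e for attr, e in _live_entries(table) if attr & ATTR_VOLUME_ID]
    files = [e for attr, e in _live_entries(table) if not attr & ATTR_VOLUME_ID]
    files.sort(key=lambda e: short_name(e[:11]))
    return b"".join(label + files) + b"\x00" * ENTRY_SIZE


# Constructed sample: the order a user might have dragged files on in
# (track 3 first, then 1, an earlier copy of 2 that was deleted, then 2).
SAMPLE_TABLE = b"".join([
    make_entry("USBCAR", ATTR_VOLUME_ID),
    make_entry("TRACK3.MP3"),
    make_entry("TRACK1.MP3"),
    make_entry("TRACK2.MP3", deleted=True),
    make_entry("TRACK2.MP3"),
]) + b"\x00" * ENTRY_SIZE


if __name__ == "__main__":
    print("as the car sees it:", directory_order(SAMPLE_TABLE))
    print("after sorting     :", directory_order(sorted_table(SAMPLE_TABLE)))
```

The point the parser makes is that nothing in the entry (no timestamp, no metadata) drives the order; position in the table does, and a deleted slot is skipped but its position is still there to be reused by the next copy, which is why "just re-copy the files" so often produces a different but equally wrong order.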

You're welcome!

(And don't get me started on why Toyota would put a USB port and 3.5mm audio socket vertically on the centre console. Sure, they're protected when they're not in use, but put in any USB memory stick and the audio socket remains exposed. Luckily, protective covers aren't expensive.)

2024/06/25 - Mr Assange pleading guilty.
I suppose it's the end of an era but I, for one, will be happy to see the end of the popular cult of the veneration of Mr Assange.

Whilst I accept my views are unpopular, I do wonder whether his fans have ever stopped to reflect on the impact his actions have had on the victims of his alleged crimes in Sweden. For an individual who stood up for justice, transparency and accountability; it is clear that he does not see those values represented amongst his own personal morals. And those who think that the atrocities WikiLeaks highlighted meant that the ends justified the means, then they are deluded. As Wilfred Owen said, "the first casualty of war is innocence". If anybody thinks the level of barbarism exhibited in the 2007 Baghdad air strike was somehow unique to that era, they remain deluded.

War is to go beyond hell. Sitting at home in a comfy seat, with an oat-milk skinny latte leaving likes on everything social media throws up is not war.

It's not even a worthy commentary on the utter destruction and personal loss.

2024/06/24 - News round-up.
A few interesting things happened just as we were finishing on Friday:-

  • Whilst this is undoubtedly the right thing to do, Russia remains very happy to and is competent operating on foreign soil. I hope this ends well - especially for the family of Ms Sturgess.
  • I still dislike the term "cyber" as in "cyber-security". It doesn't matter how the attack is conveyed, the target is information, power and money. The increasingly interconnected society means that what happens in the virtual world has an increasing impact on the real world. There is a reason BladeSec IA do information assurance and not "cyber".
  • This was a brave statement to make in the current climate and especially as the representative of the National Federation of Sub-Postmasters. It feels naive at best.
  • The comments from Mr Thompson make me wonder how this will pan out.
Having been involved in the roll out of many new information systems over the years, nothing ever hits the ground 100% perfectly - but you can put guardrails around that to limit the damage and prevent it becoming calamitous. And ensuring all changes are tracked and attributable is elementary.

2024/06/20 - Kicking the wronged when they're down.
I did say that I wasn't going to dwell any longer on the fate of the poor folk that have been wronged in the Horizon Post Office scandal, however things have hit a new low today. The Post Office have referred themselves to the Information Commissioner for disclosing the details of 555 sub-postmasters who sued them in 2017.

This was a national disgrace when it happened. It became far worse when the Post Office failed to remediate legitimate third party concerns. It perpetuated the travesty by failing to do any of it in a reasonable timescale. Instead, the Post Office continue to find ways to make it far, far worse.

2024/06/05 - Russia outed as behind NHS major incident.
It's been confirmed. This is right from the military playbook and so it worries me what will happen tomorrow....

2024/06/04 - NHS severely impacted by security incident.
On the same day that the D-Day veterans arrive in France to commemorate the 80TH Anniversary of the Normandy Landings, the NHS in London have declared a major incident. The attack has been made against a provider of pathology services resulting in the cancellation and movement of a number of treatments.

I'd wager Russia are behind this.

And the date is significant.

And the NHS being a target is deliberate.

It's sickening.... But there is no Geneva Convention in the virtual world - even when it impacts the physical world.

2024/05/23 - PSNI facing £750k fine from the ICO.
Following on from the data breach last year I do find myself in two minds about this. Ignoring the fact that the size of the fine is largely speculation at the minute, (The BA one went from £183.39 million to £20 million) I personally don't think that the ICO's penalty regime entirely works.

The bottom line is that right now, every public sector organisation is facing huge budget cuts. They face a daily onslaught of people who rightly exercise their legal right to obtain information on their operations, or to access the information that they hold about that individual. Each of these requests takes up a hugely significant proportion of time and effort to resolve.

Back when I was the inaugural Data Protection Officer for a public sector organisation at the roll out of the Freedom of Information (Scotland) Act, I operated largely alone. Now most public sector organisations have entire departments dealing with public requests. That is a massive cost that, for the most part, is entirely unrecoverable, yet it forms part of the legal obligations of that organisation.

However, the real reason I have an issue with the penalty regime is that fining the body responsible for the breach (in this case, a human error) doesn't help the victims. Instead, it reduces the funds available to the body to take appropriate corrective action. They may be able to pay another suitably senior individual to validate responses to official requests prior to sending them out, which would prevent this ever happening again. They may be able to invest in suitable automation to prevent this happening again. They may even be able to pay their victims more than the paltry £500 the PSNI are giving each of their staff.

And that's why in the current economic situation, I would suggest that the ICO's approach for fining public sector organisations is flawed.

Whilst I am criticising the ICO, I may as well highlight that they are permitted to keep a portion of the fines they raise. I appreciate that what I said above makes a case for increasing their fines, but I'd point out that the ICO have been trying to increase the scope of their operations at least since 2017. As recently as yesterday they were rattling their swords on something that is in preview in Windows 11, and that may never actually go live! On the other hand, they don't seem to be terribly interested in flaws in Apple's and GL-iNet's geolocation services that have existed for years.

2024/05/05 - A less Googled future.
I have previously mentioned my use of LineageOS and just how successful it was bringing a fully patched Android 14 distribution to a Motorola Moto G7 Plus that was supposed to stop getting updates at Android 10. Well, one update after Android 14 arrived, it was apparent that it too was no longer supported - which wasn't bad for a phone of that age.

That prompted an investigation to determine what that phone should be replaced with. I had spent a lot of time reading about GrapheneOS and the work it was doing on containerisation for Google applications, as well as redirecting Google Play Services calls to GrapheneOS. It was interesting enough for me to want to give it a go. Because it only works on Google Pixels, I had to order one of them, and because a Google Pixel 7 can run both LineageOS and GrapheneOS (clearly not at the same time!) that is the model I chose. Another benefit was that stock was being run down ahead of the Pixel 9 appearing.

Yesterday I installed GrapheneOS. It was pretty easy, following the instructions and I had a play. A day later, I'm replacing it with the stock Google firmware ahead of flashing LineageOS onto it this afternoon.

The reason is that GrapheneOS clearly has a very niche market and I don't think it's me. Whilst I don't want to depend on Google applications and services, BladeSec IA does use Google cloud infrastructure for our business e-mail, contacts, calendaring and tasks. As a consequence, I do expect a new phone to be able to handle those four things - not necessarily out of the box, but with as little effort as possible. It's clear that GrapheneOS is too much in the privacy camp.

Try as I might, I could not get the FOSS Calendar application I use to synchronise to Google. I managed to get everything else working - in the end. On the basis that it synchronised my Tasks, I freely admit that it was probably me doing something wrong that prevented my calendar working. The problem was that having spent a few hours trying to work it out (and I even read the online manual whilst it was flashing; worryingly, it goes from explaining Android gestures to storage permissions) I have opted to revert to LineageOS.

And that's where I find things now. LineageOS strongly suggests only installing it from the stock image. You would think that would be easy enough - Google even provides a web page to help you do it. And that's the point of this update as there are a few nuances that I thought may help people in the future.

Firstly, I chose to do it on Chrome from Windows 10. We have a solitary remaining Windows laptop that's used for all sorts of things. If I need to run some stuff that I can't look at, it will always go somewhere else other than a production machine. Hence, reverting the firmware to stock was always going to happen there.

My Pixel 7 appeared under "Portable Device" in the Windows Device Manager. It seemed to support my notion that I had followed the instructions to install the Windows USB device drivers. It did strike me as odd that Windows said that it was running the most up-to-date drivers already, but I'll circle back to that in a second.

The next issue is that the Google website doesn't actually seem to tell you how to prepare the device until after it fails. You need to enable Developer Mode, enable USB debugging and enable OEM unlocking. (I won't tell you how to do that as this isn't supposed to be easy!). When you enable USB debugging, it is easier to click "Always" under "Trust the computer". You are, after all, reflashing the firmware - the decision won't persist.

All went well and the online flashing tool was able to find my Pixel. I was able to click the option to reinstall the public firmware and my Pixel rebooted into the bootloader.

That's where the wheels came off.

Nothing I did would allow my laptop to see the Pixel. I went back into Windows Device Manager, and I spotted that the Pixel was now listed under "Other Devices", but with a yellow warning triangle. That makes sense in hindsight: in the bootloader the phone presents a different USB interface from the one Windows had already matched a driver to as a "Portable Device", so the driver has to be bound again. A quick right click and offer of the USB device drivers I had previously tried to apply when it was a "Portable Device" and lo, happiness was restored.

I'm typing this as the original stock firmware is downloading. This afternoon, I will install LineageOS after updating the phone on the stock Google software. Hopefully, it'll be easier as it's something I've done many, many times before.

2024/04/29 - Threat in the news.
This was quite timely as we completed a specialised threat assessment briefing for a government client last week. Other notable issues in the last twelve months also include a significant increase in "Social Media Auditors".

2024/04/24 - Website issue.
It's approaching the annual renewal of our website SSL certificate. I thought it was odd when our service provider (Namesco) started the renewal yesterday, when the certificate expires at the beginning of June. I thought it was odd, when I received two lots of verification e-mails from the provider of the SSL certificate. And I thought it was odd when the website stopped serving off HTTPS late yesterday afternoon.

We've taken the SSL redirect off, so that you can read the website in glorious insecurity until Namesco have resolved the issue. The website doesn't actually capture any sensitive or personal data, so this won't impact on much except your browser telling you that the connection is insecure.

2024/04/16 - A world away.
I'm just back from a heavily curtailed trip to the Isle of Lewis. I try to avoid catching up with information security news and gossip whilst there. It's so much more important to see friends, however there are two interesting articles from Bruce Schneier that are worth repeating:-

  • Bruce has expanded his memorial article on Ross Anderson.
  • Bruce then goes on to explain in his usual accessible way, how the internet dodged a bullet when the XZ Utils library was subject to a nation-state attack. If it doesn't chill you to the bone, it should, as it would have entirely compromised the security and integrity of SSH: on several distributions the sshd binary pulls in liblzma by way of libsystemd, which is the path the backdoor used.
2024/04/04 - At risk notice has now been withdrawn.
This afternoon's work has been completed and all is working again.

2024/04/04 - Reminder of this afternoon's at risk notice for CJSM networking.
Work is due to commence at 15:00. An update shall be posted following its completion.

2024/03/31 - At last a good use for artificial intelligence?
Last night, I had an epiphany regarding the current apathy towards politics and politicians (on both sides of the divide). I had this notion where what passes for artificial intelligence could be tasked to generate a word cloud of terms associated with each major political party on a daily basis using material from mainstream media and news sites dated within the last month. Thus, it would exclude the bias exhibited in social media, and be immediately more consumable by the populace. Technically it wouldn't require AI, but it seems like a good way to get funding for the project!

I suspect I was reflecting on this. I can't relate to the why but I do find it utterly heart-breaking. If this genuinely helps, then perhaps it is the best use of generative artificial intelligence so far.

2024/03/30 - Death of Ross Anderson.
There can't be many folk of a certain age that work in the information security field that aren't aware of Ross and the work that he did - especially in crypto. I have even quoted him on this website and so, I am saddened with the sudden announcement on Friday. In the mid-nineties, my boss at the time was also a Cambridge grad, so I think I met Ross a couple of times in 1995 or 1996. His insights were always thought provoking and I would hope that a bit of his intellectual curiosity rubbed off on me, if not then, but certainly in more recent times.

People in the Cambridge technology scene were surprisingly well acquainted with each other. It was due to a legacy of those times that I've always supported Cambridge during the annual boat race - and there's a little bit of me that thinks Ross would have welcomed today's result in both the men's and women's races.
--
(Updated 2024/04/02 to link to Bruce Schneier's far more insightful post about Ross.)
(Updated 2024/04/04 to include a link to The Register's obituary.)

2024/03/27 - At risk notice: Changes to the CJSM secure e-mail service.
BladeSec IA use a service provided by the Ministry of Justice to securely route e-mails to government and policing colleagues. This service requires some changes to be made and therefore we are announcing an "At Risk Period" where CJSM e-mails shall not be routed to us between 15:00 and 17:00 on Thursday the 4TH of April. Because of the nature of the change, please monitor the items you send to us for "bounce-back" messages. If you receive such an e-mail, please resend it after the at-risk period has expired.

The normal internet e-mail shall remain unaffected by this change.

2024/03/25 - More on the British Library attack.
The Register comes to the same conclusion that we did. The opinion piece goes further pointing out parallels between air accident investigation and the importance of the British Library report. As we said before, the details need to be shared with every senior in every organisation. El Reg's article largely ends by pointing out that there is no IA version of the Civil Aviation Authority to call out criminal mismanagement (although negligence seems more appropriate). It remains a chilling read.

2024/03/18 - News round-up.
There are a few things that we've been remiss in not mentioning:-

Firstly: This breaks my heart as much as an article in The Field listing details of the men who died between the signing of the 1918 Armistice Agreement at 5:45 and when it was announced on the 11TH hour, of the 11TH day of the 11TH month. If you work within IT or the technology industry, you owe it to those Post Masters who died having been falsely prosecuted to ensure that it never happens again. Never.

Secondly: Moving onto the digital attack that occurred in October last year against The British Library. In a relatively unprecedented demonstration of openness, a review of the incident was published at the beginning of the month. The details of that, including the apparent attack vectors, should be shared with every senior in every organisation.

Next: There's been a massive outcry about a family photo that was posted by The Princess of Wales to social media on Mother's Day. It was "kill-filed" by various media outlets as having been doctored. Given that Google actually advertises the Pixel phone by highlighting the reality-altering features of the Magic Editor, my view is "how can we trust any image from a modern phone as being undoctored?". I get annoyed at my Nokia G22 that regularly does things that AI thinks improves the image resulting in a cartoony feel - and there is no way to switch it off. No. I think we should be grateful that the Princess of Wales edited the image by hand rather than using AI. After all, it's the minute flaws that show it's hand crafted.

Finally: Many folk who work in this sector will be aware that Professor Fred Piper died on the 12TH of March. Whilst many people knew Fred from Royal Holloway, where he was the founding director of the Information Security Group there, I knew him as one of the founders of the Institute of Information Security Professionals in 2006. The IISP went on to become the Chartered Institute of Information Security, built on much of the work that Fred did, from the Skills Framework to the academic network. Not only was he one of the founding Directors, but he held the role until 2014, during which he helped influence information assurance in academia and the wider industry. He was one of the humblest, most engaging academics I knew and I will miss him.

2024/03/06 - Safer Travel, 2024.
We're delighted that it's finally arrived, albeit a week late. That was simply down to work commitments!

Eagle-eyed readers will notice there are very few updates between the final issue of 2023 and this one. We make no apology for that as it represents a different way of working. We normally spend hours trying to integrate all the necessary changes into the first edition of the subsequent year at the same time as fielding enquiries from folk who say, "Safer Travel is out of date" without actually contributing to it. Hence, this version has only received minor changes.

Watch this space.... We suspect the next issue will top out at over 200 pages!

2024/02/26 - The Calcutta Cup.
It was a bit of a fraught trip back from the Outer Hebrides on Saturday. The kick off for the Calcutta Cup was scheduled about twenty minutes before we made land. It meant that those first few minutes where England looked so incredibly dominant were followed by means of a very sporadic, poor quality mobile signal.

By the time we had checked into our hotel in Ullapool, and I had unpacked all the dog kit, Scotland had started their retaliation and were ahead - something that England never recovered from.

The match was notable for more than just the fourth successive Scottish win. Credit must go to Duhan van der Merwe for completing the first ever hat-trick by a Scotland player against England. His personal performance was the stuff legends are made from.

2024/02/15 - Backdoored encryption is illegal.
The European Court of Human Rights (ECHR) has issued a decision highlighting that laws that require the deliberate weakening of encryption violate the European Convention on Human Rights. This is something that will be awkward for the UK's Online Safety Act 2023 and its largely unenforceable, and now non-compliant, spying clause.

The mechanisms behind the decision make for interesting reading too, as we largely have to thank our friends(!) in Russia for this finding. It gets even weirder than that, as it was a legal challenge against Russia's Federal Security Service (the FSB) who demanded technical information from Telegram in order to assist in the decryption of a user's communications in 2017. The user originally challenged the order in Russia unsuccessfully - unsurprisingly. The thing was, somebody clearly overlooked the fact that Russia was technically a member of the Council of Europe from 1996 until its invasion of Ukraine in 2022. This means that the appeal, lodged in 2019, had to be considered by the ECHR until a decision was made; which it now has.

Good manners saves me from making a comment citing both the UK Government and Russia in the same sentence!

2024/02/01 - Safer Travel 2024.
Now that we have passed the inordinately busy January and started into February, we can start to plan for the pro-bono and expenses-only work we do. Part of that is the first edition of the 2024 version of Safer Travel.

There are a number of modifications that are outstanding; mainly around having a "plan B", and what it should look like whilst dealing with disasters in foreign places. Equally, now that everybody has become an expert on videoconferencing, there's a never ending stream of advice on that particular front that we need to sort through. We hope to have the first edition for 2024 in place by the end of February as the changes are not terribly extensive. When that's sorted there will be a significant review in time for the second edition. As always, we will try to get it out prior to the Scottish summer holidays.

In a related note, this year marks my 25TH wedding anniversary and we have some very interesting, and extensive, travel planned for much later in the year. I think the travel shall encompass every form of travel that is listed in Safer Travel. Whilst I didn't set out to do this, it does highlight how extensive the anniversary travel is!

2024/01/21 - Network upgrade - Work completed.
As with all these things, we ended up starting half an hour late, but broadly everything went to plan. All services are back on-line as of 12:30.

2024/01/21 - Network upgrade - Work commencing.
The router upgrade as highlighted below is scheduled to commence at 10:00. Another message shall be posted when everything's back to normal.

2024/01/15 - Network upgrade.
BladeSec IA need to swap out a network router that will shortly be end-of-lifed. We are proposing to undertake this on the morning of Sunday the 21ST of January when it will have no impact on any customers. In the last 24 hours, the router has exhibited some instability, and so we may need to bring forward the change. In this case, we shall only do this after customer reports have been issued / collected and so a short-notice outage would occur after 14:00 on the stated day.

It must be emphasised that whilst the outage will have no effect on customers, this will result in no connectivity for internal BladeSec IA information systems. Whilst e-mail and the BladeSec IA website shall continue to be fully operational, the gateway and customer reporting servers shall be taken offline. Any customer having a critical issue should use the appropriate telephone contact rather than e-mail during this time.

The customer facing service shall be fully operational by 08:00 on Monday 22ND.

2024/01/10 - The Post Office scandal - the last word.
I think that it's fair to say that the public reaction to Mr Bates vs. The Post Office has been unprecedented.

At long last the poor souls that have been battling to get their reputations and livelihoods back, fair compensation and even widespread recognition are on the brink of achieving all this. This is great and shows the power of the media. That said, I do find myself irritated that it took a TV dramatisation for it to enter the public consciousness and for it to be prioritised by politicians and criminal justice organisations. Only now are we seeing a force of thought, and the potential prosecution of responsible staff in Post Office Limited and Fujitsu.

What is wrong with society that it took a fact-based work of fiction to fix such an atrocity?

2024/01/09 - Website updates.
We have finally relented, and fully automated the mechanism we use to post news and comments, and other changes to the BladeSec IA website. It should mean that these will appear more regularly rather than in blocks of two or three (or not at all). The only bit that we can't do automatically is purge the cache from the content delivery network, however, most changes should percolate through in less than 24 hours despite this.

2024/01/05 - Mr Bates vs. The Post Office.
It was a very impressive dramatisation, and serves to highlight the outstanding predicament of so many sub-postmasters.

If you haven't watched it, please do so on STV Player or ITVX.

This programme should be mandatory viewing for senior civil servants, MPs, MSPs and all directors and C-Level executives of organisations of national interest. If you think you can get away with it or that what you do doesn't affect people's lives, to quote Abe Lincoln, "You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time". And that's the rub; the internet is "all of the people". In this day and age, eventually, somehow, even against the odds, no matter how careful you are, and despite NDAs and confidentiality agreements... The truth will always come out.

2024/01/02 - For Rebecca....
I watched the first episode of Mr Bates vs. The Post Office in absolute horror. I had a knot in my stomach as the entire disregard for humanity played out. I have never witnessed a dramatisation that so closely mirrored the reason BladeSec IA does what it does. We don't sell boxes and every bit of consultancy is backed by fact and decades of experience. We value the integrity of our own and our clients' data just as much as the confidentiality and availability, and that means that our customers trust us - to safeguard vulnerable adults, or to ensure children's voices are heard, to police environment enforcement and to manage evidence forensically. We do it, not just because it's important, but because people's lives depend on it.

As the credits rolled on the first episode, I was reminded of the point my late father lost faith in banking. He was an old-school bank manager that liked pens, paper and writing everything down. (This was one piece of advice that I have ruthlessly stuck to - If you write it down, you don't go wrong.) When his bank was computerised, the closing balance did not tally with the paper record that he had insisted was maintained. I recall that it was not a massive amount, but because he had sought evidence that the computer system was accurate, one of his tellers was quickly able to identify that the amount outstanding was, to the penny, the same as the funds held in the charity and non-profit accounts. When my father phoned the helpline to point this out, whoever he spoke to realised that that category of account had not been transferred onto the computer system. My father maintained that he heard some typing, and the outstanding balance on his branch was changed to nil. He maintained that if somebody can do that without seeing the evidence of the cash at hand or without the authority of the branch manager, computerisation was always going to be met with suspicion.

My father was lucky in some ways as ultimately, his bank made the transition reasonably well, although I note that I had cause to complain to a different bank several years later, when I went to get a mini-statement from an ATM and discovered that the date the statement was issued was three days prior to the "last transaction".

That's why this remains so important....

2024/01/01 - Happy New Year!
Unlike recent years, we've decided to stay put, and so I am penning this from the security cart shed rather than the Isle of Lewis. Perhaps it is something to do with the fact that we're entering the thirteenth year of BladeSec IA.... or maybe not.

Looking back at the last three months, we've been inordinately busy, doing inordinately interesting things for our inordinately special clients. We're delighted to have a couple of new clients on-board who have been very vocal in championing our skills and abilities with other bodies.

I continue to look in frustration at the "traditional" consultancy sector. It is clear that it survives by never admitting failure, never scaling to provide best value and pandering to procurement by being so large, it can't fail - except to deliver best value client focused programmes. Many government departments are bought into the hype looking for "digital delivery partners" that can offer "development, hosting, administration, infrastructure, security services, data centre, on-prem, cloud, hybrid, UK-based, security cleared and ready-by-a-week-Tuesday". If that were divided up into smaller lots, you can imagine the value that would be provided to the tax-payer; all in return for an overarching programme manager - and you never know, some programmes may deliver to time, to budget, to specification.

With that, here is our tongue in cheek look at the last twelve months:-

  • Average distance travelled to work: 12.7 miles.
  • Distance to farthest job: Over 5000 miles.
  • Oddest destination to be back in: Stirling.
  • Value of donations made by BladeSec IA to support good causes: £225-00.
  • Amount of time donated by BladeSec IA staff pro-bono: 26 days.
  • Date the magenta toner was finally replaced in the office laser printer: 21ST December, 2023 (Technically, it was still going, but they're all so old, it's getting a bit grainy.)
  • The number of times, Suilly the security cart shed dog has had to be taught recall: 5 (and counting).
  • Number of dummies eaten by Suilly the security cart shed hound: 3.
  • Number of dummies lost by Suilly the security cart shed hound: Nil (was 2, but then he found them again).
  • Oddest item bought on-line by a member of BladeSec IA staff: A set of "cleaning picks". (Which I am told are for getting into really small areas!)
  • Top ten albums on the security cart shed playlist: Road by Alice Cooper, Felsenfest by dArtagnan, All We Have Is Now by Elephant Sessions, Soapbox Heroes by Enter the Haggis, IMPERIA by Ghost, Starcatcher by Greta Van Fleet, Live from Nowhere in Particular by Joe Bonamassa, Gettin' Old and Growin' Up both by Luke Combs and Live at The Old Fruitmarket by Rura.
  • Average score given to Indiana Jones and the Dial of Destiny: Seven out of ten. (Considerably better than Crystal Skulls!)
  • Amount of money received by BladeSec IA for anything other than consultancy: £nil. (Was it ever going to be anything else?)
  • Number of technology products sold By BladeSec IA: None.
Happy New Year!


Click here for older News & Comment.