News and comment <

Travel advice

2026/05/11 - The end of an era - Part 2.
Last week's explanation was one of the longest entries I have ever made on this website, but even then, the story remains unfinished.

The bottom line was that whilst the Disclosure Scotland contract was my main source of income, it was one of a few. There was little risk of my becoming destitute and with my experience, I felt confident that I would not be without an interesting role for long.

I reached out to people I had mentored, those who I had helped when they were in a similar predicament and acquaintances that I respected. The sad thing there was out of the dozen or so folk I contacted, I had little interest. One was desperate for me to go back into consultancy for a big faceless organisation. Another lined up a conversation with a security architect in a FinTech. Neither appealed as I still wanted to make a difference. I did, however, give myself a deadline to find something aligned to my personal aims rather than profit.

I ended up applying for permanent roles within government, policing and wider criminal justice. I was considered - and had a few interviews, but largely I would be lucky if I got anything. It was clear that AI was doing a lot of heavy lifting and there was no way I would compromise my integrity to use AI to retaliate with buzzword bingo in my resume. The feedback I received was usually banal and generic, however Police Digital Services was a new low.

I had an "informal interview" where I felt I hit it off with the individual who would be my boss. We spoke effortlessly about my knowledge and experience and at the end, the interviewer had no further questions. He finished by saying I'd be offered a second interview after he returned from Australia. Oddly, three weeks later, I received a rejection along with an invitation to request feedback. This I did, asking why I did not get an interview. The feedback was basically, "there were other, stronger candidates". Given that I had worked with PDS from the days it was the Police ICT Company, and what I had achieved - including introducing colleagues in NPIRMT to contacts within AWS, I was surprised by this and asked for specific information on why I had been offered an interview and then rejected. The long and short was despite three attempts to clarify what had happened, no further information was provided. I pointed out that they may as well choose candidates by rolling a dice, as there was clearly no subjective decision making involved. Give them their due, I had a call from the HR Director to apologise, but by then the role had been filled. They did suspend all recruitment for a period, but I never did receive any feedback.

At that point, I began to doubt my own expertise and skills, but worse than that was my wife tells me I forgot how to smile. I was still being kicked.

2026/05/06 - The coming storm.
I forgot to highlight this issue when it occurred. The gist of it being that despite all the checks and balances, de-identified health data belonging to half a million volunteers appeared for sale on Alibaba.

To put that into context, Biobank is a UK body who offered their data to registered research institutions. They were responsible for deciding what good looked like before they shared their data. They were responsible for deciding what security controls were in place - and I can say with some authority, none of that was cutting edge. Whilst it was a body trying to control their data, it was not trying to apply physical controls en-masse to pretty much the entire internet.

And it's not just me who is worried about the coming storm. It is effectively pushing society into more and more walled gardens where each instance of big-tech has their own jurisdiction and standards and their own way to take and monetise your being; all whilst increasing division and breaking transparency and the flow of information.

Why won't somebody really think of the kids?

2026/05/05 - The end of an era.
It's clear to the thirteen of you who read this website regularly that something is amiss. I've hinted as much, and the various changes to the website caused friends to raise concerns that I, or somebody close to me, was unwell.

No.

The fact was I had to wait until a contract expired yesterday before setting finger to keyboard. History is written by the victors, and I know that facts are already being re-written to suit a specific narrative.

Firstly, the elephant in the room is that BladeSec IA is no more. The hopes and dreams I had of actually providing definitive IA advice at a reasonable cost from qualified and experienced professionals is dead. We did everything we could to maintain our standing, but as I have said previously I consider myself a thoroughly kicked dog.

The straw that broke the camel's back was eluded to here. In my line, trust is hard-won. When trust is earned, it should be for life, but I never expected it to be thrown back at me by people whom I had grown close to personally as well as professionally.

My wife and I had made no secret of our desire to live on The Isle of Lewis. We spent enough time there, it seemed a natural thing for us to return to my childhood home. The one thing that would derisk that move was a renewal of a contract with Disclosure Scotland. Through COVID and for a while afterwards, my existing zero-hours contract had been extended non-competitively for short periods of three months and six months. Indeed, I was left in this limbo for longer than the original contract duration!

The contract was eventually let, and I was awarded a 2+1+1 contract in May 2024. It was the continuation of a role that had defined me since 2008, and where I had played an integral role in building the security team and the assurance regime. With that in place, my wife and I set about planning for a move. I sought the views of all my clients, and none raised any concerns with our plans.

During the late summer of 2024, I had detected a palpable change in the way I was treated. The transparency was evaporating, and I was presented with fait accompli portions of work too often that were - in my professional opinion - poor.

Following an incident where I let my frustrations boil over about not being consulted on a particular outside engagement that I owned, an individual took what I said personally. I counted this individual as a close friend and not only attended a family funeral out of respect for him, but visited him and his family when we were both on holiday close by. Instead of him raising it with me, he downed tools and complained to everybody that would listen that I had threatened him. The truth was, I had threatened everybody in the team with a throwaway comment that nobody else took exception to. Needless to say, had he spoken to me, my respect for him would have entailed an immediate and forthright apology.

The camel was a bit bent out of shape by this point, but my wife and I planned for our annual trip to the Isle of Lewis for our wedding anniversary at the end of October 2024. This time was a bit more special. Not only was it our Silver Wedding Anniversary, but we were scheduled to look at four houses and have an informal interview with the local authority about fostering. We had already booked our remaining trips for the end of 2024, and the beginning of the following year, aiming to be ensconced on the island by May, 2025.

Ten days before we were due to travel - thanks to a misdirected e-mail - I discovered well established plans to get rid of me; four months into a four year contract. When an individual who doesn't understand government information assurance is asked to get rid of the governance mechanism that keeps him and his team in check, that individual is not going to be impartial.

It wasn't pleasant cancelling our plans for our Silver Wedding Anniversary. It was quickly clear that we would be unable to move by May and the situation was compounded by the fact that our normal accommodation was unavailable for the summer 2025 as it had already been booked by other travellers. I made no mention of my own circumstances as I wanted to believe the powers that be when they said the assessment was going to be fair and impartial. In my heart of hearts, I knew they wouldn't, but I didn't want their sympathy as they ripped up the Civil Service Code. The leaked e-mail, after all, was very clear that my not being there was a certainty.

As it was, my first official view of life at Disclosure Scotland without me was presented at the last Security Working Group meeting prior to Christmas 2024. I could level an utter lack of empathy at those involved at the timing - as once again, it put a considerable dampener on what should be a happy time of year. It was then, however I realised it was pointless to register any protest. Even if I had been successful, it would have come at too great a cost.

I get the fact that I'm just the hired help, but I always expected to be the master of my own demise, by leaving after developing a modern assurance regime. With that in mind, I always expected to leave the organisation in a better place than when I arrived. After all, I was an authority on assurance as the Head of the Accreditation Specialism Advisory group and working across policing, criminal justice, the Scottish Government, UK Government Departments and arms-length bodies as well as being one of the original Fellows of the Chartered Institute of Information Security. But that portion of work was never given any priority until somebody else who didn't understand government IA decided it was and threw my trust under a bus.

Throughout all the darkness, the one glimmer of light was the kindness exhibited by Sandy Matheson who on hearing about our lack of travel to Lewis lent us his family's sheiling in Harris for a trip in May. Far be it for me to add malice to a lack of empathy, but something caused Disclosure Scotland to serve my notice a few days before that trip too.

It was also upsetting given how much I had achieved for Disclosure Scotland and how many bullets I helped them dodge, only one person contacted me to say goodbye.

So, I spent most of last year very, very broken.

There is no doubt in my mind that the people involved will be able to identify themselves in this narrative. I tried hard to anonymise it but in truth, my heart wasn't in it. I'm sure I will be able to live with myself. After all my last words to my former boss were "Hell mend you".
--
2026/05/07: Edited extensively to improve legibility.

2026/04/30 - When democracy keeps failing.
I appreciate hunting with dogs can be an emotive topic for some, but as Tim Bonner from the Countryside Alliance points out, the minister responsible for bringing about the ban is focused on the how rather than the why. This mimics the widespread inability to accept fact in other areas. I suppose the only way this deviates is that the ban was in the 2024 Labour Party Manifesto - unlike controls on Social Media and Digital IDs!

2026/04/29 - When democracy fails.
I'm going to start by apologising for being slightly more political than normal. (The reason for that shall be made clear soon.)

Today, it's clear that the Labour party whips were out in force ensuring that the Prime Minister didn't face the prospect of having his dealings with the FCDO and Lord Mandelson dragged into a public inquiry. I'm not going to pass comment, but there are a remarkable number of parallels between the bullish attitude exhibited by Sir Keir and the wider Labour party.

Sir Keir didn't like the prospect of having the circumstances of Lord Mandelson's appointment dredged up and in the interests of trying to prop up popular opinion, his government committed to implementing some form of social media restrictions for kids regardless of the outcome of a consultation on an outright ban.

And in another atrocity to democracy, the same government (technically under guise of the "People's Panel on Digital ID") have sent out invites on "how [we] should design a Digital-ID". Once again, the answer appears to be largely already predetermined regardless of how independent and random the panel may be.

As a friend of mine once said, "If you're not angry, you're not paying attention"!

And in an entirely unrelated matter, but the ICO is currently without a leader.

2026/04/24 - Future Shock.
The CEO of Proton has made a number of interesting points in his post. El Reg has picked up on it and run with it. They highlight the age checks being implemented by other technology firms, whilst pointing out that one tried and then stopped when criminals accessed the information they were forced to collect.

And in terms of how secure WhatsApp actually is. Well.... the flaw with WhatsApp was always how it was monetised, and as I understand the Meta Privacy Policy, they do exploit your metadata. And now other people can too.

But having been the target of my ire for the past month or so playing at being the last bastion of privacy, Apple have actually done something tangible by fixing a flaw that stored an on-device notification history.
--
(With apologies: An early version of the item above was accidentally published with the item below.)

2026/04/23 - The NCSC widget.
I'm not at Cyber UK this year. I went to the last one they held in Glasgow and was disappointed. This time, I note that NCSC have launched their first "branded device".

Now... after almost 35 years working in IA, I can get my head around most threats, including some pretty outlandish ones. I participated in an MoD working group to try and remember what had been forgotten in a field that is a vulnerability to video signals. Despite this, I cannot get my head around what the SilentGlass device is supposed to protect against.

1. It sounds like it has mythical abilities with "threat agnostic" capabilities.
2. It's a commercial product approved to for used in the "highest threat" environments. And NCSC are making it available to "risk-conscious organisations".
3. And they've gone into partnership with a commercial organisation to market the device that is apparently available now.
4. And it's "NCSC branded"!

1. It sounds like it's a panacea - without explaining what exactly it's supposed to cure.
2. I'm pretty sure NCSC (or maybe CESG) used to warn against snake-oil products saying they can fix everything now and forever.
3. It doesn't appear to have a USB port or other mechanism for it to be updated. That suggests it's entirely unpatchable and unmaintainable - but yet it's effective against all threats.
4. Risk conscious organisations would have to be risk unconscious, as the risk / return / impact is just entirely missing from the announcement.
5. Yay for NCSC branding. I had a CESG calculator that I thought was immensely cool, but it's clear from the pictures on the NCSC website, the devices are clearly not branded.
6. Finally, given that NCSC have apparently announced their first hardware partnership.... why hasn't their commercial partner gone live with any material on their website. It's even conspicuous by it's absense.

2026/04/16 - Various bits of news.
Before turning to trivial matters, a brief moment is needed to highlight the death of Alexander "Sandy" Morton who played Golly in Monarch of the Glen. The series was mandatory Sunday night viewing in my house as a small child and forms one of the very few sets of physical DVDs that I own.

I have been very critical of Apple recently, but in the interests of openness, I will highlight this article highlighting the overall approach adopted by Apple to prove the individual's age was effortless.

It does rather ignore why Apple decided to appoint themselves as the moral gatekeeper of the UK's Online Safety Act. In that respect, it's rather like your car checking it's MoT'd, you have a licence and are properly insured before permitting you to drive it. And of course, it'll have to validate those details every time it's driven, because drivers can change and individual circumstances can change.

That highlights where the Apple approach will fail.

It won't repeat the validation every time it's unlocked. This will leave the stressed Apple parent who hands their iDevice to their child to placate them (something that iPads seem designed for and I have seen a thousand times) potentially open to prosecution under the Online Safety Bill.

But it's okay. The Prime Minister will fix it because clearly the government understands technology.

Finally, before the month is out, we will be cancelling our TLS certificate for the website. Fundamentally, there has never been a need for it as we don't collect any information, don't set cookies, and don't perform any transactions. The website shall revert to be being served over unencrypted HTTP.

2026/04/14 - Death of Moya Brennan.
This morning, Moya Brennan, lead vocalist of Clannad died.

I was never fortunate to see her or Clannad in person, but I do remember the first time I heard Magical Ring and the stunning Theme from "Harry's Game". My friend Stuart had borrowed the album from his brother, Duncan, and he shared it with me. Shortly after that, I became a fan of Robin of Sherwood, and I instantly recognised the ethereal music accompanying an epic retelling of the legend.

Listening to Clannad, it was like it answered all sorts of musical questions in my head. It was neither rock, pop, traditional, folk, classical or a soundtrack. It was the antithesis of the music most others in my school listened to and I loved it. It became the soundtrack to all the wonderful, far away places my reading took me to.

2026/04/09 - Updates on recent stories.
Apple have released iOS 26.4, bringing mandatory age and identity checks to users in the UK. Given the population's recent investment in VPNs to circumvent other stupid controls, this does rather feel like Apple are shooting themselves in their privacy claims.

And for those wanting more information on Microsoft Azure, try Ars Technica.

2026/04/07 - ICO thinks of the children.
It's been a while since I had a moan about the ICO expanding its remit whilst being unable to fulfil it's regulatory role. Clearly, with all the discussion of kids and social media the ICO has seen an opportunity to get some column inches, and advocate that parent's actually parent. The sad thing is, it's largely what I've been saying for quite some time.

In other news, for any organisation that permits home working, or bring your own device, the latest NCSC advice should chill you to the bone. And ironically, I highlighted the risks of this during the uncontrolled COVID exodus in 2020.

It's almost like I know what I'm speaking about!

2026/04/05 - LinkedIn and privacy.
There are many people who insist that my views on social media are their own, but yet insist that LinkedIn is not the same.

As somebody who has never been very good at telling everybody (including those that don't want to listen!) how great I am, I steered well away from that particular site. The fact that they had too many security breaches (2012, 2021, 2023 and 2025), and the stupidity of people joining the "Government Security Cleared Group" were not lost on me.

But less evil? Really?.

LinkedIn is owned by Microsoft. Here is the starting point of a fascinating insight into Azure.

2026/03/25 - Apple and privacy.
(I won't apologise for the fact that it is remarkably bad timing from Apple that has resulted in two adjacent comments featuring a criticism of them. I'm sure I'll cope.)

Oh dear. Oh dear.

Remember this is from the company who claim Privacy: That's Apple. Look closely at that page. That Apple page. I especially like the bit that says, "Privacy is a fundamental human right" and "... we design our products and services to protect it". Err. No they don't.

The difference between verifiable fact and stated position is so wide, this is delusion on a US Presidential level.

What happened to honesty and personal integrity in society? It is clear it is now optional in a heavily-regulated, but hostile environment where there is no right or wrong, just opinion, personal truths, perspectives, framing and spin.

You couldn't make it up - because somebody already has and has passed it off as "fact".

2026/03/13 - Apple still at their old games....
Yesterday, I read this.

I would imagine there are a lot of Apple FanBois and FanGrrls who are so excited that once again Apple tell everybody they are the best at privacy and security. Indeed, I received the notification from three different sources, including one which specifically knocked my historical admiration for BlackBerry devices.

Here's the thing. (Linked to a search engine - choose your own provenance!)

I'd like to think that Apple did not consider BlackBerry 10 devices to be "consumer" devices? Except I - along with millions of others - were "consumers". I had a BlackBerry Passport. Millions of others had them. And others had the Z10 and the Q10. They were all perfectly functional devices that relied on no further infrastructure. To my mind, therefore, they were consumer devices.

But no. I suspect Apple just hope that the rest of the world doesn't remember BlackBerry 10. The fact remains that some of us do. Even ignoring the fact that the Passport remains one of the most functional devices that I have ever used (and I miss), it had approval for NATO Restricted almost 15 years before Apple decided to tell the world they were the first.

For the sake of telling a complete story, I should point out sideband attack detection and protection in BlackBerry 7.1 was better (it had a removable battery for one) but there was a reason the UK Government used BlackBerry devices for HMG Restricted (and some HMG Confidential - but that's another story) at the time Apple were struggling to certify their crypto module. (And for the avoidance of doubt, IOS6 had to be approved for Restricted because so many people just wanted an iPad or an iPhone - the residual risks were broadly catastrophic and the management was non-existant!)

History is written by the victors, and in this case the benefit to their "consumers" is nil.

2026/03/11 - Internet Watch Foundation TALK checklist.
It's all very well to sit in a high tower and criticise those who do not understand the internet or kids and their attempts to "ban the internet". Fundamentally, we all want to keep our kids and vulnerable members of society safe, it's just we disagree on how that is best achieved.

More years ago than I care to remember, I recall getting the watch-lists from a very early version of the Internet Watch Foundation (IWF) to remove illegal content from our NNTP News Server.

Today, I watched an interview with Ngaire Alexander from the modern-day IWF. What she said was refreshing and encouraged openness, responsibility and learning. I'm delighted the IWF continue to offer practical advice on internet safety.

Here is their advice.

And yesterday, I discovered that the knee-jerk reaction of "think-of-the-kids" has it's own law (NSFW) - like Murphy's Law.

2026/03/06 - Privacy when you are the product.
Fascinating article on privacy from the Beeb.

2026/02/22 - The future of this website - Part One.
In the coming months, there will be some changes to this website. The first starts this week as we migrate everything to use the BLADESEC.NET domain. If you receive any e-mail, or visit a website that uses an almost similar domain name. It's simply not us.

And for the avoidance of doubt, MR-MAIL.NET and MOON-RAVEN.CO.UK will continue to operate. There are no plans to migrate them.

In the coming months, we shall stop serving off HTTPS too - but that's still a wee while away.

2026/02/21 - All that is wrong with people on the web.
This brilliantly sums up everything that is wrong with people on the web in a motoring column. Clever people - with a good reason - make a plausible camper design and release it to the web-enabled masses. Those same masses run with it, generating their own AI-slop, and one US-based journalist lying and saying that they had driven something that simply does not exist in the real world.

2026/02/17 - Kids and VPNs.
It's almost like Mr Starmer reads this website.

Peers signalled their intention to for kids to be banned from social media platforms. We speculated that VPNs would be next. And there it is.

A three month consultation is thought to be a more likely outcome, but I would wager it will make little difference. Government has to be seen to do something about the cultural, parental and societal problem with social media and those under the age of sixteen can't vote. That makes them an easy target to victimise.

This whole situation just goes from bad to worse.

I note in the article linked to above, that DSIT want to ensure that "children have a healthy experience online". They are assuming that "online" is a healthy place to be in the first place. It's not. It never has been. It is a virtual world with both good and bad - just like this one.

The two are intrinsically linked and each is critically important to the other. The virtual world - like this one - brings far more good than bad. It is, however, a fundamentally flawed assumption that the Internet is universally a "good place".

In the same way that the real world comes with dangers that parents and teachers educate and explain, the virtual world is exactly the same - but seemingly without the learned experience. It's too easy for parents and guardians to stick a tablet in front of their kids in order to gain an hour of peace. It's too easy to let your kid use private messaging as a consequence of peer pressure. The next step is letting them set up a social media account before they are technically old enough. And all of this occurs without understanding, education, support and explanation.

This is the root of all that is wrong that now needs fixing. But no. Let's just ban the kids from using this stuff. Let's apply a physical control to the virtual world. Because that always works and kids will never try to circumvent that, will they?

It does not work and the people who will be affected will be some of the most vulnerable souls we know.

2026/02/16 - Scotland win the Calcutta Cup.
Having bounced back from their drubbing by Italy, the tables were turned and Scotland completely dominated England. The last time Scotland won - back in 2024 - I missed the beginning of the match because we were on a ferry returning from Stornoway. This time, I was safely ensconced in a pub in Stornoway with Suilly at my feet and nothing better to do.

Possibly an indication of things to come?

2026/02/05 - Kids and social media.
A few weeks ago, opposition peers in the House of Lords supported legislation to ban under-16s in the UK from social media platforms. It is clear that with this, it highlights how desperately poor government is when it comes to understanding (i) kids, (ii) how the Internet works, (iii) what went wrong with the Online Safety Act; and (iv) kids (again).

Banning is an apparently easy solution to a complex problem that society's mindless and selfish adoption of social media has led to. Banning it simply won't work, and we'll see another surge in VPN usage. This may potentially result in demands for that legitimate security-enforcing technology to be banned too - for all the wrong reasons. And how do you explain to kids that have had perhaps three years of legitimate social media access that they're no longer mature enough to access it?

Society let the problem be created. It largely took Elon Musk's purchase of Xitter for society to begin to doubt it's value. Factor in all the Russian and Chinese mis-information bots, and all the AI-slop, and it's clear the benefit to society from social media has been devalued almost entirely leaving the sharn to float to the top. Society needs to fix the problem through education and definitely not a blanket ban. After all, kids would never use their better knowledge of technology to circumvent a stupid rule, just because it's against the law, would they?
--
2026/02/09 - Updated to improve legibility.

2026/01/14 - News round up.
Things have been a bit busy since the turn of the year preparing for some excellent news that will be announced shortly. As a consequence, we missed some really important news items:-

• The UK Government has exempted itself from the new Cyber Security and Resilience Bill. When those in authority say "do as I say, not as I do", you are on a very slippery slope to losing all accountability.
• And the UK Government has fragmented it's approach to IA again - with added AI. What role does the Government Cyber Unit have over GCHQ, NCSC, various factions within the Home Office and Cabinet Office, various devolved administration functions and a whole raft of arms-length organisations? This will end up as a land grab for power, but ultimately confusion over responsibility. No. Just no.
• Forty years ago, the Hacker's Manifesto was written. Is this a note of things to come?
• In some good news, the Government has made their thirteenth or fourteenth U-Turn and announced that the non-manifesto, optional, but mandatory for employment, Digital ID has been canned.

2026/01/01 - Happy new year.
As mentioned previously, the first of January, has brought a significant change to the website. Undoubtedly, the referencing of things in the past-tense and the notice of not accepting work or referrals will bring about a lot of questions:-

Firstly: BladeSec IA still exists - and will do at least for a little while yet. All existing contracts will be honoured and delivered in the relentless and passionate way that we do things.

Secondly: No, we are not accepting any new work. Sorry. It doesn't matter who sent you here, what assurance issues you have. We are no longer the security consultancy of last resort for you.

Third: Other than Suilly, the security card shed dog, who had an operation to stabilise his knee back in October, we are all in excellent physical health - especially given the time of the year.

Finally: All good things come to an end, and it is the turn of BladeSec IA to fade to black. The Principles that we lived and died on are no more. Whilst it does break my heart, we did make it to our fourteenth year. I recognise now those values we judged ourselves on are simply lost. It has been a hell of a journey, but fundamentally I am out of fight and the situation has been compounded by circumstances.

The industry is crying out for new IA professionals, with numerous industry journals highlighting massive skills shortages. The government is seemingly prioritising the creation of a "cyber industry" (not to mention an AI one!) at the expense of developing those of us that have been round the loop before. We have endless experience, but it doesn't matter. Better to do assurance by "one-size-fits-all" (Cyber Essentials) or spreadsheet (the Cyber Assurance Framework and it's variations). Create guidance that "security practitioners" can deliver with little or no experience, and there is no doubt that it's being dumbed down.

In the face of increased threat the current situation makes no sense to me and as I said, I am all out of fight. There are only so many times you can kick a dog before he stops coming back and I have been kicked black and blue this last 12 months.

I don't do the cult of the celebrity. I am not good at self promotion and saying, "Look at me". Over thirty years, I have led by example, with my actions showing my integrity, fairness and honesty. I have not talked about many things, because I couldn't and that won't change.

In the coming months, there will be some things that we need to sort out - not least of which, what gets done with Travel advice. And we know how popular some of the news and comment has become, so we'll leave that up for the time being, with the proviso that they represent solely my personal views unless otherwise specifically stated.

All that remains to be said, is "happy new year" to you and yours and watch this space. It's going to be an awfully big adventure for me and mine.