From ukcrypto at chiark.greenend.org.uk Sun Aug 12 17:41:00 2007
From: ukcrypto at chiark.greenend.org.uk (David Hansen)
Date: Sun, 12 Aug 2007 17:41:00 +0100
Subject: How information is protected
Message-ID: <46BF462C.2834.1B51167@davidh.spidacom.co.uk>

http://news.independent.co.uk/uk/crime/article2856892.ece outlines how "well" those inside the tent protect information about us. Not at all.

========================================================
Database of top-secret police phone taps stolen
By Ruth Elkins
Published: 12 August 2007

Police chiefs have launched a major investigation after the theft of a computer database containing thousands of top-secret mobile phone records from terrorism and organised crime investigations.

Scotland Yard is concerned that crucial evidence from undercover investigations could be lost forever or has found its way into "the wrong hands" after the computer and other IT equipment disappeared from a private firm in Sevenoaks, Kent, last Monday night after a break-in.

Forensic Telecommunications Services, whose clients include Scotland Yard, The Police Service of Northern Ireland, HM Revenue and Customs and the Crown Prosecution Service, specialises in tapping mobile phone calls made by criminal suspects.

The stolen security-protected server contained the minutiae of phone calls it had screened, including the identity of the person who had made the call, as well as the exact time and location of the suspect when the call was made.

In a statement released to The Mail on Sunday, Forensic Telecommunications Services confirmed that the equipment had been stolen from its offices but denied that its disappearance would impact negatively on current police cases.
========================================================

See also the Wail on Sunday
http://www.mailonsunday.co.uk/pages/live/articles/news/news.html?in_article_id=474788&in_page_id=1770&ct=5

However, if the information stolen is as the article states then there would be no problem in victims being told their data had been rummaged around in by the police and other bods. It is always good to get further evidence that backs up my opinions. Undoubtedly the only reason those inside the tent don't want victims to be told is that the victims might then ask awkward questions.

--
David Hansen, Edinburgh
I will *always* explain revoked encryption keys, unless RIP prevents me
http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54

From ukcrypto at chiark.greenend.org.uk Mon Aug 13 08:34:50 2007
From: ukcrypto at chiark.greenend.org.uk (Mary Hawking)
Date: Mon, 13 Aug 2007 08:34:50 +0100
Subject: How information is protected
In-Reply-To: <20070813065425.18696.66361.Mailman@chiark.greenend.org.uk>
References: <20070813065425.18696.66361.Mailman@chiark.greenend.org.uk>

>From: David Hansen
>Reply-To: ukcrypto@chiark.greenend.org.uk
>Date: Sun, 12 Aug 2007 17:41:00 +0100
>
>http://news.independent.co.uk/uk/crime/article2856892.ece outlines how
>"well" those inside the tent protect information about us. Not at all.

The article says that the server (holding top-secret phone calls relating to terrorism and organised crime) was "security protected": any idea whether this means securely encrypted, physical protection or both? The police are concerned that vital information might be lost forever (implying lack of back-up) or fall into the wrong hands (if encrypted, they don't trust the encryption) while Forensic Telecommunications Services "denied that its disappearance would impact negatively on current police cases." - but doesn't mention future ones...

I don't think, without further information, you can be sure that precautions were inadequate - unless "office" means a place with desks and phones!

Mary Hawking
--
Mary Hawking

From ukcrypto at chiark.greenend.org.uk Mon Aug 13 09:53:07 2007
From: ukcrypto at chiark.greenend.org.uk (David Hansen)
Date: Mon, 13 Aug 2007 09:53:07 +0100
Subject: How information is protected
References: <20070813065425.18696.66361.Mailman@chiark.greenend.org.uk>
Message-ID: <46C02A03.15460.52F8C1C@davidh.spidacom.co.uk>

On 13 Aug 2007 at 8:34, Mary Hawking wrote:

> I don't think, without further information, you can be sure that
> precautions were inadequate - unless "office" means a place with desks
> and phones!

Further information would enable me to refine my opinion, perhaps even change it. However, those inside the tent have a history of not being keen on real accountability, see RIP for example, so I think my opinion is the correct one at the moment.

--
David Hansen, Edinburgh
I will *always* explain revoked encryption keys, unless RIP prevents me
http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54

From ukcrypto at chiark.greenend.org.uk Mon Aug 13 15:09:13 2007
From: ukcrypto at chiark.greenend.org.uk (Ian Mason)
Date: Mon, 13 Aug 2007 15:09:13 +0100
Subject: How information is protected
References: <20070813065425.18696.66361.Mailman@chiark.greenend.org.uk>
Message-ID: <397E232E-0408-41C4-8551-98F412E0B04D@sourcetagged.ian.co.uk>

On 13 Aug 2007, at 08:34, Mary Hawking wrote:

> ... "denied that its disappearance would impact negatively on
> current police cases." - but doesn't mention future ones...

I fear you've got it right. Over-specific answers like that always make me suspect the "lawyers lie" i.e. it is literally true but it is deliberately misleading because it is constructed in the hope that you will draw an inference not strictly implied.
From ukcrypto at chiark.greenend.org.uk Mon Aug 13 22:36:31 2007
From: ukcrypto at chiark.greenend.org.uk (Dave Howe)
Date: Mon, 13 Aug 2007 22:36:31 +0100
Subject: How information is protected
References: <20070813065425.18696.66361.Mailman@chiark.greenend.org.uk>
Message-ID: <46C0CEDF.4010104@gmx.co.uk>

Mary Hawking wrote:
> The article says that the server (holding top-secret phone calls
> relating to terrorism and organised crime) was "security protected": any
> idea whether this means securely encrypted, physical protection or both?

Probably means they locked the door when they left for the night :)

From ukcrypto at chiark.greenend.org.uk Mon Aug 13 23:06:29 2007
From: ukcrypto at chiark.greenend.org.uk (Roger Hird)
Date: Mon, 13 Aug 2007 23:06:29 +0100
Subject: How information is protected
In-Reply-To: <46C0CEDF.4010104@gmx.co.uk>
References: <20070813065425.18696.66361.Mailman@chiark.greenend.org.uk> <46C0CEDF.4010104@gmx.co.uk>
Message-ID: <4f11ecf798roger.hird@argonet.co.uk>

In article <46C0CEDF.4010104@gmx.co.uk>, Dave Howe wrote:
> Mary Hawking wrote:
> > The article says that the server (holding top-secret phone calls
> > relating to terrorism and organised crime) was "security protected":
> > any idea whether this means securely encrypted, physical protection or
> > both?
> Probably means they locked the door when they left for the night :)

OK - that would at least be basic physical protection - often ignored by the systems guys. But I assume that in the use of a private contractor for such work (why, one wonders) clear security standards would be specified covering physical and system security - and their implementation confirmed. Or is HMG just following the general privatisation principle of contractually defining requirements and, if they are not met, depending on an ability to sue (though I'd be hard put to put a value on such losses).

RogerH
--
Roger Hird roger.hird@argonet.co.uk
Running RISCOS 4.39 on an Acorn StrongARM RiscPC

From ukcrypto at chiark.greenend.org.uk Tue Aug 14 09:13:52 2007
From: ukcrypto at chiark.greenend.org.uk (David Biggins)
Date: Tue, 14 Aug 2007 09:13:52 +0100
Subject: How information is protected
In-Reply-To: <46C0CEDF.4010104@gmx.co.uk>
References: <20070813065425.18696.66361.Mailman@chiark.greenend.org.uk> <46C0CEDF.4010104@gmx.co.uk>

"Security Protected" --- "We at least insist they set a Windows password..."
"Strongly Security Protected" --- "... of at least five characters"
"Under conditions of high security" --- "... and someone checks that the doors are locked"
"In a secure infrastructure" --- "... fence, and five-lever locks"
"We take security very seriously" --- "what passwords?"

Dave.

> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk] On Behalf Of Dave Howe
> Sent: 13 August 2007 22:37
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: How information is protected
>
> Mary Hawking wrote:
> > The article says that the server (holding top-secret phone calls
> > relating to terrorism and organised crime) was "security
> protected":
> > any idea whether this means securely encrypted, physical
> protection or both?
>
> Probably means they locked the door when they left for the night :)

From ukcrypto at chiark.greenend.org.uk Thu Aug 16 23:12:31 2007
From: ukcrypto at chiark.greenend.org.uk (Peter Fairbrother)
Date: Thu, 16 Aug 2007 23:12:31 +0100
Subject: RIPA pt III
Message-ID: <46C4CBCF.8080905@zen.co.uk>

Just got this email from the HO.

--Peter Fairbrother

1. As a consequence of Parliamentary approval, Part III of the Regulation of Investigatory Powers Act 2000, which relates to the Investigation of Protected Electronic Information, comes into force on 1st October. It also commences those parts of Part 4 of the Act which relate to the scrutiny of the powers in Part III and to the issue and effect of codes of practice. The Commencement order can be found here: http://www.opsi.gov.uk/si/si2007/20072196.htm

2. The Parliamentary debates can be found here http://www.publications.parliament.uk/pa/ld200607/ldhansrd/text/70717-gc0001.htm#07071763000003 and http://www.publications.parliament.uk/pa/cm200607/cmgeneral/deleg5/070717/70717s01.htm and the Code presented to Parliament can be found here: http://security.homeoffice.gov.uk/ripa/encryption/code-of-practice/

3. Part III of RIPA gives no new powers to any public authority to acquire data. All it does do is give them a new power to require that data they have obtained or expect to obtain lawfully should be put into an intelligible form or to require disclosure of the means to make it intelligible.

4. We will be working closely with respondents, public authorities, LEA, industry, financial service providers and NTAC to ensure that the process is proportionate and necessary and that the necessary safeguards are in place. We will engage with representative bodies, such as APACS and the BBA, to ensure that stakeholders are engaged and to emphasise the role of NTAC as the lead authority for all matters relating to the operation of Part III of RIPA. The Home Office web site will be updated with relevant details and a soft and hard copy version of the Code of Practice will be available shortly.

If you have any concerns please do not hesitate to contact the Home Office at encryption@homeoffice.gsi.gov.uk or NTAC at ripaiii@ntac.gsi.gov.uk

From ukcrypto at chiark.greenend.org.uk Mon Aug 20 10:44:14 2007
From: ukcrypto at chiark.greenend.org.uk (Peter Fairbrother)
Date: Mon, 20 Aug 2007 10:44:14 +0100
Subject: OT-ish: Help?
Message-ID: <46C9626E.1010800@zen.co.uk>

Would anyone like to help test m-o-o-t? A hardware test compatibility CD is being issued today or tomorrow. I want people to try it on their computers and report back. m-o-o-t is supposed to work on most computers, so I want to see how well it does.

I'll need a snail-mail address - this is being done entirely by snailmail, as I want to collect some statistics and doing it electronically might skew them.

The CD is of _no use_ except for hardware testing, and it does not resemble the final release much.

Requires i386-compatible (i486 or higher) processor and 256 Megs of RAM.

Please reply offlist.

Thanks!

Peter Fairbrother

From ukcrypto at chiark.greenend.org.uk Mon Aug 20 16:54:38 2007
From: ukcrypto at chiark.greenend.org.uk (Tom Thomson)
Date: Mon, 20 Aug 2007 16:54:38 +0100
Subject: More bad law to be "fixed" by COP
In-Reply-To: <46C9626E.1010800@zen.co.uk>
References: <46C9626E.1010800@zen.co.uk>
Message-ID: <049201c7e342$69f85ea0$d401010a@neos.tv>

A Lords Science and Technology Committee says
"Legitimate security researchers are at risk of being criminalised as a result of the recent amendments to the Computer Misuse Act. ... We welcome the Minister's assurance that guidance on this point will appear later in the summer, but urge the Crown Prosecution Service to publish this guidance as soon as possible, so as to avoid undermining such research in the interim."

Why is there this crazy idea that bad, downright stupid, counterproductive legislation can be fixed with a Code of Practice and doesn't require amendment?

We know perfectly well from recent experience that Ministerial statements about restricting the applicability of a law beyond what restrictions clearly and unambiguously exist on the face of the law are completely worthless, since the various authorities which use/enforce the law can ignore such statements with impunity. Why should we imagine that if Mr Croaker approves a Code of Practice it will have any real effect?

M.
From ukcrypto at chiark.greenend.org.uk Tue Aug 21 08:31:16 2007
From: ukcrypto at chiark.greenend.org.uk (Dave Howe)
Date: Tue, 21 Aug 2007 08:31:16 +0100
Subject: How information is protected
References: <20070813065425.18696.66361.Mailman@chiark.greenend.org.uk> <46C0CEDF.4010104@gmx.co.uk>
Message-ID: <46CA94C4.9090506@gmx.co.uk>

More from Kablenet, reproduced by The Register:
http://www.theregister.co.uk/2007/08/15/fts_forensic_data_theft/

...
The data contained on the server is believed to relate to cases where the evidence has already been disclosed to defence solicitors, as well as old cases where judgements have already been passed.

FTS said: "In the unlikely event that the server was accessed, none of the data stored on the server in any way compromises ongoing police operations. All the data was restored within 24 hours due to FTS' business continuity measures."
...

From ukcrypto at chiark.greenend.org.uk Tue Aug 21 08:52:47 2007
From: ukcrypto at chiark.greenend.org.uk (Dave Howe)
Date: Tue, 21 Aug 2007 08:52:47 +0100
Subject: How information is protected
In-Reply-To: <46CA94C4.9090506@gmx.co.uk>
References: <20070813065425.18696.66361.Mailman@chiark.greenend.org.uk> <46C0CEDF.4010104@gmx.co.uk> <46CA94C4.9090506@gmx.co.uk>
Message-ID: <46CA99CF.8030404@gmx.co.uk>

Dave Howe wrote:
> The data contained on the server is believed to relate to cases where
> the evidence has already been disclosed to defence solicitors, as well
> as old cases where judgements have already been passed.

As an aside - if I were the defence (or appeal) solicitor in such a case, I would be fascinated to compare what was actually disclosed (ie, what they decided to use in court) with the total of data collected....
From ukcrypto at chiark.greenend.org.uk Tue Aug 21 09:20:21 2007
From: ukcrypto at chiark.greenend.org.uk (David Hansen)
Date: Tue, 21 Aug 2007 09:20:21 +0100
Subject: How information is protected
In-Reply-To: <46CA99CF.8030404@gmx.co.uk>
References: <20070813065425.18696.66361.Mailman@chiark.greenend.org.uk>, <46CA94C4.9090506@gmx.co.uk>, <46CA99CF.8030404@gmx.co.uk>
Message-ID: <46CAAE55.14361.450D7D@davidh.spidacom.co.uk>

On 21 Aug 2007 at 8:52, Dave Howe wrote:

> As an aside - if I were the defence (or appeal) solicitor in such a case, I
> would be fascinated to compare what was actually disclosed (ie, what they
> decided to use in court) with the total of data collected....

Indeed, especially as the police have again been allowed to decide if something is of interest to the defence. That has undoubtedly led to false convictions, just as it did in the past.

--
David Hansen, Edinburgh
I will *always* explain revoked encryption keys, unless RIP prevents me
http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54

From ukcrypto at chiark.greenend.org.uk Tue Aug 21 09:02:59 2007
From: ukcrypto at chiark.greenend.org.uk (Peter Sommer)
Date: Tue, 21 Aug 2007 09:02:59 +0100
Subject: How information is protected
In-Reply-To: <46CA99CF.8030404@gmx.co.uk>
References: <20070813065425.18696.66361.Mailman@chiark.greenend.org.uk> <46C0CEDF.4010104@gmx.co.uk> <46CA94C4.9090506@gmx.co.uk> <46CA99CF.8030404@gmx.co.uk>
Message-ID: <46CA9C33.9010703@pmsommer.com>

Dave Howe wrote:
> As an aside - if I were the defence (or appeal) solicitor in such a
> case, I would be fascinated to compare what was actually disclosed
> (ie, what they decided to use in court) with the total of data
> collected....

If you are the defence solicitor you put in a defence case statement under CPIA 1996 (and as subsequently revised) raising the issue and if the totality is not disclosed you go to the judge and ask for a court order on the basis that otherwise a fair trial cannot proceed.

The CPS Disclosure Manual explains: http://www.cps.gov.uk/legal/section20/chapter_a.html

Peter Sommer

From ukcrypto at chiark.greenend.org.uk Tue Aug 21 16:21:18 2007
From: ukcrypto at chiark.greenend.org.uk (Richard Clayton)
Date: Tue, 21 Aug 2007 16:21:18 +0100
Subject: More bad law to be "fixed" by COP
In-Reply-To: <049201c7e342$69f85ea0$d401010a@neos.tv>
References: <46C9626E.1010800@zen.co.uk> <049201c7e342$69f85ea0$d401010a@neos.tv>

In article <049201c7e342$69f85ea0$d401010a@neos.tv>, Tom Thomson writes

>A Lords Science and Technology Committee says
>"Legitimate security researchers are at risk of being criminalised as a
>result of the recent amendments to the Computer Misuse Act. ... We welcome
>the Minister's assurance that guidance on this point will appear later in
>the summer, but urge the Crown Prosecution Service to publish this guidance
>as soon as possible, so as to avoid undermining such research in the
>interim."
>
>Why is there this crazy idea that bad, downright stupid, counterproductive
>legislation can be fixed with a Code of Practice and doesn't require
>amendment?

The idea comes from assurances from the Government that the community is over-reacting... you may or may not believe that is so.

>We know perfectly well from recent experience that Ministerial statements
>about restricting the applicability of a law beyond what restrictions
>clearly and unambiguously exist on the face of the law are completely
>worthless, since the various authorities which use/enforce the law can
>ignore such statements with impunity. Why should we imagine that if Mr
>Croaker approves a Code of Practice it will have any real effect?

Mr Croaker doesn't have a role in approving a CoP here --- what's going on is that the CPS (the DPP in fact) will publish a statement saying in what circumstances they would expect to approve a prosecution. This will colour the attitude of police in pursuing cases and submitting them to the CPS for a decision on proceeding.

So it will have an effect -- or not, depending what it says!

BTW: "summer" in this case is the Civil Service notion of "summer" which means sometime before the Queen's Speech in November :)

--
richard Richard Clayton

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin

From ukcrypto at chiark.greenend.org.uk Tue Aug 21 16:32:23 2007
From: ukcrypto at chiark.greenend.org.uk (Dave Howe)
Date: Tue, 21 Aug 2007 16:32:23 +0100
Subject: How information is protected
In-Reply-To: <46CA9C33.9010703@pmsommer.com>
References: <20070813065425.18696.66361.Mailman@chiark.greenend.org.uk> <46C0CEDF.4010104@gmx.co.uk> <46CA94C4.9090506@gmx.co.uk> <46CA99CF.8030404@gmx.co.uk> <46CA9C33.9010703@pmsommer.com>
Message-ID: <46CB0587.3030209@gmx.co.uk>

Peter Sommer wrote:
> If you are the defence solicitor you put in a defence case statement
> under CPIA 1996 (and as subsequently revised) raising the issue and if
> the totality is not disclosed you go to the judge and ask for a court
> order on the basis that otherwise a fair trial cannot proceed.

And how would you win that if you did not know (or could not prove) that anything was withheld?
From ukcrypto at chiark.greenend.org.uk Fri Aug 24 15:11:50 2007
From: ukcrypto at chiark.greenend.org.uk (Dr Adrian Midgley (In the office))
Date: Fri, 24 Aug 2007 15:11:50 +0100
Subject: NHS email encryption
Message-ID: <46CEE726.5000806@defoam.net>

From a PCT to its doctors etc

"The reason for the new email address is to meet requirements of the Data Protection Act 1998 Principle 8 in line with the PCT's renewal of the Data Protection notification to the Information Commissioner. Any patient identifiable information sent from an ordinary email account (eg ekcpct.nhs.uk or gp-g80000.nhs.uk) is not fully encrypted and therefore open to interception and would constitute sending details outside the EEA. This is not considered acceptable practice and will be in breach of the Data Protection Act. nhs.net email accounts are encryption enabled, therefore a secure way to send and receive patient identifiable information."

The new one is SSL to server, SSL from server to reader.

From ukcrypto at chiark.greenend.org.uk Fri Aug 24 17:40:05 2007
From: ukcrypto at chiark.greenend.org.uk (Roland Perry)
Date: Fri, 24 Aug 2007 17:40:05 +0100
Subject: NHS email encryption
In-Reply-To: <46CEE726.5000806@defoam.net>
References: <46CEE726.5000806@defoam.net>

In article <46CEE726.5000806@defoam.net>, "Dr Adrian Midgley (In the office)" writes

>Any patient identifiable information sent from an ordinary email
>account (eg ekcpct.nhs.uk or gp-g80000.nhs.uk) is not fully encrypted
>and therefore open to interception and would constitute sending details
>outside the EEA.

Hold on, are they saying that the server that does nhs.uk emails is located outside the EEA?!?

mail.nhs.uk is allegedly 212.137.44.179, which is somewhere in cw.net; Sheffield according to one geolocation tool, Manchester another, London a third (did anyone say geolocation was an inexact science?)

--
Roland Perry

From ukcrypto at chiark.greenend.org.uk Sat Aug 25 02:47:59 2007
From: ukcrypto at chiark.greenend.org.uk (Adrian Midgley)
Date: Sat, 25 Aug 2007 02:47:59 +0100
Subject: NHS email encryption
References: <46CEE726.5000806@defoam.net>
Message-ID: <46CF8A4F.806@defoam.net>

Roland Perry wrote:
> In article <46CEE726.5000806@defoam.net>, "Dr Adrian Midgley (In the
> office)" writes
>> Any patient identifiable information sent from an ordinary email
>> account (eg ekcpct.nhs.uk or gp-g80000.nhs.uk) is not fully encrypted
>> and therefore open to interception and would constitute sending
>> details outside the EEA.
>
> Hold on, are they saying that the server that does nhs.uk emails is
> located outside the EEA?!?
>
> mail.nhs.uk is allegedly 212.137.44.179, which is somewhere in cw.net;
> Sheffield according to one geolocation tool, Manchester another,
> London a third (did anyone say geolocation was an inexact science?)

I think what they are demonstrating is that someone has no clue.

--
A

From ukcrypto at chiark.greenend.org.uk Sat Aug 25 08:41:37 2007
From: ukcrypto at chiark.greenend.org.uk (Ross Anderson)
Date: Sat, 25 Aug 2007 08:41:37 +0100
Subject: NHS email encryption

> The new one is SSL to server, SSL from server to reader

Which makes you feel more comfortable - unencrypted email about you sent from one doctor's demon account to another doctor's pipex account - or this encrypted thingy that uses a server maintained by the government?

The same issue arose in the context of legal communications. While there may be no basic objection to a CPS solicitor communicating with a barrister he instructs using a Ministry of Justice webmail server, I would not be relaxed about my lawyers doing this were I a defendant.

If the government is now saying that data protection law means you have to share your private data with the government, then the wheels have come off.

Ross

From ukcrypto at chiark.greenend.org.uk Sat Aug 25 11:27:01 2007
From: ukcrypto at chiark.greenend.org.uk (Dave Howe)
Date: Sat, 25 Aug 2007 11:27:01 +0100
Subject: NHS email encryption
References: <46CEE726.5000806@defoam.net>
Message-ID: <46D003F5.3040303@gmx.co.uk>

Roland Perry wrote:
> In article <46CEE726.5000806@defoam.net>, "Dr Adrian Midgley (In the
> office)" writes
>> Any patient identifiable information sent from an ordinary email
>> account (eg ekcpct.nhs.uk or gp-g80000.nhs.uk) is not fully encrypted
>> and therefore open to interception and would constitute sending
>> details outside the EEA.
>
> Hold on, are they saying that the server that does nhs.uk emails is
> located outside the EEA?!?
>
> mail.nhs.uk is allegedly 212.137.44.179, which is somewhere in cw.net;
> Sheffield according to one geolocation tool, Manchester another, London
> a third (did anyone say geolocation was an inexact science?)

I *do* know the nhs.net official mailservers have been causing us problems - they assert their willingness/ability to do opportunistic crypto in their EHLO replies, but then drop the connection if you attempt to do a STARTTLS from outside of the nhs.... This is apparently a deliberate security misfeature, no idea how or why they would implement that.
From ukcrypto at chiark.greenend.org.uk Fri Aug 24 15:27:03 2007
From: ukcrypto at chiark.greenend.org.uk (Mark Lomas)
Date: Fri, 24 Aug 2007 15:27:03 +0100
Subject: NHS email encryption
In-Reply-To: <46CEE726.5000806@defoam.net>
References: <46CEE726.5000806@defoam.net>

On 24/08/07, Dr Adrian Midgley (In the office) wrote:
> From a PCT to its doctors etc
>
> "The reason for the new email address is to meet requirements of the
> Data Protection Act 1998 Principle 8 in line with the PCT's renewal of
> the Data Protection notification to the Information Commissioner. Any
> patient identifiable information sent from an ordinary email account (eg
> ekcpct.nhs.uk or gp-g80000.nhs.uk) is not fully encrypted and therefore
> open to interception and would constitute sending details outside the
> EEA. This is not considered acceptable practice and will be in breach of
> the Data Protection Act. nhs.net email accounts are encryption enabled,
> therefore a secure way to send and receive patient identifiable
> information."
>
> The new one is SSL to server, SSL from server to reader.

They could at least cite the correct principle.

Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Regards, Mark
------=_Part_19206_6111287.1187965623876-- From ukcrypto at chiark.greenend.org.uk Sat Aug 25 09:08:04 2007 From: ukcrypto at chiark.greenend.org.uk (Roger Hayter) Date: Sat, 25 Aug 2007 09:08:04 +0100 Subject: NHS email encryption In-Reply-To: References: Message-ID: In message , Ross Anderson writes >> The new one is SSL to server, SSL from server to reader > >Which makes you feel more comfortable - unencrypted email about you sent >from one doctor's demon account to another doctor's pipex account - or >this encrypted thingy that uses a server maintained by the government? > >The same issue arose in the context of legal communications. While there >may be no basic objection to a CPS solicitor communicating with a >barrister he instructs using a Ministry of Justice webmail server, I >would not be relaxed about my lawyers doing this were I a defendant. > >If the government is now saying that data protection law means you have >to share your private data with the government, then the wheels have >come off. I think the Government are saying all NHS data belongs to them: except possibly GP data which they acknowledge might be confidential, but still probably ought to belong to them. GP data is of course the only source of comprehensive health data on the general population. The latest plan is for all GP systems to run on PCT-owned server farms. My take on this is that all GP data will then be available to the security services, but less covert access will need further negotiation. Is this unduly cynical? This is a question about how safely you can run an encrypted database on someone else's server, so I suppose is slightly on topic. 
-- Roger Hayter From ukcrypto at chiark.greenend.org.uk Sat Aug 25 14:07:27 2007 From: ukcrypto at chiark.greenend.org.uk (Adrian Midgley) Date: Sat, 25 Aug 2007 14:07:27 +0100 Subject: NHS email encryption In-Reply-To: <46D003F5.3040303@gmx.co.uk> References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> Message-ID: <46D0298F.8050501@defoam.net> Dave Howe wrote: > Roland Perry wrote: >> In article <46CEE726.5000806@defoam.net>, "Dr Adrian Midgley (In the >> office)" writes >>> Any patient identifiable information sent from an ordinary email >>> account (eg ekcpct.nhs.uk or gp-g80000.nhs.uk) is not fully >>> encrypted and therefore open to interception and would constitute >>> sending details outside the EEA. >> >> Hold on, are they saying that the server that does nhs.uk emails is >> located outside the EEA?!? >> >> mail.nhs.uk is allegedly 212.137.44.179, which is somewhere in >> cw.net; Sheffield according to one geolocation tool, Manchester >> another, London a third (did anyone say geolocation was an inexact >> science?) > > I *do* know the nhs.net official mailservers have been causing us > problems - they assert their wilingness/ability to do opportunistic > crypto in their EHLO replies, but then drop the connection if you > attempt to do a STARTTLS from outside of the nhs.... This is > apparently a deliberate security misfeature, no idea how or why they > would implement that. Is it possible to document that (I mean further than just saying it - I believe you of course)? And can I confirm that this would mean that the system being presented to doctors and all other NHS workers as providing encrypted ("end to end" no less) transmission to collect mail by (webmail and) POP3 and IMAP4 over SSL so as to safely carry patient-identifiable information between places in the NHS network and places outside it, does not provide that encryption when operated as described? 
Or is it possible that there is some secret sauce in Microsoft Outlook/Express which causes the server to communicate with it as securely as any Microsoft application and other standard-compliant systems for email to be served a degraded performance? (Why does this sound so horribly familiar and plausible?) -- A From ukcrypto at chiark.greenend.org.uk Sat Aug 25 17:43:26 2007 From: ukcrypto at chiark.greenend.org.uk (Dave Howe) Date: Sat, 25 Aug 2007 17:43:26 +0100 Subject: NHS email encryption In-Reply-To: <46D0298F.8050501@defoam.net> References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> Message-ID: <46D05C2E.4080103@gmx.co.uk> Adrian Midgley wrote: > Is it possible to document that (I mean further than just saying it - I > believe you of course)? I will check when I am back at work next week - we "resolved" the problem by forcing use of HELO on the systems affected, but could turn that off temporarily (or just use puTTY for the exchange :) > And can I confirm that this would mean that the system being presented > to doctors and all other NHS workers as providing encrypted ("end to > end" no less) transmission to collect mail by (webmail and) POP3 and > IMAP4 over SSL so as to safely carry patient-identifiable information > between places in the NHS network and places outside it, does not > provide that encryption when operated as described? When connected to from outside of the NHS? presumably that is outside of their secure zone, so isn't affected either way by any assertions they have made regarding nhs-only mail. I would just route the traffic over N3, but the conditions of usage for our N3 link is that it is airgapped from our main network - inconvenient, to say the least. 
> Or is it possible that there is some secret sauce in Microsoft
> Outlook/Express which causes the server to communicate with it as
> securely as any Microsoft application and other standard-compliant
> systems for email to be served a degraded performance? (Why does this
> sound so horribly familiar and plausible?)

I think it is more that they don't want to do TLS to anyone outside of their "trusted domain". My understanding is that TLS works fine for "internal" users, but they don't know how to turn off the STARTTLS ad for ehlo for external users without also disabling it for internal...

From ukcrypto at chiark.greenend.org.uk Sat Aug 25 18:12:30 2007
From: ukcrypto at chiark.greenend.org.uk (Brian Morrison)
Date: Sat, 25 Aug 2007 18:12:30 +0100
Subject: NHS email encryption
In-Reply-To: <46D05C2E.4080103@gmx.co.uk>
References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk>
Message-ID: <20070825181230.00cf40c0@peterson.fenrir.org.uk>

On Sat, 25 Aug 2007 17:43:26 +0100
Dave Howe wrote:

> I think it is more that they don't want to do TLS to anyone outside of
> their "trusted domain". My understanding is that TLS works fine for
> "internal" users, but they don't know how to turn off the STARTTLS ad
> for ehlo for external users without also disabling it for internal...

Are you suggesting that they don't then authenticate once the TLS is initialised? That seems rather bizarre, surely the correct way of doing this is to authenticate in all cases but refuse to do so from outside the trusted networks unless TLS or SSL is used to prevent the visibility of the base64 encoded AUTH strings?

--
Brian Morrison
bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it."
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From ukcrypto at chiark.greenend.org.uk Sat Aug 25 21:28:41 2007
From: ukcrypto at chiark.greenend.org.uk (Charles Lindsey)
Date: Sat, 25 Aug 2007 21:28:41 +0100
Subject: NHS email encryption
In-Reply-To: <46D0298F.8050501@defoam.net>
References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net>
Message-ID:

On Sat, 25 Aug 2007 14:07:27 +0100, Adrian Midgley wrote:

> Dave Howe wrote:
>> I *do* know the nhs.net official mailservers have been causing us
>> problems - they assert their willingness/ability to do opportunistic
>> crypto in their EHLO replies, but then drop the connection if you
>> attempt to do a STARTTLS from outside of the nhs.... This is
>> apparently a deliberate security misfeature, no idea how or why they
>> would implement that.
> Is it possible to document that (I mean further than just saying it - I
> believe you of course)?
>
> And can I confirm that this would mean that the system being presented
> to doctors and all other NHS workers as providing encrypted ("end to
> end" no less) transmission to collect mail by (webmail and) POP3 and
> IMAP4 over SSL so as to safely carry patient-identifiable information
> between places in the NHS network and places outside it, does not
> provide that encryption when operated as described?

I don't think STARTTLS will ever give you "end-to-end" encryption. The most it can do is to protect you against eavesdroppers on the external lines. Within the nhs server farm the message would still be in the clear, where any NHS employee could see it.
But, of course, they would never do that, would they.

If you want end-to-end encryption, then you use multipart/encrypted. Or PGP.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl@clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From ukcrypto at chiark.greenend.org.uk Sun Aug 26 13:58:49 2007
From: ukcrypto at chiark.greenend.org.uk (Adrian Midgley)
Date: Sun, 26 Aug 2007 13:58:49 +0100
Subject: NHS email encryption
In-Reply-To: <46D05C2E.4080103@gmx.co.uk>
References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk>
Message-ID: <46D17909.5090802@defoam.net>

Dave Howe wrote:
> Adrian Midgley wrote:
>> Is it possible to document that (I mean further than just saying it - I
>> believe you of course)?
>
> I will check when I am back at work next week - we "resolved" the
> problem by forcing use of HELO on the systems affected, but could turn
> that off temporarily (or just use PuTTY for the exchange :)
>
>> And can I confirm that this would mean that the system being presented
>> to doctors and all other NHS workers as providing encrypted ("end to
>> end" no less) transmission to collect mail by (webmail and) POP3 and
>> IMAP4 over SSL so as to safely carry patient-identifiable information
>> between places in the NHS network and places outside it, does not
>> provide that encryption when operated as described?
>
> When connected to from outside of the NHS? presumably that is outside
> of their secure zone, so isn't affected either way by any assertions
> they have made regarding nhs-only mail.
>

But the assertion made to us is that nhs.net mail gives us secure access to our mail (IE maintaining "end to end" encryption) from eg home, when we read it collecting it from/using the nhs.net servers which are provided for access to internal mail from outside.

> I think it is more that they don't want to do TLS to anyone outside of
> their "trusted domain". My understanding is that TLS works fine for
> "internal" users, but they don't know how to turn off the STARTTLS ad
> for ehlo for external users without also disabling it for internal...
>

Again, this sounds a) bizarre, and b) not unlikely. But it would suggest that certain specific promises were not being kept.

From ukcrypto at chiark.greenend.org.uk Sun Aug 26 14:00:36 2007
From: ukcrypto at chiark.greenend.org.uk (Adrian Midgley)
Date: Sun, 26 Aug 2007 14:00:36 +0100
Subject: NHS email encryption
In-Reply-To:
References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net>
Message-ID: <46D17974.3070901@defoam.net>

Charles Lindsey wrote:
> On Sat, 25 Aug 2007 14:07:27 +0100, Adrian Midgley
> wrote:
>
> I don't think STARTTLS will ever give you "end-to-end" encryption. The
> most it can do is to protect you against eavesdroppers on the external
> lines. Within the nhs server farm the message would still be in the
> clear, where any NHS employee could see it.

Well, system admins anyway, and security personnel. But yes, that is what I also don't think, and it is what it is described as definitely doing...

>
> If you want end-to-end encryption, then you use multipart/encrypted.
> Or PGP.

That's what I do. gpg.
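The behaviour Dave Howe describes above (STARTTLS listed in the EHLO reply, the connection then refused when STARTTLS is actually issued) is easy to reproduce and, more usefully, easy to get wrong on the client side. The following is an added example written for this archive, not code posted by any list member: a scripted SMTP server that advertises STARTTLS and either honours or refuses it, and a client that fails closed, deferring instead of continuing in plaintext when the refusal comes. The host names, the "not authorized" reply text and the socketpair transport are constructed for the example; the TLS handshake that would follow a 220 reply is left out.

```python
"""STARTTLS advertised but refused: a client that fails closed.

Added example for the discussion above, not code posted by anyone on the
list.  The fake server, its host names and its reply texts are constructed
to reproduce the behaviour described (STARTTLS listed in the EHLO reply,
then a "not authorized" style refusal when the command is issued).  The TLS
handshake that would follow a 220 reply is out of scope here.
"""
import socket
import threading

CRLF = b"\r\n"


def _readline(f):
    line = f.readline()
    if not line:
        raise ConnectionError("peer closed the connection")
    return line.rstrip(b"\r\n").decode("ascii", "replace")


def read_reply(f):
    """Read one SMTP reply, multi-line or not; return (code, [text lines])."""
    texts = []
    while True:
        line = _readline(f)
        code, sep, text = line[:3], line[3:4], line[4:]
        texts.append(text)
        if sep != "-":          # "250-" continues, "250 " (or bare "250") ends
            return int(code), texts


def _quit(sock, f):
    sock.sendall(b"QUIT" + CRLF)
    read_reply(f)               # consume the 221 so the peer never writes to a closed socket


def probe_starttls(sock, helo_name="mail.example.org"):
    """Client side: EHLO, then STARTTLS if it was advertised.

    Returns 'tls_ready' (220 received; caller would now wrap the socket),
    'refused' (advertised, then rejected) or 'absent' (never advertised).
    On 'refused' the client QUITs rather than carrying on in the clear: a
    client that proceeds to MAIL FROM at this point has been downgraded.
    """
    f = sock.makefile("rb")
    code, _ = read_reply(f)
    if code != 220:
        raise ConnectionError(f"unexpected greeting: {code}")
    sock.sendall(b"EHLO " + helo_name.encode("ascii") + CRLF)
    code, caps = read_reply(f)
    if code != 250:
        raise ConnectionError(f"EHLO rejected: {code}")
    # First line is the server's name; the rest are "KEYWORD [params]" lines.
    advertised = {c.split()[0].upper() for c in caps[1:] if c.strip()}
    if "STARTTLS" not in advertised:
        _quit(sock, f)
        return "absent"
    sock.sendall(b"STARTTLS" + CRLF)
    code, _ = read_reply(f)
    if code == 220:
        return "tls_ready"
    _quit(sock, f)              # defer, as a mail queue would, rather than downgrade
    return "refused"


def fake_server(sock, advertise_tls, honour_tls):
    """Scripted server: optionally lists STARTTLS, optionally honours it."""
    f = sock.makefile("rb")
    sock.sendall(b"220 smtp.example.test ESMTP" + CRLF)
    while True:
        try:
            verb = _readline(f).split(" ")[0].upper()
        except ConnectionError:
            return
        if verb == "EHLO":
            lines = [b"250-smtp.example.test"]
            if advertise_tls:
                lines.append(b"250-STARTTLS")
            lines.append(b"250 8BITMIME")
            sock.sendall(CRLF.join(lines) + CRLF)
        elif verb == "STARTTLS":
            if honour_tls:
                sock.sendall(b"220 2.0.0 Ready to start TLS" + CRLF)
                return      # a real server would negotiate TLS here
            # Constructed refusal text, modelled on the "not authorized" reply.
            sock.sendall(b"454 4.7.0 TLS not available: not authorized" + CRLF)
        elif verb == "QUIT":
            sock.sendall(b"221 2.0.0 Bye" + CRLF)
            return
        else:
            sock.sendall(b"503 5.5.1 Bad sequence of commands" + CRLF)


def run_probe(advertise_tls=True, honour_tls=False):
    """Run client and fake server over a socketpair; return the client's verdict."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_server, args=(server, advertise_tls, honour_tls), daemon=True)
    t.start()
    try:
        return probe_starttls(client)
    finally:
        client.close()
        t.join(timeout=2)
        server.close()


if __name__ == "__main__":
    for args in [(True, False), (True, True), (False, False)]:
        print(args, "->", run_probe(*args))
```

The design point is in `probe_starttls`: once STARTTLS has been advertised, any reply other than 220 is treated as a hard failure for this attempt. Forcing HELO (or a `Try_TLS ... NO` entry on the sending side) makes the symptom go away, but it also removes the only signal that the recipient's transport is not encrypted, which is the wrong trade for patient-identifiable mail.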
From ukcrypto at chiark.greenend.org.uk Sun Aug 26 17:31:31 2007
From: ukcrypto at chiark.greenend.org.uk (Dave Howe)
Date: Sun, 26 Aug 2007 17:31:31 +0100
Subject: NHS email encryption
In-Reply-To: <20070825181230.00cf40c0@peterson.fenrir.org.uk>
References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk> <20070825181230.00cf40c0@peterson.fenrir.org.uk>
Message-ID: <46D1AAE3.2000301@gmx.co.uk>

Brian Morrison wrote:
> Are you suggesting that they don't then authenticate once the TLS is
> initialised? That seems rather bizarre, surely the correct way of
> doing this is to authenticate in all cases but refuse to do so from
> outside the trusted networks unless TLS or SSL is used to prevent the
> visibility of the base64 encoded AUTH strings?

No, I am saying that the EHLO response indicates that STARTTLS is supported, but if you attempt to then use STARTTLS it doesn't actually respond with the ssl sequence but a "not authorized" message. Our mailserver did not then attempt to send mail unencrypted, but failed back to the queue with an error. The "fix" from our end was to force the mailserver to use HELO instead, which prevents the TLS attempt entirely.

From ukcrypto at chiark.greenend.org.uk Sun Aug 26 17:36:07 2007
From: ukcrypto at chiark.greenend.org.uk (Dave Howe)
Date: Sun, 26 Aug 2007 17:36:07 +0100
Subject: NHS email encryption
In-Reply-To: <46D17909.5090802@defoam.net>
References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk> <46D17909.5090802@defoam.net>
Message-ID: <46D1ABF7.3050406@gmx.co.uk>

Adrian Midgley wrote:
> But the assertion made to us is that nhs.net mail gives us secure access
> to our mail (IE maintaining "end to end" encryption) from eg home, when
> we read it collecting it from/using the nhs.net servers which are
> provided for access to internal mail from outside.
I haven't had such an assertion made to me, but then, I am not an NHS employee. I would be surprised though if their secure mail solution involved you sending via TLS from their internet facing (MX record target) server, rather than (eg) using RPC-over-HTTPS with outlook/exchange, some sort of delivered app (such as a citrix environment), or https webmail.

> Again, this sounds a) bizarre, and b) not unlikely. But it would
> suggest that certain specific promises were not being kept.

Wouldn't surprise me, either way. As an external company merely sending email to NHSnet users, we couldn't even raise it as a ticket - we aren't users of the mail system (other than sending mail to those who are, obviously)

From ukcrypto at chiark.greenend.org.uk Sun Aug 26 18:08:32 2007
From: ukcrypto at chiark.greenend.org.uk (Brian Morrison)
Date: Sun, 26 Aug 2007 18:08:32 +0100
Subject: NHS email encryption
In-Reply-To: <46D1AAE3.2000301@gmx.co.uk>
References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk> <20070825181230.00cf40c0@peterson.fenrir.org.uk> <46D1AAE3.2000301@gmx.co.uk>
Message-ID: <20070826180832.740dbade@peterson.fenrir.org.uk>

On Sun, 26 Aug 2007 17:31:31 +0100
Dave Howe wrote:

> Brian Morrison wrote:
> > Are you suggesting that they don't then authenticate once the TLS is
> > initialised? That seems rather bizarre, surely the correct way of
> > doing this is to authenticate in all cases but refuse to do so from
> > outside the trusted networks unless TLS or SSL is used to prevent the
> > visibility of the base64 encoded AUTH strings?
>
> No, I am saying that the EHLO response indicates that STARTTLS is
> supported, but if you attempt to then use STARTTLS it doesn't actually
> respond with the ssl sequence but a "not authorized" message. Our
> mailserver did not then attempt to send mail unencrypted, but failed
> back to the queue with an error. The "fix" from our end was to force the
> mailserver to use HELO instead, which prevents the TLS attempt entirely.
>

I see, that seems very odd, as surely the security of the mail transaction is assured with TLS/SSL even outside the NHS network.

While I can see that there are concerns about securing the mail on say a doctor's laptop, it doesn't seem to make sense to differentiate between outside and inside their own network unless convinced that the mail is only secured when stored and not when in transit. The latter of those two can be fixed with TLS/SSL whereas the former may be fixed using some sort of gpg-alike.

I can't see what they're trying to achieve by their current stance.

--
Brian Morrison
bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it."

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From ukcrypto at chiark.greenend.org.uk Sun Aug 26 20:49:25 2007
From: ukcrypto at chiark.greenend.org.uk (Charles Lindsey)
Date: Sun, 26 Aug 2007 20:49:25 +0100
Subject: NHS email encryption
In-Reply-To: <46D17909.5090802@defoam.net>
References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk> <46D17909.5090802@defoam.net>
Message-ID:

On Sun, 26 Aug 2007 13:58:49 +0100, Adrian Midgley wrote:

> But the assertion made to us is that nhs.net mail gives us secure access
> to our mail (IE maintaining "end to end" encryption) from eg home, when
> we read it collecting it from/using the nhs.net servers which are
> provided for access to internal mail from outside.

Then they have a funny idea of what "end" means :-( .

It seems it is kept secure from everyone except the ones I would expect you most wanted to hide it from.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl@clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From ukcrypto at chiark.greenend.org.uk Sun Aug 26 22:16:16 2007
From: ukcrypto at chiark.greenend.org.uk (Ian Mason)
Date: Sun, 26 Aug 2007 22:16:16 +0100
Subject: NHS email encryption
In-Reply-To: <46D0298F.8050501@defoam.net>
References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net>
Message-ID: <14D31158-6E0E-4304-AA46-E6B6EB2568D6@sourcetagged.ian.co.uk>

On 25 Aug 2007, at 14:07, Adrian Midgley wrote:

> Dave Howe wrote:
>> Roland Perry wrote:
>>> In article <46CEE726.5000806@defoam.net>, "Dr Adrian Midgley (In the
>>> office)" writes
>>>> Any patient identifiable information sent from an ordinary email
>>>> account (eg ekcpct.nhs.uk or gp-g80000.nhs.uk) is not fully
>>>> encrypted and therefore open to interception and would constitute
>>>> sending details outside the EEA.
>>>
>>> Hold on, are they saying that the server that does nhs.uk emails is
>>> located outside the EEA?!?
>>>
>>> mail.nhs.uk is allegedly 212.137.44.179, which is somewhere in
>>> cw.net; Sheffield according to one geolocation tool, Manchester
>>> another, London a third (did anyone say geolocation was an inexact
>>> science?)
>>
>> I *do* know the nhs.net official mailservers have been causing us
>> problems - they assert their willingness/ability to do opportunistic
>> crypto in their EHLO replies, but then drop the connection if you
>> attempt to do a STARTTLS from outside of the nhs.... This is
>> apparently a deliberate security misfeature, no idea how or why they
>> would implement that.
> Is it possible to document that (I mean further than just saying it
> - I
> believe you of course)?

It appears to accept STARTTLS correctly from my mailserver, viz:

> Aug 26 22:08:12 equinox.ian.co.uk sendmail[24085]: [ID 702911
> mail.info] STARTTLS=client, relay=smtp.nhs.net., version=TLSv1/
> SSLv3, verify=FAIL, cipher=DES-CBC3-SHA, bits=168/168
> Aug 26 22:08:15 equinox.ian.co.uk sendmail[24085]: [ID 801593
> mail.info] l7QL8BF7024081: to=,
> delay=00:00:04, xdelay=00:00:04, mailer=esmtp, pri=120404,
> relay=smtp.nhs.net. [216.239.198.21], dsn=4.3.0, stat=Deferred: 451
> Requested mail action not taken: mailbox unavailable

My server is not using self-signed certificates but a certificate signed by my own (self-signed) CA. Perhaps the NHS servers only exhibit problems with strictly self-signed certificates; which tend to be the commonest type of certificate on STARTTLS capable SMTP servers in my experience.

>
> And can I confirm that this would mean that the system being presented
> to doctors and all other NHS workers as providing encrypted ("end to
> end" no less) transmission to collect mail by (webmail and) POP3 and
> IMAP4 over SSL so as to safely carry patient-identifiable information
> between places in the NHS network and places outside it, does not
> provide that encryption when operated as described?
>
> Or is it possible that there is some secret sauce in Microsoft
> Outlook/Express which causes the server to communicate with it as
> securely as any Microsoft application and other standard-compliant
> systems for email to be served a degraded performance? (Why does this
> sound so horribly familiar and plausible?)
>
>
> --
> A
>

From ukcrypto at chiark.greenend.org.uk Mon Aug 27 08:07:35 2007
From: ukcrypto at chiark.greenend.org.uk (Roger Hayter)
Date: Mon, 27 Aug 2007 08:07:35 +0100
Subject: NHS email encryption
In-Reply-To:
References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk> <46D17909.5090802@defoam.net>
Message-ID:

In message , Charles Lindsey writes
>On Sun, 26 Aug 2007 13:58:49 +0100, Adrian Midgley
> wrote:
>
>> But the assertion made to us is that nhs.net mail gives us secure access
>> to our mail (IE maintaining "end to end" encryption) from eg home, when
>> we read it collecting it from/using the nhs.net servers which are
>> provided for access to internal mail from outside.
>
>Then they have a funny idea of what "end" means :-( .
>
>It seems it is kept secure from everyone except the ones I would expect
>you most wanted to hide it from.
>

As I remarked on this thread, users of NHS systems can have no expectation of privacy *from* the government. The government already assert the right to use hospital administrative and care record data for central administrative purposes and for clinical audit. There is a lot of pressure to allow it to be used for medical research (which would include selling the information to drug companies). It would be entirely consistent with this policy to archive the plain text of all NHS email. Our only legitimate concern would be the ability of the central system to keep our email out of the hands of third parties.
--
Roger Hayter

From ukcrypto at chiark.greenend.org.uk Mon Aug 27 14:06:33 2007
From: ukcrypto at chiark.greenend.org.uk (PeteM)
Date: Mon, 27 Aug 2007 14:06:33 +0100
Subject: NHS email encryption
In-Reply-To:
References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk> <46D17909.5090802@defoam.net>
Message-ID: <46D2CC59.2010300@callnetuk.com>

Roger Hayter wrote:
>
> As I remarked on this thread, users of NHS systems can have no
> expectation of privacy *from* the government.

We certainly have the right to *demand* privacy from the government, though whether we can get it (or some of it) is another matter. The battle may not yet be lost.

> The government already
> assert the right to use hospital administrative and care record data for
> central administrative purposes and for clinical audit. There is a lot
> of pressure to allow it to be used for medical research (which would
> include selling the information to drug companies).

*Anonymised* data, which (pace Ross) is a lot less sensitive than identifiable medical records.

> It would be
> entirely consistent with this policy to archive the plain text of all
> NHS email. Our only legitimate concern would be the ability of the
> central system to keep our email out of the hands of third parties.

That's probably what the *government* thinks our legitimate concerns should be. I think otherwise.
--
Pete Mitchell

From ukcrypto at chiark.greenend.org.uk Mon Aug 27 17:27:55 2007
From: ukcrypto at chiark.greenend.org.uk (Roger Hayter)
Date: Mon, 27 Aug 2007 17:27:55 +0100
Subject: NHS email encryption
In-Reply-To: <46D2CC59.2010300@callnetuk.com>
References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk> <46D17909.5090802@defoam.net> <46D2CC59.2010300@callnetuk.com>
Message-ID:

In message <46D2CC59.2010300@callnetuk.com>, PeteM writes
>Roger Hayter wrote:
>> As I remarked on this thread, users of NHS systems can have no
>>expectation of privacy *from* the government.
>
>We certainly have the right to *demand* privacy from the government,
>though whether we can get it (or some of it) is another matter. The
>battle may not yet be lost.
>

Not if we are NHS employees (or patients) transacting NHS business: unless you are talking about unenforceable "natural" rights.

>> The government already assert the right to use hospital
>>administrative and care record data for central administrative
>>purposes and for clinical audit. There is a lot of pressure to allow
>>it to be used for medical research (which would include selling
>>the information to drug companies).
>
>*Anonymised* data, which (pace Ross) is a lot less sensitive than
>identifiable medical records.

Administrative and audit data is only anonymised "if possible", and for audit, generally, the actual notes have to be checked by someone. Research data has the name clipped off but is not to be aggregated. Age, sex, post code, ethnic origin, past medical history, drug history and allergies is plenty to identify most people down to single figures, overkill in rural postcodes. This data is to be protected by the researchers.
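The "name clipped off" point above is measurable: group the released records by the attributes an outsider might already know about someone and count how many share each combination. The following is an added example written for this archive, not code from any list member; the ten records are constructed, not real data, and use only four of the fields Roger Hayter lists (age, sex, postcode, ethnic origin). Adding drug history or allergies as further keys can only shrink the groups.

```python
"""How far "name clipped off" is from anonymous.

Added example illustrating the re-identification point made above; not code
from anyone on the list, and the records below are constructed, not real.
Quasi-identifiers used: age, sex, postcode, ethnic origin.
"""
from collections import Counter

QI = ("age", "sex", "postcode", "ethnicity")

# Constructed "research extract": name removed, quasi-identifiers kept.
RECORDS = [
    {"age": 34, "sex": "F", "postcode": "SK8 3JU", "ethnicity": "White British"},
    {"age": 34, "sex": "F", "postcode": "SK8 3JU", "ethnicity": "White British"},
    {"age": 34, "sex": "F", "postcode": "SK8 3LX", "ethnicity": "White British"},
    {"age": 71, "sex": "M", "postcode": "SK8 3JU", "ethnicity": "White British"},
    {"age": 71, "sex": "M", "postcode": "SK8 4AA", "ethnicity": "White British"},
    {"age": 29, "sex": "M", "postcode": "M14 6FG", "ethnicity": "Pakistani"},
    {"age": 29, "sex": "M", "postcode": "M14 6FG", "ethnicity": "Pakistani"},
    {"age": 52, "sex": "F", "postcode": "M14 7XY", "ethnicity": "White British"},
    {"age": 52, "sex": "F", "postcode": "M14 7XY", "ethnicity": "Indian"},
    {"age": 78, "sex": "F", "postcode": "SK8 3JU", "ethnicity": "White British"},
]


def key_of(record, keys):
    return tuple(record[k] for k in keys)


def equivalence_classes(records, keys):
    """Map each quasi-identifier tuple to the number of records sharing it."""
    return Counter(key_of(r, keys) for r in records)


def k_anonymity(records, keys):
    """k of a release: the size of its smallest equivalence class."""
    return min(equivalence_classes(records, keys).values())


def uniquely_identified(records, keys):
    """Records alone in their class.  Anyone who knows those attributes of a
    person (employer, neighbour, marketing database) can pick out that row."""
    classes = equivalence_classes(records, keys)
    return sum(1 for r in records if classes[key_of(r, keys)] == 1)


def generalise(record):
    """Coarsen the identifiers: full postcode -> district (outward code),
    exact age -> ten-year band."""
    g = dict(record)
    g["postcode"] = record["postcode"].split()[0]
    lo = record["age"] // 10 * 10
    g["age"] = f"{lo}-{lo + 9}"
    return g


def release_k_anonymous(records, keys, k):
    """Suppress every record whose class is smaller than k; what remains is
    k-anonymous on the given keys."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[key_of(r, keys)] >= k]


if __name__ == "__main__":
    print("raw:         k =", k_anonymity(RECORDS, QI), "unique =", uniquely_identified(RECORDS, QI))
    coarse = [generalise(r) for r in RECORDS]
    print("generalised: k =", k_anonymity(coarse, QI), "unique =", uniquely_identified(coarse, QI))
    print("releasable at k=2:", len(release_k_anonymous(coarse, QI, 2)), "of", len(RECORDS))
```

On the constructed data six of ten rows are unique on the raw fields; banding the age and dropping the postcode to its district still leaves three unique, and reaching k=2 means suppressing those three. Real extracts have many more fields and far more rows, and both push in the same direction: the rarer the combination (the rural postcode in the text), the smaller the class.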
--
Roger Hayter

From ukcrypto at chiark.greenend.org.uk Mon Aug 27 18:28:44 2007
From: ukcrypto at chiark.greenend.org.uk (David Hansen)
Date: Mon, 27 Aug 2007 18:28:44 +0100
Subject: NHS email encryption
In-Reply-To:
References: <46CEE726.5000806@defoam.net>, <46D2CC59.2010300@callnetuk.com>,
Message-ID: <46D317DC.14977.D77643@davidh.spidacom.co.uk>

On 27 Aug 2007 at 17:27, Roger Hayter wrote:

> Research data has the name clipped off but is not to be aggregated. Age,
> sex, post code, ethnic origin, past medical history, drug history and
> allergies is plenty to identify most people down to single figures,
> overkill in rural postcodes. This data is to be protected by the
> researchers.

Given that a dodgy company involved in intercepting communications can't be bothered to protect data from someone removing the server, any protection by the medical research mob is undoubtedly so minuscule as to be non-existent.

--
David Hansen, Edinburgh
I will *always* explain revoked encryption keys, unless RIP prevents me
http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54

From ukcrypto at chiark.greenend.org.uk Mon Aug 27 22:40:31 2007
From: ukcrypto at chiark.greenend.org.uk (Charles Lindsey)
Date: Mon, 27 Aug 2007 22:40:31 +0100
Subject: NHS email encryption
In-Reply-To: <20070826180832.740dbade@peterson.fenrir.org.uk>
References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk> <20070825181230.00cf40c0@peterson.fenrir.org.uk> <46D1AAE3.2000301@gmx.co.uk> <20070826180832.740dbade@peterson.fenrir.org.uk>
Message-ID:

On Sun, 26 Aug 2007 18:08:32 +0100, Brian Morrison wrote:

> On Sun, 26 Aug 2007 17:31:31 +0100
> Dave Howe wrote:
>> No, I am saying that the EHLO response indicates that STARTTLS is
>> supported, but if you attempt to then use STARTTLS it doesn't actually
>> respond with the ssl sequence but a "not authorized" message. Our
>> mailserver did not then attempt to send mail unencrypted, but failed
>> back to the queue with an error. The "fix" from our end was to force the
>> mailserver to use HELO instead, which prevents the TLS attempt entirely.
>>
>
> I see, that seems very odd, as surely the security of the mail
> transaction is assured with TLS/SSL even outside the NHS network.
>
> While I can see that there are concerns about securing the mail on say
> a doctor's laptop, it doesn't seem to make sense to differentiate
> between outside and inside their own network unless convinced that the
> mail is only secured when stored and not when in transit. The latter of
> those two can be fixed with TLS/SSL whereas the former may be fixed using some
> sort of gpg-alike.
>

Then it seems that doctors can send mails to each other using STARTTLS to prevent 'outsiders' from seeing it. But it would not be possible for a patient to send email to his doctor that way

> I can't see what they're trying to achieve by their current stance.

That remark presupposes they know what they are trying to achieve :-) .

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl@clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From ukcrypto at chiark.greenend.org.uk Tue Aug 28 07:11:15 2007
From: ukcrypto at chiark.greenend.org.uk (Mary Hawking)
Date: Tue, 28 Aug 2007 07:11:15 +0100
Subject: Recovered FTS server: Is it possible to show whether or not information has been accessed?
Message-ID: <+wc1FKBDy70GFw2A@tigers.demon.co.uk>

"A police spokesman said the server was undamaged. "Examination revealed the information had not been accessed," the spokesman said. FTS declined to comment."
http://www.computerweekly.com/Articles/2007/08/20/226280/police-recover-stolen-forensic-server.htm

Is it *technically* possible to be sure that information on a server has not been accessed, backed up during the period it went missing or copied?
If so, how?

Mary Hawking
--
Mary Hawking

From ukcrypto at chiark.greenend.org.uk Tue Aug 28 07:33:02 2007
From: ukcrypto at chiark.greenend.org.uk (Peter Sommer)
Date: Tue, 28 Aug 2007 07:33:02 +0100
Subject: Recovered FTS server: Is it possible to show whether or not information has been accessed?
In-Reply-To: <+wc1FKBDy70GFw2A@tigers.demon.co.uk>
References: <+wc1FKBDy70GFw2A@tigers.demon.co.uk>
Message-ID: <46D3C19E.6080104@pmsommer.com>

The basic test is to look at the date-and-time stamps of files on the server: if these remain unaltered from the time of last "official" use, then one can say that the server itself has not been started up in the normal fashion. (on a Win XP machine you would normally look at the NTUSER.DAT file which gets written to during normal close-down - its "last written" date and time stamp should precede that of any event in which the computer has passed out of the owner's hands).

On the other hand standard computer forensics procedures are to use techniques so that you can copy the contents of a computer's hard-disks (including such things as RAID arrays) without starting the computer up normally, so as to eliminate accusations of tampering. The procedures normally involve either starting the computer from a bootable CD (which has an OS and imaging software) or removing the hard-disks into a separate chassis, interposing write-protect devices and then running forensic imaging software.

So: if the DTS server fell into the hands of ordinary villains, the claim of non-accessing of valuable and sensitive information can probably be sustained. But into the hands of those with experience of digital forensics.....
Peter Sommer

Mary Hawking wrote:
>
>
> Is it *technically* possible to be sure that information on a server
> has not been accessed, backed up during the period it went missing or
> copied?
> If so, how?
>
>

From ukcrypto at chiark.greenend.org.uk Tue Aug 28 08:04:43 2007
From: ukcrypto at chiark.greenend.org.uk (Roland Perry)
Date: Tue, 28 Aug 2007 08:04:43 +0100
Subject: Recovered FTS server: Is it possible to show whether or not information has been accessed?
In-Reply-To: <46D3C19E.6080104@pmsommer.com>
References: <+wc1FKBDy70GFw2A@tigers.demon.co.uk> <46D3C19E.6080104@pmsommer.com>
Message-ID:

In article <46D3C19E.6080104@pmsommer.com>, Peter Sommer writes
>The basic test is to look at the date-and-time stamps of files on the
>server: if these remain unaltered from the time of last "official" use,
>then one can say that the server itself has not been started up in the
>normal fashion. (on a Win XP machine you would normally look at the
>NTUSER.DAT file which gets written to during normal close-down - its
>"last written" date and time stamp should precede that of any event in
>which the computer has passed out of the owner's hands).
>On the other hand standard computer forensics procedures are to use
>techniques so that you can copy the contents of a computer's hard-disks
>(including such things as RAID arrays) without starting the computer up
>normally, so as to eliminate accusations of tampering. The procedures
>normally involve either starting the computer from a bootable CD (which
>has an OS and imaging software) or removing the hard-disks into a
>separate chassis, interposing write-protect devices and then running
>forensic imaging software.
>
>So: if the DTS server fell into the hands of ordinary villains, the
>claim of non-accessing of valuable and sensitive information can
>probably be sustained. But into the hands of those with experience of
>digital forensics.....

An excellent description, but there are some other things which can be done.
eg: Use the BIOS to write the date and time last used into non-volatile RAM, which would demonstrate whether or not the PC had been powered up at all (irrespective of the boot mechanism). But apart from a range of PCs I once had a hand in designing I don't know if this technique is deployed very often; and a determined villain could fake it.

and: I have some SCSI drives which record internally the number of seeks they've done, and the power-up time. Not sure how much (if any) co-operation that requires from the PC. If network management software was regularly logging those statistics, you might have a chance of spotting how long the drives had been powered up after the time of theft (even better if the server was powered off at a known time that evening).

--
Roland Perry

From ukcrypto at chiark.greenend.org.uk Tue Aug 28 09:30:55 2007
From: ukcrypto at chiark.greenend.org.uk (Ian G Batten)
Date: Tue, 28 Aug 2007 09:30:55 +0100
Subject: NHS email encryption
In-Reply-To: <14D31158-6E0E-4304-AA46-E6B6EB2568D6@sourcetagged.ian.co.uk>
References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <14D31158-6E0E-4304-AA46-E6B6EB2568D6@sourcetagged.ian.co.uk>
Message-ID:

On 26 Aug 2007, at 22:16, Ian Mason wrote:
>
> It appears to accept STARTTLS correctly from my mailserver, viz:

I've had this in my mail.access file (I'm a sendmail shop):

Try_TLS:smtp.nhs.net NO

since the year dot. I don't think it's totally unreasonable to refuse opportunistic encryption from people using self-signed certificates: to the eyes of the uninitiated SSL in that situation appears to offer authentication when in fact it only offers some measure of confidentiality. My memory is that it wouldn't accept my signed-by-a-self-signed-CA certificates, unlike IanM's experience, but it was a long time ago that I bumped into this problem.
ian

From ukcrypto at chiark.greenend.org.uk Tue Aug 28 09:11:19 2007
From: ukcrypto at chiark.greenend.org.uk (ukcrypto@chiark.greenend.org.uk)
Date: Tue, 28 Aug 2007 10:11:19 +0200
Subject: Recovered FTS server: Is it possible to show whether or not information has been accessed?
In-Reply-To: <+wc1FKBDy70GFw2A@tigers.demon.co.uk>
References: <+wc1FKBDy70GFw2A@tigers.demon.co.uk>
Message-ID: <200708280811.l7S8BJr8012223@dm-holland-02.uk.sun.com>

>"A police spokesman said the server was undamaged. "Examination revealed
>the information had not been accessed," the spokesman said. FTS declined
>to comment."
>
>http://www.computerweekly.com/Articles/2007/08/20/226280/police-recover-s
>tolen-forensic-server.htm
>
>Is it *technically* possible to be sure that information on a server has
>not been accessed, backed up during the period it went missing or
>copied?
>If so, how?

It's not impossible, but you need to meet some conditions which I think are not likely to be true:

- the server was tamper-evident and no traces of tampering were found
- the server cannot be made to boot from anything you can plug into it (ethernet, floppy, DVD, USB, Firewire)

I'd assume they're just lying.

Casper

From ukcrypto at chiark.greenend.org.uk Tue Aug 28 11:13:40 2007
From: ukcrypto at chiark.greenend.org.uk (David Hansen)
Date: Tue, 28 Aug 2007 11:13:40 +0100
Subject: Recovered FTS server: Is it possible to show whether or not information has been accessed?
In-Reply-To: <200708280811.l7S8BJr8012223@dm-holland-02.uk.sun.com>
References: <+wc1FKBDy70GFw2A@tigers.demon.co.uk>, <200708280811.l7S8BJr8012223@dm-holland-02.uk.sun.com>
Message-ID: <46D40364.28632.152A3B@davidh.spidacom.co.uk>

On 28 Aug 2007 at 10:11, Casper.Dik@Sun.COM wrote:

> I'd assume they're just lying.

How dare you criticise the hard working people inside the tent:-) They never tell lies!!! They sincerely believed it when they said it and thus are above any criticism, let alone being held to account.
For examples of this sort of spin see Tony B Liar over Iraq and the police over their murder of a passenger on a train. And the Home Office claim to wonder why people don't believe a word they say. -- David Hansen, Edinburgh I will *always* explain revoked encryption keys, unless RIP prevents me http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54 From ukcrypto at chiark.greenend.org.uk Tue Aug 28 15:35:36 2007 From: ukcrypto at chiark.greenend.org.uk (David Hansen) Date: Tue, 28 Aug 2007 15:35:36 +0100 Subject: Beware police at work Message-ID: <46D440C8.14710.104FF23@davidh.spidacom.co.uk> So, to http://news.bbc.co.uk/1/hi/scotland/tayside_and_central/6966846.stm where we read: >DC Murray, who gave his evidence from behind screens So much for open court. More and more of these petty officials are demanding to be hidden from us plebs. They must be very delicate flowers. >Brain McConnachie QC, prosecuting, asked: "Did you find anything >relating to terrorism?" > >DC Murray replied: "No." Ah, convincing evidence. >He said that he had opened a number of icons and saw: "A number of >photos of family gatherings and a number of Word documents, but >nothing that was relevant to other inquiries." Yet another case of a petty official throwing his "weight" around by the sound of it. >DC Murray admitted to Mr McConnachie that according to guidelines he >should not have switched on the laptop, but he was not aware of that >instruction at the time. Ignorance is no excuse. These are the petty officials the Home Office think should have access to my data, with no real oversight and absolutely no responsibility for their actions. >When asked if he had planted any evidence on the laptop while it was >switched on or deleted any information, he replied: "No." Ah, convincing evidence. 
-- David Hansen, Edinburgh I will *always* explain revoked encryption keys, unless RIP prevents me http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54 From ukcrypto at chiark.greenend.org.uk Tue Aug 28 17:10:59 2007 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Tue, 28 Aug 2007 17:10:59 +0100 Subject: Beware police at work In-Reply-To: <46D440C8.14710.104FF23@davidh.spidacom.co.uk> References: <46D440C8.14710.104FF23@davidh.spidacom.co.uk> Message-ID: <8uLklz0TkE1GFA$q@perry.co.uk> In article <46D440C8.14710.104FF23@davidh.spidacom.co.uk>, David Hansen writes >>DC Murray, who gave his evidence from behind screens > >So much for open court. More and more of these petty officials are >demanding to be hidden from us plebs. They must be very delicate >flowers. That's a bit unfair. He works for Special Branch, and making him identifiable will likely hinder his future work. -- Roland Perry From ukcrypto at chiark.greenend.org.uk Tue Aug 28 17:40:26 2007 From: ukcrypto at chiark.greenend.org.uk (Hasan Qunoo) Date: Tue, 28 Aug 2007 17:40:26 +0100 Subject: Beware police at work In-Reply-To: <8uLklz0TkE1GFA$q@perry.co.uk> References: <46D440C8.14710.104FF23@davidh.spidacom.co.uk> <8uLklz0TkE1GFA$q@perry.co.uk> Message-ID: <319daa5c0708280940g70bd6773q6f62210d401fbbb5@mail.gmail.com> I am a bit surprised there was no question whether the officer who should be examining the data can understand Arabic or not. Hasan On 8/28/07, Roland Perry wrote: > In article <46D440C8.14710.104FF23@davidh.spidacom.co.uk>, David Hansen > writes > >>DC Murray, who gave his evidence from behind screens > > > >So much for open court. More and more of these petty officials are > >demanding to be hidden from us plebs. They must be very delicate > >flowers. > > That's a bit unfair. He works for Special Branch, and making him > identifiable will likely hinder his future work. 
> -- > Roland Perry > > From ukcrypto at chiark.greenend.org.uk Tue Aug 28 19:49:01 2007 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Tue, 28 Aug 2007 19:49:01 +0100 Subject: Beware police at work In-Reply-To: <319daa5c0708280940g70bd6773q6f62210d401fbbb5@mail.gmail.com> References: <46D440C8.14710.104FF23@davidh.spidacom.co.uk> <8uLklz0TkE1GFA$q@perry.co.uk> <319daa5c0708280940g70bd6773q6f62210d401fbbb5@mail.gmail.com> Message-ID: In article <319daa5c0708280940g70bd6773q6f62210d401fbbb5@mail.gmail.com>, Hasan Qunoo writes >I am a bit surprised there was no question whether the officer who >should be examining the data can understand Arabic or not. Are you aware that (a) there was Arabic data on the PC and (b) this question wasn't asked? Or was it just not reported? Did the defence miss this obvious line of enquiry? -- Roland Perry From ukcrypto at chiark.greenend.org.uk Tue Aug 28 20:05:14 2007 From: ukcrypto at chiark.greenend.org.uk (Hasan Qunoo) Date: Tue, 28 Aug 2007 20:05:14 +0100 Subject: Beware police at work In-Reply-To: References: <46D440C8.14710.104FF23@davidh.spidacom.co.uk> <8uLklz0TkE1GFA$q@perry.co.uk> <319daa5c0708280940g70bd6773q6f62210d401fbbb5@mail.gmail.com> Message-ID: <319daa5c0708281205u1556b440q5d926656543c6e27@mail.gmail.com> I do not know really but the obvious question for anyone investigating anything is to verify first if the suspect is telling the truth and then search for other accusations. I have to say I am not aware of the case but as the BBC article talks about the Arabic poems I could not help but wonder what kind of poem it was. It can be anything really and if there was anyone who verified that. The article does not tell much. Hasan On 8/28/07, Roland Perry wrote: > In article > <319daa5c0708280940g70bd6773q6f62210d401fbbb5@mail.gmail.com>, Hasan > Qunoo writes > >I am a bit surprised there was no question whether the officer who > >should be examining the data can understand Arabic or not.
> > Are you aware that (a) there was Arabic data on the PC and (b) this > question wasn't asked? Or was it just not reported? Did the defence miss > this obvious line of enquiry? > -- > Roland Perry > > From ukcrypto at chiark.greenend.org.uk Tue Aug 28 21:31:33 2007 From: ukcrypto at chiark.greenend.org.uk (Brian Morrison) Date: Tue, 28 Aug 2007 21:31:33 +0100 Subject: NHS email encryption In-Reply-To: References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <14D31158-6E0E-4304-AA46-E6B6EB2568D6@sourcetagged.ian.co.uk> Message-ID: <20070828213133.12cc76bb@peterson.fenrir.org.uk> On Tue, 28 Aug 2007 09:30:55 +0100 Ian G Batten wrote: > I don't think it's totally unreasonable to > refuse opportunistic encryption from people using self-signed > certificates: to the eyes of the uninitiated SSL in that situation > appears to offer authentication when in fact it only offers some > measure of confidentiality. Such a decision depends on why you are using TLS on your mailserver. If it is to ensure authenticity then fair enough, if it's to ensure eavesdropping is much more difficult then it's a legitimate exercise even if authentication is not achieved by that method. -- Brian Morrison bdm at fenrir dot org dot uk "Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it."
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html From ukcrypto at chiark.greenend.org.uk Tue Aug 28 22:29:02 2007 From: ukcrypto at chiark.greenend.org.uk (Dave Howe) Date: Tue, 28 Aug 2007 22:29:02 +0100 Subject: Recovered FTS server: Is it possible to show whether or not information has been accessed? In-Reply-To: <+wc1FKBDy70GFw2A@tigers.demon.co.uk> References: <+wc1FKBDy70GFw2A@tigers.demon.co.uk> Message-ID: <46D4939E.1080705@gmx.co.uk> Mary Hawking wrote: > "A police spokesman said the server was undamaged. "Examination revealed > the information had not been accessed," the spokesman said. FTS declined > to comment." > > http://www.computerweekly.com/Articles/2007/08/20/226280/police-recover-s > tolen-forensic-server.htm > > Is it *technically* possible to be sure that information on a server has > not been accessed, backed up during the period it went missing or copied? > If so, how? The short answer is yes, it's technically possible. The longer answer is that it's unlikely; at a bare minimum, you would need to activate an ATA password on the hard drive so that you need a special boot floppy (or ATA password enabled BIOS) to even spin it up. In that case, the drive would need to be dismantled and the platters mounted on a forensic recovery rig in order to access the data. Assuming you were willing to spend a decent amount on security, you could encrypt the hard drive using a physical token for the key (drives exist that can do this, usually using 3DES and encrypting at the firmware level).
It is also possible that software encryption at the OS level was used to protect the data - not presumably EFS (which apparently the WSJ can crack in three days) but something like Truecrypt - so yes, in that case they could have copied the raw data from the drive, but not accessed the information (as encrypted volumes require a password to mount before they are decrypted, and as the data on them is never stored to disc in an un-encrypted form, powering off the machine effectively removes any chance to recover the plaintext of the intercepts) Given the level of security and technical skill shown by the company so far (assuming that the office door was even locked) I suspect that anything like that is fairly unlikely. They have probably just checked the time stamps, decided that Windows has not booted on that machine since they last used it, and hence it was "not accessed". From ukcrypto at chiark.greenend.org.uk Tue Aug 28 22:38:28 2007 From: ukcrypto at chiark.greenend.org.uk (Dave Howe) Date: Tue, 28 Aug 2007 22:38:28 +0100 Subject: NHS email encryption In-Reply-To: References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <14D31158-6E0E-4304-AA46-E6B6EB2568D6@sourcetagged.ian.co.uk> Message-ID: <46D495D4.9090209@gmx.co.uk> Ian G Batten wrote: > since the year dot. I don't think it's totally unreasonable to refuse > opportunistic encryption from people using self-signed certificates: to > the eyes of the uninitiated SSL in that situation appears to offer > authentication when in fact it only offers some measure of confidentiality. I don't see how that can really be an issue; the NHSNet server doesn't need to be sure that servers sending data *to* it are legitimate, as it doesn't (or shouldn't) care who talks to it.
Clients *should* wish to be sure that the server they are talking to really is from NHSNet, just in case there is a MitM attack in progress, but even then, a self-signed TLS certificate has got to be better than sending completely unencrypted (if nothing else, it forces use of a MitM attack instead of just passive sniffing of the traffic) as a partial aside - has any CA in the history of SSL certification, ever had to pay or offered to pay compensation after mistakenly issuing certificates to someone not entitled to them? > My memory is that it wouldn't accept my signed-by-a-self-signed-CA > certificates, unlike IanM's experience, but it was a long time ago that > I bumped into this problem. Most TLS certificates are self-signed or signed by company/internal CAs. Commercial CA certificates are the exception rather than the rule (I am surprised CAs don't push that particular marketing line more, but they don't seem interested in TLS certs, just webserver ones) From ukcrypto at chiark.greenend.org.uk Wed Aug 29 13:52:05 2007 From: ukcrypto at chiark.greenend.org.uk (Tom Thomson) Date: Wed, 29 Aug 2007 13:52:05 +0100 Subject: Recovered FTS server: Is it possible to show whether or not information has been accessed? In-Reply-To: <46D3C19E.6080104@pmsommer.com> References: <+wc1FKBDy70GFw2A@tigers.demon.co.uk> <46D3C19E.6080104@pmsommer.com> Message-ID: <065a01c7ea3b$672ad9a0$d401010a@neos.tv> Peter Sommer wrote:- > The basic test is to look at the date-and-time stamps: of files on the > server if these remain unaltered from the time of last "official" use, > then one can say that the server itself has not been started up in the > normal fashion. (on a Win XP machine you would normally look at the > NTUSER.DAT file which gets written to during normal close-down - its > "last written" date and time stamp should precede that of any event in > which the computer has passed out of the owner's hands). Here I don't agree.
If the server is set up in anything like a seriously secure fashion, it's quite likely that there are no NTUSER.DAT files for most users, only NTUSER.MAN files, which are NOT modified by anything the user they refer to does. Also, I note that on the NT5.2 (XP Pro and Windows 2003) systems I personally have an NTUser.dat file the dates on the .dat file have no connection with when I last logged in or out: for example the dates for NTUSER.DAT for me on the machine I am typing on now are Date Created: 08/05/2006 Date Accessed: 12/04/2007 Date Modified: 08/05/2006 although I log in and out almost every day (sitting at the machine when I'm here and via a slightly secure VPN connection when I'm not). None of those dates tell you that I logged in and did a lot of work on the machine and logged out again just yesterday. Besides, the most likely way in which data would be accessed is by copying hard drives (or RAID arrays) without ever logging in to the server. After all, how does a person with unauthorized possession of the machine ever get logged in - unless usable username-password combinations were sellotaped to the side of the server (I've seen that before now in so-called secure environments). > On the other hand standard computer forensics procedures are to use > techniques so that you can copy the contents of a computer's hard-disks > (including such things as RAID arrays) without starting the computer up > normally, so as to eliminate accusations of tampering. The procedures > normally involve either starting the computer from a bootable CD (which > has an OS and imaging software) or removing the hard-disks into a > separate chassis, interposing write-protect devices and then running > forensic imaging software.
But a criminal doesn't have to follow the forensic procedure: he doesn't need to put a write-protect device in the way, because he isn't concerned for example with having an audit trail that shows he was actively disabling write access to prevent tampering with evidence. The simple process of booting off a CD containing something like Symantec Ghost and taking an image of each disc is good enough for him. I don't think even the most naïve of us would suggest that knowledge of tools like Symantec Ghost is restricted to the forensic computing community. > So: if the DTS server fell into the hands of ordinary villains, the > claim of non-accessing of valuable and sensitive information can > probably be sustained. But into the hands of those with experience of > digital forensics..... It rather depends on whether the "ordinary villains" know a computer from their elbow; it's not true that getting the data without leaving a clear record of having done so requires knowledge or experience of digital forensics. M. From ukcrypto at chiark.greenend.org.uk Wed Aug 29 14:12:07 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Sommer) Date: Wed, 29 Aug 2007 14:12:07 +0100 Subject: Recovered FTS server: Is it possible to show whether or not information has been accessed? In-Reply-To: <065a01c7ea3b$672ad9a0$d401010a@neos.tv> References: <+wc1FKBDy70GFw2A@tigers.demon.co.uk> <46D3C19E.6080104@pmsommer.com> <065a01c7ea3b$672ad9a0$d401010a@neos.tv> Message-ID: <46D570A7.5040303@pmsommer.com> Tom Thomson wrote: > Here I don't agree. I don't know anything about how FTS run their internal servers; I have met a few of their people in the course of legal instructions and on conference stages but have never discussed their internal systems with them. Mary Hawking began by asking a general question - and I sought to provide a generalised answer in terms which could be fairly easily understood. The rest is speculation.
However, knowing some of FTS's customers I expect that they would need to be satisfied - and in some detail - that security had not been breached. There are other people besides FTS who do cellsite analysis. Peter Sommer From ukcrypto at chiark.greenend.org.uk Thu Aug 30 10:57:16 2007 From: ukcrypto at chiark.greenend.org.uk (PeteM) Date: Thu, 30 Aug 2007 10:57:16 +0100 Subject: NHS email encryption In-Reply-To: References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk> <46D17909.5090802@defoam.net> <46D2CC59.2010300@callnetuk.com> Message-ID: <46D6947C.40501@callnetuk.com> Roger Hayter wrote: > In message <46D2CC59.2010300@callnetuk.com>, PeteM > writes >> Roger Hayter wrote: >>> As I remarked on this thread, users of NHS systems can have no >>> expectation of privacy *from* the government. >> >> We certainly have the right to *demand* privacy from the government, >> though whether we can get it (or some of it) is another matter. The >> battle may not yet be lost. >> > Not if we are NHS employees (or patients) transacting NHS business: The NHS is bound by the law like any other organisation. Some laws - in particular the DPA - grant privacy rights to all citizens including patients. Such laws can in principle be enforced. > unless you are talking about unenforceable "natural" rights. In the long term all rights, legal or natural, are unenforceable because the legislature can remove them by changing the law. In the short term they can be enforced by the courts, or simply by the pressure of enough people asserting them. This has already happened once with the DH conceding the right to withhold one's GP records from the "spine". > >>> The government already assert the right to use hospital >>> administrative and care record data for central administrative >>> purposes and for clinical audit.
There is a lot of pressure to >>> allow it to be used it for medical research (which would include >>> selling the information to drug companies). >> >> *Anonymised* data, which (pace Ross) is a lot less sensitive than >> identifiable medical records. > > Administrative and audit data is only anonymised "if possible", Really? Who says? I thought it was the other way around. Anyway, in what circumstances would it not be possible to anonymise personal data? I can see that in some circumstances it might be necessary to *break* anonymity that had been imposed, but I can't see how it might be impossible to impose it in the first place. and for > audit, generally, the actual notes have to be checked by someone. AIUI, typically a senior clinician who would be bound by professional obligations of patient confidentiality. > Research data has the name clipped off but is not to be aggregated. Age, > sex, post code, ethnic origin, Is the *full* postcode to be attached, in clear, to records used for research? past medical history, drug history and > allergies is plenty to identify most people down to single figures, These items cannot be used to identify a subject - i.e. discover his name and address - because each particular (named) individual's drug history is not in the public domain, unlike his age, sex, address etc. -- Pete Mitchell From ukcrypto at chiark.greenend.org.uk Thu Aug 30 11:59:09 2007 From: ukcrypto at chiark.greenend.org.uk (David Hansen) Date: Thu, 30 Aug 2007 11:59:09 +0100 Subject: NHS email encryption In-Reply-To: <46D6947C.40501@callnetuk.com> References: <46CEE726.5000806@defoam.net>, , <46D6947C.40501@callnetuk.com> Message-ID: <46D6B10D.1549.3E5B2A@davidh.spidacom.co.uk> On 30 Aug 2007 at 10:57, PeteM wrote: > Is the *full* postcode to be attached, in clear, to records used for > research? No doubt the medical research mob would claim that it is impossible for them to do their work without it. 
The fools who run the census (at least in Scotland) are under a similar delusion. -- David Hansen, Edinburgh I will *always* explain revoked encryption keys, unless RIP prevents me http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54 From ukcrypto at chiark.greenend.org.uk Thu Aug 30 14:13:15 2007 From: ukcrypto at chiark.greenend.org.uk (Ian G Batten) Date: Thu, 30 Aug 2007 14:13:15 +0100 Subject: NHS email encryption In-Reply-To: <46D6947C.40501@callnetuk.com> References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk> <46D17909.5090802@defoam.net> <46D2CC59.2010300@callnetuk.com> <46D6947C.40501@callnetuk.com> Message-ID: <484A2CB2-4A73-4D1E-B701-D2B8C46F61A5@uk.fujitsu.com> > > past medical history, drug history and >> allergies is plenty to identify most people down to single figures, > > These items cannot be used to identify a subject - i.e. discover > his name and address - because each particular (named) individual's > drug history is not in the public domain, unlike his age, sex, > address etc. > I'd take evens on someone who knows how to read a set of records being able to identify an individual given a drug history, a postcode and electoral roll information for the residents of that postcode. For women, I'd take 2/1 on: the drug history's going to identify the pattern of children they've had. 
ian From ukcrypto at chiark.greenend.org.uk Fri Aug 31 09:43:40 2007 From: ukcrypto at chiark.greenend.org.uk (PeteM) Date: Fri, 31 Aug 2007 09:43:40 +0100 Subject: NHS email encryption In-Reply-To: <484A2CB2-4A73-4D1E-B701-D2B8C46F61A5@uk.fujitsu.com> References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk> <46D17909.5090802@defoam.net> <46D2CC59.2010300@callnetuk.com> <46D6947C.40501@callnetuk.com> <484A2CB2-4A73-4D1E-B701-D2B8C46F61A5@uk.fujitsu.com> Message-ID: <46D7D4BC.7000505@callnetuk.com> Ian G Batten wrote: > >> >> past medical history, drug history and >>> allergies is plenty to identify most people down to single figures, >> >> These items cannot be used to identify a subject - i.e. discover his >> name and address - because each particular (named) individual's drug >> history is not in the public domain, unlike his age, sex, address etc. >> > > I'd take evens on someone who knows how to read a set of records being > able to identify an individual given a drug history, a postcode and > electoral roll information for the residents of that postcode. For > women, I'd take 2/1 on: the drug history's going to identify the pattern > of children they've had. > Perhaps, but the drug history is useless without the full postcode. What you're showing is what a dangerous piece of information the postcode is when used in inference attacks. There are only 36 addresses that match my postcode, and at an average occupancy of 3 that narrows it down to only 100 people. So it's an even more specific identifier than my *name* (there must be thousands of Peter Mitchells in the UK). In areas that are less densely populated than SW London there are probably even fewer households per postcode. If researchers are to be given full postcodes - which I doubt - we will want to know the reason why. 
-- Pete Mitchell From ukcrypto at chiark.greenend.org.uk Fri Aug 31 12:11:49 2007 From: ukcrypto at chiark.greenend.org.uk (Ian G Batten) Date: Fri, 31 Aug 2007 12:11:49 +0100 Subject: NHS email encryption In-Reply-To: <46D7D4BC.7000505@callnetuk.com> References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk> <46D17909.5090802@defoam.net> <46D2CC59.2010300@callnetuk.com> <46D6947C.40501@callnetuk.com> <484A2CB2-4A73-4D1E-B701-D2B8C46F61A5@uk.fujitsu.com> <46D7D4BC.7000505@callnetuk.com> Message-ID: <67B1235B-06A9-4B08-8FB8-9ABDA46C8CB0@uk.fujitsu.com> On 31 Aug 2007, at 09:43, PeteM wrote: > Ian G Batten wrote: >>> >>> past medical history, drug history and >>>> allergies is plenty to identify most people down to single figures, >>> >>> These items cannot be used to identify a subject - i.e. discover >>> his name and address - because each particular (named) >>> individual's drug history is not in the public domain, unlike his >>> age, sex, address etc. >>> >> I'd take evens on someone who knows how to read a set of records >> being able to identify an individual given a drug history, a >> postcode and electoral roll information for the residents of that >> postcode. For women, I'd take 2/1 on: the drug history's going to >> identify the pattern of children they've had. > > Perhaps, but the drug history is useless without the full postcode. > What you're showing is what a dangerous piece of information the > postcode is when used in inference attacks. Exactly. I'd suggest that full post code plus one fact which has at least 10 discrete common values will produce a target set of only a handful of people, and two such facts will be unique. > > There are only 36 addresses that match my postcode, and at an > average occupancy of 3 that narrows it down to only 100 people. 
There are only 10 for mine, totalling 19 adults and 12 children (two of the children may have turned 18 this year: my point stands). For the adults, age+sex is a unique key, for the children pretty close to it (there's one clash). Height, weight, month of birth, age, nature of highest educational qualification: pretty well any one of those will yield a target set of only two or three people, and any two of them are unique. ian From ukcrypto at chiark.greenend.org.uk Fri Aug 31 12:14:52 2007 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Fri, 31 Aug 2007 12:14:52 +0100 Subject: NHS email encryption In-Reply-To: <46D6947C.40501@callnetuk.com> References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk> <46D17909.5090802@defoam.net> <46D2CC59.2010300@callnetuk.com> <46D6947C.40501@callnetuk.com> Message-ID: In article <46D6947C.40501@callnetuk.com>, PeteM writes >> Administrative and audit data is only anonymised "if possible", > >Really? Who says? I thought it was the other way around. Anyway, in >what circumstances would it not be possible to anonymise personal data? >I can see that in some circumstances it might be necessary to *break* >anonymity that had been imposed, but I can't see how it might be >impossible to impose it in the first place. Perhaps they mean that it will be anonymised as long as it's then *possible* to use the resulting data effectively in their Admin and Audit processes. 
-- Roland Perry From ukcrypto at chiark.greenend.org.uk Fri Aug 31 12:19:25 2007 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Fri, 31 Aug 2007 12:19:25 +0100 Subject: NHS email encryption In-Reply-To: <46D7D4BC.7000505@callnetuk.com> References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk> <46D17909.5090802@defoam.net> <46D2CC59.2010300@callnetuk.com> <46D6947C.40501@callnetuk.com> <484A2CB2-4A73-4D1E-B701-D2B8C46F61A5@uk.fujitsu.com> <46D7D4BC.7000505@callnetuk.com> Message-ID: In article <46D7D4BC.7000505@callnetuk.com>, PeteM writes >If researchers are to be given full postcodes - which I doubt - we will >want to know the reason why. They might be doing a study of people living within a certain distance of some $natural_hazard. Of course, you could deliver the data having already translated their postcodes into such a distance, but traditionally I think the researchers would do that. (I know that's the way we did it when trying to research children's travel-to-school profiles; 90% of the work was in doing that sum, and the school didn't want the work, nor would they hand us the raw data to do the work ourselves - I think we could have made a better case but we gave up.) -- Roland Perry From ukcrypto at chiark.greenend.org.uk Fri Aug 31 12:55:11 2007 From: ukcrypto at chiark.greenend.org.uk (David Hansen) Date: Fri, 31 Aug 2007 12:55:11 +0100 Subject: NHS email encryption In-Reply-To: References: <46CEE726.5000806@defoam.net>, <46D7D4BC.7000505@callnetuk.com>, Message-ID: <46D80FAF.30565.DDA1D2@davidh.spidacom.co.uk> On 31 Aug 2007 at 12:19, Roland Perry wrote: > >If researchers are to be given full postcodes - which I doubt - we will > >want to know the reason why. > > They might be doing a study of people living within a certain distance > of some $natural_hazard.
For most of the population of the UK I'm not convinced that any study would be that more useful with the whole of the postcode, compared to just the first part of the postcode. -- David Hansen, Edinburgh I will *always* explain revoked encryption keys, unless RIP prevents me http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54 From ukcrypto at chiark.greenend.org.uk Fri Aug 31 13:06:27 2007 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Fri, 31 Aug 2007 13:06:27 +0100 Subject: NHS email encryption In-Reply-To: <46D80FAF.30565.DDA1D2@davidh.spidacom.co.uk> References: <46CEE726.5000806@defoam.net> <46D7D4BC.7000505@callnetuk.com> <46D80FAF.30565.DDA1D2@davidh.spidacom.co.uk> Message-ID: <1jc2WCTDRA2GFAGz@perry.co.uk> In article <46D80FAF.30565.DDA1D2@davidh.spidacom.co.uk>, David Hansen writes >> They might be doing a study of people living within a certain distance >> of some $natural_hazard. > >For most of the population of the UK I'm not convinced that any study >would be that more useful with the whole of the postcode, compared to >just the first part of the postcode. I was thinking of Supergrid lines, where a few hundred yards might make a difference. -- Roland Perry From ukcrypto at chiark.greenend.org.uk Fri Aug 31 14:02:03 2007 From: ukcrypto at chiark.greenend.org.uk (David Hansen) Date: Fri, 31 Aug 2007 14:02:03 +0100 Subject: NHS email encryption In-Reply-To: <1jc2WCTDRA2GFAGz@perry.co.uk> References: <46CEE726.5000806@defoam.net>, <46D80FAF.30565.DDA1D2@davidh.spidacom.co.uk>, <1jc2WCTDRA2GFAGz@perry.co.uk> Message-ID: <46D81F5B.308.11ADB12@davidh.spidacom.co.uk> On 31 Aug 2007 at 13:06, Roland Perry wrote: > >For most of the population of the UK I'm not convinced that any study > >would be that more useful with the whole of the postcode, compared to > >just the first part of the postcode. > > I was thinking of Supergrid lines, where a few hundred yards might make > a difference. 
In such a case they need to do some real experiments, not sit on their fat backsides messing around with information. The medical research mob are keen to point to the bod who removed the pump handle in London. However, he did not get his fountain pen out and spend all his time trying to crunch numbers. -- David Hansen, Edinburgh I will *always* explain revoked encryption keys, unless RIP prevents me http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54 From ukcrypto at chiark.greenend.org.uk Fri Aug 31 14:07:46 2007 From: ukcrypto at chiark.greenend.org.uk (Mary Hawking) Date: Fri, 31 Aug 2007 14:07:46 +0100 Subject: NHS email encryption In-Reply-To: <20070831064516.922.96045.Mailman@chiark.greenend.org.uk> References: <20070831064516.922.96045.Mailman@chiark.greenend.org.uk> Message-ID: >On 30 Aug 2007 at 10:57, PeteM wrote: > >> Is the *full* postcode to be attached, in clear, to records used for >> research? > >No doubt the medical research mob would claim that it is impossible for >them to do their work without it. > >The fools who run the census (at least in Scotland) are under a similar >delusion. >-- > David Hansen, Edinburgh Quite a lot of work has been done on data matching and medical records, and the problem is that the less frequent the medical condition is, the easier it is to identify the individual from less complete data. As far as medical research goes, surely the need for location data - such as complete or partial post code - depends on the research question being asked? For instance, if the research concerned clusters (or lack of clusters) of particular diseases, then detailed location data would be important - whereas the study of the outcomes of particular interventions - e.g. statins in secondary prevention of CHD - would not. My understanding is that the plan is to use anonymised data where possible - and only use identifiable data where needed. Who decides what is needed and who would check this need is a different matter!
Mary Hawking

PS back to NHSMail - this was originally intended to allow sensitive information to be sent securely between secure addresses e.g. NHSMail or cgi.gov addresses. Being able to download email to a non-secure address does seem to decrease the security, even if it might make the system more useful for all other purposes!

-- 
Mary Hawking

From ukcrypto at chiark.greenend.org.uk Fri Aug 31 14:47:11 2007
From: ukcrypto at chiark.greenend.org.uk (Caspar Bowden)
Date: Fri, 31 Aug 2007 14:47:11 +0100
Subject: NHS email encryption
In-Reply-To: <46D6947C.40501@callnetuk.com>
References: <46CEE726.5000806@defoam.net> <46D003F5.3040303@gmx.co.uk> <46D0298F.8050501@defoam.net> <46D05C2E.4080103@gmx.co.uk> <46D17909.5090802@defoam.net> <46D2CC59.2010300@callnetuk.com> <46D6947C.40501@callnetuk.com>
Message-ID:

FYI - the ICO has published new guidance on the meaning of personal data in DPA, following an Art.29 WP Opinion discussing same in EU DPD some weeks ago. Both are fascinating, and some surprises tucked away for DP Kremlinologists...

http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/personal_data_flowchart_v1_with_preface.pdf

http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf

-- 
Caspar Bowden

>-----Original Message-----
>From: ukcrypto-admin@chiark.greenend.org.uk [mailto:ukcrypto-admin@chiark.greenend.org.uk] On Behalf Of PeteM
>...
>Really? Who says? I thought it was the other way around. Anyway, in what
>circumstances would it not be possible to anonymise personal data? I can
>see that in some circumstances it might be necessary to *break*
>anonymity that had been imposed, but I can't see how it might be
>impossible to impose it in the first place.
...
>These items cannot be used to identify a subject - i.e. discover his
>name and address - because each particular (named) individual's drug
>history is not in the public domain, unlike his age, sex, address etc.
From ukcrypto at chiark.greenend.org.uk Fri Aug 31 14:56:59 2007
From: ukcrypto at chiark.greenend.org.uk (Roland Perry)
Date: Fri, 31 Aug 2007 14:56:59 +0100
Subject: NHS email encryption
In-Reply-To: <46D81F5B.308.11ADB12@davidh.spidacom.co.uk>
References: <46CEE726.5000806@defoam.net> <46D80FAF.30565.DDA1D2@davidh.spidacom.co.uk> <1jc2WCTDRA2GFAGz@perry.co.uk> <46D81F5B.308.11ADB12@davidh.spidacom.co.uk>
Message-ID: <1hWW2kdr4B2GFA2L@perry.co.uk>

In article <46D81F5B.308.11ADB12@davidh.spidacom.co.uk>, David Hansen writes
>> I was thinking of Supergrid lines, where a few hundred yards might make
>> a difference.
>
>In such a case they need to do some real experiments, not sit on their
>fat backsides messing around with information.

As far as they are concerned, correlating ailments with the patient's home location *is* a scientific experiment. What do you suggest otherwise? Tie someone in an armchair under a grid line and come back ten years later to see if he has a brain tumour?

-- 
Roland Perry

From ukcrypto at chiark.greenend.org.uk Fri Aug 31 20:10:00 2007
From: ukcrypto at chiark.greenend.org.uk (Adrian Midgley)
Date: Fri, 31 Aug 2007 20:10:00 +0100
Subject: NHS email encryption
In-Reply-To: <46D81F5B.308.11ADB12@davidh.spidacom.co.uk>
References: <46CEE726.5000806@defoam.net>, <46D80FAF.30565.DDA1D2@davidh.spidacom.co.uk>, <1jc2WCTDRA2GFAGz@perry.co.uk> <46D81F5B.308.11ADB12@davidh.spidacom.co.uk>
Message-ID: <46D86788.7030101@defoam.net>

David Hansen wrote:
> On 31 Aug 2007 at 13:06, Roland Perry wrote:
>
>>> For most of the population of the UK I'm not convinced that any study
>>> would be that more useful with the whole of the postcode, compared to
>>> just the first part of the postcode.
>
> The medical research mob are keen to point to the bod who removed the
> pump handle in London. However, he did not get his fountain pen out and
> spend all his time trying to crunch numbers.
>

John Snow.
He mapped the area, then plotted on his map each cholera case. Then determined, on the ground I think, for each house in the area which of the two pumps they went to to get their water. He demonstrated that the families who got water from the Broad St pump tended to get cholera, and the families who went to the other pump tended not to.

Then, having crunched his numbers thus, he went and removed the handle of the Broad St pump.

He also gave anaesthetics, and has a pub named after him, not so very far from the right place.

I do not think he would have found the whole postcode more useful than the partial postcode, but he would have found it more difficult with anonymous abstracted data, I think.

If someone felt like writing a demonstration of how to repeat that investigation while maintaining forward anonymity(?) then that might be a considerably persuasive demonstration of an argument. Written in fountain pen, by all means.

Man: http://www.ganfyd.org/index.php?title=John_Snow
Disease: http://www.ganfyd.org/index.php?title=Cholera
Map: http://www.ganfyd.org/images/2/2c/John_Snow_cholera_map.jpg
(If I was told it was fountain pen, I'd believe it)

Some of the fools in my mob know stuff nevertheless.

-- 
A
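The postcode-granularity argument running through this thread (Hansen's "first part of the postcode" suggestion and Hawking's point that rarer conditions are easier to re-identify) can be made concrete with a group-size count. This is an added example, not code from any poster: the cohort, postcodes, age bands and the condition label "rare_X" are all constructed.

```python
"""Re-identification risk of releasing full vs. first-part (outward) postcodes."""
from collections import Counter

# Constructed cohort, not real patients: (postcode, age band, sex, condition).
# Postcodes are invented; "rare_X" stands for an uncommon diagnosis.
RECORDS = [
    ("EH1 1AA", "60-69", "M", "CHD"),
    ("EH1 2BX", "60-69", "M", "CHD"),
    ("EH1 1AB", "30-39", "F", "asthma"),
    ("EH1 2BY", "30-39", "F", "asthma"),
    ("EH2 3CD", "40-49", "M", "CHD"),
    ("EH2 3CE", "40-49", "M", "CHD"),
    ("EH2 3CF", "40-49", "M", "rare_X"),
    ("EH2 3CG", "70-79", "F", "asthma"),
    ("EH2 3CH", "70-79", "F", "asthma"),
]

def outward_code(postcode):
    """'EH2 3CF' -> 'EH2': the first part of a UK postcode (a whole district)."""
    return postcode.split()[0]

def quasi_identifiers(record, full_postcode):
    """The attributes an outsider could plausibly already know about a person."""
    postcode, age_band, sex, _condition = record
    location = postcode if full_postcode else outward_code(postcode)
    return (location, age_band, sex)

def k_anonymity(records, full_postcode):
    """Size of the smallest group sharing identical quasi-identifiers.
    k == 1 means at least one person is unique on location/age/sex alone."""
    groups = Counter(quasi_identifiers(r, full_postcode) for r in records)
    return min(groups.values())

def singled_out(records, full_postcode):
    """Records that become unique once the condition is added to the quasi-identifiers.
    Common diagnoses hide inside their group; a rare one still pins the record."""
    pairs = Counter((quasi_identifiers(r, full_postcode), r[3]) for r in records)
    return [r for r in records
            if pairs[(quasi_identifiers(r, full_postcode), r[3])] == 1]

if __name__ == "__main__":
    for full in (True, False):
        label = "full postcode" if full else "outward code only"
        print(f"{label}: k={k_anonymity(RECORDS, full)}, "
              f"singled out={len(singled_out(RECORDS, full))} of {len(RECORDS)}")
```

With full postcodes every record in the constructed cohort is unique (k=1); with outward codes only, k rises to 2, yet the single rare_X record is still singled out by anyone who knows the diagnosis.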