The EU Data Retention Directive Trashed by the EU Court of Justice

Today the Europan Court of Justice has declared invalid the Data Retention Directive that forced ISP’s to retain some traffic data to be made available for the law enforcement agencies. Though the decision is immediately effective, until the local parliaments don’t update the concerned internal regulations, as crazy as it may sounds, ? the data-retention is still a legal obligation to be fulfilled.

It would be of great help if the local data protection authorities would issue a statement saying that they will not enforce anymore their own controls on data-retention, since any activity in this direction could be challenged on the ECJ decision.

A final remark: how is it possible that the data-protection authorities all over Europe didn’t spot the “little”, “tiny” problem of the Data Retention Directive?

There is no such thing as “Information Security”

Security is Security. Period. No matter whether you’re designing a network, traveling around some third world country or assessing the pollution of the food you’re going to eat: security prowess comes from the confrontation of danger(s).

There is something different in people who’s been exposed to dangers of every sort (soldiers, firefighters, ER personnel) and those who don’t: the former knows what they’re talking about, the latter don’t. You can read it in their eyes, demeanor and down-to-earth approach, contrary to the pompous, empty style of somebody who can’t even handle spending half an hour on Barcelona’s Las Ramblas without being pickpocketed.

Think about it, the next time a “security” consultant tells you that “you have a security problem” and that “he can fix it”.

Friday Night (Data Retention) Fever

Here is a real case that happened just a couple of days ago, while helping an ISP to find a way to handle the deletion of data after the mandatory term imposed by the Eu Data Retention Directive expires. Whatever the solution, thank to the rigidity of the provisions, a law will not be obeyed.

Background:

  •  ? The automatic processing of the data-deletion is usually made so that a script matches daily the data-creation date with the current date, and if the match says that the retention term is expired, then the script delete the data,
  • The only exception is a “freeze” order issued by a Court or a prosecutor. In this case it is possible to avoid the requested data to be destroyed,
  • The “freeze” order are notified either by fax, secure email or direct order to the “Protocol department” (that handles the incoming communications, and that “route” the messages to the concerned people),
  • While when the offices are closed there is always at least one resource belonging to the technical department to be alerted in case of urgency, the administrative offices just shut down the curtains of Friday at – say – 5P.M.,

Scenario:
– let’s say that a secure mail or a fax containing the “freezing” order arrives when the Protocol Department is closed. This means that the request will be processed the next day,

– let’s say that the “freezing” order concerns data that are going to be destroyed the very same Friday night when the order arrived,

What happens is that the “freezing” order arrived timely, before the data were destroyed, but since the internal route of the order is handled when the term is expired, the data have been deleted.

A possible solution could be to extend the deleting time frame of three days (thus accounting for the week-end gap) but it doesn’t work. Here is why.

If I have to destroy the data on Friday, and I kept it until Monday just to check if some Court order has been notified in the meantime, it might happens that on the very same Monday a Court order might be notified in relationship to the Friday-to-be-deleted data (when the data are supposed not to exist anymore).

So, if I follow the DRD I must refuse to comply with the Court order because though the data are there, they can be processed only if the Court order were notified within the original term. On the other hand, I can’t refuse to obey to a Court order, if I still have the concerned information.

A contemporary version of the Buridan’s Ass Paradox.

 

The Italian Approach on Cyberwarfare: paper-based security

From time to time, cyberwarfare surfaces on the ocean of the useless Italian political and sub-political talks.

Last week, waiting my turn to talk in a conference, I’ve heard a speaker claiming to “knows best” ? that said that in five year Italy will have its set of actual guidelines to enforce ENISA standards, advocating a stronger tie between industries and a government committee on critical infrastructure and all the usual vaporware that comes with the topic.

I stayed speechless while losing the count of the times that – in about 27 years on the field – I’ve heard such kind of nonsenses. These people care about the colour of the windows’ curtains while there a house still to be built. They think in term of “national committee”, “global report”, “breach notification” while they still have to succeed in convincing people in not leaving passwords on a monitor-stuck post-it. This reminds me a sketch from “I Maniaci“, an Italian movie from the Sixties, where His Excellence Micozzi, ministry of defense (actor Raimondo Vianello) alwyas followed the journalists questions’ by saying “we shall appoint a committee to look further into the matter”, even the day he was cautioned for alleged wrongdoing.

While the movie was supposed to by a comedy, seeing it today doesn’t elicit a laugh. The security issue ? is serious because, when the Echelon scandal exploded, we could claim that it was a relative threat to Italy since our communication infrastructure and our reliance upon were from stone-age. But now things have changed enough to allow an attack(er) to actually endanger Italy as a country. And I can’t stop thinking of ? the Italian approach being like a politburo of some (former) Eastern Block country, talking about Marxist orthodoxy while people in the squares was taking down Lenin’s statues.

We shall appoint a committee to look further into the matter.

Security is not a process, is a product

No, I didn’t do a mistake. I actually meant that security is product and not – as the mantra we hear since decades – a process. Truth is that company departments are governed by this god called “budget” and failing to fully spend it means that at the next round the financial controller will bash it, thus lowering the status and the power of the involved IT or security manager.

So monies have to be spent but how? Not on consulting or security management, of course. When incidents happen (as they do, more often that we may imagine or hope) the barrel starts rolling and everybody in the company keep it rolling on somebody else’s shoulders. And here comes the catch: nobody will ever be fired for having purchased stacks of “security-branded” boxes like firewalls, intrusion detections tools etc. even if these boxes aren’t properly deployed.

It’s easy to address the incident meeting with the CEO, the HR head and the legals by saying: “look, we purchased the best things on the market, and to be sure that we were safe, we doubled all the components – you know, redundancy, high-availability and those other things required by our security certification. Unfortunately these fucking balcanian hackers know better then the devil itself. But I have already managed how to fix the problem: our supplier has been asked to provide its latest device that will protect us better than ever. BTW, since we’re talking about that, though I got a fair price cut, the thing is costly and I need my budget to be extended. Is for security sake!”

Now compare this statement with what follows: “well, as you know, we didn’t need to spend money on hardware. Our firewalls are still capable and fit, so I focused on the internal checks. I hired a consulting firm to do penetration test once-a-year (can’t do it more often because the company complained that these activities slow down the business), than I had another company to monitor and analyze the daily flow of the traffic we generate (but we have been prevented by the legals to dive much too deep into the origin of the connections, so we don’t actually know where did the trojan come from), I then hired an auditor to check the software installed on each computer in use, but the HR told us that we couldn’t do it on the high level management laptop.”

And here comes the final question: which one security manager is gonna be fired?