

After a Tweet by Damien Mulley I checked out the Next
Generation Broadband paper from the Dept of Communications.
My few thoughts are below. These are provisional. If I think more about this I'll get depressed and the comments will get worse.
First point. There are no real numbers in the document. I would
expect a definition of what current generation broadband is, and what next
generation broadband is. Is that too much to ask?
There are some vague references to current speeds but no
specifics. Worse, it states "rather than predicting an exact speed, the
objective should be to aim for the level which will support innovation". This
is attempting to set up any NextGen initiative for success no matter how half
assed it might be.
The key points I'd pick from the paper are
* Lack of definitions
* A litany of platitudes. The benefits sections of Next Generation broadband are a litany of platitudes. Many of these would be available with decent provision of current broadband but this is overstated. The other question I have to ask is just what is a knowledge economy, compared to say an ignorance economy, and what does it mean for society? I say this as someone who wrote a 200 page dissertation on Ireland as a knowledge based economy.
* Further papers due later this year. I can hardly wait. Actually I can, because if this is any guide they won't be worth the wait.
* The mention of the - well paid - International Advisory
Forum. A summary of the problems with
this group starts here. As I'd like to point out, "we have
consultants" is not persuasive to those of us who like to think.
* The lack of exact speeds - yes I mentioned this earlier. It's
important so it needs to be repeated. There are no specific targets or
definitions for NextGen Broadband.
* The discussion of Broadband in Ireland today is mealy
mouthed. It's sleevenism. "It was bad but we're all right now." No we're not.
* International Comparisons Pt 1:
There are no comparisons for current broadband, and no
graphics.
* International Comparisons Pt 2:
Asia is glossed over even though it's where some of the key
work has happened to date. It states in general that "governments are not
funding the roll-out of high speed Next Generation broadband to the home" and
effectively concludes that we should follow the herd. It is in essence weaselling
out of public investments and the importance of public goods. Government
created ESB and the rural electrification project. Next Gen should be something
similar. We should be looking to be tangibly world class. We can be and we
should be.
* Threats: "if there is not investment in Next Generation
Broadband now, Ireland will lag significantly behind". Yes. This is why
this needs to be a public good to start with.
* Strategy. The strategy piece isn't; it merely pulls together
the ideas earlier in the paper. It lacks vision, it lacks any tangible measure
of success and is vague and value free. (Values are important.) The updates on
earlier action highlight this. It's pieces of paper pushed around signifying
nothing of importance, and the glacial speed at which these have happened is
maddening.
Overall this paper is a disastrous piece of drivel. It is a
waste of public money, - For this you brought in all these experts - and
reflects poorly on the Minister and the Department that produced it. There is
no vision for Ireland here. There are no examples of what Next Generation
Broadband could achieve; no real tangible examples and it wouldn't be hard to
produce some.
Damien Mulley described it as "Dishonest, contradictory and in no way based in reality." Conway's Law applied I think.
This is the reply I received via email today
Dear Mr. Casey,
Thank you for your correspondence regarding the recent laptop thefts. We hope to be
able to at least partially answer your queries, however not all information
requested can currently be provided.
With regard to your question 1, 2 and 8 regarding the details of past and current
levels of protection etc., as a general policy, and specifically under the current
circumstances, we are unfortunately unable to divulge specific information, as
intimate knowledge of our security procedures and systems could be said to represent
a security risk in and of itself. We can assure you however that vigorous measures
have been taken to prevent a possible recurrence of this issue.
In the event of fraudulent activity on a customer's account, any legitimate claim
for loss of funds or identity fraud will be handled in conjunction with the banks
and Gardaí. We have advised all affected customers by letter, and a dedicated
hotline has been put in place. (1850 431 431) We shall of course offer such further
assistance as may be required, on a case by case basis.
The FAQ below should account for any queries not responded to above.
With kind regards,
Bord Gáis Energy
Joyce's Court, Dublin 1, Ireland
www.bordgaisenergy.ie
They included their useless list of questions that answers nothing I've asked.
This is how I replied. The additional question below comes from Brian Honan
"Dear Sir or Madam
I can appreciate that you may not be in a position to answer all questions however in this case I feel that you have not answered any of my questions.
You say you are not able to answer questions 1, 2 & 8 "as intimate knowledge of our security procedures and systems could be said to represent a security risk in and of itself." I'm sure that I don't need to remind you that security by obscurity is a bad approach to security. Can you give me any reason that as a customer of Bord Gais whose trust has already been betrayed that I should continue to be a customer?
With regard to question 3 - 7. You appear to have ignored these questions so I am repeating them here.
Q3 Why was data containing bank account details ever on any standalone machine (Laptop or PC) and not stored on a server?
Q4. What was the data on the laptop that was stolen being used for ?
Q5. Are you planning to put fraud insurance in place for these customers for the next few years?
Q6. Are you planning compensation for impacted customers?
Q7. What else are you planning to do for customers?
I would also ask you for an answer to part of question 8 which relates to question 3 & 4.
"Are you changing policy on what data is downloaded onto laptops and desktop machines?"
I'd also add a final question
"what monitoring in place to detect copying/dload of sensitive data"
The answers coming from this account appear to be written by a PR person unconcerned with the customer.
Again I have to ask: can you give me any reason that as a customer of Bord Gais whose trust has already been betrayed that I should continue to be a customer?
Sincerely
Dermot Casey
Haul the boys to the pool for swimming lessons. Back home for a quick fight with water pistols before lunch, then a fair with bouncy castles and face painting in the afternoon. Paddling and wading later followed by pizza for tea. Happy boys. Happy Daddy and Happy Mum.
Perfect Father's Day almost. Wishing my own Dad was alive to delight in his Grandkids.
Brian Honan suggested an additional question "I would also ask what monitoring in place to detect copying/dload of sensitive data"
I was going to ask them a question on Data Leakage which would have covered this but decided not to.
Brian has a good post on the whole matter here. I like his discussion of the notion of a Custodian.
I have emailed the Press Office this morning with no reply yet and left voicemails for the Corporate Affairs Manager on her landline and mobile and with the Public Relations Officer again on her landline and her mobile.
Q1. On your website you refer to "sophisticated password protection. One of the laptops with password protection contained the details of Bord Gáis Energy’s residential electricity customers who pay via direct debit." What do you mean by sophisticated password protection? Is this the standard operating system protection or something else?
Q2 What operating system and version of operating system was on the Laptops?
Q3 Why was data containing bank account details ever on any standalone machine (Laptop or PC) and not stored on a server?
Q4. What was the data on the laptop that was stolen being used for ?
Q5. Are you planning to put fraud insurance in place for these customers for the next few years?
Q6. Are you planning compensation for impacted customers?
Q7. What else are you planning to do for customers?
Q8 What steps have you taken to prevent a reoccurrence of this problem other than encrypting your laptops? Have you changed physical security access? Are you changing policy on what data is downloaded onto laptops and desktop machines?
Thousands signed up. I signed up. Now in the biggest shooting yourself in the foot incident since Custer said, "nah I don't need those Gatling guns" they have lost bank details for 75,000 customers.
Four laptops were stolen from Bord Gais as they say "A burglary took place on Friday, 5th June in one of Bord Gáis Energy’s Dublin offices. During this incident four laptops were stolen, one of which contained customer information of 75,000 customers Bord Gáis Energy residential electricity customers."
Despite the widely publicised incidents with Bank of Ireland last year these laptops WERE NOT ENCRYPTED. In the 12 days since that incident all Laptops are now encrypted. That shows that encrypting Laptops wasn't a priority before the 5th of June.
They further state on their website
"What information was stolen?
The information on one of the stolen laptops contains names, addresses and bank account details of the affected customers.
What information was on the laptops?
Of the four laptops stolen, one had hard drive encryption and the remaining three had sophisticated password protection. One of the laptops with password protection contained the details of Bord Gáis Energy’s residential electricity customers who pay via direct debit.
What customers are affected?
This affects customers who applied to switch to Bord Gáis Energy for residential electricity before Friday 29th May 2009 and had opted to pay by direct debit"
So that's me included.
There are two failures here. The first failure is in failing to encrypt the laptops. After Bank of Ireland last year, failure to encrypt laptops is criminally negligent. And I am deadly serious about that. This is not an IT failure it is a failure of proper Risk Management and Corporate Governance.
The second failure is the response.
There is a hope that the data won't be misused. But hope is not a plan and it's not effective. The statement is this
"What is the likelihood this information will be misused?
Typically in incidents involving the theft of a laptop it is completely cleaned and sold on within 24 hours. We have been reliably informed that they are not aware of any case in Ireland where data that was contained on a stolen or lost laptop has been used fraudulently because of this we believe the likelihood of the information being misused."
They are probably correct but they misunderstand RISK. The consequences of misuse of Data are so large that this hoping is not enough. Bord Gais need monitoring with the Irish Credit Bureau for these customers. They need to transparently enable customers to set up new accounts with new account numbers for all the affected customers. They need to put fraud insurance in place for these customers for the next few years. They need to do this with minimal impact to customers. And they need to think about some form of compensation for the worry caused to customers. And it should be monetary. A few months free electricity for example.
Bord Gais you need a program in place tomorrow for helping your customers and your CEO needs to recognise this.
Last night I watched PrimeTime which talked briefly about who controls our schools. Just in case you’ve been on planet Mars the figure is 92% of Primary Schools are controlled by the Catholic Church. This is despite the fact that all the teachers' salaries, pretty much all other staff costs, and buildings etc have been paid for by the state. (Except where they have been paid for by the parents but they’re still owned and run by the church.)
There was a brief talk to camera piece between Ronan Mullen
(can I describe him as a very Catholic Senator) and Geraldine
McCarthy. Mullen referenced a RedC survey that suggested that 47% of parents
wanted a Catholic Education, 39% wanted all religions taught equally and the
other 14% wanted a non-religious education. Mullen made some bizarre comments which McCarthy shot down.
Senator Mullen suggested another agenda at work in questioning the role of the Catholic Church (those damn liberal secularists he might have said). Of course there has been an agenda at work on our school system for over 150+ years that he didn’t speak about. The agenda has been that of the church. The “give me the boy and I’ll give you the man” philosophy. An agenda aimed at securing the role of the church at the heart of the state. I am a product of that system myself. Nuns for 2 years then the Christian Brothers education until university. I had a good general education and I’m sure my parents were happy with the religious ethos of the schools.
The discussion that followed the snippets of Mullen &
McCarthy (during which Sen Mullen made some bizarre claims that Ms McCarthy
emphatically refuted) was brief and to my mind one sided. It was between Fintan O'Toole and a Bishop ( I believe Bishop Leo O'Reilly) representing the Conference of Bishops who are in charge of those 92% of schools.
The topic I assume emerged from the question asked (and answered very well) by Fintan O’Toole in the Irish Times last Saturday as to why there was – uniquely in Europe – no state run primary system of Education.
The Bishop claimed that the Church provided a primary education because that was what parents wanted. Which is strange because if the RedC poll is to be believed less than 50% of parents want that. And there is no alternative. There is no choice. (The small number of Educate Together schools provide some alternative to the Catholic school system but are few in number). As a parent I have no choice. There is no alternative. Effectively the state is funding a catholic indoctrination, sorry educational program. Which one has to believe is what the Church wants.
As Fintan O’Toole pointed out last night no one is trying to
deny Catholics their ethos, or their education. As he said very nicely
referencing the RedC poll “if you could start by handing over half the schools”
we might make some progress. I get the feeling that the church regards
education the same way that Charlton Heston regarded his guns – and that we’ll
need to pry it from their cold dead hands. So be it. The time is right and the
mood is right in the country for the orders to start handing back to the state
what has been provided by the people of the state. Let's be clear on this - handing back to us what is ours.
To allow those of a secularist view some choice in how their children are educated. This might even enable us to start cherishing the children of the nation equally.
(The post title comes from an excellent book by Stephen Law called "The War for Children's Minds" which speaks more broadly on the idea of a liberal vs religious education.)
Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance. We do nothing wrong when we make love or go to the bathroom. We are not deliberately hiding anything when we seek out private places for reflection or conversation. We keep private journals, sing in the privacy of the shower, and write letters to secret lovers and then burn them. Privacy is a basic human need.
A future in which privacy would face constant assault was so alien to the framers of the Constitution that it never occurred to them to call out privacy as an explicit right. Privacy was inherent to the nobility of their being and their cause. Of course being watched in your own home was unreasonable. Watching at all was an act so unseemly as to be inconceivable among gentlemen in their day. You watched convicted criminals, not free citizens. You ruled your own home. It's intrinsic to the concept of liberty.
For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that -- either now or in the uncertain future -- patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.
How many of us have paused during conversation in the past four-and-a-half years, suddenly aware that we might be eavesdropped on? Probably it was a phone conversation, although maybe it was an e-mail or instant-message exchange or a conversation in a public place. Maybe the topic was terrorism, or politics, or Islam. We stop suddenly, momentarily afraid that our words might be taken out of context, then we laugh at our paranoia and go on. But our demeanor has changed, and our words are subtly altered.
This is the loss of freedom we face when our privacy is taken from us. This is life in former East Germany, or life in Saddam Hussein's Iraq. And it's our future as we allow an ever-intrusive eye into our personal, private lives.
Too many wrongly characterize the debate as "security versus privacy." The real choice is liberty versus control. Tyranny, whether it arises under threat of foreign physical attack or under constant domestic authoritative scrutiny, is still tyranny. Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that's why we should champion privacy even when we have nothing to hide.
