April 24, 2007

Is the MI5 website What's New email alert system still working ?

Has anyone else who is subscribed to the MI5 email alert list still not yet received their MI5 Security Service website What's New alert emails from Friday, when Jonathan Evans formally took over as Director General, and the website was updated ?

MI5 website What's New page

JONATHAN EVANS TAKES OVER AS DIRECTOR GENERAL (21/04/2007)

Jonathan Evans has today taken over from Dame Eliza Manningham-Buller as the new Director General of the Security Service. As the head of the Service, Mr. Evans is responsible for leading and directing its work against threats to the UK's national security. He has been a member of the Service since 1980 and has focused mainly on counter-terrorism, both international and domestic. He served as the Service's Deputy Director General from 2005 to 2007 and has succeeded Dame Eliza following her retirement. For more information on Mr. Evans and the role of the Director General, please click on this item's headline.

The disappearance from view of the "We Are All Doomed - now what are we meant to do exactly ?" web graphic button links (such as threatlevelssmall3.gif) on the relevant pages on the MI5, the Home Office and the Intelligence.gov.uk websites is a bit puzzling.

Is it just managerial incompetence from the Home Office's new Office for Security and Counter-terrorism, or is there a deliberate attempt to try to forget about the whole "terror alert status" media hype ?

It does make us wonder what is going on, and how these people are ever going to make better use of the web and the internet in terms of brand image, trustworthiness and hearts and minds, than our terrorist and other enemies do.

March 1, 2007

Is the MI5 email subscription list system now working as it should have done when launched ?

The MI5 website email subscription list system seems to have been re-vamped, again, with some considerable improvements.

The Intelligence and Security Committee of Parliament have looked into the affair, in so far as it is within their narrow remit, and seem to have been assured that the initially improved system is working ok.

The Information Commissioner's Office is currently investigating the data protection aspects of the original system, which we believe did breach the Data Protection Act.

Which Home Office politician or spin doctor or MI5 Security Service civil servant is willing to admit that they made a mistake with the original launch of this email alert subscription service ?


February 2, 2007

Centre for the Protection of National Infrastructure announced on the MI5 website, but not by email

As subscribers to the Security Service MI5's What's New mailing list

Whenever we publish an item on the "What's New" section of this website, we will issue the same item by e-mail to subscribers. This will enable you to stay informed about what we are doing, without having to constantly check our website for updates. Threat level information will be provided as part of the "What's New" list.

we are still waiting for our email list subscription confirmation emails - the "few days" wait is now over a month. See our category archive of postings on this topic.

We were hoping to have been alerted by email to this recent "What's New" item on the MI5 website:

LAUNCH OF THE CENTRE FOR THE PROTECTION OF NATIONAL INFRASTRUCTURE (01/02/2007)


January 15, 2007

Cabinet Office media spin over the MI5 email subscription data affair

MI5, the Security Service, have a statement on the What's New page on their website:

The Security Service does not have a Press Office and does not comment on intelligence matters. The Home Office issues statements relating to our work from time to time...

Why then, is the Cabinet Office handling the media spin over the MI5 email subscription data affair ? Home Secretary John Reid is the man who is meant to be politically responsible for any MI5 "not fit for purpose" issues, but the Home Office Press Office somehow seem to have managed to land the Cabinet Office with the job of trying to put a brave face on it.

According to the BBC:

Alert system dubbed a 'shambles'

By Mark Ward
Technology Correspondent, BBC News website
Last Updated: Monday, 15 January 2007, 13:19 GMT

[...]

A spokeswoman for the Cabinet Office said the changes made to the service, including bringing the data to the UK, were due to happen before SpyBlog investigated. This was to help cope with the large numbers of people signing up.

Approximately how many people have apparently signed up for this insecure service then ?

"Moving the data to the UK will enable faster e-mail delivery to subscribers,

How much faster exactly ? It may only take a fraction of a second longer for an email to be sent from, say Seattle to London than from London to London. It could even be faster, for many internet users.

most of whom are in the UK

This email subscription list data should never have left the United Kingdom in the first place.

What about the millions of UK internet users with, say, hotmail.com or yahoo.com or gmail.com or aol.com email accounts, all hosted in the USA ?

and will enable the Security Service to use Mailtrack's latest technology." said a statement issued by the Cabinet Office.

This should have been installed and tested on an adequate number and specification of UK Government hosted machines to cope with the anticipated demand, and sanity checked for security and privacy vulnerabilities during the formal accreditation process required for connection to the Government Secure Intranet to Internet email gateways, used by UK Central Government Departments, before the system was launched to the public last Tuesday.

Does this wording imply that the Security Service has actually signed a contract with MailTrack this time ?

The Cabinet Office said: "We are confident that the technical arrangements for this service are entirely compliant with the Data Protection Act".

They may be compliant now that the system seems to be entirely within the United Kingdom, but they were in breach of the Data Protection Act from last Tuesday until Friday night.

We have written to the Information Commissioner about the Data Protection issues, and about what happens to the data and the webserver logfiles which are in the USA.

We have also written (but not via email !) to the Intelligence and Security Committee, who are meant to scrutinise MI5 on our behalf, and who were the ones who suggested a more open and less complicated Terror Threat Level status system in the first place.

January 14, 2007

MI5 email subscription data scandal - misleading Mail on Sunday article

The Mail on Sunday has published a misleading article about the data protection scandal of the MI5 email subscription list for Terror Alert Status changes and MI5 website news updates, launched with so much hype on Tuesday, and which Spy Blog was embarrassed to discover was so unnecessarily insecure.

See: "MI5 e-mail alert sign up shambles - all email subscription web forms sent to the USA, without encryption".

N.B. There have been lots of media and blog stories claiming that the system sends out "terror alerts", implying specific terrorist threat warnings, but that is simply not the case.

MI5 terror alert blunder sends private data to US mailshot firm

By JASON LEWIS - Last updated at 21:02pm on 13th January 2007

The Mail on Sunday article did not bother to try to contact Spy Blog for any comments, instead preferring to use the phrase "The Mail on Sunday can reveal..."

However, in their interview with David Geller, the president of the US firm WhatCounts Inc, they also publish photos of David Geller and his wife, make a point of saying that she is Iranian, and mention their young child, their home town and the style of house where they live !

They also imply that his company has links with the CIA, simply because it does work for the Voice of America radio station. The same could be said of any company which does business with the BBC World Service.

The claim that Mrs. Geller (who is specifically named by the Mail on Sunday)

a public relations executive, describes her interests as Iran, travel and cooking and gives her home town as Tehran.

obviously comes from web surfing her online digital photography albums on the Flickr website.

There is no suggestion that the Gellers have any links to the Iranian regime which has been named as part of the axis of evil by President Bush for its sponsorship of international terrorism.

There simply was no such suggestion until the Mail on Sunday just made it !

In what way are those personal family details at all relevant to a story in which WhatCounts.com is no longer really involved, since, as of Friday evening, the MI5 system has been changed, as we reported in our previous blog article "MI5 e-mail list subscriptions now more secure than at launch" ?


January 13, 2007

MI5 e-mail list subscriptions now more secure than at launch

Sometime on Friday evening, the MI5 e-mail list subscription service was modified from the shambolic version which was launched on Tuesday evening (see "MI5 e-mail alert signup shambles - all email subscription web forms sent to the USA, without encryption").

The e-mail list subscription service no longer seems to send your personal data to the USA in an unencrypted format, but it is still not being hosted entirely on secure UK Government IT infrastructure.

However, signing up this way no longer gets you an email confirmation immediately: you will now have to wait "a few days". Will the terrorists also wait ?

There has been no indication of an update to the website on its front page, which still claims "Updated 9.1.07 17:00"

There has been no new news item on the What's New page, and so, it is not surprising that there has not been an email message to those people who have already subscribed to the MI5 website news update e-mail list.

The links to the web form

http://www.mi5.gov.uk/output/Page575.html

now take you to an SSL / TLS encrypted web page

https://www.mi5.gov.uk/output/Page575.html

You can now register "anonymously"

To subscribe, enter your e-mail address and, optionally, your name in the form below and press the "Subscribe" button. You can register anonymously if you wish, but providing your name (or a user name of some description) will enable us to help you more effectively if you report a problem with your subscription.

There is also now an extra paragraph at the bottom of the page :

Security

Your subscription details will be sent over a secure Internet connection via a Secure Socket Layer (SSL), a protocol used for secure communications over the Internet. Web addresses that begin with "https" indicate that an SSL connection will be used.

Hooray ! This uses the already installed Digital Certificate for the www.mi5.gov.uk website, which was already being used for an SSL encrypted web form.

So far, so good, but why could this not have been done on Tuesday when the service was launched ?

So where is this e-mail list sign up web form being processed this time ?


January 9, 2007

MI5 e-mail alert signup shambles - all email subscription web forms sent to the USA, without encryption

What a shambles over the heavily hyped "MI5 e-mail alert system", which failed to be available on Tuesday morning, as was implied in the media, but which has appeared on Tuesday evening, with all the appearance of a rushed job !

Astonishingly, MI5, the Security Service, part of whose remit is supposed to be giving protection advice against electronic attacks over the internet, is sending all our personal details (forename, surname and email address) unencrypted to commercial third party e-mail marketing and tracking companies which are physically and legally in the jurisdiction of the United States of America, and is not even bothering to make use of the SSL / TLS encrypted web forms and processing scripts which are already available to them.

Is this evidence of a rush job, to satisfy the demands of the Home Office spin doctors or is it incompetence, or indifference to the privacy and security of the general public ?
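The check behind this post, and behind the question in the later "now more secure than at launch" post about where the sign up web form is being processed, can be run offline against a saved copy of any sign-up page. The Python below is an added example, not part of the original Spy Blog posts: it reports, for each form, whether it is submitted without encryption and whether it goes to a host other than the page's own. The sample HTML is constructed and lists.example is a placeholder host.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return one finding per form: where it submits and what is wrong."""
    collector = FormCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    findings = []
    for action in collector.actions:
        # An empty or relative action resolves against the page URL itself.
        target = urlsplit(urljoin(page_url, action))
        issues = []
        if target.scheme != "https":
            issues.append("submitted without encryption")
        elif page.scheme != "https":
            # HTTPS target on an HTTP page: the form can be altered in transit.
            issues.append("form page served without encryption")
        if target.hostname != page.hostname:
            issues.append(f"sent to other host {target.hostname}")
        findings.append({"target": target.geturl(), "issues": issues})
    return findings


# Constructed samples, not the real MI5 pages; lists.example is a placeholder.
HTTP_THIRD_PARTY = '<form action="http://lists.example/subscribe" method="post"></form>'
HTTPS_SAME_HOST = '<form action="" method="post"><input name="email"></form>'

if __name__ == "__main__":
    for url, html in (("http://www.mi5.gov.uk/output/Page575.html", HTTP_THIRD_PARTY),
                      ("https://www.mi5.gov.uk/output/Page575.html", HTTPS_SAME_HOST)):
        for finding in audit_forms(url, html):
            print(finding["target"], finding["issues"] or "no issues found")
```

A clean result only covers the first hop: it says nothing about where the receiving script forwards or stores the data afterwards.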
