Avoid: a) contact; b) phishing.

It is impossible to ascertain at first look whether a phishing email is genuine or not.

I was thinking about not posting this week, as many, many of us have rather a lot on our minds at the moment. Like the rest of the UK, our household is in lock-down, and I’m trying to juggle work with the (actually very limited) demands of my two children, alongside my wife. So far, our broadband is holding out, and I’ve worked from home long enough that I’ve managed to get the rest of the family’s remote access issues sorted so far.

But I decided that I wanted to post, because I wanted to issue a warning, in case you’ve missed it elsewhere: watch out for phishing emails.

I try to keep these articles relevant to people who aren’t IT professionals: “technically credible, but something you could show to your parents or your manager”. Given how many parents (not to mention grandparents and, scarily, managers) seem to be going online for pretty much the first time, here’s my first definition of phishing emails[1].

“A phishing email is one which pretends to be from a person or company you trust, trying to get personal details such as logins or bank information, or to install malicious software on your device.”

Here’s my second definition, particularly relevant now.

“A phishing email is one sent by low-lives who are attempting to scam vulnerable, scared people for their own personal gain.”

Many phishing emails look exactly the same as a normal email from the relevant party. To be clear, it is impossible for anyone, even an expert, to ascertain at first look whether a polished and sophisticated phishing email is genuine or not. There are ways to tell, if you’re an expert, by looking in more detail at the actual details of the email, but most people will not be able to tell. I have nearly been caught over the past week, as have one of my kids and my wife. Two that have come round recently were particularly impressive: one from Netflix, and one for the TV licensing authority in the UK. Luckily, I’ve trained my family well, and they knew what to do, which is this:

NEVER CLICK ON ANY LINKS IN AN EMAIL.

There. That’s all you need to do. If you get an email which is asking you to click on a link, a graphic or a picture, don’t do it. Instead, go to the website of the actual company or organisation, or contact the individual who allegedly sent it to you. You should easily be able to work out whether your credit card has been declined, your email account has been suspended, you need to pay extra tax within the next 24 hours (hint: you don’t), your friend is stuck in Tenerife or you have used up all of your phone data. If in doubt, stay calm, don’t panic, and contact a more expert friend[2], and get them to help.

To be clear, it’s easy to get it wrong. I work in IT security, and I’ve been caught in the past: see my article I got phished this week: what did I do? This will also tell you (or your designated expert) what to do in the event that you do click on the link.

And, of course, keep safe.


1 – the word “phishing” is derived from “fishing”, as the emails are “fishing” for your details. The “ph” is a standard geek affectation.

2 – often, but not always, son or daughter, grandson or granddaughter[3].

3 – or one of the people whose manager you are, of course.

Your job is unimportant (keep doing it anyway)

Keep going, but do so with a sense of perspective.

I work in IT – like many of the readers of this blog. Also like many of the readers of this blog, I’m now working from home (which is actually normal for me), but with all travel pretty much banned for the foreseeable future (which isn’t). My children’s school is still open (unlike many other governments, the UK has yet to order them closed), but when the time does come for them to be at home, my kids are old enough that they will be able to look after themselves without constant input from me. I work for Red Hat, a global company with resources to support its staff and keep its business running during the time of Covid-19 crisis. In many ways, I’m very lucky.

My wife left the house at 0630 this morning to go into London. She works for a medium-sized charity which provides a variety of types of care for adults and children. Some of the adults for whom they provide services, in particular, are extremely vulnerable – both in terms of their day-to-day lives, but also to the possible effects of serious illness. She is planning the charity’s responses, coordinating with worried staff and working out how they’re going to weather the storm. Charities and organisations like this across the world are working to manage their staff and service users and try to continue provision at levels that will keep their service users safe and alive in a context where it’s likely that the availability of back-up help from other quarters – agency staff, other charities, public or private health services or government departments – will be severely limited in scope, or totally lacking.

In comparison to what my wife is doing, the impact of my job on society seems minimal, and my daily work irrelevant. Many of my readers may be in a similar situation, whether it is spouses, family members or other people in the community who are doing the obviously important – often life-preserving – work, and with us sitting at home, appearing on video conferences, writing documents, cutting code, doing things which don’t seem to have much impact.

I think it’s important, sometimes, to look at what we do with a different eye, and this is one of those times. However, I’m going to continue working, and here are some of the reasons:

  • I expect to continue to bring in a salary, which is going to be difficult for many people in the coming months. I hope to be able to spend some of that salary in local businesses, keeping them afloat or easing their transition back into normality in the future;
  • it’s my turn to keep the household running: my wife has often had to keep things going while I’ve been abroad, and I’m grateful for the opportunity to look after the children, shop for groceries and do more cooking;
  • while I’m not sick, there are going to be ways in which I can help our local community, with food deliveries, checks on elderly neighbours and the like.

Finally, the work that I – and the readers of this blog – do, is, while obviously less important and critical than that of my wife and others on the front line of this crisis, still relevant. My wife spent several hours at work creating an online survey to help work out which of her charity’s staff and volunteers could be deployed to what services. Without the staff who run that service, she would be without that capability. Online banking will continue to be important. Critical national infrastructure like power and water need to be kept going; logistics services for food delivery are vital; messaging and conferencing services will provide important means for communication; gaming, broadcast and online entertainment services will keep those who are in isolation occupied; and, at the very least, we need to keep businesses going so that when things recover, we can get the economy going again. That, and there are going to be lots of charities, businesses and schools who need the services that we provide right now.

So, my message today is: keep going, but do so with a sense of perspective. And be ready to use your skills to help out. Keep safe.

9 tips for new home workers

Many workers are finding that they are working from home for the first time.

I wrote an article a few months ago which turned out to be my most popular ever, called My 7 rules for remote work sanity (it’s also available in Japanese). It was designed for people who are planning to work remotely – typically from home, but not necessarily – as a matter of course. With the spread of coronavirus (Covid-19), many workers are finding that they are working from home for the first time, as companies – and in some cases, governments – close offices and require different practices from workers. Alternatively, it may be that you suddenly find that schools are closed or a relative becomes ill, and you need to stay at home to be with them or care for them. If you are one of those people – or work with any of them – then this post is aimed at you. In it, you’ll find some basic tips for how to work from home if it’s not something you’re used to doing.

1 Gather

In order to work from home, you may need to gather some infrastructure pieces to take home with you. For many of us, that’s going to be a laptop, but if there are other pieces of hardware, then make sure you’re ready to bring them home. If you don’t have a laptop normally, then find out what the rules are for using your own devices, and whether they have been changed to account for the period when you’ll be working from home. Download and install what you need to do – remember that there are open source alternatives to many of the apps that you may typically be using in the office, and which may provide you with a sufficient (or better!) user experience if you don’t have access to all of your standard software.

2 Prepare

What else do you need to do to make sure everything will work, and you will have as little stress as possible? Making sure that you can connect to work email and VPN may be important, but what about phones? If you have a work-issued phone, and it’s the standard way for colleagues or customers to contact you, then you may be OK, as long as you have sufficient coverage, but you may want to look at VoIP (Voice over IP) alternatives with your employer. If you have to use your own phone – mobile or landline – then work out how you will expense this and with whom you will share this information.

3 Agree

If you have been told that you may (or must) work from home by your employer, then it is likely that they will be providing guidance as to what your availability should be, how to contact colleagues, etc.: make sure that any guidelines are plausible for you, and ask for clarity wherever possible. If you are having to work from home because of family commitments, then it’s even more important to work out the details with your employer. Rules to support this sort of situation vary from country to country, and your employer will hopefully be aware that their best chance of maintaining good output and commitment from you is to work with you, but if you don’t come to an agreement up front, you may be in for a shock, so preparatory work is a must.

4 Educate

Just because your employer has agreed that you should work from home, and has agreed what your work-time should look like, it doesn’t mean that your boss and colleagues will necessarily understand how this change in your working life will impact on how they relate to you, contact you or otherwise interact with you. Let them know that you are still around, but that there may be differences in how best to reach you, when you are available, and what tasks you are able to perform. This is a courtesy for them, and protection for you!

5 Video-conference

If you can, use video-conferences for meetings with colleagues, customers, partners and the rest. Yes, it means that you need to change out of your pyjamas, brush your hair, get at least partly dressed (see some of the tips from my semi-jokey seasonal post The Twelve Days of Work-life Balance) and be generally presentable, but the impact of being able to see your colleagues, and their being able to see you, should not be underestimated. It can help them and you to feel that you are still connected, and make a significant positive impact on teamwork.

6 Protect

During the time that you are working from home, you need, if at all possible, to protect the workspace you will be using, and the time when you will be working, from encroachments by other tasks and other people. This can be very difficult when you are living in a small space with other people, and may be close to impossible when you are having to look after small children, but even if it is just room for your laptop and phone, or an agreement that the children will only come to you between television programmes, any steps that you can take to protect your time and space are worth enforcing. If you need to make exceptions, be clear to yourself and others that these are exceptions, and try to manage them as that, rather than allowing a slow spiral to un-managed chaos[1].

7 Slow down

One of the classic problems with working from home for the first time is that everything becomes a blur, and you find yourself working crazily hard to try to prove to yourself and others that you aren’t slacking. Remember that in the office, you probably stop for tea or coffee, wander over to see colleagues for a chat – not just work-related – and sit down for a quiet lunch. Take time to do something similar when you’re working from home, and if you’re having video-conferences with colleagues, try to set some of the time on the call aside for non-work related conversations: if you are used to these sorts of conversations normally, and are missing them due to working at home, you need to consider whether there may be an impact on your emotional or mental health.

8 Exercise

Get up from where you are working, and go outside if you can. Walk around the room, get a drink of water – whatever it is you do, don’t stay sat down in front of a computer all day. It’s not just the exercise that you need – though it will be beneficial – but a slight change of scene to guard against the feeling that you are chained to your work, even when at home.

9 Stop

Another common pitfall for people who work from home is that they never stop. Once you allow your work into your home, the compartmentalisation of the two environments that most of us manage (most of the time, hopefully) can fall away, and it’s very easy just to “pop back to the computer for a couple of emails” after supper, only to find yourself working away at a complex spreadsheet some two and a half hours later. Compartmentalising is a key skill when working from home, and one to put into your daily routine as much as possible.

Finally…

It’s likely that you won’t manage to keep to all of the above, at least not all of the time. That’s fine: don’t beat yourself up about it, and try to start each day afresh, with plans to abide by as many of the behaviours above as you can manage. When things don’t work, accept that, plan to improve or mitigate them next time, and move on. Remember: it is in your employer’s best interests that you work as sensibly and sustainably as possible, so looking after yourself and setting up routines and repeatable practices that keep you well and productive is good for everybody.


1 – I know this sounds impossible with small kids – believe me, I’ve been there on occasion. Do your best, and, again ensure that your colleagues (and manager!) understand any constraints you have.

Not quantum-safe, not tamper-proof, not secure

Let’s make security “marketing-proof”. Or … maybe not.

If there’s one difference that you can use to spot someone who takes security seriously, it’s this: they don’t make absolute statements about security. I’m going to be a bit contentious here, and I’m sorry if it upsets some people who do take security seriously, but I’m of the very strong opinion that we should never, ever say that something is “completely secure”, “hack-proof” or even just “secured”. I wrote a few weeks ago about lazy journalism, but it pains me even more to see or hear people who really should know better using such absolutes. There is no “secure”, and I’d love to think that one day I can stop having to say this, but it comes up again and again.

We, as a community, need to be careful about the words and phrases that we use, because it’s difficult enough to educate the rest of the world about what we do without allowing non-practitioners to believe that we (or they) can take a system or component and make it so safe that it cannot be compromised or go wrong. There are two particular bug-bears that are getting to me at the moment – and that’s before I even start on the one which rules them all, “zero-trust”, which makes my skin crawl and my hackles rise whenever I hear it used[1] – and they are (as you may have already guessed from the title of this article):

  • quantum-proof
  • tamper-proof

I’ll start with the latter, because it’s more clear cut (and easier to explain). Some systems – typically hardware systems – are deployed in environments where bad people might mess with them. This, in the trade, is called “tampering”, and it has a slightly different usage from the normal meaning, in that it tends to imply that the damage done to a system or component was done with the intention that the damage didn’t necessarily stop its normal operation, but did alter it in such a way that the attacker could gain some advantage (often, but not always, snooping on activities being performed). This may have been the intention, but it may be that the damage did actually stop or at least effect normal operation, whether or not the attacker gained the advantage they were attempting. The problem with saying that any system is tamper-proof is that it clearly isn’t, particularly if you accept the second part of the definition, but even, possibly if you don’t. And it’s pretty much impossible to be sure, for the same reason that the adage that “any fool can create a cryptographic protocol that he/she can’t break” is true: you can’t assess the skills and abilities of all future attackers of your system. The best you can do is make it tamper-evident: put such controls in place that it should be clear if someone tries to tamper with the system[3].

“Quantum-safe” is another such phrase. It refers to cryptographic protocols or primitives which are designed to be resistant to attacks by quantum computers. The phrase “quantum-proof” is also used, and the problem with both of these terms is that, since nobody has yet completed a quantum computer of sufficient complexity even to be try, we can’t be sure. Even once they do, we probably won’t be sure, as people will probably come up with new and improved ways of using them to attack the protocols and primitives we’ve been describing. And what’s annoying is that the key to what we should be saying is actually in the description I gave: they are meant to be resistant to such attacks. “Quantum-resistant” is a much more descriptive and accurate phrase[5], so why not use it?

The simple answer to that question, and to the question of why people use phrases like “tamper-proof” and “secure” is that it makes better marketing copy. Ill-informed customers are more likely to buy something which is “safe” or which is “proof” against something, rather than evidencing it, or being resistant to it. Well, our part of our jobs as security professionals is to try to educate those customers, and make them less ill-informed[6]. Let’s make security “marketing-proof”. Or … maybe not.


1 – so much so that I’m actually writing a book at it[2].

2 – not just the concept of “zero-trust”, but about trust in general.

3 – sometimes, the tamper-evidence is actually intentionally destroying the capabilities a system so that you can be pretty sure that the attacker wasn’t able to make it do things it wasn’t supposed to[4].

4 – which is pretty cool, though it does mean that you can’t make it do the things it was supposed to either, of course.

5 – well, I’m assuming that most of such mechanisms are resistant, of course…

6 – I fully accept that “better-informed” would be better choice of phrase here.

Demonising children (with help from law enforcement)

Let’s just not teach children to read: we’ll definitely be safe then.

Oh, dear: it’s happened again. Ill-informed law enforcement folks are demonising people for getting interested in security. As The Register reports, West Midlands police in the UK have put out a poster aimed at teachers, parents and guardians which advises them to get in touch if they find any of the following on a child’s computer:

  • Tor browser
  • Virtual machines
  • Kali Linux
  • Wifi Pineapple
  • Discord
  • Metasploit

“If you see any of these on their computer, or have a child you think is hacking, please let us know so we can give advice and engage them into positive diversions.”

Leaving aside the grammar of that sentence, let’s have a look at those tools. Actually, first, let’s address the use of the word “hacking”. It’s not the first time that I’ve had a go at misuse of this word, but on the whole, I think that we’ve lost the battle in popular media to allow us to keep the positive use of the term. In this context, however, if I ask a teenager or young person who’s in possession of a few of the above if they’re hacking, they answer will probably be “yes”, which is good. And not because they’re doing dodgy stuff – cracking – but because they’re got into the culture of a community where hacking is still a positive word: it means trying stuff out, messing around and coding. This is a world I – and the vast majority of my colleagues – inhabit and work in on a day-to-day basis.

So – those tools. Tor, as they point out, can be used to access the dark web. More likely, it’s being used by a savvy teenager to hide their access to embarrassing material. VMs can apparently be used to hide OSes such as Kali Linux. Well, yes, but “hide”? And there is a huge number of other, positive and creative uses to which VMs are put every day.

Oh, and Kali Linux is an OS “often used for hacking”. Let’s pull that statement apart. It could mean:

  1. many uses of Kali Linux are for illegal or unethical activities;
  2. many illegal or unethical activities use Kali Linux.

In the same way that you might say “knives are often used for violent attacks”, such phrasing is downright misleading, because you know (and any well-informed law-enforcement officer should know) that 2 is more true than 1.

Next is Wifi Pineapple: this is maybe a little more borderline. Although there are legitimate uses for one of these, I can see that they might raise some eyebrows if you starting going around your local area with one.

Metasploit: well, it’s the tool to get to know if you want to get involved in security. There are so many things you can do with it – like Kali Linux – that are positive, including improving your own security, learning how to protect your systems and adopting good coding practice. If I wanted to get an interested party knowledgeable about how computers really work, how security is so often poor, and how to design better, more secure systems, Metasploit would be the tool I’d point them at.

You may have noticed that I left one out: Discord. Dear, oh dear, oh dear. Discord is, first and foremost, a free gaming chat server. If a child is using Discord, they’re probably playing – wait for it – a computer game.

This poster isn’t just depressing – it’s short-sighted, and misleading. It’s going to get children mislabelled and put upon by people who don’t know better, and assume that information put out by their local police service will be helpful and straightforward. It’s all very well for West Midlands police to state that “[t]he software mentioned is legal and, in the vast majority of cases is used legitimately, giving great benefit to those interested in developing their digital skills”, and that they’re trying to encourage those with parental responsibility to “start up a conversation”, but this is just crass.

I have two children, both around teenage age. I can tell you know that any conversation starting with “what’s that on your computer? It’s a hacking tool! Are you involved in something you shouldn’t be?” is not going to end well, and it’s not going to end well for a number of reasons, including:

  • it makes me look like an idiot, particularly if what I’m reacting to is something completely innocuous like Discord;
  • you’re not treating the young person with any level of respect;
  • it’s a negative starting point of engagement, which means that they’ll go into combative, denial mode;
  • it will make them feel that I suspect them of something, leading them to be more secretive from now on.

And, do you know what? I don’t blame them: if someone said something like that to me, that would be precisely my reaction, too. What’s the alternative suggested in the poster? Oh, yes: contact the police. That’s going to go well: “I saw this on your computer, and I got in touch with the police, and they suggested I have chat with you…” Young people love that sort of conversation, too. Oh, and exactly how sure are you that the police haven’t taken the details of the child and put them on a list somewhere? Yes, I’m exactly that sure, as well.

Now, don’t get me wrong: there are tools out there that are dangerous and can be misused, and some of them will be. By teenagers, children and young adults. People of this age aren’t always good at making choices, and they’re sensitive to peer pressure, and they will make mistakes. But this is not the way to go about addressing this. We need to build trust, treat young people with respect, discuss choices, while encouraging careful research and learning. Hacking – the good type – can lead to great opportunities.

Alternatively, we can start constraining these budding security professionals early, and stop them in their tracks by refusing to let them use the Internet. Or phone. Or computers. Or read books. Actually, let’s start there. Let’s just not teach children to read: we’ll definitely be safe then (and there’s no way they’ll teach themselves, resent our control and turn against us: oh, no).

Isolationism – not a 4 letter word (in the cloud)

Things are looking up if you’re interested in protecting your workloads.

In the world of international relations, economics and fiscal policy, isolationism doesn’t have a great reputation. I could go on, I suppose, if I did some research, but this is a security blog[1], and international relations, fascinating area of study though it is, isn’t my area of expertise: what I’d like to do is borrow the word and apply it to a different field: computing, and specifically cloud computing.

In computing, isolation is a set of techniques to protect a process, application or component from another (or a set of the former from a set of the latter). This is pretty much always a good thing – you don’t want another process interfering with the correct workings of your one, whether that’s by design (it’s malicious) or in error (because it’s badly designed or implemented). Isolationism, therefore, however unpopular it may be on the world stage, is a policy that you generally want to adopt for your applications, wherever they’re running.

This is particularly important in the “cloud”. Cloud computing is where you run your applications or processes on shared infrastructure. If you own that infrastructure, then you might call that a “private cloud”, and infrastructure owned by other people a “public cloud”, but when people say “cloud” on its own, they generally mean public clouds, such as those operated by Amazon, Microsoft, IBM, Alibaba or others.

There’s a useful adage around cloud computing: “Remember that the cloud is just somebody else’s computer”. In other words, it’s still just hardware and software running somewhere, it’s just not being run by you. Another important thing to remember about cloud computing is that when you run your applications – let’s call them “workloads” from here on in – on somebody else’s cloud (computer), they’re unlikely to be running on their own. They’re likely to be running on the same physical hardware as workloads from other users (or “tenants”) of that provider’s services. These two realisations – that your workload is on somebody else’s computer, and that it’s sharing that computer with workloads from other people – is where isolation comes into the picture.

Workload from workload isolation

Let’s start with the sharing problem. You want to ensure that your workloads run as you expect them to do, which means that you don’t want other workloads impacting on how yours run. You want them to be protected from interference, and that’s where isolation comes in. A workload running in a Linux container or a Virtual Machine (VM) is isolated from other workloads by hardware and/or software controls, which try to ensure (generally very successfully!) that your workload receives the amount of computing time it should have, that it can send and receive network packets, write to storage and the rest without interruption from another workload. Equally important, the confidentiality and integrity of its resources should be protected, so that another workload can’t look into its memory and/or change it.

The means to do this are well known and fairly mature, and the building blocks of containers and VMs, for instance, are augmented by software like KVM or Xen (both open source hypervisors) or like SELinux (an open source capabilities management framework). The cloud service providers are definitely keen to ensure that you get a fair allocation of resources and that they are protected from the workloads of other tenants, so providing workload from workload isolation is in their best interests.

Host from workload isolation

Next is isolating the host from the workload. Cloud service providers absolutely do not want workloads “breaking out” of their isolation and doing bad things – again, whether by accident or design. If one of a cloud service provider’s host machines is compromised by a workload, not only can that workload possibly impact other workloads on that host, but also the host itself, other hosts and the more general infrastructure that allows the cloud service provider to run workloads for their tenants and, in the final analysis, make money.

Luckily, again, there are well-known and mature ways to provide host from workload isolation using many of the same tools noted above. As with workload from workload isolation, cloud service providers absolutely do not want their own infrastructure compromised, so they are, of course, going to make sure that this is well implemented.

Workload from host isolation

Workload from host isolation is more tricky. A lot more tricky. This is protecting your workload from the cloud service provider, who controls the computer – the host – on which your workload is running. The way that workloads run – execute – is such that such isolation is almost impossible with standard techniques (containers, VMs, etc.) on their own, so providing ways to ensure and prove that the cloud service provider – or their sysadmins, or any compromised hosts on their network – cannot interfere with your workload is difficult.

You might expect me to say that providing this sort of isolation is something that cloud service providers don’t care about, as they feel that their tenants should trust them to run their workloads and just get on with it. Until sometime last year, that might have been my view, but it turns out to be wrong. Cloud service providers care about protecting your workloads from the host because it allows them to make more money. Currently, there are lots of workloads which are considered too sensitive to be run on public clouds – think financial, health, government, legal, … – often due to industry regulation. If cloud service providers could provide sufficient isolation of workloads from the host to convince tenants – and industry regulators – that such workloads can be safely run in the public cloud, then they get more business. And they can probably charge more for these protections as well! That doesn’t mean that isolating your workloads from their hosts is easy, though.

There is good news, however, for both cloud service providers and their teants, which is that there’s a new set of hardware techniques called TEEs – Trusted Execution Environments – which can provide exactly this sort of protection[2]. This is rapidly maturing technology, and TEEs are not easy to use – in that it can not only be difficult to run your workload in a TEE, but also to ensure that it’s running in a TEE – but when done right, they do provide the sorts of isolation from the host that a workload wants in order to maintain its integrity and confidentiality[3].

There are a number of projects looking to make using TEEs easier – I’d point to Enarx in particular – and even an industry consortium to promote open TEE adoption, the Confidential Computing Consortium. Things are looking up if you’re interested in protecting your workloads, and the cloud service providers are on board, too.


1 – sorry if you came here expecting something different, but do stick around and have a read: hopefully there’s something of interest.

2 – the best known are Intel’s SGX and AMD’s SEV.

3 – availability – ensuring that it runs fairly – is more difficult, but as this is a property that is also generally in the cloud service provider’s best interest, and something that can can control, it’s not generally too much of a concern[4].

4 – yes, there are definitely times when it is, but that’s a story for another article.