Franklin Heath Ltd

Master Your Information Assets

  • Categories

  • Meta

Ideal Christmas Present* – Personalised Enigma Logo Mugs!

Posted by Craig H on 3 November 2015

Today we’ve launched a new web site, enigmamug.com, and an associated CafePress store. The idea is that you enter your name, or whatever other word(s) you might like on a mug, it creates a design in the style of the Enigma machine logo and you can then (if you like it!) buy a mug with that design from CafePress. We have other designs also in the store: Enigma machine pluboards, with or without the plugs and cables, which we think look pretty good wrapped around a mug.
Read the rest of this entry »

Posted in Amusement, Bletchley Park, Cryptography, Enigma | Leave a Comment »

Threats, Risks and Vulnerabilities – What do they Mean for Product Development?

Posted by Craig H on 14 October 2015

Recently we’ve taken on a client with immense experience of IT product development but not so much experience with computer security.  A report I am writing for them starts by defining terms, to avoid possible confusion; I thought I’d also write this article to discuss more generally why “threats”, “risks” and “vulnerabilities” deserve specific definitions in that context.
Read the rest of this entry »

Posted in Terminology | Tagged: , , | Leave a Comment »

Custom Page Sizes for Microsoft Print to PDF

Posted by Craig H on 29 August 2015

I don’t usually post Windows tips and tricks, but I thought this might be useful as I haven’t seen it mentioned anywhere else. Briefly, the Windows 10 Print to PDF support doesn’t allow custom page sizes as it comes, but there is a simple way to enable it.
Read the rest of this entry »

Posted in IT Tips | Tagged: , , | 13 Comments »

Imagine, 6 Tons of Punched Cards Every Week!

Posted by Craig H on 2 May 2015

An often neglected, but crucial, part of Bletchley Park’s work in World War II was the vast amount of data processing done using punched cards on Hollerith machines.  The department which did this was called the “Freebornery”, at first located in Hut 7 (since demolished) and later in Block C (recently restored as the new visitor centre).

There has been very little detail published on the day-to-day operations of the Freebornery, so I recently visited the National Archives and made a copy of a typewritten document they hold: “The Use of Hollerith Punched Card Equipment in Bletchley Park”.  With their kind permission, we are now publishing the text on our wiki for the benefit of researchers and other interested readers.
Read the rest of this entry »

Posted in Bletchley Park, Enigma | Tagged: , , , | Leave a Comment »

Turning the Tables on Utility Companies with the Data Protection Act

Posted by Craig H on 7 August 2014

A few years ago I gave talks at Open Tech and Over the Air, including some mobile security ideas that phone manufacturers were unlikely to implement. One of those ideas was what I called “notarised call recording”, being a way to hold utility companies to account for what they promise you in telephone calls.

I was listening to the BBC’s You and Yours radio programme yesterday (on my way to Bletchley Park, as it happens) and was delighted to hear some aggrieved customers using the UK Data Protection Act (DPA) to get their utility company to supply them with call recordings. The company in question has complied, including a recording which clearly proves that they did promise what they subsequently denied!
Read the rest of this entry »

Posted in Data Protection Act, Data Rights | Tagged: , | Leave a Comment »

Raspberry Pi Fishcam – The Secure Version

Posted by Craig H on 16 August 2013

Having proved the concept using netcat, we need to add access control and make it accessible via a discoverable external address. The design is essentially the same, running the video capture command on the Pi and routing the output stream over IP to a remote client, but we use ssh (Secure SHell) as the transport to add authentication and encryption.

The first thing to do before exposing your Pi to the outside world is: change the default password! With Raspbian, the default admin user name and password is “pi” and “raspberry”. You should change the password to something that’s not based on a name or word that could be found in a cracking dictionary; best would be a randomly generated password that you write down and keep with you, or you can use initial letters of words in a sentence you can remember but others can’t guess. For extra security you could change the name of the admin account too.
Read the rest of this entry »

Posted in Authentication, Cryptography, Open Source | Tagged: , | 6 Comments »

Raspberry Pi Fishcam

Posted by Craig H on 16 July 2013

I had security concerns over installing a wireless webcam to keep an eye on our goldfish. Such things are available cheaply off the shelf, typically manufactured in China, but I’m not willing to put a device of questionable provenance on our Intranet, especially not with a direct channel out to a server in China.

I started thinking about using a Raspberry Pi and Skype as an alternative solution. As (most of) the software would be open source, that way I would only have to trust Microsoft and the NSA not to interfere with the Skype server😉.

My Raspberry Pi camera module didn’t arrive until this week (the first production run sold out almost immediately back in May) and, unfortunately for the plan, Microsoft have turned off the ability to register a Skype developer account in the meantime😦. Read the rest of this entry »

Posted in Open Source, Risks | Tagged: , | 4 Comments »

Security Lessons from Bletchley Park and Enigma

Posted by Craig H on 29 May 2013

I had fun presenting at the DC4420 security meetup in London yesterday. The topic was “Security Lessons from Bletchley Park and Enigma” and the slides are now up on SlideShare.

We covered how the Enigma machine works, how Bletchley Park exploited German mistakes, and the five lessons I picked out were:

  1. Cryptosystems have subtle flaws
  2. Plan for key compromise
  3. Users pick poor passwords
  4. Pick a good RNG and trust it
  5. Don’t underestimate the enemy
  6. Read the rest of this entry »

Posted in Cryptography, Enigma | 6 Comments »

Visualising a Software Security Initiative

Posted by Craig H on 10 April 2013

Last month I was pleased to attend the BSIMM Europe Open Forum. BSIMM is a model for assessing software security activities within an organisation; I have been following it since its first release in 2009, and over the last several months I’ve been able to use it in earnest at Visa Europe.

For me, the most interesting discussion at the forum was on presenting BSIMM assessment results in a visually compelling way. The BSIMM document uses spider charts, which hide potentially valuable information about activities at lower maturity levels. Sammy Migues presented a format he uses at Cigital, called “equalizer diagrams”, which reveal that information but lack the comparison with a benchmark.

I decided to ask Louise (the other half of Franklin Heath) about this, as data visualisation is one of her principal skills. We’ve come up with something I like to call a “DIP switch diagram”, which I will explain in this post. Read the rest of this entry »

Posted in Software Security, Visualisations | 1 Comment »

The method behind the madness

Posted by Louise H on 8 December 2012

…The madness being a visualisation of Open University module results between 2007 and 2011.

OUAnalysisImage

For the last 18 months, I have been studying for a degree with the Open University. I’ve successfully completed the equivalent of the first year of full-time study – composed of 120 Level One points, split over modules in both Business and IT. The result of this is that I now have letters after my name – Cert Computing and IT, and Cert Bus Stud. (I especially like the latter). I am now studying two second Level modules in programming. And like many students, I am easily distracted by displacement activities.

Last week, someone posted a breakdown of 2011 results to one of the OU Facebook groups. This document contained percentage breakdowns of results by module codes, and straightaway some numbers caught my eye. For instance, why did only 29.9% of students complete module B190?

Curious, I loaded this pdf document into an excel spreadsheet to muck about with it some more. I quickly realised I needed some more context around this information. What was module B190? What level was it? How many credits did it provide?
Read the rest of this entry »

Posted in Data, Visualisations | Leave a Comment »