1. Exquisite Tweets from @musalbas

    Collected by Preoccupations

    Can businesses trust the advice of the new National Cyber Security Centre given it's part of GCHQ, which stockpiles unfixed vulnerabilities?


    musalbas

    Mustafa Al-Bassam

    I've said from day one that there is a huge conflict of interest from the UK's National Cyber Security Centre (NCSC) being a part of GCHQ. They released this vulnerabilities equities process today, where NCSC-found vulnerabilities may be retained. 1/ ncsc.gov.uk/blog-post/equi…


    musalbas

    Mustafa Al-Bassam

    The problem is that the NCSC is tasked with communicating and coordinating with UK companies to ensure that they're secure, whereas GCHQ's job is to gather intelligence on targets by, for example, using hoarded exploits. 2/


    musalbas

    Mustafa Al-Bassam

    Some of the hacking targets of the Five Eyes intelligence community have been, for example, international technology companies (e.g. network equipment companies in China or Belgacom in Belgium), some of whom may have UK-based operations. 3/


    musalbas

    Mustafa Al-Bassam

    Given NCSC is part of GCHQ, why should international technology companies with operations in the UK coordinate with the NCSC on matters of information security, if they know that the intel they provide might be shared with GCHQ so that it can be used to hack them? 4/


    musalbas

    Mustafa Al-Bassam

    Example: NCSC researchers find a vulnerability in some software, which they let GCHQ retain due to the vuln equities process. NCSC also knows that some company that GCHQ is interested in hacking uses said software, because said company shared information with NCSC in the past. 5/


    musalbas

    Mustafa Al-Bassam

    Because of this, there's a clear incentive for international companies to share as little information as possible with the NCSC, because they might share it with GCHQ, who we know has a track record in hacking technology companies to "Master the Internet". 6/


    musalbas

    Mustafa Al-Bassam

    Anyway, it would be nice to have at least one taxpayer-funded organisation that pays researchers to find and help fix vulnerabilities for a change, instead of using them to hack people, instead of just leaving it to private companies like Google's Project Zero with cash to spare. 7/


    musalbas

    Mustafa Al-Bassam

    Everyone has a vested interest in the security of open source projects and software that the public uses. So I'm not really comfortable with public money being used to hoard exploits, when it could be put to good use i.e. by auditing poorly funded open source projects. 8/


    musalbas

    Mustafa Al-Bassam

    The Royal Society also thinks that NCSC's arrangement with GCHQ is "unlikely to be ideal in the longer term". royalsociety.org/topics-policy/… 9/


    musalbas

    Mustafa Al-Bassam