Skip to content

Quantum Safe Cryptography and Security

The current state-of-the-art cryptographic principles use well-studied methods that have been relied upon for more than 20 years. Amongst cryptographic experts, well-studied, proven and mature techniques are the most preferred for security reasons. However, such techniques were not designed to resist quantum attacks, because at the time of their invention, research into quantum computation was obscure and unknown to most cryptographic practitioners. New cryptographic techniques have emerged in recent decades that do provide protection against quantum threats. These techniques are termed “quantum safe” and consist of both techniques based on quantum properties of light that prevent interception of messages, as well as classic computational techniques, all of which were designed to resist quantum attacks emerging from the rapidly accelerating research field of quantum computation


Security controls that are known to be highly vulnerable to quantum attack, and can be easily broken by a quantum computer, include:

1. Any cryptosystem that is built on top of the mathematical complexities of Integer Factoring and Discrete Logarithms. This includes RSA, DSA, DH, ECDH, ECDSA and other variants of these ciphers. It is important to point out that almost all public key cryptography in fielded security products and protocols today use these types of ciphers.

2. Any security protocols that derive security from the above public key ciphers.

3. Any products or security systems that derive security from the above protocols. Controls that are known to be somewhat vulnerable to quantum attack, but can be easily repaired include symmetric key algorithms like AES that can be broken faster by a quantum computer running Grover’s algorithm than by a classical computer. However, a quantum computer can be made to work just as hard as a conventional computer by doubling the cipher’s key length. This is to say that AES-128 is as difficult for a classical computer to break as AES-256 would be for a quantum computer.


AES is considered quantum-safe because the cipher can adapt to a quantum attack by increasing its key size to rectify a vulnerability introduced by quantum computing.


Ciphers like RSA and ECC are not quantum safe because they are not able to adapt by increasing their key sizes to outpace the rate of development of quantum computing. In order to attack a 3072-bit RSA key, for instance, a quantum computer must have a few thousand logical qubits. In general, the number of logical qubits needed scales in a linear fashion with the bit length of the RSA key. When such a quantum computer becomes available, moving to a larger RSA key size would thwart a quantum attack until a larger quantum computer is invented. However, doubling the size of an RSA or ECC key increases Quantum Safe Cryptography and Security 14 the running time of the cipher on a conventional computer by a factor of 8. That means that if the size of keys that a quantum computer can attack doubles every two years, then the running time of keys on a conventional computer increases by a factor of 8 every two years, outstripping Moore’s Law and rapidly becoming impractical both in terms of speed and in terms of channel size, i.e. the required bandwidth to transmit the key information.


Read the cautions on AES written by Schneier.  Schneier did increase the number of rounds to make AES safe, but that made it far too slow to use.  AES should never have qualified.

AES using CBC (Cipher Blocks) can be broken.  Any version of AES using CBC has been broken – using the Beast or Lucky 13 attacks.

The only form of AES not broken is GCM (Galois Counter Method), which requires specific dedicated hardware, and is not deployed in software versions of AES – they’re all the broken CBC type.



How to steal passwords from web browsers – Windows 10 & Windows 7

Sometimes, you’ll forget your password to a site.  In that situation WebBrowserPassView will find those forgotten passwords.  Alas, its dangerous in that it will detect your Paypal login ID and password too.  Use this tool with care.  Don’t put in on a USB and install it on a girlfriends laptop – as that’s called stalking.  Stalking is being weird, so don’t go there.

Step 1 – Download WebBrowserPassView

The tool works fine on Windows 10.  You may find that it’s detected as a Virus or dangerous tool and you’ll have to make an exception for it.

Step 2 – Install it and away she goes

The app will launch revealing all your forgotten login ID and passwords.


Step 3 – Reused passwords.

At a guess, you’ll find that you’ve been reusing the same 3 passwords on various accounts.

That’s a no no.

Step 4 – Download and Install Browsing History View


Select the number of days to filter by… here I’ve selected only 3 days.


And the results… are all the sites that my browser has seen over the last 3 days.  Here you can see the screenshots taken for blog articles published this week.



Screenshots created for articles.


Use these tools wisely, and only on your own laptop.

Finding out someones paypal login ID and password is hacking.   Even if you’re using this data for a divorce, remember that you’ll need to admit to what you’re doing, and there will be no happy endings.

Code Breaking Methods – Cryptology – Cryptanalysis = Code breaking

The code breakers of Bletchley Park were actually cryptanalysts, who are code breakers.  Cryptanalysis is the study of analyzing information systems in order to study the hidden aspects of the systems. There are several way to find the blind spot in an encryption scheme.


Social Engineering

The easiest attack, is social engineering.  If you ever claim to be a “temp” and you need the password on an account reset, then the “helpless” temp is a good line of attack.

Brute Force

This is the most time consuming attack, as all possible combinations are tried until the right key is found. However, it is guaranteed to work, given enough time and computing resources.  The game of Brute Force, is that if you change your password every 28 days, then I have to crack it in 14 days to get 14 days access.  Privacy demands that I have to make my password able to withstand an attack, within 28 days, or until I change the password.


Length of password stops the brute Force attack.

It is easy to crack a 6 letter password,but far more difficult to crack a 10 letter password even with cloud computing.  You are recommended to use a 14 or 15 character password.

Of course it goes without saying that your password will use special characters, upper case and a number.  The reason is that this forces the attack to use all 95 keys on the keyboard, rather than 26 lower + 10 numbers.  A key comprised from 36 items is easier to crack that 95 characters.  Go for length rather than complexity to thwart a brute force attack.

Frequency Analysis

This is now old school, but of course is worthwhile being aware of.  The English language uses certain letters with a higher frequency and other letters hardly at all.  Consider the use of the letter E compared to how often you’ll see an X or a Z.  That’s frequency analysis at work.  Any self respecting ciphers will work to block frequency analysis.

Man in the Middle Attack.

Here the attacker acts as an “agent”, sat between both parties.  They each think they are communicating with the correct person, but a 3rd person is acting as a broker or middle man to their communication.

A Man in the middle is an eavesdropper.  He acts like a router.  Which is why the weak MD5 encryption used on Cisco routers is a major concern.  The ideal place for surveillance to take place is on the ISP’s router.  Think of the UK’s Snoopers Charter where the ISP has to store all your browsing history for 12 months.  The government is carrying out an Man in the Middle Attack via the router.


Its worthwhile noting that foreign governments have the expertise and motive to carry them out.  The Greek government was hacked by a 3rd party for several months.

Plain Text

If a plain text part of the message can be identified, it gives clues to the encryption keys.

In Bletchley Park, standard wartime messages such as  weather forecasts gave away known plain text, which helped identify the keys in use.


One Time Pad

The only encryption system that cannot be broken, is a one time pad.  This needs a list of random keys the same length or longer than the message.  The keys must never be reused.


Programming flaws

Side attacks using programming flaws are often used.

To start the key we need an IV or Initialisation Vector.   If the software reuses a small IV, then the encryption is easily broken.  Any system where the IV is not totally random will fail when the code breakers start working on it.  They will spot the patterns and reuse of the IV, and then be able to break the code.

Privacy demands that Cryptologists have the upper hand over Cryptanalysts.

Use the strongest encryption keys that you can.  Follow the EU ENISA advise to use RSA 4k at a minimum and move to RSA 16k as soon as software allows.  RSA 2048 is not safe to use.  Neither are the hashing programs for MD5 or SHA1.

But the greatest weaknesses will always be You.  Make sure you use 15 character passwords, use special characters in every password, and change your password often.

It’s a game of cat and mouse.  Long may Cryptologists rule.


CEH – Certified Ethical Hackers course.

National Cyber Security Academy to tackle shortage of experts – City Campus Newport


Newport City Campus will be home to the National Cyber Security Academy.

The University of South Wales (USW) and Welsh Government have joined forces to launch an innovative project to help address a shortage of cyber security skills and develop the next generation of cyber security experts

The pilot National Cyber Security Academy (NCSA), the first of its kind in Wales and a major UK initiative, is being set up at USW’s Newport City Campus, and will take its first students in October.

Also involving Welsh digital innovation company Innovation Point and major industry players – including Airbus, General Dynamics UK, Alert Logic, Information Assurance, QinetiQ, Silcox Information Security, Westgate Cyber, Wolfberry and the South Wales Cyber Security Cluster – the NCSA will work to close an expected skills gap in the cyber security sector. By 2019 it is forecast that an additional 4.5 million personnel will be needed worldwide.

The NCSA builds on plans for a £60m Newport Knowledge Quarter, which would see USW work in partnership with Coleg Gwent to build a new learning campus in the city’s riverbank area.

With funding support from the Welsh Government, the £500,000 pilot initiative involves a cohort of current USW Computer Forensics and Computer Security undergraduates. They will work on real-world projects set by NCSA partners, while also ‘flight testing’ the course to ensure it meets the latest cyber security challenges. It will develop as industry partners identify new challenges in the cyber security environment. If the pilot is successful, the University will quickly build up the student numbers through the delivery of a full-time dedicated degree programme in Applied Cyber Security.

Economy Minister Edwina Hart AM said:

“Cyber crime continues to pose a growing global security threat and there is a real demand for highly skilled cyber security experts to tackle this issue. South Wales is already a renowned centre for cyber security expertise and this initiative is designed to deliver the highly specialist skills required by businesses working in the sector.”

Airbus Defence and Space’s Andy Love, of Strategic Business Development, said: “There is an emerging eco system around cyber technology that is based in South Wales and Airbus is proud to be part of it. Our involvement with the course and the curriculum is an exciting opportunity for business and academia to influence the next generation of cyber security specialists.”

Professor Julie Lydon, Vice-Chancellor of the University of South Wales, said:

“Cyber security – along with terrorism, international military crises, and major accidents and natural disasters – is seen by the UK Government as one of the four major national security threats facing the country.

“Meanwhile – according to research by the Ponemon Institute – 39 major companies in the UK faced costs of between £630,000 and £16m in fighting cyber crime last year.

“Therefore, both government and business understand there is a growing need for graduates with hands-on skills that can fight cyber threats, and that there is a need to work together to address this challenge.

“That’s the demand that the NCSA will address. Putting students and industry together to come up with solutions to online problems.

“For industry, it offers direct access to a pool of graduates who have been trained to the highest standards and who have a clear understanding of cyber threats, while, for the students, it will maximise the opportunities for them to get a job when they leave USW.”

Scotland Yard charge Cardiff man with “training, researching” how to use crypto software – Ars technica

A Cardiff man who is a suspected member of ISIS has been accused of training in the use of encryption software to aid terrorism and hiding a computer program on a USB drive disguised as a cufflink.

Samata Ullah, 33, was charged with six terrorism offences after being arrested in a street in Cardiff on September 22 by officers from Scotland Yard’s counter-terrorism squad.

The charge sheet includes one count of preparation of terrorism “by researching an encryption programme, developing an encrypted version of his blog site, and publishing the instructions around the use of [the] programme on his blog site.”

Ullah is also accused of knowingly providing “instruction or training in the use of encryption programmes” in relation to “the commission or preparation of acts of terrorism or for assisting the commission or preparation by others of such acts.”

He has additionally been charged with being in possession of a “Universal Serial Bus (USB) cufflink that had an operating system loaded on to it for a purpose connected with the commission, preparation, or instigation of terrorism.”


oh dear.  All of the Forensics, Information Security, Computer Security and Cyber Security students are in big trouble.  We all study encryption, and probably all have programs on our USB drives.  I once owned a Duracell Battery styled USB pen, sorry.  My bad.

Then again, Google are now terrorists under this ruling.  And about time too.


Other articles discussing Scotland Yard’s Encryption charges

In the UK, running a blog over HTTPS is an act of terrorism, says Scotland Yard

While this adds significant nuance to the Ars article above, the primary point still stands as to count three: the criminal act was researching encryption, developing an encrypted version of a blog site (which describes publishing over HTTPS and a few other things), and teaching encryption. The intent of this criminal act was to aid and assist terrorism, but the criminal act was still researching, deploying, and teaching cryptography. This is a hugely important nuance – quoting a comment from user Withabeard on Reddit:

He hasn’t been charged for helping terrorists.

He has been charged for having an encrypted blog. The reason authorities have chosen to charge him, is because that blog may contain material that helps terrorists. The distinction is small, but it has a massive impact on how we apply laws in the UK.

Helping other people conduce killing of other humans is already illegal in the UK, so that is what he should be charged with if there is evidence he did it.

But he has literally been charged with “instruction or training in the use of encryption programmes”.

It shouldn’t matter what the encryption was going to be used for, no-one should ever be charged with doing that.


VPN Secure (Australia) – VPN Review

Today, we’ll look at an Australian VPN provider, and check out how safe they really are to use.  Selecting a privacy VPN is quite a task; and much research is needed.  Firstly we need a provider that does not log traffic, and has strong encryption.

VPN Secure (Australia)

VPN Secure Site

We need to consider privacy issues, such as does the VPN log our IP, then technical issues such as security and how easy is it to install.


Here we see how VPN Secure (Australia) perform.  They do not log your traffic, nor your DNS requests.  They do not timestamp your connection, bandwidth or IP Address – this is excellent for privacy.  If a server was seized, then the logs will reveal nothing.


 However the issue of DNS requests is not one we can glance over.  The VPN provider must act as your DNS server (not your ISP).  The last thing you want is BT acting as your DNS server – that way they can track every site you’ve visited.  You can test for DNS leaks on this site – test your VPN.




Next we consider in which countries they have servers.  The nearer the server the fast response you should get.  It’s also useful as in the UK we have the “Snoopers Charter”, therefore we might prefer to use an IP in France or the Netherlands.  The network speeds of the Netherlands are high – another reason to connect outside of the UK.

vpn speed.png

vpn secure speed#.png

If you wish to watch BBC iPlayer, then you will need to use a server based in the UK.

However if you are based in the UK, remember that the Snoopers Charter makes the ISP store all your browsing records for 12 months.  So use your ISP, to connect to the VPN, and then use the DNS server of the VPN provider (not your ISP).  vpn-secure-dns

Lastly – always use OpenVPN.  Always, without exception use OpenVPN.

VPN Secure offer a free trial.



VPN Secure Site

How to Crack SHA1 password hashes – online Crackstation – Visual guide

If you have a SHA1 hash, then you can use Crackstation online to crack the password.  Let me show you password cracking for real.

Step 1 – Calculate a SHA1 hash

Use the miracle salad website, to calculate your SHA1 hash

Enter “password” and the site will calculate the SHA1 hash.


Step 2 – Copy the hash


Step 3 – Crackstation online – Free Password Hash Cracker

Paste the hash into Crackstation online and enter the Captcha


The green colour shows the hash was instantly decrypted. This is why “password” and easy passwords such as “12356” are so dangerous.

Crackstation allows you to download their wordlist.  Be warned, the file sizes involved are loarge.


Step 4 – Download Crackstation dictionaries

CrackStation uses massive pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password, and the correct password for that hash. The hash values are indexed so that it is possible to quickly search the database for a given hash. If the hash is present in the database, the password can be recovered in a fraction of a second. This only works for “unsalted” hashes. For information on password hashing systems that are not vulnerable to pre-computed lookup tables, see our hashing security page.

Crackstation’s lookup tables were created by extracting every word from the Wikipedia databases and adding with every password list we could find. We also applied intelligent word mangling (brute force hybrid) to our wordlists to make them much more effective. For MD5 and SHA1 hashes, we have a 190GB, 15-billion-entry lookup table, and for other hashes, we have a 19GB 1.5-billion-entry lookup table.

You can download CrackStation’s dictionaries here, and the lookup table implementation (PHP and C) is available here.

As you can see, cracking password hashes is like a game of snap.  The hash is “looked up” and the plain text password is returned to you.

Background Info

CrackStation’s Password Cracking Dictionary

I am releasing CrackStation’s main password cracking dictionary (1,493,677,782 words, 15GB) for download.

What’s in the list?

The list contains every wordlist, dictionary, and password database leak that I could find on the internet (and I spent a LOT of time looking). It also contains every word in the Wikipedia databases (pages-articles, retrieved 2010, all languages) as well as lots of books from Project Gutenberg. It also includes the passwords from some low-profile database breaches that were being sold in the underground years ago.

The format of the list is a standard text file sorted in non-case-sensitive alphabetical order. Lines are separated with a newline “\n” character.

You can test the list without downloading it by giving SHA256 hashes to the free hash cracker or to @PlzCrack on twitter. Here’s a tool for computing hashes easily. Here are the results of cracking LinkedIn’s and eHarmony’s password hash leaks with the list.

The list is responsible for cracking about 30% of all hashes given to CrackStation’s free hash cracker, but that figure should be taken with a grain of salt because some people try hashes of really weak passwords just to test the service, and others try to crack their hashes with other online hash crackers before finding CrackStation. Using the list, we were able to crack 49.98% of one customer’s set of 373,000 human password hashes to motivate their move to a better salting scheme.

What hash algorithm should I use?

DO use:

DO NOT use:

  • Fast cryptographic hash functions such as MD5, SHA1, SHA256, SHA512, RipeMD, WHIRLPOOL, SHA3, etc.
  • Insecure versions of crypt ($1$, $2$, $2x$, $3$).
  • Any algorithm that you designed yourself. Only use technology that is in the public domain and has been well-tested by experienced cryptographers.

Even though there are no cryptographic attacks on MD5 or SHA1 that make their hashes easier to crack, they are old and are widely considered (somewhat incorrectly) to be inadequate for password storage. So I don’t recommend using them. An exception to this rule is PBKDF2, which is frequently implemented using SHA1 as the underlying hash function.


How to hash files using EXF hashing tool

Step 1 – download EXF hashing tool

Create an EXF directory


Download the file to the exf directory.


Step 2 – Install EXF

Extract the file in EXF directory (use PeaZip as an opensource zipping tool).

Run the console app

cd exf-exactfile-console-app


exf.exe – this will display command list syntax if you wish to explore further options.

Step 3 – hash a directory

Select a small test directory to hash, here I’ve selected c:\steampunk.

exf -md5sum -d c:\steampunk


Notice that it tells us “10 files are hashed”, alas there’s a typo and “successfully” has been mispelt.

Step 4 – Change directory to the hashed directory

cd c:\steampunk

dir /w

look for “TestFiles.exe”




EXF will then run and test that the file hashes are the same as stored in checksums.md5


So now you have confrmation that all the files in your directory have the same hash.

Remember the EU ENISA advice.

We use RSA 4k as a minimum, and 256 encryption.  Here we see that SHA512 is available.

Therefore go with the strongest hashing algorithm available in the software.

Other hashes are:


Step 5 – Multiple hashes of a single file

The MD5 hash is now consider unsafe.  Therefore we can default to using SHA1, SHA512 or even using MD5 alongside SHA1 and SHA512.  Even if an attack on an MD5 hash were successful, the SHA512 hash would not be affected.

Here we carry out 4 hashes on the readme.txt

exf -crc32 -sha1 -sha512 -md5 readme.txt


Notice how the output of the hashes are much longer for the secure hashes; in particular the SHA512 hash runs over the width of the command prompt.

exf -crc32 – sha1 -sha512 -md5 c:\steampunk\steampunk_1.jpg


All SHA hashes

exf -sha1 -sha256 -sha512 c:\steampunk\steampunk_1.jpg


Notice the increasing length of the hash.


How to create MD5 and SHA1 hashes and a hashing database of files or folders in Windows 7

Step 1 – Download the file hashing software (FCIV.exe) from Microsoft


Step 2 – Create a new C:\FCIV folder

Copy a picture over to this folder for easy testing.


Step 3 – Install FCIV to FCIV Folder


Browse to FCIV folder



Step 4 – Create both MD5 and SHA1 hashes

MD5 hashes are not longer considered safe, despite the fact that they have been widely used.  A female mathematician called Wang developed an attack, which has shown how to create an MD5 collision.  The safer option is to use a SHA1 hash along with an MD5 hash – together.  There is no known attack that can break  both hashing systems in unison.

The syntax for generating two hashes simultaneously is -both



Step 5 – Create MD5/SHA1 hashes of an entire directory

Next  we hash an entire directory  c:\steampunk

Syntax is:

fciv.exe c:\steampunk -both

All the files in the steampunk directory will be hashed in both MD5 and SHA1 for you.


Perhaps you’d like to hash your sysinternals directory.


fciv.exe c:\sysinternals -both




Step 6 – Display MD5 hashes of a file

Change into FCIV folder – we are going to select the first file to hash.  The default hash is MD5.  If you don’t select a hash, the MD5 hash will be generated for you.

MD5 Syntax

fciv.exe c:\steampunk\618284.png


SHA1 Syntax

fciv.exe c:\steampunk\618284.jpg -sha1


Both Hashes

fciv.exe c:\steampunk\618284.jpg -both


The 323d hash is in the MD5 format.


Step 7 – Microsoft Example syntax.

fciv.exe c:\mydir\myfile.dll
fciv.exe c:\ -r -exc exceptions.txt -sha1 -xml dbsha.xml
fciv.exe c:\mydir -type *.exe
fciv.exe c:\mydir -wp -both -xml db.xml

If you get the path wrong, you’ll get this error.

Remember it’s good to make mistakes – you’ll learn faster when you make an error.



Step 8 – Create a Hash Database

If you need to check the hashed files to ensure they have not changed, then create a hash database.  Here it’s called “db”.

fciv.exe c:\file -both -xml db

See the line “Create new XML database”.

fciv.exe c:\file -both -xml db

The hash is now stored in a database called db.


Add Sysinternals hashes

fciv.exe c:\sysinternals -both -xml db




Step 9 – List the hashes in your Hash database

Need to check the hashes of your database?

fciv.exe -list -xml db


Use notepad to open the file db to see your hash.


Now, you have generated hashes of a file, and added that hash to a database.

List your Sysinternals hashes

fciv -list -both -xml db




Step 10 – Hash another file

fciv.exe c:\steampunk\steampunk_1.jpg


Notice the hash starting 981 is MD5 and 9b3 is SHA1

Okay, now lets add the hash to the database and see what we get.


List out the database db.

fciv.exe -list -xml db

We can see that Steampunk_1 has been added, however only MD5 hashes are displayed.


Here’s how to display SHA1 hashes in the database in a cmd prompt


fciv -list -both -xml db


There we are.  Our database can now list both hashes for all files added to it.

This database provides our evidence of the original hash.

UK Government Says Smart Meters Can Definitely Be Trusted Because GCHQ Designed Their Security

For some years, I have advised everyone to *not* have a smart meter fitted.  Did you know that the UK is about to start suffering power shortages and brownouts, until new forms of power generation are online? Therefore with a smart meter fitted, it would allow the government to cut off power for say an hour or two, street by street.  It also allows the power company to cut off your electricity supply if you were late paying, or if they lost your payment. There is one further twist to the story, GCHQ are heavily invested in the design of smart meters, against their will. Yes, Privacy advocates and GCHQ agree on one thing – that Smart meters are not a good idea.  Yet, GCHQ are heavily involved in their design.  Now, why is that?  And the answer to that question, is the reason that smart meters are to be avoided.

The Inquirer Reported that:

INTELLIGENCE AGENCY GCHQ has intervened in the rollout of smart meters to demand better encryption to protect UK electricity and gas supplies.

GCHQ barged in after spooks cast their eyes over the plans and realised that power companies were proposing to use a single decryption key for communications from the 53 million smart meters that will eventually be installed in the UK.

The agency was concerned that the glaring security weakness could enable hackers, once they’d cracked the key, to gain access to the network and potentially wreak havoc by shutting down meters en masse, causing power surges across the network.

The security flaws would have been particularly catastrophic as the UK’s ‘Rolls Royce’ (i.e. unnecessarily expensive) smart metering system doesn’t just automate meter reading. It enables power companies to engage in power management and even to cut people off remotely if they haven’t paid their bills.

The UK’s smart metering system, which has only just started being rolled out years late, has been widely criticised.

So who is promoting the idea of smart meters?

The idea behind smart meters — that detailed information about how you consume electricity will allow you to use power more efficiently and thus cut your bills and your home’s carbon emissions — is a good one in theory. And yet smart meters are still not used very widely, even in countries like the UK, where the government has a strategy to install millions of them by 2020. Actually, the likely savings by users are small, but smart meters also promise to allow the electricity industry to lower salary costs by carrying out meter readings remotely, which is one reason why it is so keen on the idea. Another is because smart meters make it is easy to cut off someone’s supply if they don’t pay their bills.

The slow uptake of smart meters seems in part to be due to public concerns about security. People are worried that their smart meter will spy on them, sending back information to electricity companies that might be intercepted and used for targeted burglary when they are away. Similarly, there are fears that if the smart meter control system were compromised, domestic electricity supplies might be at risk on a large scale.

One of UK Parliament’s most important committees, the one monitoring science and technology, has just published a report into the UK smart meter roll-out, offering recommendations for ways to speed it up. Security is an issue it discusses, and one of the committee’s recommendations is as follows:

We recommend that the Government consider further how to communicate the level of thought that has gone into designing a secure system for smart metering

More about that “level of thought” is found in an appendix to the report, which contains the UK government’s evidence on this topic, including the following statement:

The Department of Energy and Climate Change (DECC) has worked with GCHQ since the very early design stage of the rollout, when the programme was initiated. The engagement with GCHQ has been one of partnership, issue discussion and resolution.

Helpfully, GCHQ has written a long and interesting description of its work on smart meters, and how it has tried to make UK smart meters resistant to attack. The post concludes:

We hope that this article has explained the thinking behind the design of the Smart Metering System. DECC, with support from GCHQ (part of which will be become the National Cyber Security Centre) has security right at the top of the list of things it cares about. Of course, no system is completely secure, and nothing is invulnerable. However, we’re confident that the Smart Metering System strikes the best balance between security and business needs, whilst meeting broader policy and national security objectives.

It’s interesting that the post mentions national security objectives. As Techdirt has reported, one of the worst features of the UK’s Investigatory Powers Bill that is currently wending it way through Parliament is that it creates a legal framework to allow GCHQ and the other intelligence agencies to hack into any kind of equipment in order to carry out surveillance. Of course, that’s really rather easy when you were the one who designed its security systems.


  1. You won’t save money.
  2. The data makes it easier for burglars and the state to target you.
  3. National states will be able to hack the smart meter and turn off your electricity.  This puts our national infrastructure at risk of cyber attack.
  4. Power companies will be able to disconnect your supply if there is a financial dispute.
  5. The state will be able to introduce rolling blackouts or restrict power supply.
  6. The security behind the smart meter, is a joke (to be blunt).  A single decryption key for 53 million homes, would have left the civilian infrastructure in a state of jeopardy.

Remember, GCHQ did not want smart meters, so who forced their hand?



%d bloggers like this: