An enquiring teenager has turned into one of our top security experts. But the way the country is going has him worried. By Paul Fisher.
The surname says it all. Richard Brain, co-founder and technical director of independent specialist UK security organisation, ProCheckUp, is one clever guy. From the age of nine, he was into electronics and building radio transmitters. In his teens, he tried to patent a watch design that sensed the heartbeat of the wearer through the ohm resistance of the skin. It was for old people, he says.
If a pensioner's ticker stopped beating, the watch would send out an RF signal to the hospital. Unfortunately, the idea had already been patented. But still, how many other teenagers would even think about such a thing?
Brain did a degree in electronic engineering at Middlesex. He came top of his year, his spare time spent with circuit boards and chips at a defence contractor. We met in his football pitch of a boardroom at ProCheckUp's elegant Russell Square HQ.
“I was playing around with big boys' toys and helping to design them, but I also designed and built my own computers. Unlike nowadays, when you buy motherboards, I was designing my own circuit boards, microware and OS to go with my computers. In those days, things such as Pacman and Space Invaders were coming out on Atari. So I designed my own high-resolution colour video card, which made things such as Pacman and Space Invaders realistic on a home-built PC. You saw Space Invaders as it was in the arcades, and not as it was on the Atari home system,” he says.
You get the picture. Anyone can build a PC from components; Brain built the components. After he completed his degree, he quite naturally created his first company, Brain Software, abandoning a doctorate at Imperial College. It made add-on cards for Acorn's Archimedes home computer, which had launched in 1987. When this had run its course by the early 1990s – it became unprofitable, Brain says, due to draconian UK health and safety regulations around electronics manufacturing – he moved into computer consultancy.
“I was rolling out things such as Netware. I was one of the first Microsoft Certified System Engineers. I was one of the first master CMEs and I had about two or three masters at one particular time. So, for a couple of years, I was rolling out network infrastructure.
“Around 1995, people started to put on internet connections, thanks to Compuserve and America Online, and in about 1998 you got the first e-commerce sites. It was extremely primitive. I started to lock them down, because in the early days you had no firewalls. You didn't even have Windows firewalls,” he says.
All this makes Brain sound arrogant, but he doesn't come across as that in the flesh. When he lists his achievements, well, that's what it is: he did do these things, so he lists them. He is laid-back, a bit shy, even, but garrulous and enthusiastic when it comes to his work.
It became clear to Brain that there was a future in testing the vulnerability of websites – and 2000 brought the first proper paying customer for what was then called ProCheckNet. Nearly a decade later, he's coy about naming that first customer, save that it was then “the biggest website in the world”.
“It had 100,000 pages in those days. We tested every page and we found that 10 per cent or 15 per cent of those were vulnerable to attacks, such as SQL Injection or Cross-Site Scripting. From then on, we really took off,” he says.
The company name was changed to ProCheckUp in 2000. Brain reckons that the fledgling business was at least three years ahead of the competition. The common tool used then was WebInspect, he says, but it was in a manual, interactive form, where you had to bring up a web page and test the variables within it. “It didn't do automatic spidering, and it wasn't particularly intelligent. That sort of stuff only came about 2004. We had it in 2000.”
Fast-forward to the present and the business is affected by the crunch, like everyone else. Thankfully for him, it's clients more than ProCheckUp doing the suffering. It used to have three of the top four UK acquiring banks as clients.
“One of them went bust, which isn't great. It was taken over by somebody else. Hopefully, we'll be okay. We have a couple of airlines, which is another problem area. And entertainment companies, people who sell music, one of the top three online companies – I can't tell you who it is,” he says.
Confidentiality constraints mean he can't name a lot of his clients, which must be a source of frustration and make marketing a challenge – although the website mentions a clutch: insurers esure and CPP, EuropeArabBank and onlinegolf.com. “The thing is, it's just ethics, really. Sometimes, you might have situations like, forgive me, a bit like – prostitution. Nobody really wants to talk about it,” he says.
His comparison is a little clumsy, but you get the idea. Mind you, even with this level of promised discretion, some just don't get the message, it seems.
“We've told a couple of our big clients they've got security vulnerabilities, but because of budgetary constraints, they haven't fixed the websites yet. They'll pay us £5,000 or £10,000 to test their main website, but it will cost them £10,000 to fix that website.
“We know a couple of customers – even really, really big banks or e-commerce sites – where everything comes down to a constrained budget. A couple of times they know they've got vulnerabilities on their website and yet they can't afford to do it until a year later, when they get the next budget to fix the website,” he says.
Which, when you think about it, is amazing: they leave it a whole year. So why don't these big corporations just do the testing for themselves and save yet more money? “It all comes down to budget. Even a lot of the big banks can't afford to hire expert people in-house anymore, so they sub-contract. And they then have to trust that the external company is doing a decent job. The trouble is, the external company is just trying to make as much money as possible. You then have to make sure, by checks and balances, that it is doing the job properly. Unfortunately, the team meant to be doing that doesn't have the expertise. It got rid of the ones who did in the last performance review,” he says.
The conversation moves on to every penetration tester's favourite subject: the 1990 Computer Misuse Act. Brain rolls his eyes to heaven: “Oh joy, yes.” He has obviously got something to say about it. Has it made the business harder?
“What's the definition of a hacking tool? Is the actual programming language that's used in a lot of these hacking scripts a hacking tool? It all comes down to intent behind the tool. Nmap (a freely available scanner) may have been created innocently, but is it used for administrators to lock down their firewalls, or is it used by hackers to hack insecure administrators?
“Things are now more complex. In the UK, the police can hack criminals' PCs without getting a court order. You've heard of that? That's a recent thing. Now, there's legislation enabling the government to put wiretaps on internet connection points,” he adds.
Brain says a similar operation by the US National Security Agency in 2005 was exposed by the Electronic Frontier Foundation (and reported by the New York Times). The NSA had internet wiretaps at AT&T hub centres where other providers connected to the AT&T internet points. These computers, he says, then tapped the internet for email, VoIP calls and everything else.
This talk of governmental nefariousness gives the conversation an interesting turn. Suddenly, we are having a history lesson. Richard Brain becomes very passionate indeed. A different side to the shy techie emerges and one that could only come from someone with intimate knowledge of how easy it is to hack into other people's systems.
“The Government is trying to do that with the UK, but in a cost-cutting way. All emails have to be saved for a year, as do browser trails. Unfortunately, there's a problem. About 80 per cent of email is actually spam these days,” he says.
“If we had to store each spam or each email, we'd run out of storage rapidly. Ten or 12 times a day I get these huge emails, ten or 20 megabytes, and they're rubbish, they're garbage. If the ISPs had to record and store all emails sent to them, then all they'd be doing is having a great store of anti-spyware and anti-spam. The actual emails that the police want will be deluged in there,” he says.
Given that this law is potentially another ill-thought-out mess, isn't there a case for a government minister or a department – or someone who actually knows what they're talking about – to be advising the Government, or actually in the Government?
“You should have an independent judge, not a politically assigned judge. A judge who came from the ground up and is known for their independence, to actually say to the police, ‘yes, I can see there's a risk in this person to other people; they might harm other people, therefore I'm going to allow you to hack into their computer, or put a wiretap onto their internet connection’.
“Instead of concentrating on the people you should be worried about, you breach everybody's civil rights. If you give police powers to hack people's PCs, would they always use that for the public good? From the creators of the English judicial system, the Magna Carta, through Charles I's and Cromwell's time to now, the judiciary was always meant to overrule the kings and the princes, and eventually everyone was protected by an independent judiciary against the police.”
Like most of us, Brain says he would prefer that everything he sends and talks about on the internet would remain private, “unless it affects anybody else in a negative manner”. And even then, he would expect an independent person to ask if what he was doing was enough of a risk to warrant surveillance.
“A lot of the MPs do not actually understand their constitutional rights any more, and a lot of English people do not understand their constitutional rights. And if you don't understand your constitutional rights, you lose it,” he says.
He goes on to paint a pretty convincing picture of a nation turning into a fearful surveillance society – councils using anti-terror laws to bully citizens into recycling properly, using cameras to check whether parents are “cheating” the schools' postcode lottery.
Yes, but what if someone said that these people doing these things are hurting other members of society? That they're getting one over by putting their kids in schools they shouldn't be in. That they're filling up their neighbours' bins, dropping litter, all those things. Why not use those powers? I get my answer.
“You cannot use a law that wasn't intended for peeking into bins, because you start to undermine the constitution of English society and 1,000 years of history behind us. That is what I think everyone in society should be trying to protect,” he says. A firewall approach to legislation. Now there's a thought.