Thursday, August 22, 2013

Mile High Wi-Fi

Long haul flights may never be the same again as high speed Wi-Fi is set to be delivered to air passengers in 2014.

Train travelers and even bus passengers have become used to on board access but the new system will deliver speeds ten times greater than those currently available. The technology is based on the ability to aim a satellite dish with ultra high precision and keep it on target as the aircraft moves.

But as many organizations have discovered, having more bandwidth doesn’t always mean happy customers. Hotels in particular have seen apparently ample connections being hogged by applications like streaming media and file sharing leading to lots of unhappy guests. In the confines of an aircraft at 30,000 feet who knows what the result of a slow connection might be…?

Then there’s the whole question about what content is accessible to users. No airline is going to be happy with illegal downloads crossing its network, adult content is plainly not acceptable, and how to deal with acceptable content in different sovereign air spaces is anyone’s guess.

There are of course several Smoothwall engineers willing to do extensive field research in fitting UTMs onto aircraft heading for warm and sunny locations, providing of course that they are allowed to “recover” for a couple of weeks.

What can we say? Watch this air-space!

Tuesday, August 20, 2013

LinkedIn switches focus to kids

LinkedIn have announced that they are reducing the age limit for membership from 18 to 13. I have to say that disturbed would be an underestimation of my reaction.

Firstly, it seems rather absurd, especially at a time when the safety of young people online is at the centre of public debate. Personally, I find it weird that LinkedIn finds it acceptable to allow teenagers or screenagers (if you want to be hip) to connect and network with adults they don’t know. I see bad times ahead!

LinkedIn’s argument for offering the service feels wishy-washy. It will help young people to research their career options and job prospects. Really? What self-respecting 13 year old is on the hunt for work? At that age, I was still sharing Pogs in the playground or at the roller disco. Ah, to be young again. Seriously though, the future hadn’t even entered my mind.

While the concerns might be about what smartphone is fashionable, I would say that the same applies to young people today.

It’s also said that young people will be able to create an online persona that looks towards higher education and work rather than the standard social networks, but will this be any different from the idealised CVs employers see from school leavers?

Even with the planned changes LinkedIn says they’ll stay true to their professional networking roots. I can’t see how though. Will there be a LinkedIn boycott by business people who use it for the purpose for which it was made? They will surely find the under 18s brigade a nuisance rather than an asset. Also, who is going to be comfortable with connecting with an under 18 for fear of being branded a predator?

Is this really about opportunities for kids or is LinkedIn after a slice of online advertising spend? Last year Facebook’s ad revenue reached $5 billion.

Anyway, rant over. Don’t look me up on LinkedIn; chances are you won’t find me.

Monday, August 19, 2013

Once more unto the BREACH...

Security: noun. The state of being free from danger or threat.

Security is a powerful word on the web. Secure Online Banking, Secure Logins, Secure Portals, Secure Searches, all are now common parts of web vernacular. We have a Secure Web Gateway as part of our product line up. The basis for much of this security is TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer).

BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) is an attack on TLS and SSL. Details are a search away ("tls breach attack" is a good start). The result is that an attacker can theoretically extract specific pieces of information from a secure exchange between client and server, like a bank account number or password reset link.

The clever bit is that it takes advantage of, and indeed relies on, the fact that this information is compressed as well as encrypted. Servers routinely compress data sent to the client to save bandwidth, but this relies on both parties agreeing to a compression scheme, which is accomplished by the client advising the server in the initial request which compression schemes it supports.

This is where a nifty new Smoothwall feature comes in. Combined with an older, more entrenched capability, it can help mitigate the BREACH threat. Ironically, this is accomplished by interfering with a secure process.

Regular readers of and other Smoothwall users will be aware of YouTube For Schools, which makes use of Smoothwall’s header insertion capability to inform YouTube that the client is only allowed access to educational videos. Combining this with HTTPS inspection (which is effectively a man in the middle attack, akin to a switchboard operator listening to a phone call, and something SSL/TLS was designed specifically to prevent), we can override the header that specifies which compression schemes the client’s browser is willing to accept, effectively instructing the server not to compress data and putting a large blue spanner in the BREACH attack.

Who says you can’t fight fire with fire?
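
The header override described above, as an added example that is not Smoothwall's code or part of the original post: a toy origin server reflects request input next to a secret, and the response length is compared before and after a proxy rewrites `Accept-Encoding` to `identity`. The secret, page template, host name and function names are all constructed for illustration.

```python
import zlib

# Constructed sample data for illustration; not taken from the original post.
SECRET = "csrf_token=9f3b7c21d4e8a650"
PAGE = ("<html><body><p>Results for: {q}</p>"
        "<input type='hidden' value='{secret}'></body></html>")
BROWSER_HEADERS = {"Host": "bank.example", "accept-encoding": "gzip, deflate"}


def rewrite_request_headers(headers):
    """Proxy step: drop whatever the browser offered and ask for no compression."""
    out = {k: v for k, v in headers.items() if k.lower() != "accept-encoding"}
    out["Accept-Encoding"] = "identity"
    return out


def origin_response(headers, reflected):
    """Toy origin: reflects request input beside a secret, compresses if allowed."""
    body = PAGE.format(q=reflected, secret=SECRET).encode("ascii")
    offered = ""
    for name, value in headers.items():
        if name.lower() == "accept-encoding":
            offered = value.lower()
    if "deflate" in offered or "gzip" in offered:
        return zlib.compress(body, 9)
    return body


def length_gap(headers):
    """Body-length difference between two equal-length reflected strings:
    one sharing a prefix with the secret, one sharing nothing with it."""
    overlapping = origin_response(headers, SECRET[:19])
    unrelated = origin_response(headers, "zqxwvkjhgy=PLMOKNIJ")
    return len(unrelated) - len(overlapping)


if __name__ == "__main__":
    rewritten = rewrite_request_headers(BROWSER_HEADERS)
    print("length gap with browser headers:", length_gap(BROWSER_HEADERS))
    print("length gap after proxy rewrite :", length_gap(rewritten))
```

With compression the two responses differ in size even though the plaintext lengths are identical, which is the signal BREACH depends on; after the rewrite the gap is zero. The rewrite only protects traffic that actually passes through the inspecting proxy, and it costs the bandwidth that compression was saving.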

Wednesday, August 7, 2013

Unsuspecting sites find themselves hosting child abuse imagery. But why?

The Internet Watch Foundation recently released a statement regarding the hacking of legitimate business websites to store illegal imagery of child sexual abuse. The imagery wasn't directly accessible from these unsuspecting sites, but linked to from external sources — including portals for legal adult content.

In the last 6 weeks, the IWF has received over 277 complaints from people who have happened upon this kind of content. But what could be the purpose for secreting illegal child abuse content on otherwise lawful sites? In order to avoid hysteria and misplaced action, we need to attempt to understand the cause, rather than the symptoms, or we risk an ill thought through, knee-jerk reaction.

Superficially, there seem to be three potential causes: the nefarious, the vindictive, and the political.

The nefarious route is the least savoury. In this scenario, the purpose of the act is to distribute child imagery for criminal users — its enthusiasts. It's an easy conclusion to jump to, and start raiding the barn for pitchforks, but it raises a few issues. Firstly, why would such sensitive, illicit content be distributed on the open web? Why would a more clandestine service not be used? If you are attempting to run an illegal commercial enterprise, it doesn't seem to make sense that you would do business out in the open, rather than using TOR or other 'Deep Web' facilities. There is an inherent risk of your content being found, and, thankfully, shut down.

There's an argument to be made (and very eloquently by your favourite blogger and mine, Tom Newton), that this space has been hacked and traded multiple times, with no connection between the owners and the original attack. That the whole process provides a smokescreen. However, why would a misdemeanour criminal who 'acquires' web space allow themselves to be attached to a much more serious crime? It seems that there would be a quickly falling house of cards, where bucks would swiftly be passed to evade serious punishment.

Finally, why would the link be placed into an open forum? In this case, links to legal adult fetish content arrived at the illegal material. Someone deliberately attempting to access illegal content might claim that there is a theoretical benefit: any analysis of the browser's web activity would suggest that they were innocently looking for something legal, and were "horrifyingly duped". This theoretical benefit seems to crumble under the exposure of having an unprotected public link to your illegal content. A link that many people could find and, thankfully, have reported.

That the content persists, rather than being deleted after some underground transaction, also seems to suggest either a significant lack of discretion, or that the content was meant to be found. Which brings us to: the vindictive.

The smear of being supposedly complicit in child sexual abuse is almost indelible. As operations Ore and Yewtree have shown, entire nations will stand up and take notice when this particular topic is raised. People in the public eye may not have been convicted, such as Massive Attack's Robert Del Naja, but lives can be ruined.

Because of this, the threat of being affiliated with such toxic material can become a weapon. Anecdotally, I have seen the behaviour of the delightful inhabitants of 4Chan, where anonymity and arguments run wild. Threats are made from behind the veil of the screen and the shield of the keyboard, and these threats can — and do — escalate. I've never witnessed anything that would entirely explain the current hacks, but I have seen threats of the planting of illegal material on people's computers, coupled with calls to the police. For more on the far-reaching implications of web activity, see the recent post by security researcher Brian Krebs, who was sent heroin by malicious online adversaries, with the intent of calling the police to implicate him. The drugs were acquired online, but were simply a tool.

In this scenario the child abuse imagery is also a tool of threat or extortion, rather than intended for criminal viewing. An enormously inflammatory weapon able to destroy reputations and lives. The unsuspecting owner of the website could be the target, or possibly a third party who is known to use the legal pornography site hosting the links. It could even be an attempt to extort the owners of the pornography site by suggesting that they are complicit in funding the material.

Still, until prosecutions commence, the idea that these hacks are designed to malign and ruin individuals (or businesses) is just one of many possibilities. The fact that these attacks have increased in the last 6 weeks gives rise to a timely third option... the political.

No post on inappropriate content would be complete without some commentary on David Cameron's plans for a UK-wide, ISP-level content filter. Criticism over the filter falls into two camps: the supposed hand of the nanny state, and the alleged technological ignorance on display. If you were keen to demonstrate that a domain-level Internet filter impedes freedom without providing protection, then showing that illegal — let alone "offensive" — material can be put onto reputable sites may erroneously be seen as direct action.

It seems inherently possible. Though why would conventional, legal adult content not be used to get the point across? Why risk affiliation with another serious crime? Why risk your political legitimacy by associating yourself with abhorrent material? And where do the links from adult sites come into play?

None of these options seem outlandish, and yet none completely fit the situation. There are undoubtedly myriad scenarios that haven't been considered here — please feel free to add in the comments.

The causes here aren't clear cut, but there continues to be one cause that is: working with the IWF to eliminate online child abuse content for good.