
Tuesday, February 24, 2015

Twitter - Den of Iniquity or Paragon of Virtue... or Someplace in Between?




Recently there's been some coverage of Twitter's propensity for porn. Some research has shown that one in every thousand tweets contains something pornographic. With 8662 tweets purportedly sent every second, that's quite a lot.

Now, this is not something that has escaped our notice here at Smoothwall HQ. We like to help our customers keep the web clean and tidy for their users, and mostly that means free of porn. With Twitter that's particularly difficult. Their filtering isn't easy to enforce and, while we have had some reasonable results with a combination of search term filtering and stripping certain tweets based on content, it's still not optimal. Twitter does not enforce content marking and 140 characters is right on the cusp of being impossible to content filter.

That said - how porn-riddled is Twitter? Is there really sex round every corner? Is that little blue bird a pervert? Well, what we've found is: it's all relative.

Twitter is certainly among the more gutter variety of social networks, with Tumblr giving it a decent run for boobs-per-square-inch, but the likes of Facebook are much cleaner — with even images of breastfeeding mothers causing some controversy.

Interestingly, however, our back-of-a-beermat research leads us to believe that about 40 in every 1000 websites is in some way linked to porn — these numbers come from checking a quarter of a million of the most popular sites through Smoothwall's web filter and seeing what gets tagged as porn. Meanwhile, the Huffington Post reports that 30% of all Internet traffic is porn - the biggest number thus far. However, given the tendency of porn toward video, I guess we shouldn't be shocked.

Twitter: hard to filter, relatively porn-rich social network which is only doing its best to mirror the makeup of the Internet at large. As a school network admin, I would have it blocked for sure: Twitter themselves used to suggest a minimum age of 13, though this requirement quietly went away in a recent update to their terms of service.

Monday, November 19, 2012

Block or Unlock?

With Facebook's announcement that they're slowly opting all their users into HTTPS, yet another large chunk of the web gets a welcome layer of encryption.

Welcome, of course, as it helps protect users' highly personal data - often all too recoverable by network sniffing tools - and decreases the possibility of cookie hijacking. It's by no means perfect, but it's a great addition.

On the other hand, this SSLization of the web universe does pose a threat in businesses and schools alike - with more traffic going over HTTPS, the requirement for web filtering to intercept and decrypt this traffic rises. In many instances, the stark choice is to either block a site completely, or perform an intrusive "Man in the Middle" inspection. These issues are always going to be most keenly felt on BYOD devices where the MitM decryption would be both more intrusive technically, and socially - hey, it's my device, my traffic, keep out!

There are no silver bullets here. Sure, we can identify most HTTPS traffic's ultimate destination (it's Facebook, it's Google), but many organisations need a finer level of policy if they are to allow these sites - forcing safesearch is an important one for schools, or for businesses, maybe a restriction on Facebook posts.

The creeping tide of HTTPS is not going away - the only thing keeping more large sites from going fully SSL is the cost/speed tradeoff (encryption on that scale can be computationally expensive), but the need for web filtering for an ever more varied set of organisations has yet to wane either.

This is going to be a long and interesting ride... and I would welcome any comments from our readers on what they are doing to work around these problems, or what they think would be the ideal scenario.

Monday, October 29, 2012

Your Money or Your Life?

Such was the typical refrain of the 18th century Highwayman on stopping a stagecoach full of wealthy but ill-prepared travelers. We'd like to think we don't have to make that choice today, but information superhighwaymen (I can't believe I just wrote that) are asking us to do so, and more surprisingly, we consistently make the wrong choice.

Many sensible people use online banking, probably with 2 factor authentication; you may have one of the little devices that generates a code to enter when you log in. Personally, I wouldn't use online banking without it, and even the committed technophobes in my family are using it.

On the other hand, I am often still unable to protect my social identity with anything stronger than a password. I'd like to - and I already do for my email, thanks to Google's forward-looking approach (no doubt because their corporate customers demanded it!). Facebook does now have "login approvals" under security options - not quite 2 factor but close enough, and will make pinching your password a lot harder. These sorts of features are still not understood by most, or in some cases unavailable.

This leads to the strange situation where we protect our money, which is a terrible thing to lose, but eminently recoverable, more strongly than we protect our reputation, our personal information and our privacy. You cannot get this back. The cat will not go back in the bag. We still value security incidents in terms of a "dollar cost", when the cost of your personal pictures being made public could be much higher, and you cannot undo the harm that has been caused. The password issue is simply an indication of our priorities, and these are wrong.

The potential impact of this type of "social" security breach should not be underestimated. The tragic case of Amanda Todd shows how extreme the consequences can be: pictures she believed to be private were spread across the internet. These pictures were not a traditional "security breach", but something which, if it had happened in the days before indelible, freely copied pixels, would have been forgotten.

This is perhaps even more important for young people - as heavy users of social media, often their attitudes and approach to online security is not where it should be - a combination of inexperience and, until very recently, little or no help from educators or parents.

Reader, stop thinking with your wallet for a moment, and make sure you put a value on your reputation, your health, your happiness and your life, because Facebook, LinkedIn, Google, they've all got fragments of those things. If you can't be sure what you give these cloud services is secure, my advice would be not to give it at all.

Helpful hints
  • Email - Gmail offers 2 factor, enable it. Hotmail: update Jan '14 - Hotmail now supports 2fac!
  • Facebook - turn on login approvals, and take extra care to log out of public computers. Turning on secure browsing is helpful to protect session cookies.
  • Phone - use a screenlock PIN, this will foil a casual attacker. Have some way to wipe your phone if lost. Don't display text messages on the lockscreen.
  • LinkedIn - you can check "always use a secure connection", but that's a marginal upgrade
  • Flickr - use federated authentication from Google or perhaps Facebook
  • Twitter - check "require personal information for a password reset", no 2 factor (yet) so take care with your data - update: May 2013, Twitter introduces 2fac, thanks!

Thursday, November 17, 2011

Facebook. Look, but don't touch.

Facebook. For some, it's the little black book, calendar, photo album, arcade and mailbox, all rolled up into one crisp pale blue package. The anvil on which many, including myself, forge their social lives.
It is, however, not without its problems. Between the above, Facebook is an effective timesink and can impact productivity in the workplace, ultimately costing companies money. Numerous reports of cyberbullying, Facebook stalking and the friend who got 'Facebook fired' for posting something libellous understandably put organisations and institutions on edge. The knee-jerk reaction is usually to deny access altogether. This hammerblow approach has the desired effect of protecting people from themselves, but can also leave them feeling cut off and frustrated.

Facebook is not an evil of itself by any means. People are social animals, and the Social Network is indeed an intrinsic part of everyday life for about 800 million people around the world. A friend found his dogs within 6 hours of them going missing, through a chain of events started with a Facebook post, so it can certainly be a force for good.

Unrestricted access to Facebook is out of the question for many organisations, and no access at all is a blanket solution. Is there a middle ground?

I've been working on a project that should offer one.
The result is a solution that allows people to look, but not touch. In short, Facebook is available, but without the risk to the individual or organisation. Read-only mode, if you like. Combined with Smoothwall's time slots, it offers a powerful and flexible alternative to the hammer approach of blocking it entirely.

Facebook is a technical behemoth. A vast expanse of dynamic content, realtime updates, targeted adverts, likes, shares... the list goes on. It's also tied into an astonishing array of other sites around the web, pulling content from anywhere with a 'like' or 'share' button. Dissecting this giant was a challenge, but definitely worthwhile, and is another step in providing people with the tools to control what enters and leaves their organisations. This time, a scalpel.