For the past month or so, the UK government has increased its hot-air output on the subject of online pornography. I hope their aims are admirable (and I have to assume they are), but there seems to be relatively little method and much more madness right now. Where are they going wrong, and what can be done about it?
Not all porn is Child Abuse. Following two recent, high profile cases where child murderers were found to have viewed child abuse images, there were a number of hasty pronouncements, fuelled in large part by "enthusiastic" press coverage. Most of these centred around "regular" legal pornography.
This is a problem. Even if most viewers of abuse imagery do also view legal porn it doesn’t follow that viewing legal porn leads to viewing child abuse imagery. Users of illegal drugs also purchase headache tablets in the supermarket - should we ban all painkillers because users might turn to illegal drugs? I fear, however, that good sense makes poor headlines, so we're probably stuck with this crooked thinking.
It is difficult to decide what is "porn": in order to protect the children, there is a suggestion that ISPs block access to porn "by default" (though there seems to be some weaselling on the cards here with the word "default"). However this happens, the question will arise "who decides what is pornography?". In this case, it won't be the government, as they've devolved responsibility to a private organisation (your ISP) who will further devolve this to a filtering company.
I know a little about the inner workings of one such filter company - we at Smoothwall spend quite some effort on making sure things are as well categorised as they can be. It's a difficult question - one US judge managed to come up with an interesting answer: "I know it when I see it. Our lists aren't perfect, but the "lowest bidder" is likely to be some faceless off-shore corporate who frankly won't give a <censored> if your favourite sports forum has been misidentified as pornographic.
Update: The BBC have picked up on this outsourcing of filtering and identified TalkTalk's filtering partner as Huawei, who have been stuck with the "they must be up to no good because they're from China" tag - a nasty generalisation, but one prevalent in the media right now. It's interesting to note that TalkTalk themselves appeared to distance themselves from Huawei by overplaying links with Symantec (having spoken with industry insiders on this, this is not news...). This shows that we're already seeing a company viewed as "undesirable" making moral decisions on behalf of TalkTalk's customers. See also, wedge: thin end.
Many very popular sites have plenty of porn and ISP level blocking is going to be pretty brutal. I will have a good old nibble of my hat if we get anything better than domain blocking, but if there's full HTTPS inspection, I'll eat the thing whole, and the matching gloves, before moving to a country with a less invasive government (and preferably hot weather, as I will have ingested my hat & gloves).
Let's take an example of why we need granularity to be any good. Twitter. Whilst indulging in a spot of online ornithology, you might enter a search term "great tits". There you go, plenty of porn-over-https on a domain you can't block. Time to legislate seven shades out of twitter, and the next site, and the next...
Finally, lets touch on an old favourite hobby horse of mine: the Internet is not The Web - and there are plenty of non-web services out there, from the old school like NNTP news groups, to the more modern like encrypted peer-to-peer, and a bunch in between where some of the worst images are found. If we aim at google, we're preaching to the choir, they already work with the relevant bodies to keep their results as clean as possible. Again, this is focusing in the wrong place if the real aim is to clean up child abuse imagery.
My suggestion? Make sure the bodies responsible for this sort of thing are adequately funded. I would like to see the creation and distribution of Child Abuse Images come to a complete stop. These latest proposals take aim at two targets though, and when you try to aim at two things at once, one of those shots is likely to miss the target let alone the bulls-eye.
We all work in the internet security industry, and as such we're involved with a wide range of technologies, markets and people.
Our collective blog is a space for our insights, observations and interests...
(N.B. The opinions expressed here are those of the individual authors, and not those of Smoothwall ltd or Smoothwall inc.)
Showing posts with label politics. Show all posts
Showing posts with label politics. Show all posts
Monday, July 22, 2013
Wednesday, October 10, 2012
Cybercrime: Tough Gig, or Easy Ride?
William Hague is to tell an international Cybercrime conference that "being a cybercriminal has never been easier."
Let's deal with these points in order. Firstly, for those of you reading this who hail from sunnier climes outside the UK, William Hague is a would-be UK Prime Minister who was constantly thwarted by unfortunate credibility issues, often involving peaked headgear. He's currently serving as Foreign Secretary, but since cabinet posts change with alarming regularity, and seemingly require no qualification in your subject area, he'll probably be secretary for trouser pressing by the time I hit "publish".
So Mr. Hague is addressing a summit, or conference, or whatever else it is politicians do, and he intends to state that being a cybercriminal has never been so easy. I'm not sure I agree. In many ways, getting up to no good on the Internet has become much harder. For example, 10 years ago, if you wished to send an anonymous email, it was pretty easy to find an open relay. I've linked to the Wikipedia entry, because some of our younger viewers might be slightly incredulous that such a thing ever existed. You could fairly easily get hold of a free (or hacked) shell over telnet, to put another layer between your IP and the law (who wouldn't have known an IP address if it bit them). Finally, the recipient of your email would probably be much more receptive to offers of 10% of a pile of gold bullion from a Nigerian prince than they might be today.
So in the "Against" column, we have more tightly locked down systems, more savvy law enforcement, and users starting to wake up to risks on the Internet. We also have vulnerability reporting, and companies large and small beginning to take IT security seriously, as the clued-in customer base votes with their feet. I'm not saying we're even hitting "good" yet, but we're streets ahead of where we were 10 years ago.
How about the "For" column? What makes life easier for today's Inter-crim? A proliferation of victims, for one: Internet penetration continues to, er, penetrate, and more and more people are "connected". Wider ranging use of the Internet, particulary withe regard to money - I was an early adopter of Internet banking, and when I started using it, few of my peers were past "chequebook and pen". Now my parents use it (a good marker for when technology becomes pervasive perhaps?), and I am checking my balance on an eminently stealable, 24x7 connected, 3rd party software filled phone. Eek. Finally, we should also consider the business side of web-based wrongdoing: you no longer need to be particularly clever to operate as an IT-fraudster, you can go out and buy off-the peg tools to bypass security restrictions.
So is it easier? Well, i'd argue it's probably easier to get into Cybercrime, but it's also easier to get caught. It's probably easier to find a victim, but the pool of victims is waking up to the threat. There are definitely more angles of attack, but software vendors are often starting with security in mind. No, I think it's probably no easier than it ever was.
Oh, wait. Our politicians are attending cybercrime conferences and talking about "files stolen by hackers which were equivalent to 20 million A4 pages" and "[telephone] international hotlines set up to help tackle emergencies". Cybercrims can get the cigars out and put their feet up, 2002 called, it wanted its tech back.
Let's deal with these points in order. Firstly, for those of you reading this who hail from sunnier climes outside the UK, William Hague is a would-be UK Prime Minister who was constantly thwarted by unfortunate credibility issues, often involving peaked headgear. He's currently serving as Foreign Secretary, but since cabinet posts change with alarming regularity, and seemingly require no qualification in your subject area, he'll probably be secretary for trouser pressing by the time I hit "publish".
So Mr. Hague is addressing a summit, or conference, or whatever else it is politicians do, and he intends to state that being a cybercriminal has never been so easy. I'm not sure I agree. In many ways, getting up to no good on the Internet has become much harder. For example, 10 years ago, if you wished to send an anonymous email, it was pretty easy to find an open relay. I've linked to the Wikipedia entry, because some of our younger viewers might be slightly incredulous that such a thing ever existed. You could fairly easily get hold of a free (or hacked) shell over telnet, to put another layer between your IP and the law (who wouldn't have known an IP address if it bit them). Finally, the recipient of your email would probably be much more receptive to offers of 10% of a pile of gold bullion from a Nigerian prince than they might be today.
So in the "Against" column, we have more tightly locked down systems, more savvy law enforcement, and users starting to wake up to risks on the Internet. We also have vulnerability reporting, and companies large and small beginning to take IT security seriously, as the clued-in customer base votes with their feet. I'm not saying we're even hitting "good" yet, but we're streets ahead of where we were 10 years ago.
How about the "For" column? What makes life easier for today's Inter-crim? A proliferation of victims, for one: Internet penetration continues to, er, penetrate, and more and more people are "connected". Wider ranging use of the Internet, particulary withe regard to money - I was an early adopter of Internet banking, and when I started using it, few of my peers were past "chequebook and pen". Now my parents use it (a good marker for when technology becomes pervasive perhaps?), and I am checking my balance on an eminently stealable, 24x7 connected, 3rd party software filled phone. Eek. Finally, we should also consider the business side of web-based wrongdoing: you no longer need to be particularly clever to operate as an IT-fraudster, you can go out and buy off-the peg tools to bypass security restrictions.
So is it easier? Well, i'd argue it's probably easier to get into Cybercrime, but it's also easier to get caught. It's probably easier to find a victim, but the pool of victims is waking up to the threat. There are definitely more angles of attack, but software vendors are often starting with security in mind. No, I think it's probably no easier than it ever was.
Oh, wait. Our politicians are attending cybercrime conferences and talking about "files stolen by hackers which were equivalent to 20 million A4 pages" and "[telephone] international hotlines set up to help tackle emergencies". Cybercrims can get the cigars out and put their feet up, 2002 called, it wanted its tech back.
Subscribe to:
Posts (Atom)