Smoothwall's team of intrepid web-wranglers have recently noticed a change in Twitter's behaviour. Where once, it was impossible to differentiate the resources loaded from twimg.com, Twitter now includes some handy sub-domains so we can differentiate the optional user-uploaded images from the CSS , buttons, etc.
This means it's possible to prevent twitter loading user-content images without doing HTTPS inspection - something that's a bit of a broad brush, but given the fairly hefty amount of adult content swilling around Twitter, it's far from being the worst idea!
Smoothwall users: Twitter images are considered "unmoderated image hosting" - if you had previously made some changes to unblock CSS and JS from twimg, you can probably remove those now.
We all work in the internet security industry, and as such we're involved with a wide range of technologies, markets and people.
Our collective blog is a space for our insights, observations and interests...
(N.B. The opinions expressed here are those of the individual authors, and not those of Smoothwall ltd or Smoothwall inc.)
Showing posts with label twitter. Show all posts
Showing posts with label twitter. Show all posts
Wednesday, April 22, 2015
Tuesday, February 24, 2015
Twitter - Den of Iniquity or Paragon of Virtue... or Someplace in Between?
Recently there's been some coverage of Twitter's propensity for porn. Some research has shown that one in every thousand tweets contains something pornographic. With 8662 tweets purportedly sent every second, that's quite a lot.
Now, this is not something that has escaped our notice here at Smoothwall HQ. We like to help our customers keep the web clean and tidy for their users, and mostly that means free of porn. With Twitter that's particularly difficult. Their filtering isn't easy to enforce and, while we have had some reasonable results with a combination of search term filtering and stripping certain tweets based on content, it's still not optimal. Twitter does not enforce content marking and 140 characters is right on the cusp of being impossible to content filter.
That said - how porn riddled is Twitter? Is there really sex round every corner? Is that little blue bird a pervert? Well, what we've found is: it's all relative.
Twitter is certainly among the more gutter variety of social networks, with Tumblr giving it a decent run for boobs-per-square-inch, but the likes of Facebook are much cleaner — with even images of breastfeeding mothers causing some controversy.
Interestingly, however, our back-of-a-beermat research leads us to believe that about 40 in every 1000 websites is in some way linked to porn — these numbers come from checking a quarter of a million of the most popular sites through Smoothwall's web filter and seeing what gets tagged as porn. Meanwhile, the Huffington Post reports that 30% of all Internet traffic is porn - the biggest number thus far. However, given the tendency of porn toward video, I guess we shouldn't be shocked.
Twitter: hard to filter, relatively porn-rich social network which is only doing its best to mirror the makeup of the Internet at large. As a school network admin, I would have it blocked for sure: Twitter themselves used to suggest a minimum age of 13, though this requirement quietly went away in a recent update to their terms of service.
Monday, October 29, 2012
Your Money or Your Life?
Such was the typical refrain of the 18th century Highwayman on stopping a stagecoach full of wealthy but ill-prepared travelers. We'd like to think we don't have to make that choice today, but information superhighwaymen (I can't believe I just wrote that) are asking us to do so, and more surprisingly, we consistently make the wrong choice.
Many sensible people use online banking probably with 2 factor authentication, you may have one of the little devices that generates a code to enter when you log in. Personally, I wouldn't use online banking without it, and even the committed technophobes in my family are using it.
On the other hand, I am often still unable to protect my social identity with anything stronger than a password. I'd like to - and I already do for my email, thanks to Google's forward looking approach (no doubt because their corporate customers demanded it!). Facebook does now have "login approvals" under security options - not quite 2 factor but close enough, and will make pinching your password a lot harder. These sort of features are still not understood by most, or in some cases unavailable.
This leads to the strange situation where we protect our money, which is a terrible thing to lose, but eminently recoverable, more strongly than we protect our reputation, our personal information and our privacy. You cannot get this back. The cat will not go back in the bag. We still value security incidents in terms of a "dollar cost", when the cost of your personal pictures being made public could be much higher, and you cannot undo the harm that has been caused. The password issue is simply an indication of our priorities, and these are wrong.
The potential impact of a this type of "social" security breach should not be underestimated. The tragic case of Amanda Todd shows how extreme the consequences can be, pictures she believed to be private were spread across the internet. These pictures were not a traditional "security breach", but something which if it had happened in the days before indelible, freely copied pixels would have been forgotten.
This is perhaps even more important for young people - as heavy users of social media, often their attitudes and approach to online security is not where it should be - a combination of inexperience and, until very recently, little or no help from educators or parents.
Reader, stop thinking with your wallet for a moment, and make sure you put a value on your reputation, your health, your happiness and your life, because Facebook, linkedin, google, they've all got fragments of those things. If you can't be sure what you give these cloud services is secure, my advice would be not to give it at all.
Helpful hints
Many sensible people use online banking probably with 2 factor authentication, you may have one of the little devices that generates a code to enter when you log in. Personally, I wouldn't use online banking without it, and even the committed technophobes in my family are using it.
On the other hand, I am often still unable to protect my social identity with anything stronger than a password. I'd like to - and I already do for my email, thanks to Google's forward looking approach (no doubt because their corporate customers demanded it!). Facebook does now have "login approvals" under security options - not quite 2 factor but close enough, and will make pinching your password a lot harder. These sort of features are still not understood by most, or in some cases unavailable.
This leads to the strange situation where we protect our money, which is a terrible thing to lose, but eminently recoverable, more strongly than we protect our reputation, our personal information and our privacy. You cannot get this back. The cat will not go back in the bag. We still value security incidents in terms of a "dollar cost", when the cost of your personal pictures being made public could be much higher, and you cannot undo the harm that has been caused. The password issue is simply an indication of our priorities, and these are wrong.
The potential impact of a this type of "social" security breach should not be underestimated. The tragic case of Amanda Todd shows how extreme the consequences can be, pictures she believed to be private were spread across the internet. These pictures were not a traditional "security breach", but something which if it had happened in the days before indelible, freely copied pixels would have been forgotten.
This is perhaps even more important for young people - as heavy users of social media, often their attitudes and approach to online security is not where it should be - a combination of inexperience and, until very recently, little or no help from educators or parents.
Reader, stop thinking with your wallet for a moment, and make sure you put a value on your reputation, your health, your happiness and your life, because Facebook, linkedin, google, they've all got fragments of those things. If you can't be sure what you give these cloud services is secure, my advice would be not to give it at all.
Helpful hints
- Email - Gmail offers 2 factor, enable it. Hotmail.. update Jan '14 -Hotmail now supports 2fac!
- Facebook - turn on login approvals, and take extra care to log out of public computers, turning on secure browsing is helpful to protect session cookies
- Phone - use a screenlock PIN, this will foil a casual attacker. Have some way to wipe your phone if lost. Don't display text messages on the lockscreen.
- Linkedin - You can check "always use a secure connection", but that's a marginal upgrade
- Flickr - use federated authentication from Google or perhaps Facebook
- Twitter - check "require personal information for a password reset", no 2 factor (yet) so take care with your data - update: May 2013, twitter introduces 2fac, thanks!
Subscribe to:
Posts (Atom)