Friday, February 25, 2011

NOT Finding and accessing a Google Docs collection shared with your group

Today Google Docs annoyed me. A lot. Google have put a nice new UI on Docs and it is generally much better. However they have still not fixed an important usability issue - if someone shares a collection (previously known as folders which was a misleading name) with a group and you are in that group you would expect to be able to search for it and actually find it. Not quite...

Yesterday someone I know was struggling to put a collection shared with their group in their My collections. They were used to the old convoluted way. But it's simpler now. Or so I thought. I had not realised one extra bit of information. If one shares a collection with a group, no one in the group can see the collection until they are given a URL to the collection. So they can't see the document collection until they see the document collection. Chicken and egg.

The workaround is either to click on the link in the original sharing email just once, or to have someone IM, email or list on an internal wiki the URL to the collection. Just click on it, then close it. Now the collection will appear when you search for it and you can then follow the simple steps in my video.

Rubbish.

I am told a solution is being worked on. While they are at it I would also like logins to automatically strip the domain when users insist on typing their full email address when only the name part is needed. And the ability to not allow normal users to share stuff as they just mess it up. And the ability to disable "Off the record" in Google Talk. Basically I would like some polish on the Google Apps product. Stop working on fun new clever stuff and do the last 10% of what you already wrote.




Friday, February 18, 2011

Orange Money Launches NFC Credit Card, Still Years Behind Africa

According to el reg, Orange is launching a new service, under the name "Orange Cash". I must admit to being a bit disappointed when I read the article though - it turns out this is just a pre-paid card (the article calls it a credit card, but that's stretching a definition since it is pre-paid!) with NFC (near field communications). While this is fun tech - Pete, a sysadmin here at Smoothwall Leeds described his first NFC shopping experience as "the simplest shopping I ever did" - it is hardly revolutionary. Indeed many people will already have NFC cards if they've recently been issued a new debit card.
So, what was I expecting? Well, being a regular visitor to Kenya, I noticed in December there were adverts all over Nairobi for Orange's "iko pesa" ("there's money" in Kiswahili) service - a rival to local operation "mpesa" by Safaricom. Mpesa and iko both allow users to easily transfer money using mobile phones. I can see why this might be more useful to Kenyans than it would be in the UK - there's relatively little in the way of "infrastructure", especially outside of Nairobi, and many people have little ready access to cash, so this is a great way to pay for things, or send some cash home. On the other hand, I'd really find this useful in the UK - just for paying small sums to friends and family. Yes, I know I can access internet banking, but I might not have their details (how many of your colleagues do you have bank details for?) - so if I find myself owing Carol a fiver for a box of noodles at lunchtime, I either mess about with internet banking, or take a stroll to the ATM. If I already have her phone number, I could simply send her mpesa... much better, no?
Both these technologies raise interesting questions for security. NFC type devices are now used for opening car doors and allowing the engine to be started. We recently saw articles (see yahoo) suggesting that thieves might "range extend" proximity keyfobs to break into cars. It would be interesting to know if this could be done to NFC cards, but it seems a lot of work for transactions which are limited to a relatively small sum. I've not yet heard of any interesting mpesa fraud - although allegedly you can pay Kenyan police bribes with it!

Saturday, February 5, 2011

ISPs: Your Customers Are Not Idiots

Well well. That's a first. Today I picked up a Huawei ADSL 2+ modem/router from my local post office, where it had been imprisoned for the crime of being (only marginally) too large to fit through my standard sized postbox. After walking home in the Yorkshire drizzle, I decided to have a poke around in the box, despite the fact that my new Internet service doesn't kick in til Tuesday.

New Internet service. Sore point. My erstwhile ISP UK Online have given up the ghost, and are encouraging well-known bastion of customer service Sky as their natural successor. I was sad to lose UKO - as one of a handful of LLU providers, they're part of a limited number of "real" ISPs, rather than marketing bacon wrapped round the tiny cocktail sausage of BT wholesale. Anyway, I liked UK Online. Their customer service guys were helpful and smart. Their prices were a bit rich, but not too bad. Their service was beautifully reliable. I never felt "capped", and I never had a peep out of any of the many and various VPN types I used on the connection. So - sad to see them go.

A lot of people raised an eyebrow at my choice of Talk Talk. I'm a techie.. and they're very... consumer, no? Well.. to be honest, it was them or Sky! I already have a relationship with both companies for TV and phone, and my experience of Talk Talk for phone over the last ~5 years has been good. I know that may put me in a minority, but it has been. I had a mixed bag when I rang to order my new service - UK call centre, answered quickly... but I needed to give far too many details and was treated a bit like a new customer. Overall, a wash on customer service there.

Anyway - that's enough warbling.. what prompted me to post? Oh yeah. In the modem box there's a leaflet. This leaflet gives you a choice - you can use the enclosed CD to configure your new modem.. or get this - you can follow the manual, and here's your username and password. Crack on. This is new to me. As techie-in-residence for family and friends, and as a long-time Smoothwallite I have set up more DSL connections than most BT engineers, and one of my pet hates is the unwavering adherence to "Put the CD in and follow the prompts". This sort of thing naturally gets my back up - a kind of presumption of moronicity, if you will. On top of that, I am a Linux user, and of course user of vaguely unusual firewalls, sometimes "Put in the CD and press buttons" just won't answer the brief.

So - big props to Talk Talk - you didn't treat me like an idiot, and come go-live day, your little modem might well just chill on the shelf whilst I use the information you chaps handily provide to configure my trusty-but-sadly-discontinued linksys am200.

Thursday, February 3, 2011

Farewell Peter

It is with some sadness that we learn this week of the resignation of Peter Robbins OBE, Chief Executive of the Internet Watch Foundation. On Wednesday Eve Salomon, Chair of the IWF Board, announced that Robbins had tendered his resignation, effective July this year.

Robbins’ tenure at the IWF began in 2002 and it was with great pleasure that we at Smoothwall worked with him and his colleagues. Having met personally, I can say that he is a true gentleman and clearly possesses a great understanding of the technical and political nuance of the work the IWF are involved in.

Media coverage of Robbins’ resignation reached The Register today and we were pleased to see kind commentary from Jane Fae Ozimek.
An interesting aside is Ozimek’s comment on the quantity of items in the IWF’s URL list. I believe that the supposedly “low” headline figure is an indication of the IWF’s success in their ‘Notice and Takedown’ role of tackling Child Abuse content at source, rather than a suggestion that the IWF’s work may soon be complete*. Additionally, it is worth pointing out that unlike most URL lists, IWF’s list has a high degree of entropy, reflecting the rapidly changing hosts of abuse images - further testament of course to the takedown efforts of the IWF and other international Hotlines.

On that note we wish Peter every success in future, as Smoothwall continues to work with the IWF throughout 2011.


* - The IWF’s Annual Report for 2010 is due out later in the year. This yearly publication is an illuminating read and a great reminder of why we continue to support the IWF.

Friday, January 28, 2011

Secure Facebook, ooh er

In the same week as Data Privacy Day and the suspected hacking of CEO Mark Zuckerberg's Facebook page, Facebook have added the new option of always-on SSL encryption for users accessing their service.

In a blog post yesterday the social networking giant announced two new security features. “Social authentication” is a new form of user authentication designed to thwart automated attacks, by asking the user to identify photos of their Facebook friends.
Facebook have also added the option of “Secure Browsing” to their Account security settings. When enabled, this causes Facebook to use SSL encrypted connections (HTTPS) rather than plain old HTTP. The changes give protection against various attacks “on the wire”, such as the Firesheep tool seen last year and the more sinister actions of the Tunisian government.

Ostensibly this is good news for us Facebookers, however the situation in the workplace may be less clear. With 4 out of 10 workplaces apparently blocking Facebook, we can assume that a good proportion of the remaining 6 use filtering and monitoring procedures instead. If Facebook access becomes “invisible” through encryption, more of these firms may be forced to bring down the ban hammer on facebook.com.
Or they could try a filter that understands HTTPS, like Guardian? Because it is the 21st century after all.

Thursday, January 27, 2011

Google, autocomplete, filtering - where next?

Google have begun rollout of the second round of autocomplete filters. If you're not familiar with autocomplete, and the filtering... here's the background: Google introduced auto-complete to their "search" box to make life easy for the terminally lazy - for example, when I start typing "web filter" into Google, it handily suggests adding "bypass" on the end. I hadn't thought of that. Thanks! The next development was Google "instant" - where search results were displayed for your half-completed terms. Soon, autocomplete got filtering - ostensibly to save the blushes of innocent searchers whose half-completed thoughts turned out to match vaguely pornographic terms. "Hot chi" for example will quickly stop autocompleting.

So that's the autocomplete filter - mostly "adult" content under scrutiny... some drug use type phrases. The next addition though is "copyright infringement searches" - now I don't personally see how not completing "torrent" is going to help reduce piracy - joe warez isn't going to sit at his PC and type "tor" and then think "nah, can't be bothered!" and search for "tortellini" instead. No, I don't rightly see the advantage. It stirred up a veritable hornets' nest of "free speechers" though, many of whom were conspicuous by their absence when the first lot of filtering was applied.

What interests me, from a web content filtering point of view, is the choice of terms. If we're going beyond "things that can cause embarrassment" to "things considered harmful by a moralist" then where are the gambling terms? To my knowledge there isn't one that's filtered. My guess is that online gambling pays too well in Google ads to make it worth filtering! On the other hand, powerful lobbying groups love to see torrent searches marginalised.

This has implications for web filtering types like Smoothwall - we have to help fill the gaps, especially in education - between what Google is willing to keep out of searches, and what educators deem suitable for their young charges. Fun.

Thursday, January 6, 2011

Internal Threats

Don't just secure your network perimeter; consider that the majority of attacks are committed by someone with existing access to the internal network. These are often on hubs or rogue access points, so first things first: enable strict MAC access control on your access switches. You don't need to be using expensive switches, as the feature is often available on the most basic of managed switches. It may seem tedious to get the MAC addresses of every device, but you've probably already got them listed, in DHCP for example, or you could even run an automated script to scrape the ARP cache from your DNS server every couple of minutes for a week.
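
An added example, not part of the original post: one way to do the scraping step in Python. It merges periodic ARP cache dumps (Linux `arp -an` or Windows `arp -a` output) into a MAC inventory and lists the MACs that are missing from the DHCP-derived list. The sample dumps, the addresses and the DHCP_KNOWN set are constructed.

```python
import re

# IPv4 then MAC, as in Linux `arp -an` (':') or Windows `arp -a` ('-') output.
ENTRY = re.compile(r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
                   r"((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\b")

def norm(mac):
    return mac.lower().replace("-", ":")

def parse_arp(text):
    """Return {(ip, mac)} from one ARP cache dump."""
    pairs = set()
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:                        # headers and '<incomplete>' entries
            continue
        ip, mac = m.group(1), norm(m.group(2))
        if int(mac[:2], 16) & 1:         # group bit set: broadcast/multicast
            continue
        pairs.add((ip, mac))
    return pairs

def build_inventory(snapshots):
    """Merge periodic snapshots into {mac: sorted list of IPs it was seen on}."""
    inv = {}
    for snap in snapshots:
        for ip, mac in parse_arp(snap):
            inv.setdefault(mac, set()).add(ip)
    return {mac: sorted(ips) for mac, ips in inv.items()}

def unknown_macs(inventory, known):
    """MACs seen on the wire that are missing from the DHCP-derived list."""
    return sorted(set(inventory) - {norm(k) for k in known})

# Constructed sample data (MACs from the 00:00:5e:00:53:xx documentation range).
SNAP_LINUX = """\
? (192.168.1.10) at 00:00:5e:00:53:0a [ether] on eth0
? (192.168.1.11) at 00:00:5e:00:53:0b [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""
SNAP_WINDOWS = """\
Interface: 192.168.1.5 --- 0xb
  192.168.1.10          00-00-5E-00-53-0A     dynamic
  192.168.1.44          00-00-5E-00-53-2C     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
DHCP_KNOWN = {"00:00:5E:00:53:0A", "00-00-5e-00-53-0b"}
if __name__ == "__main__":
    print(unknown_macs(build_inventory([SNAP_LINUX, SNAP_WINDOWS]), DHCP_KNOWN))
```

Anything the script reports is a device to identify before the switch allowlist goes live, not automatically an intruder.
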
Have a wireless survey every couple of weeks. It doesn't have to be done by a pro with mapping software (unless you've got the money to burn); you could even use a smart phone and take a slow stroll around your premises. Personally I'd use the tools on a live Linux distribution like BackTrack 3. If you're really keen on wireless security, look into Kismet; it can be set to detect rogue access points and even attempt to disrupt their use if discovered!
It sounds a simple one, but only make live the network points that you need to. An active network point in an unused room is perfect for an intruder to get unsupervised access to your network.
Segment your network, either physically or virtually using VLANs. Having a firewall between your core servers and clients might seem a little over the top, but consider the services that are actually used by your clients; these are very unlikely to change. At the very least you could monitor traffic on non-standard/interesting ports, i.e. who is connecting via RDP to your domain controllers? Or who is accessing file shares on your SQL server?
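
An added example, not part of the original post: the monitoring suggested above, run over the logs of a firewall sitting between the client and server segments. It assumes iptables-style LOG lines; the server addresses, the ALLOWED policy and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed policy: TCP services clients legitimately need from each core server
# (trimmed for the example; a real domain controller also needs dynamic RPC).
ALLOWED = {
    "10.0.10.5": {"role": "domain controller", "tcp": {53, 88, 135, 389, 445, 464, 636}},
    "10.0.10.20": {"role": "SQL server", "tcp": {1433}},
}
INTERESTING = {3389: "RDP", 445: "SMB file share", 22: "SSH"}
FIELD = re.compile(r"(\w+)=(\S*)")

def unexpected_flows(log_text):
    """Count (src, dst, port) for new TCP connections outside the policy."""
    hits = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        policy = ALLOWED.get(f.get("DST"))
        if not policy or f.get("PROTO") != "TCP" or not f.get("DPT", "").isdigit():
            continue
        words = line.split()
        if "SYN" not in words or "ACK" in words:   # count connection attempts only
            continue
        port = int(f["DPT"])
        if port not in policy["tcp"]:
            hits[(f.get("SRC", "?"), f["DST"], port)] += 1
    return hits

def report(hits):
    """One line per offender: who connected to which server, on what, how often."""
    return [f"{src} -> {ALLOWED[dst]['role']} {dst} on "
            f"{INTERESTING.get(port, 'non-standard port')}/{port} x{n}"
            for (src, dst, port), n in sorted(hits.items())]

# Constructed sample in iptables LOG style, fields trimmed for width.
SAMPLE = """\
Jan  6 10:01:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.20.15 DST=10.0.10.5 PROTO=TCP SPT=51514 DPT=3389 SYN URGP=0
Jan  6 10:01:02 fw kernel: IN=eth0 OUT=eth1 SRC=10.0.10.5 DST=10.0.20.15 PROTO=TCP SPT=3389 DPT=51514 ACK SYN URGP=0
Jan  6 10:01:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.20.15 DST=10.0.10.5 PROTO=TCP SPT=51514 DPT=3389 ACK URGP=0
Jan  6 10:04:40 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.20.15 DST=10.0.10.5 PROTO=TCP SPT=51530 DPT=3389 SYN URGP=0
Jan  6 10:05:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.20.15 DST=10.0.10.5 PROTO=TCP SPT=51533 DPT=389 SYN URGP=0
Jan  6 10:07:19 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.20.31 DST=10.0.10.20 PROTO=TCP SPT=49760 DPT=445 SYN URGP=0
Jan  6 10:07:25 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.20.31 DST=10.0.10.20 PROTO=TCP SPT=49761 DPT=1433 SYN URGP=0
"""

if __name__ == "__main__":
    print("\n".join(report(unexpected_flows(SAMPLE))))
```

SMB to the domain controller is inside the assumed policy while SMB to the SQL server is not, which is why the allowed set is kept per server rather than as one global port list.
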