Wednesday, July 31, 2013

Can Twitter be blamed for bad behaviour?


The case of the abusive tweets sent to campaigner Caroline Criado-Perez has once again highlighted the difficult issues that surround user generated content.
Ms Criado-Perez’s situation clearly demonstrates the potential for social networks to be used as a vehicle for harassment. After being involved in the successful call for a woman to be featured on a forthcoming banknote, she received a torrent of abusive messages including threats of rape.
When Ms Criado-Perez reported the matter to Twitter the response was not what she expected – she was told to report the matter to the police, who have now arrested a 21-year-old man on suspicion of harassment offences.
Twitter now faces a welter of criticism about its reaction to the situation and its policy about reporting abuse. It’s now reported to be planning to introduce a “report abuse” button similar to those seen on many news sites or forums.
At the end of 2012, the then Director of Public Prosecutions, responding to prison sentences being handed out to Twitter users, gave guidance that prosecutions would only be sought where material published was grossly offensive or criminal. In Ms Criado-Perez’s case the inclusion of threats clearly pushed this over the line.
However, like the argument around the blocking of pornography by ISPs, the ability to report abuse on social networking sites would require the companies to become an arbiter of a complex and finely shaded law and take on the cost of providing the huge resource to monitor the flow of content.
The problem, however, is not completely new. Threatening phone calls and text messages have been creating misery for users for many years. Networks always advise reporting the case to the police, and their ability to support the abused customer is limited (changing the phone number, for example). Companies like Twitter could perhaps be forgiven for wondering why they are required to go further than long-established mobile and telecoms operators.
The treatment of people who express strong views in public is cause for concern and this seems to be a particular issue when the views expressed are those of a woman, but there is a risk of confusing the issue of this abuse and the medium it is carried by.
As the medium of much modern discourse, it’s right to expect social networks to work closely with law enforcement when abuse takes place. This means that records must be kept to enable investigations, but this is quite different from a further growth of privatised censorship.
Just as with the debate around other forms of abuse, the answer here is to attack the problem at its root – in this case the irrational reaction of people toward women who express strong opinions in public – rather than trying to sweep the problem under the carpet by moderating a messaging system carrying over 33,000 messages per second.

Monday, July 22, 2013

No Budget to Block Porn? Confuse the Public and Rope In ISPs...

For the past month or so, the UK government has increased its hot-air output on the subject of online pornography. I hope their aims are admirable (and I have to assume they are), but there seems to be relatively little method and much more madness right now. Where are they going wrong, and what can be done about it?

Not all porn is Child Abuse. Following two recent, high profile cases where child murderers were found to have viewed child abuse images, there were a number of hasty pronouncements, fuelled in large part by "enthusiastic" press coverage. Most of these centred around "regular" legal pornography.

This is a problem. Even if most viewers of abuse imagery do also view legal porn it doesn’t follow that viewing legal porn leads to viewing child abuse imagery. Users of illegal drugs also purchase headache tablets in the supermarket - should we ban all painkillers because users might turn to illegal drugs? I fear, however, that good sense makes poor headlines, so we're probably stuck with this crooked thinking.

It is difficult to decide what is "porn": in order to protect the children, there is a suggestion that ISPs block access to porn "by default" (though there seems to be some weaselling on the cards here with the word "default"). However this happens, the question will arise: "who decides what is pornography?". In this case, it won't be the government, as they've devolved responsibility to a private organisation (your ISP), who will further devolve this to a filtering company.

I know a little about the inner workings of one such filter company - we at Smoothwall spend quite some effort on making sure things are as well categorised as they can be. It's a difficult question - one US judge managed to come up with an interesting answer: "I know it when I see it." Our lists aren't perfect, but the "lowest bidder" is likely to be some faceless off-shore corporate who frankly won't give a <censored> if your favourite sports forum has been misidentified as pornographic.

Update: The BBC have picked up on this outsourcing of filtering and identified TalkTalk's filtering partner as Huawei, who have been stuck with the "they must be up to no good because they're from China" tag - a nasty generalisation, but one prevalent in the media right now. It's interesting to note that TalkTalk themselves appeared to distance themselves from Huawei by overplaying links with Symantec (having spoken with industry insiders on this, this is not news...). This shows that we're already seeing a company viewed as "undesirable" making moral decisions on behalf of TalkTalk's customers. See also, wedge: thin end.

Many very popular sites have plenty of porn and ISP level blocking is going to be pretty brutal. I will have a good old nibble of my hat if we get anything better than domain blocking, but if there's full HTTPS inspection, I'll eat the thing whole, and the matching gloves, before moving to a country with a less invasive government (and preferably hot weather, as I will have ingested my hat & gloves).

Let's take an example of why we need granularity to be any good. Twitter. Whilst indulging in a spot of online ornithology, you might enter a search term "great tits". There you go, plenty of porn-over-https on a domain you can't block. Time to legislate seven shades out of twitter, and the next site, and the next...

Finally, let's touch on an old favourite hobby horse of mine: the Internet is not The Web - and there are plenty of non-web services out there, from the old school like NNTP news groups, to the more modern like encrypted peer-to-peer, and a bunch in between where some of the worst images are found. If we aim at Google, we're preaching to the choir; they already work with the relevant bodies to keep their results as clean as possible. Again, this is focusing in the wrong place if the real aim is to clean up child abuse imagery.

My suggestion? Make sure the bodies responsible for this sort of thing are adequately funded. I would like to see the creation and distribution of Child Abuse Images come to a complete stop. These latest proposals take aim at two targets though, and when you try to aim at two things at once, one of those shots is likely to miss the target let alone the bulls-eye.

Friday, July 5, 2013

Meet the sarcasm monitor - coming to a social network near you...

Okay, so we already know our personal details are ‘out there’ in the hands of companies who want our data to sell it to third parties. Big Data is big business!

Tracking technologies like marketing analytics, digital footprinting, and cookies all help to build a detailed picture of you: what you had for breakfast, where you ate last night and even your home address.

Spotter, a French company, has reportedly taken things a step further with the development of a tool that detects if a comment posted online has a “sarcastic” tone. Presumably their clients will use the findings as some form of business intelligence.

Obviously it depends on where your company does business. For an international company like Smoothwall this could be relevant if we wanted to track our British customers, because this is a trait of our humour. However, this will probably be next to useless for monitoring comments of customers in parts of the world where sarcasm isn’t part of daily conversation. It would also be interesting to see if it can identify the full spectrum of irony.

The UK sales director at Spotter, Richard May, assures us that “the company monitored material that was ‘publicly available’”. Thanks for the reassurance! (Did you get that one Spotter?). Seriously though, how can we be sure?


Search giant Google was slammed for circumventing the default settings of Apple’s Safari browser, installing cookies even when users had opted to block third-party cookies. Facebook is also not so friendly, reportedly scanning your personal messages to increase its “like” counter.

Spotter’s chosen time to come to market doesn’t seem so good. People are already more aware than ever that Big Brother is watching. In a global survey by Big Brother Watch 79% said they were concerned about their online privacy. Wherever we are, we must watch what we say online. Many cases have been in the media, with people getting disciplined or fired for being vocal online about things that happen at work.


The Ed Snowden revelations have made us more worried. Just how much do they know? The answer: a lot! As I write GCHQ could be trawling through your Facebook posts, internet histories and phone calls. It is for our own good you know. To protect our freedom, says William Hague. How free do you feel? Not so much?

Monday, April 15, 2013

Infosec is here again (stand K60)

This week I was asked nicely by our marketing folks if I could write something that could link to our presence at Infosecurity Europe (We're at stand K60, come visit us, there's probably free stuff, and definitely interesting people - there, y'happy now marketeers? ;) ).

Anyway, I thought I'd do a piece on new Infosec exhibitors I planned to visit. Sadly, I didn't find a lot to get me excited on my trawl through the exhibitor list! Don't get me wrong, I'm sure there's some great stands there (including ours, K60, did I mention it?), but the list just about failed to get a hoary old 10-year-infosec-veteran like me engaged.

What I did see though, was a couple of vendors offering "end user training" - particularly Bob's Business (extra points for being from Yorkshire), and Phish.me. Now, there are those who suggest that this sort of training isn't that wonderful an idea - including infosec superhero Bruce Schneier writing over at Dark Reading. I kinda agree with Bruce, especially with regard to the value of implementing training measures "server side", and increasing our resilience to inevitable failure, but I think maybe he paints slightly too dark a picture of end-user training.

I know we fail with a lot of our efforts to change user behaviour, but eventually, some of it sticks. I've written in the past about how tough it is to change people's mindset: I had to remind my dad to wear his seatbelt pretty recently, and campaigns to encourage their use have been ongoing for 40 years (plus laws to that effect, plus the obvious downside of going un-belted), but younger folk seem to be much more likely to belt up - something has caused the message to "stick". Eventually.

In the tech world, things seem to happen more rapidly - just around the office here we've had two-factor authentication turned on by default for a year or so on our email. When it was first turned on, people moaned. It was hard to use. It was inconvenient. Now, it's kind of expected. Indeed, when we launched a new system that couldn't do SSO, people asked: "Where's the 2FA?". Now, these were non-techies, but they were people working in the security business... but I see that as a glimmer of hope. Perhaps in this more fast-moving world the "buckle up" message will sink in within a generation?

I'd love to hear from people in "the real world", where their users really don't have an interest in IT security. Have you been able to train out bad habits? Is Bruce right and end-user training won't help?

Finally... since we're here, and you've gotten this far, here's a few people I'll be visiting at Infosec anyway - Vuln management folks RandomStorm (Yorkshire connection, plus a few ex-Smoothwallers there), SIEM Maestros Splunk (I just love graphs... I think I caught the bug from one of our developers...), SSH (Which self respecting Linux-botherer would miss it?), Bunker Secure Hosting (you had me at "Bunker") and, last but not least Vipre (the now-divorced-from-GFI anti-malware used in Smoothie). Hey maybe it won't be so dull after all... visit K60. Go on. Please.

Monday, March 25, 2013

Mobile Malware: 3 Key Differences and 3 Top Tips

Traditional malware is relatively easy to spot - well, ok, I am sure most security vendors would disagree, but it is. Compared to mobile malware - I did say “relatively”, didn’t I?


Why is mobile malware so different to regular “desktop” malware? Well, for a start, there’s the environment. Even on our most lightweight laptops, we’re willing to leave an antivirus running 100% of the time. Sure we’ll bitch and moan about it slowing the whole show down from time to time (usually poor software, or underwhelming tin... but still...), but in the end, it stays. On our ‘phones however, small is king (don’t get me started on “phablets”, if I wanted to walk around with a plasma telly in my pocket I’d shoplift at Dixons). Small devices mean small batteries, and we generally can’t afford to keep CPU chewers around “unnecessarily”. This means that anti-malware often takes a back seat: most users won’t run it.


Second up, there’s the homogeneity of the devices. Android often gets slated for a “fragmented platform”, but if you’re looking to have the same fundamental attack vectors, mobile is a great place to be. This was a criticism levelled at the Microsoft environment 5 years ago, but while Windows is still highly popular, the software stack is much more varied - Outlook is no longer de facto, and nor is IE. iOS is going to give you even more of a predictable basis for attack, so as a malware author, it’s a great place to be. Our user has less control of the OS too, coming behind the vendor and the network in the pecking order - often a good thing, less rope to hang oneself, but it means any AV has less foothold in the OS, and makes it hard for the user to spot “interesting” issues: the diagnostic tools aren’t readily available.


Finally, we come to the killer feature - the ability to make calls. If I “own” (or pwn, if you’re 17) your PC, you’re going to make me work to turn a profit: I can sell it, but for peanuts, I need 1000s. You probably don’t have your bank details in a text file on the desktop (do you? If so, please send your IP address on a postcard...), or at least I can’t rely on it. Your phone, however has the ability to spend money on your behalf right out of the box by placing calls to premium numbers, or signing up to text services. Even the appstore is more likely to be an easy place to slyly spend your coin than anything I can find on your PC.


So - before this post becomes “TL;DR”, I’ll leave you with a few tips on how to avoid getting your phone hacked (Russian mafia style hack, rather than lazy journalist style hack)...


Rule Zero: The fundamental rule of safety - if it looks too good to be true, that’s because it is. If an app is normally 70p, and there’s a free copy offered: pony up, you tightwad. Best case, the free/cheap one’s ad supported, worst case, it’s worse. If an app offers you something for nothing that you know normally costs money, well, you’re paying somewhere. See also: Free lunch, existence or otherwise thereof.


Rule One: Check the permissions. Both iOS and Android apps will state what the app is allowed to do. Be especially cautious with things that could cost you money. Sadly, most things need network capability for something or other, so that’s not really a good red flag, but think: does this app need this permission? Why?


Rule Two: Follow the crowd. Wildebeest know there’s safety in numbers, and you should too. If an app has many users it is more likely to be kosher, but if an app is brand new to the app store and has very few downloads, tread carefully - especially if it looks like a mature app. Check the reviews while you’re at it.
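Rule One in practice: the following Python script is an added example, not code from the original post or from Smoothwall. It parses a constructed AndroidManifest.xml for a hypothetical "free torch" app and flags the permissions that let an app spend your money (premium texts, outgoing calls, reading the confirmation texts those services send), so you can ask the question the post poses: does this app need this permission, and why?

```python
"""Audit the permissions an Android app requests and flag the ones that can cost money."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app spend money on the user's behalf (premium-rate
# SMS, outgoing calls) or intercept the confirmation texts premium services send.
COST_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send premium-rate texts",
    "android.permission.CALL_PHONE": "can dial premium-rate numbers",
    "android.permission.RECEIVE_SMS": "can intercept subscription confirmation texts",
    "android.permission.READ_SMS": "can read subscription confirmation texts",
}
# Not costly on their own, but hard to justify for a simple single-purpose app.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "reads the address book",
    "android.permission.ACCESS_FINE_LOCATION": "tracks precise location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts itself at boot",
}

# Constructed sample manifest for a hypothetical torch app; not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freetorch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Free Torch"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [elem.get(name_attr) for elem in root.iter("uses-permission")
            if elem.get(name_attr)]


def audit_permissions(manifest_xml):
    """Sort requested permissions into 'costly', 'sensitive' and 'other' buckets."""
    report = {"costly": [], "sensitive": [], "other": []}
    for perm in requested_permissions(manifest_xml):
        if perm in COST_PERMISSIONS:
            report["costly"].append((perm, COST_PERMISSIONS[perm]))
        elif perm in SENSITIVE_PERMISSIONS:
            report["sensitive"].append((perm, SENSITIVE_PERMISSIONS[perm]))
        else:
            report["other"].append(perm)
    return report


def verdict(report):
    """Rule One in one line: anything that can spend money is the red flag."""
    if report["costly"]:
        return "RED: app can spend money on your behalf; ask why it needs that"
    if report["sensitive"]:
        return "AMBER: unusual data access for this kind of app; ask why"
    return "GREEN: no costly or sensitive permissions requested"


if __name__ == "__main__":
    result = audit_permissions(SAMPLE_MANIFEST)
    for bucket, items in result.items():
        print(bucket, items)
    print(verdict(result))
```

A torch app that wants to send and receive texts is exactly the "why?" the post tells you to ask; INTERNET and CAMERA land in "other" because, as the post notes, network access is too common to be a useful red flag on its own.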

Tuesday, March 19, 2013

Death of the Keyboard? It's not just the keys that are numbered...



I bet there's a keyboard within two feet of you right now, be it mechanical, or virtual.
You'll probably use at least three different keyboards today, which for me at least makes the keyboard more ubiquitous than the teacup.

In one guise or another, the idea of pressing buttons to produce one character at a time has been with us since 1714 and has evolved considerably in that period.
So it's been with us for a while, but personally I think the keyboard's days are well and truly numbered.

Don't get me wrong, the days when you have to go to a specialist shop for an antique piece of 'typing apparatus' aren't upon us yet, but I think soon it will be possible for even the most hardened technophile to get through the average day without typing a letter.

We're halfway there already. Between Google Now and Siri, you don't really have to touch your smartphone any more to bend its powers to your will, though there are still limitations. Touchscreens are making a valiant effort to kill the mouse and even the humble Ford Focus comes with voice control (dubbed SYNC).

In the office, things like the Leap Motion and Space Top are promising to revolutionise the way we think of the 'desktop', stripping out the middlemen of the mouse and keyboard and freeing your hands to be the expressive and dexterous tools that they were meant to be.

Couple these concepts together in a package like Google Glass or the Oculus Rift you end up with a picture more advanced than Star Trek, with people searching for, creating and sharing information without ever pushing a button. It's a fascinating technological landscape that has sweeping implications for Smoothwall and our ilk.

Thursday, January 10, 2013

10 Ways I Saved Time With Android Apps

I owned smartphones between 2001 and 2006. They were of limited use back then, costing about the same as a good smartphone in 2012; the applications were often slow and lacking features, and the interface cumbersome. Mobile internet was usually very slow, patchy and often frustrating. Not so long ago in retrospect. I was put off; they were not value for money at all...


Can the market sell to me again? I did not own another smartphone, until late 2012. I threw down the gauntlet. I enjoyed some of the advertisements and peer influence, but until the sums looked as if they were adding up for my requirements, I did not buy in. Bingo - a refined Android powered device appeared; the Galaxy Note 2. Another thing, tablets. I had resisted those too, but quite liked the look of those handy, intuitive pads. Readers are looking good as well. The Note 2 is a fusion of all these things. For someone like me, who is interested in many things, this device convinced me to buy into the marketplace again.


During my first month of ownership, these apps have genuinely saved me time whilst mobile:


1) Camera + Gmail. Taking pictures of complex equipment at work, domestic appliances and the outcome of meetings. I reference the images to find parts, diagnose faults and communicate issues.


2) National Rail. Checking journeys and viewing delays. Less time spent waiting on a platform.


3) Met Office. Checking the five day forecast. Plan time to chop reclaimed wood for domestic multi-fuel burners.


4) Bank Balance App. Check balance and recent transactions. Knowing if payments have been received on purchases. Information to use when chasing late or lost deliveries.


5) Spotify. Finding a tune during a social gathering. A group of friends wanted to sing along to the popular folk song, The Wild Rover. Found the tune within seconds, the device speaker was good enough for a nice sing-along. I decided to subscribe to download play-lists.


6) Navigation. Searching for a store in a busy, unfamiliar area. Found the store without making any wrong turnings and had time to browse.


7) Google Sky Map. I was given a telescope for Christmas and wanted to provide Jupiter viewings for guests at a social gathering. Located Jupiter, then was easily able to point the telescope at the planet and focus. Everyone was able to see the planet’s markings and moon.


8) Clock. Setting an alarm. Usable and flexible alarm clock management. I can set alarms quickly each night I need them, even when tired.


9) Independent. Independent news on-line. I no longer need to read my least favourite newspapers in a cafe I use regularly for lunch, if the single copy of ‘The i’ is in use by another customer. I might subscribe to the on-line version.


10) S Notes. I needed to take some notes whilst talking to a colleague. Important ideas, which may have been lost whilst looking for a pen and paper, were saved. For an ongoing task I couched a few ideas then noted them; the solution came to me whilst out walking.


The time accumulated in these examples ranges from a few seconds to minutes. As I find more time saving apps and become more adept at using them, this function of time will improve. The apps are good at saving time in context: when you are busy, seconds are more valuable than when relaxing at home, for example. Catching up on missed TV is perfectly viable and I'll be ordering a take-away on Friday night, using the web browser.