Wednesday, December 4, 2013

Don't Complain About Social Media Bores

Some of my older readers will remember a time before social media, when we had real friends, and talked about real things. They'll remember it fondly, and talk about those halcyon days of pints down the pub, phone calls and lovingly crafted snail mail. To be honest, we are probably better off with social media, but there are still a few things that we might miss. In the "good old days", you could easily avoid the boring guy who had only one topic of conversation (like how rotten his shifts at the mill were). Now we're stuck listening to "social media bores" because we know if we unfriend/unfollow them, they'll know, and it'll just be even worse.

After an in-depth meta-analysis and an extensive survey (OK, I hit Google and had a chat with 4 colleagues), it can be revealed that the top 5 "Social Media Bores" are:

1. The Braggart: This guy can't buy a replacement lightbulb without telling you why he's got the best.
Expect: Holiday bookings and new-car photos

2. "Guess where I am?": She can't help but tell you where she is, regardless of how dull it is.
Expect: "In Slough", "At the local shop", "Entering purgatory... where to next?"

3. The cat bore: Yes, we know you've got a cat, you use him as your profile picture.
Expect: Pictures considerably less funny/cute/well captioned than those already littering Facebook

4. The Cliffhanger: An unspecified emote - and we're all supposed to guess what's wrong?
Expect: "Feeling really sad", "Great news!" (and then nothing)

5. Captain Gullible: Is there a hoax this chap hasn't swallowed hook, line & sinker?
Expect: "Did you know water drains anticlockwise in Australia?"

Now comes the hard part. I want you to forgive these guys. I ask you this, not in the spirit of the holiday season, but because I have discovered that it is virtually impossible not to be a social media bore. Observe:


So, if you do want to say something you might think twice about tweeting, maybe hang on, and do it over a beer - or don't say it at all!

If you are interested, here's some of the research I didn't do:

Legal issues:



Workplace issues:



Family issues:

  • Try not to follow escort agencies on twitter if anyone might be watching you
  • I'm told one of my colleagues once got told off by his mother for something he said on Facebook - didn't even make the local news though!


Bores:

Wednesday, September 18, 2013

7 Ways To Deal With HTTPS traffic


HTTPS traffic. It's a bunch of encrypted zeroes and ones flying through our firewalls and web filters, and frankly many people haven't got much of an idea what it's doing or why it's there. There are business critical apps aplenty that require you to let this impenetrable traffic march on, but what can we do to gain a bit of visibility? In a rare moment of caffeine-induced lucidity, I lay out your options:

1. Do Nothing

This is one of my favourite options - complete inaction. Whilst it might seem like it is a safe bet, after a while things start to go wrong. Sometimes, I take this approach to household chores: it's liberating to not do the laundry for a while, but the day you run out of socks is a dark day indeed.
User Impact: *****
Blocking Efficacy: (that's no stars!)
Advice: Only if you like to have problems

2. Block it ALL!

Not a great idea this one. Might have worked in the deep and distant past, but today's Internet will have no truck with that. Back to doing laundry, it's the equivalent of putting up with prodigious and vile body odour because you can't be bothered to wash your smalls. Might have worked in 200BC, but in 2013 you will likely find it a social faux-pas. Apologies to any readers who were eating breakfast while reading that :)
User Impact: (that's no stars!)
Blocking Efficacy: *****
Advice: Don't do it!

3. Look for Reverse DNS

So I want to allow HTTPS traffic through, but I want to be selective. I know - I'll take the destination IP and do a reverse lookup on it, then I can use that to match... I'll be able to control everything. I don't have a sock analogy here - sorry folks (well I do, but it would be stretched thinner than even the most ardent fans of my blogging would take - an exercise for the reader to build their own!). Reverse DNS is basically pretty unreliable. It's OK for spotting some of the big stuff, so you might whitelist based on it, but conversely it's terrible as a whitelist because it is inclined to miss bits. Yes, more of the internet than ever has reverse lookup, but this still sucks.
User impact: *****
Blocking efficacy: **
Advice: Don't do it!

4. Use Plaintext header information to domain block

This is more like it. Anyone using a "traditional" proxy, where you set up the computer to use an HTTPS proxy, can already do this.

Modern SSL implementations are actually TLS implementations - SSL went out of fashion when flared trousers and wearing a baseball cap backwards were the hottest news. TLS is what we are really using when we refer to SSL. Anyhow, there's a cute little extension to TLS called SNI (Server Name Indication), in which the browser names the host it wants, in plaintext, at the start of the handshake. This method won't work with really ancient browsers.

For those of you still awake, these methods let your web filter block accurately by destination domain. Not URL, domain. Just the first bit. Everything after the / is still mystery meat. This is a reasonable option for blacklist, and a great option if you're whitelisting.
User impact: *****
Blocking efficacy: ***
Advice: No brainer, get it turned on

5. Verify Certificates

You can, and should, check certificate validity on your web filter. It's that simple, really. There are a few gotchas, in that sites with self-signed certificates will need explicitly allowing, but otherwise this is a great idea. One of the main advantages of this method is the blocking of HTTPS proxy anonymizers, which rarely go to the financial trouble of a full, CA-signed certificate.
User Impact: ****
Blocking Efficacy: *
Advice: Use in conjunction with another method, but do use it


6. Full Inspection

If you're really keen to protect against the threats of web-borne malware, and you want the best filtering, then this is the gold standard. A "Man in the Middle" decryption allows your filter to see the full URL and content, so you can do fine-grained blocking, search term analysis and anti-malware scanning, among other things. Of course your users will see a certificate warning if you do this, as you'll be re-signing a certificate claiming to be facebook.com or whatever. The only way round this is to install your Certificate Authority (CA) on your users' systems. Don't install one that's not got your organisation name in it - some vendors just produce a "standard" CA, and this is really dangerous, allowing the vendor unfettered backdoor access to your clients' browsing. Full inspection can be tricky for BYOD as you have no easy way to push out the CA - so bear that in mind when deciding how to filter.
User Impact: **
Blocking Efficacy: *****
Advice: Definitely use for machines you can push policy to, advise caution on BYOD

7. The NSA Option

If you are the US government, there's always the option of spending a whole heap of your billions of dollars in black budget breaking everyone's crypto. While this is highly effective, people will then tend to avoid you at social functions, and may talk about you behind your back. But at least you'll know what they are saying.
User Impact: CLASSIFIED
Blocking Efficacy: BLOCKED
Advice: Be afraid

Tuesday, September 3, 2013

Caveat scriptor - the further perils of a social networker

Caveat scriptor! (Writer Beware!)


We mentioned a few times the problems that you might run into if you post something online without really thinking it through. It can go much further than a red face next time you see friends.


What’s bad for the individual can be bad for the organisation too – vicarious liability (that we've mentioned many times) can mean that if an organisation can’t demonstrate that it’s trying to monitor and manage access, it too can be considered liable for its employees' actions. The real kicker here is that the organisation can’t even use the defense that it was unaware of the behavior; the law expects that sensible precautions will be taken.


The message was hammered home this week with the results of the Freedom of Information request to the Student Loan Company about misuse of social media. The response showed that there had been 4 cases (over 5 years) where disciplinary action had been taken. Although the details in the response are scant, there are indications that these individuals were using personal accounts.


Cue the debate about your right to say what you like and why should an employer be able to discipline (in these four cases – dismiss) you for what you say? It comes down to a question of whether you’re representing your employer – a question that was tested in the Adrian Smith case last year.


Essentially the test is this – would a reasonable person viewing your Blog / Wall / Tweets associate you with your employer? If they would, then you suddenly need to be a lot more careful about what you say. Someone who finds your opinions objectionable may also take action against your employer, and it’s likely that they would then want to take action against you.


What’s the answer? Keep your online work and your social life separate, or be prepared to be squeaky clean if you don’t.


For the employers out there - a strong Acceptable Usage Policy, combined with control of access to Social Media over your network, something that web filters are pretty good at, is a good start for a defense against vicarious liability.

Overall, everyone must remember that once something is in print, be that electronic or hard copy, it’s almost impossible to get back. As the Duke of Wellington said, “Publish and be damned.”

Thursday, August 22, 2013

Mile High Wi-Fi

Long haul flights may never be the same again as high speed Wi-Fi is set to be delivered to air passengers in 2014.

Train travelers and even bus passengers have become used to on board access but the new system will deliver speeds ten times greater than those currently available. The technology is based on the ability to aim a satellite dish with ultra high precision and keep it on target as the aircraft moves.

But as many organizations have discovered, having more bandwidth doesn’t always mean happy customers. Hotels in particular have seen apparently ample connections being hogged by applications like streaming media and file sharing leading to lots of unhappy guests. In the confines of an aircraft at 30,000 feet who knows what the result of a slow connection might be…?

Then there’s the whole question about what content is accessible to users. No airline is going to be happy with illegal downloads crossing its network, adult content is plainly not acceptable, and how to deal with acceptable content in different sovereign air spaces is anyone’s guess.

There are of course several Smoothwall engineers willing to do extensive field research in fitting UTMs onto aircraft heading for warm and sunny locations, providing of course that they are allowed to “recover” for a couple of weeks.

What can we say? Watch this air-space!

Tuesday, August 20, 2013

LinkedIn switches focus to kids

LinkedIn have announced that they are reducing the age limit for membership from 18 to 13. I have to say that disturbed would be an underestimation of my reaction.

Firstly, it seems rather absurd, especially at a time when the safety of young people online is at the centre of public debate. Personally, I find it weird that LinkedIn finds it acceptable to allow teenagers or screenagers (if you want to be hip) to connect and network with adults they don’t know. I see bad times ahead!

LinkedIn’s argument for offering the service feels wishy-washy. It will help young people to research their career options and job prospects. Really? What self-respecting 13 year old is on the hunt for work? At that age, I was still sharing Pogs in the playground or at the roller disco. Ah, to be young again. Seriously though, the future hadn’t even entered my mind.

While the concerns might be about what smartphone is fashionable, I would say that the same applies to young people today.

It’s also said that young people will be able to create an online persona that looks towards higher education and work rather than the standard social networks, but will this be any different from the idealised CVs employers see from school leavers?

Even with the planned changes LinkedIn says they’ll stay true to their professional networking roots. I can’t see how though. Will there be a LinkedIn boycott by business people who use it for the purpose for which it was made? They will surely find the under 18s brigade a nuisance rather than an asset. Also, who is going to be comfortable with connecting with an under 18 for fear of being branded a predator?

Is this really about opportunities for kids or is LinkedIn after a slice of online advertising spend? Last year Facebook’s ad revenue reached $5 billion.

Anyway, rant over. Don’t look me up on LinkedIn; chances are you won’t find me.

Monday, August 19, 2013

Once more unto the BREACH...

Security: noun. The state of being free from danger or threat.


Security is a powerful word on the web. Secure Online Banking, Secure Logins, Secure Portals, Secure Searches, all are now common parts of web vernacular. We have a Secure Web Gateway as part of our product line up. The basis for much of this security is TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer).


BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) is an attack on TLS and SSL. Details are a search away ("tls breach attack" is a good start). The result is that an attacker can theoretically extract specific pieces of information from a secure exchange between client and server, like a bank account number or password reset link. The clever bit is that it takes advantage of, and indeed relies on, the fact that this information is compressed as well as encrypted. Servers routinely compress data sent to the client to save bandwidth, but this relies on both parties agreeing to a compression scheme, which is accomplished by the client advising the server in the initial request which compression schemes it supports.

This is where a nifty new Smoothwall feature comes in. Combined with an older, more entrenched capability, it can help mitigate the BREACH threat. Ironically, this is accomplished by interfering with a secure process.

Regular readers of edugeek.net and other Smoothwall users will be aware of YouTube For Schools, which makes use of Smoothwall’s header insertion capability to inform YouTube that the client is only allowed access to educational videos. Combining this with HTTPS inspection (which is effectively a man in the middle attack, akin to a switchboard operator listening to a phone call, and something SSL/TLS was designed specifically to prevent), we can override the header that specifies which compression schemes the client’s browser is willing to accept, effectively instructing the server not to compress data and putting a large blue spanner in the BREACH attack.
Who says you can’t fight fire with fire?
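
An added example (not Smoothwall's code) of the header override described above: the filter replaces the client's `Accept-Encoding` with `identity`, and the response length stops depending on whether a reflected value matches a secret on the page. The toy origin server, the header list and the token are constructed assumptions.

```python
import gzip

# Constructed page secret for the demonstration; not a real token.
SECRET = "csrf_token=9f8e7d6c5b4a39281706f5e4d3c2b1a0"

def force_identity(headers):
    """Filter-side rewrite: drop the client's Accept-Encoding, insert 'identity'."""
    kept = [(k, v) for k, v in headers if k.lower() != "accept-encoding"]
    return kept + [("Accept-Encoding", "identity")]

def accepts_gzip(headers):
    """True if any Accept-Encoding header lists gzip (q-values ignored here)."""
    for k, v in headers:
        if k.lower() == "accept-encoding":
            codings = [c.split(";")[0].strip().lower() for c in v.split(",")]
            if "gzip" in codings:
                return True
    return False

def origin_response(headers, reflected):
    """Toy origin server (assumption): echoes a request value beside a secret
    and compresses the body only when the request allows gzip."""
    body = (f"<p>You searched for {reflected}</p>"
            f"<input type=hidden value='{SECRET}'>").encode()
    if accepts_gzip(headers):
        return "gzip", gzip.compress(body)
    return "identity", body

def length_gap(headers):
    """Wire-length difference between a non-matching and a matching reflected
    value of equal length. Non-zero means the length leaks information."""
    miss = "csrf_token=1a2b3c4d5e6f708192a3b4c5d6e7f809"   # constructed, same length
    _, matched = origin_response(headers, SECRET)
    _, missed = origin_response(headers, miss)
    return len(missed) - len(matched)

if __name__ == "__main__":
    browser = [("Host", "bank.example"), ("Accept-Encoding", "gzip, deflate")]
    print("gap as sent by browser:  ", length_gap(browser))
    print("gap after filter rewrite:", length_gap(force_identity(browser)))
```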

Wednesday, August 7, 2013

Unsuspecting sites find themselves hosting child abuse imagery. But why?

The Internet Watch Foundation recently released a statement regarding the hacking of legitimate business websites to store illegal imagery of child sexual abuse. The imagery wasn't directly accessible from these unsuspecting sites, but linked to from external sources — including portals for legal adult content.

In the last 6 weeks, the IWF has received over 277 complaints from people who have happened upon this kind of content. But what could be the purpose for secreting illegal child abuse content on otherwise lawful sites? In order to avoid hysteria and misplaced action, we need to attempt to understand the cause, rather than the symptoms, or we risk an ill thought through, knee-jerk reaction.

Superficially, there seem to be three potential causes: the nefarious, the vindictive, and the political.

The nefarious route is the least savoury. In this scenario, the purpose of the act is to distribute child imagery for criminal users — its enthusiasts. It's an easy conclusion to jump to, and start raiding the barn for pitchforks, but it raises a few issues. Firstly, why would such sensitive, illicit content be distributed on the open web? Why would a more clandestine service not be used? If you are attempting to run an illegal commercial enterprise, it doesn't seem to make sense that you would do business out in the open, rather than using TOR or other 'Deep Web' facilities. There is an inherent risk of your content being found, and, thankfully, shut down.

There's an argument to be made (and very eloquently by your favourite blogger and mine, Tom Newton), that this space has been hacked and traded multiple times, with no connection between the owners and the original attack. That the whole process provides a smokescreen. However, why would a misdemeanour criminal who 'acquires' web space allow themselves to be attached to a much more serious crime? It seems that there would be a quickly falling house of cards, where bucks would swiftly be passed to evade serious punishment.

Finally, why would the link be placed into an open forum? In this case, links to legal adult fetish content arrived at the illegal material. Someone deliberately attempting to access illegal content might claim that there is a theoretical benefit: any analysis of the browser's web activity would suggest that they were innocently looking for something legal, and were "horrifyingly duped". This theoretical benefit seems to crumble under the exposure of having an unprotected public link to your illegal content. A link that many people could find and, thankfully, have reported.

That the content persists, rather than being deleted after some underground transaction, also seems to suggest either a significant lack of discretion, or that the content was meant to be found. Which brings us to: the vindictive.

The smear of being supposedly complicit in child sexual abuse is almost indelible. As operations Ore and Yewtree have shown, entire nations will stand up and take notice when this particular topic is raised. People in the public eye may not have been convicted, such as Massive Attack's Robert Del Naja, but lives can be ruined.

Because of this, the threat of being affiliated with such toxic material can become a weapon. Anecdotally, I have seen the behaviour of the delightful inhabitants of 4Chan, where anonymity and arguments run wild. Threats are made from behind the veil of the screen and the shield of the keyboard, and these threats can — and do — escalate. I've never witnessed anything that would entirely explain the current hacks, but I have seen threats of the planting of illegal material on people's computers, coupled with calls to the police. For more on the far-reaching implications of web activity, see the recent post by security researcher Brian Krebs, who was sent heroin by malicious online adversaries, with the intent of calling the police to implicate him. The drugs were acquired online, but were simply a tool.

In this scenario the child abuse imagery is also a tool of threat or extortion, rather than intended for criminal viewing. An enormously inflammatory weapon able to destroy reputations and lives. The unsuspecting owner of the website could be the target, or possibly a third party who is known to use the legal pornography site hosting the links. It could even be an attempt to extort the owners of the pornography site by suggesting that they are complicit in funding the material.

Still, until prosecutions commence, the idea that these hacks are designed to malign and ruin individuals (or businesses) is just one of many possibilities. The fact that these attacks have increased in the last 6 weeks gives rise to a timely third option... the political.

No post on inappropriate content would be complete without some commentary on David Cameron's plans for a UK-wide, ISP-level content filter. Criticism over the filter falls into two camps: the supposed hand of the nanny state, and the alleged technological ignorance on display. If you were keen to demonstrate that a domain-level Internet filter impedes freedom without providing protection, then showing that illegal — let alone "offensive" — material can be put onto reputable sites may erroneously be seen as direct action.

It seems inherently possible. Though why would conventional, legal adult content not be used to get the point across? Why risk affiliation with another serious crime? Why risk your political legitimacy by associating yourself with abhorrent material? And where do the links from adult sites come into play?

None of these options seem outlandish, and yet none completely fit the situation. There are undoubtedly myriad scenarios that haven't been considered here — please feel free to add in the comments.

The causes here aren't clear cut, but there continues to be one cause that is: working with the IWF to eliminate online child abuse content for good.