In my opinion, the Aussie government have always had a robust public stance on on-line child protection issues. However, it seems that they've wobbled a bit recently and dropped their own detailed Australian Communications and Media Authority (ACMA) child abuse content lists for the rather flat-footed INTERPOL 'worst of' lists. The Australian Financial Review has a detailed article on the politics behind the decision here - it makes for interesting reading especially as a foreigner with no axe to grind.
Better and more technically qualified people than I will tell you that the INTERPOL 'worst of' list is just that - it's also the slowest refreshed and the bluntest of tools. Blocking entire domains and IP addresses at DNS level is a concept and technology that belongs in the bad old days. And, more importantly, it really doesn't provide adequate protection for anybody, especially those who are affected by the abuse.
It is also surprising that the Aussies have taken this path, as the technology, resources and the will exist all around the world to do battle with this global and persistent threat. The guys at the Internet Watch Foundation and INHOPE (and their colleagues around the world) are delivering quantifiable results without adversely impacting on freedom of expression or access to legitimate content.
So - I applaud the Aussies for doing something - but I believe they (and we) can do better than implementing 'just enough' policies on on-line child abuse content.
We all work in the internet security industry, and as such we're involved with a wide range of technologies, markets and people.
Our collective blog is a space for our insights, observations and interests...
(N.B. The opinions expressed here are those of the individual authors, and not those of Smoothwall ltd or Smoothwall inc.)
Tuesday, November 20, 2012
Right Idea - Wrong Execution?
Monday, November 19, 2012
Block or Unlock?
With Facebook's announcement that they're slowly opting all their users into HTTPS, yet another large chunk of the web gets a welcome layer of encryption.
Welcome, of course, as it helps protect users' highly personal data - often all too recoverable by network sniffing tools - and decreases the possibility of cookie hijack. It's by no means perfect, but it's a great addition.
On the other hand, this SSLization of the web universe does pose a threat in businesses and schools alike - with more traffic going over HTTPS, the requirement for web filtering to intercept and decrypt this traffic rises. In many instances, the stark choice is to either block a site completely, or perform an intrusive "Man in the Middle" inspection. These issues are always going to be most keenly felt on BYOD devices where the MitM decryption would be both more intrusive technically, and socially - hey, it's my device, my traffic, keep out!
There are no silver bullets here. Sure, we can identify most HTTPS traffic's ultimate destination (it's Facebook, it's Google), but many organisations need a finer level of policy if they are to allow these sites - forcing safesearch is an important one for schools, or for businesses, maybe a restriction on Facebook posts.
The creeping tide of HTTPS is not going away - the only thing keeping more large sites from going fully SSL is the cost/speed tradeoff (encryption on that scale can be computationally expensive), but the need for web filtering for an ever more varied set of organisations has yet to wane either.
This is going to be a long and interesting ride... and I would welcome any comments from our readers on what they are doing to work around these problems, or what they think would be the ideal scenario.
Friday, November 16, 2012
Whose views are they anyway?
Have a look at your various social media accounts – do any of them contain the name of the company you work for? Do you post a mixture of work and personal material? If so the decision of the High Court released on the 16th November is something you need to be aware of.
A bit of background; an employee, who identified his employer on his Facebook page, posted some comments following a news story about gay marriage. The comments reflected the employee’s strongly held religious convictions. Some co-workers complained and the employer determined the posts amounted to gross misconduct and imposed strong sanctions.
The English High Court considered the case and finally decided that the employer had been wrong to class the employee’s personal Facebook pages as representing the views of the organisation. On this basis the action taken over the “gross misconduct” was unfounded and the employer was in breach of contract.
You might like to think that this decision was on the basis of the principles of freedom of expression, the Human Rights Act or some equivalent legislation – you would be mistaken. What it came down to was the balance of the posts that could be seen to be related to work and those that were purely personal.
In other words, if you freely mix posts about your work and social life, you could be opening up your social media account to considerably stronger scrutiny than you imagined. There has been a rash of cases recently that demonstrate how the “written” character of social media transforms the responsibility you bear for firing your views into the ether.
So what should we do – either you need to keep your work and personal profiles separate, or recognise that anything you say could be seen in a bad light by your employer, other players in your industry or regulatory bodies. It’s worth spending a few minutes’ thought on the matter. Personally, I’ve just taken any reference to work off my Facebook account!