
November 24, 2008

How do you protect your child online?

The Internet is a big place. It has a billion users, not all of them are honest, and some have evil intent. Adults have a difficult enough time keeping safe on the Internet. Now we have children using computers at earlier and earlier ages. How do we control that risk?


As always we have the folk whose answer is 'don't let the kids near it'. Which is often merely a way of evading the problem. One supposedly serious report from a supposedly serious learned medical body tells us that there is no proof that computers do not do harm so the 'safe' option is for parents to ideally stop their children using computers or to seriously limit their use. I found this advice offensive, as anyone with a scientific training should. Ignorance is never a sound basis for offering advice to others.


I taught myself to use a computer at 11. I have seen a child teach himself to read using a computer at three. There is no substitute for the human teacher, but it might also be the case that there is no substitute for the computer as well. No human teacher can compete with the patience of the machine.


So how do we start being serious about online child safety?


It occurs to me that one starting point for a serious consideration of online child safety would be to ask computer security specialists what they do. They have (or should have) a much better idea of the potential risks, and they are trained to evaluate potential solutions.


So if you have views on this I would appreciate you sharing them with me by email at hallam@dotcrimemanifesto.com. In particular I am interested in knowing:

  • What are the ages of your children?
  • Which child online safety issues have you considered?
  • What security controls have you employed?
  • Are there security measures that someone advised you to use that you consider to be misguided?

You can also comment in this thread, but for obvious reasons it is probably not a good idea to mention your own children if you do so.

November 13, 2008

Retraction? (Possibly)

Some time ago I posted on the Iranian missiles photoshop hoax (Drowning in disinformation).


Well now it appears that one of the sources that pushed the hoax story in the media has itself been involved in a complex hoax of its own. Martin Eisenstadt, purportedly the 'McCain Camp Adviser' who revealed that Sarah Palin did not know Africa was a continent, turns out to be a hoax.


So now we have at least two levels of hoax, possibly more. All of which reinforces my original argument that we need to establish more trustworthy sources of information in the Web.


Is the New York Times a trusted source of information? Well this week a fake copy was printed. And what was perhaps more surprising was the fact that a large number of journalists seem to have reported the group's claim to have printed 1.2 million copies without questioning the improbability of financing, let alone perpetrating a hoax on such a scale.


Is nytimes.com a trustworthy source of information? Well not http://nytimes.com/, that is for sure. Not without SSL security at the very least.

November 10, 2008

Every company is a target

THUS is a part of Cable and Wireless that operates in the UK. It is also a victim of phishing, or at the least brand impersonation.


The scam in this case appears to be an advance fee fraud. People are told that they have a job and just need to pay for the visa application. The mails are of course sent out by crooks; this is a scam.


There have been similar scams involving lotteries, but these tended to involve the larger companies that could conceivably have a PR budget to do such stuff. This is a scam that can affect pretty much any company larger than a corner shop.

November 6, 2008

Election campaigns targeted by hackers

Now that the 2008 US election is over, the Newsweek reports from reporters embedded in the campaign are coming out.


The top cyber-security news is that the Obama campaign was successfully penetrated by some form of Trojan and files uploaded from the machine.


While the source of this particular attack is unknown, and will probably remain so, the potential has been demonstrated. What might well have been an opportunistic attack in 2008 will almost certainly be followed by well planned and executed plans in the 2012 campaigns.


Even though the machines in question would not have stored classified information, the potential for manipulating policy through an IT compromise of a campaign is in some ways more significant than an IT compromise at (say) the state department.


The risk is not so much that a foreign power might change the outcome of the election as that they might influence the policy platform that the campaign runs on. Once an administration is formed, the apparatus of policy formation is slow and cumbersome; it takes a great deal to blow it off course. But during a campaign, the smallest of gusts can capsize a vessel with the right timing. Even though campaign promises are not the same thing as policy, there is a definite connection.


The bottom line is that security of campaign communications matters at least as much as security of administration communications. And this is only one example of the fact that in the Internet age, national security rests on the whole information infrastructure and not just the tiny fraction that is run by the government.

November 5, 2008

Protecting against malicious use of DMCA notices

[Note, this post was prepared on Oct 15th but for reasons that will become obvious, posting was delayed until today]


Whatever else may be said about the 2008 US Presidential election, the Web did the job we intended it to do back in 1992. The 2008 election was not the first election in which the Internet (and indeed the Web) were used. In fact I ran a Web server with material from all of the parties back in 1992 and the Clinton-Gore campaign had an online campaign in that election run by Jock Gill.


But 2008 is the first election in which the agenda was not entirely set by the establishment media which would much rather debate lipstick on a pig than healthcare, education or the economy.


So much for self congratulation. Now to look at what did not work.


One of the biggest problems was that at the same time the Web makes it easy to make information available, it also makes that information less easy to trust. Unlike the 2004 election the 2008 election has not had whole media cycles dominated by fake photographs (Kerry/Fonda) or forged documents (aka Rathergate). But that seems to have been as much because people are much less likely to trust the information they see.


The good part is that we are less likely to be fooled. The bad is that we are less likely to be informed. We need to have a mechanism that allows people to actually trust their eyes.


This problem has many aspects and will take many years to solve completely. But a good starting point would be to look at the issue of copyright and in particular the use of DMCA takedown notices to suppress speech, as happened during the campaign.


The basic facts are that the McCain/Palin campaign uploaded videos to YouTube. YouTube then received DMCA copyright notices and the videos were removed. Whereupon the McCain/Palin campaign complained that their free speech was being suppressed and that videos from the campaigns should be vetted manually. In response to which Google said that they were not going to create special categories of content.


It is very easy to get into arguments about which side is right and overlook the fact that these goals are not necessarily incompatible.


In particular, the real problem here is a failure of accountability. The DMCA was written to address the problem of copyright infringement by unknown, unaccountable parties. It contains a provision for an objection to be made against a takedown notice. The whole point of DMCA is to identify the parties to a dispute so that it may be resolved in a court of law.


So why not allow any party to sign their uploaded content with a digital certificate that contains their authenticated business address? We have all the infrastructure in place to issue such certificates today (although Google can hardly be expected to have the code to make use of them.)
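The proposal above, sketched with the OpenSSL command line as an added example (not code from the original post): a stand-in CA issues the uploader a certificate whose subject carries a business address, the uploader signs the file, and the hosting side recovers that address only if both the chain and the signature verify. All names, the address and the `accountable_uploader` function are constructed for illustration.

```shell
#!/usr/bin/env bash
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# 1. Stand-in CA (constructed). In the proposal this is a public CA that
#    has checked the subscriber's business address before issuing.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/O=Example Validation CA/CN=Example Validation CA" \
  -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null

# 2. Uploader key and certificate; the subject carries the address (constructed).
openssl req -newkey rsa:2048 -nodes \
  -subj "/C=US/ST=Virginia/L=Arlington/street=100 Example Street/O=Example Campaign Committee/CN=Example Campaign Committee" \
  -keyout "$work/up.key" -out "$work/up.csr" 2>/dev/null
openssl x509 -req -in "$work/up.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
  -CAcreateserial -days 30 -out "$work/up.crt" 2>/dev/null

# 3. Uploader signs the content before upload (placeholder bytes, not a real video).
printf 'constructed video bytes' > "$work/video.bin"
openssl dgst -sha256 -sign "$work/up.key" -out "$work/video.sig" "$work/video.bin"

# 4. Hosting side. Prints the certificate subject, i.e. the party a disputed
#    takedown can be referred to, only when the certificate chains to the
#    trusted CA and the signature matches the content. Fails otherwise.
accountable_uploader() {  # args: content signature cert trusted-ca
  openssl verify -CAfile "$4" "$3" >/dev/null 2>&1 || return 1
  openssl x509 -in "$3" -pubkey -noout > "$work/pub.pem" || return 1
  openssl dgst -sha256 -verify "$work/pub.pem" -signature "$2" "$1" \
    >/dev/null 2>&1 || return 1
  openssl x509 -in "$3" -noout -subject -nameopt RFC2253
}

accountable_uploader "$work/video.bin" "$work/video.sig" "$work/up.crt" "$work/ca.crt"
```

The signature binds the address to the exact bytes uploaded, so a modified copy of the file no longer verifies and yields no accountable party.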