When I was a kid my dad asked me what I wanted to be when I grew up. I of course said I wanted to be the CTO of a fast growing ISP with prospects Dad was somewhat confused with this and told me not to be a silly boy because the internet hadn’t been invented yet and I should learn to be a doctor or a judge or pursue some similarly respectable form of employment.

Some days it feels as if dad will end up having his own way and I will end up as a judge. In the news this morning is yet another report suggesting that ISPs should put together a code of practice in respect of taking down websites that do something we aren’t supposed to like.

There is a lot of this going on. If it isn’t the movie and music industry rightsholders wanting us to block sites promoting copyright infringement it’s Nominet in cahoots with the police trying to suspend domains allegedly supporting criminal activity.  Today its a Home Affairs Committee reporting on radicalisation suggesting that ISPs need a voluntary code of practice that supports the  taking down of websites containing violent extremist material.

Glancing through the report the committee did cover the issues surrounding radicalisation and the internet with reasonable thoroughness. For example it was recognised that there were existing legal mechanisms that allowed the take down of websites if they were breaking the law.

Now hands up if you think it is a good thing to kill people because they don’t have similar religious views as your own (leave a comment)? Okaay now hands up if you think this is a bad thing – “Like”, “tweet”  or “+1″ if this is you.

Now next question how many of you think it is a good thing for you to take decisions that have up until now been thought as the role of a high court judge – ie difficult ones that have serious implications if you get it wrong.

Because the whole world has moved or is moving onto the internet laymen (OED – a category of person often comprised almost exclusively of politicians) latch on to the idea of controlling that new world and stopping people accessing bits of it. In isolation some of these desires may not seen unreasonable. In reality when you take the whole picture into consideration the sum of these “not unreasonable” parts amounts to wholesale censorship.

If we are not careful the internet will turn into a police state. I’m not scaremongering here¹. There will be some roads waves you can’t walk surf because of fear of being seen by some authority somewhere to be associating with a website or concept even that displeases someone in authority.

Keep the internet open. Keep politicians away from the internet. We don’t need internet specific laws – we just need someone to make existing ones work. Layering codes of practice on codes of practice is not the way to do it.

¹ well I might be but I voice what should be a real concern to people

Tweet

Tinterweb is a wonderful place full of  great things that can change our lives. Of course we all know it is also full of pitfalls, dangers, threats, hazards, risks, problems, exposure, troubles and perils ¹.

I have just discovered the McAfee quarterly “Threats Report” . If you haven’t read it you need to rectify the situation. It is an amazing compendium of the threats to which we are exposed when we reach out into the land of the hypertext transfer protocol.

For the convenience of the busy reader I have selected some extracts for your delight.

• In Q2 the Android mobile operating system became the most “popular” platform for new malware.
• By Q3 Android has become the exclusive platform for all new mobile malware.

Look out that your phone doesn’t start texting premium rate numbers or broadcasting your personal data or even, as is the case with Android/NickiSpy.A and Android/GoldenEagle.A, start recording your telephone conversations. Don’t give any banking information over the phone will you. The malware stays on your phone for an extended period of time to make sure it catches the right phone conversation!

I’m not a worrier but I have started to think more about protecting myself and my family when communicating. There are some security solutions on the market and I will give them a go over the next few weeks and report back.

The McAfee report has tons of interesting stuff in it – Botnet growth by region, Social Media threats, new “bad reputation” URLs per day (hits 40,000 some days!!!). There are currently over a quarter of a million Active Malicious URLs. The report even tells you the going rate for Crimeware tools – $1,500 for Linux exploit tool LinuQ (with private exploit) – if you are unfamiliar with this don’t ask – it’s a need to know job and I don’t know.

I encourage you to read the report to which I link again here.

¹ My thanks to Roget’s Thesaurus for this contribution

Tweet

Akismet is a seriously good spam catcher. I just took a look at the comments it has trapped recently. Not clicked on any of the links but there is a wonderful range of products being pushed:

pre-workout supplements, SEO, LA Weightloss (to offset the pre workout supplements presumably), healthy food ideas, free online background checks, pharmaceutical delivery service, wedding photography, kitchen appliances, custom cabinet design!, Scottish mountain biking, a bar in London for stag nights.

Some of the comments appear to be quite carefully crafted responses the the post – as if they really are relevant. Anyway I’ve just deleted 103 of them. Sorry if yours was a genuine comment and is not approved. Keep em coming

Tweet

We, the world, are still finding our feet on the internet, or more accurately the world wide web. The www is a great place to be and at the same time full of pitfalls and nasties. Much like real, physical life really. I taught my kids not to take sweeties from strangers – that applies on or offline.  In recent years I’ve added “don’t click on links you aren’t sure of” and probably a few other words of advice specific to tinterweb.

That’s a piece of wisdom relating to the www that had he but known it shows Charles Darwin’s theory of evolution in action. Survival of the fittest and all that.

It isn’t just the consumer that is still trying to understand the landscape of the www. Government is, business is, as I said we all are.

The good folks at .uk registry Nominet are also trying to understand where they fit into all this. Nominet has come under scrutiny in recent years over its corporate governance. Nominet is after all responsible for a key part of the strategic infrastructure of UK plc. Looking after .uk is a very important job. This post is not all about Nominet’s corporate governance. I’m sure with all the eyes that have been gazing its way this is squeaky clean.

The one issue that we do have to consider though is that positioned as it is in the heart of the UK’s internet/www infrastructure Nominet is an easy target when it comes to people wanting to influence or affect that infrastructure.

The current case in point is a working group that “has brought together a cross-spectrum of interested stakeholders who have worked through a consensus driven approach to develop a set of principle-based recommendations to the Board on the matter of dealing with domain names used in connection with criminal activity. “

Nominet wants to work with law enforcement agencies to take down domains that appear to be involved in criminal activity where

1. The nature of the alleged criminal activity creates a clear risk of “imminent serious harm” to an individual or individuals. “Imminent serious harm” is defined as urgent or on-going harm. This would include, but is not limited to, the following examples: phishing, fraud, the unlicensed sale of medicines or other regulated goods and services, and botnets; or,
2. The domain is directly involved in the criminal distribution of counterfeit goods.

Now it is difficult for anyone to object to this. Nominet wants to do this is a fast and efficient manner – not in itself a problem either.

The problem lies in the fact that Nominet wants to do this without being in receipt of a court order – the process of obtaining which can be laborious. The proposal is that an authorised senior officer of a relevant Law Enforcement Agency will contact the registrar as a “trusted party” and declare that the suspension of a specific domain name is proportionate, necessary, and urgent, and that the agency is seeking suspension under the principle of last resort.

The issue is that here in the UK we have independent judges in place to decide on whether something is illegal or not and we don’t leave this decision to others. It is the same argument I have against the implementation of the Digital Economy Act notification system although I’m sure that no one is intending to compare “infringers” as defined by the DEAct with the “criminals” Nominet is seeking to thwart.

The Nominet draft proposals do provide for an appeals process but again this is highly redolent of the DEAct also with no defined structure or timescale.

Although this has surfaced before I’ve stayed relatively quiet on this one up until now but Nominet is looking to finalise its proposals on Friday so this does need mentioning.  I think the right answer here is along the lines I have previously discussed on this blog and that is to provide a judiciary that is agile and knowledgeable of the ways of new technology. If the judge can move quickly the all Nominet has to do is to provide a rapid response to that judge’s pronouncement and not to seek to do part of his job.

Tweet

Jonathan Radford our CFO is one of the least techy guys you could hope to meet.  He is often also the source of ideas for this “technical” blog because technology now reaches absolutely everyone on this planet one way or another.

Today he came up for a chat about Internet 2 and Project Phoenix and left me with a newspaper clipping from the FT (I said he wasn’t a techy – anyone else would have sent me a link). The point is though that the technology related article interested him because he could understand its implications for him personally.

The article concerned internet pioneer Vint Cerf’s comments re the need to start again with internet security. The internet is an open network currently running on the basis of trust. Starting again Cerf says he “would have put a much stronger focus on authenticity or authentication” and quoted Ori Eisen’s Project Phoenix as an example of the way forward (see original FT article for more on this).

You only have to note the recent spate of Twitter spam attacks to understand why a rethink on network security is necessary. People’s Twitter accounts have been compromised and have been sending Direct Messages to their followers with the text “Bad blog going around about you, heard or seen it yet?” and a link to a website that will rip your own Twitter credentials.

You might think having your Twitter account compromised is more of an embarrassment rather than a big security issue but do you by any chance use your Twitter password for other online logins? You might be opening up the door to a Pandoras Box of information about yourself that could be very interesting to someone trying to steal from you.

None of the recent scams have caught me out but it must just be a question of time. One weak moment when I’m tired …

Note the subject of security was high on everyone’s agenda at last week’s IT Directors Forum. It mostly related to the issue of Consumerisation of IT and people bringing in their own devices for use in the office.  The extent to which this was a problem depended on whether you were in a regulated industry or not but it was still a general concern.

It seems likely to me that were we to live in a properly authenticated internet world then CoIT and BYOD would be less of an issue as everyone would be using appropriate measures to secure their personal data. It is something we do need to sort because I am getting to the point where I often don’t click on a link just in case it is malicious, and that ain’t good.

PS Ori Eisen works for 41st Parameter website  Twitter.

PPS my 11 year old’s school homework over the weekend concerned online safety. Was a good opportunity for me to chat to him about it.

Tweet

The mobile communications market has for years been characterised as a commodity space. Selling mobile services was largely a matter of who offers the best price.  The rise of the smart phone and the pursuant growth in mobile data is changing this.

Price is still important but these devices are so expensive that the amount of hard cash people (consumers) are willing to spend on their mobile contract has grown considerably. I know this from first hand experience having a 19 year old student son who spends not an insubstantial amount of his monthly budget on an iPhone4 contract.

This in turn is a source of angst for businesses who have not traditionally provided the bulk of their staff with top of the range handsets. Unless you have been in a media vacuum over the last six months you will know that this has led to a phenomenon known as Consumerisation of IT and the Bring Your Own Device (BYOD) revolution.

I have written about this before. As a provider of mobile services

to business customers BYOD is a real area of interest. BYOD poses a problem to our customers because their employees are using personal handsets to access corporate assets without the traditional levels of scrutiny security and control that came with, for example, the BlackBerry Enterprise Server.

A lost phone can now be a real source of concern to a business, in particular because of the greater amounts of information these devices are capable of storing. They are no longer phones. They are hand held computers.

The growth of “the cloud” and its increased use by Small and Medium sized Businesses is bringing the problem into the domain of smaller companies. Suddenly information security is important to them.

Aside from anecdotal evidence and the occasional high profile PR stunt aka the lost iPhone5 there is very little data around to highlight the extent of this problem. Reports that do exist are USA based and cover the enterprise market. Big business has always taken more care over mobile device security. This is partly because the Mobile Device Management tools used to address the problem are expensive and partly because their exposure is greater in the event of an issue (ie lost phone).

As a mobile ISP with a significant stake in the SMB market Timico decided to commission a “Mobile Working Report – Consumerisation of IT and Bring Your Own Device Trends”. Using research organisation One Poll we talked to SMB Directors and had some interesting results.

72% of businesses were concerned about employees bringing their own devices to work. 42.5% of businesses questioned lost (or were stolen) up to 20 handsets a year. 30.5% of businesses lost between 20 and 100 devices a year. This did astound me somewhat but I did a sanity check with our customer service teams  and found that customers reporting lost phones is almost a daily occurrence.

Only 31% of respondents said they don’t have a policy for BYOD. You have to read between the lines here because the high number of organisations with such a policy almost certainly do not allow staff to use their own phones at work.

81.5% of those concerned about BYOD said they would probably allow it if they had a Mobile Device Management solution that protected company data on the personal phone.

Cost appears to be the least of their worries (21.5%) with security (75%) at the top of the list.

The report covers a number of vertical markets and has some interesting sector based output. “Not for profits” see BYOD as a real opportunity to save cash. Allowing people to use their own phones means not having to provide a company device as long as “proper management” of these phones is addressed.

For me the biggest surprise was that of all the market sectors looked at the finance industry came out as the least likely to have addressed the security issues – 77% of directors in this area either did not protect or did not know if they protected company data if the phone was lost. What’s more 55% of the finance firms questioned lost more than 20 devices a year!

This report has certainly given us food for thought and suggests to me that there is a real market opportunity in providing a solution to the BYOD issue in the SMB space.

The full report is here – it is definitely worth a quick read.

Tweet

If you have been trying to access the telegraph online or TheRegister tonight you might come in for a bit of a surprise as the sites look as if they have been hacked.  More specifically it looks like some  Domain Name Servers have been hacked, diverting traffic to other pages.  Many people will not notice.

Click on the header to see more of what the Register site currently looks like. At this point in time the hack is less than 30 minutes old so I don’t have any more info but if I get a chance I’ll update the post as news comes in. Or just Google it. I saw it first on Twitter.

Tweet

Interesting to note that 8 out of the top ten keywords for visitors to this blog over the last month have been related to either FTTC or silkroad with 4 each.

I can understand the FTTC interest and I was an early writer on this subject so get decent Google rankings. As far as SilkRoad goes either there is not much written out there about the subject or there are huge numbers of people trying to find out more about it – human nature I guess!

As far as Bitcoin goes the underground currency seems to have recovered following the Mt. Gox crash. My original source for info seems to have stopped publishing at the time of the crash – 19th June. However it is now visible elsewhere and is trading at not far off the levels seen at Mt.Gox before the crash (for what it’s worth!).

PS whilst the two subjects seem totally separate FTTC and SilkRoad do obviously inhabit the same online universe. People will be using FTTC to access Bitcoin trading sources. I’m not sure that we will ever see the day when BT accepts payment for FTTC using Bitcoin though.

Tweet

Meet @Dantiumpro aka Dan Summers, UK National Cybersecurity Champion.  Dan came to stay with the Davies family on Saturday night and we went out for a few beers to belatedly celebrate his win.

I met Dan through Twitter and, believe it or not, this was our first physical meeting.  In fact we only decided to do it that lunchtime via Twitter – he had the day off on Sunday. Dan currently works as a postman for the Royal Mail in Wakefield but following his victory, in which he beat off 4,000 contenders, he is moving departments to look after Information Security for the Royal Mail Group.

It’s a great story and clearly Dan is no ordinary postman. The competition involved cracking ciphers to break through different layers of security. I’d tell you more but it’s on a need to know basis:)  Dan is no one trick pony.  He is also a poet and has started contributing to philosopherontap under the pseudonym Dantiumpro which happens also to be his Twitter handle.

It’s good to know that the Royal Mail is going to be secure in his hands. Note they are making him deliver the mail right up until next Saturday after which he gets one day off before starting the new job.

It’s also good to know I have a very understanding wife who puts up with these spur of the moment houseguest decisions:)

Tweet

Yesterday I read a flurry of reports on a new web service called silk road. This is a “totally anonymous” website that looks like it has initially been set up to facilitate drug deals. Payments are made using Bitcoin, a “virtual” digital currency that allows “untraceable” transactions to be made using distributed Peer to Peer technology.

A quick Google search for Silk Road last night revealed nothing but changing search terms this morning I found it.The first result took me to the following post:

Hi everyone,

Silk Road is into it’s third week after launch and I am very pleased with the results. There are several sellers and buyers finding mutually agreeable prices, and as of today, 28 transactions have been made!

For those who don’t know, Silk Road is an anonymous online market.

Of course, it is in its infant stages and I have many ideas about where to go with it. But I am turning to you, the community, to give me your input and to have a say in what direction it takes.

What is missing? What works? What do you want to see created? What obstacles do you see for the future of Silk Road? What opportunities?

The general mood of this community is that we are up to something big, something that can really shake things up. Bitcoin and Tor are revolutionary and sites like Silk Road are just the beginning.

I don’t want to put anyone in a box with my ideas, so I will let you take it from here…

-Silk Road staff

This is a fairly astonishing post in itself. It was published on 1^st March and has since then attracted 36 pages of responses and comments.You can see for yourselves.

The signature in the post leads to two sites: silkroadmarket dot org (I don’t particularly want to link to it) and a hidden service with a .onion link.

This first on is merely a placeholder with a challenge for you to look a little harder. The clue lies in the second link.

Clicking on it gets you nowhere but if you dig into the.onion address format you will find the Tor Project.

“Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.”

“The Tor Project wins the “Project of Social Benefit” award from the Free Software Foundation and GNU Project. We are honored to win this award and to be listed amongst the former winners.”

Tor uses a P2P client on your desktop to protect your anonymity. Silk Road is only accessible using Tor.

Now I’m a nice guy. I tend to not knowingly mix with the criminal fraternity and indeed I haven’t downloaded the Tor client, accessed the Silk Road marketplace or “bought” any bitcoins, though I’m not sure that taxation and control issues apart, the latter is any different to paying for virtual products on the likes of Facebook using real money.

This whole story reveals some interesting points.

Firstly there is a burgeoning internet underworld that most of us don’t see or in which we do not participate. No different to the real world there I guess.

Secondly the technology that has been developed to access this underworld has legal uses as well as illegal – journalism, activism, market research, private personal communications are a few named on the torproject website. Anything really where someone might want to do something but remain anonymous. So possession of a Tor client is not in itself a pointer towards any kind of guilt, though it might attract a finger of suspicion amongst some folk of a specific human nature.

Bringing P2P into the picture makes tracking and control hugely difficult for those whose job it is to bring criminals to book. Not necessarily impossible but not something that can be done at a flick of a switch.

The real point is that whilst buying drugs from Silk Road (or weapons, racehorses or any other potentially stolen goods etc) might not be your thing there is a very real possibility that this type of technology will become established as an everyday tool for everyday people.

It doesn’t take a huge leap of the imagination to see how an anonymity client could go mass market.

For example I have been playing with Location based services. I periodically check in on Foursquare and am now proud to be able to say that I am mayor of 14 locations including Lincoln Cathedral, two pubs and the local rugby club (believe me they are compatible ). I also allow my location to be published on Google Latitude.

I don’t know where any of this is going but I am stringing along with it for now. There will however come a time where 4square needs to give me something back, something more than the “kudos” of being mayor of arbitrary locations (bring on the bling!). Otherwise it runs the risk of losing its attraction and being seen as intrusive.

Also yesterday I was using Google to search for a waterproof coat for one of my kids. Sometime later, as I was reading the Guardian article on Silk Road, an ad was pushed to my screen selling me a brand of waterproof clothing. I was uncomfortable with this. I realise that I can probably control this, delete cookies, private browsing etc but it is a faff and the whole thing brought Phorm to mind. It also makes you think hard about the practices of what by now are huge corporations such as Google.

So it isn’t hard to see how everyone might want to adopt technology such as Tor. It would likely be a single, fire and forget, installation. We would need to build up a degree of confidence in Tor itself but being an open source proposition with full transparency takes contributes a lot towards this. I can imagine subscribing to a fully managed serviced that does it all for me.

Government also needs to take note. Tracking a criminal may be doable, with huge amounts effort but tracking millions of people allegedly infringing copyright for example would just not be viable. This technology would also render efforts to filter pornography (or any other content considered to be out of favour by the government of the day) totally useless.

And there is no way we could stop it. It may be that privacy services such as Tor become the norm though there are clearly huge issues that  society will have to get to grips with. For example it is difficult to imagine the whole economy moving to a bitcoin model.  Whatever happens it seems that technology relating to the internet is developing far faster than legislators can think. Interesting eh?

PS I don’t know whether you can buy a racehorse at silkroad. I haven’t looked myself and I wouldn’t advise getting involved.

Tweet