The Windows Network Connection Status Icon (NCSI)

Last night, whilst working in the Premier Inn close to the office, I noticed the browser going to an interesting URI after I connected to the hotel Wi-Fi.  That URI was http://www.msftconnecttest.com/redirect and a little more research tells me it’s used by Windows 10 to detect whether the PC has an Internet connection or not.

The feature is actually the Network Connection Status Icon (NCSI) and, more accurately, the URIs used are:

The URI I saw actually redirects to MSN whereas the ones above return static text to indicate a successful connection.

For those who want to know more, there’s a detailed technical reference on TechNet, which dates back to Windows Vista and an extensive blog post on the Network Connection Status Icon.
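As an added illustration (not from the original post or from Microsoft), the sketch below classifies the answer to an NCSI-style web probe as genuine, intercepted (as on a hotel captive portal) or absent. The probe URLs and expected strings are the Windows defaults as I know them rather than values listed on this page, and the `classify` and `fetch` names are hypothetical.

```python
import urllib.error
import urllib.request
from typing import Dict, NamedTuple, Optional, Tuple

# Assumed Windows defaults (not listed on this page): probe URL -> expected body.
PROBES = {
    "http://www.msftconnecttest.com/connecttest.txt": "Microsoft Connect Test",
    "http://www.msftncsi.com/ncsi.txt": "Microsoft NCSI",
}


class Verdict(NamedTuple):
    state: str   # "internet", "intercepted" or "no_response"
    reason: str


def classify(url: str, status: Optional[int],
             headers: Dict[str, str], body: str) -> Verdict:
    """Decide what one probe response says about the network we are on."""
    expected = PROBES[url]
    if status is None:
        return Verdict("no_response", "no HTTP answer (DNS, TCP or timeout failure)")
    if status == 200 and body.strip() == expected:
        # The probe is plain HTTP, so this only shows that the expected text
        # came back; it does not authenticate whoever sent it.
        return Verdict("internet", "expected static text returned")
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if 300 <= status < 400 and location:
        return Verdict("intercepted", "redirected to " + location)
    if status == 200:
        return Verdict("intercepted", "HTTP 200 but the body is not the probe text")
    return Verdict("intercepted", "unexpected HTTP status %d" % status)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers instead of silently following them to a portal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 5.0) -> Tuple[Optional[int], Dict[str, str], str]:
    """Fetch one probe URL and return (status, headers, first bytes of body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(512).decode("latin-1")
    except urllib.error.HTTPError as err:   # raised for the unfollowed 3xx, 4xx, 5xx
        return err.code, dict(err.headers), err.read(512).decode("latin-1")
    except (urllib.error.URLError, OSError):
        return None, {}, ""


if __name__ == "__main__":
    for probe_url in PROBES:
        print(probe_url, classify(probe_url, *fetch(probe_url)))
```
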

Consumer banking security: two (or three) tales of farce

I’ve written before about the nonsensical nature of UK banking websites, with security theatre that’s supposed to make us feel that a sequence of restrictive usernames, passwords, passcodes and memorable words (all passwords of one form or another) linked with publicly available information (date and place of birth, etc.) is somehow keeping us safe.

Unfortunately, that farce looks set to continue for some time to come…

Second factor authentication

Recently, my bank (First Direct) went a step further in an attempt to introduce a second factor to its logon process (i.e. something I have, in addition to something I know).

“Bravo”, I thought, “at last, similar security measures for consumer banking, to those that are used on the back-end by employees”… except I was wrong.  At least, I hope I was.

First Direct gave me three options:

  1. Send me a device to generate a secure key.
  2. Use an app to generate a digital secure code.
  3. Continue using the old methods for Internet Banking logon, with reduced functionality.

On the basis that any device sent to me is unlikely to be where I am when I need it, I elected for the app option and, after upgrading the First Direct app on my phone, I went through a registration process.  I don’t recall the details of the process but the end result is that I now have a “Digital Secure Key password” (oh goody, another password!) in the mobile banking app, that can be used to generate a code to log on to the full website via my browser.

And how complex is this “Digital Secure Key”? Just 6-9 alphanumeric characters – no better than a very simple password – and as that’s now the only level of security between a mobile phone thief and my bank account (aside from a PIN on the phone), the app on my phone is actually less secure than it was previously with the username/memorable data combination!

Still, at least there is some kind of second factor for website access…

Never write down your PIN (except when the bank does that for you…)

We all know that we shouldn’t write down the PIN for our cards, yes?

Ever.

It’s in the terms and conditions for your account – and if the bank suspects you have compromised security in this way they are unlikely to be able to help if there is fraud.

I have a Hilton Hhonors Visa card, provided by Barclaycard and, a few weeks ago, they sent me a new card as part of the rollout for Visa payWave (contactless) functionality.  The card had a sticker attached, telling me to use it from 23 June – and in the meantime I could use my old card. Separately, they sent a new PIN (quite why my new card couldn’t use my old PIN is beyond me) and, as soon as I received it, I went to an ATM to change the PIN to one I would remember.  Except I couldn’t – because the card wouldn’t work until 23 June!  I even tried using a Barclays ATM.

In the end, I had to keep the card and the PIN in my house for a few weeks until they were both valid.  Doesn’t seem very secure to me… and I wonder who would be liable if the card and the letter had both been stolen in the meantime?

And don’t get me started about 3-D secure

Verified By Visa.  Mastercard SecureCode. Just another password to remember – and as far as I can tell just a way for the banks to pass fraud risk on to merchants!

Half-baked cookies…

I don’t know if this website uses cookies. I think it probably does because I have Google Adsense code and Google Analytics code in place. It wouldn’t surprise me if WordPress uses some cookies too but, like many bloggers, I use off-the-shelf software and, as long as it works, I don’t worry too much about how things happen.

Unfortunately, some half-baked EU directive about privacy and cookies (half-baked – get it…) takes effect this month after even the UK government needed a year to get its act together (the Information Commissioner’s Office, which is responsible for enforcing the associated UK legislation, only removed its last cookie in March).

What’s worse is that the ICO’s guidance for website owners is really difficult to follow. Peter Bryant (@PJBryant) pointed me at an article in PC Pro magazine that suggests I should be OK without doing anything, meanwhile Kuan Hon (@Kuan0) from the Cloud Legal Project at Queen Mary University suggested a few weeks ago that we all need to be looking carefully at our sites if we want to avoid a fine…

I’m no lawyer and I can’t afford to be paying fines so I checked out some WordPress plugins that might help me. Some were linked to websites that should check my site for cookies… except they didn’t seem to work – and, anyway, I don’t really want to be making a big deal about cookies (they are, mostly, harmless).

I selected a very simple plug-in called Cookie Warning that presents a message (importantly, not a pop-up) to first time site visitors. The message is customisable (although changing the size of the text on the buttons will involve me editing the plugin) and it seems to be enough for me to gain consent from users. Importantly, it doesn’t seem to impact the way in which search engines see the site.

Only time will tell if this change negatively impacts my traffic – I’d like to think that most of my visitors understand enough about cookies to realise that this is not really such a big deal – but it will be interesting to see how this pans out over the next few months as companies big and small update their sites to comply with the legislation.

IPv6 switchover – what should CIOs do (should they even care)?

It’s not often that something as mundane as a communications protocol hits the news but last week’s exhaustion of Internet Protocol (IP) addresses has been widely covered by the UK and Irish media. Some are likening the “IPocalypse” to the Year 2000 bug. Others say it’s a non-issue. So what do CIOs need to consider in order to avoid being presented with an unexpected bill for urgent network upgrades?

Focus have produced an infographic which explains the need for an IPv6 migration but, to summarise the main points:

  • The existing Internet address scheme is based on 4 billion internet protocol (IPv4) addresses, allocated in blocks to Regional Internet Registries (RIR) and eventually to individual Internet Service Providers (ISP).
  • A new, and largely incompatible version of the Internet Protocol (IPv6) allows for massive growth in the number of connected devices, with 340 undecillion (2^128) addresses.
  • All of the IPv4 addresses have now been allocated to the RIRs and at some point in the coming months, the availability of IPv4 addresses will dry up.
  • Even though there are huge numbers of unused addresses, they have already been allocated to companies and academic institutions. Some have returned excess addresses voluntarily; others have not.

The important thing to remember is that the non-availability of IPv4 addresses doesn’t mean that the Internet will suddenly stop working. Essentially, new infrastructure will be built on IPv6 and we’re just entering an extended period of transition. Indeed, in Asia (especially Japan and China), IPv6 adoption is much more mature than in Europe and America.

It’s also worth noting that there are a range of technologies that mitigate the requirement for a full migration to IPv6 including Network Address Translation (NAT) and tunnels that allow hybrid networks to be created over the same physical infrastructure. Indeed, modern operating systems enable IPv6 by default so many organisations are already running IPv6 on their networks – but, whilst there are a number of security, performance and scalability improvements in IPv6, there can be negative impacts on security too if implemented badly.

Network providers are actively deploying IPv6 (as are some large organisations) but it’s likely to be another couple of years before many of the UK and Ireland’s enterprises consider widespread deployment. Ironically, the network side is relatively straightforward and the challenge is with the hardware appliances and applications. The implications of a 100% replacement are massive; however, a hybrid approach is workable and will be the way IPv6 is deployed in the enterprise for many years to come.

So, should CIOs worry about IPv6? Well, once the last IPv4 addresses are allocated, any newly formed organisation, or those that require additional address space, will only be accessible over the new protocol. Even so, it will be a gradual transition and the key to success is planning, even if implementation is deferred for a while:

“The move to IPv6 will take a long time – ten years plus, with hybrid networks being the reality in the interim. We are already seeing large scale adoption across the globe, particularly across Asia. Telecommunication providers have deployed backbones and this adoption is growing, enterprise customers will follow. Enterprises need to carefully consider migrations: not all devices in the network can support IPv6 today; it is not uncommon for developers to have ‘hard-coded’ IPv4 addresses and fields in applications; and there are also security implications with how hybrid networks are deployed, with the potential to bypass security and firewall policies if not deployed correctly.” [John Keegan, Chief Technology Officer, Fujitsu UK and Ireland Network Solutions Division]

As for whether IPv6 is the new Y2K? I guess it is in the sense that it’s something that’s generating a lot of noise and is likely to result in a lot of work for IT departments but, ultimately it’s unlikely to result in a total infrastructure collapse.

[This post originally appeared on the Fujitsu UK and Ireland CTO Blog and was written with assistance from John Keegan.]

How to be an Internet private eye

This post makes me slightly uneasy… most of the information is taken from a presentation I saw recently – so I would like to give credit to the original presenter, except that he specifically asked me not to.  The reason for this is that he’s not a lawyer, and he was worried that perhaps some of this advice may not be legal in certain jurisdictions.  I’m not a lawyer either, so I’ll make a statement up front: I think the activities suggested in this post are legal in the UK (where I live), but I’m not qualified to give advice on this.  Before carrying out any of the actions in this post, it may be advisable to check the legal situation in the country where you live (and/or where the websites you are checking out are hosted).  I can not be held responsible for any actions taken by others based on the advice I have published here and my sole purpose in publishing this information is to share what may be useful to others when trying to protect their personal or professional identity online… in short, I am aiming to do the right thing here…

Your identity (whether it’s personal, or a corporate brand) is precious.  Sometimes, unscrupulous individuals, or those who may have a grudge against you, may impersonate you or your brand online.  When that happens, it can be useful to know a little more about who is using your identity as you attempt to reclaim it. Hopefully some of these suggestions will be useful in tracking down who is using your identity, whether it’s to send unsolicited e-mails, to (mis-) use your brand or trademark online, or just to get some idea of your own online footprint.

It can be quite interesting to understand your Internet footprint – and automated tools such as RapLeaf can be used to see the social profile for given e-mail address(es) on a number of popular sites across the web.  Companies can find out about their customers, but individuals can check their details too – I was surprised to find when I logged in that it had already identified me on Flickr and WordPress previously (suggesting that one of RapLeaf’s customers had already run a search on me)… it’s far from complete but may provide a few more clues about who someone is (or highlight to you the information that you publish online). Even more of an eye-opener was Gist which, once supplied with my public Facebook and Twitter accounts, found a huge amount of information about me from a variety of online sources and most of it was accurate (it had linked me to my employer’s sister company – probably because that was the information it gained on me from one of my contacts).

The next tool that may be useful is Open Site Explorer.  This link popularity checker and backlink analysis tool can be used to understand where links to a given URL originate from, including the URL’s page authority, domain authority, linking domains and total links. So, if you find an anonymous blog, it will show where links to that blog originate – which may provide a clue as to whose site it is (i.e. an anonymous blogger may also have other online personas).

If you want to find something on the ‘net, Google is your friend: by searching for snippets of text, comments, etc. it’s possible to identify the original source of an item.  And Google’s cache is a goldmine – even after a website has been taken offline, its contents may well still exist in the Google cache!

Sites like Knowem can be used to see who is using a particular name (or trademark) on a variety of sites across the Web – that can be useful if you want to protect your brand.

IP tools can provide all sorts of information for would-be Internet sleuths. Many are just standard Unix tools, exposed via a website and not everything can be relied on (for example my IP address belongs to my ISP, who are several hundred miles away, but they know who I am if I’ve been up to no good). Domain tools information can provide a detailed site profile as well as whois information including reverse IP lookups to understand who else shares my server (noting that they may or may not be affiliated in some way).  You can also find out which sites share a given IP address using a decision engine such as Bing.  Try searching for ip:ipaddress to see all of the sites at a given address.

E-mail headers can be useful to find out where an e-mail originated (or which servers it passed through).  In Microsoft Outlook, view the message headers or, in Google Mail, select Show Original.  The resulting information (IP addresses, etc.) can be fed into some of the IP tools (e.g. traceroute or whois) to find out more about the message – e.g. to track down a spammer (and block them!).
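As an added example (not from the original post), the sketch below reads the Received chain of a message and picks out the one address worth feeding into whois: the peer recorded by the outermost mail server you control. Every header below that point was supplied by the sending side and may be forged. The sample message, the host names and the `received_hops` and `handoff_ip` helpers are constructed for illustration, and the parser assumes the common layout in which the receiving server records the observed peer address in square brackets.

```python
import email
import ipaddress
import re
from typing import Iterable, List, NamedTuple, Optional

# Constructed sample: documentation-range addresses and made-up hosts.
# The bottom Received line stands in for one forged by the sender.
RAW_MESSAGE = (
    "Received: from mx.example.org (mx.example.org [10.0.0.5])\n"
    "\tby store.example.org with ESMTP id A1; Tue, 2 Mar 2010 10:15:03 +0000\n"
    "Received: from [192.168.1.50] (unknown [198.51.100.77])\n"
    "\tby mx.example.org with ESMTP id B2; Tue, 2 Mar 2010 10:15:01 +0000\n"
    "Received: from bank.example.com ([192.0.2.10])\n"
    "\tby relay.invalid with SMTP; Tue, 2 Mar 2010 09:00:00 +0000\n"
    'From: "Your Bank" <security@bank.example.com>\n'
    "Subject: Please verify your account\n"
    "\n"
    "body\n"
)

_BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


class Hop(NamedTuple):
    by: str                  # server that wrote this header
    helo: str                # name the sending side claimed for itself
    peer_ip: Optional[str]   # address the writing server recorded, if any
    trusted: bool            # written by our own server, with no gap above it


def _peer_ip(from_part: str) -> Optional[str]:
    """Last valid bracketed address: the server's own view of the peer."""
    for candidate in reversed(_BRACKETED.findall(from_part)):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return None


def _is_ours(host: str, suffixes: Iterable[str]) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def received_hops(raw: str, trusted_suffixes: Iterable[str]) -> List[Hop]:
    """Parse Received headers, newest first, marking the trusted prefix."""
    suffixes = [s.lower() for s in trusted_suffixes]
    hops: List[Hop] = []
    in_trusted_run = True
    for value in email.message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())          # undo header folding
        if text.startswith("by "):
            from_part, rest = "", text[3:]
        else:
            from_part, _, rest = text.partition(" by ")
        words = from_part.split()
        helo = words[1] if len(words) > 1 and words[0] == "from" else ""
        by = rest.split()[0].rstrip(";") if rest else ""
        # Trust ends at the first header not written by one of our servers.
        in_trusted_run = in_trusted_run and _is_ours(by, suffixes)
        hops.append(Hop(by, helo, _peer_ip(from_part), in_trusted_run))
    return hops


def handoff_ip(hops: List[Hop]) -> Optional[str]:
    """Peer address seen by the outermost server we trust, or None."""
    trusted = [h for h in hops if h.trusted]
    return trusted[-1].peer_ip if trusted else None


if __name__ == "__main__":
    chain = received_hops(RAW_MESSAGE, ["example.org"])
    for hop in chain:
        print(hop)
    print("look up:", handoff_ip(chain))
```
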

Of course, if you wanted to find out who someone was, you could send them an e-mail and try and trap them using the same techniques that the phishers use… that wouldn’t be a good idea – it’s almost certainly illegal, and I’m not condoning it – indeed, the only reason I mention it here is to say “don’t do it”.

One more clue as to who is watching you online (unfortunately not free, but potentially useful when tracking down an impersonator) is a dashboard called Trovus, which can be used to build a profile of who accesses your website and from where.

If you discover that your identity is being used inappropriately, the first thing to do is to contact the relevant service providers (perhaps a hosting company for a website or mail server, or maybe a public website) and, even though you may not see a response, they may be taking action that’s not visible to you (e.g. offline, via another medium, or using lawyers) – hopefully you’ll at least get a response to say “thanks, we’ll be in touch”.  Whilst the actions in this post may not provide all the answers on who is impersonating you, they are at least the first steps to allow you to contact the appropriate organisations for further assistance.

Safer Internet Day: Educating parents on Internet safety for their children

A few weeks ago, I mentioned that today is European Safer Internet Day and, here in the UK a number of organisations are working with the Child Exploitation and Online Protection centre (CEOP) to educate parents and children in safe use of the Internet.  I don’t work for Microsoft but, as an MVP, I was invited to join in and tonight I’ll be delivering a session to parents at my son’s school, using Microsoft’s presentation deck (although it has to be said that this is not a marketing deck – it’s full of real-world examples and practical advice about protecting children and young people from the specific dangers the Internet can pose, whilst allowing them to make full use of the ‘net’s many benefits: turning it off is not the answer).

The BBC’s Rory Cellan-Jones has reported some of the activities for Safer Internet Day; although the Open Rights Group’s suggestion that this is all about scoring a publicity hit for a little cost is a little cynical – Microsoft has a social responsibility role to play and by working with CEOP to produce an IE 8 browser add-in the UK subsidiary’s activities are laudable.  If other browser-makers want to follow suit – then they can also work with CEOP (ditto for the social networking sites that have yet to incorporate the Report Abuse button).  Indeed, quoting from James O’Neill’s post this morning:

“We are part of the UK Council for Child Internet Safety (UKCCIS) and Gordon [Frazer – Microsoft UK MD and VP Microsoft International]’s mail also said ‘This year as part of the ‘Click Clever Click Safe’ campaign UKCCIS will be launching a new digital safety code for children – ‘Zip It, Block It, Flag It’. Over 100 Microsoft volunteers will be out in schools in the UK teaching young people and parents alike about child online safety and helping build public awareness for simple safety tips.

Our volunteering activities today mark our strong commitment to child online safety. Online safety is not only core to our business, as exemplified by particular features in Internet Explorer 8 (IE8) and our work in developing the Microsoft Child Exploitation Tracking System (CETS) which helps law enforcement officials collaborate and share information with other police services to manage child protection cases, but it is also an issue that our employees, many parents themselves, take very seriously. As a company we put a great deal of faith in our technology, however, we are also aware that the tools we provide have to be used responsibly.”

Anyway, I digress – part of the presentation I’ll be giving this evening will include a fact sheet, produced by Microsoft, that I’ll leave with parents and I’d like to repeat some of the advice it contains here (with a few edits of my own…).

Safety Considerations

The Internet is a fantastic resource for young people but we must remember that, just as in the real world, there can be potential dangers to consider:

  • Control – Personal information can be easily accessed if it is posted online. Consider what information about your child someone could access online.
  • Contact – Paedophiles use the Internet to meet young people and build up a relationship.  This is often done in a public environment such as a chat room or online game before trust is built up to become an online friend for 1-1 conversations.
  • Cyberbullying – Other people may make use of technology to bully a young person 24/7.  By using online technology a bully can gain an instant and wide audience for their bullying. Cyberbullying can be threats and intimidation as well as harassment and peer rejection.
  • Content – The Internet can contain inappropriate images of violence and pornography that you might be unhappy for your child to have access to.

Top Tips for Parents

These simple rules can help to keep children safe:

  • Keep your PC in an open space where possible to encourage communication.
  • Discuss the programs your children use.
  • Keep communication open with regards to who they are chatting to online.
  • Discuss their list of contacts and check they know all those they have accepted as friends.
  • Consider using the same technology so you can understand how it works.
  • Talk to your children about keeping their information and photos private using privacy settings on sites such as Bebo and Facebook.
  • Teach your children what personal information is and that they shouldn’t share it online with people they don’t know.
  • Make use of Parental Controls where available. These can allow you to control the amount of time your children are online, the sites they can access and the people they can talk to.   Controls are available for many products including Windows (Vista and 7), Mac OS X, Xbox and Windows Live (Family Safety), or more technical users might consider using an alternative DNS provider such as OpenDNS.

Some useful links include:

How to Get Help

For Young People:

For Adults:

  • Adults can speak to The Samaritans. The Samaritans provide confidential emotional support for people who are in emotional distress. If you are worried, feel upset or confused and just want to talk you can email the Samaritans or phone 08457 90 90 90.

I forgot that presenting at a school where I have an association means that some of the people in the audience are my friends (blurring my personal/professional boundary…) but hey, there are some important messages at stake here.  If all goes well tonight, I’ll be contacting other schools in the area to do something similar.

[Updated 24 November 2014: CBBC Stay Safe link updated; Metropolitan Police link added]

Raising parents’ Internet awareness

UK-based readers of this blog who also subscribe to Microsoft’s UK TechNet Newsletter may have noticed a reference to the upcoming European Safer Internet Day. Quoting from the newsletter:

“To support the day and the launch of the new digital code for children, Microsoft is offering all UK schools the opportunity to host their own parent’s awareness session. These virtual sessions offer the opportunity to host a parents evening with a web cast presentation led by a Microsoft volunteer to inform and educate parents on the technology their children are using and how they can keep them safe when online. To find out more or to book a presentation for your school please call Karina Gibson […]”

[Microsoft TechNet Newsletter, 21 January 2010]

I was able to see Karina present this session a few months ago, and I have to admit that I found it a moving and worthwhile experience – my children are still very young but it certainly taught me some of the issues that children and young people face in our online society and what parents can be doing to support safe Internet usage (turning it off is not the answer!). Consequently, I’m now liaising with my local schools and hope to be delivering at least one session soon. If you want to know more – contact Karina Gibson at Microsoft UK (I’ve left her contact details out of this blog post to avoid spam, but the Microsoft UK switchboard number is 0870 60 10 100).

Establishing parental control: easy when you know how

This week, Channel 4 is running a series of sex education television programmes looking at how young people today are gaining their sex education from Internet porn – and as a result are exposed to some disturbing content on the web.

I like to think that I’m fairly open-minded but my eldest son is reaching the point where I am considering giving him his own computer and, whilst I’d like to think that his computer time will be supervised, that will not always be possible as he grows up, or when he uses systems at friends’ houses, school, Internet cafés, etc..

One of the points that Channel 4 is highlighting is the lack of awareness (and knowledge, based on visits to a PC World, Sony Store and Micro Anvika stores) about the parental controls that are available in modern operating systems so, in this post, I’ll give a quick rundown of how to set up parental controls on your child’s PC – without resorting to additional software like that listed on the Kids’ safety advice on GetNetWise.

First up, the operating system on most of the world’s PCs – Microsoft Windows. Windows XP may not have any parental controls within the operating system but Vista and 7 do – as long as you are not running in a domain! Yes, that’s right – no parental controls on domain-joined PCs. I suspect this is something to do with the prospect of being hauled up in front of the United States Department of Justice or the European Union Competition Commission by the vendors of content filtering solutions if businesses relied on the controls built into the operating system to stop their employees from visiting the less salubrious portions of the web but for me, with several domain-joined PCs in the home, this effectively means my children will have to use their own PC. Not necessarily an issue but nevertheless an unnecessary constraint, particularly for those who have a single PC used for both home and business activities and also joined to a corporate domain (perhaps in a small business environment).

Assuming that your Windows Vista or Windows 7 PC is not joined to a domain, its parental controls are accessed via Control Panel and include limits on web content, limits on computer access times and games, as well as the ability to block access to specific applications. More information on Windows Parental Controls is available on the Windows help site and it’s also possible to view activity reports.

Over on the Mac, it’s pretty much the same story – OS X 10.4 (Tiger) and 10.5 (Leopard) include parental controls in the user account properties. In addition, OS X can display a simplified Finder window for young or inexperienced users, only allow access to certain applications, hide profanity in the dictionary (yes, I used to look up rude words in a paper dictionary when I was a boy!), limit website access (including the ability to create allow and deny lists), limit the users with whom mail and IM can be exchanged, enforce computer time limits (with different limits for weekdays and weekends!) as well as bedtime on school nights and weekends (I should try setting this on my own account).

The principles are similar in Windows and on the Mac but I’m using the Mac in these screen grabs (because my Windows machines are domain-joined). If I search for the first thing that a schoolboy might think of when given Internet access, it’s blocked:

Parental Controls preventing website access in Safari on Mac OS X 10.5

Unless I happen to know the administrator password:

Parental Controls requesting authentication on Mac OS X 10.5

Similarly, if I try to open an image, using an application that’s not allowed (in this case the OS X Preview application)… computer says “no”:

Parental Controls preventing application access on Mac OS X 10.5

And, assuming I’m not watching over my child like a hawk, I can keep an eye on their computing activities from a distance using the logs:

Parental Controls logging activity on Mac OS X 10.5

By now, you have probably got some idea of what’s possible on the mainstream consumer operating systems. Over in Linux-land it’s a little more complicated but still possible using a combination of IP filters, third party applications and limited DNS (e.g. OpenDNS). I’m sure I’ll write more as I become exposed to child computing habits but, for now, hopefully this has highlighted the ability to easily put in place some controls to protect your children from the Internet, whilst simultaneously allowing them some freedom.

Net neutrality is really important

The Internet was brought to us by the United States (when it was probably the best thing to come out of the cold war). Then Sir Tim Berners-Lee invented the web. Now we all rely on it and the telcos want to set up a two-tier Internet (maybe that really should be called Web 2.0!) with additional charges for access to high-speed content provision (we already pay more if we want a faster connection, now we may have to pay “tolls” for the extra lane on the “information superhighway”).

The cartoon below is the best illustration I’ve seen so far of what they are trying to do:

Net Neutrality

Various websites feature a recording of Senator Ted Stevens speaking in the US Senate on net neutrality (if you thought George Bush or Tony Blair were bumbling idiots, believe me they have nothing on this guy). It’s worth listening to the whole clip but particularly from the 8′ 45″ point (“the Internet is a series of tubes” etc.) to see just what a poor grip on technology the US Senate has on this subject.

For, quite simply, the best-written description of why this is a big problem that affects all Internet users, read Sir Tim Berners-Lee’s blog post on net neutrality. There’s more information at Save the Internet.

Accessing a public Internet connection from a virtual machine without getting charged twice

Last night, I stayed away on business in a hotel with broadband Internet access in my room (1.5Mbps according to a bandwidth speed test). Having paid almost as much for a 24 hour connection as I pay for a month at home, I decided to remain in my hotel room this morning and take advantage of a fast connection, rather than competing for a meagre amount of bandwidth in the office.

That sounds fair enough, but as I’m now working (rather than just surfing the ‘net and writing new blog posts) I also need to access corporate applications and data. My notebook PC is running Windows Vista but my corporate desktop runs in a Windows XP virtual machine using the VMware Player, so whereas last night I’d been using the host machine to access the Internet, this morning I need to use the virtual machine too.

The host PC is still working with the hotel ISP’s systems but when I originally connected with the virtual machine (which is normally configured for bridged networking to logically separate the guest and host machines so it has its own IP address) I was presented with a welcome page which invited me to pay again for access.

Quickly changing the VMware Player’s Ethernet connection from a bridged connection to a NAT connection, disconnecting and reconnecting the Ethernet connection and then running ipconfig -release and ipconfig -renew in the virtual machine gave the Windows XP guest a new NATted IP address and me the ability to access the Internet from either the virtual guest or the physical host machine. Unfortunately I still can’t create a VPN connection to the company network (probably something to do with the NAT) but I can live with that for a few hours.