The unmasking of a National Security Agency intelligence program, which allegedly collects and analyses data from some of the world’s biggest companies, has come as a shock to some and no surprise to others.
Leaked slides from a former CIA employee appear to show reasoning for their access to several high profile companies’ servers and leave the reader in no doubt as to the ease of access they allegedly have.
The companies implicated in the leak include Microsoft, Yahoo, Facebook, Google, Apple, Dropbox, PalTalk and AOL.
Naturally, the companies have released statements regarding the issue. After all, to not do so could a) imply truth in the claims and/or b) be corporate suicide.
Let’s take a look at what they’ve said.
Facebook’s Chief Executive Officer Mark Zuckerberg had this to say:
“We do not provide any government organization with direct access to Facebook servers. When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law.”
“Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a backdoor for the government to access private user data.”
“We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it.”
“We do not have any knowledge of the Prism program. We do not disclose user information to government agencies without a court order, subpoena or formal legal process, nor do we provide any government agency with access to our servers.”
“We have not heard of PRISM. Paltalk exercises extreme care to protect and secure users’ data, only responding to court orders as required to by law. Paltalk does not provide any government agency with direct access to its servers.”
Included in the leak were also mentions of YouTube and Skype.
Who’s Telling The Truth?
For sure? Well, we can’t tell. However, intelligent speculation would dictate that there is no smoke without fire.
The problem for the general public is that it isn’t in any of the parties’ interests to be fully frank about the situation.
On the side of the US government and intelligence agencies, including GCHQ, admitting to this kind of indiscriminate mass collection and studying of data, no matter how noble or well meant the intentions are, would be damaging to public confidence in the US administration.
Equally, in the UK, public concern and tension are rising despite there only being claims that the UK had access to the US PRISM intelligence program, not that the UK government or intelligence services were directly collecting this themselves.
In addition, it would be highly damaging to any potential (or possibly continuing) support by companies of the PRISM program if there was a confirmation on behalf of the government or the security services.
Equally, for the companies – admitting this kind of definitely questionable, potentially (legally) murky situation would likely be corporate suicide. The strong denials from all of the companies allegedly involved with the PRISM program come as no surprise.
You could expect mass panic and potentially mass boycotting of services provided by a company which was allowing unrestricted and unmonitored access to all their servers’ data.
If a mass panic develops after such an admission, investors could lose confidence in the companies and pull all their funding, and advertisers may also flee if the user base of the services dwindles and to avoid negative press by association.
Despite all of the companies shown in the leaked slides being multi billion pound companies, the scale of damage that could be done if there is truth in these allegations could be far reaching and long lasting, ultimately inflicting an indeterminate amount of damage.
I was semi-surprised to find out that Playmobil had created a ‘security checkpoint’ toy. We used to get race tracks, mini towns and doll / action man houses. Oh how times have changed. Anyway, I guess this is the world we live in post the world going bonkers.
Anyway…. here’s the toy:
And now what follows is a work of literary genius! (Even 8 years after it was written, it’s as funny and relevant as ever.)
I was a little disappointed when I first bought this item, because the functionality is limited. My 5 year old son pointed out that the passenger’s shoes cannot be removed. Then, we placed a deadly fingernail file underneath the passenger’s scarf, and neither the detector doorway nor the security wand picked it up. My son said “that’s the worst security ever!”. But it turned out to be okay, because when the passenger got on the Playmobil B757 and tried to hijack it, she was mobbed by a couple of other heroic passengers, who only sustained minor injuries in the scuffle, which were treated at the Playmobil Hospital.
The best thing about this product is that it teaches kids about the realities of living in a high-surveillance society. My son said he wants the Playmobil Neighborhood Surveillance System set for Christmas. I’ve heard that the CCTV cameras on that thing are pretty worthless in terms of quality and motion detection, so I think I’ll get him the Playmobil Abu-Ghraib Interrogation Set instead (it comes with a cute little memo from George Bush).
OK, so we’ve all been guilty of it. Yes, even you! Miss Butter Wouldn’t Melt! ;).
That’s right, it’s been a long tradition that although we love our friends to pieces we sometimes can’t be bothered speaking to them – for one reason or another. In the good old days (OK, the 90s), this involved maybe ignoring the phone or a knock at the door.
Effective, but not specific enough to just ignore the person(s) that you are trying to avoid.
Then came the mobile phone – and with it, caller ID – what an invention. With texts and calls now having a name attached the process got much easier.
Fast forward to the noughties and we get social media. And soon after social media based chat, like Facebook Chat.
Similar to texting, you could always just ignore those who you didn’t want to talk to and they’d be none the wiser. That was until the tens – as in the 2010s.
Hide No More Ignorant Friend!
Imagine if, when you ignored a phone call, your phone called the person back straight away and said, “the owner of this phone is deliberately ignoring you, please try again or never”. Wouldn’t go down too well, would it now? (NB. This might not be too far off – Siri is a reality after all ;)).
Well thanks to advancements in technology, Facebook has implemented this much (?) sought after feature. No more shall the ignored be ignored without their knowledge….. well not as easily anyway.
Facebook outs you as Mr/Miss/Mrs/Dr Ignorant with one word and a timestamp – ‘Seen xx:xx’ (replace the x’s with the desired time).
So when a friend types a message and you look at it and close it, and you think you’ve gotten away with it, think again.
They get a nice little call back from Facebook and just above where they type their message it shows them this:
Whoopsie! You’ve been outed. So remember, if you look, and you want to preserve your friendship and not get your ears chewed off, you better reply to that message that you just sneakily looked at and thought you got away with! ;).
Of course, it’s OK to ‘ignore’ a message that doesn’t need a reply – just make sure your judgement is correct before you don’t respond to the ‘does my bum look big in this‘ question that your significant other has just typed in chat to you.
Now normally in life, going for the cheap option doesn’t always work out well in the medium to long term – or if you’re really unlucky in the short term.
Although not free, we can definitely confirm that sometimes the best things in life are cheaper (OK, that’s not quite as catchy granted!).
SSL or Secure Sockets Layer certificates are understandably (and rightly so) becoming more popular. For companies of all sizes with an online presence they are pretty much a given these days. And for most personal sites as well – even if it’s “just” protecting a members area, forum or blog.
SSL certificates can range from tens of pounds a year to thousands of pounds a year.
The Big SSL Myth
There’s a myth going round about SSL certificates, and it’s been going around for a while now. So I feel it’s only right to dispel it.
“More expensive SSL certificates usually offer 0% extra protection”
Shocked? Most are. Apologies if you’ve just spat out your cornflakes as you’ve spent loads on one recently.
Most of the time, a more expensive SSL certificate means no extra protection. The likely difference is the company providing it – i.e. there are well respected companies that have been around for a long time and have gained the trust of users – so they can be seen as more ‘valuable’ when in reality it’s the same as a genuine new start up that’s offering them much cheaper.
It’s the online equivalent of saying this site is protected by ‘Well Respected and Established Company Ltd’ rather than ‘New Startup Ltd’. The fact is, if they both sold you the same security, but for vastly different prices, your security would still be the same – the only difference would be the price you pay.
Having Said That….
Sometimes you do get nice extras thrown in – maybe a financial warranty backing up the certificate in case something goes wrong – however the chances of a claimable situation arising aren’t very likely and the benefit to most people will likely be nil (or not a lot).
However, the core point remains – the strength of the security offered is likely to be the same!
Let’s Compare A Typical Offering…
123-Reg are a popular domain name, web hosting and SSL certificate provider (among other things web related).
Let’s take a quick look at the SSL certificates they are offering:
Now, as you can see, we’ve got everything ranging from just £9.99 a year to £249.99 a year. A big difference in price.
For some big businesses maybe the warranty or extra add-ons might possibly be useful at some future point in time. Might. However, for all personal sites, 99.9% of contractors and the self employed as well as probably a great deal of small to medium sized businesses, the £9.99 a year 123-Reg SSL is probably going to be enough for your needs.
Need a little more convincing?
Let’s take it line by line:
Activates Browser Padlock
Important feature – not from a security point of view but for reassuring the user and giving them the signal that they are connected securely to your website.
Good job it’s included as standard with all of the SSL certificates. No expensive SSL certificate is going to provide you with a nicer padlock! ;).
Activates Browser Green Bar
Yes, a browser green bar is a nice little touch. But are you really considering spending £249.99 on an SSL certificate? If not, then as you can see, there’s no difference between the first three (except £60 a year in price!).
Unless you’re a bank, your users aren’t going to bat an eyelid about it not being there. Pretty much the only organisations that have these are banks, the government and multi million pound corporations (and even some of them don’t bother with it).
Yes, it can sometimes give an extra warm fuzzy feeling of security to your user – but quite frankly, the vast majority of users don’t actually notice it’s there.
The extra security, you will probably not be surprised to find out, is not based on the browser bar being green rather than white (if only it was this easy….) but on the extra checks they have to go through to get the certificate – usually including some offline verification checks.
The green bar kind of validates that you are ‘speaking’ to who you think you are speaking to. However if you don’t know ‘who’ is behind the website that you’re about to enter your personal details on, maybe you shouldn’t be entering them on the site at all (green bar or otherwise)?
In short, for 98% of websites – this isn’t a deal breaker. Forget the green bar (and the extra setup pain that comes with it)!
This is the number of years you can buy the SSL certificate for in one go – i.e. how long you can choose to buy it before you have to renew it. When applied to domains for example, the ‘Validity Period’ of a .co.uk domain would be between 1-10 years.
The validity period has absolutely zero impact on the security provided by the SSL certificate.
Discounts are usually given for ordering multiple years in advance – although you can of course buy 1 year and renew yearly if you like – whichever is more convenient.
In this example, the most expensive SSL certificate is actually the most inconvenient! You can only order that one for up to 2 years in advance (most likely due to the rigorous – and largely irrelevant for most – security hoops that you have to jump through).
The first three are much of a muchness – all being able to be ordered for between 1 and 5 years.
Multi Year Savings
Savings – we all like savings! As mentioned above, ordering for multiple years in one go produces a saving.
The most expensive SSL certificate actually puts you at a disadvantage here as it can only be ordered for a maximum of two years in advance, whereas the others can all be ordered for up to 5 years (see above).
Prepare for the shocker!
Encryption level. Probably – no wait, definitely – the most important feature of your SSL certificate. How strong is the encryption it provides?
As you can see above, paying more gets you 0% more security! That’s it, no extra protection for your extra £240 a year!
This is what I mean when I say that paying more for an SSL certificate doesn’t get you more security – it just gets you a bigger brand name to stick on your site. And if over a decade of web development has taught me anything it’s this:
99% of customers won’t care if your website is ‘Secured by’ VeriSign or ACME Ltd.
That statement is of course with the caveat that you pick a reputable company – not Card Fraud R Us Ltd etc.
Big names just mean big price tags – nothing else.
Secures WWW and non-WWW sites
Standard feature – as evidenced by the fact that it’s available on all SSL certificates from the cheapest to the most expensive.
Using DPS Computing’s website as an example this means that using any of these certificates we could secure pages starting both www.dpscomputing.com and dpscomputing.com – i.e. with or without the www prefix.
This is the biggie difference – without actually meaning a lot in reality.
Warranty – as described by 123-Reg is:
The more expensive GlobalSign certificates come with an insurance policy that applies if the certificate is issued or used incorrectly (i.e. they cock up or an act of fraud is committed against you).
I’m not sure on the number of claims that there are on these warranties by the people that have cover from them, but it is likely a very small percentage.
Don’t forget the amount specified isn’t the amount you’d get paid out in the rare situation that the certificate is issued or used incorrectly. It’s the maximum amount you would be entitled to.
The ‘value’ of a warranty – or lack thereof – shouldn’t influence which SSL certificate you pick. Spend the money on something else – something that will help your website or business more than this is ever likely to – and don’t forget, it’s not just a one off cost – it’s a recurring, and for most people, unnecessary cost.
Again there’s one key thing to remember:
The value (or lack of) a warranty has 0% impact on your security
It doesn’t make your site any safer. And even if you were in a claimable situation (extremely unlikely!), it’s not just going to be a hand over of the maximum amount in a cheque to you – prepare for a drawn out process, potentially even a legal battle (at which point, is it worth it anyway?).
Typical Issuance Speed
Again, on the issue of speed from purchase to being live and available for use on your site, cheaper is better.
Due to the (for many, unnecessary) extra security checks, you have to wait nearly an entire working week compared to just 10 minutes for the lower priced options.
Vetting – here’s some of the extras that you get – kind of.
As the name implies, the increased levels of vetting available with more expensive SSL certificates basically mean that you’ve had more background checks done to ensure your website (and with the more expensive ones, your business) is who it says it is.
It does not, I repeat does not impact on the level of security offered by your SSL certificate.
Con men and fraudsters can successfully complete these checks on occasions just as they can with other systems designed to protect authenticity.
Reputable businesses usually have many ways for their customers to check their history, trading status, previous customer experiences etc through sites like Companies House, TrustPilot etc.
Coupled with the fact that most con and fraud websites are discovered relatively quickly and the people behind them stay in ‘business’ by setting up and closing down in a matter of weeks (or at most months), one of the biggest free security checks that can be done by anybody with an Internet connection is to check the age of the company.
Now, not all new companies are scammers, obviously. But most scammers are, or appear to be, new companies, with little trading history and probably not a big online footprint. This alone, evidently, doesn’t confirm devious intentions but it should raise a healthy level of suspicion – after all, if you were fully confident in their identity in the first place you wouldn’t be investigating who they are ;).
Also, things like checking addresses exist, ringing the office phone number and consulting previous customers can also yield important information.
All in all, despite the extra checks offered with the more expensive SSL certificates, there are probably more cost effective and beneficial ways to do these checks. Unless you’re a big business, probably not much point in having any more checks than the basic 123-Reg SSL certificate offers.
Simple Set Up With AutoCSR
Again, on this one, it doesn’t matter how expensive you go, you get the same auto set up service which helps you install the SSL certificate on your website.
Easy to set up service if you are hosting elsewhere, even easier to set up service (it’s done for you) if you have 123-Reg hosting.
Secure Unlimited Sub Domains (Wildcard SSL)
Wildcard SSL – again something you are only likely to require if you’re a big business. Only available as standard in the most expensive certificate.
Wildcard SSL lets you secure not only your main domain.com but also any subdomain.domain.com.
So without wildcard SSL you could have securely via https (using DPS Computing as an example):
What you couldn’t have would be:
With wildcard SSL you can have subdomain.domain.com as well as domain.com/subdomain.
The cheapest ‘optional’ extra wildcard SSL is on the 123-Reg variety – but that still increases the price from £9.99 to £79.99.
Again, if you’re not a big business, it’s not really likely to be of any use. In fact would it really matter to a big business if it was domain.com/subdomain rather than subdomain.domain.com? Possibly – there is some evidence that using subdomains can help with SEO but for individuals and small to medium sized businesses, there are probably many more (cheaper) things that you can do to improve your SEO.
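To make the www / non-www and wildcard points above concrete, here is an added example (not from 123-Reg or the original post) that checks which addresses a certificate's list of names covers, using the hostname matching rules browsers follow (RFC 6125). The two name lists and the 'blog' subdomain are constructed assumptions for illustration.

```python
# Added example: which hostnames does a certificate's list of DNS names cover?
# The name lists are constructed for illustration, not read from real certificates.
from urllib.parse import urlsplit


def _labels(name):
    """Lower-case a DNS name and split it into its dot-separated labels."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname, RFC 6125 style."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h                      # plain name: exact match only
    # A wildcard is honoured only as the whole leftmost label, with at least
    # two ordinary labels after it (so "*.com" is refused).
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    # The wildcard stands in for exactly one label, never zero and never two.
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]


def covered(cert_names, hostname):
    """True if any name in the certificate matches the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def url_covered(cert_names, url):
    """Only the host part of a URL is checked; the path plays no role."""
    host = urlsplit(url).hostname
    return host is not None and covered(cert_names, host)


# Constructed name lists: a standard certificate securing the www and
# non-www forms, and a wildcard certificate for the same domain.
STANDARD = ["dpscomputing.com", "www.dpscomputing.com"]
WILDCARD = ["dpscomputing.com", "*.dpscomputing.com"]

# Hypothetical addresses; "blog" is an assumed subdomain name.
URLS = [
    "https://dpscomputing.com/",
    "https://www.dpscomputing.com/",
    "https://dpscomputing.com/subdomain",
    "https://blog.dpscomputing.com/",
    "https://a.blog.dpscomputing.com/",
]


def coverage_table(urls=URLS):
    """Map each URL to (covered by STANDARD, covered by WILDCARD)."""
    return {u: (url_covered(STANDARD, u), url_covered(WILDCARD, u)) for u in urls}


if __name__ == "__main__":
    for url, (std, wild) in coverage_table().items():
        print(f"{url:40} standard={std!s:5} wildcard={wild}")
```

Two things the table shows that are easy to miss: a wildcard name covers only one level of subdomain, and on its own it does not cover the bare domain, which is why the bare domain is listed alongside it.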
Strong Security In Older Browsers With SGC
Strong security in older browsers – always a good thing as some of us don’t update (for free) our web browsers ;).
However, we can relax as it’s offered as standard on all the SSL certificates on offer.
Unlimited things are nice, but largely unnecessary.
Most websites run by individuals and small to medium sized companies will be hosted on one server. Even if they’re not, it will usually involve ‘only’ a main server, a backup server and a mirror server, which would cater for a fairly busy website.
Even with 3 servers, the cheapest SSL certificate will still cater fully for your needs. If you’re using 4+, then maybe consider the next one up (£49.99/year) – which is unlimited. If you’re getting to the stage of needing 4 servers, you’re likely not to be as bothered about the extra £40/year. But just remember, there’s no point spending it if you don’t need it. 3 servers or less – plump for the cheapest option.
Browser support – important for both the reasons given above regarding web users not always being the best at updating their browsers on a regular basis but also the fact that there are many different browsers being used by a significant proportion of web users now, examples being Internet Explorer, Firefox and Google Chrome, to mention a few.
Again, all the SSL certificates from the cheapest right up to the most expensive cover you in exactly the same way.
Mobile Device Support
With the ever increasing popularity of mobile devices, including smart phones and tablets and also the rise in m-commerce (mobile commerce) we need to consider security not just among desktops and laptops but also on mobile devices.
As you can see from the above, the cheapest SSL certificate covers you across mobile devices.
Use With Intranet
Building an Intranet? No? Then you don’t need it.
Again, even if you are building an Intranet, you’re only likely to need this kind of security if you’re a big business – individuals and SMEs probably aren’t going to have extensive intranets – and even if you do have one (and require security) you can always use some self signed certificates (issued by yourself but still just as secure).
Secured By Site Seal
A deal breaker of course – not!
It doesn’t matter whether you have a site seal that says secured by MI5 or the Secret Service – it’s no more or less safe than the Secured By 123-Reg SSL seal!
We’re talking about security here, not a fancy image ;).
For the developers and programmers among us adding a context menu to an application is a fairly basic requirement of many pieces of software. Adding a context menu in Web DynPro looks on the face of it to be an extremely easy process – and it is, as long as you don’t forget anything ;).
Although there are a fair few guides on the Internet that explain how to add a context menu in Web DynPro they all seem to miss out one important detail, which without knowing it, means that your context menu fails to appear at all and can make the process extremely stressful.
That’s why I’m sharing this top tip with you today. Firstly, follow one of the many guides available such as this one. And while using this or another guide don’t forget our…..
Context Menu Top Tip
Firstly, note that whether you are implementing a dynamic or a static context menu in your application this tip applies to both.
In newer versions of the SAP GUI, according to reports at least from version 7.00 – maybe even earlier, there is a new option to add a context menu to most User Interface elements in the properties tab (i.e. this no longer has to be done programmatically).
However, most, if not all guides seem to have missed out the fact that as well as setting the context menu you want to use in the properties menu you also have to change the ‘ContextMenuBehaviour‘ property to ‘Provide’ rather than the default setting of ‘Inherit’.
As the name suggests, if you leave this on ‘Inherit’ you will be left puzzled by the fact that no matter what you do, your context menu simply won’t appear – only the default one will.
When this property is pointed out, it becomes fairly obvious – however it can be frustrating and waste time until you figure it out!
The conclusion to all this is that it is frustrating but understandable. Technically however, I think that the SAP GUI could help you out by ‘defaulting’ the ContextMenuBehaviour property to Provide when you actually pick a context menu in the properties.
However, until that happens, every time you set the context menu on a UI element, don’t forget to set the ContextMenuBehaviour property as well!