Postergate: the unintended consequences of the best of intentions

• by Ellie Hurst
• Advent IM Blog

Thank you to Craig Moan, Security Consultant, for a cool headed look at the poster that got the infosec community hot under the collar and reaching for its Twitter feed.

Last month, a poster was distributed by Local Authorities in West Midlands in an attempt to raise awareness amongst teachers, parents and guardians to help them to advise children on how to stay safe online.  However, the poster was uploaded to social media and was roundly criticised by cyber security professionals for scaremongering and failing to explain that the use of these tools could be used to teach children about vital digital skills.

Pic of The Poster, via The Register and a hundred outraged Twitter accounts

The poster was issued by the West Midlands Regional Organised Crime Unit and details several common information security tools that can be used for hacking.  The poster urges parents to contact the Police if they notice their children using the software.

The poster failed to point out that whilst some of the tools can be used for malicious purposes, such as hacking, they also have a legitimate purpose and are a common tool set for information security professionals who conduct security testing or secure development activities.  Other tools, such as virtualisation software, are common amongst anyone with a good level of interest in computers and its existence alone shouldn’t raise a parent’s suspicions.   If young people are using these tools and they have a genuine interest in information security or other technical areas such as coding or networking with virtual machines, these skills should be encouraged by others to help young people to grow and practice their skill sets.

West Midlands Police responded to the criticism by stating the poster was produced by a third party from wider information that was designed as an aide memoire to assist teachers with safeguarding in schools and help with identifying cyber tools which could be used to commit cyber-attacks, but have a legitimate purpose.

The National Crime Agency, whose logo is also listed on the poster, were quick to distance themselves from it by stating “The NCA was not involved in the production or release of this poster.  There are many tools which tech-savvy children use, some of which can be used for both legal & illegal purposes, so it is vital that parents and children know how these tools can be used safely.”

Offensive Security, who maintain the Kali Linux software, stated the following regarding the poster: “The whole situation reminds me of the generational scares that happen with rock music, video games, and so on. Hopefully, no parent would take it seriously and feel like they have to call the police on their own children if they find them using Kali or chatting with others on Discord as that’s pretty ludicrous. These are all awesome opportunities for parents to engage with their children, find common interests, and spend time together while helping the child learn skills that will help them later in life. If you don’t understand something your child is into, instead of freaking out about it, just ask the kid and learn from them. In the end, none of this entire issue has anything to do with Kali or any of the other tools called out in the poster, instead it just has to do with how to be a good engaged parent and some people’s misunderstanding of what that means.”

Whilst the execution may have been flawed, I believe the intentions behind the poster was well meaning and it was a genuine attempt to raise awareness of these tools to parents.   I believe parents should have an understanding of the powerful tools listed on the poster if their child is using them, but they should also understand that these can be used as a force for good and they should engage with them to better understand how their children use the tools.  In addition we should also be raising awareness amongst parents, teachers and guardians of the excellent opportunities that are available for children who have a technical interest, such as the NCSC’s CyberFirst scheme, which is committed to developing the UK’s next generation of cyber professionals through student bursaries, courses and competitions, and the various coding clubs available to young people.   These type of schemes are excellent outlets and should be used to encourage and develop those with a keen interest in cyber.

However, the thing that concerns me more than the genuine attempt to raise awareness by West Midlands Police, was the response to the poster by security professionals who were falling over themselves to point out how bad the poster was and how out of touch the guidance contained within it was.  As I scrolled through the responses I was saddened to see so few people provide constructive criticism of the poster or offer advice to West Midlands Police on how it could be improved. It frustrated me because I believe there has been so much work done over the last few years by security professionals to change their perceived unapproachable holier than thou image and ensure they integrate and communicate better within the organisations they work in.  However, the responses to the poster highlight there is still some way to go to completely shedding that image as there are still security professionals out there who can’t wait to look down their noses and judge people when they may have made a genuine mistake.  As the phase goes, ‘everyone’s a critic’ and in security it appears undoubtedly so.