
Thursday, 17 Sep, 2015

Diary Of An InfoSec Kid – Mindfulness, Moshi Monsters & Minecraft


A journey from first internet encounters to Minecraft mods, while mindful of the risks and benefits of online adventuring

Striking a balance between freedom and safety is a constant challenge for parents in the Information Age. Kids have to be able to explore what the internet has to offer and to some extent learn from their mistakes. But online mistakes can have some very far-reaching consequences.

Trying to strike that balance when you have even a little security knowledge multiplies the nightmare…ignorance can be bliss…until a future employer finds ‘that’ 10 year old Facebook post (I’m avoiding mention of the worst potential fallout for our children as that’s one thing parents have no problem imagining).
So here’s part of my journey with my under 10 InfoSec kid. Obedience without question has a very short shelf life and every day we cede a little control to prepare her for the world and build mutual respect. It’s all about equipping her to be safe, extending her boundaries (online and offline) and trying not to make her terrified of the wonder our online knowledge stores can offer.

Mister Maker and Monitoring

In the beginning there was Daddy’s computer and CBeebies (the BBC’s TV channel and complementary site for young kids. It has great educational, well-designed and ad-free content and was briefly at risk of being culled as a cost-cutting measure – REALLY BBC powers that be!?). Tiny girl was only just starting to read, but already knew what a browser was. Cue a first quick and dirty solution to stop the other half’s profile offering all sorts of opportunities for mischief:

  • Set her up a separate locked-down-to-heck profile with a cute kitten theme
  • Cleared stuff from the desktop and start bar
  • Set up individual desktop shortcuts with direct links to child friendly sites.
  • Set up activity monitoring…just in case (blessed/cursed with a smart child).

6 months on and I look up to see her typing ‘cute puppies’ into a Google Image search…cue a dive worthy of a premiership goalkeeper. “How did you do that?” I asked her. “I watched Daddy find the ‘eh’ picture and put ‘wuh wuh wuh dot guh oooh guh l eh dot com’ in the box at the top” she replied (phonics are a wonderful thing, unless you’re my other half who wasn’t taught them. He ends up sounding like a head injury victim when trying to sound out words for the kids). I knew not to underestimate how sponge-like and wily she was, but obviously her Daddy (who’d let her watch while he launched Internet Explorer to find a link for a new shortcut), didn’t.
From then on life got more interesting…

Moshi Monsters and Menageries

Over the course of the next 5 years what she wanted to do online exploded. The first big obsession…like for millions of other kids worldwide…Moshi Monsters. It’s built to be privacy conscious, age appropriate and secure, but there are still risks linked to adults setting up profiles for the purpose of grooming. Her use was closely supervised (the PC is in direct line of sight of the sofa), but we had lots of conversations about what it is and isn’t appropriate to put in ‘Moshi mails’ and chat windows.
I knew she’d got it when she showed me how Moshi Monsters flag any obvious personal information in typed messages and block it.
Woohoo! I was one chuffed InfoSec Mum…then came Minecraft.

Minigames, Mods and Millions of Movies

The newest craze has set up a whole new range of challenges. Minecraft is a culture not a game. It’s as deep, long, complex and appropriate as you want to make it. I’ve seen it dubbed the world of the giant dick statue (boys with blocks – sigh) and there are mods for EVERYTHING…just let your smutty imagination run wild.

It’s also a great place for kids to problem solve and pick up engineering principles. Even better, with tools to build mods, there’s huge motivation and a meaningful context to get them coding. Here’s a 2machines article on what Minecraft can offer.
We started with the free Pocket Edition on tablets. Single player or multi-player on a LAN server (no-one from outside allowed into our worlds). I tried to keep up. You should have heard the derision at my attempts to build stuff “Muuuum, you’ve destroyed my wall! Be careful!”. Within a fortnight I was banished to the mines to find materials for construction. I still got grief: “Is this coal or diorite?” I asked for the umpteenth time to weary sighs from the offspring and I kept getting killed before I’d made it back to put my spoils in the chest.
Then came Dan TDM (The Diamond Minecart), ohhh Dan TDM. Never has one individual kept my daughter’s attention for so long. Minecraft YouTube channels are BIG business. Dan has a child friendly channel where he records gameplay, tips and mods. After I’d got sucked in doing my duly diligent review of a number of videos (here’s hoping the Minecraft community can work with YouTube to put some age certificates in place like the music industry will for their videos), she was set free to browse. She was instantly hooked. With my tablet on Dan’s channel and her tablet on the game, she meticulously copied his construction ideas, often adding her own twists.

Moving On Up

Then it wasn’t enough any more – “Dan plays this minigame Mum and I reeeeaaaally want to do some mods.” You need the full paid version of Minecraft to do both.
All the time I was juggling safety, security, screen time and real time. Rationing was in place – x hours per day (Kindle Fire kids’ profile settings are very handy), x days with no screen, screen-confiscation as punishment for poor behaviour. Did I want to open up another life-sucking can of worms? If I wanted her to get that coding experience building mods, then yes.
She doesn’t play under anything resembling her real name. The email contact details are mine. A new address was created for the purpose with 2 factor authentication turned on. There’s also a VPN running on her profile. The birth date is not hers, except for the year to make sure age appropriate restrictions Minecraft offers are applied. Chat is turned off in multi-player environments and she has a complex password stored in her own version of my password safe (she came up with a respectably long, random, complex and cheeky master passphrase and has surprised me by remembering it).
So she’s a fully fledged Minecrafter now, already asking about setting up her own YouTube channel. She’s becoming a Hide and Seek aficionado, mods are getting worked out (I’m studying to help!) and the stuff she’s making blows my mind.
The latest is an automatic door opening mechanism for her ‘Mansion’ using pistons powered by redstone. All of which she researched and found raw materials for, before manufacturing the refined materials and tools needed. That manufacturing is a multistep process (e.g. gold ore, to gold bars, to gold nuggets, to armour or tools). All steps require fuel, most require multiple materials and some need catalysts (which she also had to mine or find). Then she experimented, bug fixed and researched problems until she got it to work as she wanted (you need a sticky piston you know!). THAT is impressive and takes a level of design nous, planning, preparation and above all patience I’ve rarely seen in a child of her age.


Having said all of that, a couple of incidents have underlined the importance of our rules and keeping a close eye on what the kids are into. I monitor her internet usage so she knows I’ll know when she visits a new site. The rule is to ask first and she’s given me no reason not to trust her. If I have to say no, I explain why. As an illustration:

She watched an unusual video where Dan had a guest crew on for some mini gaming. For the first time language got nasty (swearing with a homophobic theme – nothing to raise dire concerns for an adult or even mature teen, but not appropriate for younger kids). My girl, rather than hiding it, came through in tears. “Mum I didn’t know!” she said. “Dan never says that stuff, it was the other guys” She didn’t want me to think she’d wilfully disobeyed and it took a while for both of us to persuade her we weren’t angry and it wasn’t her fault.
Putting all of this in context she probably hears worse in the playground and will have a whole new world of inappropriateness, offensiveness and sometimes downright cruelty on offer when she transitions to high school. Does this negate some of the need to be mindful of risks? NO! But I’m (mostly) confident we are building the respect, knowledge base and trust to navigate the ever-changing world of ‘online’ safely.

Other Sources Of Advice For Child Friendly Internet Use

The caveat to any ‘InfoSec Kid’ article is that no two families are the same. You have to match your rules, restrictions, monitoring and teaching to what works for you and your kids. What you can’t do is bury your head in the sand. Hopefully what’s here gives some useful pointers. If you arm yourself to work through this minefield (pun intended) together, you can help your kids reap huge benefits from being confident, well informed and respectful citizens of the internet.
