TDL 022 | Defending the Kids: DNS, Filters, and the Fight for Safer Schools | Tom Newton

The Evolution of Online Safety: A Conversation with Tom Newton

In this episode of The Defender’s Log, David from ADAM Networks sat down with Tom Newton in Leeds to discuss the evolving landscape of online safety. The conversation explored Newton’s journey from early programming on the Amiga to his current mission of protecting children online through his work with Smoothwall and the Internet Watch Foundation.

The “Internet Gap” and Digital Permanence

A central theme was the “internet gap”—the permanent nature of modern digital footprints compared to the ephemeral BBS era. This permanence creates a risky environment for young people to explore and make mistakes. Newton highlighted how students use sophisticated methods, like “unblocked games” sites hidden behind AI-generated educational facades, to bypass traditional filters.

Exploiting Vulnerabilities: The UNDERMINR Tactic

The pair also delved into the UNDERMINR vulnerability, a method where malicious apps or VPNs “blind” DNS servers to their true intent. This tactic allows traffic to break out of managed environments, often exposing users to highly sexualized ads or extremist content.

A “Village” Approach to Cybersecurity

Newton emphasized that defending the internet requires a “village” approach involving parents, schools, and tech providers. Despite the rise of AI, he remains a firm believer in the power of human connection, noting that while technology is a tool, personal relationships are the true authors of change. For those in cybersecurity, the mission remains clear: balancing privacy with the essential safety nets needed to protect the next generation.



TL;DR

  • Digital Permanence: Unlike the past, modern digital footprints are permanent, making childhood mistakes riskier.
  • Filter Evasion: Students use AI-generated “educational” shells to hide unblocked games and bypass security.
  • UNDERMINR Vulnerability: Malicious apps “blind” DNS servers to escape managed environments, exposing users to harmful content.
  • The “Village” Model: Effective safety requires collaboration between parents, schools, and tech providers.
  • Human Connection: AI is a tool, but human relationships remain the most vital component of digital defense.

Links

View it on YouTube: https://www.youtube.com/watch?v=Cw-vEupEtxk

Listen to the episode on your favourite podcast platform:

Apple
https://podcasts.apple.com/us/podcast/defending-the-kids-dns-filters-and-the-fight/id1829031081?i=1000769088545

Spotify
https://open.spotify.com/episode/5gqGQKxWVWMWLV1dv0SUfb

Amazon Music
https://music.amazon.ca/podcasts/d7aa9a19-d092-42a6-9fe9-9e8d81f68d30/episodes/ba154513-c250-4b14-a433-1205d07c381c/the-defender%E2%80%99s-log-podcast-defending-the-kids-dns-filters-and-the-fight-for-safer-schools

ADAMnetworks
https://adamnet.works


Full Transcript: The Defender’s Log - Episode 022

Introduction

David: Well, I’m very excited about this Defender’s Log episode today, Tom, because we’ve known each other for some time. And, just doing this in person is a new format for me, and thanks for having me over here in Leeds of all places.

Tom Newton: Yeah, I didn’t realize that this was the first time you’d done one in person, but really great to have you in our hometown. It’s lovely to see you again.

David: Well, when I originally planned on coming to DNS-OARC, it was, like, your comment about, “Hey, I’m not that far from Leeds, so just a short train ride.” And so I took you up on that, and it’s really cool. Um, for anybody who hasn’t been to a place, it’s an aspect of sensory overload when there is so much about the environment that’s different than what we’re used to, that it’s like, “Okay, what do I need to take in here?” But, I’m especially pleased that you have as many coffee shops as we have Tim Hortons.

Tom Newton: We are. We are blessed with Brew Society being an awesome coffee shop right next to the office, yeah, that’s not the norm. They’re a bit out of the ordinary, those guys. And, yeah, your train experience is arguably not the norm in the UK either, but Leeds to Edinburgh is one of those that actually does tend to work. Hoping I’m not jinxing you there for the return journey, but yeah, that, it tends to work, and it’s a nice journey.

David: It was. Unbelievable. All these years of talk about all the sheep. It’s real. Yeah. It’s real. Yeah, so I had a very beautiful experience coming here, that’s for sure. And what brings us together is actually being in the same space.

Tom Newton: Yeah.

David: And I really enjoy getting to know other Defenders. You and I met for the first time online at Andrew Campling’s Weekly DNS Encryption Podcast that he hosts over Zoom. So thank you, Andrew, for allowing these kinds of Defenders to find each other. And that’s when I learned about Smoothwall, where you’ve been for some time. But before we get into that, how did you end up in the space of being in tech to begin with? Like, what was your childhood like with events that would lead up to that? Tell us about that.

Early Experiences with Computers

Tom Newton: I guess my first experience of computer programming was with Microsoft Basic, but not on a system you’d realize. Microsoft actually were contracted to write Basic for the Amiga. And that was my first system back in '85 or something like that. My dad decided he’d buy us a computer for Christmas. I don’t think me and my brother had been asking for something. I’m not sure even, like, knew it was possible. But my dad was one of these guys who always thought about what we could learn. He was a teacher, so that was always top of mind. And he thought, “Well, this is new.” He ran a business on the side, and he was one of the first businesses in Yorkshire to really go computerized.

Tom Newton: I remember those guys running serial cables across the office to VT100 terminals. They had one of those VT100 terminals in my basement for the longest time 'til my wife made me throw it out. She says, “You’re never gonna use that.” I said, “No, but I like it.” Anyway, this is an argument I was never gonna win. Along with the old full-height five-and-a-quarter-inch hard drive that was used as a bookend. Like, that’s ugly. Get it out. Anyway. Yeah, another one I lost. But no, we, yeah, me and my brother, Will, who’s 18 months younger than me, we started on the Amiga or the Miggy as it was sort of colloquially known. Obviously, you know, What was it known as? The Miggy. Miggy. Yeah, yeah.

David: So that’s another Britishism that I have never heard. Maybe. Yeah, I don’t know.

Tom Newton: Maybe it’s just an Amigarism. Maybe it’s just a Commodorism. But yeah, we were, you know, people were, like, fiercely sort of tribalistic about their computers in those days. The other kids who had Atari STs or the Commodore 64 or the Specky or whatever have you. And it was a fun time. It was a fun time in computers. I mean, obviously we played a lot of games. It’s a great machine for gaming. But it had Basic and it had a language called REXX that was actually developed by IBM on there, ARexx. I loved REXX. That was what I first started doing bits of programming in. And when we were sort of 16, 17, we’d do daft things like, you know, dialing random numbers with a modem. So I got a modem, got a 2400 baud modem.

Tom Newton: Because, as I said, my folks had computerized their business, and they’d a modem to talk to the sort of technical support. So technical support could dial in and deal with this kind of, this mainframe computer, mini-computer, whatever they had in the business. And that modem was upgraded to something fancy, like a 9600 baud, and we got this old 2400. Started, like, dialing BBSs. You know, as you’re like a 15, 16-year-old kid dialing a BBS that’s run by some guy you don’t know, like, there’s pirate software on there. There’s all sorts on there. There’s hacking tools. There’s groups of people doing odd things. There was like Amiga user groups and people like that, and we’d go and visit, like, public domain houses where you’d buy a floppy disk with something on it for a pound.

Tom Newton: And then you’d walk into this old scuzzy office, and there’s a what you call 17-bit software, that bit better than the rest. So that dates it, you know. It was in the 16-bit era. And you’d go in this horrible little office behind Argos in Wakefield and get a disk copied for you for a pound. And there’d be a big catalog that you could look through of all these public domain and shareware stuff. And so that’s how we got into mucking about with computers and these modems we’d, you know, use to dial BBSs or try and find random numbers that would answer and see what was on the other end of them. And the days when there was like no security on anything and, you know, people were just getting into systems left and right and center.

Tom Newton: And you’d, you know, you’d read all these sort of hacker handbooks and things like that, and you’d imagine all the things that you could do and never really get on and do them. But you know, for me, it was always a hobby. It was always something you do for a laugh. Writing software, you know, always something you just do for a bit of fun. One of the first bits of software I wrote was something to generate a wide variety of amusing insults. So it demanded, like, looking at words, looking at the grammar and understanding grammar and being able to create sentences that were, whilst incredibly vulgar, also reasonably understandable grammar. And I found that quite useful later on, actually, that early experience. But I never intended to go into IT at all. I went to university and I studied chemistry.

David: Oh.

University and the Switch to Computer Science

Tom Newton: Largely because my A-level grades, which is the grades in the UK that you do, like, when you’re just about to go to university or to college, as you’d say across the pond, my A-level grades were s***. Like, let’s not beat about the bush. I was always bright in school. I could always succeed, and I considered that I could succeed without doing any work, and it turns out you kind of can’t. And with science courses, the universities would take you if you could walk and spit, and if you couldn’t walk, we’d send a taxi.

Tom Newton: So you could get in. So I got into chemistry at Leeds, which is a good university, with, like, some pretty ropey grades, and I was sort of all right at chemistry. I was kind of enjoying it. You know, particularly enjoying, like, the practical laboratory stuff because you could bang it all out in the morning and then go in the pub in the afternoon. But you got to choose a minor subject. I don’t think it’s the same as it is in the US where there’s an official sort of major and a minor, but we got to choose some elective modules, and one of those I chose in the computing department. And I ended up writing some Pascal and learning a bit more about the professional ways to write software.

Tom Newton: And at the time, I was living in some student accommodation up in North Leeds, and we had a computer lab there and it was connected back to the university and to the wider internet by a 64K ISDN, like for 15, 20 computers. It’s horrendous. And Doom had just come out, and so we’d find all the computers that were facing away from people who might spot it and dual boot them into Linux and play Doom on the local network. And one of the lads who I did this with was a guy called John Hodrien, still works at the university. John’s incredibly smart chap and really generous as well. He’s very generous with his time and talking to me about what he was doing in the department.

Tom Newton: His major was computer science, and he said, “Tom, you’re good at this. You should do this.” You know, you’re probably not wrong, John. You’re probably not wrong. So I went to the tutors. I said, “Could I change? Could I switch?” And they said, “Well, we’ve seen what you’ve done. We’ve seen you’re capable of this, but you’d have to start again, and you’d have to do another year.” So I went home to my mom and dad, and I thought, “My dad’s gonna absolutely lose his nut at this one. He’s not gonna be so happy with me because, well, number one, I’ve kind of wasted a year, and he’s been paying my rent.” Anyway, he was absolutely overjoyed about it. He was like, “I’m glad you found something you really want to do. I’m fully supportive.” So I got away with that one.

Tom Newton: And I ended up doing three years of computer science at Leeds and I ended up helping write the course material when I was in my third year for the first years. We switched from Pascal to C++, a language I’ve always enjoyed. My two languages now are Perl and C++, which are things like probably nobody really should use. And every time I write Perl…

David: Don’t say that. Don’t say that.

Tom Newton: …I wish it were C++, and every time I write C++, I wish it were Perl. But mostly I only do these for hobbies these days. But, yeah, that was fun. And in fact, John met his wife there. She did, like me, she was a physicist, and she did an elective module in her final year in computer science. And I ended up working to mark her work and things like that, and that’s how they got together. And they have two kids now who are my godson and goddaughter. So, yeah, that early interaction with that one person, like, changed my career path and also got me, like, basically an extension of my family. So it was a really important moment in my life to meet those guys.

Tom Newton: So that’s how I ended up studying computer science. And of course, when you study computer science, you turn out at the other end with a piece of paper in your hand saying you were all right at this stuff, and you go and get a job as a programmer, right? And that’s what you do.

David: Right.

The First Job, Blinky Lights, and Smoothwall

Tom Newton: So that’s what I did. I got a job as a programmer at the worst company in Leeds. I shan’t name them. I don’t think they’re still going, thank God. But it was a company writing some mapping software, and their modus operandi was to take cheap graduates and work the bejesus out of them and produced some really quite terrible software because, well, there was nobody there with any sort of real experience of how to do this properly. It was the blind leading the blind. I wasn’t totally unenjoyable. You know, I enjoyed maps. So I enjoyed combining maps and programming. So, you know, the Dijkstra’s algorithm and pathfinding and the post office problem and all that sort of stuff that, like writing that sort of stuff in C++, it wasn’t the worst thing I could ever do with my life.

Tom Newton: But one afternoon, I was walking out the office. Load of NT workstations in there. And back in the good old days, you know, when all this was fields, you had a network card in your machine that had a little blinky light on the back. It told you when packets were being transmitted. And as I was walking out the office, I turned around, and I saw blinky lights. Like, “What’s going on here? I’m the last out the office.” It doesn’t happen anymore, by the way. I’m first out these days, straight down the pub. But no, I was the last out of the office. There shouldn’t have been any blinky lights. You know, it’s not like today when you imagine the machines are probably doing updates or something.

Tom Newton: Like, back then, like automated updates over the wire, like that sort of stuff didn’t happen. So the idea that there was network traffic was odd, and it turned out it was a worm. I think it was probably Code Red. It was one of those NT worms, because NT came out the box with no firewall.

David: That was like mid, late '90s.

Tom Newton: It’ll have been 2001, I reckon. 2001.

David: 2001?

Tom Newton: Yeah. Code Red was still around? I thought it was late '90s. Might’ve been. Oh, okay. Yeah. One of those. Okay. One of those that infected NT because no firewall, and it came out the box with a web server that was running regardless of whether you needed a web server or no, which of course people thought was a great idea in those days. Like just imagine, just imagine that environment in the days of AI. Oh, wow. We’d be annihilated, wouldn’t we? We’d be annihilated. You know, back when you could just find open SMTP relays to ping mail through. Wow. You’d get away with murder in those days. But yeah, so this worm crept in, so first I really knew of what a worm was.

Tom Newton: So discovered what it was, eradicated it from the machines, patted myself on the back for doing a good job. Came in the next morning, it’s back again. What’s this? We needed something called a firewall, it turns out. Now, I’d sort of known what a firewall and router was, because at the time I was living in a sort of student house type affair. Shared house with four or five other people, and some of them had computers, and we had a crappy old cable modem internet, and we needed something to basically do a NAT. And I fired up an old Red Hat box and configured NAT on it, and I thought, “Probably do.” Hmm. But, you know, for a company, like me configuring a NAT on a Red Hat and blocking a few ports, is that gonna work?

Tom Newton: Well, that’s probably a bad idea. Rang up our ISP, Demon Internet, again, dates it. “Can we have a firewall, please?” “4,000 pounds,” they said. “We’ll send you a firewall.” Wow. “4,000 pounds.” Well, you know, you can imagine what my boss said, you know. He’s this guy who recruits graduates at the cheapest possible rate. And, you know, he wasn’t interested in spending 4,000 pounds. He went, “Back to the drawing board with you, Tom. What can you do?” So I found SmoothWall. SmoothWall, at the time, had an open source firewall. Which persisted a very long time. I mean, it’s lost its relevance now as the idea of an open source firewall like that really because it can be done so cheaply elsewhere.

Tom Newton: But at the time, the SmoothWall open source firewall gave people like me a choice between 4,000 pounds for probably some quite decent Cisco gear or pretty much nothing for a firewall I could download off the internet. Sure. And I figured this firewall must have been built not by somebody like me doing sort of basement dweller part-time hacking, but by some professional security people. So I download this firewall. I got the old mail server PC and a PC that was being used as a doorstop.

Tom Newton: Because the SmoothWall firewall didn’t support SCSI drives. I would need an IDE drive, and the IDE drive was in the doorstop and the SCSI controller was in the old mail server. But between them, these two machines made a serviceable firewall and a serviceable doorstop. Wow. So, by swapping a few parts, we remained the weight in the doorstop, and we got ourselves a firewall. And that was my first exposure to being a defender to SmoothWall. And I ended up on their mailing list, and a few months later, George, our CEO at the time, put out a message saying, “I’m looking for a salesperson.”

Tom Newton: And I went, “Hey, I’m a software engineer. I can do that as well.” Nice. It turns out I can’t. Like, sales is a skill. Yeah, don’t let anyone tell you otherwise. But I was what the company needed, right? Then there were no salespeople, there were no pre-salespeople. There were some support people, but they needed somebody who could come and sort of translate what people knocking on the door looking for firewalls and filters and all that sort of business wanted and work out what was the best for them.

Tom Newton: So that’s what I did for Smoothwall until they employed an actual professional salesperson, and then I moved into that sort of pre-sales role. And, barring a little break to go and look at some other companies and find I did enjoy working there, that has been me ever since. So between, that was '03. Smoothwall founded in 2001. I joined in '03. And I’ve pretty much been here ever since. Part of that journey, we’ve morphed from being more about filtering than firewalling and to being entirely focused on education rather than, at the time, we had the broadest applicability when I joined.

Tom Newton: We would sell to anybody who could cross our palm with silver, regardless of what they wanted or where they were in the world, leading to some amazing contacts I still have with people across the world. So many interesting people, in all parts, in all walks of life. Yeah, I remember once selling a firewall to a guy in Luxembourg who run a cow sperm depository. It was one of the odder companies we worked for. Good guy. Yeah. We didn’t sample his product. On the other hand, we did have a Trappist brewery in the Netherlands who had taken a vow of silence, but they used our filter, and they made some very, very good beer. So, you know, it takes all sorts, as they say.

Tom Newton: So yeah. That was a bit long-winded, but that’s roughly how I ended up sitting here today, thinking about keeping kids safe on the internet.

David: So we have to thank Johnny. We have to say thank you, Johnny. Yes, we do. For the little bit of a nudge. Yeah, for the encouragement to say, “Hey, you’re good at this.” Yeah.

Tom Newton: Oh, yeah. He was instrumental there. Probably doesn’t know how instrumental he was, but maybe he’ll watch this and find out.

David: Yeah, everyone needs a Johnny at some point in their life to basically say, “Hey, there’s something in you that is already completely oriented towards this particular role.” And, most of us have a Johnny in our lives, so I’m glad to know that you have one as well. Yeah.

Tom Newton: And the weird thing is that obviously I spent that time thinking about building software, and then really within Smoothwall, I’ve never actually built software. Is some of my code lying about in the product? Yes. Thankfully not very much of it, because I am deeply mediocre at building software. Turns out my brother went down the same route. He started studying law, and then when he saw my success at switching codes, shall we say, he also switched to software. He is an excellent software engineer, one of the best I know.

Tom Newton: I am deeply mediocre. So that’s why, you know, my talents lie elsewhere. That’s why I’ve ended up in pre-sales and in product management, and more recently in the sort of advocacy and internal affairs sort of a sphere.

David: Okay. So we won’t go down the path of Perl and C++ very much. But we might have to revisit that in the future. I love hearing real experts debate the value of C++ versus any other language of choice. And it gets into the nuances where it’s going to have a role for the foreseeable future. But yeah, we’re probably not the best experts to do a deep dive on that. Yeah. Or I’m certainly not.

Tom Newton: There’s a lot of argument about, and for me I always think if you’ve got the right people with the right engineering standards, it almost doesn’t matter what tool you use, you can make something secure.

David: Correct. And I would also argue that the best C++ developers that I know would say if you’re doing it right, then C++ is your best bet. But it’s a big if, right? It depends on the developer very much so. Whereas you take something that’s memory safe, like, Rust for example, and it’s really hard to create a problem. Whereas a C++ developer can very easily create a problem, right? So there’s all kinds of arguments at different levels that we can make. But what’s amazing is that it’s multi-language, just like you can have your English, and in Canada, we can have our English. We’re still somewhat interoperable.

The Internet Gap and Recording Everything

Tom Newton: Sometimes we’re on the right side of it and sometimes you guys are. I think it’s nicely analogous as well when you’re thinking about kind of the difference between your kind of garbage collector languages and your memory safe languages and the rest. It’s kind of analogous to that ability to make mistakes and know about those mistakes early on, or the ability to be in a safe environment to make mistakes. It’s analogous to that childhood. You know, I spent my childhood making mistakes, which weren’t thankfully recorded on the internet. Oh. You know, it’s amazing, like, there’s a kind of internet gap, like things that we did on FidoNet and on BBSs and things like that, like, it’s all gone.

David: Right.

Tom Newton: Like it was electronically recorded and is now gone. And that’s advantageous to people of our era, David.

David: Yes.

Tom Newton: We’ve got away with some stuff, I’m sure, that we’re glad is not public forevermore, or not available forevermore. And, you know, young people growing up today don’t have that advantage. What they put out, that’ll be recorded and will stay because of the cheap storage and the sort of ubiquitous resale and reuse of content, what you do is permanent and that’s a challenge I think that drives a lot of what we do.

Tom Newton: How can we make the environment safe for young people to still express themselves as young people want to do, to still make mistakes and remain safe? It’s not something that many organizations who run the backbone of the internet and the balkanized little communities of the internet really think too hard about.

David: That reality seems to affect other spheres in life, too. Someone explained to me just on the way here, someone I was sitting beside said that the reason that young people today don’t ask a girl for a dance is because someone’s going to be recording their foolish movement. Someone’s going to have a photo of them being foolish, and they just don’t wanna take that risk. So we have this aspect of today’s population that knows that most likely anything you do will be recorded, and that might be a liability, so they stay away from it.

David: But so important to explore in, especially in tech, being a defender, the way many of us got to a place of defense is that we noticed stuff happening that shouldn’t be happening. Yeah. And sometimes it was us doing things that we shouldn’t be doing, that we don’t want our kids to do, right? So yeah, it’s a different time today. But maybe it comes with advantages that we don’t recognize yet. Yeah,

Tom Newton: I mean, the ubiquity of recording comes with advantages. We can hold power to account more easily.

David: True.

Tom Newton: You know, somebody powerful could easily and quietly violate the law, you know, even if those were people who are supposed to uphold the law. You know, police brutality reports have gone up. It’s not probably because the police are worse than they were before. In fact, they’re probably better, we would hope. But it’s because that’s recordable.

David: Yes.

Tom Newton: You know? Some of these things that have rocked the world in the reports of horrible things that have happened are only known about because of the ubiquity of recording, you know? But on the downside, like, UFO sightings are way down. Yeah. Yeah, because everyone’s like, “Where’s the evidence? Oh, yeah, there is none.” Well, there should be now because we’ve all got a camera in our pocket. So, yeah, I think there’s positives and negatives to that really, isn’t it, to that ubiquity of recording. But as a society, we haven’t had a chance to get to grips with that.

Tom Newton: And while we’re getting to grips with it, you know, Meta are bringing out smart glasses and things like that, you know. People could be recording you without your knowledge very easily. It’s really obvious when someone’s holding up a smartphone at you that they’re recording you maybe, and maybe they’re doing that for good or for ill. But when it’s smart glasses with an LED that’s been turned off, like who knows. This is gonna get smaller. This is gonna get more ubiquitous. It’s a changing world, and it’s frightening in many ways. Yeah.

Defending Kids Online

David: Tom, let’s talk about being a defender for kids and to kids. It’s kind of a tricky situation.

Tom Newton: It is. And you rightly pull at the nub of it there in that what we defend against is often who we’re defending. We’re often defending young people against young people. Sometimes defending young people against themselves when exploration goes a little too far, when pushing the boundaries goes a little too far, when kids cross the virtual street into a shady neighborhood, and unfortunately, the internet is replete with shady neighborhoods, with some deeply unpleasant characters in them.

Tom Newton: As a trustee of the Internet Watch Foundation that works to keep child sexual abuse material off the internet and reduce this problem to absolute zero is our aim at the IWF. I see and hear of a lot of those shady environments, and there are places where we would consider a safe environment which just simply aren’t, and this includes online games. This includes productivity tools. There are dangers everywhere. And those dangers don’t always come from the archetypal guy in a dirty mackintosh standing on a street corner that we always think about as some sort of a predator. But young people will endanger one another.

Tom Newton: Peer-on-peer abuse is incredibly common. So you think about some kids in a school. They’re using Google Docs because that’s the productivity tool in the school. It’s what they’re using to write their essays. I can share a Google Doc with David, and I can write some unpleasant things about him in it. Right. And I can encourage him to open it and then delete them, and it’s kinda hard to police as a teacher. But I can amplify the worst of my bad points if I’m a bully, or if I’m just frustrated or if there’s a couple of friendship groups just fighting. Things that would ordinarily have been seen by a teacher in the playground, in the class, would be shouted across, would be visible, audible, are now hidden, and often happening in the places where we think, like, kids should be using. You know, if you look at like, “Hey, well, you know, Tom was saying that he was on the G Suite the whole day. Like, what? He’s probably doing his work.” Maybe, or maybe had a Google Doc full of links to games.

Tom Newton: Hmm. Yeah. Kids are incredibly sophisticated. It’s quite fun. There’s a sophisticated network of web filter avoidance tools and unblocked games. Just the other day, I went on a website that looked like an education website, stock imagery, standard text, almost certainly produced by AI. But at first, second, and probably third glance, it looked like a fairly anodyne website talking about education.

Tom Newton: If you tap the “G” key twice, the website goes away, and it’s a bunch of games. Just to prove it worked, I played a little football game for two minutes until I realized it didn’t have Leeds United in it. And I was absolutely out. But yeah, this is built by kids for kids. And with the advent of AI, you know, Dave and I were talking earlier about malware being built by AI, but also AI coding tools are being used by kids to create websites that are incredibly well-hidden. I mean, you cannot help but be slightly impressed by the kid who’s put this together, found a way to proxy these games off other websites, put it behind a website.

Tom Newton: It’s probably running on a free tier on Heroku or something like that, and then hidden it ever so well. Yeah? And it’s brilliant because that’s hidden from other web filters, because a lot of web filters look at a URL they’ve never seen before or a domain they’ve never seen before. That goes back to web filter HQ. That gets looked at by probably machine learning. This site looks completely innocent. Even if that gets analyzed very quickly by a person, looks completely innocent. It’s probably gone into an uncategorized list. It might even, more fun, get categorized as education, and then it might end up actually in allow lists on people’s filters.

Tom Newton: Right. Which is why one of the things we do here at Qoria and Smoothwall and Linewize, which are our two brands, we do real-time content filtering. Right. We think you’ve got to look at the content that student’s actually pulling down onto the device, because otherwise you can’t see what they’re up to. And that applies because of these incredibly clever obfuscations. But it also applies because, like, bad things happen in good places. It’s not good enough just to say, “This is docs.google.com, therefore it’s safe.” The presumption of safety is a bad one in the same way like ADAM Networks presumes what’s going out for network is bad until shown to be good.

Tom Newton: We ought to presume that places on the internet are safe until proven otherwise. And the incentives to make them safe from the people who build these systems aren’t there. Right. You might get fined by the EU. You can sit and argue about that for quite some time before any money leaves your bank account. And the money that does leave your bank account is probably immaterial compared to your profits. It’s like fining a multimillionaire 60 quid for parking his car on double yellow. Doesn’t care. That’s the cost of doing business. And I’m not saying that all of the mega corporations out there that are producing our internet properties that we use every day are filled with people who don’t care.

Tom Newton: Absolutely, I’m sure some of them do care. I’m sure many of them do care, and I’m sure the trust and safety people there care very, very deeply about this. But there may be that like we can’t leave it all on their shoulders to resolve this. It’s gonna involve parents. It’s gonna involve kids themselves. It’s gonna involve schools. It’s gonna take a village just like it did when we were lads. It’s gonna take a village to keep kids safe on the internet, and we can’t leave it all in the hands of, and just say, “Well, big tech have gotta fix it.” Big tech absolutely have to be part of fixing it. Like, big tech are making big money on the backs of some transactions that are quite unpleasant happening. Like, that’s gotta stop. They’ve gotta help.

Tom Newton: But we can’t just throw our hands up in the air and say like, “That’s those guys responsible to fix it.” In the same way as we don’t say, “Well, car manufacturers are responsible for all road accidents”, and we don’t teach our kids to cross the road, you know? We don’t teach our kids to look both ways when they cross the road. It’s not just about that one place to fix. Our job as defenders is to bring people together to defend globally. Right. And I think that’s partly because some of the people we are defending are also the people we are defending against.

Tom Newton: You know, we can’t go, “You’re on this side of the wall, and you’re on this side of the wall.” Yeah. “You’re the malware guys, and you’re the bank.” Yeah. Those guys don’t have much of a Venn diagram crossover. Not, hopefully not many of the malware guys work in the bank. But in our case, some of the people who are victims are also victimizers.

David: Yeah. And the more we look at the origin of that, the more it’s not surprising. I mean, we both come from cultures where we cherish liberty, where we cherish personal freedom. And so when children grow up, and that is part of the culture that they’re brought up in, and then they’re given a screen and they’re saying, “But this screen comes with conditions,” then they naturally wanna break out of those, right? And so there is an element of wanting to break out of the white picket fence that is there, that we kind of smile at and say, “Okay, go ahead and keep on trying,” because the more you try to break out, the more I recognize where the weaknesses are, and the better we can defend against those. Because those exact same tricks are being used for malicious purposes.

David: So I smile and I encourage people to try and identify weaknesses, right? Think of that like legitimate red teamers.

Tom Newton: Absolutely.

David: Yeah. And we wanna know about those, because it allows us to then protect against those that would actually have real malicious intent.

Tom Newton: And we also want young people to be able to explore. Yeah. You know, to be given the freedom to explore that I was given. Right. You know, to be given some freedom from the consequences of some of my more stupid actions. But, you know, just like for example, I had the freedom to change what I was studying. That was incredible freedom for me.

Tom Newton: I had the freedom to think about what this meant for me, what I enjoyed doing. If kids can’t go off and explore what they can do on the internet, what they can do with AI, what they can do with their computers, how are we gonna have the next generation come through with that curiosity, with that drive that we need? So we’ve gotta temper our attempt to keep young people safe with also the ability to give them that safe space to explore and to push boundaries and that sort of thing, which is a challenge.

David: Yeah. Maybe we should call out to the Johnnys of the world to say, “When you identify these kids, let them know that they could become really good defenders.” Because they can explore the offensive opportunities probably more efficiently than non-defenders would. Yeah. And so that can…

Tom Newton: I will confess to paying my godson, James, John’s son, £5 every time he finds me a way that can get round our filter.

David: That’s good. That’s good.

Tom Newton: Keeps him in Switch games. He does all right out of me, so he is definitely the next generation coming up. But yeah, it’s also interesting that we’ve got this kind of battle between privacy of adults and protection of young people. It’s something, you know, you and I see a lot at the IETF, when we’re with people like Andrew Campling and David Wright, from the UK Safer Internet Centre, when we’re talking to people about spotting CSAM, for example, to put the Internet Watch Foundation hat back on for a moment. Recently, the EU failed to continue that derogation to allow the likes of Facebook to scan for known CSAM, and it’s easily pushed back on because there’s a welter of people who come at this saying, “This is invading my privacy.”

Tom Newton: To scan this media before I upload it into Meta’s ecosystem is an invasion of my privacy. To hash match it without uploading it to a server with a cryptographic hash to check. Well, it’s not crypto, it’s perceptual hash. With a hash to check whether this might be known child sexual abuse material is an invasion of my privacy. And that’s an opinion, sure. Not one I necessarily agree with. I see where it comes from. Yeah. But we have challenges in this world, and we have victims, and most of the people who are advocating for this sort of mega privacy environment are suffering from survivorship bias. They’ve never been through it or known somebody who’s been through it or seen the damage that it can do, and they’re on the privileged side, and they need to understand that privilege they have and understand that others don’t necessarily have the same privilege.
Tom Newton: I think that’s something we can say about the development of the internet over the years, is in many ways it’s allowed people who are disadvantaged to get ahead, but in many ways it’s also excluded them.

Helmets and Braking Distance

David: I just had a picture, a reminder of an early day experience when I really loved the freedom of being able to ride a motorcycle without a helmet. In some parts of the United States, you are not required to wear a helmet. When we had first moved to Canada, a friend of mine had a motorcycle and I said, “I’d like to give it a ride.” And so I took it for a ride on a private road. And at the end of the road, it was quite sandy, and I did not have an appreciation at the time of your braking distance is dramatically impacted when you don’t have plain raw pavement.

David: The moment there’s a little bit of sand, that obviously impacts your braking distance by a lot. And fortunately, this friend of mine, John. Wow, we have another John. What’s up to, John B. Forced me to wear his helmet, I didn’t want to. So then, okay, fine, I put on the helmet, and I take it for a spin and I come back to where he was at the end of this roadway that was sandy.

David: And with my misjudging of the distance, I came in too strong, and as I braked, I laid the bike down, unintentionally, obviously, and spun all the way to the end of the street where there was a big post. And my helmet smacked the post, and the helmet broke, and I was safe. And I’ll never forget that experience because, like to your point, that if people don’t have the experience where protection actually saves them, they don’t necessarily have the appreciation for it. Absolutely. That was a very real-life example for me. Now I’m back into having my motorcycle license again, and one of my sons wants to ride with me, and I’m excited about it, but I’ll be wearing a helmet. Yeah. And if it wasn’t for that experience, I’d be inclined to go to one of the states where I don’t have to wear a helmet to be able to enjoy the freedom.

Tom Newton: I mean, on the plus side, David, you’re not really missing out on the wind in your hair, are you?

David: You have a fair point there. I can’t argue that. You’re coming along, too. Yeah.

The UNDERMINR Vulnerability

David: So let’s talk about the UNDERMINR.

Tom Newton: Yeah. Yeah, so that is a real shock to see that there’s still methods to get around filtering that obviously somebody knows about them. Yeah. Because you discovered this empirically, yeah? Right. I think that’s one of the great things I love about the sort of ADAM Networks’ ethos, is you guys are, we’re gonna treat outbound traffic as harmful until it’s proven otherwise. I think what that leads you to is a lot of what-the-heck-is-that moments. Right. And it feels like that’s the sort of thing that uncovered UNDERMINR.

Tom Newton: That’s exactly it. Yeah. Like, hang on, this traffic is going here, and yet there isn’t a DNS request for it. Right. I’ve got DNS requests to a lot of sites that are on my allow list, and I’ve got traffic with SNI that isn’t. And that must have been a puzzling moment for you, I guess.

David: It was absolutely a puzzling moment because what we noticed was that in environments where it was a requirement to enforce BYOD devices not to be able to make a third-party VPN connection, stuff was breaking out. And as we were looking at the apps that were doing this, we’re starting to explore. So up until that point, we had had very good success at making sure that third-party VPN apps couldn’t break out because of the allow list thing, because of don’t talk to strangers. It was basically, we had advanced past the cat and mouse game, and it was now a way to protect an environment from having a breakout like that.

David: When we saw this happen for the first time, it was like a, an eyebrow-raising moment. Wait a minute. What’s going on here? How is this happening? And these were very sketchy VPN apps that after they connected were displaying some pretty nasty ads. So that really was, like, doubly bad. Not only is it breaking out, but clearly someone here has intent that is monetary, that is deceptive, that, like, oh, and by the way, it breaks Google’s terms of service, but the app has tens of millions of downloads. How does that work? So it had all of these attributes that really made us look at this more deeply.

Tom Newton: And I imagine it has one of the worst attributes on the internet, the F word. It’s free.

David: Yes. When something is free, we all know then you are the product.

Tom Newton: Absolutely. And when something is free, it’s also orders of magnitude more attractive to young people who generally don’t have the means to pay for things. Right. And, you know, what we’re seeing for BYO is suffering a bit of a resurgence in education. BYO’s always a challenge, and it’s a challenge for many reasons in education. You know, it brings heterogeneity into education establishments, which is not really very useful because when you’re teaching something and there’s three kids using three different bits of software, you have… That’s then the teacher’s job to ameliorate those challenges where we’d rather them be teaching.

Tom Newton: So BYO, which is often driven by sort of financial constraints, by schools needing devices, but not necessarily being able to afford devices for every young person, bring in their own devices. So it brings that heterogeneity challenge, but it also brings the challenge that these devices are de facto unmanaged. Any software can live on them. Right. Those devices might be managed to a degree by the parents. There might be something like Qustodio on there limiting the apps that kids can use. But that’s not always entirely likely. Even that’s a minority of young people whose parents come to the realization that monitoring and protecting their device is good, a good and useful thing. But those devices can have these VPNs on them. And when those VPNs are free, it’s another barrier that doesn’t exist to downloading those. And as you say, once it’s free, your data’s being used for some sketchy stuff. Right.

Tom Newton: And the adverts that you see. Even adverts for games these days are highly sexualized. So much stuff is highly sexualized. It’s unreal. It’s absolutely unreal because it drives the clicks, it drives the monetization, and our young people are exposed to this. And you might think it’s kinda harmless, but I don’t.

Tom Newton: It’s perpetuating attitudes that bleed from the online world into the real world. The Andrew Tates of this world, the looks maxing, the red pill, the incels, that’s not half there on its own. It’s there because sex sells, and that’s never been more true. And the sexualization of advertising and of all of the platforms is worse than ever.

Tom Newton: And when you’re on something that’s already breaching Google’s terms of service, likely these aren’t, you know, ads coming from a decent ad network. These are ads coming from whichever ad network will take their business. That’s right. And it’s, not only is it from that, but I’m sure it’s full of malware as well. As we know, we know ads are an absolute goldmine for malware authors as well.

David: They are. I mean, each year there’s billions of malicious ads being served by Big Tech, and they keep on getting away with it because they can show that when it’s reported, they stop it. But again, it’s that’s a whack-a-mole game. Yeah. But some of the worst ads that I saw too are very clearly targeting the vulnerable fringe. And so for example, I saw ISIS ads. Pro-ISIS. We’re talking 2026.

Tom Newton: Yeah.

David: And yet that was the default ad. Every time it broke out, there was a pro-ISIS ad. That would be the first one that would be displayed. So I don’t know if some of these developers are from the Middle East and there is a personal motivation on behalf of the developers, but it is not something that we would want our kids or being accessible to kids in school zones that we defend against, that’s for sure. So when we saw this, we immediately saw that not only is this being used actively in this way with free VPN apps, but it would make it trivial for that same methodology to be applied to ClickFix campaigns, or for it to be written into malware, or for it to be written into some shell script that’s part of a download package that someone needs.

David: And so that is what really raised our attention, was really raised when we saw that there’s no end in sight for this. And once large language models have this capability built in, then the next malicious author that has his AI writing malware is just gonna have this built in and not even be aware of the UNDERMINR method. And so that’s why we have to take action.

Tom Newton: We’ve spoken for a while there about the UNDERMINR method without really saying clearly that at its heart, UNDERMINR is a way to lie about where you’re going to your DNS server. That’s right. Like, it’s a way to blind your DNS server to your true intentions, and it makes protective DNS, which is sadly one of the more common ways to deal with BYO, because it’s straightforward, and until now has worked, one of the more common ways to deal with BYO.

Tom Newton: But that, literally that, until now caveat is there. Even if you were playing whack-a-mole against VPNs, you could whack your moles reasonably effectively. Particularly in a school, you know. VPN A goes around the kids, mole whacked. VPN B crops up a few weeks later, whack. You know, it’s fairly easy to spot because you’ve got a lot of fairly careless attackers who are probably sharing this, like, loudly near the people who want to defend. So it’s fairly easy to whack those moles. But with UNDERMINR, it makes those moles impossible to whack because you’ve suddenly, like, this analogy is broken completely, but someone has stolen your mole-whacking hammer at this point.

Tom Newton: Like, oh, oh, oh, no, no, maybe out of the holes, the moles are coming and it’s not, but it’s a frog. And you’re like, “What? I can’t whack that. That’s mean. I only whack moles. My animal cruelty is very limited here.” Um, like, but, yeah, we’ve, the mole-whacking hammer is suddenly completely pointless. You can’t block it because you don’t know what to block. Right. Right. That’s huge. Yeah. It’s absolutely huge.

David: Essentially, the UNDERMINR has found a way to arbitrage information that is disconnected between what happens at the content delivery network end versus what happens at the egress end. And so by using that blind spot to hide what the actual intent is, protective DNS by itself, unfortunately in this case, has no ability to see it, and therefore it cannot protect against it.

Tom Newton: Yeah. And I think, you know, I always like to refer to Occam’s razor. You know, the simplest explanation is most often the truth, or the adaptation of that of, you know, never attribute to malice what can be adequately explained by ignorance.

David: Right.

Tom Newton: And I like, thinking about your ISIS adverts, I suspect it’s more ignorance of what’s on those ad servers, or at least I hope it is, than it is malice. But I also, I extend that to never attribute to ignorance what could be adequately explained by environment. And that’s what our young people have, is an environment in which they can combine their environmental need of, “I want to get past the thing that’s blocking me from getting on games during lesson time, and therefore I’ve got a VPN.” And then comes the ignorance. “I’m ignorant of the potential harms that could come to me from using this VPN.”

Tom Newton: And none of this is really malicious. Yeah, it’s environmental and it’s low information, and that’s what’s giving you your unpleasant situation, not a sort of malicious attacker, which is the trope that we are pushed when we’re talking about security on the internet is there’s literally a guy with a black hat doing something evil, and actually I think most of the problems aren’t that guy. Like, oh, that guy’s causing a lot of problems. Right. If someone could find him, steal his hat from him, you know, the world would be a better place. But there’s a lot of other problems caused by other things that aren’t simply just malicious actors.

Solutions, Privacy, and Trust

David: Yeah. Thank you for calling that out, because there is clearly a need for educating our young people to understand that what you’re attempting to do may come with consequences you did not consider, and that educational element is probably a weak link at the moment where we’re at. Yeah. But let’s talk about real quick for the audience to know how Linewize and how Smoothwall handles the UNDERMINR method.

Tom Newton: So right now, the vast majority of our customers take some sort of onsite hardware, so that gives them the capability of doing the SNI inspection even without pushing certificates, because obviously pushing certificates to do full man-in-the-middle to BYO is challenging. Right now, with the state of the internet as it is, we can still do SNI inspection because we can, with the help of the right DNS server, we can strip ECH headers, so we can still see that SNI. And when we see that SNI, well, that gives us the underlying destination so that we can show the mistruth that is being peddled by our VPN, and we can recover our mole-whacking hammer, and we can give it a little tickle. And whack that mole. The challenge here comes from retaining the SNI visibility.

Tom Newton: I think over time, we’ll see things like don’t talk to strangers coming in to help enforce that visibility onto networks. And again, it’s this endless struggle between privacy, which we all want in our personal lives, which we all think you know, end-to-end encryption’s great. But there’s this struggle between privacy and safety. That’s right. And it’s cropping up in so many organizations. And we know the fathers of the internet and the fathers of DNS all tell us that this was intended to be something that gave control to the local network admin.

Tom Newton: There’s a degree of trust that needs to exist between a local network admin and their users. And yet as we work in a zero trust world, some of the things we need for zero trust operation mean we give up that level of trust between admins and users, which means we also give up the safety that they can provide to us. So I think a lot of the questions we face over the next few years is how do we mediate that? Right. Schools are a really interesting case because they’re more than anywhere, there’s a level of trust required between the young people in their care and IT and the safety staff and the teachers.

Tom Newton: And there’s a level of visibility of one to the other that we need to maintain in order to provide that safety net. Again, with kids and parents, there’s a level of visibility that’s needed of young people’s activity that parents need to make sure that they’re kept safe. But there’s also that level of trust, and how do we keep that trust? How do we know when the trust is broken? How do we know when there may be bad actors who are in our safety crew, you know? All parents are not good and supportive. All people who work in education are not good and supportive. There are bad apples everywhere. How do we put this together with the right third parties, with the right people in technology, that we can at least solve this problem for the vast majority?

Tom Newton: That’s a mission that we’ve chosen here because we’re crazy. Yeah. If we were in it to make piles of gold and sit upon it like some sort of evil dragon out of The Hobbit books, we wouldn’t be in this business. Because I’m telling you now, we fly economy. It sucks. It’s interesting, you know, one of the things I learned building products in education is half the time you can’t use the third-party software you want. You can’t authenticate people using Auth0. That’s stuff for the big boys. That’s stuff for the guys who are charging $10 per seat per month. We aren’t charging $10 per seat per year. Education can’t afford that. Therefore, we can’t afford the fun toys. Sometimes we have to build them ourselves.

Tom Newton: You know? We have to go out there and build things to a margin, because people can’t afford to pay a big premium to be safe. People shouldn’t have to afford to pay a big premium to be safe. So we have to build things in, like, a different way to other tools to traditional SaaS, to B2B SaaS. We’re a different ballgame. But that’s because we’re mission-driven. We’re here for one thing. We’re here to try and make the internet incrementally slightly safer for young people. And really, that means making it safer for adults, too. That means making it harder for adults to get in trouble for, you know, running into young people in the wrong environment.

Tom Newton: Right. You know? It means making it harder for adults to get scammed, to lose their life savings to the romance scammer or whatever have you. Because part of this is education, part of it’s technology, and part of it’s just preventing people from being in those situations in the first place.

Tom Newton: Every time I talk about it, I feel a dread sense of overwhelmed, like, there’s too much. Just go and hide under a rock. And, like, I’m not gonna lie to you, my life’s ambition is to live in a forest. The last thing I’ll do is order online a sign that says, “Tom’s forest, naff off.” Like, I wanna live in one of those, like, fairy tale witch’s cottages that people are scared to come up to. I just wanna go away and hide from it all. But, like, until that day, we’ll keep fighting the good fight.

Closing Thoughts

David: Right. Yeah. I couldn’t have said it better, Tom. That is, you have basically described the complexity that we are faced with in our industry. You wanna provide every element of safety you possibly can for the people that are most vulnerable, but you have very real constraints. You have economic constraints. You have awareness and educational constraints. You have geographic language constraints. And we basically have to keep on working. Our mission is to protect people, so we are completely aligned with what you’re doing.

David: And so I’m very glad that we’ve gotten to know you personally and that Smoothwall and ADAM Networks are both serving the same common good purpose. And I really do see a long road ahead of a lot of work to do. So with that, is there any piece of wisdom that I have not extracted from you yet today that you wish to share with our audience?

Tom Newton: I think I’m pretty short on wisdom these days. They say, you know, youth is wasted on the young and wisdom wasted on the old. I’m not sure when my wisdom’s gonna come, but, you know, what I would like to say, though, is that the thing that has been the author of change everywhere has been personal connections.

Tom Newton: And as I’ve heard, the author of change in my life was a personal connection. I’m hopeful that the author of change in something maybe we can do with ADAM Networks is the connection. And you mentioned earlier, the reason we connected was Andrew Campling. Like, that guy’s a guy who knows everybody.

Tom Newton: Find people who know people, get introductions, you know, go and sit in a bar with that weird Canadian guy that you met at the IETF meeting because, like, who knows what fun you’re gonna have down the line. In this increasingly impersonal world where we sit and talk to ChatGPT or Claude. And by the way, one of my awful opinions is that AI bots should not be allowed to have human names. At the very best, they should be given dog names, so we don’t anthropomorphize them too much. Right. And so we don’t trust their output quite as much as we should. But yeah, you know, in these days when people are sitting there behind screens, maybe talking to AI, like, those personal connections, doing things like this, being face-to-face, sitting talking is one of the most valuable things you can still do.

Tom Newton: And these horrible bits of silicon will never replace that. And one day I’ll throw them all in the river and go and live in a forest.

David: I’ll find you.

David: Thanks, Tom.

Tom Newton: Cheers, David. See ya.