Friday, May 9, 2014

Tell the FCC to Secure Net Neutrality

Viharts extremely good explanation of net neutrality and how it is being gutted by proposed FCC regulations.

At I've talked a little bit about net neutrality and how important it is to the Internet as we know it. Currently there are two things happening that seriously threaten both net neutrality and the Internet in general. The are the proposed FCC rules to replace those struck down by the Supreme Court of the United States (SCotUS) earlier this year and the proposed merger of Comcast and Time Warner (or buyout of TW by CC, of you prefer). The merging of Comcast and Time Warner is important, but the most urgent of the two are the FCC's proposed net neutrality rules.

Why the Rules Are Changing

The SCotUS has decreed that the FCC cannot enforce common carrier rules on ISP's because the current definition of a common carrier doesn't clearly fit an Internet service provider. Thank you, Comcast and Verizon. The simple solution would be for the FCC to explicitly define ISP's as common carriers, but it could be hard to make this happen because the head of the FCC, Tom Wheeler, used to be a lobbyist for the cable companies. Several other FCC officials also used to fight net neutrality. 

What the Changes Mean

The proposed FCC rules would allow ISPs to charge different companies or groups different rates to use ISP networks, or even to refuse customers access to sites the ISP deems inappropriate. Each ISP can determine its own rules. So Comcast might charge Netflix one rate and Hulu a less, while Suddenlink charges Netflix more than Comcast does, but charge Hulu more than it charges Netflix. Both might decide you can't go to - or this blog. It's their choice.

What We Can Do

We can email, snail mail, and call FCC officials and let them know that true net neutrality is important to us. One enterprising (or foolish) fellow even throttled the FCC's access to his main page down to 28.8kbps - that's slow dial-up speeds by todays standards. Sign the petition at the White House web site supporting net neutrality. Contact your representatives. Raise a ruckus!

To contact FCC leadership:

To contact your senators:
In Texas:  

Cornyn, John - (R - TX) Class II
517 Hart Senate Office Building Washington DC 20510
(202) 224-2934

Cruz, Ted - (R - TX) Class I
185 Dirksen Senate Office Building Washington DC 20510
(202) 224-5922

The rest of the U.S.:

Find your state in the pull menu in the top right of the senate home page,

To contact your representative:

Texas has 32 Representatives. for the Lubbock, Abilene and Big Spring area ours is:

Randy Neugebauer
611 University Ave. Suite #220
Lubbock, TX 79401
Phone: (806) 763-1611
Fax: (806) 767-9168

In other parts of Texas and the rest of the U.S. you can find your representatives by entering your zip code in the form at

Saturday, September 22, 2012

Facial recognition: Nowhere to hide

Originally posted 08/10/2011 on

Jaikumar Vijayan reports on that at the Black Hat hackers conference security researcher Alessandro Acquisti presented a disturbing paper on facial recognition, social sites like Facebook, and privacy.

The research involved taking pictures and applying facial recognition software - of the shelf software, not custom software written for the research. They did use a custom program to extract images from Facebook and a dating site - all from the same city - and then used the facial recognition software to identify the people in the pictures. The results were interesting:

In all, about 5,800 dating site members also had Facebook profiles. Of these, more than 4,900 were uniquely identified. The numbers are significant because a previous CMU survey showed that about 90% of Facebook members use their real name on their profiles, Acquisiti said. Though the dating site members had used assumed names to remain anonymous, their real identities were revealed just by matching them with their Facebook profiles.

Ok, more than interesting. Disturbing. They pulled the pictures from Facebook and a dating site, but what if they had sat in the mall taking pictures of people walking past, then compared those photos to Facebook? What if they had been stalkers taking pictures of potential victims?

Thoughtless implementation of facial recognition software could be very dangerous. What happens when the only way to hide is to actually change your face? People trying to escape abuse, people in the witness protection program, or others needing or wanting to escape will find it much harder, if not impossible, without changing their face. That is...unfortunate.

Sunday, August 19, 2012

Is your ISP selling your search?

Originally posted 08/09/2011 on

Karl Bode at reports that ISP's in the U.S. are hijacking our searches and redirecting them to a company called Paxfire. Paxfire is more than just a redirect service for ISP's, it's a revenue generator:

"Under specific conditions, the Paxfire proxies do not merely relay traffic to and from the search engines. When the user initiates searches for specific keywords from the browser's URL bar or search bar, the proxy no longer relays the query to the intended search engine, but instead redirects the browser's request through affiliate networks, as the equivalent of a click on advertisements. Using the names of popular websites, we have so far identified 170 brand-related keywords that trigger redirections via affiliate programs and result either on the brands' sites or on search assistance pages unrelated to the intended search engine results page."

There is also an article on the EFF website. In that article is a link to Netalyzr, which can be used to find out if you might be a victim of search hijacking. Don't use Netalzyr at work, it scans your network and could get you in trouble.

I ran Netalyzr at home, and found out that my ISP is probably redirecting my searches to make money off of them. Without asking or notifying me they are profiting from my work and effort. Or if it's not redirecting my searches, it's at least is doing some strange things with them.

To stop that I switched my DNS server from my ISP to Google's DNS. There is also OpenDNS and other options. As a bonus, with Google DNS I've lost a lot of latency (my connections are faster). Later this week we'll look at alternative DNS solutions and how to change DNS providers.

Saturday, August 18, 2012

Justice Department shuts down a nightmare

Originally posted 08/08/2011 on

Matthew Lasar at Ars Technica reports that, despite pseudonyms, anonymous proxy servers and encryption, the Justice Department has indicted 72 members of an online child pornography community, Dreamboard. All but 20 of them have been arrested.

Usually I read any additional documentation available and link to it when I talk about a story, but in this case I was sick enough from the watered down report. If you are curious about details, click the link to the story. Matthew has links to JD documents that go into greater detail if desired. 

Privacy is important. Preventing abuse of power by law enforcement (and other government agencies) is important. But occasionally we need to see stories like this to remind us that there are legitimate purposes for accessing citizens information. Neither privacy or the governments right to snoop into it can be absolute. There is a proper balance, and it's very hard to maintain because both sides, by nature, seek more control. But striving to find and maintain that balance is crucial, because it allows us to enjoy privacy while allowing the people who are supposed to protect us the freedom to catch people like those involved in Dreamboard.

If you give the government a good enough reason to find you they will, if you stay online. There are ways to make it incredibly hard, but if you give them enough reason, they won't give up. Sometimes that's a good thing.

British government promises to reform copyright law.

Originally posted 08/05/2011 on

Timothy B. Lee reports on Ars Technica that the British government has pledged to make significant changes in UK copyright law.

The change is in part due to an independent report to the UK Prime Minister. The report is 130 pages, but it boils down to this: Copyright policy in the UK has been driven more by lobbyists than by any real evidence. Based on the report the UK is looking at allowing DVD ripping for personal use and making it impossible to take away rights by removing them using contracts - including EULA's on software and music.

It looks like the UK is serious about reforming copyright law to be something closer to the original intent - allow creators exclusive right to profit from their creations for limited time before allowing others freedom to adapt, modify and build on them, thereby encouraging innovation. The current system - one pushed by special interests such as the RIAA and MPAA in the US - creates hurdles and places barriers on innovation by extending copyright protections so far from the original creation that the creator may have died of natural causes after a long life. Hopefully the British government is only the first to see the benefits in reforming copyright law. It's in their own best interest.

The actual report to the Prime Minister is here (PDF)

Germany declares Facebook facial recognition illegal

Originally posted 08/04/2011 on

It looks like Facebook is learning the lesson Walmart learned when it comes to doing business in Germany. Germany is not the U.S. Matthew Shaer reports in the Christian Science Monitor that Facebooks facial recognition 'feature' has been declared illegal in Germany.

I don't know how much affect this will actually have on Facebook. It will depend on what kind action Germany decides to take and Facebook's response. Honestly, even if Germany successfully blocked Facebook, would Facebook care? The German government might feel the pressure more than Facebook. There will probably be some type of compromise, but I honestly don't see Facebook giving up it's facial recognition software completely.

H.R. 1981 presumes we are all child pornographers

Originally posted 08/03/2011 on

In her "Pulp Tech" blog at ZDNet Violet Blue reported that the House Judiciary Committee has passed the "Protecting Children From Internet Pornographers Act of 2011," a bill that is supposedly designed to protect children from Internet pornographers. Violet has several concerns with this bill, ranging from the fact that it seems to confuse pornographers - people engaged in a legal, if unsavory to some, activity - with pedophiles, who are among the most despicable people on the planet.

That is a big problem, but it surpassed by the specifics of the bill itself. Section 4 requires "A provider of an electronic communication service or remote computing service shall retain for a period of at least 18 months the temporarily assigned network addresses the service assigns to each account." That makes it a requirement for ISP's to keep complete records of everywhere you surf for at least 18 months. Further into the bill (Section 11) it modifies Section 3486(a)(1) of title 18 regarding administrative subpoenas.

A lot of people have been complaining about this bill. It is a privacy nightmare, requiring ISPs to keep records of everything you do online for a year and a half and allowing the records to be requested by just about anyone for any purpose. Violet Blue quotes Representative John Conyers:

“The bill is mislabeled,” said Rep. John Conyers of Michigan, the senior Democrat on the panel. “This is not protecting children from Internet pornography. It’s creating a database for everybody in this country for a lot of other purposes.”

From small ISPs (most large ISPs folded to government pressure years ago), privacy groups like the EFF and EPIC to congressmen, the concern over this bill is widespread. But if we don't get involved it will pass. The next step will be to make technologies like TOR illegal so you can't hide what you are doing from the government. The next likely step would be to outlaw open wifi. As long as people can go to Starbucks and surf this law will be easily circumvented, so open wifi will have to go. And there might be another attempt to outlaw encryption technologies. That was unsuccessfully attempted before, but the steady erosion of rights and civil liberties since 9/11 make it's passage more likely now, especially if bills like "Protecting Children From Internet Pornographers Act of 2011" pass and are not overturned by the courts.

Contact your senators and representatives and let them know that this bill serves only one purpose, and that is to make it easier for government agencies to spy on law abiding citizens.

The text of the H.R. 1981 is here (PDF).

Online safety just takes a little common sense

Originally posted 08/02/2011 on

Google has backed off the 'real name' on Google+ policy. That's good, but it takes both more and less than pseudonyms to be safe online. The internet is a wild and wooly place. If you're not careful you can reveal a lot more of yourself than you intend.

So what kinds of things do you need to do to protect yourself? It's not very hard. There are three simple things you can do that will help you stay safe:

    • You can't take it back. Once you put something online it's out there. You can delete every copy you can find, but you'll never know who read it or how many copies were made of it.
    • The internet is not the place to put your darkest secrets. If there is ANYONE you would not want to see what you are about to post, don't post it.
    • Be careful what you put online. Without even trying we are far more exposed after a few days (maybe even hours) of online activity. When you tell about your pets, your childhood, you hobbies, you are giving people information that can be used to attack you.

It's very easy to give up too much information online, but you can protect yourself without having to sever all ties to the online world. Just use a little common sense makes your online experience more fun and a lot safer.

Is it a felony to video police in public?

Originally posted 08/01/2011 on

On Rania Khalek reports on the increasing number of people being charged with crimes for shooting video of on duty police in public places. This is becoming more common as cell phones with video cameras are the norm.

The article covers several episodes from recent years, some you've probably heard of, some you may not have. One of the most recent was the case of Narces Benoit, the man who saved his phones memory card from police confiscation by putting it in his mouth. The video showed both police shooting a suspect and pointing guns at Mr. Benoit to confiscate his cell phone.

Several laws have been used in attempts to justify police confiscating cell phones used to video them. From privacy laws to wiretapping laws, citizens have found themselves charged with crimes ranging from misdemeanors to class one felonies for shooting video of on duty police in public places. Many of those cases were of police doing things they shouldn't have. Many more cases were probably of police doing their jobs properly, but those don't make headlines. The point is, the police are public employees and supposed to protect the rights of citizens. While on duty and in public places (and maybe some private places) they should have no expectation of privacy and every expectation that they could be photographed or videoed.

Is it a felony to video police in public? It shouldn't be, but at this point the courts have come down on both sides of this question. Most cases have been dismissed, but a few people have been convicted. Whether or not you are committing a felony by recording police performing their duties in public can depend on where you are and what judge you draw. In the end it will be the pressure we put on our congressmen to write laws addressing this issue, or a decision by the Supreme Court that will decide if we can legally take video of police performing their duties in public.

Contact your senators and representatives and let them know citizens should not be harrassed for taking pictures or video of policemen doing their duty in public.

Thank you Ian Williams for pointing out that if I'm going to ask a question like that I need to provide an answer.

Randi Zuckerberg: Anonymity on the Internet has to go away

Originally posted 07/29/2011 on

Bianca Bosker at the Huffington post tells us that Randi Zuckerberg, Facebook marketing director and Mark Zuckerberg's sister, believes anomymity on the internet has to go away. Bianca quotes Randi as saying:

“I think anonymity on the Internet has to go away,” she said during a panel discussion on social media hosted Tuesday evening by Marie Claire magazine. “People behave a lot better when they have their real names down. … I think people hide behind anonymity and they feel like they can say whatever they want behind closed doors.

Miss Zuckerberg also alleges that requiring people to use their real names will end cyberbullying. Apparently she was never bullied on the playground growing up. For that matter, she must not have paid attention to things going on on Facebook the last few years.

The Toronto Sun reports that a 16 year old girl will be sentenced on August 15th for stabbing another 16 year old girl after making threats on Facebook. After stabbing the other girl she went home and threatened to do worse if the other girl messed with her again.

A little over a month ago I told you about Jason Valdez, who holed up in a motel room with a (maybe) hostage and talked about his police standoff on Facebook while friends and family informed him of police movements. Jason's account was in his real name, and I'm pretty sure most of the others were, too.

And for good measure, we have London Eley, who I told you about a week earlier than Mr. Valdez. Miss Eley tried to hire a hitman on Facebook. Her Facebook account is down now, but I visited it when I first read the story. It was easy to find because she used her real name.

While using real names can make it easier to find people who are doing wrong, using real names does little to prevent bad behavior. Requiring real names on Facebook has not stopped bad behavior. It would be hard to say real names have even slowed bad behavior down. Why would anyone expect "real name only" policies to work any better on the internet at large than they do on Facebook?

The need for pseudonyms

Originally posted 07/28/2011 on

Tuesday I told you about Google deleting the accounts of users using pseudonyms. There has been a lot of discussion online about the situation, some of it very well thought out, some less so. Kee Hinckley wrote an excellent piece and put it under the Creative Commons Attribution-ShareAlike license. The full article is here. Because his original post is so long, I'm going to mildly condense 3 of his sections: Red Herrings, Who needs a pseudonym and Arguments against pseudonyms. I will keep the order of his points intact:

First, the red herrings:

Anonymous speech on the Internet is a mess

This is absolutely true. Fortunately, nobody is asking for anonymous speech on Google+; we're asking for the ability to use pseudonyms—persistent names that aren't tied to our real life address, home and personal information. All the usual validation processes (SMS messages, voice activation on the phone, etc.) would apply to them. When people give examples of how pseudonyms create hostile environments, they are almost always referring to comment systems, not social networks.

If people use pseudonyms, I won't be able to track down a stalker

If you have a legal complaint, then Google will reply to a subpoena with all the information they have, which at least includes IP addresses and any linked accounts, and perhaps the number of the phone used during verification. The process of tracking a real "John Smith" to an originating computer is not going to be any different from tracking down "Demosthenes" to that same computer. Since Google isn't verifying every address, they have no more information about "John Smith" than they do about "Demosthenes".

I want a service where I know that everyone I talk to is using their real name

Then you need a paid service where every person is required to provide a credit card and/or government ID. So far as I know, no such service exists, nor does anyone have any plans to create one. Google is only suspending accounts that have odd characters in their name, or which are reported by other users. They have given no indication that they wish to ask for a photo ID from every single one of their users, nor would such a process be viable in an international community.

This policy is necessary to stop spam.

See the previous item. With no ID requirement, spammers simply require a phone and a name that looks real. I'm sure Google will be using phone data, content filters, social graph analysis, and user complaints to help track down spammers, but allowing or disallowing pseudonyms has zero impact on the problem. Bad behavior is bad behavior, it doesn't matter if you do it with a real name or a fake one.

Next, who needs a pseudonym?

Mr. Hinckley starts this with personal examples, times it was important that he not use his real name, then talks about a couple of friends, then generic examples.


When the attempted revolution broke out in Iran, I had in-laws there, I had information about what was happening that I wanted to share online with people who were interested in the situation. I wanted to educate them about what was happening. But I couldn't do that under my real name, because the Iranian government was actively searching Twitter for posts about Iran, and they could easily have connected me to my wife and her relatives.


My father has Alzheimer's. It's getting pretty bad, he's starting to get paranoid, my mother has to bathe him and help him go to the bathroom. She and my aunt care for him, and it's pretty tough, and when I go there to help, it's pretty hard on me. Fortunately I can talk about this publicly, about all the things that happen and all the stress it causes me. And when I do, I get support and discover that there are other people out there amongst my public correspondents who are also having these problems, and we offer each other suggestions and support. I don't do this under my real name because I really don't want to be putting private information about my father, my mother, my aunt and myself out on the Internet. So I do it under my pseudonym. And not surprisingly, most of the people who respond to me are doing so under their pseudonyms. Is Alzheimer's a topic we aren't supposed to talk about publicly on Google+? There are many many topics like this which are not in the slightest bit controversial, but which people would prefer to talk about without their boss, neighbors, or strangers connecting to their real name.

Dating the Wrong Guy

Her boss is a total misanthrope, he hates blacks. He rails about them day in and day out. What he doesn't know is that she's living with her black boyfriend. She's been looking for a new job for months, but this is all she can find. Where can she go where she can talk publicly online with her friends and her boyfriend about politics, the latest tech toys, and her interests?

Here is part of a list of examples from +Shava Nerad:

The Lawyer

This is setting a precedent for the small town lawyer who wants to be able to keep their ability to blog about local politics, even though it might alienate their clients in their law practice.

The Abuse Survivor

It's about a middle aged guy who wants to blog about surviving sexual family abuse as a kid, even though his abusers are still very much alive, living in the same town.

Arab Spring

It's about the woman who wants to blog about how her husband and several of her cousins are activists in the Arab Spring movements in Syria, and how she and her mother and sister are getting by at home while they are away.

I have a pseudonym I use on the Internet. It has a blog, a paid Flickr account, a YouTube account, over 1000 Twitter followers, over 40,000 tweets (that's about 1000 pages of writing). It has its own domain name, and three years worth of 50,000 Google references associated with it (twice as many as I have under this name). Why does that account, with it's obvious pseudonym, have less accountability than some guy named "John Smith" who lists no location, links to no other info, and shows no connections to any other people on the Internet? My persona lives and dies on reputation alone. "John Smith" gets a free ride because he can produce a driver's license to Google and continue being an anonymous asshole to everyone else. Does that really make sense?And if you grant my persona's right to exist here, then are we saying that Google+ is a network only for people who already established their connections somewhere else; the "old boys' club" of social networks? We don't ask people for their passport before we talk to them. As +Sai . asks, "Have you ever slept with someone without first asking to see their ID?" If we'll do that, why do would we require one to talk online?

Arguments against pseudonyms

People don't really need to hide

I hope the earlier set of examples has put this argument to rest, but in the end, this is no business of anybody except the person who wishes to have some privacy. This isn't about hiding. It's about privacy and control of the key that gives every stranger access to my doorstep; my name.

You only need a pseudonym if you're bad

Mark Zuckerberg is famous for having said, "Having two identities for yourself is an example of a lack of integrity.". (Okay, that's not theonly reason he's famous.) So speaks a man who has never had to work for someone else and never had children. He also said "The days of you having a different image for your work friends or co-workers and for the other people you know are probably coming to an end pretty quickly." ( It's pretty clear that Facebook is doing its best to make this true, it's not so clear that people want it to be true.

A forum with pseudonyms lacks respectful discourse

There is an element of truth to this. Someone may in fact chose a pseudonym in order to troll and create havoc. Removing pseudonyms will probably reduce this. There are however, a couple of problems with the argument.

  1. People troll under their "real" names too. So with or without pseudonyms, the service must provide mechanisms for dealing with abusers. Google+ does provide some of these already. Over time, Google will need to provide additional tools; whether or not they allow pseudonyms.
  2. Google is not providing a mechanism to prevent fake accounts. They are providing a mechanism to report fake accounts and validate them after the fact. So if someone signs on as John Williams, and starts flame fights in the comments, it's going to be a while before it occurs to anyone that it might be a fake account. You'll still need the moderation tools.
  3. People who have persistent pseudonyms are noticeably different from the trollers. They have lots of friends, you can Google them, they have many online posts. Even on Twitter, in the land of 140 character tweets, it's pretty easy to glance at the follower list and tweet stream of someone and tell whether they are a spammer, a jerk, or an actual social person. It has nothing to do with name, and everything to do with behavior and content.
  4. A person with a persistent pseudonym lives and dies on one thing; reputation. If they lose their reputation, they lose their voice. All they have is what they say. So in fact, they are more inclined to carry on a respectful conversation. Especially in a forum where being blocked is a mouse click away.

One common argument is to point at other services as an example of the failure of pseudonymity, but the comparisons are almost always apples and oranges. Examples include Techcrunch's comment forum prior to switching to Facebook, YouTube, Myspace, and any newspaper comment forum. They also provide no benefits to creating a social network of friends. On the other hand, there are social networks, like Flickr, LiveJournal, Twitter, and others, which have a huge mix of pseudonymous and "real" names, and have civil discourse and a very active community. If they can have a vibrant user community with both "real" and pseudonymous accounts, why can't Google+?



Mr. Hinckley makes many other good points, but the upshot of them all is that there are a lot of good reasons to allow pseudonyms. Reasons that easily outweigh the objections to them. In fact, he quotes Googles policy blog:

Pseudonymous. Using a pseudonym has been one of the great benefits of the Internet, because it has enabled people to express themselves freely—they may be in physical danger, looking for help, or have a condition they don’t want people to know about. People in these circumstances may need a consistent identity, but one that is not linked to their offline self. That quote is from Google's own policy blog. The question isn't whether Google gets it. The question is why on earth they thought that wasn't a useful feature of a social network. Here lies the huge irony in this discussion. Persistent pseudonyms aren't ways to hide who you are. They provide a way to be who you are. You can finally talk about what you really believe; your real politics, your real problems, your real sexuality, your real family, your real self. Much of the support for "real names" comes from people who don't want to hear about controversy, but controversy is only a small part of the need for pseudonyms. For most of us, it's simply the desire to be able to talk openly about the things that matter to every one of us who uses the Internet. The desire to be judged—not by our birth, not by our sex, and not by who we work for—but by what we say.

The first 15 years I was online I used pseudonyms. One was 'Lord Hawkmoon' and was used primarily on local BBS's. The other big one was 'Bright Warrior' and I used it on 3 national BBS subs.It's only in the last 10 or so that I've used my real name online. That is my choice, and it should be a choice.

In that 25 or so years most of the people I've known online used pseudonyms, and even when we met in person we seldom asked for 'real' names. There were people who were total jerks, but often when we met it turned out they were total jerks in real life. The small sacrifice of dealing with the occasional jerk seems a small price to pay for the benefits of allowing pseudonyms.

Edited at 9:00am for formatting because this software ignores 98% of html formatting

Scammers exploiting Winehouse, Norway tragedies

Originally posted 07/27/2011 on

Bill Brenner of CSO online reports that scammers are taking advantage of the death of Amy Winehouse and the tragedy in Norway. The attacks use social engineering to convince people to click on links that will infect their computers with malware.

It sounds paranoid, but you should be suspicious of any shared link. Creating emails, tweets, and updates that will allow scammers to hijack legitimate accounts to spread their (mal)wares has become both a science and an art. Even seasoned, super suspicious security experts can find themselves hooked by a well crafted scam. So be a little paranoid, and be a lot safer.

Google deleting/suspending users for using handles

Originally posted 07/26/2011 on

Google+ (g+)has gotten off to a good start. Unfortunately it's hit a rocky spot that could, if not handled properly, destroy the momentum it's enjoyed so far. Rafal Los (aka Wh1t3Rabbit) reports that the hacker community is in an uproar. Apparently Google has been disabling the accounts of people who are using handles instead of their real names. Some people have lost everything they had in Google. This is a problem because Google's terms of service apparently don't say you have to use your real name, but to use the name your friends know you buy. I'm not a hacker but, like Rafal Los, I am acquainted with people who do not use their real names. I've never known their real names, and if they contacted me using their real names I might ignore it because I wouldn't know who it was. The other side of the problem is, Google is biting the hands of the early adopters. As I said a few days ago, the majority of Google+ early adopters are male, and as far as I can tell, in the technology sector. A large number of those use handles, and don't appreciate being told they have to use their real names. People who have been using Gmail since it's inception also don't appreciate losing all their archived emails and other data. How many people will turn away from g+ rather than wrestle with Google over usernames?

But it may not be as simple as that. According to Peter Smith at ITWorld there appear to be two types of account issues: Accounts being suspended for naming violations, and accounts being suspended for violations of the terms of service. Naming convention violatiosn are relatively minor. You can still get your Gmail and you just have to prove that poeple normally know you by your username, either through links or ID's. But the TOS violations are worse. You are not given a clear description of the violation, and you lose access to your entire Google account.

Another article on, this one by Juan Carlos Perez, talks about the different groups being affected by the account deletions, which include people who have unusual names and people who don't want to use their real names for privacy reasons. As quoted in the article, Google's response seems to be:

Asked for comment, a Google spokeswoman said via e-mail that Google Profiles are designed to be public Web pages whose purpose is to "help connect and find real people in the real world." "By providing your common name, you will be assisting all people you know -- friends, family members, classmates, co-workers, and other acquaintances -- in finding and creating a connection with the right person online," she wrote.

Google claims to want to make it easier to connect to people we know. Ironically, they are undermining one of the goals they had when they put Google+ into private Beta. The goal for us to connect to each other the way we do in real life. In real life online (and sometimes off) people use handles, nicknames, pseudonyms, whatever you want to call them. If Google really wants people to be connecting on Google+ the way they do in real life, and they aren't concerned with things like being able to accurately identify people, then Google is being disengenious. In fact, if someone is using a handle and has followers, especially if they have dozens or more, then their username and profile are helping to, "connect and find real people in the real world." There is no problem, and Google has no reason to suspend accounts because the creator used a handle.

Facebook overexposes videos

Originally posted 07/05/2011 on

Jason Kincaid of TechCrunch reports that Facebook suffered a privacy glitch in it's Videos feature for about a week, but it's fixed now. He explains:

Unfortunately, those controls haven’t been working as they should: for the last week it’s been possible to see a full listing of your friends’ Facebook videos, including the name, thumbnail, description, and people tagged in each clip — regardless of whether or not you were supposed to have access to the videos.

You couldn't actually see the videos, only the title and description and a thumbnail, but that could be enough to cause some embarrassment. It's important to understand that in the complicated, connected world we live in glitches and breaches will happen. But Facebook has a more than it's share of snafu's, and it's hard to believe they couldn't have fixed this issue in less than a week. Facebook is king of the hill in social networking, but if they don't watch it they could find themselves being replaced. It's happened before. At one time IBM was king of the technology world. They are still big, but they were supplanted by Microsoft. Microsoft may be in the process of being supplanted by newer companies that understand the connected world better. Facebook could find themselves in the same situation, but in the lightning fast world of the internet, Facebooks dominance could be measured in years instead of decades.

Will Google+ games threaten Facebook?

Originally posted 07/22/2011 on

According to Tricia Duryee at the All Things Digital blog, Google is about to hit Facebook in the pocketbook. Google is launching a social gaming network that may cost developers less than the traditional 30% it costs them to play in the Facebook and Apple App store universes.

Facebook probably isnt' quaking in their boots about the prospect of a Google+ gaming network just yet, but they have to be eying the possibility with some concern. Google+ has over 18 million users now, and that number is growing at an amazing rate. But that fast early growth could be misleading. The vast majority of Google+ adopters are male, and it seems a large percentage are in technology industries. The real test of Google+ will come when it starts gathering a more diverse group of users. Google+ is a strong offering in the social networking arena, but it's coming relatively late into the game. Will it be able to appeal to a wider audience, one that is used to just putting everything in the open on Facebook? Will most people be willing to make the effort to move to a new social network and sort their friends into circles? Will they opt to use similar, but mostly ignored, functions in Facebook instead of joining Google+. Or just opt to keep using Facebook as they always have and pass on google+?

Can we trust the MPAA with our internet?

Originally posted 07/20/2011 on

The EFF has taken a closer look at agreement reached between big content providers (read MPAA and RIAA) and major ISP's (AT&T, Verizon, Comcast, etc.) to help enforce copyright, and it's not very pretty. Corynne McSherry and Eric Goldman report on what they found in the Deeplinks blog.

I strongly recommend you read their report, but a few of the major points are:

There are no checks and balances. All input on the process comes from content providers and ISP's. Consumers have a single representative who can speak only when spoken to.

There is no due process. All that is required for an ISP to start punishing a user is accusation by a content provider.

Consumers have few rights under the agreement. There is limited time (10 days) to formulate a response.

The entire process assumes guilt. Instead of the content providers having to provide proof of infringement, consumers have to prove lack of it. This turns US law on it's head.

There is no transparency. I can't say it any better than they do in their blog:

The MOU contemplates ongoing evaluation of the system through a variety of reports. That seems like a good idea, but neither subscribers nor the general public get to see or comment on those reports. Similarly, the statement of “prevailing legal principles” used to instruct reviewers also should be made public so that subscribers know how reviewers are interpreting U.S. copyright law. Simply put, if subscribers are supposed to treat the system as credible, they need enough information to determine that the system actually is credible.

This agreement concerns me. We are a connected household and use massive amounts of bandwidth every month. According to our ISP, between 4 and 5 times the average for homes with our data plan, which is enough to download 20 or more DVD's. I can almost gaurantee that I will be going through this process if my ISP is one of those involved. Instead of them having to prove I'm guilty, I'll have to prove I'm innocent. In theory I shouldn't have any trouble doing that, but I shouldn't have to. Our criminal justice system is built on the idea that I am innocent until proven guilty. Corporations shouldn't be able to ignore that because it makes their lives easier.

Do you secure your wireless?

Originally posted 07/05/2011 on

In the Defensive Computing blog at Computerworld Michael Horowitz updates us on the fate of Barry Ardolf. Barry was the genius who hacked his neighbors wifi network then proceeded to try to frame them with crimes ranging from child pornography to death threats on Vice President Biden. He was sentenced to 18 years in prison for his efforts.

Barry was able to hack his neighbors wifi because the neighbor used the totally cracked WEP encryption. With the proper software you can crack a WEP network in well under a minute. WPA has the same problem if you don't use strong passwords.

If Barry Ardolf had been a little smarter he might have actually gotten away with framing his neighbor as he'd planned. All because the neighbor used the weakest encryption on his network. Sort of like using 1/8" balsa wood for the door of a bank vault. Sometimes you don't have any choice because of legacy equipment, but you should always use the strongest encryption available. A WEP encrypted network almost got an innocent man implicated in child pornograghy and threatening the vice president.

There are a lot of different routers, and setting the security is different on all of them. The fastes way to learn how to setup the security on your router is to go to the manufacturers website and download the manual.

Facebook saves lives, too.

Originally posted 07/15/2011 on

Deborah Copaken Kogan is a successful photographer, author and mother. On MSNBC yesterday she recounted how Facebook saved her son's life. Last Mother's Day her 4 year old son woke up with a rash. Over the next three days there was trip to the doctor and steadily worsening symptoms. Also during the three days she put photos of her sick son on Facebook. While the doctors were trying to figure out what was wrong some of her Facebook friends, including 2 pediatricians, urged her to go to the hospital and get him checked for Kawasaki disease.

Long story short, her son did have Kawasaki disease. Her family pediatrician had begun to suspect it, but Facebook beat him to the punch. There are a lot of problems with social media, but there are pluses, too. One of those pluses is the almost instant access to the combined experience of dozens, hundreds or even thousands of people. As Deborah Copaken Kogan learned, that experience can be very powerful.

Note: There is a children's author with a similar name, Deborah Kogan Ray.

More free software

Originally posted 07/14/2011 on

Yesterday we looked at a few free software programs for taking care of your computer. Today we'll look at a few more programs to help you get things done.

Have you ever wanted to manipulate photos like the pros do, but don't want to spend $700 for Adobe Photoshop? You might want to look at The GIMP. An open source image editor with many (but not all) of the features of Photoshop. That's not surprising since Photoshop is at version 13 or so and The GIMP is at version 2.6. It has layers, channels, filters and a scripting language. The one thing it doesn't do is CMYK images, but unless you're sending things to a print shop, that won't matter. It might not matter even then because a lot of modern RIPs will automatically convert images to CMYK. All of the images (when I have them) on this blog are worked in The GIMP. Oh, almost forgot to tell you, GIMP is an acronym. That's why it's in all caps. It stands for the Gnu Image Manipulation Program. The GIMP is available for Mac, Windows and Linux.

Photo editing is fun, but if you want to create scaleable images that can be used on your website and be enlarged to put on a t-shirt (or a bus) without getting all blocky and ugly you need a vector imaging program like Adobe Illustrator. There are a number out there of varying complexity. But even the simplist are pretty powerful when you know how to use them. There is Google's Sketchup, Googles vector graphic editor. It looks pretty powerful and there is plenty of help available. Another program with lots of hidden potential is Inkscape. The interface is much simpler than Sketchup, but judging from some of the art created with it there's a lot hidden behind that simple interface.

No list of free productivity programs would be complete if it didn't include an office suite. Again, there are several options. Some full suites, some individual programs. The office suite usually considered most compatible with MS Office is OpenOffice. It's a full suite with word processor, spreadsheet, presentation, database and graphics software. It's available for Mac, Windows and Linux. If you own a Mac and want your office suite to take advantage of OS X's native graphics your best bet is NeoOffice, a port of OpenOffice. A second option for Windows users is Go-OO. It's based on OpenOffice, too, but boasts additional features.

I was hoping to list some good free games, but I'm out of time again. I may do that tomorrow, but maybe not.

Free (as in beer) software can replace commercial software

Originally posted 07/13/2011 on

Have you been thinking maybe its time for a change? Could be you've used Windows all your life and you're ready to see why those Mac fanatics are so loyal - and despite Mac Defender, Mac's are still far safer from malware than Windows PC's. Maybe you've been using Mac's for years and are tired of the way Apple just drops support of equipment regularly and far faster than Microsoft. But the expense of replacing all your Windows software is just too great.

Or maybe you're just getting tired of the expense of getting good software and keeping it up to date. But you don't have to spend a fortune to get good software whether you're running Windows, Mac or Linux. Here are some good examples:

For your security software, it's possible to ditch Kaspersky, McAfee, etc. and use the free software available from a variety of reputable vendors. There is Microsoft Security Essentials for the PC, as well as AVG Free and Avast Free, to name just a few. For the Mac, there is Avast Free Mac (beta) and Sophos Mac Home Edition. There may be other free anti-virus for Mac, but I'm not aware of any at the moment.

If you're looking for good maintenance software, there are options on the PC and on the Mac. CCleaner is a very good tool to for cleaning up Windows systems. It clears up unneeded old files and cleans up the registry. I've heard that iobits Advanced SystemCare Free is also good, but I've never used it. On the Mac there is MacJanitor and Onyx. Onyx versions are specific to the version of MacOS, and the developers site has versions going all the way back to OS X 10.2.

I've run out of time today, so tomorrow we'll look at some free productivity software

Social Intelligence protects employers, prospective employees

Originally posted 07/12/2011 on

Last year I told you about a company called Social Intelligence that scours the web for your social media presence as a (for fee) service for companies. It took a while longer, but the guys and gals at heard about them, and decided to test out the service on six of their people. Mat Honan was the (un)lucky employee that failed the test and as a consequence, got to tell the tale.

He tells it in unflinching detail, including the full report, which is redacted by Social Intelligence to prevent any inappropriate details from being divulged. Inappropriate in this case means details that it is illegal for an employer to ask prospective employees. Social Intelligence is very dilligent about that. The one really good thing about this service is that it protects both the employer and the prospective employee. Social Intelligence only passes on data that is allowed by law, which protects the employer from charges of discrimination, applicants from actual discrimination.

This isn't really surprising, it's a natural progression from the data mining that is already being done. While it does shield both parties from the possibility of illegal discrimination there's no way of knowing what it might find and how irrelevant it might be now. I've been online since 1987, and while I don't think I've ever done anything online that might cost me a job, I have to ask myself, what might they find?

Edited @ 8:20am for clarity by Bert

Google+ has a small hiccup

Originally posted 07/11/2011 on

Ricky at reports that Google+ ran out of disk space on a notifications server this weekend. It was a small glitch in a service that's still in limited field test, so it's not a big deal. But it should be a wake up call for Google, who admit that they should have foreseen the rapid expansion in notifications. 

This might have been a nightmare for Google, if Google+ were a widely available public product. The lack of server space caused notifications to be sent repeatedly for about 80 minutes, which was inconvenient for some people. But Google+ isn't finished and isn't in wide use yet. All problems with the service have been fixed rapidly and without attempt to gloss over them, so Google is actually looking good, and the reviews for Google+ keep getting better. This 'field test' is giving Google invaluable data on usage which will help prevent large scale versions of the glitch this past weekend. 

Facebook Friday: Teacher trouble

Originally posted 07/08/2011 on

People never learn. Facebook is not a private place. You have more privacy in the local pub than on Facebook. Assuming no one posts they saw you there on Facebook. Or tweets it. But people still insist on treating it as a private forum. Winnie Hu of the NY Times tells us that a teacher in New Jersey is on (paid) administrative leave after complaints that she posted that she felt like she was a warden over future convicts on Facebook.

I wish I could say this was the first time, or at least unusual. But for some reason teachers seem to be particularly susceptible to the keyboard equivalent of loose lips. From teachers posting questionable pictures to detailing their religious conflicts with their students, teachers are the epitomy of too open on Facebook.

This is a situation that will only get worse unless something changes. Privacy and the control of individuals personal and identifying information will continue to move from the individual to third parties who may have no interest in protecting the individual or his data. That is something we should all be up in arms over.

How do search social media?

Originally posted 07/07/2011 on

Last Friday Nick at the Police-Led Intelligence blog posted "Social Media Search Tips for Cops & Law Enforcement Analysts." It covers the basics of social media searching, from kurrently, a search engine for Facebook and Twitter, to Google hacking to Facebook's search engine.

I don't know about the usefulness of kurrently. It only found 1 out of 5 people I searched for. I was one of the people it didn't find. But Google hacking and the Facebook and Twitter search tips are great. On the downside, these same tips work for stalking. But if you're looking for long lost friends and relatives - or a socially networked perp, these tips are a big help.

Do police need military hardware?

Originally posted 07/06/2011 on I've included the comments on this one. Good information. asked an interesting question yesterday. "Why Do the Police Have Tanks? The Strange and Dangerous Militarization of of the US Police Force." I know about the 'war on drugs' and the 'war on terror' but are SWAT teams and armored personel carriers really necessary?

U.S. law prohibits the use of the military to enforce U.S. law. That is what civilian police are for. The purpose of the military is to protect us from invasion and kill the enemy. The mission of the civilian police is supposed to be to enforce the law and protect the citizens. "To protect and to serve" was the slogan on the police cars in Adam-12, the late 60's TV police drama. What happens when you give military hardware to police and train them in military tactics, tactics designed to kill the enemy?

For one thing, you see SWAT teams being used to serve search warrants, whether they are needed or not. You see military style raids used to quickly resolve standoffs. A little over a month ago a little girl in Detroit was shot and killed when the SWAT team raided the home she was in. The only shot fired (under disputed circumstances) was fired by a SWAT officer and hit her in the neck. A stun grenade thrown in the window allegedly singed her blankets (or her, depending on who's telling). Almost 10 years ago in Lubbock Sgt. Kevin Cox was fatally shot by friendly fire in standoff that might have been better handled by waiting out the man inside the house than by military style operations - though the situation did fit department guidelines for calling the SWAT team. Just last week in Lubbock the SWAT team was used to serve at least one search warrant. The performed admirably, but were they necessary?

For the past 50 years, give or take, US law prohibiting use of the military to enforce US law has been increasingly subverted by militarizing our civilian police forces. There are good reason the police should not be militarized, but all of them are for the good of the citizens. The only ones who actually benefit from having a militarized police force is the government. When the military and the police are one we have a police state, and we are moving in that direction, slowly but surely.

Friday, August 17, 2012

Can police search your cell phone?

Originally posted 07/05/2011 on

What do you do if you are pulled over and during the stop the officer asks to look at your cell phone? Your laptop? According to the EFF you politely decline, unless he has a warrant that includes the device. Your cell phone and laptop contain tons of private information, and the 4th Ammendment to unreasonable search and seizure applies to them. They have a detailed page of what police can and can't do on their website, have a single page cheat sheet for posting on websites. Which I am doing here.



Thursday, August 9, 2012

Have you seen the entire Declaration of Independence?

Originally posted 07/04/2011 on

On the 4th of July I thought it would be good to look at the Declaration of Independence. In this document are the seeds of the U.S. Constitution and the Bill of Rights as well as the declaration of the split of the American colonies from England. It's amazing how much was said in so short a space.Imagine my surprise when I saw the transcript residing at and learned that I had never seen then entire document. It includes a list of the grievances the colonies held against King George that I had never seen. You may have seen it before, but you may not have, so I'm providing it to you here with no analysis, no interpretation, just a desire to provide some historical perspective on the day of the birth of our nation:

IN CONGRESS, July 4, 1776. The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature's God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation. We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.--That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, --That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security.--Such has been the patient sufferance of these Colonies; and such is now the necessity which constrains them to alter their former Systems of Government. The history of the present King of Great Britain is a history of repeated injuries and usurpations, all having in direct object the establishment of an absolute Tyranny over these States. To prove this, let Facts be submitted to a candid world.

He has refused his Assent to Laws, the most wholesome and necessary for the public good.

He has forbidden his Governors to pass Laws of immediate and pressing importance, unless suspended in their operation till his Assent should be obtained; and when so suspended, he has utterly neglected to attend to them.

He has refused to pass other Laws for the accommodation of large districts of people, unless those people would relinquish the right of Representation in the Legislature, a right inestimable to them and formidable to tyrants only.

He has called together legislative bodies at places unusual, uncomfortable, and distant from the depository of their public Records, for the sole purpose of fatiguing them into compliance with his measures.

He has dissolved Representative Houses repeatedly, for opposing with manly firmness his invasions on the rights of the people.

He has refused for a long time, after such dissolutions, to cause others to be elected; whereby the Legislative powers, incapable of Annihilation, have returned to the People at large for their exercise; the State remaining in the mean time exposed to all the dangers of invasion from without, and convulsions within.

He has endeavoured to prevent the population of these States; for that purpose obstructing the Laws for Naturalization of Foreigners; refusing to pass others to encourage their migrations hither, and raising the conditions of new Appropriations of Lands.

He has obstructed the Administration of Justice, by refusing his Assent to Laws for establishing Judiciary powers.

He has made Judges dependent on his Will alone, for the tenure of their offices, and the amount and payment of their salaries.

He has erected a multitude of New Offices, and sent hither swarms of Officers to harrass our people, and eat out their substance.

He has kept among us, in times of peace, Standing Armies without the Consent of our legislatures.

He has affected to render the Military independent of and superior to the Civil power.

He has combined with others to subject us to a jurisdiction foreign to our constitution, and unacknowledged by our laws; giving his Assent to their Acts of pretended Legislation:



For Quartering large bodies of armed troops among us:


For protecting them, by a mock Trial, from punishment for any Murders which they should commit on the Inhabitants of these States:

For cutting off our Trade with all parts of the world:

For imposing Taxes on us without our Consent:

For depriving us in many cases, of the benefits of Trial by Jury:

For transporting us beyond Seas to be tried for pretended offences

For abolishing the free System of English Laws in a neighbouring Province, establishing therein an Arbitrary government, and enlarging its Boundaries so as to render it at once an example and fit instrument for introducing the same absolute rule into these Colonies:

For taking away our Charters, abolishing our most valuable Laws, and altering fundamentally the Forms of our Governments:

For suspending our own Legislatures, and declaring themselves invested with power to legislate for us in all cases whatsoever.

He has abdicated Government here, by declaring us out of his Protection and waging War against us.

He has plundered our seas, ravaged our Coasts, burnt our towns, and destroyed the lives of our people.

He is at this time transporting large Armies of foreign Mercenaries to compleat the works of death, desolation and tyranny, already begun with circumstances of Cruelty & perfidy scarcely paralleled in the most barbarous ages, and totally unworthy the Head of a civilized nation.

He has constrained our fellow Citizens taken Captive on the high Seas to bear Arms against their Country, to become the executioners of their friends and Brethren, or to fall themselves by their Hands.

He has excited domestic insurrections amongst us, and has endeavoured to bring on the inhabitants of our frontiers, the merciless Indian Savages, whose known rule of warfare, is an undistinguished destruction of all ages, sexes and conditions.

In every stage of these Oppressions We have Petitioned for Redress in the most humble terms: Our repeated Petitions have been answered only by repeated injury. A Prince whose character is thus marked by every act which may define a Tyrant, is unfit to be the ruler of a free people.

Nor have We been wanting in attentions to our Brittish brethren. We have warned them from time to time of attempts by their legislature to extend an unwarrantable jurisdiction over us. We have reminded them of the circumstances of our emigration and settlement here. We have appealed to their native justice and magnanimity, and we have conjured them by the ties of our common kindred to disavow these usurpations, which, would inevitably interrupt our connections and correspondence. They too have been deaf to the voice of justice and of consanguinity. We must, therefore, acquiesce in the necessity, which denounces our Separation, and hold them, as we hold the rest of mankind, Enemies in War, in Peace Friends.

We, therefore, the Representatives of the united States of America, in General Congress, Assembled, appealing to the Supreme Judge of the world for the rectitude of our intentions, do, in the Name, and by Authority of the good People of these Colonies, solemnly publish and declare, That these United Colonies are, and of Right ought to be Free and Independent States; that they are Absolved from all Allegiance to the British Crown, and that all political connection between them and the State of Great Britain, is and ought to be totally dissolved; and that as Free and Independent States, they have full Power to levy War, conclude Peace, contract Alliances, establish Commerce, and to do all other Acts and Things which Independent States may of right do. And for the support of this Declaration, with a firm reliance on the protection of divine Providence, we mutually pledge to each other our Lives, our Fortunes and our sacred Honor.



Practically unbreakable (but memorable) passwords

Originally posted 07/01/2011 on

A month ago in the June 1st edition (episode 303) of his Security Now! podcast Steve Gibson announced that he had experienced an epiphany on what makes a secure password. The traditional requirements for a secure password have been missing an important point. What's the point? That a secure password doesn't have to be what is known as a 'strong' password.

Basically, you want to make the search for your password as hard as possible. The way we are usually told to do that is to make passwords as far from normal words as possible. Unfortunately, that results in impossible to memorize 'passwords' like rP$23)JL#j01p3a!9h9. Steve's revelation was that it isn't the complexity of the password, it's the length and the size of the 'alphabet' it uses that makes it really secure. Alphabet size is easy to understand. If you only use lowercase letters, your alphabet size is 26. Add uppercase and it's 52. Add digits and you've added another 10. Symbols add even more. On top of that, as Steve points out, figuring out a password is all or nothing. Hollywood makes a nice show of computers figuring out one character of a password at a time, but it doesn't work that way. You try a password and it works or it doesn't. If it fails there is no indication if it was too long, too short, or should have had that 'a' capitalized. So for the most secure password you don't have to make something impossible to memorize, you just have to make it long with a large alphabet. So pick a length - I'll use 20 characters - and this is what you do:

  1. make a base passcode that has at least 1 lowercase letter, 1 uppercase letter, one number, and one symbol. For example, aB3$. For that I just used 1,2,3,4 - a (1st letter), B (uppercase 2nd letter), 3 (number 3) and $ (shift-4). Large alphabet, but easy to remember.
  2. Next add padding - it really doesn't matter what as long as you can remember it. I'll use 8 '!' and 8 '&'.
  3. Combine your padding with your base. I'll put the base in between the padding.

My new password is !!!!!!!!aB3$&&&&&&&& and it's extremely secure (except you know it), easy to memorize and hard to crack. But by traditional standards it's extremely weak. There is too much repetition and not enough randomness. But if I hadn't just shown it too you it would be very hard to crack because an attacker won't know how long my password is, won't know how large the alphabet is and will have to try every possible combination from 1 character (well, I'd probably start with 4) and work until he made it up to 20 characters and then guessed my password. Not a simple task.

Steve has created the Password Haystack to help show how effective these types of passwords are. Note that the page does not test the strength of the passwords, just their security.

If you need more evidence strong passwords aren't, here's an interesting link on 'strong' passwords in the era of cheap GPU's (graphics processing units). It's one of many on Steve's 'Password Haystack' page, but this one points up the importance of long, large alphabet passwords: Cheap GPU's are rendering strong passwords useless

So rethink your password strategy and put in some hardcore secure passwords that are easy to memorize.

Is the FBI an agency out of control?

Originally posted 006/30/2011 on

Kevin Gosztola at looked at 5 types of FBI abuse of power. That abuse of power was, and is, assisted by the FISA court. The FISA court is supposed to oversee the FBI investigations, but unless oversight means rubberstamping electronic surveillance (1506 requests in 2011, 1506 approved) it's falling down on the job.

The court also granted "National Security Letters" on 14,000 people. National security letters pretty much give the FBI full access to your life:

They were also generous with granting “national security letters," which allow the FBI to force credit card companies, financial institutions, and internet service providers to give confidential records about customers’ subscriber information, phone number, email addresses and the websites they’ve visited. The FBI got permission to spy on 14,000 people in this way. Do they really think there are 14,000 terrorists living in the US?

With that backdrop, Kevin tells us that the FBI is seeking greater investigative power, and tells us of 5 types of investigations that show the last thing the FBI needs is more power:

  1. Warrantless GPS tracking (I blogged about this last year)
  2. FBI Targeting WikiLeaks and Bradley Manning Supporters. The FBI intimidated peole involved with the "Bradley Manning Support Network," a legal grassroots organization, for one.
  3. FBI Spied on Children While Using 'Roving Wiretaps,' Intentionally Misled Courts on Freedom of Information Act Requests. Comparing documents from different FOIA requests discovered the deception.
  4. FBI Entrapment of Muslims.
  5. The Criminalization of Travel by the FBI. Vocal activists (not terrorists) are targeted because of disagreement with policy and travel abroad.

I think you should go read the whole article. It's 6 pages, but they're short, and the details he provides are compelling. The last point strikes me a little harder than the others because if I travelled internationally, I could be one of the people targeted. As it is I'm just a harmless crank who blogs in Lubbock, TX and occasionally emails congressmen and the President on issues I feel strongly about. But how long before that isn't enough to protect me from harassment?

Google tries privacy friendlier attack on Facebook

Originally posted 006/29/2011 on

Yesterday on the Official Google Blog a new social networking experience was announced. Dubbed Google+ it's similar to Facebook and Myspace in some ways, but if it works as advertised, it will give more control over privacy. You will be able to segment your friends the way you do in real life in 'circles' that won't have any connections you don't want them to have. At this point Google+ is invite only, so it's too early to tell, but it looks like it has the potential to be a winner.

Here are links to a more indepth stories by people who have already been invited into Google+:

The Epicenter Blog at

News & Opinion at

The New York Times Inside Technology

Wednesday, August 8, 2012

LulzSec ends hacking business

Originally posted 006/27/2011 on

LulzSec Security is closing it's doors. As reported on Mashable and a host of other places they are claiming that the intent from the start was to disrupt the security industry for 50 days in an attempt to restart the 'anti-security' movement. They believe they have fulfilled that goal. They might have, but I doubt it. Not for very long, anyway. 

I also have my doubts that they are disbanding because the time they decided on for their fun was past. I think it has more to do with the arrest of a British youth and their own carelessness. For a group of law breakers involved in activities traditionally performed in secret (for good reason) they didn't take many pains to cover their tracks. Unlike most black hat hackers who work in secrecy and often don't admit when they've performed a hack, LulzSec loudly proclaimed their accomplishments. They setup a Twitter account and a Facebook page. It wasn't their illegal activities that did them, or some timeline, it was their own pride and belief they couldn't be caught.

Felon updates Facebook while police trash room next door

Originally posted 006/24/2011 on

He fought the law

Jason Valdez was in a standoff with police. It was so intense he took time to update his Facebook page. I saw the story when it first came out and pondered how his status updates didn't seem to bear up the claims that he was holding a hostage. Police claim the woman with him initially was with him willingly, but once she expressed a desire to leave, she became a hostage. Reports like this one from TechDirt also indicated that some of his Facebook friends could be facing obstruction of justice charges for telling him what police were doing.

A report on Fox13 in Utah covers the aftermath of the standoff. Mr. Valdez is looking at 20 years for attempted murder (he shot at two police officers), and the police department has egg on it's face for the shape it left two hotel rooms adjacent to Mr. Valdez after the standoff:

SWAT's rescue team was in the neighboring motel rooms where gas, power and water had been cut off. After police safely rescued Jensen, there was considerable damage to the motel rooms, holes in the walls, bottles filled with urine. The residents returned home to a mess that was never cleaned up.

I'm not sure who's the actual bad guy in this story, the felon or the cops.

Should google release a website vulnerability scanner?

Originally posted 006/23/2011 on

Google announced it's experimental Chrome extension, DOM Snitch, to expose vulnerabilities on websites. It's intended for site developers to test their sites from the browser end. As Radoslav Vasilev notes in the blog, most site testing tools focus on the server side of testing. DOM Snitch let's you see what's going on from the browser side.

I like this. I think it'll be pretty cool to go to websites and find out what kinds of vulnerabilties they have. Then again, I might find out things about my bank that would scare the bejesus out of me.