Thursday, December 30, 2010

Setting Belkin wireless security

I don't currently own a Belkin router, but the Belkin wireless router I had beat the tar out of the Linksys I have now. Even though I don't own one I thought I'd be able to download a manual and use images from it to walk people through setting one up. I learned one thing. Belkin manuals are poor excuses for manuals.

I found good instructions for setting up Belkin routers at I'd been looking for good images to use, but good images of Belkin router setup pages are hard to find. His are fair, and his write-up is good.

Tomorrow I will have instructions for DLink routers. The first wireless router I had was a DLink router, and it was probably the best. I need to order one and use the Linksys as a spare.

Wednesday, December 29, 2010

Securing Linksys wireless routers

Securing a wireless router isn't hard, but it does take a little thought. How many devices are hooking up to your wireless? What encryption modes do they support? What is the best mode supported by all of them?

You can worry about things like whether or not to broadcast your SSID, filtering MAC addresses, or using static IPs instead of DHCP, but in most cases the defaults will be fine. The main benefit is to make your wireless more of a pain to crack than your neighbors'. The trouble of maintaining a list of MAC and/or IP addresses just isn't worth the slight added security most of the time.

Today we're looking at the wireless security settings of the Linksys WRT54GS2. If you have another model Linksys router the settings should be similar enough for this to help setting it up.

The first thing to do is to use a Cat-5 or Cat-6 ethernet cable to connect to your router. That way you don't have to change the settings on your computer every time you save a wireless setting on the router. To connect to a Linksys router, type in the URL field of your browser. A login dialog will pop up. The default user is 'admin' (you can't change it). There isn't a password by default.

The router basic setup page will load. Leave the pull-down menu on automatic configuration. Change the local IP address to any address in the private ranges. Don't leave it at the default. If the DHCP server isn't enabled, enable it. Set the starting IP address for the router to give to other devices. I usually just set it to start right after the router's IP (ie if the router is


Once you have the basics set up, click on wireless security. The Wireless Basic setup page will load.


Linksys has 6 security options. WPA2 Enterprise and RADIUS require security servers and are intended for corporate use. If you can, use WPA2 with AES; otherwise, use the best security all of your devices support.



There are no other settings that you really need to worry about for security, but there are settings you may want to look into for information. You can block computers on your network from the internet, route a VPN through, open ports for specific services. It's a fairly versatile consumer router.

Tuesday, December 28, 2010

Securing your router

Time's tight tonight, so I will list the settings you should change to make your wireless router more secure. Tomorrow I will cover specifically how to change those settings on a common Linksys router, the WRT54GS2. If I have time I'll also look at a Belkin router. Thursday I will look at Belkin if I don't have time Wednesday, and last we will look at a DLink router. Generally once you know how to change the settings on one model router you can figure out how to change the settings on other models by the same company. Linksys, Belkin and DLink are the most common consumer routers, so those should help most people get set up.

The steps are really pretty simple:

  1. Change the user name and/or password. Not all routers allow you to change both. There are lists of default usernames and passwords for most routers and most other electronic devices available online.

  2. Set the encryption to the strongest you can. If you have older devices that only support WEP use it. It's not much, but it will discourage people looking for open wifi. If at all possible use WPA2.

  3. Change the default SSID. Make it anything you want, just don't leave it as the default. There are lists of default SSIDs.

  4. Change the default IP address. All routers use IPv4, although the new standard IPv6 is supported by a few. Most devices don't support IPv6 yet, so we only need to worry about IPv4 addresses.

Here are the private IP ranges for IPv4: to to to
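The four steps above, plus the rule from the Linksys walkthrough ("use WPA2 with AES, otherwise the best security all of your devices support"), can be expressed as a small audit. The following is an added example, not code from the original blog post: it checks a router configuration against each step and picks the strongest mode every device on the network supports. The configuration dictionary, device list, and the sample factory-default credentials, SSIDs and LAN addresses are all constructed for illustration; the private IPv4 ranges are the standard RFC 1918 blocks, since the post's own list of ranges did not survive on the page.

```python
"""Audit a home wireless router's settings against the four steps in the post.

Added example; every router setting, device and default-value sample below is
constructed for illustration and is not taken from the original post.
"""
import ipaddress

# Security modes ranked weakest to strongest. WPA2 Enterprise / RADIUS are left
# out because the post says they need a security server and are for corporate use.
MODE_RANK = ["Open", "WEP", "WPA-TKIP", "WPA2-AES"]

# Constructed samples of factory defaults (the post notes such lists exist online).
DEFAULT_CREDENTIALS = {("admin", ""), ("admin", "admin"), ("admin", "password")}
DEFAULT_SSIDS = {"linksys", "belkin54g", "dlink", "default"}
DEFAULT_LAN_IPS = {"192.168.0.1", "192.168.1.1", "192.168.2.1"}

# RFC 1918 private IPv4 ranges (assumed here; the post's own list is not on the page).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def best_common_mode(devices):
    """Strongest mode supported by every device, or None if there is no common mode.

    devices: mapping of device name -> set of supported mode names."""
    if not devices:
        return None
    common = set.intersection(*(set(modes) for modes in devices.values()))
    ranked = [m for m in MODE_RANK if m in common]
    return ranked[-1] if ranked else None


def audit_router(config, devices):
    """Return one finding string per step the configuration fails (empty list = clean)."""
    findings = []

    # Step 1: admin login still at a factory default.
    if (config["username"], config["password"]) in DEFAULT_CREDENTIALS:
        findings.append("step 1: admin login is a factory default")

    # Step 2: strongest encryption that all devices can actually use.
    mode = config["mode"]
    best = best_common_mode(devices)
    if mode not in MODE_RANK:
        findings.append(f"step 2: unknown security mode {mode!r}")
    elif mode == "Open":
        findings.append("step 2: wireless is unencrypted")
    elif best is None:
        findings.append("step 2: no single mode is supported by every device")
    elif MODE_RANK.index(mode) < MODE_RANK.index(best):
        findings.append(f"step 2: {mode} is weaker than {best}, which every device supports")
    elif MODE_RANK.index(mode) > MODE_RANK.index(best):
        left_out = sorted(name for name, modes in devices.items() if mode not in modes)
        findings.append(f"step 2: {mode} is not supported by {', '.join(left_out)}")

    # Step 3: SSID left at a factory default.
    if config["ssid"].strip().lower() in DEFAULT_SSIDS:
        findings.append("step 3: SSID is a factory default")

    # Step 4: LAN address must be private and should not be a common default.
    try:
        ip = ipaddress.ip_address(config["lan_ip"])
    except ValueError:
        findings.append(f"step 4: {config['lan_ip']!r} is not a valid IP address")
        return findings
    if not any(ip in net for net in PRIVATE_RANGES):
        findings.append("step 4: LAN address is outside the private IPv4 ranges")
    elif str(ip) in DEFAULT_LAN_IPS:
        findings.append("step 4: LAN address is a common factory default")

    return findings


# Constructed sample network: three devices with different wireless support.
SAMPLE_DEVICES = {
    "laptop": {"WEP", "WPA-TKIP", "WPA2-AES"},
    "phone": {"WPA-TKIP", "WPA2-AES"},
    "old printer": {"WEP", "WPA-TKIP"},
}
# Constructed "out of the box" configuration and a hardened one.
FACTORY_CONFIG = {"username": "admin", "password": "", "mode": "WEP",
                  "ssid": "linksys", "lan_ip": "192.168.1.1"}
HARDENED_CONFIG = {"username": "admin", "password": "a long unique passphrase",
                   "mode": "WPA-TKIP", "ssid": "quiet-attic-37", "lan_ip": "10.27.4.1"}

if __name__ == "__main__":
    for label, cfg in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_router(cfg, SAMPLE_DEVICES) or ["no findings"])
```

With the sample devices the strongest common mode is WPA-TKIP because the old printer cannot do WPA2; setting the router to WPA2-AES anyway is reported as a compatibility finding naming the device that would be left off the network, which is the trade-off the post describes.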

Wednesday, December 22, 2010

This is why you use strong wireless security

This will be my last post until December 28th.

I read the story on, although I had to go to to find more details. Barry Vincent Ardolf's neighbors learned a hard lesson. Use the strongest encryption and password you can on your wireless router. If you don't, you could face the same nightmare they did. Matt and Bethany Kostolnik were initially suspected of sending emails containing sexual messages and child pornography to Matt Kostolnik's boss. But that wasn't enough. Death threats were sent to Vice President Biden and other politicians in Kostolnik's name.

Ardolf hacked into the Kostolniks' wireless router, then used the connection to create fake MySpace pages and email accounts in the Kostolniks' name. He then proceeded to send messages and child pornography to important people. The plan was to frame the neighbors. Fortunately Ardolf was only almost as smart as he thought he was, and a slip pointed investigators to him.

His story, predictably, is that he is the one who was framed. While it's possible, enough evidence was found on his computers and other devices to show that he needs to be taken off the streets, regardless. If it was a frame, it was a very thorough one.

If you have a wireless router be sure to use the strongest encryption you can. In most cases that should be either WPA or WPA2. Next week we'll look at a few different routers and how to set up the security on them.

The battle for our data: a holiday allegory

The following is a repost of Brian Proffitt's December 20th blog entry on ITWorld. He has kindly granted me permission to repost it. In it he looks at free speech, privacy, and Personally Identifiable Information in ways that few people have - or if they have, they've shied away from the implications. His original post is here. I encourage you to check out his blog and let him know what you think.

The battle for our data: a holiday allegory

Did the cloud just head-fake all of our data away?

While many software developers and enthusiasts have been focusing on the push for open source software, did we miss the fact that somewhere along the line companies got a hold of something even more important: our personal data?

I am not someone that's typically the tin-foil-hat type. But I am seeing a marked increase in the tension between the public users who claim inheritance to the Internet and the private entities that may actually control it.

Every time there's a site blocked on the Internet, supporters usually first go to the "free speech" defense. First off, that's a lovely sentiment--if users and site operators all uniformly lived in nations where free speech was actually the letter of the law. Freedom of expression is something that's denied to billions of people on a daily basis--so any whining about loss of freedom is coming from citizens or subjects of countries that have the luxury of freedom of expression to begin with.

So, after eliminating a big chunk of the world's population, what about the notion of freedom of expression in countries that do have it? There again, we are beginning to see a problem between the theory of freedom and the actual implementation. The problem is this: while citizens have the right to say what they want to say in these countries, they are using a medium that is owned and operated by corporate interests. Phone, cable, satellite, and hosting providers are all beholden to their owners or stockholders, and are all uniformly out to do one thing: make money.

That, coupled with political systems that are closely tied to corporate interests thanks to the practice of political contributions and lobbying, makes for a dangerous recipe for freedom of information.

Right now, I could, if I were so inclined, get on the Web and build a web site that declared that all of Santa's elves were really part of a secret cabal whose real mission was to promote the corporate agenda of the world's major toy manufacturers. I could present leaked documents of secret meetings between Hasbro, Mattel, and the North Pole on exclusive elf-labor practices, and attempts to marginalize misfit in-house elf resistance organizations led by Herbie the Elf with marketing campaigns.

Scandal would ensue, to be sure. My web site would gain in popularity, as more evidence would mount highlighting multiple ties between global toy interests and elf factions. The big bombshell: Purina fingered in an exclusive marketing deal with the North Pole Transportation System. "ReindeerGate" would rock the holiday season.

But resistance would grow. Detractors would mock my efforts, citing a bias against short people with pointy ears... perhaps making up stories of how I was bullied by elves as a child. Or because of my Linux ties, my South Pole, pro-penguin bias was causing me to make up facts in my quest to tear down the efforts of the North Pole. Eventually Fox News would decry my site as one more offensive in the War on Christmas, and the real nastiness would begin. Whispers of being moved to the naughty list after a 44-0 nice list record would come out of the headquarters of the Big Guy himself.

The real coup would come when a US Senator would decry my site as "anti-Christmas." Faced with such public pressure, and without a hint of legal evidence, my hosting provider would drop my site like a hot potato. DNS services would unregister my site, forcing me to change my site address repeatedly, even as hosting providers around the world would refuse to give my site a home--or drop me after learning I'd set my site up on their servers.

And the final insult? Under the tree on Christmas morning, in a gift-wrapped box addressed to me, I discover not a lump of coal, but the latest Barbie fashion accessories... with a note signed "Love, the Elves."

Whimsical and far-fetched? The former, certainly. But recent events in the real world have given us all a peek behind the curtain: when push comes to shove, Internet companies will default to what they perceive as a safe mode when confronted with any real controversy. You can argue, thankfully, whether this is an appropriate response, but the problem is, we're all arguing the point after the fact. The damage has already been done: speech has been blocked, without one bit of legal action.

Faced with that kind of activity, how safe is our information on the Internet? We worry a lot about data thieves stealing our data, but what about our data just up and disappearing one day?

On the Internet there is still an element of rebellion. You can still find places to get content and data hosted. The distributed nature of the Internet makes it difficult to block everything. Which is perhaps why private and public organizations are getting more enthused about the walled gardens of the Internet. Get everyone on Facebook, corporations will reason, and they will be on a single platform on which to market. The message can be controlled, and more importantly the users and their friends can be tracked far more easily than ever. That Facebook makes it more than a little difficult to extract all of a user's data should a user drop Facebook is no accident.

Nor, I suspect, was the recent naming of Mark Zuckerberg as Time's Person of the Year. Traditional media outlets are finding it more and more difficult to generate revenue in the face of the wild and open Internet, where advertising is sporadic at best and subscription paywalls fail almost universally.

I would imagine that governments would be a bit interested in Facebook and its brethren. Warrants become a lot easier to serve when it's only one or two mega-social sites involved rather than a multitude of host providers and network companies. (Conspiracy theorists are already taking note of that same Person of the Year article's mention of FBI Director Robert Mueller just dropping by to say hello to Zuckerberg in the midst of a company meeting.)

This isn't just Facebook. Apple's App Store approach to its iPhone and iPad users reflects the same kind of centralization of user activity and data and to some extent so does Google's Android and ChromeOS though to its credit, Google has been a lot less restrictive about what gets on its platform than Apple. That may be a key difference down the road.

Free software advocate Richard Stallman sees much of the cloud as a problem, regardless of how you get to it. Despite its Linux--excuse me, GNU/Linux--origins, Stallman criticized Google's ChromeOS as promoting what he calls "careless computing" by users who blindly stick their data on the cloud without regard to who else might be able to get to it.

Stallman and I have our differences, but in this regard, I find myself in agreement with him. And we are not alone: a far-less-whimsical article I wrote on recently highlights what others think about the situation, and some of the tools being created to deal with the issues.

Am I advocating a complete withdrawal from the networks upon which we do business? That is a very hard question to answer: it would certainly be safer to remove data from the Internet, but it would be harder to conduct business. Consider credit report ratings: for those lucky folks who are entirely debt-free and deal only on a cash-only basis for their purchases, they have a credit score of 0. This would make getting reasonable loans for things like a mortgage or a college education exceedingly difficult--even though they had managed their finances so well and paid off every creditor. Similar difficulties would arise for anyone who could get off the grid (if this is even possible anymore), I am sure.

Instead, as in all things, I suggest not an extreme solution, but a carefully managed compromise. Be stingy with your data. Don't reveal too much about yourself online, whether on a social network or the Internet. Pay attention to what web sites and networks can do with your data now, and what they are doing. Visiting a commerce site often might make it tempting to store your credit card data there for return visits, but don't succumb. (One thing I do: keep a low-limit card just for online purchases. If something goes wrong, thieves aren't getting much from you.)

If you have kids online: don't be the cool parent that lets them run willy-nilly out on the Internet talking to whomever they please. Be the parent, and keep track of where they go and who they talk to. Don't assume every online network they visit will want or be able to protect them. That's your job.

I have painted the cloud as a dark and scary place, and perhaps that's unfair: there are positives about being in the cloud. But any new frontier may look pleasant and inviting, and it can also contain hidden dangers.

It's time we all pay attention.

Can Florida Sheriff enforce Florida law on Colorado citizens?

I didn't know who Phillip Greaves was until I saw a tweet that said, "First Amendment Alert! Author arrested for writing a book," and gave a shortened URL to a post of the same name by Marc J. Randazza on the Citizen Media Law Project blog.

Mr. Phillip Greaves is an author. He has written a very controversial book. To be honest, I'm almost afraid to tackle this event. Mr. Greaves wrote a book entitled "The Pedophiles Guide." Apparently it was exactly what it says. The book was written in Colorado, and apparently violates no laws there.

Enter Sheriff Grady Judd in Polk County, Fla. He heard about the book and had a deputy order a copy of the book from Greaves. When it arrived they checked it out and determined it was in violation of Florida Obscenity laws. They issued a warrant which was served by Colorado police.

Frankly, I don't have a problem with Mr. Greaves being arrested for writing his book. I've never believed the First Amendment protected all speech, and cases like this merely point out why.

What I do have a problem with is the way the sheriff developed his case. Colorado law hadn't been broken, so he ordered a copy of the book and determined that it broke Florida law and took the steps necessary to issue and prosecute a warrant.

So what? Most people would probably agree that the author's choice of topic marks him as scum. Why should his arrest concern us?

What if, instead of someone from another state whose laws differed from Florida's, he used similar tactics to arrest someone from another country, even though there was nothing illegal being done? Do we want local law enforcement searching for jurisdictions to issue arrest warrants from if they can't find anything illegal in local codes? Do we want local law enforcement looking around the country to find citizens doing things that are legal in their city or state, but illegal in the officer's jurisdiction, and looking for ways to be able to charge and arrest them for breaking the law where their activity is illegal?

I don't like the topic of the book Mr. Greaves wrote. I believe he should be in jail. But there are proper ways to do things, and Sheriff Grady is not using them.

Monday, December 20, 2010

UN wants to take over internet

The United Nations is considering whether to set up an inter-governmental working group to harmonise global efforts by policy makers to regulate the internet.

So opens an article by John Hilvert at ITNews. I think Mr. Hilvert must moonlight as a lawyer.

The upshot is that the UN is seeking to coordinate the control of the internet. But not to "take over". Good idea, take control without taking over, if you can figure out how to do it. Not that I believe the UN is actually trying.

Apparently this push was inspired by Wikileaks, but it was made possible by a resolution last July:

The resolution invited the UN Secretary-General "to convene open and inclusive consultations involving all Member States and all other stakeholders with a view to assisting the process towards enhanced cooperation in order to enable Governments on an equal footing to carry out their roles and responsibilities in respect of international public policy issues pertaining to the Internet but not of the day-to-day technical and operational matters that do not impact upon those issues."

I'm not sure, but I think just about anything governments do regarding public policy and the internet will impact the day-to-day technical and operational matters. Especially since any UN group will probably support - if not push - many of the provisions of the ACTA treaty (I blogged here). Many of those provisions will directly affect both individual citizens and ISPs.

Fortunately there are people who see beyond the immediate gut reactions and see the wider picture. Defeating Napster actually had the opposite effect the RIAA had hoped for. The MPAA is in the process of learning that lesson, and the UN and other governments will likely learn the same thing. Data Control on the internet is like fighting the hydra. Once the beast is free, cutting one head off sees two more rise from the stump of the old. The time to control data is before it gets out, not after.

Friday, December 17, 2010

The most popular password on Gawker? 123456

I commented a couple of days ago that '12345' was probably about as popular a password as 'password' on Gawker. After analyzing roughly 1/3 of the passwords stolen from Gawker, researchers have learned that the most popular password is '123456.' Second is 'password.' I remember laughing at King Roland in Spaceballs because the combination to the air shield was '12345,' and laughing more when President Skroob announced it was the same as the combination to his luggage.

Strong passwords aren't as important as they used to be. Sites limit the number of password attempts before locking you out, so it's not as easy for someone to brute force an account. And if a site doesn't lock you out after so many failed attempts, a "strong" password may not matter. Using rainbow tables, a strong 12-character password will hold out less than 3 minutes.

But '123456' is still a poor choice for a password.

Thursday, December 16, 2010

EFF wins Privacy case in Third Circuit

The Electronic Frontier Foundation has won a major victory protecting your cell phone location data from unreasonable seizure by the government. The decision by the Third Circuit Court of Appeals says that judges can deny requests for "D Orders" and require a warrant to avoid possible Fourth Amendment complications.

This is more important than it looks at first glance. Though the case deals with cell phone location data, "D Orders" are used for a variety of communications-related data, including email. In the Third Circuit the government can no longer assume it will be able to demand communications from ISPs or other communications companies and automatically be granted access by the courts. The EFF is intending to use the decision in similar cases in other circuits, and expects others will, too.

This is a good decision. The government's position on "D Orders" is that they should be granted automatically. Now the government has to be sure of its case before seeking information. They can still get information using "D Orders" but they have to make sure they won't run afoul of the Fourth Amendment by doing so. At least in the Third Circuit. That will decrease the number of cases that can be disputed on Fourth Amendment grounds, saving time and money. We can only hope other Circuits (or the Supreme Court) will agree with this decision.

Wednesday, December 15, 2010

McDonald's suffers data breach

reports that McDonald's has suffered a data breach. According to McDonald's, the servers breached contained email addresses, birthdates and other info, but no Social Security numbers or financial information.

That's very nice, but with an email address and birthdate you can probably steal an identity. If the email address includes a full name, you can definitely steal an identity. With an identity you can get a driver's license, credit cards, jobs, etc. In the modern connected world, there is no minor data breach.

Tuesday, December 14, 2010

Gawker breach compromised government sites

It's no secret now that Gawker had a major data breach. 1.3 million user names have been made available in a torrent file. These days that would almost be no big deal. For everyone but the 1.3 million, anyway. Even the more interesting statistics aren't surprising. Almost 2000 people used "password" for their password. I'm sure there are similar numbers using '12345'.

But those aren't the usernames and passwords that cause concern. The Rundown News Blog on reports what appears to be a sublist of accounts belonging to federal, state and local governments. Apparently they were parsed for future attack. Gawker has been telling people to change their Gawker password, but many, if not most, people use the same username and password for multiple sites. So there is a good (or bad) chance that we will see a government breach resulting from this - unless all of the government employees whose Gawker accounts are compromised change their passwords on all of their accounts.

Even if they don't use the same password on all sites, it would be a good idea to change all of their passwords. Unless they use a password generator, many people tend to use similar passwords. Old girlfriends' names, old pets, take a word, add a number or symbol and rotate the number or symbol, action heroes, comic book characters, etc.

We see talk of how interconnected we are and how exposed online. Incidents like this serve to drive that lesson home. Because of a data breach on a private web site, an unknown amount of government data of unknown sensitivity is at risk. Not to mention the citizens' accounts that risk compromise. The damage is done in this breach, but what can we do to prevent the next one? And the next one?

FBI faking terrorist threats?

In an interesting piece on, Seth Freed Wessler asks, "Why are the Feds cultivating their own 'Homegrown Terrorists'?"

An intriguing question. I hadn't asked myself that question, but I had noticed that the thwarted terrorist attacks we've heard about seemed to involve young men duped into believing they were being recruited by Islamic terrorists. But none of them ever actually communicated with terrorists. Apparently none of them actually had any plans to commit terrorist acts until recruited by the FBI.

Mr. Wessler gives a brief recounting of the case of Antonio Martinez. Martinez converted to Islam, and was eventually approached on Facebook by the FBI, who set him up with (fake) explosives and a plan to use them. Martinez never had contact with any actual terrorists, and other than comments on Facebook saying he supported Jihad, wasn't looking for contacts. So what exactly made him a terrorist threat?

A former FBI agent who has been involved in the defense of persons arrested using these techniques claims that the majority of such cases are bogus - and even rely on hysteria more than hard evidence. In an interview on PBS's Frontline, former agent James Wedick lays out all the problems with the case against Hamid and Umer Hayat, a father and son convicted of planning a terrorist attack. Based on Wedick's interview and the FBI response given to Frontline, I tend to think Seth Wessler may be onto something.

Sitting here it's hard to be sure what's the truth. But it is interesting that in recent history the terrorists who were stopped were setup by the FBI, and the terrorists who almost succeeded were ignored by our intelligence community.

Wikileaks: What happened to freedom of speech?

Wikileaks' publishing of 250,000+ diplomatic cables is a defining moment for the Western world. A young soldier allegedly stole volumes of classified and secret information from the U.S. government. The documents were acquired by Wikileaks, who is in the process of putting them all on the web.

Why do I call this a defining moment? Because now the United States' dirty laundry is being aired, and how we deal with it will say much about our ideals and our realities. I said we, and I said it for a reason. We, the citizens of the U.S., now have access to some very damning diplomatic cables sent by our government. We see our government pressuring other governments to arrest and imprison the editor-in-chief of Wikileaks. Pressuring businesses to stop hosting Wikileaks.

From the cables we see that the U.S. is pushing to influence the internal policies of other countries. That could be considered an act of war.

So how are we going to react to our government's actions? Both those revealed in the cables and those revealed in our government's response to it? Are we going to sit back because there is nothing we can do, or are we going to make our voices heard and tell our elected representatives that we expect them to act in accordance with the finest ideals of our nation, not like playground bullies?

I strongly believe that just releasing the cables was irresponsible. But I also know that Mr. Assange is not a U.S. citizen and Wikileaks is not a U.S. company. He did not hire the soldier to get him secret U.S. documents. He didn't steal them himself. He runs a whistleblower site in a foreign country. The documents he received contained things that needed to be revealed. He revealed them. He did what whistleblowers do.

John Naughton of tells us that governments are going to have to learn to live with the Wikileakable world or shut down the net. He reminds us that Hillary Clinton just last January gave a speech on how important the free flow of information is for citizens to hold governments accountable. I wonder if she sees the irony in our government's response to Wikileaks?

Do public servants have right to privacy?

A conversation I saw on Twitter pointed me to an article on titled, "The War on Cameras" about the right of citizens to record public officials. Thanks @mckeay & @georgevhulme, this is better than what I had planned. :)

The article talks mostly about citizens recording police officers, but the first case, involving a man in Illinois, actually involved a judge. Michael Allison was cited for violating the town's eyesore ordinance. The day before the trial he went to the courthouse to request a court reporter because he wanted a record of what went on for a lawsuit he was planning. He told the court clerk that if a court reporter wasn't there he would record the trial himself, and showed her his digital recorder. He was refused a court reporter. When he appeared before the judge the next day the judge asked if he had a recorder in his pocket and if it was on. Mr. Allison answered yes to both questions. The judge informed him that he (Allison) had broken Illinois wiretapping law and violated his (the judge's) right to privacy. Despite the fact that he had not been informed of the law the day before, only had the recorder because a court reporter wasn't provided, and had no prior criminal record, he was charged with five counts of wiretapping (15 years each if convicted) and had bail set at $35,000.

How much privacy can a judge expect while performing his duties in the courtroom? How much privacy can a police officer expect during a traffic stop? Anthony Graber recorded an officer who stopped him and was arrested for posting the video on YouTube. The charges were eventually dropped.

In their private lives officials have the same privacy rights as we do. But often in the performance of their duties their privacy rights will be much more limited. Police have the right to privacy when interrogating suspects. Judges have the right to limit or deny cameras in the court room. But that doesn't give them a right to "privacy" in the court room. There can be hundreds of people in the court. There often will be a court reporter. There may not be cameras, but there still won't be privacy. An officer writing a ticket on the side of a public highway can't expect any type of privacy. Everybody and their dog can see what's going on. And citizens should be totally able to monitor on-duty police if they can do it without interfering in the policeman's performance of his/her duties.

Wikileaks is a symptom, not the disease

Wikileaks has created a tempest with the release of millions of stolen U.S. secret documents. It's also created serious problems for its founder. Problems that may exist more for the convenience of the embarrassed governments than for any real events. But that's not the reason for this post. Wikileaks has forced governments in general, and the U.S. government in particular, to look at just what types of security they have, and how close it really is to what they need. reports that the U.S. lags behind in safeguarding against cyber attacks. I don't know if anyone really finds that idea surprising. If we can't even prevent a soldier (trusted with clearance or not) from physically stealing secret documents, why should we think we're successfully securing the networks that hold those documents from outside intruders?

The Department of Homeland Security (DHS) has plans to secure those networks, but they will take time to implement. Steps are being taken to plug the holes that made the Wikileaks revelation possible, too. The problem is, those steps should have been taken years ago. There should have been no thumb drives allowed, and the ability to burn CDs should have been limited to particular people, if it was allowed at all.

For at least a decade government agencies have been getting a failing grade when it comes to network and computer system security. The DHS has been receiving failing grades since its creation - though I think last year for the first time it received a "D." It was one of the few sections of our government to do so. If we want to remain a real player in the world - not just in politics, but in economics, science, and technology - we have to step back and look at what we are doing. We have to honestly evaluate everything. Is this policy effective? Or does it just "look good?" Is there a more effective way? If it is effective, is it effective at the right thing? If we are trying to keep thieves from stealing data off of our networks, do our policies at least make it harder to get data off of our network, even if you are sitting on a computer inside the network perimeter?

If I am trying to keep our businesses competitive with foreign companies, are my policies doing that, or are they actually hurting the competitive capabilities of U.S. companies?

We have to look at ourselves honestly, evaluate ourselves dispassionately, and work at improving diligently if we are going to secure our networks and our borders. If we aren't willing to do that, we should fold up now.

How many people's identity is stolen? 1 in 7.

Whether you know it or not, you probably know at least one person whose Social Security number has been stolen. Bob Sullivan at MSNBC's "The Red Tape Chronicles" reports that a new study shows that 1 in 7 people's Social Security number is being used by someone else, too.

That's a lot of SS fraud. Think of 6 people you know. Odds are that at least one of you is sharing your Social Security number with someone. Probably without knowing it. I know two people whose purses were stolen out of their cars. That could be two more shared SS #'s. Is someone using yours? How many someones? 10 people or more are using some numbers. Some are illegals using them to get jobs, some are getting credit, some are legitimate mistakes.

Think about all the times over the years you've rattled off your Social Security number in public. If you're old enough you may have been getting to the front of a line at Tech (or another university) and giving your full name and social with 10 people in hearing range. All it takes is one crook with a good memory. Or a recorder. Fortunately today most places will only ask for the last 4 of the social, if that. But how many times have you handed your identity to a room full of people without thinking about it?

It was going to be the perfect geek gift for your girl

I saw this the other day on a Bit Rebels blog. It was a post by Richard Darell titled, Gear for girls - Only the coolest thing you can give your girl. It really is the coolest thing you can give your girl. Check out the pics. Any girl, geek-girl or nongeek-girl would totally appreciate this - if it were beyond the design stage.

It's a really nice little MP3 player disguised as an earring designed by Lu Won-jun. Or it would be, if it had made it into production. I saw the link in a tweet and assumed it was current. It was actually from this past April, and talked about a fresh, new, and still unproduced MP3 player design. An earring MP3 player. So cool, so unnoticeable. Even the latest iPod can't match it for cool factor.

But it hasn't made it into production. Possibly because some of the comments regarding technical difficulties were dead on. Or maybe not. But it sure would have been cool if it was for sale.

FTC recommending privacy options for Internet users

Edward Wyatt and Tanzina Vega at the NY Times report that the FTC is recommending internet users be allowed to decide whether or not their surfing and buying habits are tracked. Groups like the Electronic Privacy Information Center (EPIC) are encouraged, but don't see a "do not track" option as the perfect solution to online privacy concerns. Online advertising groups are not happy about the proposal, saying that if "Do not track" saw the same rate of adoption as "do not call" it would cause the industry "significant harm."

There is no doubt an opt-out of tracking option would require radical changes in the way online ads are targeted. But I should have the option not to be tracked. Just like I can choose whether or not to take part in CVS's data gathering ExtraCare reward card, I should be able to choose whether or not the sites I visit gather data on me. I should be able to see what type of data is being gathered and I should be able to have that data purged. Or I should be paid for the information. It is my information, after all.

There's a battle over how law enforcement can track us.

The EFF Deeplinks blog reports this week on three court cases regarding the feds' use of cell phone and GPS tracking. Overall it looks promising, although the feds are predictably arguing that they should be able to track us using our cell phones and other geo-location technology without a warrant. But although it looks hopeful, we have to remain vigilant or have our rights abridged, limited, and nullified.

It wasn't in the Deeplinks blog, but the reports that a federal appeals court in Washington D.C. ruled that D.C. police had violated Antoine Jones' rights by placing a tracking device on his car without a warrant. The appeals court agreed with a lower court's opinion that a:

"reasonable person does not expect anyone to monitor and retain a record of every time he drives his car, including his origin, route, destination and each place he stops and how long he stays there."

A wise ruling on the part of both courts. If you can't get a judge to issue a warrant, you don't have enough reason to put a GPS on a car, any more than you have enough to tap a phone. There are reasons law enforcement is limited in its ability to spy on us. We don't live in a police state. There has to be probable cause for police to search citizens, otherwise we could be pulled over and searched because the cop is having a bad day. Or because we post something critical of the President, or the mayor, or the police chief.

There are no reasons to pirate music

According to Paul Boutin at, The Age of Music Piracy is Officially Over. He may be right. Paul says that there is no reason to steal music anymore, unless you're just cheap.

Now that most music can be downloaded as high as 256Kbps quality, songs are 99 cents or lower, and there are a variety of legal sources, he makes a good argument. You can even legally download the Beatles now. Other than sheer unwillingness to pay for music, there isn't really a good reason to download pirated songs. The quality usually isn't as good - there's no guarantee you'll even get the whole song - and there's always that risk, however slight, that you'll get tagged as a downloader and sued.

If you absolutely have to have free music, there are alternatives out there, like Jamendo, a service full of free music that is available under various Creative Commons licenses. Most of the licenses are pretty liberal, allowing you to sample, remix and in general rework the tracks for your pleasure. A similar service is Magnatune, which provides music that is free for any type of personal use. For commercial use there is a one-time fee and no royalties. That means that no matter how much profit your project makes, you only pay the one-time fee.

On further thought, Paul Boutin is right. There is no reason to pirate music anymore.

What is happening to Intellectual Property law in this country?

The last couple of months have seen interesting developments in Intellectual Property (IP) law. The Combating Online Infringement and Counterfeits Act (COICA) made it through Committee in the Senate. The Department of Homeland Security (DHS) is being used to enforce IP law by the Department of Justice (DOJ). Internet domains are taken down with no warning to disrupt the sale of counterfeit goods. According to the press release from the DOJ:

The coordinated federal law enforcement operation targeted online retailers of a diverse array of counterfeit goods, including sports equipment, shoes, handbags, athletic apparel and sunglasses as well as illegal copies of copyrighted DVD boxed sets, music and software.

Makes sense and seems reasonable. But they seized at least one search engine that never hosted torrents or knock-off items. That is disturbing. What would happen if DHS suddenly decided to seize Google? Bing? You can find torrents and knock-offs on those sites, too. Shutting down a search engine because you can find pirated movies is like shutting down a library because you can find the formula for TNT.

Historically IP crimes have been civil matters. But recently they have begun to be pressed as criminal offenses. Take a case reported by, the case of Matthew Crippen. Crippen is charged with two counts of circumventing DRM on XBox video consoles by installing mod chips that allowed people to run homegrown software, ripped DVDs, and other 'unofficial' content, although he could have been charged with many more counts. His lawyers are trying to use the recent decision granting jail-breaking the iPhone an exemption under fair use as part of their defense strategy. If they lose he's facing 3 years in jail, although it could have been as long as 10 years.

Why is the Department of Homeland Security enforcing copyright law? Why are IP cases being tried as criminal cases? Why are we treating IP suspects as guilty until proven innocent? How can we fix these problems?

ICE takes down 77 Internet domains without warning

According to Mashable.com, Friday the Immigration and Customs Enforcement (ICE) division of the Department of Homeland Security seized approximately 77 domains for copyright infringement. The seizures were made without any warning and without going through the hosting ISPs. reports a Torrent of Gov't Seizures in Online Piracy War, and tells us that ICE is taking down domains that host pirated movies and music in a move to combat piracy. They are supposedly getting court orders based on complaints received.

The reports also tell you that not everyone agrees with this move. I know I don't. It's not that I condone piracy. I disagree with the current copyright law for several reasons. One reason is that it makes it illegal for me to exercise my fair use right to make a backup copy of a movie, software, ebook, etc. It's wrong to rip a movie and make copies for my friends or put it online for anyone to copy. But making a single copy for personal backup is allowable according to the fair use provisions of U.S. copyright law.

The big problem with ICE taking down infringing domains is that entire domains are being taken down without warning - possibly without recourse - regardless of whether or not the entire domain is involved or even aware of the alleged infringements. What information was used to determine the domains should be taken down? What kind of checking was done to verify infringement took place?

The U.S. (and other) government(s) have the right and duty to enforce their laws. Sharing copyrighted movies without permission of the copyright holder is immoral and illegal. So taking down sites that exist to make it easy to share illegal copies is proper. But doing so in a manner that takes down sites that are not involved in illegal activity is not. It is very likely that there were legitimate sites taken down by this action. Possibly even legitimate businesses. That is not just wrong, it's irresponsible.

The government has a responsibility to enforce its laws, but it also has a responsibility to enforce them in a fashion that causes the least pain and suffering possible to law-abiding citizens. The very nature of file sharing sites makes it possible for cease and desist letters to be sent and/or an investigation into the suspect domain to determine exactly which sites are guilty to be done without risking the case. Taking down entire domains without considering that a domain can contain many different totally unrelated sites could result in more harm than the illegal file sharing.

The government has a responsibility to enforce the laws, but please don't trample on law abiding citizens to do it.

Happy Thanksgiving!

Next blog Monday, Nov. 29.

Cookie Monster imitates Betty White

Cookie Monster has decided that what worked for Betty should work for him, too. So he has a Facebook page, and is looking for supporters to get him a hosting gig. Go show your support.

PS: If you're flying this Thanksgiving, remember, the poor shmuck "touching your junk" probably doesn't like it any more than you do, so try to take it easy on him (or her).

Bullies video beating, post on Facebook

Another case of Facebook being used by bullies is being investigated, this time in Schenectady, NY. But instead of using the site to bully other students, the bullies made a video of the beating they gave another student and posted it on Facebook.

Other students visiting the Facebook page said they would like to see the girl in the video beaten up at school. The police are investigating, and given the school's history, I don't think they'll go lightly on the bullies. In the 2008-09 school year four girls committed suicide, and two of them were probably being bullied when they did it.

This case is different than the usual Facebook bullying you hear about. The girl wasn't abused by messaging and wall posts, she was beaten up, videoed, and more students said they would like to see her hurt at school. While it's easy to create an anonymous Facebook page, most cameras today put identifying information on the video, so the students who beat her may get a surprise visit from the police, even if none of the students who visited the page used their real names on their accounts. And I'm glad. This is one time that I wouldn't mind if Facebook was even more dismissive of users' privacy than it already is.

The terrorists are winning

I got a kick out of this cartoon by Mike Keefe on the Cagle Political Cartoon blog. I thought it was pretty close to right, but amusing.

Then I read about Thomas Sawyer, a survivor of bladder cancer who was humiliated by thoughtless TSA employees. He was chosen for an enhanced pat down after going through the full body scanner. He tried to warn them about his urostomy bag, but they ignored him and broke the seal, leaving him wet and smelling of urine. The TSA employees acted as though nothing had happened despite the wet spot on his clothes. And I realized that the changes we're enduring because of terrorism are no laughing matter.

Next I read a headline, "Qaeda Branch Aimed for Broad Damage at Low Cost," referring to the failed (or not) parcel bomb last month. The terrorists claim the operation may not have blown up a plane, but it had the desired effect of causing the U.S. to revamp security again, a time consuming and expensive prospect. In fact they've shifted emphasis from flashy attacks to simple, low grade attacks that cause maximum return in things like expanded security procedures.

The terrorists have won. They control our airport security. We need to turn things around and come up with reasonable procedures for airport security that respect human dignity and treat airline passengers like customers, not suspects.

Combating Online Infringement and Counterfeits Act makes it out of committee

Public Knowledge reports that the Senate Judiciary Committee has approved COICA. COICA is a nasty piece of legislation that allows a person to get a website taken down by complaining that it is infringing on someone's intellectual property. No hearings, no trials, no investigation necessary. Complain to the ISP of the allegedly offending site, and down it comes. It won't work the way it's intended, and will have little effect on criminals, but it could have a profound effect on legitimate businesses who deal with file storage and encryption. I blogged about some of the problems last month.

Write your senators and representatives. This is important, and could change the face of the internet completely if left unchecked. It's made it out of committee, but it can be stopped short of passing the Senate and be kept out of the House entirely. Find your senator's physical and email addresses here. Find your representative's physical and email addresses here.

TSA procedures fail most important test: Effectiveness

The Transportation Security Administration (TSA) is coming under a lot of fire lately. Privacy advocates and groups are attacking full body scanners and "enhanced" pat downs while overzealous, poorly trained or just plain drunk with power employees do things that are fueling the fires of citizen backlash against the ridiculous procedures.

From the (over)reaction to Johnny Edge's refusal to get either a full body scan or an enhanced pat down to a three year old girl terrorized by a too-literal interpretation of the rules by a TSA employee, it has become obvious that the TSA and our government have forgotten who the enemy is. And I think even the low level employees know how ineffective their procedures are. The frustration, and maybe even fear that they will be the one that lets a bomber through, cause them to react to any resistance, even a tired, scared three year old, as if it's a serious threat.

Of course, not everyone thinks the TSA is wrong. Even though there are experts who refute the TSA claims that the full body scanners are harmless. Even though there is doubt that the scanners would detect explosives of the type used by the crotchbomber. Even though no one knows if the scanners will detect or scan through artificial flesh. Even though the GAO recommended more testing before buying or deploying any more of the scanners earlier this year. Even though there is so much doubt about the real usefulness of the scanners, The Christian Science Monitor supports the TSA, as does Alex Altman at the Time Swampland political blog. Mr. Altman cites a CBS poll showing that 81% of Americans are ok with the TSA procedures. But the problems with TSA procedures will persist even if 100% of the citizens are ok with them.

You can say that any security can be breached by someone clever and determined enough. And you wouldn't be lying. But it doesn't even take a particularly clever or determined terrorist to get through the body scanners and pat downs.

But that's not the worst. The way airport security works now, all you have to do is get into the airport and approach the people lined up at the checkpoints. Not as spectacular as the flaming remnants of a passenger jet falling from the sky, but possibly even more effective as a terror tactic. Maybe as effective psychologically as hitting the Twin Towers on 9/11.

Could Israel's system scale to work with our aviation system? Can any part of it? Has anybody checked? If it can, then leaving the system we have in place unaltered is criminally negligent.

Dept. Of Transportation launches "Faces of Distracted Driving" site

Phone calls, text messages, screens in the dash. There was a time when it was kids and the radio. Now there's an army of driving distractions to pull our attention from the road. Transportation Secretary Ray LaHood announced on his official blog today the launch of "Faces of Distracted Driving," a site devoted to the danger of driving while distracted.

There is a lot of information on the site, including a summary of state laws, a FAQ and statistics. There are also three stories of people killed by distracted driving with more to be added. It's sobering, and thought provoking. Just a few days ago I received a text on the way home and started to reply when I realized I was veering to the ditch. I straightened out and put away the phone, but I was seconds from being a statistic. I resolved not to text while driving, and these stories reinforced that resolve.

We often don't think about the consequences of our actions, and when we do, we think the worst won't happen to us. But it can. I don't know which scares me more, the thought of leaving my family without a husband and father or taking someone else's loved one away forever because I couldn't be bothered to pull over or get where I'm going before talking or texting.

Facebook Messages - We want a license to the rest of your life.

Facebook is beginning a "slow rollout" of a new service, Facebook Messages. Messages will combine chats, SMS messaging, and email. Eventually it may include VoIP messages. It's pretty cool. If you want you can have an email address, or if you want to keep your current address you can. It keeps a history of all of your conversations. You can even add friends that aren't on Facebook and keep records of your conversations with them. The only tradeoff is that Facebook now has a license to make use of all of that content per the statement of rights and responsibilities, section 2:

You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings. In addition: For content that is covered by intellectual property rights, like photos and videos ("IP content"), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook ("IP License"). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it. (emphasis mine) When you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer. However, you understand that removed content may persist in backup copies for a reasonable period of time (but will not be available to others). When you use an application, your content and information is shared with the application. We require applications to respect your privacy, and your agreement with that application will control how the application can use, store, and transfer that content and information. (To learn more about Platform, read our Privacy Policy and About Platform page.) When you publish content or information using the "everyone" setting, it means that you are allowing everyone, including people off of Facebook, to access and use that information, and to associate it with you (i.e., your name and profile picture). We always appreciate your feedback or other suggestions about Facebook, but you understand that we may use them without any obligation to compensate you for them (just as you have no obligation to offer them) (emphasis mine).

The provisions giving Facebook a license to all of my data don't seem too bad since they're subject to my privacy and application settings. If only I could know that my settings would not change without my wanting them to. It would also help if my privacy settings wouldn't be set to wide open every time Facebook decides to make changes to their privacy settings.

Facebook's new Messages is a really good idea. But there are few companies I would trust less with my private messages.

In Palestine, impersonating God could be bad for your health

Eric Berry on reports that Walid Husayin of Qalqilya in Palestine is facing possible life in prison for claiming to be God in several Facebook groups he created. He also criticized the Islamic faith and created mock Quran verses that encouraged people to smoke marijuana.

It's somewhat risky to criticize Islam over the internet while in an Islamic country. It's a little riskier to claim to be God in an Islamic country. To do both from an internet cafe in a small conservative town in an Islamic country is asking for trouble.

Walid Husayin spent 7 hours a day on one computer of the local internet cafe. The owner became suspicious and had an employee take screenshots while Walid was on the computer. He turned them over to the police, who arrested Walid while he was at the cafe blogging. The maximum sentence by law is life in prison, but people in Qalqilya - people he has known his entire life - want him executed by burning.

I guess we should count our blessings. In the U.S. we can say what we want about our government or any religion without fear of arrest. But as our government continues to monitor as many of the country's phone calls as it can and law enforcement seeks the power to decrypt any and all private encrypted communication, can we be sure that will always be the case?

Not if we don't make sure it is.

The lighter side of airport security

After seeing stories like "Pregnant Traveller: TSA Screeners bullied me into a full body scan," it's nice to see people aren't letting the idiocy break their spirit. Here are a few links to sites that take the TSA with a grain of salt:

A (fake) children's book to help your kids understand the security process.

Here are T-Shirts that I could wear through airport security. And because those weren't enough, the stop groping me T.

Thursday, November 11, 2010

National Labor board: Can't fire employees for Facebook comments

Monika Plocienniczak reports on that the National Labor Relations Board (NLRB) issued a complaint against American Medical Response, an ambulance company that fired one of their employees after she had made some negative comments about her job on Facebook.

AMR, of course, denies that the woman was fired for her Facebook comments. They say that she was fired because of multiple complaints about job performance and her treatment of patients.

In some ways it doesn't matter why she was fired. It does matter what the final decision is. If a court agrees with the NLRB, then venting about your boss on Facebook becomes protected speech under the National Labor Act. That is very important. Right now employers can monitor Facebook and determine who is hired, who is promoted, who is demoted using what they find there. If Facebook comments fall under the National Labor Act then they won't be able to do that. It may not prevent employers from using social media to look at prospective employees, but it will make it illegal for social media to be used to determine who to fire, promote or give raises.

One of the biggest problems with social media is that it makes parts of our lives that used to (and still should) remain private public. Now those private things are being used to determine whether persons would make good employees. We know things now about past Presidents that might have, had they been generally known at the time, been major scandals. Maybe even have derailed their presidency. John Kennedy was a womanizer. So was Clinton. Whatever you may think of his womanizing (and his politics), Clinton was one of the most astute statesmen the U.S. has had in the Oval Office.

Much of what is on Facebook is "not safe for work" and much isn't safe for your career (current or future) either. The bad thing is, much of that isn't really a good indicator of what kind of employee a person will be. Employers shouldn't be allowed to use it for that purpose.

Tuesday, November 9, 2010

Using stolen Social Security number isn't identity theft

The Colorado Supreme Court has overturned the identity theft conviction of Felix Montes-Rodriguez. This case is important because according to the court's decision, the fact that he used a stolen Social Security number did not make his action identity theft:

Montes-Rodriguez admitted to using the false social security number. However, he contested the criminal impersonation charge. He argued that he did not assume a false identity or capacity under the statute because he applied for the loan using his proper name, birth date, address, and other identifying information.

and further down:

We reverse. Consistent with previous Colorado case law, we hold that one assumes a false or fictitious capacity in violation of the statute when he or she assumes a false legal qualification, power, fitness, or role. We also reaffirm our earlier holding that one assumes a false identity by holding one’s self out to a third party as being another person.

When I first saw this decision I thought, "No Way! How could they say that?!"

But after rereading, I realized that the court was right. This particular criminal didn't steal anyone's identity, he just committed fraud. He never claimed to be someone else. He used all of his own identifying information except for his Social Security number. By the definition of identity theft in Colorado law, he didn't steal anyone's identity.

That doesn't make his crime less serious. It should make it easier to get any bad marks on a credit report removed, since it's fairly easy to prove they were the result of fraud by a third party. It should. In practice it may not be so easy. If a car dealer or bank was willing to accept a Social Security number that was not connected in any way to any of the other identifying information given, and approve a loan based in part upon that number, then the financial reputation and identity of the rightful holder of the number has been stolen. It doesn't matter that the name, address, phone number and everything else on the application belongs to the actual applicant. The credit score(s) attached to the Social Security number is a, possibly the, major factor in the approval of the loan.

Forty years ago the idea that a Social Security number isn't tied to identity might have worked. Today it is so entwined with our identities that it can be difficult to do anything without one. The law needs to catch up to that reality and recognize that sometimes the financial history attached to a Social Security number can be more important than the name - as evidenced by this case.

Monday, November 8, 2010

You've probably never heard of Oliver Drage

I hadn't until I checked the "Conspicuous Chatter" blog and saw the latest entry about enforcement of Britain's Regulation of Investigatory Powers Act 2000 (RIPA).

Mr. Drage has been convicted of not giving his encryption key to investigators when they requested it, which is a violation of RIPA. He's been convicted of that crime and sentenced to 16 weeks in jail. Conspicuous Chatter is very clearly on the side of Mr. Drage and not happy with the way the BBC reports the story so I checked out what the BBC said.

The BBC reports that Oliver Drage was arrested by police investigating "Child Sexual Exploitation." Apparently they had enough evidence to arrest him and confiscate his computer, but not enough to charge him. His 50-character encryption key had them stumped, so they asked him for it. He refused. They charged him with violating RIPA and convicted him. The police reaction to the conviction and 16-week sentence:

Det Sgt Neil Fowler, of Lancashire police, said: "Drage was previously of good character so the immediate custodial sentence handed down by the judge in this case shows just how seriously the courts take this kind of offence."

I don't know British law, but I have to assume that 16 weeks is the stiffest sentence allowed for failing to surrender your password. Otherwise I can't imagine a judge not giving a longer sentence when the purpose is to get a man accused of sexually abusing children to give up the encryption key to his computer.

I don't know if he is guilty, and it's important to remember that although it looks incriminating, he could have perfectly legitimate reasons for not giving police the key. It could be principle. He could have some other type of incriminating evidence on his computer but be innocent of child sexual exploitation. It could be some other reason.

This is a question that is still being decided in the U.S. Is your encryption key protected by the Fifth Amendment? Should it be? I think the answer to both questions is yes. But cases like this one raise questions, I admit.

What do you think?

Friday, November 5, 2010

The first free anti-virus for OS X

On November 2nd reported that Sophos is releasing a free antivirus for the Mac. Other security companies are releasing software for the Mac, but Sophos is the only one to release free AV software.

The recent release of Koobface for Mac is only the latest malware designed for the Mac. It was dead on arrival, but that was most likely a coding error, so a virulent version could show up any time. Sophos's free software is available now and offers protection against Koobface and the other known Mac malware. There is a forum for discussing the software here and you can download it here.

There are still people who argue that anti-virus on a Mac is unnecessary. Well, that may be true for now, but that will soon change, as Koobface for Mac was a hair's breadth from being the real deal. Mac users can't afford to keep being complacent about malware.

Thursday, November 4, 2010

Britain proposes allowing site takedowns with just a complaint

The U.S. wants to wiretap the internet. The UK wants to make it easy to get third-party content removed. MarkJ reports on that:

The UK government's Minister for Culture, Communications and Creative Industries, Ed Vaizey, has ominously proposed that broadband ISPs could introduce a new Mediation Service that would allow them the freedom to censor third party content on the internet, without court intervention, in response to little more than a public complaint.

The proposal is supposed to be for the benefit of regular citizens, but it is easy to imagine the abuse by corporations and organizations (RIAA, MPAA, et al) who would use it as a club to attempt to force consumers to conform to industry ideas of how things should be.

It is sad that proposals to help protect citizens must either be so carefully crafted and limited that they are almost useless, or risk abuse that does more harm than having no legislation would have.

Tuesday, November 2, 2010

Do us all a favor. Vote.

It's election day, and every eligible citizen should go vote. I'd say I don't care how you vote, but that would be a lie. I'd prefer you vote for conservative candidates who believe in citizens' and states' rights.

But regardless of my preferences, for our government to work the way it's supposed to every eligible voter needs to vote. We get the government we deserve, whether it's because we don't make our will known, or because we do. If you vote you are making your opinion known. Even if your candidate loses, how much or how little he (or she) loses by sends a message. That message can be more important than winning, if it tells other politicians they need to pay attention to what their constituents want.

So whatever your politics, go vote.

Monday, November 1, 2010

Predicting employee behavior available now

In a column titled "'Pre-crime' Comes to the HR Dept.", Mike Elgan talked about a new industry: fortune telling.

OK, he's not actually talking about fortune telling in the traditional sense. He is talking about predicting how people and companies will act in the future based on how they've acted in the past. He talks about two companies. The first is Social Intelligence, a company that scours social networks to provide information on prospective employees to companies. The idea is that information found on social networks is a better indicator of what kind of employee you will be than your resume.

The second company he talks about is Recorded Future. Recorded Future also scours the web to predict the future actions of people and companies. It attempts to find logical links that make it possible to make those predictions.

These are two companies, but how long before this type of algorithm is common in HR departments? What happens when hiring, firing and promotions are determined by predictions of future performance rather than past performance? What happens when software predicts that you will leave within 6 months? Will the company fire you preemptively?

For many of us, having an online presence is unavoidable, or even necessary. What does our online presence say about us? What kind of impression are we giving, and what kind of predictions can be made from it? As new and better predictive algorithms are developed, the tidbits we leave online will become more important. Having control over as many of those tidbits as possible is the only way to have any control over our own lives. As things are now, we are at the mercy of the data miners who build profiles to predict what we like, what we don't like and how to convince us we need things. In the near future they will also be determining whether, and how much, money we have by telling our employers whether we should be given a raise, a promotion, or even a job.

Friday, October 29, 2010

Midland, Arkansas school board member resigns over Facebook comments

It started Tuesday...well, it actually started Sunday or Monday, but it became a national spectacle Tuesday when "The Advocate" reported that a school board member in Arkansas was saying he wanted gays dead on his Facebook page.

Clint McCance was definitely old enough to know better. He made what he probably thought were cute, funny comments (they weren't) that his friends would laugh at. But the report in "The Advocate" had a screenshot of McCance's Facebook wall, and he was officially outed as a gay-hating bigot. He probably isn't; he's probably just an unlucky, careless schmuck.

With thousands of hate mails, emails, and more than a few death threats bombarding him, Mr. McCance sent his family away for their safety and resigned his school board seat. He is forever branded in the blogosphere as an Evil Man.

I don't care how secure your Facebook is, if you have friended people, it's insecure. Once something is online it's fair game for everyone. Don't put anything online you wouldn't want all of your friends and family to see.

Thursday, October 28, 2010

Welcome to the world of dangerous malware, OS X

We have another piece of malware for MacOS X. Once again, it had a few moments of fame, but is a dud because it doesn't actually do anything. But there is a difference this time, and that difference makes OSX/Koobface.A potentially a serious threat to Mac users.

Until now all of the malware created for OS X has been distributed through relatively limited channels. Compared to Facebook and Twitter, extremely limited channels. A few porn sites and a couple of infected pirated programs add up to next to no traction for Mac malware. But take a variant of a successful Windows trojan, write it in Java so it attacks all the major computing platforms, spread it through Facebook and/or Twitter, and you have malware gold. The only thing that prevented a major outbreak of Mac OS malware was what appears to be a bug in the malware that prevents it from downloading the files that would infect the computer.

This piece of malware suffers from the same weakness any Mac malware has - the user has to OK the install. You hope that Mac users wouldn't be that careless, but the truth is Mac users are people, and a lot of people click through those dialogs without thinking.

With somewhere around 600,000,000 users on Facebook there should be about 60,000,000 Mac users. If only 10% of them allowed the trojan to be installed that would be 6 MILLION infected Macs. Plus all the infected Windows computers, since it's a cross-platform piece of malware. All it will take is a bug fix and OSX/Koobface.A will be the first successful piece of OS X malware.

But even if it does get fixed you and I don't have to be victims. Don't click on links posted to your wall or twitter feed without verifying their authenticity. Don't authorize any installations that you don't initiate yourself.

It always feels like there should be a third item in the list. But those two will probably be enough. Until someone finds and uses an OS X exploit that allows privilege escalation.

If you want more details about all the things OSX/Koobface.A will do once it's fixed, check out Intego's writeup.

Mac OS X Trojan - real, but broken

It's the real deal, but broken, so it's mostly harmless for now. But when I say broken, I mean fixable, so at any moment it may become dangerous. If you receive an update saying something to the effect of:

Are you in this video?

Don't click on it.

This is a variant of the Koobface trojan written in Java. That means it will also affect Windows and *nix variants.

Yes, fellow Apple fans, we've now seen how a real, potentially serious trojan for OS X can be done.


Wednesday, October 27, 2010

Is Apple's Mac App store a game changer?

The Mac App Store is coming in roughly 90 days. Steve is excited, and so are quite a few other people. According to two articles with brief developer interviews on Cult of Mac, most developers are looking forward to it. (1, 2) They also aren't sure exactly how it's going to work into their business strategies yet, but they're excited about figuring it out.

What does an App store on Mac mean to the rest of us, though? It's hard to say right now, but the idea of high quality software for $0 and up is enticing. The software in the iPhone/iPad app store is generally of high quality. Apple's App review policy ensures that it stays that way.

Will the App Store put an end to traditional software distribution? I doubt it. Not in the near future anyway. Apple wants 30% of the app's sale price, which won't fly with companies like Adobe or Microsoft. Not to mention that internet speeds are still slow enough in many places that downloading the installer for something like the Adobe Creative Suite - especially the Master Collection - would take too long for most people. But Adobe and Microsoft may find themselves left in the cold if they continue to push bloated programs that no one can truly master because no one uses most of the 'features' they have. Why spend $150 for a program that does more than you'll ever need if you can spend $20 and get a compatible program that will do everything you do need?

Another good thing for consumers is that Apple's approval process, while flawed, does create a minimum quality that developers won't be allowed to fall below. It will put a dent in shareware on the Mac, if not kill it. Why hunt for shareware of questionable quality when you can go to the App Store and download an app you know will at least do what it says, and probably for less than a shareware program?

What about competitors? Will Microsoft create an App Store for desktop Windows? For all versions? What about Google and Chrome OS? If they do, will either have an approval process similar to Apple's? I can already answer that last question. They won't. Google's Android has an app store, but there is no review process that I'm aware of. Microsoft won't because it's not in the company's DNA. Steve Jobs has always been a micromanager, at least of projects he's really interested in. He has always wanted to control as much about the Mac's user experience as he can. The App Store is one more step to total control.

If successful, the Mac App Store will have a profound effect on software delivery on the Mac, and quickly. It's already having an effect. The effect it will have on other OSes is harder to predict, but unless it totally flops, it will have an effect. If it is as popular as the iPhone app store, Microsoft will have an App Store for Windows by summer 2011 at the very latest. They're probably already working on one. So the Mac App Store has kept a few Microsoft software engineers employed for a few more months even if it flops.



Tuesday, October 26, 2010

Amazon wins customer protection case.

Declan McCullagh of CNET reports that Amazon has won its case against the state of North Carolina. Amazon doesn't have a physical presence in N.C., so the state can't collect sales tax on items sold on Amazon. But North Carolina has a use tax that is supposed to be paid by citizens of the state. Because the tax wasn't being collected, N.C. wanted Amazon to give up the names of, and items purchased by, citizens of N.C. so they could be charged for the tax.

Amazon had offered anonymized data, but the state wouldn't accept it. The judge ruled that N.C. was asking for more information than it had a right to. In addition, the data request ran afoul of the First Amendment by giving the state access to information on what people were reading, watching, and listening to.

The decision was in line with previous court decisions on states asking e-tailers for customer information. States have no need to know exactly what we purchase unless they have reason to believe we are breaking the law. Even then they should need a court order or search warrant.

Monday, October 25, 2010

33 States OK online voting, but it's not ready

reports that there are 33 states allowing some form of online voting. But there are serious questions about the security of the systems.

There should be some concern simply because the system is only as secure as the computer the voter is using. But in one test, a team from the University of Michigan had complete control of one of the systems within 36 hours. Worse, they discovered other hackers, some from hostile foreign powers, trying to break in, too.

At this time there really isn't any way to guarantee the security of online voting. There is no standard to test against, no agreed development strategies, no real checks and balances. This election might be safe enough, but what about the Presidential election in 2012? What if in a close election a foreign power can take control of 5% of the votes? Or in a really close election, .5% of the vote?

Online voting is coming, and it will be a good thing. But implementing it must be done in a proper and careful manner. Accepting online ballots without proper development and testing opens our political system to manipulation by people who would benefit by affecting the outcome of elections. Sometimes it wouldn't even be necessary to determine the outcome. Sometimes controlling how close a vote is will change policy.

Making sure online voting is secure should be of the highest priority. Contact your state and federal representatives and tell them not to adopt any online voting system until it has been fully tested and certified secure.

Friday, October 22, 2010

Esther Dyson to marketers: wise up

After years of tracking users as quietly as possible and feigning shock when caught, somebody in marketing gets it. Liz Gannes of reports that Esther Dyson, chairman of Edventure Holdings, spoke to the Pivot Marketing Conference.

Ms. Dyson has a clear message to marketers, and it can be summed up easily. Communicate. Get rid of the complicated, obfuscating privacy policies. Use the same targeting skills you use on ads to tailor your message to the individual surfer, tell them what you are gathering, why, and what you are doing with it. Then, give them the real option to opt out. Her assertion is that many won't because once they know how they benefit by being tracked they won't want to lose it.

I don't know why that is so hard to figure out - although I'm not sure I like the idea of them using the information illicitly gathered to craft a message especially designed to convince me to give more information. But it would be too much to expect that marketers would simply open up and let us choose. They have the information, and they don't want to lose the source.

Esther Dyson marveled that marketers can figure out how to target ads to individuals but can't figure out how to target the message that tracking benefits them. She is correct on both counts. It's amazing that marketers haven't figured out how to create targeted messages about tracking, and there are benefits to being tracked. I don't think the benefits are worth it. You might disagree. But neither of us is being allowed to make that choice, and that is the problem.

Thursday, October 21, 2010

Med students don't understand confidentiality

George Hulme of InformationWeek blogged about medical students tweeting about patients. He referenced a Time article that shed even more light on the subject.

The gist of both articles is that medical students think what they put on their personal accounts is private. For some reason they think that walking out of the hospital and sitting at their own computer puts them outside the constraints of HIPAA. I'm here to tell them, "You are always under the constraints of HIPAA." This is even worse than the Oxford students a couple of years ago who thought their privacy was violated when the school provost saw pictures of them acting like fools on Facebook. If you put it online, it's not private. If it's somebody else's private (especially medical) information, you're risking fines, convictions, and job or career loss.

Be careful what you put online. It will bite you in the butt.

Wednesday, October 20, 2010

Big Brother - it's not who you think

George Orwell foresaw a future with no privacy and no security from government control. We aren't there yet. Not with the government. With corporations it's almost completely a done deal. But that can be changed.

It can be changed, but only if enough people are willing to take charge of their own information. Willing to be inconvenienced by denying cookies and turning off scripting. Willing to use private browsing all the time. Willing to leave Facebook until the privacy policy is improved and enforced. In short, willing to force corporate America to change the way they gather marketing information.

Don't think it will be easy. The tracking information gathered when we search, buy, or just surf the web has become almost indispensable. Or at least corporations think it has. They won't willingly give it up.

I'm not sure most of us will be willing to give it up, either. A lot of the convenience of the web is a direct result of that data gathering. The nice personalized pages, the suggested items on eBay, Amazon, etc. are all a result of gathering and keeping data. Using your Facebook or Twitter sign-in to log-in to other sites requires gathering and sharing data.

Most of these things could probably be done with less tracking and data gathering. But they won't be unless we insist on it. And without insisting on simplified privacy policies written in plain English things will go back to the way they were. The sad truth is, even with privacy policies, the data gathered and held is still outside of our control.

The truth is, to enjoy any activity there has to be give and take. It only becomes a problem when one side either doesn't know what it's giving, or the exchange is far more beneficial to one side than the other. Most people do not realize just what they are giving up simply by participating in online life. If they did, they might not think they were getting their money's worth. They should be given the opportunity to make that choice.

If you would like to get a basic idea of just what can be figured out about you online you might try searching for your own name in Google, Bing and Yahoo. Depending on how active you are online, you might be surprised.

Tuesday, October 19, 2010

Facebook apps transmitting users, friends data

Facebook apps are broadcasting user data. That's against Facebook's privacy policy. Worse, at least some of the apps are also broadcasting the users' friends' data. Emily Steel and Geoffrey A. Fowler of the Wall Street Journal reported that tens of millions of users are affected, even if they have their privacy settings set to the strictest privacy Facebook allows.

A short while later Mr. Fowler reported that this "breach" is severe enough the co-chairs of the House Bipartisan Privacy Caucus, Representatives Edward Markey (D, Mass) and Joe Barton (R, Texas) sent Facebook founder Mark Zuckerberg a letter of concern.

This isn't a new issue. There have been similar problems found with Facebook in the past. The problem is that Facebook - and a host of other companies - have business models that require gathering and analyzing user data. The more data they can gather, the better the information they can sell to other parties.

It wasn't just names that were gathered. Facebook ID numbers were gathered. Then they were either sold to other companies or put in cookies for tracking. Of course, all of the companies involved say they didn't store, collect or use any of this information.

I have a Facebook account for the purpose of seeing the changes they make to their privacy settings and policies. I had thought about breaking down and actually using it. But until Facebook gives me actual control over my information, it's not happening. When my friends can involuntarily give up my information, that's more than a problem, that's criminal.

Monday, October 18, 2010

COICA: RIAA and MPAA at it again?

In the comments on Friday's post I said I might talk about the free speech problems inherent in the administration's desire to wiretap the internet. That's not happening today, although it's still an important topic. Today we are going to talk about COICA, the "Combating Online Infringements and Counterfeits Act". The Electronic Frontier Foundation has a very good resource page, including a list of legitimate and pseudo-legitimate sites that could be taken down using COICA, and a page explaining why.

This bill (S. 3804, 111th Congress) does what has never been done in the United States - it censors the internet. Probably in a much more far-reaching manner than expected by the Senate, or by the groups pushing for it. If it is as effective as its elder brother, the DMCA, it will also have little effect on criminals, but will have a far more serious effect on law-abiding citizens.

Actually, this ties in with my concern over the proposal to make the internet wiretap-friendly. Businesses such as Carbonite and Mozy.com store your data encrypted. They cannot access it because they don't have your encryption key. Then there are free sites like Dropbox and Oosah. Carbonite and Mozy are for-profit businesses, and presumably can prove that their primary purpose is not sharing pirated music and/or movies. Dropbox and Oosah may have a harder time. And if push came to shove, none of them could prove the files on their servers are not stolen intellectual property - unless they have the ability to decrypt their customers' files. So to make COICA work they will have to make the internet wiretap-friendly. Except that still won't make COICA work; it will just harm legitimate businesses and services.

If I were into conspiracy theories I'd say we were seeing a two-pronged attack. If the RIAA and MPAA can get COICA passed, the 'wiretap bill' (whatever it will be called) will be passed, because COICA will require it in order to prove a site's primary purpose is piracy. It could even be made part of COICA. The Fed, the MPAA and RIAA would all get what they want. It wouldn't work the way they expect it to, because the bad guys don't obey the law. Steve Gibson of the Security Now podcast (show transcript) stated the problems well:

Well, and you end up with cat and mouse, too. You end up with those sites that are blacklisted register under a different name. And for a while they're there, until the blacklist catches up with them. And then they move again. I mean, the whole thing is just brain dead. It makes no sense. But we have a problem, and that is that we're dealing with technology that the legislatures probably don't understand. And who knows what the unintended consequences are going to be. But the idea that we're facing state-sponsored censorship of the Internet...

The bill specifies that domain names will be blacklisted. That's wonderful, but blacklisting a domain name may not be enough. The bill does not mention IP addresses, and I don't think those get blocked if the domain name is. If the IP address isn't blacklisted, then the whole thing is an exercise in futility. All the domain name system does is say that a given IP address maps to a given domain name. If you type in the IP address you'll get to the site, even if the domain name is blacklisted.
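As an added illustration (my code, not from the original post), here is a small Python URL filter that shows the gap described above: a blocklist keyed only on domain names does nothing for a URL that carries the address directly, while a filter that also records the addresses the blocklisted names resolve to catches both forms. The domain names, addresses and the DNS table are constructed for the example (RFC 5737 documentation ranges), and `resolve` is a stand-in for a real lookup.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (assumption): a hypothetical DNS table and blocklist.
DNS_TABLE = {
    "blocked.example": "192.0.2.10",
    "allowed.example": "198.51.100.7",
}
DOMAIN_BLOCKLIST = {"blocked.example"}


def host_of(url: str) -> str:
    """Return the normalized host part of a URL (brackets stripped for IPv6 literals)."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host.lower().rstrip(".")


def is_ip_literal(host: str) -> bool:
    """True if the host is written as an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def blocked_by_name_only(url: str) -> bool:
    """Name-keyed filter: matches a blocklisted domain or any of its subdomains.

    A URL whose host is an IP literal never matches, which is the gap the
    post points out.
    """
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in DOMAIN_BLOCKLIST)


def blocked_by_name_and_ip(url: str, resolve=DNS_TABLE.get) -> bool:
    """Filter that also blocks the addresses the blocklisted names resolve to.

    `resolve` maps a name to an address string or None; here it reads the
    constructed table instead of doing a live DNS query.
    """
    if blocked_by_name_only(url):
        return True
    blocked_ips = {resolve(d) for d in DOMAIN_BLOCKLIST} - {None}
    host = host_of(url)
    if is_ip_literal(host):
        return host in blocked_ips
    return resolve(host) in blocked_ips


if __name__ == "__main__":
    for url in ("http://blocked.example/x", "http://192.0.2.10/x",
                "http://allowed.example/"):
        print(f"{url:30} name-only={blocked_by_name_only(url)!s:5} "
              f"name+ip={blocked_by_name_and_ip(url)}")
```

Resolving a name once at list-build time is only a partial fix in practice: addresses change, and one address can front many unrelated sites, which is why address-based blocking over-blocks. The example is meant to make the name-versus-address distinction concrete, not to recommend either list.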

When it comes to wiretapping the internet and putting backdoors on encryption, in the same podcast, Steve said:

Now, the problem is, and we said this a little bit at the top of the show, is this is too late. I mean, I completely sympathize with what law enforcement wants to do, with the dilemma they have. But this technology exists. It is in the public domain. It is in open source tools all over the world. It's already escaped. And there's nothing they can do about it.

What Steve is talking about is that current encryption technology is pretty much uncrackable. The best way to crack it is to use things like rainbow tables and try to find collisions, which means you find passwords that give the same results. The weaker or more common the password used, the easier it is to crack the encryption. So if you use "Rover" it may not take long to discover it through rainbow tables. "e3'w53eksw;1" may take centuries. That might not be such a big deal if encryption software was proprietary, with every company creating its own and keeping the code and algorithms secret. But encryption technology is almost 100% created by people and teams who have given the code and algorithms free and clear for anyone to use. So if we install backdoors in our encryption products, the only people it will have any effect on will be law-abiding U.S. citizens. Criminals and foreign citizens will not care because they can roll their own encryption software.
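To put numbers on the "Rover" versus "e3'w53eksw;1" comparison, here is an added Python example (mine, not from the post or from Security Now). It estimates the worst-case exhaustive-search time from the detected character set and length, assuming one billion guesses per second against a fast unsalted hash, and then builds a small precomputed hash table from a constructed five-word dictionary, which is the lookup idea behind rainbow tables without the chain compression. The word list, guess rate and salt are assumptions made for the example.

```python
import hashlib
import math
import string

# Assumed attacker throughput against a fast unsalted hash such as SHA-256 (assumption).
GUESSES_PER_SECOND = 1e9

# Constructed tiny word list standing in for an attacker's dictionary (assumption).
WORDLIST = ["rover", "password", "letmein", "dragon", "sunshine"]


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character used."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # the 32 ASCII symbols
    ]
    size = sum(n for chars, n in classes if any(c in chars for c in password))
    # Anything outside those classes (space, non-ASCII) counts as its own symbol.
    others = {c for c in password if not any(c in chars for chars, _ in classes)}
    return size + len(others)


def brute_force_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string of this length over the detected alphabet."""
    return charset_size(password) ** len(password) / rate


def entropy_bits(password: str) -> float:
    """Guess-space size in bits, the usual way password strength is quoted."""
    return len(password) * math.log2(charset_size(password))


def mangle(word: str):
    """Common variations a cracking dictionary would include for each base word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word + "1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_hash_table(words=WORDLIST) -> dict:
    """Precompute hash -> candidate for every mangled word (a plain lookup table)."""
    return {sha256_hex(cand.encode()): cand for w in words for cand in mangle(w)}


def lookup(digest_hex: str, table: dict):
    """Recover the password behind an unsalted hash, or None if it was never precomputed."""
    return table.get(digest_hex)


def salted_sha256_hex(password: str, salt: bytes) -> str:
    """Salted hash: the same password now yields a digest absent from any precomputed table."""
    return sha256_hex(salt + password.encode())


if __name__ == "__main__":
    table = build_hash_table()
    for pw in ("Rover", "e3'w53eksw;1"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"exhaustive search {brute_force_seconds(pw):.3g} s, "
              f"table hit: {lookup(sha256_hex(pw.encode()), table)}")
    print("salted Rover found:", lookup(salted_sha256_hex("Rover", b"k9"), table))
```

The table finds "Rover" immediately because it is a dictionary word with a predictable capitalization; the 12-character random string has a search space of about 10^22 and is in no table. The last function shows the standard defence on the storage side: a per-user salt (and, in real systems, a deliberately slow KDF such as scrypt or PBKDF2) means a precomputed table no longer matches, whatever the password.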

I haven't even talked about free speech, but it's late, so I'll leave this here for now.