Thursday, December 30, 2010

Setting Belkin wireless security

I don't currently own a Belkin router, but the Belkin wireless router I had beat the tar out of the Linksys I have now. Even though I don't own one I thought I'd be able to download a manual and use images from it to walk people through setting one up. I learned one thing. Belkin manuals are poor excuses for manuals.


I found good instructions for setting up Belkin routers at corenetworkz.com. I'd been looking for good images to use, but good images of Belkin router setup pages are hard to find. His are fair, and his write-up is good.


Tomorrow I will have instructions for DLink routers. The first wireless router I had was a DLink router, and it was probably the best. I need to order one and use the Linksys as a spare.

Wednesday, December 29, 2010

Securing Linksys wireless routers

Securing a wireless router isn't hard, but it does take a little thought. How many devices are hooking up to your wireless? What encryption modes do they support? What is the best mode supported by all of them?


You can worry about things like whether or not to broadcast your SSID, filter MAC addresses, or use static IPs instead of DHCP, but in most cases the defaults will be fine. The main benefit is to make your wireless more of a pain to crack than your neighbors'. The trouble of maintaining a list of MAC and/or IP addresses just isn't worth the slight added security most of the time.


Today we're looking at the wireless security settings of the Linksys WRT54GS2. If you have another Linksys model, the settings should be similar enough for this to help you set it up.


The first thing to do is to use a Cat-5 or Cat-6 Ethernet cable to connect to your router. That way you don't have to change the settings on your computer every time you save a wireless setting on the router. To connect to a Linksys router, type 192.168.1.1 in the URL field of your browser. A login dialog will pop up. The default user is 'admin' (you can't change it). There isn't a password by default.



The router's basic setup page will load. Leave the pull-down menu on automatic configuration. Change the local IP address to any address in the private ranges. Don't leave it at the default. If the DHCP server isn't enabled, enable it. Set the starting IP address for the router to give to other devices. I usually just set it to start right after the router's IP (i.e. 192.168.1.2 if the router is 192.168.1.1).



Once you have the basics set up, click on wireless security. The Wireless Basic setup page will load.


Linksys has 6 security options. WPA2 Enterprise and RADIUS require security servers and are intended for corporate use. If you can, use WPA2 with AES; otherwise, use the best security all of your devices support.



There are no other settings that you really need to worry about for security, but there are settings you may want to look into for information. You can block computers on your network from the internet, route a VPN through it, or open ports for specific services. It's a fairly versatile consumer router.

Tuesday, December 28, 2010

Securing your router

Time's tight tonight, so I will list the settings you should change to make your wireless router more secure. Tomorrow I will cover specifically how to change those settings on a common Linksys router, the WRT54GS2. If I have time I'll also look at a Belkin router. Thursday I will look at Belkin if I don't have time Wednesday, and last we will look at a DLink router. Generally once you know how to change the settings on one model router you can figure out how to change the settings on other models by the same company. Linksys, Belkin and DLink are the most common consumer routers, so those should help most people get set up.

The steps are really pretty simple:


  1. Change the user name and/or password. Not all routers allow you to change both. There are lists of default usernames and passwords for most routers and most other electronic devices available online.

  2. Set the encryption to the strongest you can. If you have older devices that only support WEP, use it. It's not much, but it will discourage people looking for open wifi. If at all possible use WPA2.

  3. Change the default SSID. Make it anything you want, just don't leave it as the default. There are lists of default SSIDs.

  4. Change the default IP address. All routers use IPv4, although the new standard IPv6 is supported by a few. Most devices don't support IPv6 yet, so we only need to worry about IPv4 addresses.

Here are the private IP ranges for IPv4:

10.0.0.0 to 10.255.255.255

172.16.0.0 to 172.31.255.255

192.168.0.0 to 192.168.255.255
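Added example, not code from the blog: a small Python audit that checks a router's settings against the four steps above plus the DHCP advice from the Linksys post (pool starts in the router's own subnet, after its address). The configuration dictionary layout, the default-credential and default-SSID lists, and the encryption-mode names are constructed assumptions for the example; the private ranges are the three listed above, written in CIDR form.

```python
"""Audit a consumer router's settings against the four steps in the post.
Added example, not the blog's code. Config layout, credential/SSID defaults
and mode names are assumptions made for this example."""
import ipaddress

# The three private IPv4 ranges listed in the post, as CIDR networks.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of published factory logins (real lists are much longer).
DEFAULT_CREDENTIALS = {("admin", ""), ("admin", "admin"), ("admin", "password")}
# Constructed sample of factory SSIDs.
DEFAULT_SSIDS = {"linksys", "belkin54g", "dlink", "default"}
# Strongest to weakest, matching step 2 (names are this example's own).
ENCRYPTION_RANK = {"wpa2-aes": 3, "wpa2-tkip": 2, "wpa": 1, "wep": 0, "open": -1}


def is_private(ip):
    """True when the address falls in one of the RFC 1918 ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def audit_router(cfg):
    """Return a list of findings; an empty list means every step was followed."""
    findings = []
    # Step 1: the admin login must not be a published factory default.
    if (cfg["admin_user"].lower(), cfg["admin_password"]) in DEFAULT_CREDENTIALS:
        findings.append("step 1: admin credentials are a published factory default")
    # Step 2: prefer WPA2 with AES; anything weaker is flagged.
    mode = cfg["encryption"].lower()
    rank = ENCRYPTION_RANK.get(mode)
    if rank is None:
        findings.append("step 2: unknown encryption mode %r" % mode)
    elif rank < ENCRYPTION_RANK["wpa2-aes"]:
        findings.append("step 2: encryption is %s, use WPA2 (AES) if every device supports it" % mode)
    # Step 3: the SSID must not be a factory default.
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("step 3: SSID is a factory default")
    # Step 4: LAN address must be private and changed from the factory value.
    if not is_private(cfg["lan_ip"]):
        findings.append("step 4: LAN address is not in a private range")
    elif cfg["lan_ip"] == cfg.get("factory_ip"):
        findings.append("step 4: LAN address is still the factory default")
    # Linksys post: the DHCP pool should start in the router's subnet, after it.
    lan = ipaddress.ip_interface("%s/%s" % (cfg["lan_ip"], cfg["netmask"]))
    start = ipaddress.ip_address(cfg["dhcp_start"])
    if start not in lan.network or start <= lan.ip:
        findings.append("dhcp: pool start is not in the LAN subnet after the router's address")
    return findings


# Constructed sample configurations (not captured from a real router).
FACTORY_DEFAULTS = {
    "admin_user": "admin", "admin_password": "", "encryption": "open",
    "ssid": "linksys", "lan_ip": "192.168.1.1", "factory_ip": "192.168.1.1",
    "netmask": "255.255.255.0", "dhcp_start": "192.168.1.100",
}
HARDENED = {
    "admin_user": "admin", "admin_password": "a-long-unique-passphrase",
    "encryption": "wpa2-aes", "ssid": "maple-street-42",
    "lan_ip": "192.168.37.1", "factory_ip": "192.168.1.1",
    "netmask": "255.255.255.0", "dhcp_start": "192.168.37.2",
}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_DEFAULTS), ("hardened", HARDENED)):
        print(name, audit_router(cfg) or ["ok"])
```

The factory sample trips steps 1 through 4 (the DHCP pool happens to be placed correctly); the hardened sample produces no findings.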

Wednesday, December 22, 2010

This is why you use strong wireless security

This will be my last post until December 28th.


I read the story on Securityweek.com, although I had to go to Startribune.com to find more details. Barry Vincent Ardolf's neighbors learned a hard lesson. Use the strongest encryption and password you can on your wireless router. If you don't, you could face the same nightmare they did. Matt and Bethany Kostolnik were initially suspected of sending emails containing sexual messages and child pornography to Matt Kostolnik's boss. But that wasn't enough. Death threats were sent to Vice President Biden and other politicians in Kostolnik's name.


Ardolf hacked into the Kostolniks' wireless router, then used the connection to create fake MySpace pages and email accounts in the Kostolniks' name. He then proceeded to send messages and child pornography to important people. The plan was to frame the neighbors. Fortunately Ardolf was only almost as smart as he thought he was, and a slip pointed investigators to him.


His story, predictably, is that he is the one who was framed. While it's possible, enough evidence was found on his computers and other devices to show that he needs to be taken off the streets, regardless. If it was a frame, it was a very thorough one.


If you have a wireless router be sure to use the strongest encryption you can. In most cases that should be either WPA or WPA2. Next week we'll look at a few different routers and how to set up the security on them.

The battle for our data: a holiday allegory

The following is a repost of Brian Proffitt's December 20th blog entry on ITWorld. He has kindly granted me permission to repost it. In it he looks at free speech, privacy, and Personally Identifiable Information in ways that few people have - or if they have, they've shied away from the implications. His original post is here. I encourage you to check out his blog and let him know what you think.


The battle for our data: a holiday allegory

Did the cloud just head-fake all of our data away?


While many software developers and enthusiasts have been focusing on the push for open source software, did we miss the fact that somewhere along the line companies got a hold of something even more important: our personal data?

I am not someone that's typically the tin-foil-hat type. But I am seeing a marked increase in the tension between the public users who claim inheritance to the Internet and the private entities that may actually control it.

Every time there's a site blocked on the Internet, supporters usually first go to the "free speech" defense. First off, that's a lovely sentiment--if users and site operators all uniformly lived in nations where free speech was actually the letter of the law. Freedom of expression is something that's denied to billions of people on a daily basis--so any whining about loss of freedom is coming from citizens or subjects of countries that have the luxury of freedom of expression to begin with.

So, after eliminating a big chunk of the world's population, what about the notion of freedom of expression in countries that do have it? There again, we are beginning to see a problem between the theory of freedom and the actual implementation. The problem is this: while citizens have the right to say what they want to say in these countries, they are using a medium that is owned and operated by corporate interests. Phone, cable, satellite, and hosting providers are all beholden to their owners or stockholders, and are all uniformly out to do one thing: make money.

That, coupled with political systems that are closely tied to corporate interests thanks to the practice of political contributions and lobbying, makes for a dangerous recipe for freedom of information.

Right now, I could, if I were so inclined, get on the Web and build a web site that declared that all of Santa's elves were really part of a secret cabal whose real mission was to promote the corporate agenda of the world's major toy manufacturers. I could present leaked documents of secret meetings between Hasbro, Mattel, and the North Pole on exclusive elf-labor practices, and attempts to marginalize misfit in-house elf resistance organizations led by Herbie the Elf with marketing campaigns.

Scandal would ensue, to be sure. My web site would gain in popularity, as more evidence would mount highlighting multiple ties between global toy interests and elf factions. The big bombshell: Purina fingered in an exclusive marketing deal with the North Pole Transportation System. "ReindeerGate" would rock the holiday season.

But resistance would grow. Detractors would mock my efforts, citing a bias against short people with pointy ears... perhaps making up stories of how I was bullied by elves as a child. Or because of my Linux ties, my South Pole, pro-penguin bias was causing me to make up facts in my quest to tear down the efforts of the North Pole. Eventually Fox News would decry my site as one more offensive in the War on Christmas, and the real nastiness would begin. Whispers of being moved to the naughty list after a 44-0 nice list record would come out of the headquarters of the Big Guy himself.

The real coup would come when a US Senator would decry my site as "anti-Christmas." Faced with such public pressure, and without a hint of legal evidence, my hosting provider would drop my site like a hot potato. DNS services would unregister my site, forcing me to change my site address repeatedly, even as hosting providers around the world would refuse to give my site a home--or drop me after learning I'd set my site up on their servers.

And the final insult? Under the tree on Christmas morning, in a gift-wrapped box addressed to me, I discover not a lump of coal, but the latest Barbie fashion accessories... with a note signed "Love, the Elves."


Whimsical and far-fetched? The former, certainly. But recent events in the real world have given us all a peek behind the curtain: when push comes to shove, Internet companies will default to what they perceive as a safe mode when confronted with any real controversy. You can argue, thankfully, whether this is an appropriate response, but the problem is, we're all arguing the point after the fact. The damage has already been done: speech has been blocked, without one bit of legal action.

Faced with that kind of activity, how safe is our information on the Internet? We worry a lot about data thieves stealing our data, but what about our data just up and disappearing one day?

On the Internet there is still an element of rebellion. You can still find places to get content and data hosted. The distributed nature of the Internet makes it difficult to block everything. Which is perhaps why private and public organizations are getting more enthused about the walled gardens of the Internet. Get everyone on Facebook, corporations will reason, and they will be on a single platform on which to market. The message can be controlled, and more importantly the users and their friends can be tracked far more easily than ever. That Facebook makes it more than a little difficult to extract all of a user's data should a user drop Facebook is no accident.

Nor, I suspect, was the recent naming of Mark Zuckerberg as Time's Person of the Year. Traditional media outlets are finding it more and more difficult to generate revenue in the face of the wild and open Internet, where advertising is sporadic at best and subscription paywalls fail almost universally.

I would imagine that governments would be a bit interested in Facebook and its brethren. Warrants become a lot easier to serve when it's only one or two mega-social sites involved rather than a multitude of host providers and network companies. (Conspiracy theorists are already taking note of that same Person of the Year article's mention of FBI Director Robert Mueller just dropping by to say hello to Zuckerberg in the midst of a company meeting.)

This isn't just Facebook. Apple's App Store approach to its iPhone and iPad users reflects the same kind of centralization of user activity and data, and to some extent so do Google's Android and ChromeOS, though to its credit, Google has been a lot less restrictive about what gets on its platform than Apple. That may be a key difference down the road.

Free software advocate Richard Stallman sees much of the cloud as a problem, regardless of how you get to it. Despite its Linux--excuse me, GNU/Linux--origins, Stallman criticized Google's ChromeOS as promoting what he calls "careless computing" by users who blindly stick their data on the cloud without regard to who else might be able to get to it.


Stallman and I have our differences, but in this regard, I find myself in agreement with him. And we are not alone: a far-less-whimsical article I wrote on Linux.com recently highlights what others think about the situation, and some of the tools being created to deal with the issues.

Am I advocating a complete withdrawal from the networks upon which we do business? That is a very hard question to answer: it would certainly be safer to remove data from the Internet, but it would be harder to conduct business. Consider credit report ratings: for those lucky folks who are entirely debt-free and deal only on a cash-only basis for their purchases, they have a credit score of 0. This would make getting reasonable loans for things like a mortgage or a college education exceedingly difficult--even though they had managed their finances so well and paid off every creditor. Similar difficulties would arise for anyone who could get off the grid (if this is even possible anymore), I am sure.

Instead, as in all things, I suggest not an extreme solution, but a carefully managed compromise. Be stingy with your data. Don't reveal too much about yourself online, whether on a social network or the Internet. Pay attention to what web sites and networks can do with your data now, and what they are doing. Visiting a commerce site often might make it tempting to store your credit card data there for return visits, but don't succumb. (One thing I do: keep a low-limit card just for online purchases. If something goes wrong, thieves aren't getting much from you.)

If you have kids online: don't be the cool parent that lets them run willy-nilly out on the Internet talking to whomever they please. Be the parent, and keep track of where they go and who they talk to. Don't assume every online network they visit will want or be able to protect them. That's your job.

I have painted the cloud as a dark and scary place, and perhaps that's unfair: there are positives about being in the cloud. But any new frontier may look pleasant and inviting but can also contain hidden dangers.


It's time we all pay attention.

Can Florida Sheriff enforce Florida law on Colorado citizens?

I didn't know who Phillip Greaves was until I saw a tweet that said, "First Amendment Alert! Author arrested for writing a book," and gave a shortened URL to a post of the same name by Marc J. Randazza on the Citizen Media Law Project blog.


Mr. Phillip Greaves is an author. He has written a very controversial book. To be honest, I'm almost afraid to tackle this event. Mr. Greaves wrote a book entitled "The Pedophile's Guide." Apparently it was exactly what it says. The book was written in Colorado, and apparently violates no laws there.


Enter Sheriff Grady Judd in Polk County, Fla. He heard about the book and had a deputy order a copy of the book from Greaves. When it arrived they checked it out and determined it was in violation of Florida obscenity laws. They issued a warrant, which was served by Colorado police.


Frankly, I don't have a problem with Mr. Greaves being arrested for writing his book. I've never believed the First Amendment protected all speech, and cases like this merely point out why.


What I do have a problem with is the way the sheriff developed his case. Colorado law hadn't been broken, so he ordered a copy of the book and determined that it broke Florida law and took the steps necessary to issue and prosecute a warrant.


So what? Most people would probably agree that the author's choice of topic marks him as scum. Why should his arrest concern us?


What if, instead of someone from another state whose laws differed from Florida's, he used similar tactics to arrest someone from another country, even though there was nothing illegal being done? Do we want local law enforcement searching for jurisdictions to issue arrest warrants from if they can't find anything illegal in local codes? Do we want local law enforcement looking around the country to find citizens doing things that are legal in their city or state, but illegal in the officer's jurisdiction, and looking for ways to charge and arrest them for breaking the law where their activity is illegal?


I don't like the topic of the book Mr. Greaves wrote. I believe he should be in jail. But there are proper ways to do things, and Sheriff Grady is not using them.

Monday, December 20, 2010

UN wants to take over internet

The United Nations is considering whether to set up an inter-governmental working group to harmonise global efforts by policy makers to regulate the internet.


So opens an article by John Hilvert at ITNews. I think Mr. Hilvert must moonlight as a lawyer.


The upshot is that the UN is seeking to coordinate the control of the internet. But not to "takeover". Good idea, take control without taking over, if you can figure out how to do it. Not that I believe the UN is actually trying.


Apparently this push is inspired by Wikileaks, but it was made possible by a resolution last July:


The resolution invited the UN Secretary-General "to convene open and inclusive consultations involving all Member States and all other stakeholders with a view to assisting the process towards enhanced cooperation in order to enable Governments on an equal footing to carry out their roles and responsibilities in respect of international public policy issues pertaining to the Internet but not of the day-to-day technical and operational matters that do not impact upon those issues."

I'm not sure, but I think just about anything governments do regarding public policy and the internet will impact the day-to-day technical and operational matters. Especially since any UN group will probably support - if not push - many of the provisions of the ACTA treaty (I blogged here). Many of those provisions will directly affect both individual citizens and ISPs.


Fortunately there are people who see beyond the immediate gut reactions and see the wider picture. Defeating Napster actually had the opposite effect the RIAA had hoped for. The MPAA is in the process of learning that lesson, and the UN and other governments will likely learn the same thing. Data Control on the internet is like fighting the hydra. Once the beast is free, cutting one head off sees two more rise from the stump of the old. The time to control data is before it gets out, not after.

Friday, December 17, 2010

The most popular password on Gawker? 123456

I commented a couple of days ago that '12345' was probably about as popular a password as 'password' on Gawker. After analyzing roughly 1/3 of the passwords stolen from Gawker, researchers have learned that the most popular password is '123456.' Second is 'password.' I remember laughing at King Roland in Spaceballs because the combination to the air shield was '12345,' and laughing more when President Skroob announced it was the same as the combination to his luggage.


Strong passwords aren't as important as they used to be. Sites limit the number of password attempts before locking you out, so it's not as easy for someone to brute force an account. And if a site doesn't lock you out after so many failed attempts, a "strong" password may not matter. Using rainbow tables, a strong 12-character password will hold out less than 3 minutes.


But '123456' is still a poor choice for a password.

Thursday, December 16, 2010

EFF wins Privacy case in Third Circuit

The Electronic Frontier Foundation has won a major victory protecting your cell phone location data from unreasonable seizure by the government. The decision by the Third Circuit Court of Appeals says that judges can deny requests for "D Orders" and require a warrant to avoid possible Fourth Amendment complications.


This is more important than it looks at first glance. Though the case deals with cell phone location data, "D Orders" are used for a variety of communications-related data, including email. In the Third Circuit the government can no longer assume it will be able to demand communications from ISPs or other communications companies and automatically be granted access by the courts. The EFF is intending to use the decision in similar cases in other circuits, and expects others will, too.


This is a good decision. The government's position on "D Orders" is that they should be granted automatically. Now the government has to be sure of its case before seeking information. They can still get information using "D Orders," but they have to make sure they won't run afoul of the Fourth Amendment by doing so. At least in the Third Circuit. That will decrease the number of cases that can be disputed on Fourth Amendment grounds, saving time and money. We can only hope other Circuits (or the Supreme Court) will agree with this decision.

Wednesday, December 15, 2010

McDonald's suffers data breach

Salon.com reports that McDonald's has suffered a data breach. According to McDonald's, the servers breached contained email addresses, birthdates and other info, but no social security numbers or financial information.


That's very nice, but with an email address and birthdate you can probably steal an identity. If the email address includes a full name, you can definitely steal an identity. With an identity you can get a driver's license, credit cards, jobs, etc. In the modern connected world, there is no minor data breach.

Tuesday, December 14, 2010

Gawker breach compromised government sites

It's no secret now that Gawker had a major data breach. 1.3 million user names have been made available in a torrent file. These days that would almost be no big deal. For everyone but the 1.3 million, anyway. Even the more interesting statistics aren't surprising. Almost 2000 people used "password" for their password. I'm sure there are similar numbers using '12345'.

But those aren't the usernames and passwords that cause concern. The Rundown News Blog on PBS.org reports what appears to be a sublist of accounts belonging to federal, state and local governments. Apparently they were parsed for future attack. Gawker has been telling people to change their Gawker password, but many, if not most, people use the same username and password for multiple sites. So there is a good (or bad) chance that we will see a government breach resulting from this - unless all of the government employees whose Gawker accounts are compromised change their passwords on all of their accounts.

Even if they don't use the same password on all sites, it would be a good idea to change all of their passwords. Unless they use a password generator, many people tend to use similar passwords: old girlfriends' names, old pets, a word with a number or symbol added and rotated, action heroes, comic book characters, etc.
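Added example, not code from the blog: a Python audit for the weak-password habits named in this post and in the "most popular password on Gawker" post ('123456', 'password', a familiar word with a number or symbol tacked on and rotated). The common-password sample and the tiny dictionary are constructed for the example and are not the Gawker data; the 12-character threshold is the figure the earlier post uses.

```python
"""Flag the weak-password habits described in the Gawker posts.
Added example, not the blog's code; word lists are constructed samples."""
import re

# Constructed sample; the first two entries are the ones the post reports.
COMMON_PASSWORDS = {"123456", "password", "12345", "qwerty", "letmein", "abc123"}
# Constructed mini-dictionary standing in for names, pets and heroes.
DICTIONARY = {"password", "fluffy", "batman", "superman", "jennifer", "spider"}
# Undo the usual letter-for-symbol swaps so "b@tm@n" reads as "batman".
LEET = str.maketrans("@$03", "asoe")


def split_base(pw):
    """Split 'Fluffy2010!' into ('fluffy', '2010!'): base word and trailing suffix."""
    m = re.fullmatch(r"(.*?)([0-9!@#$%^&*._-]*)", pw.lower())
    return m.group(1), m.group(2)


def is_sequence(s):
    """True for straight runs such as 123456, 654321 or abcdef."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def audit_password(pw):
    """Return the list of weaknesses found; an empty list means none of these."""
    findings = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        findings.append("in common-password list")
    if is_sequence(low):
        findings.append("simple sequence")
    base, suffix = split_base(pw)
    if base.translate(LEET) in DICTIONARY:
        findings.append("dictionary word" + (" plus trailing number/symbol" if suffix else ""))
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    return findings


def rotation_groups(passwords):
    """Group passwords that share a base word, i.e. the 'rotate the number' habit."""
    groups = {}
    for pw in passwords:
        base, _ = split_base(pw)
        word = base.translate(LEET)
        if word:
            groups.setdefault(word, []).append(pw)
    return {w: pws for w, pws in groups.items() if len(pws) > 1}


if __name__ == "__main__":
    # Constructed sample inputs, not leaked data.
    for sample in ("123456", "Fluffy2010!", "B@tm@n", "tqN7!vR2#mLp9"):
        print(sample, audit_password(sample) or ["no findings"])
    print(rotation_groups(["fluffy2010", "fluffy2011", "Batman!", "b@tman2"]))
```

Run as a script it reports three findings for '123456', two each for the dictionary-based samples, and none for the random 13-character string; the last line shows the two rotation families grouped under their base words.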

We see talk of how interconnected we are and how exposed online. Incidents like this serve to drive that lesson home. Because of a data breach on a private web site an unknown amount of government data of unknown sensitivity is at risk. Not to mention the citizens' accounts that risk compromise. The damage is done in this breach, but what can we do to prevent the next one? And the next one?

FBI faking terrorist threats?

In an interesting piece on Alternet.org, Seth Freed Wessler asks, "Why are the Feds cultivating their own 'Homegrown Terrorists'?"

An intriguing question. I hadn't asked myself that question, but I had noticed that the thwarted terrorist attacks we've heard about seemed to involve young men duped into believing they were being recruited by Islamic terrorists. But none of them ever actually communicated with terrorists. Apparently none of them actually had any plans to commit terrorist acts until recruited by the FBI.

Mr. Wessler gives a brief recounting of the case of Antonio Martinez. Martinez converted to Islam, and was eventually approached on Facebook by the FBI, who set him up with (fake) explosives and a plan to use them. Martinez never had contact with any actual terrorists, and other than comments on Facebook saying he supported Jihad, wasn't looking for contacts. So what exactly made him a terrorist threat?

A former FBI agent who has been involved in the defense of persons arrested using these techniques claims that the majority of such cases are bogus - and even rely on hysteria more than hard evidence. In an interview on PBS's Frontline, former agent James Wedick lays out all the problems with the case against Hamid and Umer Hayat, a father and son convicted of planning a terrorist attack. Based on Wedick's interview and the FBI response given to Frontline, I tend to think Seth Wessler may be onto something.

Sitting here it's hard to be sure what's the truth. But it is interesting that in recent history the terrorists who were stopped were set up by the FBI, and the terrorists who almost succeeded were ignored by our intelligence community.

Wikileaks: What happened to freedom of speech?

Wikileaks' publishing of 250,000+ diplomatic cables is a defining moment for the Western world. A young soldier allegedly stole volumes of classified and secret information from the U.S. government. The documents were acquired by Wikileaks, which is in the process of putting them all on the web.

Why do I call this a defining moment? Because now the United States' dirty laundry is being aired, and how we deal with it will say much about our ideals and our realities. I said we, and I said it for a reason. We, the citizens of the U.S., now have access to some very damning diplomatic cables sent by our government. We see our government pressuring other governments to arrest and imprison the editor-in-chief of Wikileaks. Pressuring businesses to stop hosting Wikileaks.

From the cables we see that the U.S. is pushing to influence the internal policies of other countries. That could be considered an act of war.

So how are we going to react to our government's actions? Both those revealed in the cables and those revealed in our government's response to it? Are we going to sit back because there is nothing we can do, or are we going to make our voices heard and tell our elected representatives that we expect them to act in accordance with the finest ideals of our nation, not like playground bullies?

I strongly believe that just releasing the cables was irresponsible. But I also know that Mr. Assange is not a U.S. citizen and Wikileaks is not a U.S. company. He did not hire the soldier to get him secret U.S. documents. He didn't steal them himself. He runs a whistleblower site in a foreign country. The documents he received contained things that needed to be revealed. He revealed them. He did what whistleblowers do.

John Naughton of guardian.co.uk tells us that governments are going to have to learn to Live with the Wikileakable world or shut down the net. He reminds us that Hillary Clinton just last January gave a speech on how important the free flow of information is for citizens to hold governments accountable. I wonder if she sees the irony in our government's response to Wikileaks?

Do public servants have right to privacy?

A conversation I saw on Twitter pointed me to an article on reason.com titled, "The War on Cameras" about the right of citizens to record public officials. Thanks @mckeay & @georgevhulme, this is better than what I had planned. :)

The article talks mostly about citizens recording police officers, but the first case, involving a man in Illinois, actually involved a judge. Michael Allison was cited for violating the town's eyesore ordinance. The day before the trial he went to the courthouse to request a court reporter because he wanted a record of what went on for a lawsuit he was planning. He told the court clerk that if a court reporter wasn't there he would record the trial himself, and showed her his digital recorder. He was refused a court reporter. When he appeared before the judge the next day the judge asked if he had a recorder in his pocket and if it was on. Mr. Allison answered yes to both questions. The judge informed him that he (Allison) had broken Illinois wiretapping law and violated his (the judge's) right to privacy. Despite the fact that he had not been informed of the law the day before, only had the recorder because a court reporter wasn't provided, and had no prior criminal record, he was charged with five counts of wiretapping (15 years each if convicted) and had bail set at $35,000.

How much privacy can a judge expect while performing his duties in the courtroom? How much privacy can a police officer expect during a traffic stop? Anthony Graber recorded an officer who stopped him and was arrested for posting the video on YouTube. The charges were eventually dropped.

In their private lives officials have the same privacy rights as we do. But often in the performance of their duties their privacy rights will be much more limited. Police have the right to privacy when interrogating suspects. Judges have the right to limit or deny cameras in the courtroom. But that doesn't give them a right to "privacy" in the courtroom. There can be hundreds of people in the court. There often will be a court reporter. There may not be cameras, but there still won't be privacy. An officer writing a ticket on the side of a public highway can't expect any type of privacy. Everybody and their dog can see what's going on. And citizens should be totally able to monitor on-duty police if they can do it without interfering in the policeman's performance of his/her duties.


Wikileaks is a symptom, not the disease

Wikileaks has created a tempest with the release of millions of stolen U.S. secret documents. It's also created serious problems for its founder. Problems that may exist more for the convenience of the embarrassed governments than for any real events. But that's not the reason for this post. Wikileaks has forced governments in general, and the U.S. government in particular, to look at just what types of security they have, and how close it really is to what they need.

Redorbit.com reports that the U.S. lags behind safeguarding against cyber attacks. I don't know if anyone really finds that idea surprising. If we can't even prevent a soldier (trusted with clearance or not) from physically stealing secret documents, why should we think we're successfully securing the networks that hold those documents from outside intruders?

The Department of Homeland Security (DHS) has plans to secure those networks, but they will take time to implement. Steps are being taken to plug the holes that made the Wikileaks revelation possible, too. The problem is, those steps should have been taken years ago. There should have been no thumb drives allowed, and the ability to burn CDs should have been limited to particular people, if it was allowed at all.

For at least a decade government agencies have been getting a failing grade when it comes to network and computer system security. The DHS has been receiving failing grades since its creation - though I think last year for the first time it received a "D." It was one of the few sections of our government to do so. If we want to remain a real player in the world - not just in politics, but in economics, science, and technology - we have to step back and look at what we are doing. We have to honestly evaluate everything. Is this policy effective? Or does it just "look good?" Is there a more effective way? If it is effective, is it effective at the right thing? If we are trying to keep thieves from stealing data off of our networks, do our policies at least make it harder to get data off of our network, even if you are sitting at a computer inside the network perimeter?
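The post argues that removable media (thumb drives, CD burning) should have been blocked on the networks that held the leaked documents, and asks whether a policy actually makes it harder to get data off the network from inside. The script below is an added example, not from the original post or from any agency: it audits a Linux host for the two common ways of blocking USB mass storage, a modprobe "install usb-storage /bin/false" line and a udev rule that de-authorizes usb-storage devices. The directory paths are parameters so the check can run against a constructed sample tree without root; the sample tree itself is constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a Linux host
# blocks USB mass-storage devices. Assumes the two mechanisms below; both
# directory paths are parameters so this runs against test data without root.
# On a real host you would pass /etc/modprobe.d and /etc/udev/rules.d.

# usbstor_blocked MODPROBE_DIR UDEV_DIR
# Prints which mechanism is active; returns 0 if at least one control
# blocks USB storage, 1 if neither does.
usbstor_blocked() {
    modprobe_dir="$1"
    udev_dir="$2"
    status=1
    # modprobe.d: "install usb-storage /bin/false" (or /bin/true) keeps the
    # driver from ever loading, so a thumb drive never appears as a disk.
    if grep -Eqs '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(false|true)' \
            "$modprobe_dir"/*.conf 2>/dev/null; then
        echo "modprobe: usb-storage driver load is blocked"
        status=0
    fi
    # udev: a rule matching the usb-storage driver that sets authorized=0
    # rejects devices even if the driver is already loaded.
    if grep -Eqs 'usb-storage.*authorized\}="0"' "$udev_dir"/*.rules 2>/dev/null; then
        echo "udev: usb-storage devices are de-authorized"
        status=0
    fi
    [ "$status" -eq 0 ] || echo "WARNING: USB mass storage is NOT blocked"
    return "$status"
}

# make_sample_tree BASE
# Builds a constructed sample: one "blocked" host with both controls and
# one "open" host with unrelated config only. Constructed test data.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/blocked/modprobe.d" "$base/blocked/rules.d" \
             "$base/open/modprobe.d" "$base/open/rules.d"
    echo 'install usb-storage /bin/false' > "$base/blocked/modprobe.d/usbstor.conf"
    echo 'ACTION=="add", SUBSYSTEMS=="usb", DRIVERS=="usb-storage", ATTR{authorized}="0"' \
        > "$base/blocked/rules.d/99-usbstor.rules"
    echo 'options snd-hda-intel model=auto' > "$base/open/modprobe.d/sound.conf"
}

# Demonstration run against the constructed tree.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
echo "== blocked host ==";  usbstor_blocked "$tmp/blocked/modprobe.d" "$tmp/blocked/rules.d" || true
echo "== open host ==";     usbstor_blocked "$tmp/open/modprobe.d" "$tmp/open/rules.d" || true
rm -rf "$tmp"
```

The check is deliberately a read-only audit: it tells you whether the control the post calls for is actually configured, which is the "is it effective at the right thing" question, without changing the host. Run it in a configuration-compliance job and alert on the WARNING line.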

If I am trying to keep our businesses competitive with foreign companies, are my policies doing that, or are they actually hurting the competitive capabilities of U.S. companies?

We have to look at ourselves honestly, evaluate ourselves dispassionately, and work at improving diligently if we are going to secure our networks and our borders. If we aren't willing to do that, we should fold up now.

How many people's identity is stolen? 1 in 7.

Whether you know it or not, you probably know at least one person whose Social Security number has been stolen. Bob Sullivan at MSNBC's "The Red Tape Chronicles" reports that a new study shows that 1 in 7 people's Social Security number is being used by someone else, too.

That's a lot of SS fraud. Think of 6 people you know. Odds are that at least one of you is sharing your Social Security number with someone, probably without knowing it. I know two people whose purses were stolen out of their cars. That could be two more shared SS numbers. Is someone using yours? How many someones? 10 people or more are using some numbers. Some are illegals using them to get jobs, some are getting credit, some are legitimate mistakes.

Think about all the times over the years you've rattled off your Social Security number in public. If you're old enough you may have been getting to the front of a line at Tech (or another university) and giving your full name and social with 10 people in hearing range. All it takes is one crook with a good memory. Or a recorder. Fortunately today most places will only ask for the last 4 of the social, if that. But how many times have you handed your identity to a room full of people without thinking about it?

It was going to be the perfect geek gift for your girl

I saw this the other day on the Bit Rebels blog. It was a post by Richard Darell titled, Gear for girls - Only the coolest thing you can give your girl. It really is the coolest thing you can give your girl. Check out the pics. Any girl, geek-girl or non-geek girl, would totally appreciate this - if it were beyond the design stage.

It's a really nice little MP3 player disguised as an earring designed by Lu Won-jun. Or it would be, if it had made it into production. I saw the link in a tweet and assumed it was current. It was actually from this past April, and talked about a fresh, new, and still unproduced MP3 player design. An earring MP3 player. So cool, so unnoticeable. Even the latest iPod can't match it for cool factor.

But it hasn't made it into production. Possibly because some of the comments regarding technical difficulties were dead on. Or maybe not. But it sure would have been cool if it were for sale.

FTC recommending privacy options for Internet users

Edward Wyatt and Tanzina Vega at the NY Times report that the FTC is recommending internet users be allowed to decide whether or not their surfing and buying habits are tracked. Groups like the Electronic Privacy Information Center (EPIC) are encouraged, but don't see a "do not track" option as the perfect solution to online privacy concerns. Online advertising groups are not happy about the proposal, saying that if "Do not track" saw the same rate of adoption as "do not call" it would cause the industry "significant harm."

There is no doubt an opt-out of tracking option would require radical changes in the way online ads are targeted. But I should have the option not to be tracked. Just like I can choose whether or not to take part in CVS's data gathering ExtraCare reward card, I should be able to choose whether or not the sites I visit gather data on me. I should be able to see what type of data is being gathered and I should be able to have that data purged. Or I should be paid for the information. It is my information, after all.

There's a battle over how law enforcement can track us.

The EFF Deeplinks blog reports this week on three court cases regarding the feds' use of cell phone and GPS tracking. Overall it looks promising, although the feds are predictably arguing that they should be able to track us using our cell phones and other geo-location technology without a warrant. But although it looks hopeful, we have to remain vigilant or have our rights abridged, limited, and nullified.

It wasn't in the Deeplinks blog, but News-Register.com reports that a federal appeals court in Washington D.C. ruled that D.C. police had violated Antoine Jones's rights by placing a tracking device on his car without a warrant. The appeals court agreed with a lower court's opinion that a:

"reasonable person does not expect anyone to monitor and retain a record of every time he drives his car, including his origin, route, destination and each place he stops and how long he stays there."

A wise ruling on the part of both courts. If you can't get a judge to issue a warrant, you don't have enough reason to put a GPS on a car, any more than you have enough to tap a phone. There are reasons law enforcement is limited in its ability to spy on us. We don't live in a police state. There has to be probable cause for police to search citizens; otherwise we could be pulled over and searched because the cop is having a bad day. Or because we post something critical of the President, or the mayor, or the police chief.

There are no reasons to pirate music

According to Paul Boutin at Wired.com, The Age of Music Piracy is Officially Over. He may be right. Paul says that there is no reason to steal music anymore, unless you're just cheap.

Now that most music can be downloaded as high as 256Kbps quality, songs are 99 cents or lower, and there are a variety of legal sources, he makes a good argument. You can even legally download the Beatles now. Other than sheer unwillingness to pay for music, there isn't really a good reason to download pirated songs. The quality usually isn't as good - there's no guarantee you'll even get the whole song - and there's always that risk, however slight, that you'll get tagged as a downloader and sued.

If you absolutely have to have free music, there are alternatives out there, like Jamendo, a service full of free music that is available under various Creative Commons licenses. Most of the licenses are pretty liberal, allowing you to sample, remix and in general rework the tracks for your pleasure. A similar service is Magnatune, which provides music that is free for any type of personal use. For commercial use there is a one-time fee and no royalties. That means that no matter how much profit your project makes, you only pay the one-time fee.

On further thought, Paul Boutin is right. There is no reason to pirate music anymore.

What is happening to Intellectual Property law in this country?

The last couple of months have seen interesting developments in Intellectual Property (IP) law. The Combating Online Infringement and Counterfeits Act (COICA) made it through committee in the Senate. The Department of Homeland Security (DHS) is being used to enforce IP law by the Department of Justice (DOJ). Internet domains are taken down with no warning to disrupt the sale of counterfeit goods. According to the press release from the DOJ:

The coordinated federal law enforcement operation targeted online retailers of a diverse array of counterfeit goods, including sports equipment, shoes, handbags, athletic apparel and sunglasses as well as illegal copies of copyrighted DVD boxed sets, music and software.

Makes sense and seems reasonable. But they seized at least one search engine that never hosted torrents or knock-off items. That is disturbing. What would happen if DHS suddenly decided to seize Google? Bing? You can find torrents and knock-offs on those sites, too. Shutting down a search engine because you can find pirated movies is like shutting down a library because you can find the formula for TNT.

Historically IP crimes have been civil matters. But recently they have begun to be pressed as criminal offenses. Take a case reported by Wired.com, the case of Matthew Crippen. Crippen is charged with two counts of circumventing DRM on Xbox video consoles by installing mod chips that allowed people to run homegrown software, ripped DVDs, and other 'unofficial' content, although he could have been charged with many more counts. His lawyers are trying to use the recent decision granting jailbreaking the iPhone an exemption under fair use as part of their defense strategy. If they lose he's facing 3 years in jail, although it could have been as long as 10 years.

Why is the Department of Homeland Security enforcing copyright law? Why are IP cases being tried as criminal cases? Why are we treating IP suspects as guilty until proven innocent? How can we fix these problems?

ICE takes down 77 Internet domains without warning

According to Mashable.com, on Friday the Immigration and Customs Enforcement (ICE) division of the Department of Homeland Security seized approximately 77 domains for copyright infringement. The seizures were made without any warning and without going through the hosting ISPs.

CBSnews.com reports a Torrent of Gov't Seizures in Online Piracy War, and tells us that ICE is taking down domains that host pirated movies and music in a move to combat piracy. They are supposedly getting court orders based on complaints received.

The reports also tell you that not everyone agrees with this move. I know I don't. It's not that I condone piracy. I disagree with the current copyright law for several reasons. One reason is that it makes it illegal for me to exercise my fair use right to make a backup copy of a movie, software, ebook, etc. It's wrong to rip a movie and make copies for my friends or put it online for anyone to copy. But making a single copy for personal backup is allowable according to the fair use provisions of U.S. copyright law.

The big problem with ICE taking down infringing domains is that entire domains are being taken down without warning - possibly without recourse - regardless of whether or not the entire domain is involved or even aware of the alleged infringements. What information was used to determine the domains should be taken down? What kind of checking was done to verify infringement took place?

The U.S. (and other) government(s) have the right and duty to enforce their laws. Sharing copyrighted movies without permission of the copyright holder is immoral and illegal. So taking down sites that exist to make it easy to share illegal copies is proper. But doing so in a manner that takes down sites that are not involved in illegal activity is not. It is very likely that there were legitimate sites taken down by this action. Possibly even legitimate businesses. That is not just wrong, it's irresponsible.

The government has a responsibility to enforce its laws, but it also has a responsibility to enforce them in a fashion that causes the least pain and suffering possible to law-abiding citizens. The very nature of file sharing sites makes it possible to send cease and desist letters and/or investigate the suspect domain to determine exactly which sites are guilty, without risking the case. Taking down entire domains without considering that a domain can contain many different, totally unrelated sites could result in more harm than the illegal file sharing.

The government has a responsibility to enforce the laws, but please don't trample on law-abiding citizens to do it.

Happy Thanksgiving!

Next blog Monday, Nov. 29.

Cookie Monster imitates Betty White

Cookie Monster has decided that what worked for Betty should work for him, too, so he has a Facebook page and is looking for supporters to get him a hosting gig. Go show your support.

PS: If you're flying this Thanksgiving, remember, the poor schmuck "touching your junk" probably doesn't like it any more than you do, so try to take it easy on him (or her).

Bullies video beating, post on Facebook

Another case of Facebook being used by bullies is being investigated, this time in Schenectady, NY. But instead of using the site to bully other students, the bullies made a video of the beating they gave another student and posted it on Facebook.

Other students visiting the Facebook page said they would like to see the girl in the video beaten up at school. The police are investigating, and given the school's history, I don't think they'll go lightly on the bullies. In the 2008-09 school year four girls committed suicide, and two of them were probably being bullied when they did it.

This case is different than the usual Facebook bullying you hear about. The girl wasn't abused by messaging and wall posts; she was beaten up, videoed, and more students said they would like to see her hurt at school. While it's easy to create an anonymous Facebook page, most cameras today put identifying information on the video, so the students who beat her may get a surprise visit from the police, even if none of the students who visited the page used their real names on their accounts. And I'm glad. This is one time that I wouldn't mind if Facebook was even more dismissive of users' privacy than it already is.

The terrorists are winning

I got a kick out of this cartoon by Mike Keefe on the Cagle Political Cartoon blog. I thought it was pretty close to right, but amusing.

Then I read about Thomas Sawyer, a survivor of bladder cancer who was humiliated by thoughtless TSA employees. He was chosen for an enhanced pat down after going through the full body scanner. He tried to warn them about his urostomy bag, but they ignored him and broke the seal, leaving him wet and smelling of urine. The TSA employees acted as though nothing had happened despite the wet spot on his clothes. And I realized that the changes we're enduring because of terrorism are no laughing matter.

Next I read a headline, "Qaeda Branch Aimed for Broad Damage at Low Cost," referring to the failed (or not) parcel bomb last month. The terrorists claim the operation may not have blown up a plane, but it had the desired effect of causing the U.S. to revamp security again, a time consuming and expensive prospect. In fact they've shifted emphasis from flashy attacks to simple, low grade attacks that cause maximum return in things like expanded security procedures.

The terrorists have won. They control our airport security. We need to turn things around and come up with reasonable procedures for airport security that respect human dignity and treat airline passengers like customers, not suspects.

Combating Online Infringement and Counterfeits Act makes it out of committee

Public Knowledge reports that the Senate Judiciary Committee has approved COICA. COICA is a nasty piece of legislation that allows a person to get a website taken down by complaining that it is infringing on someone's intellectual property. No hearings, no trials, no investigation necessary. Complain to the ISP of the allegedly offending site, and down it comes. It won't work the way it's intended, and will have little effect on criminals, but it could have a profound effect on legitimate businesses who deal with file storage and encryption. I blogged about some of the problems last month.

Write your senators and representatives. This is important, and could change the face of the internet completely if left unchecked. It's made it out of committee, but it can be stopped short of passing the Senate and be kept out of the House entirely. Find your senator's physical and email addresses here. Find your representative's physical and email addresses here.

TSA procedures fail most important test: Effectiveness

The Transportation Security Administration (TSA) is coming under a lot of fire lately. Privacy advocates and groups are attacking full body scanners and "enhanced" pat downs, while overzealous, poorly trained, or just plain drunk-with-power employees do things that are fueling the fires of citizen backlash against the ridiculous procedures.

From the (over)reaction to Johnny Edge's refusal to get either a full body scan or an enhanced pat down, to a three year old girl terrorized by a too literal interpretation of the rules by a TSA employee, it has become obvious that the TSA and our government have forgotten who the enemy is. And I think even the low level employees know how ineffective their procedures are. The frustration, and maybe even fear that they will be the one that lets a bomber through, causes them to react to any resistance, even a tired, scared three year old, as if it's a serious threat.

Of course, not everyone thinks the TSA is wrong. Even though there are experts who refute the TSA claims that the full body scanners are harmless. Even though there is doubt that the scanners would detect explosives of the type used by the crotch bomber. Even though no one knows if the scanners will detect or scan through artificial flesh. Even though the GAO recommended more testing before buying or deploying any more of the scanners earlier this year. Even though there is so much doubt about the real usefulness of the scanners, The Christian Science Monitor supports the TSA, as does Alex Altman at the Time Swampland political blog. Mr. Altman cites a CBS poll showing that 81% of Americans are OK with the TSA procedures. But the problems with TSA procedures will persist even if 100% of the citizens are OK with them.

You can say that any security can be breached by someone clever and determined enough. And you wouldn't be lying. But it doesn't even take a particularly clever or determined terrorist to get through the body scanners and pat downs.

But that's not the worst. The way airport security works now, all you have to do is get into the airport and approach the people lined up at the checkpoints. Not as spectacular as the flaming remnants of a passenger jet falling from the sky, but possibly even more effective as a terror tactic. Maybe as effective psychologically as hitting the Twin Towers on 9/11.

Could Israel's system scale to work with our aviation system? Can any part of it? Has anybody checked? If it can, then leaving the system we have in place unaltered is criminally negligent.

Dept. Of Transportation launches "Faces of Distracted Driving" site

Phone calls, text messages, screens in the dash. There was a time when it was kids and the radio. Now there's an army of driving distractions to pull our attention from the road. Transportation Secretary Ray LaHood announced on his official blog today the launch of "Faces of Distracted Driving," a site devoted to the danger of driving while distracted.

There is a lot of information on the site, including a summary of state laws, a FAQ and statistics. There are also three stories of people killed by distracted driving with more to be added. It's sobering, and thought provoking. Just a few days ago I received a text on the way home and started to reply when I realized I was veering to the ditch. I straightened out and put away the phone, but I was seconds from being a statistic. I resolved not to text while driving, and these stories reinforced that resolve.

We often don't think about the consequences of our actions, and when we do, we think the worst won't happen to us. But it can. I don't know which scares me more, the thought of leaving my family without a husband and father or taking someone else's loved one away forever because I couldn't be bothered to pull over or get where I'm going before talking or texting.

Facebook Messages - We want a license to the rest of your life.

Facebook is beginning a "slow rollout" of a new service, Facebook Messages. Messages will combine chats, SMS messaging, and email. Eventually it may include VoIP messages. It's pretty cool. If you want you can have an @facebook.com email address, or if you want to keep your current address you can. It keeps a history of all of your conversations. You can even add friends that aren't on Facebook and keep records of your conversations with them. The only tradeoff is that Facebook now has a license to make use of all of that content per the Statement of Rights and Responsibilities, section 2:

You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings. In addition: For content that is covered by intellectual property rights, like photos and videos ("IP content"), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook ("IP License"). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it. (emphasis mine) When you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer. However, you understand that removed content may persist in backup copies for a reasonable period of time (but will not be available to others). When you use an application, your content and information is shared with the application. We require applications to respect your privacy, and your agreement with that application will control how the application can use, store, and transfer that content and information. (To learn more about Platform, read our Privacy Policy and About Platform page.) When you publish content or information using the "everyone" setting, it means that you are allowing everyone, including people off of Facebook, to access and use that information, and to associate it with you (i.e., your name and profile picture). We always appreciate your feedback or other suggestions about Facebook, but you understand that we may use them without any obligation to compensate you for them (just as you have no obligation to offer them) (emphasis mine).

The provisions giving Facebook a license to all of my data don't seem too bad, since they're subject to my privacy and application settings. If only I could know that my settings would not change without my wanting them to. It would also help if my privacy settings weren't set to wide open every time Facebook decides to make changes to their privacy settings.

Facebook's new Messages is a really good idea. But there are few companies I would trust less with my private messages.

In Palestine, impersonating God could be bad for your health

Eric Berry on Allfacebook.com reports that Walid Husayin of Qalqilya in Palestine is facing possible life in prison for claiming to be God in several Facebook groups he created. He also criticized the Islamic faith and created mock Quran verses that encouraged people to smoke marijuana.

It's somewhat risky to criticize Islam over the internet while in an Islamic country. It's a little riskier to claim to be God in an Islamic country. To do both from an internet cafe in a small conservative town in an Islamic country is asking for trouble.

Walid Husayin spent 7 hours a day on one computer at the local internet cafe. The owner became suspicious and had an employee take screenshots while Walid was on the computer. He turned them over to the police, who arrested Walid while he was at the cafe blogging. The maximum sentence by law is life in prison, but people in Qalqilya - people he has known his entire life - want him executed by burning.

I guess we should count our blessings. In the U.S. we can say what we want about our government or any religion without fear of arrest. But as our government continues to monitor as many of the country's phone calls as it can, and law enforcement seeks the power to decrypt any and all private encrypted communication, can we be sure that will always be the case?

Not if we don't make sure it is.

The lighter side of airport security

After seeing stories like "Pregnant Traveller: TSA Screeners bullied me into a full body scan," it's nice to see people aren't letting the idiocy break their spirit. Here are a few links to sites that take the TSA with a grain of salt:

A (fake) children's book to help your kids understand the security process.

Here are T-shirts that I could wear through airport security. And because those weren't enough, the "stop groping me" T.