Facebook selling users info and opinions

Barbara Ortutay of the Associated Press reports that Facebook users may soon find themselves in advertisements promoting stores they visit using their Facebook login or items/companies they hit the 'like' button on. The good news is the privacy settings you have will carry over on the ads. The bad news is that there is no option for refusing to be in the ads.

Yesterday I was talking about Facebook protecting it's users from a government intent on controlling what they could say and here. It was short lived. Today Facebook is getting ready to use the images, likenesses and names of its users for profit without permission or compensation. If a newspaper or TV station were to do that they would be in big trouble. Actors, politicians and other public figures take people to court for it. But Facebook is above such petty concerns. They aren't a media company, and they don't provide a free service. As I heard a security researcher say, we are not Facebooks customers, we are it's product. That's something we should all remember. You don't pay a product, you get paid for it.

Facebook plays the hero in Tunisia

Alexis Madrigal at The Atlantic reports on Facebook's reaction to an attempt to steal all of the Facebook logins in Tunisia.

It took a while to figure out what was happening. The problem was that the Tunisian government was stealing the usernames and passwords. Facebook was able to solve the problem and protect it's users identities. But the solution was susceptible to a basic fact of the internet - the solution required using https, and ISP's can force the use of http. After solving the problem of Tunisian password theft Joe Wallace, Facebook's Chief Security Officer, noted:

When you step back and think about how Internet traffic is routed around the world, an astonishing amount is susceptible to government access."

It is really astonishing. And safe guards need to be in place to protect us from government betrayal like the citizens of Tunisia experienced. Earlier today I saw a tweet earlier today saying that we don't need government regulation to solve our internet privacy issues. I'm afraid I have to disagree. If the biggest threat to our privacy online is the government, the only way to protect our privacy is regulations that bind the government. It is setting the fox to watch the henhouse, but the only way to limit governments invasions of our privacy is have rules protecting it. Although large companies like Facebook can help.

Mozilla announces "Do not track" feature in Firefox

Mozilla has announced that they will include a "do not track" feature in Firefox 4.1 in response to the FTC's call for the one. Google and Microsoft have also announced "do not track" features, but Firefox 4.1 will probably be released first.

It's a nice first step, or maybe a nice gesture. If the tracking companies don't agree to honor the do-not-follow requests of the browsers, nothing will change, and tracking will be business as usual. Right now no tracking company has agreed.

In reality, though, it may be too late for "do not track." We enjoy a mostly free web surfing experience. "Do not track" could be the end of that. A lot of the free sites that we enjoy are paid for by information gathered while we surf and used to help better target ads at us. Remove that source of revenue and the sites have a choice. Charge for service, or go away. How much would you pay a month for what is now free on ESPN.com. How about Youtube? ? Facebook?

We should control who gathers data on us, how data about us is gathered, and who is doing the gathering. But we have allowed things to get way out of hand. Tracking is central to doing business on the internet and cannot be removed without replacing the revenue it generates (directly and indirectly) unless you want to see a lot of online businesses go under.

Berkeley Artificial Intelligence beats human Starcraft player

Berkeley Artificial Intelligence beats human Starcraft player

Haomiao Huang is a graduate student in the Artificial Intelligence (AI) and robotics labs at UC Berkeley. Last week he told the story of how they created the "Berkeley Overmind," their entry in the 2010 Starcraft AI competition.

Why have a Starcraft tournamet for Artificial Intelligences? Sure, Starcraft is one of the most successful computer games of all time. A decade and more since it's release it is still popular and still being updated - though that may come to an end soon since Starcraft II is out. But what makes it a good way for testing AI? I can't say it any better than than the article:

“Chess is hard because you have to look far into the future, and go is harder because there are lots of pieces. With poker there’s uncertainty,” he says. “In StarCraft, you have all of these things going on simultaneously, and you have very little time to compute a solution.”

If you've never played Starcraft, it is a very challenging game. To help them build their AI, the boys at Berkeley (apologies to any female team members) recruited Orial Vinyals, a PhD student in computer science. He is also a former world class Starcraft player who was ranked #1 in Spain and in the top 16 in Europe. That means I would probably last all of 10 minutes in a match with him. If I was having a very good day and his was very bad. Using Orial as the opponent for the AI they were able to refine their algorithms. Eventually the AI was able to defeat Orial. It's a statement on how far AI has come, both hardware and software. Here's an example of the AI controlling mutalisks - a flying weapon.

They've built an AI that can locate, gather and allocate resources to produce and control military units. One that is capable of outthinking a human who is expert at doing exactly the same thing. Once someone thinks to set it to controlling the GRASP labs quadrocoptors we'll be needing John Conner, because Skynet will be on the way.

Sony hammers researchers with DMCA

On the Deeplinks blog at eff.org Corynne McSherry and Marcia Hofmann report on the case of Sony vs Hotz. The implications of the case are broad reaching and frightening. Sony is suing researchers for the crime of exposing security holes. The researchers found security holes that allow users to run Linux on the Playstation 3 - something Sony allowed until recently.

This is the ultimate result of the Digital Millenim Copyright Act (DMCA). The DMCA makes it a crime to circumvent security measures on electronic media and devices - even if you have purchased the device and are exercising rights granted to you by other laws. Copyright fair use and modifying your own equipment on your own network for otherwise legal uses are two examples.

Sony is also suing under the Computer Fraud and Abuse Act (CFAA) because the the researchers violated the terms of use for the Playstation Network - even though it appears the researchers used their own network, not Sony's. As McSherry and Hofmann point out, Sony is suing the researchers for using computers (PS3's are computers) they bought in a way Sony doesn't like. If Sony wins this case we could find ourselves facing criminal charges for installing software that didn't come with the computer or connecting our television to the wrong provider.

You think that sounds farfetched? Sony is suing these researchers because they installed Linux on Playstation 3's. Something Sony allowed until recently, but now is willing to go to court to prevent. If Sony wins how long before Dell insists you can't install Linux on their computers, or HP decides that you can't install Open Office, AbiWord, or any other replacement for Microsoft software?

Can you have too much security?

How much security software do you have on your computer? A lot of people just have whatever came with their computer (not realizing it quit working after 90 days). Other people pay the license fee, or load software of their choosing. Some people use the "if some is good, more is better" theory. Unfortunately, when it comes to protecting your computer, more can definitely be worse.

If you have an anti-virus, anti-spyware, and a firewall you are probably as safe as the technology can make you. How safe will depend on how good the programs you are running are, but you won't be made safer by running multiple anti-virus. There's a good chance you will be made less safe as the different softwares interfere with each other and cause false positives, or worse, cause malware to be overlooked. On top of that, security software can take a lot of computing power. Set several anti-virus and anti-spyware programs running and they can really slow down your computer.

Multiple firewalls on a single computer won't increase security because both will either be set exactly the same, or they will conflict with each other. Running the firewall that comes with your operating system and one on a router can increase security by adding one more layer of protection for attackers to go through. 

So if you can only have one one anti-virus, which should it be? There are several good ones available. The suites from Symantec, McAfee and Kaspersky are all good. But if you don't like them, or don't want to spend money, I like Avast Free. Just as good (or arguably better) are AVG Free, Avira Antivir or Microsoft Security Essentials. Dottech.org reviewed all four, and found them to be in a virtual dead heat, though specific strengths and weaknesses varied between them.

You can have safely have multiple anti-spyware programs running. For free anti-spyware I like Spybot S&D and Adaware. There are others excellent programs out there, such as Spyware Doctor, and Prevx.

One more point for online security: It's a good idea to switch to Firefox from Internet Explorer. Firefox has had a few issues this last year, but is still far better than IE for security. It also has add-ons like No-Script available that greatly enhance it's security.

Twenty years ago you could put your computer on the internet without security software. I actually didn't start using anti-virus on my PC's until after 2000. But today it only takes moments to be compromised once you connect to the internet. So the proper use of anti-malware is essential.

Thanks to BikerDoug for his excellent suggestions to improve this entry

Facebook giving developers access to users address, phone number

Jacqui Cheng at Ars Technica reports that Facebook is making another 'helpful' move. It is allowing 3rd party developers to use the Facebook API to access users phone numbers and addresses. According to Facebook users will have to allow developers access. But if an app requires that access to be used, how many people will say no? The developers have to agree to follow strict guidelines on how they can use the data.

That's worked so well in the past.

Google closes the door on an open standard?

Is it licensing?

Peter Bright at Ars Technica reports that Google is dropping H.264 video support from it's Chrome browser. You might not think that would be a big deal. It was announced Firefox wouldn't support H.264 and hardly anybody blinked. But Firefox isn't Google.

Peter points out that Googles stated reason - to support open formats - doesn't hold water. H.264 is an open standard. What it isn't is a free standard - the licensing is capped at $6.5 million a year. But Google has a video codec of it's own, WebM. It may not fulfill the traditional definition of an open standard, but it's free. And cost effects even as rich a company as Google - but maybe not quite in the way Peter believes.

Or Infrastructure?

Jason Perlow, a ZDNet contributor, believes there is another reason Google wants to drop H.264. The cost of using H.264 is negligible for Google. But Google has properties that dwarf the cost of H.264 licensing. Chief among them would be YouTube. H.264 is widely supported, but Google's removed of H.264 support has raised the concern that H.264 support may be dropped from YouTube next.

According to Jason the real cost of supporting H.264 is in the infrastructure required to support it. Servers, storage space, and the bandwidth required to support multiple video formats are not cheap. Being able to get rid of one could put a significant dent in those costs. Getting rid of one that also has 6.5 million in licensing puts an even larger dent.

That's understandable, but it could effectively scuttle the efforts to simplify video on the web. HTML5 has a new tag, the VIDEO tag, that is supposed to work like the IMG tag - the type of image doesn't matter, and neither would the type of video. But it won't work if the browser won't support the video format. It may not work if the largest distributor of streaming video on the web doesn't support the standard.

It's amazing that a company that claims to promote open standards could be responsible for scuttling one online.

Going after Wikileaks causing more problems

The ancient Polynesians navigated the Pacific using the moon, stars and motion of the waves. As the ripples from the Wikileaks scandal travel around the planet I wonder if we can chart a course that brings us to greater privacy and security by seeing the way various governments, agencies and businesses react to them.

Last week we learned that the U.S. government tried to force Twitter to release user information on people who had been associated with Wikileaks. Wikileaks fought back, and has been widely praised for it. Wired's Threatlevel blog even stated that Twitter's response should be the industry standard when such requests are made.

As ripples move across the water they strike object and bounce back. In the Privacy Inc blog at CNET Declan McCullagh reports that a group of European politicians is protesting the U.S. subpoena of information from Twitter. Along with concerns that EU privacy rules may have be broken by the subpoena's, there is concern over the fact that one of the accounts subpoenaed belongs to a member of Iceland's national parliament. That does not please the government of Iceland, which summoned U.S. Ambassdor Luis Arreaga to a meeting at their foreign ministry.

Wikileaks did not steal the information it is releasing. By the governments own admission most of the data shouldn't have been classified, and nobody believes any of it is more than embarrassing. There was a similar case in the '70's that determined journalists releasing secrets were covered by the First Amendment. Is going after Wikileaks and Julian Assange worth causing international incidents? To have a trial that will probably go in Assange's favor?

Is this an attempt to catch and punish a wrongdoer or just to cover somebody's embarrassment?

Twitter stands up for users privacy.

The Threatlevel blog reports that Twitter did not cave in to a U.S. government subpoena for data on members associated with Wikileaks. Twitter fought a gag order and won, enabling the micro-blog site to notify members so they could fight the subpoena.

Tell me what you think. Should Twitter's action be acknowledged?

Intel completes Light Peak. Verizon to offer unlimited iPhone data plan?

Intel completes Light Peak

According to Electronista.com Intel has completed work on it's Light Peak technology. Light Peak is ultimately an optical communications protocol, but to bring it to market faster the initial offering uses copper cables. It currently has a top transfer rate of 10Gb/s, which according to Intel will transfer a full Blu-Ray movie in under 30 seconds. When the fiber optic version is released it will have a top speed of 100Gb/s, which I suppose means it will transfer 10 Blu-Ray movies in 30 seconds. I'm sure the MPAA will be thrilled when they hear about it.

But the high bandwidth offered by Light Peak may not be it's most interesting feature. Light Peak is a multiple protocol technology. What that means is that with one Light Peak port you can support multiple data transfer technologies. For example, after Light Peak becomes available you may be able to buy a multi-protocol hub that has USB, Firewire, SCSI, PS/2 and maybe other ports, connect it to a Light Peak port and connect all of your peripherals to the one port. The idea is to reduce the number and type of ports necessary on the computer. If you like computers with small form factors like netbooks, you can understand the need for such a port.

Verizon may offer unlimited data plan for iPhone

According to the Wall Street Journal, Verizon will be offering an unlimited data plan for the iPhone - if the rumors are true and a Verizon iPhone will be announced later this month. If they can support the added demand of millions of iPhones, that will be a major feather in Verizon's hat - and a major reason for people to move from AT&T to Verizon.

EFF fights bad patent, copyright claims

I'm going to close the week with another intellectual property post. From where I sit, it can be hard to see the downside of overly strict copyright law. Patent law, on the other hand, can be a little more clear. To people on the outside looking in, anyway. The problem is real. According to the EFF's "Patent Busting Project,"

Now some patent holders have begun to set their sights on the new class of technology users - small organizations and individuals who cannot afford to retain lawyers. Faced with million-dollar legal demands, they have no choice but to capitulate and pay license fees - fees that often fund more threat letters and lawsuits. And because these patents have become cheaper and easier to obtain, the patentee's costs can be spread out quickly amongst the many new defendants. Our patent system has historically relied on the resources of major corporate players to defeat bad patents; now it leaves these new defendants with few if any options to defend themselves.

Here are some examples of patents considered bad by the EFF:

• One-click online shopping (U.S. Patent No. 5,960,411.)
• Online shopping carts (U.S. Patent No. 5,715,314.)
• The hyperlink (U.S. Patent No. 4,873,662.)
• Video streaming (U.S. Patent No. 5,132,992.)
• Internationalizing domain names (U.S. Patent No. 6,182,148.)
• Pop-up windows (U.S. Patent No. 6,389,458.)
• Targeted banner ads (U.S. Patent No. 6,026,368.)
• Paying with a credit card online (U.S. Patent No. 6,289,319.)
• Framed browsing; (U.S. Patent Nos. 5,933,841 & 6,442,574.) and
• Affiliate linking (U.S. Patent No. 6,029,141.)
  

Imagine if the holder of U.S. patent No. 4,873,662 - the hyperlink - were to sue all of the websites using hyperlinks. Every website would have to either pay up or cease to exist. Ok, they could refuse to pay up and continue to exist, but they'd be pretty boring without any links to click on.

The EFF also asserts that bad patents can also threaten free expression by allowing the patent holder to threaten anyone using the technology for any purpose, whether or not the use causes any harm to the patent holder, is used for non-commercial purposes, or the user had any idea they were even using an infringing technology.

The latest patent infringement claim on the EFF's radar is made by a company called Flightprep against a company called RunwayFinder. The EFF believes the copyright is one that should never have been granted. In their words:

this dispute is emblematic of a patent system that has lost sight of its purpose. Instead of spurring innovation by encouraging folks to invent new and better ways to do things, the system is often used to impede the development and use of interesting and valuable new tools and services.

And that is a problem. The EFF works both to fight bad copyrights and to educate people about their rights when it comes to intellectual property. To facilitate the latter they have formed a joint venture with several university law departments called the Chilling Effects Clearinghouse.

The Chilling Effects website has information for people who are active online, whether it's commenting on blogs, creating fanfiction, blogging or creating an information site about your favorite hobby, or giving your opinion of your favorite (or least favorite) person. But it's primary purpose is to catalogue, analyze and clarify cease and desist orders so if you receive one the legaleze won't overwhelm you.

The purpose of the Chilling Effects Clearinghouse isn't to enable IP infringement, it is to help people stand up to IP bullying. In the last twenty years it has become much easier to steal intellectual property. It has also become much easier to threaten and bully people into submission if what they're doing could hurt your business - regardless of whether they're doing anything wrong or not. Especially if you have a lot of money and they don't.

What is the cost of copyright?

Have you ever been to the Internet Archives Wayback Machine? It's pretty neat. There are copies of thousands of sites - more likely millions - dating back to mid-90's. I tried to find my old "Securely Private" blog there when I found out the provider that had hosted the A-J blogs was no longer hosting them. Unfortunately it had links to it, but the actual pages were missing.

When I was looking for my old blogs I looked at some other sites just out of curiosity. I don't remember what they were now. It didn't even occur to me at the time that what I was looking at was copyright infringement on a massive scale. Nate Anderson at Ars Technica looks at the Internet Archive's potential liability. How does he calculate that liability? He takes the figures from the Electronic Frontier Foundation (PDF). According to them:

As of December 18, 2010, the Internet Archive had 600 preserved images of the website for the Recording Industry Association of America (RIAA). Were the RIAA to sue the Internet Archive for copyright infringement based on these preserved images and prevail, the Archive would face up to $89 million in statutory damages, even absent a finding of actual harm or any reprehensibility. And these 600 images of the RIAA website are but a small drop in the large lake of information that the Archive has collected, which includes over 150 billion web pages. Based on this figure, if all copyright owners of those webpages (or a certified class of them) were to sue and prevail, the Archive would face potential statutory damages of close to 2,000 times the United States’ national debt.

The point of the whole exercise is that rewards in copyright infringement cases should reflect actual damages. It makes perfect sense. Why should someone who holds a copyright or other Intellectual Property rights get huge sums of money if they haven't actually suffered any harm?

That's not to say that there aren't legitimate infringement cases. But even those should have realistic penalties. The EFF contends that copyright infringement penalties as they've been awarded in the past are unconstitutional and ignore due process. They further contend that the extremely punitive damages hurt the intent of copyright law.

Article I section 8 of the Constitution lists among the powers of Congress the right (among other things):

To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries

The idea is to temporarily give authors and inventors exclusive right to the fruits of their labors, their intellectual properties (IP), then open the IP up to the world at large. That serves the dual purposes of providing incentive for original creation and allowing disseminating information for derivative works. What copyright has become doesn't really qualify as temporary.

If the intent was to provide temporary compensation to IP holders, then allow others to use them - both for the purpose of promoting the "Progress of Science and useful Arts" then it is likely true that the extreme punitive damages have the opposite effect that was intended when that clause was put into the Constitution. I know they would discourage me.

Cellphones fair game for police in California

Jacqui Cheng of Ars Technica reports that in California police don't need a warrant to search your cell phone. In a decision (PDF) filed Monday the California Supreme Court ruled that text messages on a cell phone were not protected by the Fourth Amendment. They cited previous cases that denied protection to items that were on suspects persons or in their vehicles.

I can see the reasoning, but it ignores a basic reality of modern life. Your personal computer cannot be searched without a warrant. It is granted Fourth Amendment protection because contains information about your private life that police shouldn't be able to access without proving they have good reason, and you have a reasonable expectation that the information is private. Many people have most, if not all, of that same information on their cell phones or other portable computing devices, and they have that same expectation of privacy.

Hopefully this case or one like it will make it to the U.S. Supreme Court and the decision will be that warrants are required to search mobile devices like cellphones and tablet computers. By allowing warrantless searches of cellphones the California Supreme Court has almost wiped out Fourth Amendment protections in California. Do you check your bank account on your cell phone? Receive email from your lawyer, doctor, accountant? What about risque texts with your significant other? Whether or not you're doing anything illegal, it should not be possible for police to get all that information without proving they have good reason.

Technology changes the way we live our lives, often in unexpected ways. Laws and the courts often can't keep up with the changes. It is important that decisions like this be challenged or the Constitution will become a meaningless document, undermined by poorly formed decisions based on failure to understand the changes modern technology has made in the way people live their lives.

TSA protects itself, not us

According to an article by Laura Curting in the Washington Examiner the TSA has great concern over privacy. To that end it has successfully evaded Freedom of Information Act (FIA) requests for years. Despite abysmal grades in security evaluations (even when tipped off ahead of time) the TSA continues to act as if nothing is wrong.

In it's effort to avoid shining the light of day on it's failures, the TSA ignores FIA requests, retaliates against whistleblowers (which is illegal) and even claimed they couldn't verify the identity of an air marshall.

The TSA is a rogue agency that puts appearance above function and is endangering us by their (in)actions. No security is better than a false sense of security. At least with no security you aren't blindsided when the bomb goes off. Just surprised it's in your neighborhood.

Verizon iPhone pretty definite in 2011; another iPhone alarm fail

iPhone on Verizon soon

If reports on Pocketnow.com are drawing the correct conclusions Apple should be announcing a Verizon iPhone soon. Apparently there are accessories availble for Verizon iPhones, and Verizon is buying iPhone related domains like "iPhoneVerizon.com" among others. Apple exclusive contract with AT&T ended in 2010, so there's nothing to keep Apple from making deals with other carriers - and if they want tocontinue to grow and remain a power in the smartphone market, they need other carriers. So there will probably be an announcement in January with phones available March or April. Or they may make a low end iPhone available immediately with higher end phones later. They may make high and low end available immediately, it's just not the way Apple usually does these things.

Another iPhone Alarm fail

It's over now, but for the first two days of January 2011 if you set a one time alarm on your iPhone it wouldn't go off. No word on what caused the problem, only that it would fix itself January 3rd. So if you missed something important because the alarm you set in your iPhone didn't go off, it won't happen again. Really.

Securing DLink wireless routers

I like DLink routers. I like the configuration options, the user interface, and the detailed and well written manuals. If you want to log traffic you can choose to filter the information so you only see only what you want to. But there is one downside if you have legacy WEP devices. The new DLink router I checked doesn't support it. So if you have WEP only devices you can't use secured mode on DLink routers.

Open your browser and enter the IP address to the router. DLink routers use 192.168.0.1 as the default IP:

The default admin user is admin with no password:

The first thing to do is go to the Tools tab and add an admin password and add a user password for times you just want to check things, not change them:

After adding an admin password go to network settings and change the IP from the default 192.168.0.1 to one of the ranges below the graphic:

Use an address in one of the following ranges:

10.0.0.0 to 10.255.255.255

172.16.0.0 to 172.31.255.255

192.168.0.0 to 192.168.255.255

The last thing to do is turn on the wireless and setup the security. You can probably leave these at their default settings unless you have trouble picking up the signal. An exception is the SSID, which you should change. 'Enable Auto Channel Scan" lets the router find the channel with the least interference, so it should be checked if it isn't. 'Visibility Status' should be changed to 'invisible'.

That concludes the "Securing your router" series. I hope it was helpful.