Friday, March 31, 2006

So what's this news about tax records? 

Near as I can tell, some of the commentary is alarmist. The IRS will keep your tax records as private as they ever have.

However, a private tax preparer can sell your return to someone who wants it for marketing information.

And if you file electronically you have to use a private preparer.

Options are to mail in your return yourself, or ask your tax preparer not to share your return with anyone else and trust them to do the right thing.

Reference here.


Thursday, March 30, 2006

Here's one trick to get you to a dangerous web site 

These particular crooks are posting real BBC News stories with a "Read More" link pointing to a web site designed to exploit a security bug in Internet Explorer.

Once on the poisoned web site, if you were still running IE (nobody who listens to my advice does) then you'd be hit by all sorts of nasty, hard-to-cure software.

My advice to avoid shady web sites is getting less useful all the time.


Mac OS X users, stay alert 

Mac users have had a better security experience than Windows users. People like to debate the reasons but no matter what, the Mac runs software, software has bugs, and some bugs allow bad guys to take over your computer.

Someone named Tom Ferris found a picture which exposes a bug in some of Apple's image handling code. View this image and Safari crashes. It can allegedly crash the Finder as well. Don't visit Ferris's blog, he's got a copy of the crash-triggering image on it.

What does this mean for real people? Not much yet. It's a storm cloud on the horizon. Before you get hurt several more things would have to go wrong. First, this would have to be the kind of crash that can be turned into a security hole. Second, someone would have to figure out how to turn it into a security hole. That's not exactly easy, but it only takes one person and there's a lot more than one person qualified to do it. Third, bad guys would have to decide to deploy an attack that wouldn't work against the vast majority of personal computers.

Meantime, keeping your system software up to date is the best single defense.


Wednesday, March 29, 2006

Is your vote secure? Salt Lake City this time 

Emery County Clerk Bruce Funk, state Elections Director Michael Cragun, and Diebold Election Systems are locked in conflict over Diebold voting machines. The gist is that Funk saw some irregularities in the machines when they were delivered and hired an independent investigation. Diebold demanded $40,000 (for two machines which are low-end PCs) to do a warranty inspection. Funk's superiors blamed him.

So what was the real story? We don't know yet. There is an incomplete and occasionally cryptic report on the Emery County machines at Black Box Voting. Sample quotes:
The remaining machines showed several defects -- crooked paper feeds that jam, memory card bay doors that wouldn't close, parts getting stuck, coming loose, falling off.
Funk's concerns escalated when he heard a particularly unusual statement by Diebold sales rep Dana LaTour.

"Some of you are going to hate my guts on Election Day," she said to the assembly of elections officials. Later, another Diebold representative named Drew was asked what LaTour meant when she said "Some of you are going to hate my guts..."

"We're going to have problems on Election Day, and we're just going to have to work through them," he said.


Monday, March 27, 2006

The Internet Explorer problem(s), heads up, getting worse 

Bad guys are taking advantage of the bug(s) now to plant nasty software on the computers of people who visit the wrong web site. Microsoft says there have been only "limited" attacks. The Washington Post's Brian Krebs says that as many as 200 previously safe and legitimate web sites have been taken over by bad guys who then use the web sites to attack the web sites' visitors.

My usual advice to avoid sleazy web sites therefore doesn't help much. Firewalls are irrelevant to this problem, and antivirus might help but doesn't seem to have caught up yet.

If you're stuck at a company standardized on Internet Explorer, I'd suggest only using it to visit company internal sites. You could try turning off "Active Scripting" and then using the security zones feature to re-enable it for sites that require it, but really it's not worth the effort. Switch to Firefox or Opera. The switch can even be fun and is certainly less painful than trying to fix a computer wrecked by a security problem.


Sunday, March 26, 2006

Politics keeps creeping in to security 

There's no way to avoid talking about politics when you talk about security because laws (sometimes) make a difference. Good laws, like the laws against drunk driving, can reduce a safety problem to a dull roar. Bad laws can make things worse.

One bad law, according to a lot of security and privacy experts, got passed a few years ago and required phone companies, at their own expense, to reprogram their equipment to enable mass eavesdropping. Privacy activists warned that this was a dangerous amount of power for the government to have available. Nobody listened because everyone thinks of privacy activists as nutcases who scream on street corners about conspiracy theories. Security experts warned that if the technical capability was there then bad guys could make criminal use of the facilities that were meant for law enforcement. Nobody listened because, well, nobody ever listens to security people.

The security experts were right. A recent spying scandal in Greece proved them right. Some unknown party ran a massive spying operation on the mobile phones of everyone from journalists to human rights activists to the Greek Prime Minister. The wiretappers used the mobile phone company's back door for police wiretaps. The phone company computers can't tell whether you're a police officer.

But what if it really is the government that's doing the wiretapping? That should be OK, right, because they're out to keep us safe and wouldn't abuse their spying powers? The US government actually admits that they would: they told Congress that they might eavesdrop on conversations with doctors and lawyers and they would feel free to use the information in court. The US government has also had trouble figuring out what an actual criminal is, going so far as to prosecute someone and threaten a six-month Federal sentence for carrying a "No War For Oil" sign.

Casting informed votes and writing to your elected representatives are security measures that need to be part of your security strategy.


He knows what you did last summer 

There's an eye-opening Forbes article about the kind of information someone can find about you on the web. There's more to it than just Googling you. Have you ever put your real name and address into a "survey" or "sweepstakes"? Have you ever used an "adult verification" service to get into adult-only material?

If so then all your information has been carefully compiled into lists and put onto a fast-moving market for personal information. A site like lets a marketer or a private detective look up the names of people in a particular zip code who are into alcohol, smoking, or "adult entertainment".

You could try clicking those tiny check boxes to opt out of marketing pitches, and hope that doing so deters web sites from selling your name. It's better to minimize how much personal information you ever release in the first place.


Saturday, March 25, 2006

Just say "no" to drugs from spammers 

"If it's spam, it's a scam" is an old 'net maxim. If you've ever been tempted to do business with a spammer, consider the guy who was filling your mailbox with prescription drug offers. That spammer has been charged with plotting to kill a witness against him.

The linked article goes on to say "Smith also is accused of charging customers' credit cards multiple times without delivering the drug and shipping a drug that was not the medicine purchased."


Friday, March 24, 2006

Caller ID spoofing: unsafe for the spoofer 

Whistleblowers, skip tracers, and private investigators have legitimate reasons to make the wrong caller ID information appear when they call someone. There are about five companies that offer a service to let them do that.

Funnily enough, not all the people who use a service that changes their caller ID information are honest. Some of them have been stealing from stupid companies that rely on caller ID to authenticate customers.

Which has led to government investigations. Some of these have been fishing expeditions, demanding detailed information about every user of the service, regardless of whether they were suspected of wrongdoing.

Caller ID spoofing firms have given government investigators complete customer lists and records. If you called the New York Times anonymously under fake caller ID to report that your company is paying kickbacks on a government contract, guess what? You're toast.


Thursday, March 23, 2006

Media files dangerous, Yet Again 

If you have RealPlayer or RealOne Player installed, then a bad guy taking advantage of a recently discovered bug can at least crash your computer by getting you to visit the wrong web page and/or play the wrong file, and maybe even take it over.

Real Networks has fixes and advice.


Risks of antivirus show up again (know anyone on AOL?) 

There's a good Computer Weekly article about the botched upgrade to Symantec's Norton Security Suite which cut off Internet access for AOL users. There's a fix with installation instructions from Symantec, but that's where the sick humor comes in -- AOL users can't download the fix because they're cut off from the Internet. If you know anybody on AOL whom you'd like to see back online, print out Symantec's bulletin and hand it to them.

This sort of thing is why, unlike some colleagues whom I respect, I recommend against antivirus software for Mac OS X and other operating systems that are currently at low risk for viruses. That recommendation may change as soon as next month if the risk increases.


Wednesday, March 22, 2006

Yet another critical Internet Explorer bug 

Via Watchguard, there's another critical security hole in Internet Explorer which could lead to your computer being taken over if you visit the wrong web page.

There's an example out in public showing how to take advantage of the flaw. Soon bad guys will adapt the example to do bad things.

Turn off JavaScript, which Microsoft calls Active Scripting, if you can live with having some web sites not work. Only visit web sites that you know are reputable and that don't have third-party ads on them. Or (again) use another browser. If you don't like Firefox, Opera is another good bet.

Oh, wait, two IE bugs. There's also one which "only" crashes the browser.

Be sure to run Windows Update on the second Tuesday of April, when Microsoft will release fixes.


The other danger is Flash animations 

Many of those irritating ads that flash and spin and make your eyes hurt are done with a technology called Flash. A web site sends your browser a file that describes the animation, and your web browser passes the file along to a program with a name like Shockwave Player or Flash Player. That's where the problem is.

If a bad guy puts a booby-trapped animation file onto a web page that you visit, he can take over your computer.

You can get details on the Flash problem and download a fixed player at Adobe's web site. That will protect you against this particular problem. If you run Firefox, you can protect yourself against whatever the next problem is with an extension called FlashBlock. FlashBlock stops the stupid ads but lets you turn Flash animations back on with a single click (if you find a site where they're worthwhile).


Critical Internet Explorer bug 

This is another of the problems where browsing to the wrong web page can cost you control over your computer.

Watchguard has details.

All the usual advice applies: use a safer browser, stay out of bad neighborhoods on the web, and if you're still using IE then install the fix as soon as it comes out (Microsoft is already testing their fix to make sure it doesn't break anything else).

No reports yet of bad guys actually using the newly discovered attack.


Tuesday, March 21, 2006

Here's another approach to securing your data 

via securitymonkey:

A program called Private Disk seems like a me-too product at first, except that it has one extra cool feature. You can set access to a virtual disk on a program-by-program basis. You can tell it, for example, that only Quicken can read the encrypted disk where your Quicken files are.

I haven't used Private Disk, so check reviews and commentary carefully before you try it, and for heaven's sake keep good backups. If crypto software goes bad (bugs, power cords knocked out at the wrong time, etc.) it's likely to make your data completely unrecoverable.


Should you install anti-phishing software? 

via Dancho Danchev's blog:

MIT researchers have done a study of how effective anti-phishing toolbars are in real life. Real life includes having them used by real people, and that's where the trouble started.

Their experimental subjects kept going to simulated phishing sites even after their protective software tried to warn them. Sometimes they decided the site looked right so the anti-phishing toolbar must have made a mistake. Sometimes they said they were in too much of a hurry to finish the simulated tasks in the experiment to get bogged down in warnings from security software. Sometimes they didn't even notice the warnings.

This newsletter is here to offer concrete advice. What can we learn from the MIT study?


Monday, March 20, 2006

Screen all your employees 

A GM security guard has been arrested for unauthorized access to a database.

Physical security matters

A press story said he "hacked" into a database. Actually he took advantage of being able to prowl around the office and find paperwork with employee Social Security Numbers on it. Then he used those to log into a database.

Don't keep databases you don't need

Maybe GM had a reason to keep track of the make, model, year and options package of the cars their employees were driving. But it's hard to see how they'd get a lot of use from it.

Try not to hire crazies, as well as not hiring crooks

What did the security guard do with his ill-gotten knowledge? He posed as a QA representative and sent people repetitive email asking how well they liked their cars. He didn't get money or revenge or any of the usual motivators for computer crooks. The closest thing to an explanation he ever gave was that he was bored.


Saturday, March 18, 2006

"Antispyware" scammer busted 

The government caught up with one of the vendors selling bogus anti-spyware software. Give the article a once-over -- it talks about how the package got advertised and what it did, which might help you spot similar scams in the future.

Here's the Federal Trade Commission's advice on keeping your computer secure. It's not bad.


Friday, March 17, 2006

More than one kind of security -- airports 

Most of us will put up with a lot of delay at the airport, invasion of privacy and even screeners acting like Communist bureaucrats. As long as we're reducing the chance of another terrorist horror, we know it's in a good cause.

So how much security are we getting, exactly?

The Transportation Security Administration says their top priority is to keep explosives off jetliners. The government very sensibly tested how effective they were by sending agents to board jetliners while carrying chemicals that should set off explosives detectors.

The screeners don't have to be perfect. Suppose they were only 50-50 on detecting explosives. That would be enough to deter a suicide bomber. Even if the detection rate were 25%, no terrorist group could count on pulling off a simultaneous multi-target attack.

At 21 airports, screeners found bomb making materials exactly zero times.


Thursday, March 16, 2006

Check your street smarts. Can you spot a spyware site? has an online quiz which shows you pictures of the front page of various sites and tests you on whether you can tell if they distribute spyware.

It's hard to do, which is exactly their point -- they want you to use their product, which sits in your browser and checks the reputation of a web site before you go there.

If you're concerned with privacy you might be interested in how SiteAdvisor's product works. There are two ways to program a product like SiteAdvisor. One is to download the list of good and bad websites to your computer. The other way is for the plugin to phone home to SiteAdvisor and say the electronic equivalent of "my user is about to visit '', is that all right?". Which means that SiteAdvisor is getting a continuous stream of what web sites people are visiting. Here's part of their privacy policy:
Our database of ratings is far too large and too frequently changing for us to send it to you in advance when you download our software.

We never store information about where specific users go online or about what they do online. We do keep master anonymous logs of which sites our users visit so we can prioritize those sites for retesting.

I know you're dying to ask how your friendly security consultant did on the quiz. I got 6 right out of 8, was unsure about one of my wrong answers, and was just plain dead flat wrong on the eighth. To do even that well I had to use a lot of what I know about the economics of web sites, the names of some of the crooks, and the "feel" of a page prepared by an honest software developer. I don't think anyone who's normal or who has a life could do better than chance.
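The two plugin designs described in this post, sketched as an added example (this is not SiteAdvisor's code). The ratings, host names, class names and the re-rating step are all constructed for illustration. It shows what the rating service learns under each design, and what a downloaded list misses when a site is re-rated after install.

```javascript
// Added illustration. Every name, rating and host below is constructed.

// The reputation service: holds the ratings and records what clients tell it.
class RatingServer {
  constructor(ratings) {
    this.ratings = new Map(Object.entries(ratings));
    this.seen = []; // everything the server learns from its users
  }
  // Design 1: hand the whole list to the plugin once, at install time.
  downloadList() {
    this.seen.push({ event: "list-download" });
    return new Map(this.ratings); // snapshot; later re-ratings are not in it
  }
  // Design 2: answer one question per page visit ("phone home").
  lookup(host) {
    this.seen.push({ event: "lookup", host });
    return this.ratings.get(host) || "unknown";
  }
  // The service retests a site and changes its rating.
  rerate(host, rating) {
    this.ratings.set(host, rating);
  }
}

// Reduce a URL to its host name, so paths and query strings stay in the browser.
function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// Design 1 plugin: checks a local copy, tells the server nothing per visit.
class LocalListPlugin {
  constructor(server) {
    this.list = server.downloadList();
  }
  check(url) {
    return this.list.get(hostOf(url)) || "unknown";
  }
}

// Design 2 plugin: asks the server before every visit.
class PhoneHomePlugin {
  constructor(server) {
    this.server = server;
  }
  check(url) {
    return this.server.lookup(hostOf(url));
  }
}

// Run the same constructed browsing session against one plugin design.
function runSession(makePlugin) {
  const server = new RatingServer({
    "news.example": "green",
    "clinic.example": "green",
    "freescreensavers.example": "red",
  });
  const plugin = makePlugin(server);
  // After the plugin is installed, a formerly clean site is re-rated as bad.
  server.rerate("news.example", "red");
  const visits = [
    "http://news.example/story?id=7",
    "http://clinic.example/appointments?patient=jdoe",
    "http://freescreensavers.example/download",
  ];
  const verdicts = visits.map((u) => plugin.check(u));
  const hostsLearned = server.seen
    .filter((e) => e.event === "lookup")
    .map((e) => e.host);
  return { verdicts, hostsLearned };
}

const local = runSession((s) => new LocalListPlugin(s));
const phoneHome = runSession((s) => new PhoneHomePlugin(s));

console.log("local list:", local);
console.log("phone home:", phoneHome);
```

The local list leaks nothing but still calls the re-rated site "green"; the phone-home plugin gets the fresh "red" verdict and hands the service the list of every host visited.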


Tuesday, March 14, 2006

Apple users, you need a security update today 

Apple's fixed a dangerous bug in the Safari web browser. Run Software Update.


More urgent than Microsoft's patches today 

Today's a relatively quiet Patch Tuesday from Microsoft, with the most dangerous problem being one that could let someone take over your computer by giving you a booby-trapped Excel spreadsheet.

But there's a really dangerous non-Microsoft problem you should fix ASAP.

You know those annoying spinning and flashing ads on some web pages? They're an abuse of a (potentially) useful and legitimate technology called Flash. There's a display program on your computer that starts an animation on your screen directed by a file on the website you're viewing.

Flash files are complicated and so is the display program. Sometimes there are security bugs. Sometimes these bugs are so severe they allow for taking over your computer. This is really bad because you're downloading Flash files all day long from strangers and even from (gasp) advertisers. Your chances of hitting a booby-trapped file from someone malicious are worryingly high.

This is dangerous no matter what web browser you use.

Fortunately the patch is already out. Secunia has the list of download locations for fixed Flash player programs.

All well and good but what about the next bug? This wasn't the first.

I personally use a Firefox extension called FlashBlock. It stops the animations from getting played and replaces them with a button you can click if you actually want to play one. Don't laugh, in the last several years I've seen two or three valuable and helpful applications of Flash technology. The other 99.99% of the time you're protected from toxic Flash files because they don't even get loaded.


Who writes viruses and how do antivirus companies get them? 

There are more good people than bad people, and there are more good people fascinated by writing self-reproducing computer programs than there are bad people. Security Focus just interviewed one of the good (I think) people, Kevin Finisterre, discoverer of the Mac OS X Bluetooth security vulnerabilities and author of "proof of concept" worms that illustrate the problem but are written so they can't spread. He sent copies to Apple and to antivirus companies. Read the interview to get an idea how his mind works, and to remind yourself that originally "hacker" meant "tinkerer".


Monday, March 13, 2006

Lessons from the McAfee disaster 

In case you've been living in a cave (and these days I don't blame you if you do), today's news is that an update to McAfee's antivirus product went berserk and misidentified many legitimate programs and components as viruses. Many companies were brought to a halt by the ensuing "friendly fire" incident.

Other antivirus companies have had incidents like this, but none so bad.

Set your antivirus to "quarantine" files it doesn't like, or if you're certain you know what you're doing set it to warn you about them. I've never set my antivirus software to delete files, and all the McAfee customers who did set it that way were very, very sorry today.

Have good backups no matter what.

Research your antivirus software. The "market leader" isn't necessarily the best. People who buy from "market leaders" bought cars from General Motors in the 70s and 80s. Some antivirus firms are coasting on reputation while rotting inwardly like GM did. An anonymous writer who claims to be a former McAfee employee says
I am forced to use McAfee where I work now, but it is coming off all of my home systems until I am convinced that they have cleaned up their QA practices and put product quality ahead of shipping "On Time".

There are some decent free antivirus programs but I don't know of any that allow you to use the free version in a business. Among commercial programs, Kaspersky has been well regarded but has had an embarrassing rash of security problems lately. I'm using NOD32, which has an annoyingly cryptic interface but a stellar rate of detecting new viruses, which runs efficiently even on an older laptop, and which most importantly doesn't ^*&*&$%@! get in my way


Sunday, March 12, 2006

Analogies are like goldfish 

Sometimes they don't contribute to the discussion.

I try to offer analogies that illustrate computer security concepts, but it's hard to get them right. Microsoft's chief security educator Michael Howard says most security analogies are misleading in an entertaining but insightful post.


How hard is privacy? The CIA can't manage it. 

"How do you establish a cover for them [CIA covert agents] in a day and age when you can Google a name . . . and find out all sorts of holes?" -- retired CIA analyst Melvin Goodman, quoted in the Chicago Tribune.

The Chicago Tribune, as part of their job, subscribes to all sorts of commercial databases with phone numbers, addresses and so on. Bill collectors use these databases to track people who've skipped out on debts. Newspapers use them for investigative reporting.

The Tribune's latest investigative report was about CIA facility and operative information showing up in commercial databases. They found so much sensitive information that they decided not to publish it or even publish their search techniques. But the vulnerability is still there: "I don't know whether Al Qaeda could do this, but the Chinese could", said an unnamed senior US official.

Hmm. Wonder if we'll see some real privacy legislation pass on national security grounds?


Saturday, March 11, 2006

How does a security consultant protect himself? 

Just say No

"Additional plugins are required to view this page. Download? (y/n)". We've all seen that one, along with things like "Would you like to enhance your browsing experience with the SleazyMarketingCo extension (y/n)?" and things that mean, though they don't come out and say it, "Would you like us to spam you? (y/n)".

Someone pointed out to me the other day that the lettering is worn off one, and only one, of the keys on my keyboard. It's the N key. I've used it that much.


Friday, March 10, 2006

Is your vote secure? Voting machine news roundup 

You'd expect that Diebold, a company with decades of experience making ATMs, should be able to put together an acceptable electronic voting machine.

The state of Maryland doesn't accept them. Their House of Delegates voted to ban Diebold machines from state elections, by a margin of 137 to 0. North Carolina passed an election integrity law which Diebold couldn't or wouldn't comply with, pulling out of bidding instead.

So what's the big deal? Is it just a few noisy cranks kicking up a fuss, or is it the growing pains of a new technology, or is there something going on that a normal citizen with a life outside of politics ought to care about?

Noisy cranks and corporate shills are going to hit the newspaper ahead of everyone else. But if you poke around the forums where everyday information technology people hang out, the more they know the more concerned they are. They object to the lack of crosschecks and to having no good way to do a recount. For example, one computer professional under the handle tkrotchko wrote in part
do computer stuff for a living and if analyst came forward with a business process to handle credit card authorizations that simply authorized it with no audit trail and no means to verify anything about that authorization, you'd reject the design out of hand. You wouldn't even need to see the program specs, or source code or anything to know it's a bad design. You don't even have to ask a lot of questions. It's just a bad design. ...and the more the programmer/analysts would defend it, the more it would make you suspicious about what they're trying to pull.

Normal citizens can use common sense and look at how well a voting machine company responds to problem reports. For example, if the company illegally installs uncertified machines and gets caught, do they make sure not to do it again, or do they prosecute the whistleblower? When an election official finds security problems that are independently confirmed, does the company thank him or retaliate? You don't need to be a computer expert to evaluate the answers to those questions.

Here are some questions you should demand that your elected officials answer:


Thursday, March 09, 2006

Security versus civil liberties? 

That's the wrong question, according to security guru Bruce Schneier. He takes a look at the numbers behind the government's Total Information Awareness program and discovers that it won't improve security.

The problem is that any realistic rate of false alarms will swamp the system and divert police to checking out dead ends. TIA will be like the mother of all car alarms.


Privacy: 17 million potentially embarrassing records leaked 

So you protect your credit card information. Are the organizations you give it to equally careful? How 'bout the organizations they pass it along to?

A company called iBill, in the business of taking credit card info from web sites and handling the Visa/Mastercard billing in exchange for a cut of the revenue, lost control of the names, addresses, phone numbers, and email addresses of seventeen million web site customers. In case you haven't heard of iBill, it turns out they specialized in handling billing for porn websites.

No credit card numbers lost, as far as anyone knows. Security people who've looked at the size and format of the stolen information say it looks like an inside job.

More details in the Wired article about the iBill privacy breach.

How to protect yourself? It's tempting to say "What do you expect? Lie down with dogs, get up with fleas". The "adult" website industry isn't the only place with crooks but seems to have more than its share. But that's not an answer, since this could have happened anywhere. We may need to resort to national privacy legislation to control problems like this one.

UPDATE 3/10/2006:

iBill says the leaked records didn't and couldn't have come from them.


Wednesday, March 08, 2006

Mac security contests, some perspective 

The story so far

One person set up a web site on a Mac and issued a challenge for people to vandalize it. The computer survived only half an hour. Someone else thought the conditions of the test were unrealistic and ran their own break-in challenge. Their Mac survived for the duration of the trial.

So, what does it all mean?

Not much.


Contests are a bad research tool and not much of a testing tool. A lot of good security people are completely unmotivated by the prospect of racing hundreds or thousands of others to a "prize" with no cash attached. So you don't benefit from their expertise, since they don't participate.

Bad people are even less motivated. If there's someone out there with a way of breaking into Macs that nobody else knows, that person can make hundreds of thousands installing spyware and stealing credit cards. That person is not going to blow his secret weapon on an unpaid contest.

The first contest suffered from testing something that isn't on most people's minds. The tester in the first contest allowed attackers to log on to the machine. It was a test of how well the Mac could protect one authorized user against another authorized user.

Isn't there any value?

We know from these tests that bad guys are aware of bugs that could let them take over your entire computer even if you don't put in your administrator password. If you were complacent and thought you could safely run strange software just because you have a Mac, well, stop thinking that.

We know that a Mac with all security patches installed can stand up to the steady acid rain of Internet attacks for almost two days if it has good passwords.

In other words, I'm still giving you the same advice as always: pick good passwords, install a firewall, keep your OS up to date, and don't feed your computer software you find in back alleys.


Computer security: everything's a computer now 

I've written about how you need to be careful when you sell, donate or throw away a used PC to make sure that sensitive information is really gone from the hard disk.

Your cellphone is a computer. It's probably powerful enough to fly the Space Shuttle, in fact. It stores information. There's your contact list, of course, and some kind of history of what numbers you've called. Then there's all the records the web browser keeps if you use the phone for web access.

Imagine that falling into the wrong hands if you ran a battered women's shelter. Or had a mistress. Or volunteered for the "wrong" political party in a bigoted area.

You can erase all that information but it's often not easy. There are lots of useful links in this David Pogue column about erasing/sanitizing a cellphone before disposing of it.


Monday, March 06, 2006

Citibank customer? About to go abroad? 

via Bruce Schneier's blog: possible major Citibank ATM compromise.

Details are hard to come by. Here's the closest thing to an official statement. What we know so far is that if you try to use your Citibank ATM card outside the US (specifically in Canada, the UK, and Russia) it may get frozen, and you'll be locked out of your account until you get a new card, which you can only do in the US.

UPDATE 3/8/06:

Anonymous "banking executives" say the problem was a leak of information from Office Max, which was storing PINs.

How do you protect yourself against things like that? For one thing, limit the damage by using a credit card rather than a debit card. Federal law protects you from liability from credit card fraud. Only the good nature of your bank protects you from getting stuck for debit card fraud.

Aside from that you're pretty much at the mercy of the merchants you do business with. Keep watch and consider supporting legislation, if any gets proposed, to require credit card processors to take minimal precautions.


Saturday, March 04, 2006

Many a true word is spoken in jest 

A security company says that about 5% of Web communication is with dangerous web sites, most often the kind that install spyware.

Someone on a geek forum responded to this news, in a post marked "Funny":

Five percent dangerous traffic.
by corngrower (738661) on Saturday March 04, @09:20PM (#14852500)

That's about the same percentage of dangerous traffic that's on the road on Friday and Saturday nights.

That isn't funny. That's about right. And it gives you a way to understand hazards from web browsing. Stay alert like you would if you were driving. Alert, not paranoid: most drivers are sober and most web sites are safe (for your computer anyway). If a driver is weaving or if a web site is pounding you with popups and blocking your Back button, either way you know it's time to be someplace else.

The security company is called SiteAdvisor. There's a SiteAdvisor plugin for Internet Explorer, and more to the point a plugin for Firefox. Their product is different from the antivirus and antispyware products you've already got. It puts up a stop/go/caution indicator for you to check before you go to a website, based on their continuing scans to see which sites are doing nasty things to the computers of their visitors.


Wednesday, March 01, 2006

Using your neighbor's wireless: right or wrong? 

Some debates simply go on forever. Catholicism or Protestantism? Hang toilet paper coming off the front of the roll or the back of the roll?

One of those debates is whether it's ethical to use the Internet through someone else's wireless connection. Recent entries in the debate include the New York Times approving of WiFi freeloading and networking publication Networking Pipeline calling it "bandwidth theft".

People usually try to argue this by analogy. That gets hilarious when people try to find analogies from the physical world that actually match the realities of how WiFi works. My favorite compared a wireless access point to a garden sprinkler! Then people get truly worked up over their positions while ignoring simple and common-sense solutions. At least the two articles linked above mention some of those common-sense solutions.

What would the Bedu do?

A well in a desert is something you want to protect. On the other hand, people need to travel sometimes, which means they need some way to drink while they're on the road. The Bedouin evolved a custom to meet the needs of travelers and of well owners. Travelers could stop at someone else's well and drink enough for the next stage of their journey. If you went beyond "reasonable" consumption, for example by trying to water your sheep at someone else's well, that would bring a violent response. The unwritten rule was to allow small and occasional use.

One theory of WiFi ethics is similar. Checking email is like filling your canteen; downloading TV episodes is like bringing your entire flock of sheep.

The stick in the doorway

I don't know whether this is true. I read it in a well-researched work of fiction.

Supposedly, some orderly Central American civilization did not have locks on their doors. If you wanted people to stay out you grabbed a stick and leaned it against the outside of the doorway. The stick didn't block the door. It was just a "keep out" sign. Everyone respected it.

On this theory, turning on the flimsy security features of a wireless access point is like putting the stick in your doorway. It doesn't prevent access and isn't meant to. It's simply a way of saying "I choose not to share this connection". No stick means "come on in".

The problem with both ideas about sharing

Two dangerous hidden assumptions lurk inside the pro-leeching arguments. One is that you have no impact on the connection's owner when you hop on. The other is that you can somehow discern the owner's intent from the settings on the access point.

Check your email, look at some headlines, and you won't use enough of your neighbor's bandwidth to matter. But you will be on your neighbor's home network. Your neighbor may be sharing directories with other machines on the same network, on the assumption that all of them belong to him. Now you've put yourself in the position of compromising your neighbor's privacy. Worse, if you've picked up a virus you could give it to your neighbor.

Privacy and security aren't the only problems. You're perfectly law-abiding, of course, but if someone else connects to your neighbor's access point and does something illegal with it, the trail leads to your neighbor. Your neighbor may not want that kind of exposure.

You can't tell what your neighbor wants at all, because in almost all cases the wireless network is set up just the way it came out of the box. The wireless network may be open, but that doesn't tell you that your neighbor meant for it to be open.

The low-tech solution

Knock on the door and ask, maybe?

MORE, 3/10/2006

Is it legal to use someone's Wi-Fi connection to browse the Web if they haven't put a password on it?
Nobody really knows. "It's a totally open question in the law," says Neal Katyal, a professor of criminal law at Georgetown University.
But if you raise enough suspicion, you can get arrested.

UPDATE 3/24:

In Illinois, you can be convicted for "unauthorized use" of a WiFi signal. The newspaper article about that case starts out with, you guessed it, a bad analogy.


Is the Internet as dangerous as the media say? 

BBC journalist/producer Adam Livingstone tackles just that question in a recent BBC article about BitTorrent, file sharing, encryption and law enforcement. I talked about "media frenzy" in my recent column about MySpace. Livingstone says that's exactly what is happening, although being British he writes much better than I do.

He makes a devastating observation about how mainstream media cover the Internet:
Why is it that every time the media starts to talk about the internet they feel compelled to bang on about paedophiles and terrorists and generally come over like a cross between Joe McCarthy and the Childcatcher from Chitty Chitty Bang Bang?

Well here's one answer - it sells copy. Another answer is that we're totally scared of new media, because new media is railways and we're canals, and you all just know how that's going to end.

So we seek to equate the internet with all bad things to scare you off it.

