Sponsored data and YOU!

This could be your lucky day, your cellular provider is going to start offering packages where certain content doesn’t cost you anything in your data cap. This is awesome. You can start streaming more and more video/music/whatever it is that you stream from your favorite services. However, not all of your favorite services will be free of data charge! So make sure that you tell your favorite service that YOU want THEM to sign up and make their content data cap free to you! All those service providers have to do is pay your cellular provider money to stop the data caps! No, seriously, AT&T wants to do this.

Is this a problem? I think it depends on who you are. For a consumer in some cases this is pretty awesome. Let’s say you love to watch video games being streamed on Twitch.tv by your buddies over at KBMOD and Twitch decides to pay money to prevent your data from being charged against your data cap. But you’re also a huge fan of MLG and MLG just decided to start their own Twitch competitor but they can’t afford to pay those same fees. Well, guess you’ll be only watching MLG from your PC or on Wi-Fi. Too bad your favorite shows are on while you’re not able to use Wi-Fi though! Oh well, Twitch is there for you though!

This is a niche market obviously. Not everyone cares about watching someone play streaming video games or even streaming video games to your phone so you can keep playing a game you were playing from home. A lot of people care about TV and movies though. We can look at this as something that’s really analogous to what Comcast was trying to do to Netflix close to two years ago. In April of 2012 Comcast announced that its Xfinity streaming service would not be charged against your Comcast data caps while Netflix streaming service would be. Netflix’s CEO argued that this violated Net Neutrality because it provided preferential treatment to one source of data over another.

What is Net Neutrality? Well, there are two different arguments, which I discuss in a blog here, where one is saying everything must be treated equally, while the other one argues that there are nuances and we can treat data differently because we need to “Groom” our networks. Internet and network purists believe that you shouldn’t even be able to determine what the data is or what the source of that data is if you’re a point along the network, just where it most recently was and where it needs to go next. The only application that can read the data in the package is the application that requested it.

AT&T’s plan, similar to Comcast’s, is in violation of Net Neutrality and the FCC will step in to regulate this type of “service” because it’s, in the end, bad for the consumer. Unfortunately, there are limitations to what the FCC can do and even potentially what AT&T can do.

There has been much more of a push for encryption and it’s likely that these pushes may actually enable more of a return to the true meaning of Net Neutrality. If all of our data is fully encrypted, deep packet inspection tools (which tell if the data you’re getting is video, music, or whatever) won’t work very well, as that information will be encrypted. Furthermore, if your application’s data is all encrypted and AT&T won’t be able to tell if your data is your data then there’s no value in paying for “privileged” data status from AT&T.

It’s one of the reasons why I’ll likely support companies like Wickr, an encrypted Snapchat competitor, which told the FBI to screw itself when they were asked to put a backdoor into their encryption. It’s important that we work to protect our data and support companies that do so in terms of Net Neutrality and encryption.

What companies do you support that encrypt and fight for net neutrality?

Goofy Stock photos might not be so silly any more

Silly Stock photo

@NFEN and @Cheddarchezz having a conversation about “hacking”

I just saw a few people that I follow tweeting about trying to take over Youtube. There’s a Meme on Youtube right now that’s been going on for a while as a form of protest over some of the recent changes to the comment policy, copyright policy, integration with Google+ and probably a litany of other issues. To the gaming community Youtube is a dying platform.

What struck me about the conversation wasn’t really what they were talking about, but the stupid stock photos that are supposed to represent “hackers” breaking into a network. For some absurd reason stock photography companies almost always put them in the same outfit they’d be wearing if they were breaking into a house, mugging someone, or doing some other nefarious activity. Clearly it’s just a ploy to help people understand that the person using the computer is up to no good, but it just looks ridiculous as almost no one wears any of those clothes while using the computer. So instead of making it look like a criminal it just makes it look like an idiot. However, I think that with some recent revelations about the FBI and the hacking process called “RAT” these images are looking less absurd. Not that I’ll go out and buy clothes like this to work at my computer in.

One of the more recent Edward Snowden revelations has to do with breaking into personal computers by the US government. This isn’t really shocking, nor is what they do when they are on the computer. The FBI has admitted that they have the capabilities to hack into your computer and activate your webcam without turning on the indicator light. These capabilities aren’t new. In fact Ars Technica did a report on this in the kiddie hacker community called RAT. I imagine that some of the tools that my friends used to use while we were in high school to remotely open a CD drive or type messages to each other operate in a similar fashion.

So, if you are hacking a computer does it make sense to take precautions against showing your face? It might, or as the Ars article suggests, just cover up the camera. The difference is that you don’t know if you’re under surveillance or not. It’s also not clear if the FBI only means laptop webcams or if they are able to do the same to a smart phone or tablet. As the ACLU mentions in one article “we’ve never had discussion” about law enforcement hacking into computers. This is part of the reason there was a petition for We the People to update our privacy laws. Regular mail and packages are protected by the Fourth Amendment while email is not. Using a web cam with or without a web cam constitutes a much larger breach of privacy than just taking pictures through the camera. It’s likely that with access to the webcam the entire computer is open to the FBI, which means that a warrant for a web cam is a warrant for everything you do. If you have services that you’re always logged into like Dropbox or Tresorit those are also accessible through the computer your cam is being used on.

We need to have a conversation about the limits of searching and privacy. I don’t want to sit around in a ski mask or cover up my webcam. Users likely need to install firewalls, more passwords, and disconnect from services they aren’t actively using.

The NSA, FBI, and Internet Security

Over the past few months we’ve learned a lot about how the US government looks at its own citizens. We’ve learned this through the actions of Edward Snowden. He’s done us a great service by forcing a conversation that the NSA and FBI didn’t want us to have. The NSA lied to the Senate recently by claiming that it never tracked US citizens through Cell Phones. We would never have known about these activities if it wasn’t for Snowden.

Snowden was using email to send information back and forth between himself and Glenn Greenwald. Since email is in one of those fuzzy gray areas of the law around data retention and government access to it, this has caused a bit of a problem. To make things more difficult, Snowden used an encrypted email service called Lavabit. Its encryption was at such a level that when the FBI requested data from it, they were confounded and essentially attempted to blackmail (legally of course) the owner into handing over the encryption key. This would have effectively rendered the service these people were paying for worthless. They were paying to have their email traffic be secured from both public and private entities.

As we hear more and more about how the US government has been behaving towards internet security, the more we’re learning that the NSA and other US agencies are doing their best to thwart it. They have worked with the NIST and weakened the encryption key they developed. The problem with these backdoors is that if it’s there for the “good guys” (whoever that might be) it’s also there for the “bad guys” (whoever that might be). This isn’t just general encryption keys, it’s things that we use every day without using it. Whenever we are using any website that includes “https” we are using a basic encryption protocol called SSL. Think about when you’re banking, you see the https. Google now allows you to use this when you send information to and from them. This encryption has also been broken by the NSA. This is our personal stuff and if it’s broken by the NSA it can be broken by other people. Now does this mean we’re likely to have a rash of new fraud cases or theft cases? No, as it’s been compromised for some time. However, people do know about it now and this of course is a greater cause for concern.

What can we do about this? Well, first, look into more secure encryption methods. I wouldn’t be surprised if Google and applications like HTTPS Everywhere will change their algorithm as a result. Second, contact your representative and your senator. I’m lucky my senator in Oregon (Ron Wyden) is very vocal; not everyone is, so please help inform your leaders. Third, buy from companies that you know haven’t given up data to the NSA, don’t use Facebook and the like and basically try to follow the great writing that Sean did several months ago over on KBMOD. He nailed it then and it’s even more pressing than before to keep up with security.

LulzSec, Anonymous, ICE, FBI and users Part IV

Get caught up on this series Part I, Part II and Part III.

Well, it goes to show how quickly the internet works. LulzSec calls it quits, see NY Times article. However, in my opinion this doesn’t change a whole lot about what I said in my previous posts. There will be another group that decides to do the same sort of thing. I’m sure the individual members of LulzSec will be active with groups like Anonymous and perhaps join up with some other hacking group out there.

At any rate, it’s important to discuss the overall structure of the internet. While many users believe the internet should be free and anonymous and all those things, it’s starting to become apparent that this is not going to be the case. With major US ISPs deciding to go after pirating directly, it seems that deep packet analysis is going to be the way of the future. Wait, what is deep packet analysis? Well, when you send information across the internet it’s broken up into smaller pieces and sent to the end point through many different routes. This ensures that the data all makes it to the other side in the fastest manner possible. Initially, it was difficult to determine what this information was. Now there are many different suppliers that allow ISPs to figure out what these packets of data are. This gets to the root of the Net Neutrality debate. I haven’t talked about that yet, which I’ll do later this week I believe.

Anyway, since the ISPs know what you’re sending, you’re already less anonymous there. They know where you live, who you are and how you are paying your bills. They know a lot of other information about you too. Next, the EFF has shown that, based on your browser and plugins, it is likely your browser configuration makes it unique like a fingerprint (article). On top of that you have a lot of “Cookies” based on the websites you’ve visited. These are useful to you and to commercial websites. They store personal information and allow you to get your recommended books list from Amazon. This means that over time, you’ve accumulated a great deal of identifying information on your computer that is accessible through your browser. Using your browser it is easy to identify you and your online habits. However, the EU just implemented a law about requiring consent for websites to use cookies (BBC article).

Sadly, these are not the only structures that we need to be aware of. Many companies like Google are required by the US government to have a backdoor for them to execute warrants and do general snooping of the email systems. I’m sure Facebook is also required to do this, but I haven’t directly heard this yet. This has caused at least one acknowledged case of hacking by a Chinese group on Google (article). With these backdoors there is only so much an individual user can do to protect themselves. In cases like this, the strongest password in the world wouldn’t have protected your emails.

Groups like Anonymous, LulzSec and Ninja Hackers are trying to increase the amount of freedom and anonymity users have on the internet. The Government and businesses are trying to decrease it. The US government does want to initiate a national level internet ID, which basically would tie all your information together. While easy for users, it could be very high risk for them as well. The difference in how these groups feel that the internet should be operating is the root cause of the “Softwar.” This will not stop, and we, the users, will be stuck between these two sides, unless we force our government to decide one way or the other.

Additional Reading:
Lawrence Lessig, Code 2.0. Many of the ideas I got for this post are discussed in this book, which I’m currently reading. You can download it for free legally here.

LulzSec, Anonymous, ICE, FBI and users Part III

Get caught up on this series Part I, and Part II.
So I’ve been talking about these four groups and how they have been interacting. However, these groups are not interacting in a vacuum. These groups are either hacking governmental organizations or they are hacking corporations. When Anonymous and LulzSec (or any other hacking group) go after a company, they are trying to get one of two things, sometimes both: either user data or some sort of dirt on the company itself.

User information can range from names, locations, email addresses to IP addresses and credit card information. Since these guys are going after big companies, like Sony, Blizzard, and other gaming companies, they are most likely going after as much information as they can get their hands on. When it comes to dirt on a company, they go after big companies and small alike. They went after Bank of America in an attempt to reveal improper behavior to punish someone for the financial mess we’re in. Small companies like HBGary were a bit of a grudge match. HBGary claimed that they were able to bring down all of Anonymous, which pissed the group off. HBGary was hacked and completely discredited, and the hack also showed a lot of nastiness going on in the security world in general.

In some ways it’s pretty obvious how stealing user information impacts the user. Recently, Sony’s PlayStation Network was down for a month, because of the security breach, which included some 1.3 million users’ information being stolen including credit card information. In another case a game called Brink was hacked and 200,000 users’ information was stolen.

So, obviously these guys are in the wrong, right? Well, yes and no. They think they are completely in the right here. They could have been doing all these things and not made it public. Just stolen the information, then sold it to someone and made a lot of money from it. Or perhaps used it themselves. In some cases they did that. Anonymous ordered about 100 pizzas to a Sony Executive’s house. In fact, Sony is currently being sued for the weakness of their network. We would not have known about it, without the hacker attack.

The US government is fighting back and taking down servers which have obvious impacts on users and hosting agents at the same time. However, both ICE and the FBI feel they are 100% in the right based on the law. ICE firmly believes that it has the required authority and rights to take down websites, and the FBI feels it can take whatever servers it needs to find these guys.

It’s the immovable object versus the unstoppable force, with the regular internet users in the middle. Most users won’t notice unless some website they are using goes down, or they find out their card has been hacked. Users that play games, watch movies, and create content have the most risk in this battle.

How can users mitigate their risk? Well, the best thing to do is to get a specific online credit card that has a low limit that will cover your gaming and general online purchases. If you’re only spending $10/month on games then get a card that will have a maximum of $100 or something like that. Minimize the number of credit cards you use online, and try to avoid using debit cards as much as possible. Additionally, try to create difficult passwords, something with multiple capital letters, numbers and special characters if the website allows it. Such as: Dr.Wh0d^nn!t. Something more random might be better, but it’s still a much more difficult password to deal with than drwhodunit. If you are unable to create passwords like this, then you should request it from the website you are using.
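Added example, not part of the original post: a sketch of how a site-side strength check could score the two passwords above, once by brute-force keyspace and once after undoing common character substitutions. The word list and the substitution table (including "^" for "u") are constructed for illustration.

```python
import math
import string

# Constructed mini word list standing in for a real dictionary (assumption).
WORDLIST = {"whodunit", "whodunnit", "drwhodunit", "drwhodunnit", "password"}

# Common look-alike substitutions; mapping "^" to "u" is an assumption taken
# from the way the post's example password is spelled.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "^": "u"})


def charset_size(password):
    """Size of the alphabet a blind brute-force search would have to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(password):
    """log2 of the brute-force keyspace: length * log2(alphabet size)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def normalize(password):
    """Undo substitutions, lowercase, and drop anything that is not a letter."""
    lowered = password.translate(LEET).lower()
    return "".join(c for c in lowered if c in string.ascii_lowercase)


def assess(password):
    """Return (brute-force bits, True if it reduces to a listed word)."""
    return round(brute_force_bits(password), 1), normalize(password) in WORDLIST


if __name__ == "__main__":
    # The last entry is a constructed random password of the same length.
    for pw in ("drwhodunit", "Dr.Wh0d^nn!t", "kT9#vQ2$xLm8"):
        bits, in_list = assess(pw)
        print(f"{pw:14} {bits:5.1f} bits  reduces to listed word: {in_list}")
```

The substituted password gains roughly 32 bits against blind brute force, yet it still reduces to a listed word once the substitutions are undone, while the random string of the same length does not.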

Finally, there’s only so much you can do as a user. Some of this has to deal with how the internet is structured. I’ll discuss this tomorrow. Protect yourself as much as you can.

The NY Times posted this article yesterday about LulzSec.