Karl Bode’s Techdirt Profile


About Karl Bode

Karl Bode is a freelance writer living in New York who has been babbling, jabbering and prattling about technology, politics and culture professionally for more than fifteen years. Follow me on Twitter @KarlBode


Posted on Techdirt - 21 October 2016 @ 6:28am

FTC Warns AT&T Court Victory On Throttling Could Screw Consumers For Decades

from the not-so-free-markets dept

AT&T stopped selling unlimited wireless data plans back in 2011, and instead started pushing more expensive capped and metered plans. Existing unlimited users at the time were "grandfathered," but AT&T went out of its way to make life as unpleasant as possible for these users, ranging from blocking them from using Facetime unless they subscribed to metered plans, to throttling these "unlimited" users after only consuming a few gigabytes of data. Ultimately AT&T faced a $100 million fine by the FCC (currently being contested by AT&T), and a 2014 lawsuit by the FTC for misleading consumers and dramatically changing the terms of service while users were under contract.

But AT&T being AT&T, its lawyers got right to work contesting the FTC lawsuit, arguing that the very Title II common carrier FCC classification it had been fighting tooth and nail against exempted it from the FTC's jurisdiction. As it turned out, AT&T didn't need to engage in this Schrodinger-esque legal tap dance at all, with a court ruling back in August that the FTC never truly had authority over AT&T in the first place:

"The common carrier exemption in section 5 of the FTC Act carves out a group of entities based on their status as common carriers. Those entities are not covered by section 5 even as to non-common carrier activities. Because AT&T was a common carrier, it cannot be liable for the violations alleged by the FTC. The district court’s denial of AT&T’s motion to dismiss is reversed, and the case is remanded for entry of an order of dismissal."
The FTC isn't particularly pleased with this ruling, and this week it filed a petition for a rehearing in which it stated that the ruling could potentially let any company dodge FTC authority -- just as long as some component of its business has common carrier status. This could, the FTC warns, result in companies buying select companies they may not even want just to avoid regulatory scrutiny:
"The panel’s ruling creates an enforcement gap that would leave no federal agency able to protect millions of consumers across the country from unfair or deceptive practices or obtain redress on their behalf. Many companies provide both common-carrier and non-common-carrier services—not just telephone companies like AT&T, but also cable companies like Comcast, technology companies like Google, and energy companies like ExxonMobil (which operate common carrier oil pipelines). Companies that are not common carriers today may gain that status by offering new services or through corporate acquisitions. For example, AOL and Yahoo, which are not common carriers, are (or soon will be) owned by Verizon. The panel’s ruling calls into question the FTC’s ability to protect consumers from unlawful practices by such companies in any of their lines of business."
And again, while light touch regulation may work in healthy markets, that's simply not the case in telecom, where AT&T all but owns state legislatures and the lion's share of Congress, and the lack of last-mile competition leaves regulators as the last defense for frustrated consumers stuck in monopoly or duopoly markets. The FTC continues to warn that this new enforcement gap, if allowed to become precedent, could have a notable impact on user privacy:
"The FTC is the nation’s primary protector of consumer data privacy, but under the panel’s ruling it could be powerless against any company that provides a common-carrier service. Consumers would have no protection from breach or misuse of their personal information or practices like false advertising or improper billing."
And that's kind of a big deal for an industry in which misleading billing and sneaky fees are already a huge problem. And while the FCC is considering some basic new privacy rules for broadband subscribers, given the collective lobbying power of the telecom, advertising, and content industries (Google is also quietly opposing the FCC's new rules), there's not a great chance that they ever see the light of day while retaining any teeth. No regulatory oversight is a problem in a sector where ISPs are flirting with charging users more just to protect their own privacy.

The FTC argues that the appeals court panel ruling conflicts with prior decisions of the 9th Circuit and other appeal courts. But should these efforts fail, one of the least ethical companies in telecom in one of the least naturally competitive industries in America could suddenly face less regulatory oversight than ever before. And while those that falsely believe telecom is a free market and all regulation is inherently bad may applaud that outcome, the resulting regulatory capture AT&T would enjoy would be almost total, resulting in higher prices, worse service, and potentially more anti-consumer behavior than ever before.


Posted on Techdirt - 20 October 2016 @ 11:46am

FCC Fines T-Mobile For Abusing The Definition Of 'Unlimited' Data

from the abusing-the-dictionary dept

For the better part of the last decade, wireless carriers have had an often vicious, adversarial relationship with the dictionary. More specifically, they've struggled repeatedly with the definition of the word "unlimited," often pitching data services that proclaim to be unlimited, only to saddle users with onerous, often confusing restrictions. For the last decade, regulators have tried to cure them of this behavior, from Verizon paying $1 million to New York's Attorney General in 2007, to the FCC fining AT&T $100 million last year.

Yet despite repeated warnings, the problem persists. Case in point: this week the FCC announced it had struck a $48 million settlement with T-Mobile (pdf) for advertising unlimited data plans without making the limitations of these connections clear. More specifically, the FCC says T-Mobile didn't clearly inform consumers that these "unlimited" lines would be throttled during periods of network congestion, or after users consumed 17 GB of data in any given month:

"The FCC’s investigation found that company policy allows it to slow down data speeds when T-Mobile or MetroPCS customers on so-called “unlimited” plans exceed a monthly data threshold. Company advertisements and other disclosures may have led unlimited data plan customers to expect that they were buying better and faster service than what they received. The Commission’s 2010 Open Internet transparency rules require broadband Internet providers to give accurate and sufficient information to consumers about their Internet services so consumers can make informed choices."
All told, T-Mobile will pay a $7.5 million fine and dole out $35.5 million in "consumer benefits" (mostly just minor discounts on select hardware and plans) from T-Mobile and its prepaid subsidiary MetroPCS. This will, the FCC insists, surely teach T-Mobile a lesson about marketing unlimited data tiers that aren't:
"Consumers should not have to guess whether so-called ‘unlimited’ data plans contain key restrictions, like speed constraints, data caps, and other material limitations,” said FCC Enforcement Bureau Chief Travis LeBlanc. “When broadband providers are accurate, honest and upfront in their ads and disclosures, consumers aren’t surprised and they get what they’ve paid for. With today’s settlement, T-Mobile has stepped up to the plate to ensure that its customers have the full information they need to decide whether ‘unlimited’ data plans are right for them."
While this sounds superficially nice, there are a few problems with the FCC's move here. For one thing, the FCC has been making it abundantly clear that it's ok to sell "unlimited" plans with all manner of misleading limits -- you just have to make sure your marketing fine print makes those limitations clear. And while that's good, these kinds of wrist slaps clearly aren't working. And just ensuring transparency is not the end of this particular conversation.

For example, T-Mobile's and Sprint's newest plans, which the FCC hasn't raised a peep about, offer users "unlimited" connections, but throttle all games, video and music unless users shell out a monthly premium if they actually want these services to work as intended. That's a fairly obvious violation of net neutrality principles and an abuse of the word "unlimited," yet the FCC has made it abundantly clear it thinks this sort of behavior is perfectly ok. In other words, you can be a misleading cheat. You just have to make it clear you're a misleading cheat via fine print in your three-hundred page terms of service.

We've noted repeatedly how the FCC simply refuses to acknowledge how usage caps and zero rating are causing significant problems, and it doesn't look like it's an issue that's going to get fixed anytime soon. While current FCC boss Tom Wheeler's pro-consumer bent was a surprise to many (especially given his cable and wireless lobbying past), there are growing signs that his tenure will be up at the end of the year. And given the particular leanings of both Trump and Clinton, there's certainly no guarantee his replacement will have the political courage to stand up for consumers and finish what Wheeler started.


Posted on Techdirt - 20 October 2016 @ 8:23am

Vox Seems Kind Of Upset That We're Building Gigabit Networks With Bandwidth To Spare

from the you're-not-helping dept

If you want to see why broadband in the United States still stinks, your first stop should be to examine the state level protectionist laws used to stifle competition across countless markets. But despite the lobbyist stranglehold over state legislatures, we're still seeing some impressive progress when it comes to the deployment of gigabit fiber networks. Google Fiber continues to slowly but surely expand its footprint, and we're seeing the rise of numerous other piecemeal gigabit solutions, whether coming from the likes of Tucows or municipal broadband deployments in cities like Chattanooga, Tennessee.

To be clear, the "gigabit revolution" is certainly a bit overhyped. The vast majority still can't get this caliber of service, and the obsession with the mighty gigabit does tend to obscure a potentially more important conversation about broadband prices and the often glaring lack of real competitive options. But by and large most people can agree that gigabit fiber builds are a good thing in an era when most users can still only obtain DSL at circa 2002 speeds and prices, and two-thirds of homes lack access to speeds greater than 25 Mbps from more than one provider (aka a broken monopoly).

Well, unless you're Vox, which published a kind of strange article this week lamenting how "cities spent millions on fast gigabit networks" and "nobody is sure what they're good for." The central narrative of the article is apparently that gigabit fiber networks aren't any good because nobody has developed the "killer app" that can effectively use all that bandwidth at once:

But six years after the first super-fast connections went live, even proponents concede no “killer” gigabit application has emerged. Most of their potential, critics say, is simply ignored by users. And building gigabit networks nationwide would be a colossally expensive undertaking.
Vox appears to have missed the fact that gigabit broadband competition itself is the killer app. Google Fiber may only have a small footprint, but in markets where it's deployed, incumbent ISPs have been forced not only to dramatically improve their own networks, but also to offer these services at a significantly lower price point (usually around $70) without the usage caps that have been popping up in less competitive markets. Gigabit municipal broadband deployments often have the same impact, as we've seen in locations like Wilson, North Carolina, and Chattanooga, Tennessee.

It's true that most consumers don't take gigabit speeds when offered; usually because 25 to 50 Mbps remains the sweet spot and can often be had for significantly less. But ISPs consistently note that even advertising gigabit speeds causes consumers -- most of whom actually have no damn idea what speed they subscribe to -- to call in and see if it's time for an upgrade, driving overall adoption. Another study has found that prices of all service tiers tend to drop when gigabit connectivity is introduced into a market.

Yes, gigabit speeds aren't really necessary for most people, but that's missing the point. Especially when you're trying to build the networks and competitive landscape of tomorrow.

As such, Vox's claim that "nobody is sure" what gigabit networks are actually good for seems a bit short-sighted. Worse, perhaps, the article's core narrative is fueled largely by a single analyst at the Information Technology & Innovation Foundation -- the same think tank that first proposed SOPA. Said think tanker manages to contradict himself in pretty short order, lamenting the lack of the "killer app," then immediately admitting gigabit network deployment could help the development of said apps in the future:
Of course, there’s another possibility: Maybe people just don’t have any use for so much bandwidth. That’s the view of Doug Brake, of Information Technology & Innovation Foundation, a think tank funded by foundation and government grants as well as donations from firms such as Google and IBM. "There are no apps today and no apps on the horizon,” he said, though he acknowledged that development of new applications would probably proceed more quickly with far broader gigabit coverage.
Vox notes that the ITIF takes money from "Google and IBM," but forgets to inform the reader they also take money from the same incumbent broadband ISPs threatened by the rise in gigabit competition. The ITIF is the same organization that recently tried to argue that Comcast's plan to charge users more money to protect their own privacy was "pro consumer," and that the failed Comcast merger would have been fantastic for consumers. As such, perhaps the ITIF is not the best cornerstone for your argument that gigabit networks are useless.

Meanwhile, this narrative that gigabit networks aren't important because we're not yet using their full potential runs deeply through the entire piece, the author trying to use Netflix as an example of why, apparently, we shouldn't aim high when building new broadband infrastructure:
Right now, one of the most bandwidth-hungry applications out there is Netflix. Netflix recommends users have at least 3 Mbps of bandwidth for standard-definition video — meaning that you could stream about 300 Netflix videos simultaneously on a 1 gigabit connection. If you want Netflix’s highest-quality streaming, called Ultra HD, that requires 25 Mbps. So a gigabit connection would allow you to stream 40 Ultra HD videos at a time.
But again, who builds technology for the future constrained solely by the needs of today? Are gigabit networks over-hyped? Yes. The fascination with extreme speeds tends to help some ISPs obfuscate the reality that the lion's share of their tiers are expensive (or capped). But Vox seems to have been sold on the idea that we don't really need these additional gigabit networks because the incremental improvements being deployed by cable and phone companies are "good enough."

But most of us realize that's not true: while cable companies are busy using relatively inexpensive DOCSIS 3.1 cable upgrades to deliver gigabit speeds Vox implies nobody wants, most phone companies are hanging up on unwanted DSL customers to focus on capped and metered wireless broadband that isn't truly a replacement for fixed-line service. The end result is going to be a stronger cable monopoly (and in many areas less competition) than ever before, and a market that might offer gigabit speeds eventually, but at exorbitant prices and with utterly unnecessary usage caps.

No, you don't need gigabit speeds today. But gigabit networks from the likes of Google Fiber and municipal broadband providers are delivering the kind of competition folks at incumbent ISPs (and by loyal proxy think tanks like the ITIF) are pretty clearly terrified of. And by helping them keep the bar set at ankle height, Vox is only perpetuating the kind of thinking that saddled us with the current broadband duopoly that so many of us "enjoy" in the first place.


Posted on Techdirt - 19 October 2016 @ 11:49am

CNN Tells Viewers It's Illegal For Them To Read Wikileaks Document Dumps. CNN Is Wrong

from the you're-not-helping dept

I cut the cord years ago, so the only time I stumble into cable "news" coverage is usually at the gym or airport. And time and time again I'm struck by how the empty prattle is more in line with dystopian satire than anything resembling actual news reporting or intellectual analysis. Even when these channels feature live breaking news stories, you'd be hard pressed to find a reporter willing to call up a source and confirm details of what's happening, resulting in something that's more akin to industrialized speculation than the polished news product of multi-billion-dollar media empires.

The latest case in point: CNN's Chris Cuomo was dissecting the latest Wikileaks document dump when he decided to "inform" viewers that it's illegal for anybody but a member of the media to download and view the contents of the Podesta leaks:

"...Remember, it’s illegal to possess these stolen documents. It’s different for the media. So everything you learn about this, you’re learning from us."
Yeah, that's not how the First Amendment works. Legal precedent has repeatedly made it clear that the First Amendment offers the same protection to the press as to the public, even when it comes to possessing or distributing illegally obtained material (just as long as you weren't directly involved in the theft of the material in question). In its 2001 Bartnicki v. Vopper decision, the Supreme Court rejected even civil liability for distributing illegally obtained cellphone recordings, and refused to differentiate the public from the media in its ruling:
"The . . . question is whether the application of these statutes [that purport to ban distributing illegally obtained material, even when one wasn’t involved in the distribution,] in such circumstances violates the First Amendment. [Footnote: In answering this question, we draw no distinction between the media respondents and Yocum.]"
As the Washington Post and the Wall Street Journal's law blog were quick to highlight, that case cited New York Times Co. v. Sullivan, which also treated press outlets and the public equally in the eyes of the law in such situations. The Supreme Court's Pearson v. Dodd ruling also makes clear that the possession of illegally leaked materials is simply not treated the same way as knowingly possessing physical, stolen property.

This isn't Cuomo's first run-in with being violently wrong on legal fundamentals despite having graduated from Fordham with a law degree. He also took a bit of a beating last year when he apparently hallucinated a "hate speech" exception buried in the First Amendment. At some point you have to wonder if CNN is actively trying to be this bad at what it does, or if CNN boss Jeff Zucker is a subversive artist of the highest order, working tirelessly to craft a crushing, satirical look at modern American intellectual dysfunction.


Posted on Techdirt - 19 October 2016 @ 10:47am

Vox Joins Growing Chorus Of Outlets Weirdly Crapping On Cord Cutting

from the cheaper,-more-varied-options-really-suck dept

For a few years now there's been a lazy trend among reporters analyzing "cord cutting," or the practice of leaving legacy cable TV for streaming alternatives. Usually the narrative goes something like this: "cord cutting is (stupid/failing/irrelevant/on the ropes) because users need to subscribe to multiple streaming video services to get the same amount of content they used to get with cable." Despite these stories popping up pretty much constantly, these reports miss a few key points, the biggest being that nobody wants to duplicate the 300 channels of bullshit that comprise the traditional cable bundle.

Gizmodo recently ran one such article where the author was shocked and outraged after he discovered that subscribing to four different streaming services cost him a measly forty-seven bucks, proof positive in the author's estimation that cord cutting "isn't a bargain any more." And while Reddit users were quick to point out how cord cutting saves them significant cash every month, this narrative never seems to die. Case in point is Vox, which appears to have piggybacked on the Gizmodo report with a similar story proclaiming that "cord cutting is bound to fail":

"Recently, Gizmodo ran the numbers and concluded that if you subscribed to every streaming service collecting most of the TV shows and movies you’d likely want to see (and thus excluding niche services like horror-centric Shudder or anime-centric Crunchyroll or etc., etc., etc.), your monthly bill would be more expensive than an average cable bill on its cheapest tier."
Again though, Gizmodo didn't "run any numbers." The author just subscribed to HBO Now, CBS All Access, Netflix and Hulu and thought (incorrectly, if you ask actual cord cutters) that the $47 total was incredibly expensive. Analysts oddly forget that the same companies setting licensing rates for traditional cable also set the licensing rates for streaming alternatives. As such, pricing for both is probably going to be higher than anybody would like, and that's why Hulu, Amazon and Netflix are feverishly developing original content.

But the fact remains that streaming alternatives offer something cable refuses to: more flexibility at a lower price point. Vox's central thesis is that because cable providers have all the leverage in negotiations with broadcasters, they can strike much better deals than streaming video providers, offering their own dirt-cheap bundles of streaming packages:
"So there’s going to be a lot of demand for some form of bundling — of an option to subscribe to a bunch of streaming services, both mainstream and niche together — in packages that will be slightly more affordable than ordering each service a la carte. And when it comes to bundling, the cable companies know it better than anybody else."
But just because the cable industry can do this doesn't mean it will do this. Yes, your cable provider could offer cheap bundles of streaming services. But this would cannibalize its existing legacy TV cash cow subscriber base, and the sector has made it abundantly clear it simply refuses to seriously compete on price. Instead, industry executives would rather pretend that cord cutting isn't a real problem, and that defections will cease once Millennials have more babies. As a result, the closest we've seen to price competition are skinny bundles that give the illusion of value, but saddle users with hidden fees.

If there's one thing the Vox report gets right, it's that consumers are growing increasingly frustrated with and confused by exclusive, temporary licensing and vanishing streaming catalogs. But that brings us to something all of these analysts and reports willfully, hysterically ignore: piracy. You'll note that none of the "cord cutting is dying" articles ever acknowledge that piracy exists as an option for the consumer frustrated by high prices, poor service or confusing exclusivity arrangements. It's as if these authors are not formally allowed to acknowledge piracy's existence by their editors because it's naughty.

But as this website has noted repeatedly, piracy is a competitor. Because you don't like that fact doesn't make it less true. The reality is that if streaming begins to fail the consumer as a cheaper, more flexible alternative to cable, the last place many of these customers will be headed is back to cable. Instead, countless millions will simply hide behind a VPN and head back to piracy, a shame given the progress we've collectively made in dragging many of these broadcasters, kicking and screaming, into the modern age.


Posted on Techdirt - 19 October 2016 @ 6:22am

Comcast Sued For Misleading Fees It Claims Are Just Its Way Of Being 'Transparent'

from the transparently-obnoxious dept

In addition to vanilla price hikes and usage caps and overage penalties, ISPs have spent the last few years borrowing a tactic from the banking industry to covertly jack up the advertised price of broadband service: the completely nonsensical hidden fee. From CenturyLink's $2 per month "Internet Cost Recovery Fee" to Fairpoint's $3 per month "Broadband Cost Recovery Fee," such fees usually just hide some of the cost of doing business below the line, letting an ISP advertise one price, then charge something quite different at the end of the month.

Encouraged by the fact that the FCC can't be bothered to police this behavior, a few years ago Comcast began charging its cable customers a "Broadcast TV fee." At the time, Comcast proudly proclaimed it was just being "transparent" by taking a portion of the retransmission fees paid to broadcasters and putting it below the line:

"Beginning in 2014, we will itemize a portion of broadcast retransmission costs as a separate line item to be more transparent with our customers about the factors that drive price changes," he said. “In 2014, we will not increase the price of Limited Basic or Digital Preferred video service, and adjustments to other video service prices will be lower than they would have been without the Broadcast TV Fee."
The problem with this logic is twofold. One, the money Comcast pays to broadcasters for programming is the cost of doing business as a cable company and should be included in the overall bill. Two, this is effectively little more than Comcast advertising a lower rate, only to shock users with a higher bill. It's false advertising, which is about as far from being "transparent" with consumers as you can get. Yet again, you'd be hard pressed to see the FCC so much as mention this sort of behavior, despite occasional, breathless announcements that the regulator is very concerned about transparency in the cable and broadband sector.

Fast forward to this week, when eight plaintiffs filed a class action lawsuit against the cable giant alleging consumer fraud, unfair competition, unjust enrichment and breach of contract for trying to covertly raise rates while the users were supposed to be under a locked-in rate:
"Lead plaintiff Dan Adkins, of California, says Comcast started using "a shady backdoor way to increase prices" in January 2014. He says the company added a "newly invented" Broadcast TV fee to cable bills without clearly disclosing the price hike to customers or updating its advertisements to reflect the new prices. "Comcast not only charged the fee to new customers, but also added the charge to the bills of existing customers in violation of their contracts which had promised a flat monthly rate for the term of the contract," Adkins says in the 79-page complaint."
Like all Comcast pricing, the fee has only gone up: the lawsuit points out that Comcast has relentlessly raised it from $1.50 when introduced, to $6.50 per month this year, a 333% increase in just three years. And while FCC data makes it clear that programming retransmission fees are skyrocketing, again -- that's the cost of doing business as a cable company (also remember that Comcast NBC Universal is also a broadcaster). The lawsuit is also quick to point out that Comcast is among several cable companies that began charging regional sports fees last year. In Comcast's case (as the owner of Comcast Sportsnet), the lawsuit notes how that fee was also bumped by 350% in just a few years, from $1.00 to $4.50 per month.

Trying to mislead customers by advertising one rate -- then socking them with a notably higher bill -- doesn't seem like the actions of a company that repeatedly insists it's dedicated to fixing some of the worst customer satisfaction ratings of any company, in any industry in America.


Posted on Techdirt - 18 October 2016 @ 4:43pm

Akamai: 12-Year-Old SSH Vulnerability Fueling Internet-Of-Broken-Things DDoS Attacks, And Worse

from the security-as-a-distant-afterthought dept

We've increasingly covered how the "internet of poorly secured things" has contributed to a rise in larger DDoS attacks than ever before. The barely-there security standards implemented by companies more interested in hype than quality meant it didn't take long before hackers were able to incorporate "smart" refrigerators, power outlets, TVs and other IoT devices in the kind of DDoS attacks that recently took down the website of security researcher Brian Krebs. The end result is DDoS attacks that continue to break records, first 620Gbps in the Krebs attack, then more recently a 1.1 terabits per second attack on a French web host.

But just how bad have things become? A new report by Akamai warns that hackers are using a 12-year-old vulnerability in OpenSSH to funnel malicious network traffic through IoT devices. SSH certainly can be implemented securely, but as with every other security aspect of the IoT, many hardware vendors aren't bothering to do so. Akamai's data indicates roughly 2 million devices have been compromised by this type of hack, which the firm dubs SSHowDowN.

CVE-2004-1653 is a default configuration in old versions of OpenSSH that can be exploited by an attacker to forward ports, letting a hacker route malicious traffic through the device as part of the overall DDoS command and control infrastructure. To pull this off you need the device's admin username and password; certainly not a problem in the IoT space where default logins are often the norm. Akamai notes that many IoT devices not only ship with this vulnerability intact, but with no ability to fix it:

"We’re entering a very interesting time when it comes to DDoS and other web attacks; ‘The Internet of Unpatchable Things’ so to speak,” explained Ory Segal, senior director, Threat Research, Akamai. “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality."
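The defender's side of this is worth seeing concretely. The default the article refers to is OpenSSH's AllowTcpForwarding directive, which is "yes" unless a vendor turns it off, so an appliance with a known admin password and an untouched sshd_config is a ready-made TCP proxy. The audit below is an added example written for this post, not Akamai's tooling or any vendor's code; it assumes standard sshd_config syntax (one keyword per line, keywords case-insensitive, first value wins, Match blocks conditional) and uses a constructed sample configuration. It reports each forwarding-related directive that is not at its hardened value, says whether the weak value came from the file or from the OpenSSH default (the "unpatchable" case above), and emits a corrected configuration that survives sshd's first-value-wins rule.

```python
"""Audit an sshd_config for the port-forwarding defaults SSHowDowN-style abuse relies on.

Hypothetical defender-side check (added example, not Akamai's code). Assumes
OpenSSH sshd_config syntax: one "Keyword value" (or "Keyword=value") per line,
keywords case-insensitive, lines whose first non-blank character is '#' are
comments, and for a keyword given more than once sshd keeps the FIRST value.
Directives after a "Match" line are conditional and are reported separately,
never as the global value.
"""
import re

# (directive, OpenSSH global default, hardened value, why a forwarding-free
#  appliance wants it). AllowTcpForwarding defaulting to "yes" is the
#  behaviour CVE-2004-1653 describes: any authenticated user may relay TCP.
CHECKS = [
    ("AllowTcpForwarding", "yes", "no", "device can be used as a TCP port-bounce proxy"),
    ("GatewayPorts", "no", "no", "remote-forwarded ports would listen for other hosts"),
    ("PermitTunnel", "no", "no", "tun forwarding turns the device into a layer-3 relay"),
    ("PasswordAuthentication", "yes", "no", "default or weak passwords are the usual way in"),
]

_DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*(?:=\s*)?(.*)$")


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings: lowercase keyword -> first value seen before any Match.
    match_blocks: list of (criteria, {keyword: value}) in file order.
    """
    global_settings, match_blocks = {}, []
    current = None                      # dict of the open Match block, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        target = global_settings if current is None else current
        target.setdefault(key, value)   # first occurrence wins, as in sshd
    return global_settings, match_blocks


def effective(text):
    """Global effective value of each audited directive, defaults applied."""
    global_settings, _ = parse_sshd_config(text)
    return {name: global_settings.get(name.lower(), default).lower()
            for name, default, _, _ in CHECKS}


def audit(text):
    """Findings as (directive, effective value, set_explicitly, reason).

    set_explicitly=False means the weak value comes from the OpenSSH default,
    not from a line in the file: the shipped-from-the-factory case above.
    """
    global_settings, _ = parse_sshd_config(text)
    values = effective(text)
    return [(name, values[name], name.lower() in global_settings, reason)
            for name, _, want, reason in CHECKS if values[name] != want]


def harden(text):
    """Return the config with every audited directive pinned to its hardened value.

    Global lines for those directives are dropped and the hardened values are
    written first, so first-value-wins semantics keep them. Match blocks are
    left untouched because overrides there are usually deliberate.
    """
    header = [f"{name} {want}" for name, _, want, _ in CHECKS]
    pinned = {name.lower() for name, *_ in CHECKS}
    kept, in_match = [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = _DIRECTIVE.match(line) if line and not line.startswith("#") else None
        key = m.group(1).lower() if m else None
        if key == "match":
            in_match = True
        if key in pinned and not in_match:
            continue
        kept.append(raw)
    return "\n".join(header + kept) + "\n"


# Constructed sample of a typical appliance configuration (not any real device's file).
WEAK_CONFIG = """\
# constructed sample: appliance ships with password logins and forwarding open
Port 22
PasswordAuthentication yes
GatewayPorts yes
# AllowTcpForwarding is not set, so the OpenSSH default of "yes" applies
"""

if __name__ == "__main__":
    for name, value, explicit, reason in audit(WEAK_CONFIG):
        origin = "set in file" if explicit else "OpenSSH default"
        print(f"{name} = {value} ({origin}): {reason}")
    print("--- hardened ---")
    print(harden(WEAK_CONFIG))
```

Run against the constructed sample, the audit flags AllowTcpForwarding as weak by default (no line in the file sets it), GatewayPorts and PasswordAuthentication as weak explicitly, and the hardened output passes a second audit cleanly. The reason the hardened directives are written at the top rather than appended is sshd's first-value-wins rule: a "fix" appended below a vendor's existing "AllowTcpForwarding yes" line would be silently ignored.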
Of course the internet-of-poorly-secured things isn't just useful for DDoS attacks. Brian Krebs has penned a new blog post noting how criminals are often using hacked IoT hardware as proxies to obscure their real location as they engage in tax return fraud and other criminal activity, courtesy of your not-so-smart WiFi-enabled tea kettle or home-automation system. An anonymous researcher tells Krebs he was able to track the various "honeypot" systems he configured as they were traded and sold as malware-infested proxies in exchange for bitcoin.

In short, flimsy Internet of Things security, combined with already often-dubious embedded security in routers, is kind of a throwback to the wild west of the 1990s when the idea of your mom's PC as a botnet participant was kind of novel. Krebs' source puts it this way:
"In a way, this feels like 1995-2000 with computers," my source told me. "Devices were getting online, antivirus wasn’t as prevalent, and people didn’t know an average person’s computer could be enslaved to do something else. The difference now is, the number of vendors and devices has proliferated, and there is an underground ecosystem with the expertise to fuzz, exploit, write the custom software. Plus, what one person does can be easily shared to a small group or to the whole world."
And again, while the abysmal state of IoT security can often be funny, firms like Gartner predict that the population of Internet of Things devices will top 20.8 billion by 2020, up from 6.4 billion or so today. Researchers like Bruce Schneier have been warning for some time that the check is about to come due in the form of attacks that may put human lives at risk at an unprecedented scale, lighting a fire under researchers who believe that automated cyberdefense and self-healing network technologies we haven't invented yet are what stand between us and the not-so-smart device cyber apocalypse.


Posted on Techdirt - 18 October 2016 @ 6:26am

NBC Happily Parrots The CIA's Case For Escalating Cyber War With Russia

from the putting-out-fires-by-burning-the-house-down dept

As we've been noting there have been growing calls for the Obama Administration to publicly scold Russia for hacking the DNC, and to dole out some kind of righteous punishment for this unseemly behavior. Calls on this front have ranged from launching larger cyber offensives to an actual brick-and-mortar military response. We've noted repeatedly how this is stupid for a multitude of reasons, since hacking "proof" is (if the hacker's any good) impossible to come by, with false-flag operations consistently common.

Despite the obvious dangers of escalation, the U.S. press seems pretty intent on helping the intelligence community justify doing exactly that. Countless outlets are breathlessly passing along the idea that we simply must "retaliate" for Russia's behavior, willfully ignoring that the United States wrote the book on nation state hacking and lacks the moral high ground to lecture anyone on cybersecurity. As Snowden and other whistleblowers should have made abundantly clear by now, we've been hacking allies, fiddling in Democratic elections, creating indiscriminately dangerous malware and worse for decades.

Led by our bad example, we've cultivated a global environment in which nation state operators hack one another every second of every day to keep pace with the United States. As such, the idea that the United States is an innocent daisy nobly defending its untarnished honor from uncivilized international ruffians is absurdly, indisputably false, yet this concept underpins 90% of the reporting on this subject. Case in point: eager to get the escalation ball rolling, the CIA last week used NBC to make the case for a renewed cyber-warfare campaign against Russia in the coming months:

According to the full NBC report, the CIA is cooking up a rotating platter of different proposals, most of which involve launching similar hack and leak campaigns intended to embarrass Putin and company:
"The Obama administration is contemplating an unprecedented cyber covert action against Russia in retaliation for alleged Russian interference in the American presidential election, U.S. intelligence officials told NBC News. Current and former officials with direct knowledge of the situation say the CIA has been asked to deliver options to the White House for a wide-ranging "clandestine" cyber operation designed to harass and "embarrass" the Kremlin leadership."
Again though, if you understand that the NSA and its army of private contractors are covertly probing and attacking countless nations day in and day out (allies and enemies alike), the very idea that we'd announce this single counterattack via god-damned NBC should strike you as transparently theatrical and a bit silly. And as some pointed out, the wording of the story seems to strongly suggest we've already obtained plenty of documents that could prove embarrassing to Russia:
Like most news coverage of the Russian hacks, our own responsibility for global cyber war escalation is left entirely unmentioned by a media that fancies itself a truth teller, yet somehow still can't escape the grip of fevered nationalism when covering militarism and cyber warfare. And you'll note the only hesitation from most of the government sources quoted in the article is that our "retaliation" won't be vicious enough:
Sean Kanuck, who was until this spring the senior U.S. intelligence official responsible for analyzing Russian cyber capabilities, said not mounting a response would carry a cost. "If you publicly accuse someone," he said, "and don't follow it up with a responsive action, that may weaken the credible threat of your response capability." President Obama will ultimately have to decide whether he will authorize a CIA operation. Officials told NBC News that for now there are divisions at the top of the administration about whether to proceed.
Good. There should be "divisions." Escalating our cyber-offensive "strategies" resulted in the conundrum we're currently enjoying. And escalation here could prove notably fatal to many given our ongoing proxy war with Russia in Syria. But it's abundantly clear the CIA wants the green light and is getting some resistance from the current administration, encouraging NBC to suggest that escalation could protect the sanctity of the November elections:
"The CIA's cyber operation is being prepared by a team within the CIA's Center for Cyber Intelligence, documents indicate. According to officials, the team has a staff of hundreds and a budget in the hundreds of millions, they say. The covert action plan is designed to protect the U.S. election system and insure that Russian hackers can't interfere with the November vote, officials say. Another goal is to send a message to Russia that it has crossed a line, officials say."
Again though, there is no "line," and any ethical or legal lines that do exist, we obliterated years ago. We've hacked nations aggressively for decades, and are now fanning our collective faces in indignation at the idea that anybody would dare hack us back. We've contributed to escalating cyber-security tensions by being among the most badly behaved nations on Earth, consistently using the resulting threat escalation to justify our ongoing war on encryption, bloated security contractor budgets, and domestic surveillance expansion. It's a vicious, expensive ouroboros of dysfunction.

We've tried escalation as the aggressor, and it consistently makes things collectively, internationally worse, and certainly doesn't stop us from being the targets of these kinds of attacks. That's why we've noted repeatedly that the smart play here is to focus on defense, instead of letting Putin (and our own security contractors and intelligence community) goad us into more idiotic behavior than ever before.


Posted on Techdirt - 14 October 2016 @ 11:49am

Even NSA BFF Verizon Thinks Warrantless Location Data Collection May Have Gone Too Far

from the bridge-too-far dept

You'd be hard pressed to find companies more bone-grafted to the nation's intelligence gathering apparatus than AT&T and Verizon. So much so that it's often difficult to determine where the government ends, and where the telecom duopoly begins. From Mark Klein highlighting how AT&T was giving the NSA live access to every shred of data that touched the AT&T network, to Snowden's revelation of Verizon's handover of customer metadata, these are companies that were not only eager to tap dance around privacy and surveillance law, but actively mocked companies that actually stood up for consumer privacy.

That's why it's notable to see one of Verizon's top lawyers, Craig Silliman, penning an op-ed over at Bloomberg implying that location data hoovering has jumped the shark. Silliman details the problems arising in the age of location data collection, and specifically how four recent district courts have ruled that law enforcement can get location data without a warrant. These rulings relied on the "third-party doctrine," or the argument that consumers lose privacy protections to this information if they're willing to share it with a third party -- aka Verizon.

But Silliman notes that the cases in question leaned on data collection and networks from 2010 and 2011, before the rise of even more precise small cell (femto) technology, deployed in many areas to shore up tower coverage gaps:

A femto cell may have a cell radius of between 100 feet and 500 feet. Knowing that an individual’s cellphone is within a few hundred feet of a cell obviously is more precise than knowing that it is within a few miles. All of these changes – particularly, the surge in our customers’ use of data and the fact that many of today’s cell sites have smaller ranges – mean that our network now collects more voluminous and more precise location information than when, in 2010 and 2011, law enforcement obtained the location information that gave rise to the four appellate cases described earlier.
Silliman proceeds to note that he hopes that should these cases stumble toward the Supreme Court, the court will realize the game has changed dramatically in the last half decade:
The defendants in the two location information cases that were decided this Spring are asking the Supreme Court to review their cases and the third-party doctrine. I think it’s a matter of time before the Court takes a case like this and when it does, I hope that it takes into account how quickly technology — including the volume and precision of location information — is changing.
Verizon tells The Intercept that while the op-ed comes on the heels of the recent surveillance scandal at Yahoo (soon to be owned by Verizon), the two are not related, and Silliman's editorial was penned weeks before the news of Yahoo's e-mail searches surfaced. Silliman claims that Verizon's motivation here is just an interest in protecting consumer privacy as it collects this data for troubleshooting (and, of course, sale):
Like other carriers, Verizon retains this information to troubleshoot, maximize network efficiency, and for other business purposes. We keep cell site and sector information that we need for these business purposes for one year, while we keep other location information, like multiple location points collected during a data session and the approximate distance a device is from a cell site for eight days.

We take our customers’ privacy very seriously, of course, and protect this information carefully.
Well, let's not go that far. This is the same company that was caught covertly modifying user data packets to track their behavior around the internet, failing to inform customers this was happening or provide working opt-out tools. Verizon's also actively working to prevent new privacy protections for consumers at the FCC. And again, this is the same company that, hand in hand with AT&T, consistently went above and beyond in handing over vast oceans of data to intelligence services while never challenging the government and actively mocking companies that did.

That said, it's still amazing to see one of the government's closest allies on domestic surveillance suggesting that just maybe we've taken this whole warrantless hoovering of information thing a little too far.


Posted on Techdirt - 14 October 2016 @ 6:23am

Verizon Punishes Techs That Try To Repair DSL Customers It No Longer Wants

from the taxpayer-subsidized-apathy dept

For decades Verizon has enjoyed billions in tax breaks and subsidies in exchange for fiber optic upgrades the telco either partially or never actually deploys. Now, for the last half decade or so, the telco has been trying to hang up on these unwanted, un-upgraded DSL customers entirely as it shifts its focus to more profitable (read: usage capped) wireless service. Well, that and buying up old and uninteresting 90s internet brands in a quest to become the next media and advertising juggernaut (note: it's not going all that well).

While it's understandable that Verizon executives want to migrate to higher-growth sectors, there are a few problems. Most of these networks were built on the backs of taxpayers, and the "burdensome regulations" governing them exist in many instances to ensure nobody can unceremoniously disconnect phone service from the elderly. And Verizon has been far from ethical as it tries to back away from networks that should have been upgraded years ago, even going so far as to refuse to repair them after natural disasters like Hurricane Sandy.

Pennsylvania is one of several states where Verizon nabbed billions in subsidies, didn't do all that much with it, and now wants to just walk away from frustrated broadband customers. As the state continues scattered, largely toothless investigations into Verizon's behavior on this front, the Communications Workers of America recently issued a filing with the state PUC detailing how Verizon hamstrings its own employees from giving customers better (or any) service:

"We are seeing increasing numbers of dissatisfied customers whose service goes out when it rains or who simply have no dial tone at all,” Gardler wrote. “We know the reasons why—the cable is bad and needs to be replaced; air pressure systems are not working properly; and backup batteries are not replaced when they wear out. But we are powerless to make the changes that would provide good service to customers because Verizon is not willing to spend the money, or hire the people needed, to repair the service. Instead, we're told to install VoiceLink for voice-only customers and allow the copper network to deteriorate even further."
As noted above, Verizon's "solution" for axing these DSL lines is "Voice Link," a wireless-based service that only provides voice (no data) and doesn't work with the lion's share of security systems, fax machines, or many pacemakers that require landline monitoring or updates. It was the solution du jour pushed by Verizon in the aftermath of Sandy, triggering massive public backlash from users that found this "upgrade" to be a downgrade.

Obviously the unions have a vested interest in Verizon not migrating to less-unionized wireless, but the CWA also notes that Verizon employees now face termination if they actually try to do their jobs:
"Field technicians are required to have VoiceLink units on their trucks and to refuse to repair copper plant serving voice-only customers. Our members are being told that if they actually try to repair copper plant instead of using VoiceLink, they will be subject to disciplinary action by Verizon."
Again, that's a telco actively punishing technicians for trying to make customers happy, since it runs contrary to Verizon's mission of trying to drive these DSL customers away via the one-two punch of repair apathy and constant price hikes. Again though, none of this would really be a problem if Verizon had actually used taxpayer subsidies to upgrade to the more resilient fiber networks it originally promised and we all collectively paid for (over and over and over again).


Posted on Techdirt - 13 October 2016 @ 10:44am

Verizon Wants $1 Billion Discount After Yahoo Scandals, Still Fancies Itself The New Google

from the we're-innovative-if-we-say-we-are dept

With wireless and fixed-line broadband growth slowing, Verizon has been steadily expanding into new growth territories to try and please insatiable investors. So far, that apparently includes buying failed 90s internet brands like Yahoo and AOL in the belief that it can somehow become a Millennial advertising juggernaut. Except that hasn't been going particularly well, as the stodgy old telco realizes that it's kind of hard to innovate when you've spent the last thirty years bumbling about as a government-pampered telecom monopoly almost solely focused on turf protection.

And things have been going notably worse for Verizon over the last month, as the company has acknowledged that Yahoo failed to reveal not only the 2014 hack of 500 million user accounts, but also its recently disclosed wholesale e-mail spying for the U.S. government during negotiations. That has prompted rumors that Verizon is looking for a billion-dollar discount off the original $4.8 billion Yahoo asking price:

"In the last day we’ve heard that [AOL boss] Tim [Armstrong] is getting cold feet. He’s pretty upset about the lack of disclosure and he’s saying, ‘Can we get out of this or can we reduce the price?’” said a source familiar with Verizon’s thinking. That might just be tough talk to get Yahoo to roll back the price. Verizon had been planning to couple Yahoo with its AOL unit to give it enough scale to be a third force to compete with Google and Facebook for digital ad dollars.
Of course "scale" isn't enough to compete with Facebook and Google when you lack anything resembling disruptive or innovative DNA, though Verizon seems intent on learning this the hard way. Verizon CEO Lowell McAdam says the company has no intention of backing away from the deal, and continues to insist that despite Yahoo being a vicious shitshow, it's the missing link necessary to transform Verizon from stodgy old telco to innovative advertising juggernaut:
"I think, and we’ll see how AOL and Yahoo come together, but I think that entity can be easily one of the top three,” McAdam said at the conference. “I think we can provide the content and applications that will stand up with anything that goes up on the West Coast."
Right. But so far, there's absolutely zero indication that's going to be the case. One of the key cornerstones of Verizon's attack plan has been Go90, a new streaming video service tailored to Millennials. The problem? Those advertising and content partners McAdam claims are so excited about Verizon's entry into the market think the platform is a disaster of colossal proportions:
"Early on, we thought the platform had promise, but it was an absolute dud when it launched,” says one Go90 publishing partner. “We get the sense that unless you’re one of the premier folks they paid piles of money to [for original content], there isn’t much there from a traffic perspective,” said another. “Based on the plan they had originally laid out, it would have been a mid-tier platform for us — millions of views per month, at worst — but it’s turned out to be far, far worse than their projections,” says yet another."
Fancy! So not only did Verizon gobble up a number of underwhelming 90s internet brands in the hopes of striking it rich in content, its own foray into content has been painfully underwhelming (something that should have been apparent to anybody who remembers Verizon's first, brief attempt at original content, SugarString). Combine that with the money Verizon will have to dole out once the lawsuits over the Yahoo hack begin flooding in, and you've got the kind of pivot and metamorphosis that makes Jeff Goldblum's experience in The Fly look arguably pleasant.


Posted on Techdirt - 13 October 2016 @ 3:29am

Obama Promises 'Proportional' Response To Russian Hacking, Ignores That We Started The Fight

from the bogus-moral-high-ground dept

We've noted several times how launching cyberwar (or real war) on Russia over the recent spike in hack attacks is a notably idiotic idea. One, the United States effectively wrote the book on hacking other countries causing all manner of harm (hello, Stuxnet), making the narrative that we're somehow defending our honor from shady international operatives foundationally incorrect. And two, any hacker worth his or her salt either doesn't leave footprints advertising their presence, or may conduct false flag operations raising the risk of attacking the wrong party.

After significant pressure from intelligence industry saber rattlers and the cybersecurity firms that profit from cyber-hysteria, President Obama this week proudly proclaimed that the U.S. government would be launching a "proportional" response to Russia's recent slate of hacking attacks:

"We obviously will ensure that a U.S. response is proportional. It is unlikely that our response would be announced in advance. It’s certainly possible that the president could choose response options that we never announce," Earnest told reporters aboard Air Force One. "The president has talked before about the significant capabilities that the U.S. government has to both defend our systems in the United States but also carry out offensive operations in other countries," he added. "There are a range of responses that are available to the president and he will consider a response that’s proportional."
Again though, the very idea that the United States would be "responding" is fundamentally incorrect. We've been engaged in nation state hacking and election fiddling for decades, happily hacking the planet for almost as long as the internet has existed. We use submarines as underwater hacking platforms, and the U.S. government and its laundry list of contractors routinely hack and fiddle with international elections and destroy reputations when and if it's convenient to our global business interests. Our behavior in 1970s South America giving tech support to Operation Condor is the dictionary definition of villainy.

Yet somehow, once countries began hacking us back, we responded with indignant and hypocritical pouting and hand-wringing. But the reality is we are not some unique, special snowflake on the moral high ground in this equation: we've historically been the bully, and nationalism all too often blinds us to this fact. Long a nation driven to war by the weakest of supporting evidence, hacking presents those in power with a wonderful, nebulous new enemy, useful in justifying awful legislation, increased domestic surveillance authority, and any other bad idea that can be shoe-horned into the "because... cybersecurity" narrative.

And as we're witnessing in great detail, hacking has played a starring role in this nightmarish election, with Donald Trump giving every indication he intends to only ramp up nation state hacking as a core tenet of his idiocracy, and Hillary Clinton lumping Russia, hackers, and WikiLeaks into one giant, amorphous and villainous amoeba to help distract us from what leaked information might actually say about the sorry state of the republic.

We're wandering into extremely dangerous territory here. As we saw with Stuxnet's impact on companies like Chevron, the United States' hacking behavior has had very real, negative repercussions for innocent third parties around the globe. Operating from the belief that we're somehow nobly defending ourselves is a falsehood the media consistently perpetuates, making this kind of dangerous digital saber rattling easier than ever for those in power. The U.S. press and public can no longer afford to be so viciously naive as 2016 stumbles drunkenly to its welcome conclusion and hacking becomes the bogeyman du jour for the next administration.


Posted on Net Neutrality Special Edition - 12 October 2016 @ 8:27am

Facebook Wants To Bring Controversial Zero Rated 'Free Basics' Service To The States

from the we're-helping! dept

Last year the Indian government forged new net neutrality rules that shut down Facebook's "Free Basics" service, which provided a Facebook-curated "light" version of the internet -- for free. And while Facebook consistently claimed its program was simply altruistic, critics (including Facebook content partners) consistently claimed that Facebook's concept gave the company too much power, potentially harmed free speech, undermined the open nature of the Internet, and provided a new, centralized repository of user data for hackers, governments and intelligence agencies.

In short, India joined Japan, The Netherlands, Chile, Norway, and Slovenia in banning zero rating entirely, based on the idea that cap exemption gives some companies and content a leg up, and unfairly distorts the inherently level internet playing field. It doesn't really matter if you're actually altruistic or just pretending to be altruistic (to oh, say, lay a branding foundation to corner the content market in developing countries in 30 years); the practice dramatically shifts access to the internet in a potentially devastating fashion that provides preferential treatment to the biggest carriers and companies.

Fast forward a year and Facebook is now considering bringing the controversial service to the United States. The company has apparently been in talks with the White House about getting the idea rolling in the U.S., without setting off the same kind of regulatory alarm bells it faced in India:

"The effort to offer a U.S.-based version of Free Basics is moving forward in fits and starts, said the people, who spoke on the condition of anonymity because the effort has not been publicly revealed. In particular, the company wants to ensure that Free Basics will be viewed favorably by the U.S. government before it launches, thus avoiding a costly repeat of its experience in India."
Again, India reacted poorly not because Facebook was giving away "free stuff," but because Facebook was trying to install itself as the 90's AOL of the modern internet. Content partners dropped out because they didn't like Facebook dictating which websites and services get to be "zero rated." Companies like Mozilla suggested that if Facebook really wants to help the world's poor, it can start by funding access to the actual Internet. Facebook, annoyed by those who don't believe it's being purely altruistic, responded by calling such critics "extremists" who are hurting the poor.

The fight comes to US shores as the country is already facing a growing array of problems thanks to zero rating. Whereas India banned the practice, the FCC passed net neutrality rules that don't ban it outright, opening the door to companies trampling net neutrality if they're just creative enough. As a result, Comcast, Verizon and AT&T all now exempt their own streaming content from caps while still penalizing Netflix. Similarly T-Mobile and Sprint have now started throttling video, music and games unless customers pay a steep monthly premium.

So while the FCC twiddles its thumbs to what's quickly becoming a growing problem (unless you're an ISP or a deep-pocketed content company), Facebook is looking to get in on the ground floor of a concept that professes to be "helping" while dramatically changing the way access to the internet works. Amusingly, the social media giant appears to be treading so carefully, it's refusing to strike deals with big carriers out of an obvious fear of anti-competitive criticism:
"Facebook has not attempted to strike a deal with national wireless carriers such as T-Mobile or AT&T, said the people familiar with the matter, over concerns that regulators may perceive the move as anti-competitive. Instead, it has pursued relationships with lesser-known carriers."
Again, if you want to help low-income global citizens access the internet -- doesn't it just make more sense to help fund connections to the actual internet?


Posted on Techdirt - 12 October 2016 @ 6:09am

FCC: Comcast Routinely Charges Customers For Hardware, Services Never Ordered

from the earning-your-awful-reputation dept

When you're among the worst ranked companies for customer service in America, you consistently need to find new ways to ramp up your game if you want to take malicious incompetence to the next level. Enter Comcast, which despite constant promises that it's getting better, routinely keeps finding itself in the headlines for immeasurably shady business practices. Earlier this year, for example, the company was sued by Washington's Attorney General for charging users a $5 per month "Service Protection Plan," then routinely and intentionally charging users for repairs that should have been covered under it.

This week, one of America's least-liked companies is finding itself in the headlines for another misleading practice: errantly and routinely billing customers for hardware or services they never ordered. According to a new FCC announcement, Comcast will be paying the agency $2.3 million to settle an investigation into the behavior. According to the FCC, Comcast apparently likes to charge customers for premium cable channels, hardware, or other services the customer never ordered and may have expressly refused:

"The Commission received numerous complaints from consumers alleging that Comcast added charges to their bills for unordered services or products, such as premium channels, set-top boxes, or digital video recorders (DVRs). In some complaints, subscribers claimed that they were billed despite specifically declining service or equipment upgrades offered by Comcast. In others, customers claimed that they had no knowledge of the unauthorized charges until they received unordered equipment in the mail, obtained notifications of unrequested account changes by email, or conducted a review of their monthly bills."
This being Comcast, the FCC notes that impacted customers had to spend "significant time and energy" removing the charges from their bills. After all, this is the company that routinely refuses to correct its own mistakes unless the practice in question gets significant media attention.

While not specifically mentioned in the FCC's announcement, Comcast also has a long, proud history of charging customers who own their own modem a $10 rental fee anyway. This has been a problem customers have faced for years, yet seems to never stop occurring no matter how many complaints or regulatory wrist slaps the cable giant receives. In this case, the FCC states the obvious:
"It is basic that a cable bill should include charges only for services and equipment ordered by the customer—nothing more and nothing less," said Travis LeBlanc, Chief of the Enforcement Bureau. "We expect all cable and phone companies to take responsibility for the accuracy of their bills and to ensure their customers have authorized any charges."
The problem of course is that Comcast likely made significantly more than $2.3 million on this scheme. And the FCC may also want to hold off on the celebration; while the FCC did give Comcast a wrist slap in this instance, there's also a long-standing practice of Comcast and other ISPs and cable companies using misleading below-the-line fees to jack up the advertised rate of both TV and broadband services. And then there's the ongoing issue of Comcast's expanding and anti-competitive usage caps and overage fees, which nobody at the FCC seems all too concerned about.

So while it's good the FCC is cracking down on this kind of fraud, it's just tap dancing around the opening of a very deep, dark rabbit hole of dysfunction, one that has long-since passed from minor inconvenience into legend.


Posted on Techdirt - 7 October 2016 @ 9:33am

Comcast Dramatically Expands Unnecessary Broadband Caps -- For 'Fairness'

from the pay-more-for-the-same-service! dept

For years, we've noted how there's absolutely zero financial or technical justification for usage caps on fixed-line networks. They don't really help manage congestion, and as any incumbent ISP earnings report indicates, flat-rate broadband has proven incredibly profitable. But thanks to limited competition, caps are a great way to raise rates, hamstring streaming video competitors, and give incumbents a distinct advantage for their own services (aka zero rating). Ultimately, caps disadvantage startups and small businesses, while making broadband more expensive and confusing for everyone.

Needless to say, Comcast is pursuing this option with reckless abandon.

The cable giant this week again expanded its usage caps into a massive number of new areas according to an updated Comcast FAQ. As it stands, Comcast customers in capped markets face a 1 terabyte usage limit, after which users pay $10 for each additional 50 GB consumed, or they pay $50 a month for the same unlimited consumption they previously enjoyed. Hoping you'll ignore the fact that there's no functional justification for such limits, Comcast's FAQ and press release go well out of their way to try and claim that they're imposing this draconian new price hike out of...'fairness':

"A terabyte is a massive amount of data. More than 99 percent of our customers do not use 1 TB of data in a given month. But for those who do use more, we have options. Our data plans are based on a principle of fairness. Those who use more Internet data, pay more. And those who use less Internet data, pay less."
Bullshit. If "heavy users" were really a concern, these users could be shoveled to business-class tiers, since they make up a minority of Comcast's overall customers. No, the goal of usage caps isn't fairness, it's to impose punitive new restrictions on all of a company's customers, who can't vote with their wallet because they don't have any broadband alternatives (or if they do, don't have any alternatives that don't also cap usage). The end result is customers being forced to pay significantly more money for the same, unlimited service they had yesterday.

Then, to add insult to injury, these users are told this confusing new price hike is somehow an act of corporate altruism and fairness.

Comcast hopes that you'll be distracted by the fact that at the moment, most people shouldn't bump into the terabyte cap (recently raised from 300 GB after Comcast began worrying the FCC might actually start doing its job). As such, Comcast provided a handy little video to try and explain just how generous the cable giant is being:

Again though, focusing on the fact that people aren't bumping into the cap now ignores the certainty that they will bump into the cap down the line. As 4K video streams and technologies we haven't even invented yet emerge, consumers will inevitably face having to ration their usage or pay steep penalties. And, since Comcast exempts its own streaming service from these caps, those users are being incentivized anti-competitively to stick with Comcast's video services.

Usage caps are an embarrassing con being played on an unsuspecting public by one of the least liked companies in any industry in America. More embarrassing perhaps is the fact that the FCC, tasked with protecting broadband consumers, hasn't shown the slightest interest in either cracking down on this behavior, or if not -- ensuring that usage meters are accurate. The end result is vastly more expensive broadband, disadvantaged competitors, and frustrated and angry consumers whose complaints to the FCC simply aren't being heeded.


Posted on Techdirt - 6 October 2016 @ 6:23am

Charter Joins AT&T In Using Lawsuits To Try And Slow Down Google Fiber

from the glass-mansions dept

For decades, incumbent broadband ISPs have all but owned state legislatures, often to the point where they're quite literally allowed to write awful state law that actively harms state consumers. That's why it has proven amusing to see these same ISPs cry like petulant children at Google Fiber's disruption of the uncompetitive broadband market. AT&T, for example, has sued Louisville and Nashville for passing pole attachment reform that would speed up broadband deployment, all while claiming that doing so gives Google Fiber an unfair advantage.

Enter freshly-mega-merged Charter Communications, which has also now filed a different lawsuit against Louisville (pdf) under a Charter-owned subsidiary named Insight Kentucky Partners II -- claiming that its Constitutional rights are being violated. Why? Because Louisville struck a better franchise deal with Google Fiber than the one Charter signed years ago. Charter tries to defend saddling Louisville with a lawsuit using basketball metaphors in comments to the Louisville Courier Journal:

"The current situation is like requiring the University of Louisville to use the NBA 3-point line, while its opponents use the closer college line," said Mike Pedelty, a Charter spokesman. "More burdensome regulation inevitably means a higher cost to do business and ultimately higher prices for customers. We're simply asking the court to ensure the equal treatment state and federal law require."
Here's the thing though: Google Fiber got a better franchise deal from the city because it asked for it -- and because it promised to deliver gigabit broadband competition to the city. There's a reason cities are throwing themselves (and better deals) at Google Fiber, and Charter hopes you'll forget it's because Charter just doesn't try very hard thanks to little competition and the regulatory capture it spent 30 years lobbying for. Charter could negotiate a better deal once its current franchise contract expires, but hopes that legal threats will allow the cable giant to get out of its obligations more quickly.

Charter's lawsuit also again tries to claim that pole attachment reform -- often used by incumbent ISPs as yet another way to slow new market entrants (there's more detail here) -- will cause all manner of horrible technical and PR harm to larger ISPs:
The One-Touch procedures also could allow Insight’s competitors (intentionally or unintentionally) to damage or disrupt Insight’s ability to serve its customers, creating an inaccurate perception in the market about Insight’s service quality and harming its goodwill. These procedures also threaten public safety as Insight is responsible for providing service to critical infrastructure in Louisville Metro, in addition to its customers’ access to 911 and other emergency services. And they intrude upon the exclusive jurisdiction of the Public Service Commission of Kentucky to regulate the use of privately-owned utility poles.
It's certainly understandable that Charter wants the same deal that Google Fiber is getting, and it's all but inevitable it would have gotten it. But it's disingenuous and obnoxious to spend a generation lobbying for and enjoying regulatory capture -- only to whine once an actual competitor comes to town and begins dismantling the status quo. Charter could just get to work competing with Google Fiber -- but as one of the least liked companies in any industry in America -- it apparently feels that it makes much more sense to whine and litigate.


Posted on Techdirt - 5 October 2016 @ 6:33am

Johnson & Johnson Warns Insulin Pump Owners They Could Be Killed By Hackers

from the internet-of-broken-things dept

Initially the lack of security on "smart" Internet of Things devices was kind of funny as companies rushed to make a buck and put device security on the back burner. And while hackable tea kettles and refrigerators that leak your Gmail credentials just seem kind of stupid on the surface, people are slowly realizing that at scale -- we're introducing millions of new attack vectors into homes and businesses annually. Worse, compromised devices are now being used as part of massive new DDoS attacks like the one we recently saw launched against Brian Krebs.

Unfortunately, companies that service the medical industry also decided a few years ago that it would be a good idea to connect every-damn-thing to networks without first understanding the security ramifications of the decision. As a result, we're seeing a rise in not only the number of ransomware attacks launched on hospitals, but a spike in hackable devices like pacemakers that could mean life and death for some customers.

Another new case in point: Johnson and Johnson this week had to reach out to owners of the company's insulin pumps to warn them that the devices could be used to kill somebody by overdosing diabetic patients with insulin. According to researchers, the devices were launched with wireless connectivity in 2008 as a means of bringing added convenience to customers, but Johnson and Johnson failed to encrypt the device's wireless traffic:

"The Animas OneTouch Ping, which was launched in 2008, is sold with a wireless remote control that patients can use to order the pump to dose insulin so that they do not need access to the device itself, which is typically worn under clothing and can be awkward to reach. Jay Radcliffe, a diabetic and researcher with cyber security firm Rapid7 Inc, said he had identified ways for a hacker to spoof communications between the remote control and the OneTouch Ping insulin pump, potentially forcing it to deliver unauthorized insulin injections."
As with pacemakers, an attacker needs to be relatively close to make this happen (25 feet), resulting in Johnson and Johnson insisting the overall risk was low:
"The probability of unauthorized access to the OneTouch Ping system is extremely low," the company said in letters sent on Monday to doctors and about 114,000 patients who use the device in the United States and Canada. "It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network."
That's not really comforting. While this particular hack was publicized and fixed, there's a growing zero-day exploit market for medical device vulnerabilities that can be used to kill or injure an individual without detection, something that's going to be increasingly attractive to nation state actors and private contractors using the Internet of Things for globally malicious (and in some instances potentially fatal) activity. The rise in hackable medical devices has forced the FDA to issue formal guidance on how medical device makers should handle reports about cyber vulnerabilities.
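The spoofing problem described above, as an added example that is neither the Animas protocol nor Rapid7's code: a toy remote-to-pump bolus command sent in cleartext, which anyone who has overheard a single frame can forge, next to the same command carried with a per-pairing HMAC key, a monotonic counter so a captured frame cannot be replayed, and a dose cap enforced on the pump itself. The serial number, pairing key, frame layout and dose limit are all constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed values for the demonstration only; the real OneTouch Ping
# frame format and pairing secret are not on the page and are not reproduced.
PUMP_SERIAL = b"PUMP-000123"
PAIRING_KEY = b"secret-shared-when-remote-was-paired"   # assumption
MAX_BOLUS_UNITS = 10.0                                  # assumption: on-device cap
TAG_LEN = 16


def insecure_frame(serial: bytes, units: float) -> bytes:
    """Cleartext, unauthenticated bolus command: serial|BOLUS|dose."""
    return serial + b"|BOLUS|" + struct.pack(">f", units)


class InsecurePump:
    """Accepts any well-formed frame that names its serial number."""

    def __init__(self, serial: bytes):
        self.serial = serial
        self.delivered = []

    def receive(self, frame: bytes) -> bool:
        serial, cmd, dose = frame.split(b"|", 2)
        if serial != self.serial or cmd != b"BOLUS":
            return False
        self.delivered.append(struct.unpack(">f", dose)[0])
        return True


def _tag(key: bytes, serial: bytes, counter: int, units: float) -> bytes:
    """Truncated HMAC-SHA256 over serial, counter and dose."""
    msg = serial + struct.pack(">Qf", counter, units)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Remote:
    """Paired remote: every command carries a fresh counter and an HMAC."""

    def __init__(self, serial: bytes, key: bytes):
        self.serial, self.key, self.counter = serial, key, 0

    def bolus(self, units: float) -> bytes:
        self.counter += 1
        body = self.serial + struct.pack(">Qf", self.counter, units)
        return body + _tag(self.key, self.serial, self.counter, units)


class HardenedPump:
    """Rejects frames that are unauthenticated, replayed or implausibly large."""

    def __init__(self, serial: bytes, key: bytes):
        self.serial, self.key = serial, key
        self.last_counter = 0
        self.delivered = []

    def receive(self, frame: bytes) -> bool:
        n = len(self.serial)
        if len(frame) != n + 12 + TAG_LEN or frame[:n] != self.serial:
            return False
        counter, units = struct.unpack(">Qf", frame[n:n + 12])
        expected = _tag(self.key, self.serial, counter, units)
        if not hmac.compare_digest(frame[n + 12:], expected):
            return False              # forged or corrupted: wrong key
        if counter <= self.last_counter:
            return False              # replay of a previously captured frame
        if not 0 < units <= MAX_BOLUS_UNITS:
            return False              # dose cap holds even if the key leaks
        self.last_counter = counter
        self.delivered.append(units)
        return True


def demo():
    """Attacker sniffs one legitimate frame, then tries to forge and replay."""
    victim = InsecurePump(PUMP_SERIAL)
    sniffed = insecure_frame(PUMP_SERIAL, 1.0)
    victim.receive(sniffed)
    learned_serial = sniffed.split(b"|", 1)[0]      # all the attacker needs
    forged_accepted = victim.receive(insecure_frame(learned_serial, 25.0))

    remote = Remote(PUMP_SERIAL, PAIRING_KEY)
    pump = HardenedPump(PUMP_SERIAL, PAIRING_KEY)
    legit = remote.bolus(1.0)
    legit_accepted = pump.receive(legit)
    replay_accepted = pump.receive(legit)           # same bytes sent again
    forged = PUMP_SERIAL + struct.pack(">Qf", 99, 25.0) + b"\x00" * TAG_LEN
    forged2_accepted = pump.receive(forged)
    return (forged_accepted, victim.delivered,
            legit_accepted, replay_accepted, forged2_accepted, pump.delivered)


if __name__ == "__main__":
    print(demo())
```

Encryption on its own would not close this hole: a sniffed ciphertext can still be replayed unless the pump also checks the counter, and the on-device cap limits the damage even if the pairing key is ever extracted.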

In this case it appears that Johnson and Johnson was cooperative with Rapid7, but as we've noted previously, the lion's share of internet-of-broken-things companies tends to respond to researcher vulnerability reports with stone-cold silence.


Posted on Techdirt - 4 October 2016 @ 2:31pm

Hackable Speed Cameras Highlight Risk Of Rush Toward IoT-Enabled 'Smart' Cities

from the if-you-build-it-(poorly)-they-will-come dept

We've been talking at length about how the lack of security in the Internet of Things space is seen as a sort of adorable joke, but isn't always a laughing matter. While the hilarious stupidity of some of the "smart" products flooding the market is undeniable, the reality is that the abysmal state of security in "IoT" devices (read: little to none) is creating millions of new attack vectors every year. And as Bruce Schneier recently warned, it's only a matter of time before the check comes due, and these vulnerabilities contribute to hacking attacks on core infrastructure resulting in notable fatalities.

Refrigerators that leak your Gmail credentials are one thing, but this looming calamity is going to be made notably worse by the rush toward "smart" cities. The same hardware vendors that can't bother to secure their consumer-side hardware haven't done a much better job securing the gear they're shoveling toward cities under the promise of a better, more connected tomorrow. Case in point: Kaspersky Lab researchers have discovered that a significant number of city speeding cameras are, you guessed it, easily hackable:

"According to Vladimir Dashchenko and Denis Makrushin from Kaspersky Lab, these devices can be easily manipulated. The results were published in a security conference paper about the security hazards in smart cities...The Russian researchers were using the Shodan search engine to explore the security implications of the "smart city" fad. They hypothesized that the rush to deploy high-tech, "Internet of things" devices to improve the municipal infrastructure often meant that security was left behind.
And they were right. Except security wasn't just subpar on speed cameras made by vendors like Redflex Traffic Systems. In many instances it didn't exist whatsoever:
"We decided to check that passwords were being used," Dashchenko and Makrushin wrote. "Imagine our surprise when we realized there was no password and the entire video stream was available to all Internet users. Openly broadcast data includes not only the video stream itself, but additional data, such as the geographical coordinates of cameras, as well."
The researchers noted that even in not-so-smart cities, the cameras are already processing gigabytes of citizens' data with little to no protection. Worse, the researchers found that given these cameras are tied to larger networks, hackers could potentially gain access to databases of stolen vehicles and add or remove vehicles from said lists. Their full paper, Fooling The Smart City (pdf), is worth taking a look at, and highlights how a significant number of kiosks -- used for everything from ticket sales to bicycle rentals -- are also vulnerable.
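The check the Kaspersky researchers describe, as an added example that is not their code: an inventory audit that requests each camera endpoint with no credentials and flags anything that serves content anyway. The camera here is a constructed local stand-in with one open path and one password-protected path, so the script runs offline; against real devices the hostnames would come from your own asset list, and the paths from the vendor's documented interface.

```python
import socketserver
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class FakeCamera(BaseHTTPRequestHandler):
    """Constructed stand-in for a camera web interface (no real vendor firmware):
    /stream answers anyone, /config challenges for credentials."""

    def do_GET(self):
        if self.path == "/stream":
            code, body = 200, b'{"lat": 55.75, "lon": 37.61, "frame": "<jpeg bytes>"}'
        elif self.path == "/config":
            if self.headers.get("Authorization"):
                code, body = 200, b'{"role": "admin"}'
            else:
                code, body = 401, b""
        else:
            code, body = 404, b""
        self.send_response(code)
        if code == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="camera"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


class LocalServer(HTTPServer):
    def server_bind(self):
        # Skip HTTPServer's reverse DNS lookup of the bind address; it can stall
        # on hosts without working DNS and is irrelevant for a loopback demo.
        socketserver.TCPServer.server_bind(self)
        self.server_name = "127.0.0.1"
        self.server_port = self.socket.getsockname()[1]


def start_fake_camera() -> LocalServer:
    srv = LocalServer(("127.0.0.1", 0), FakeCamera)   # port 0: let the OS pick
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(url: str, timeout: float = 3.0):
    """GET url with no credentials; return (HTTP status or None, body length)."""
    req = urllib.request.Request(url, headers={"User-Agent": "device-inventory-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, 0
    except (urllib.error.URLError, OSError):
        return None, 0


def audit(base_url: str, paths=("/stream", "/config")) -> dict:
    """Classify each endpoint as seen by an anonymous client."""
    findings = {}
    for path in paths:
        status, size = probe(base_url + path)
        if status == 200 and size > 0:
            findings[path] = "open"          # content served with no authentication
        elif status in (401, 403):
            findings[path] = "protected"     # challenged or refused
        elif status is None:
            findings[path] = "unreachable"
        else:
            findings[path] = f"status {status}"
    return findings


def demo() -> dict:
    srv = start_fake_camera()
    try:
        return audit(f"http://127.0.0.1:{srv.server_port}")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

An "open" finding on a stream or telemetry path is exactly the condition the researchers hit: no challenge, full payload, and in their case the camera coordinates alongside the video. Run the audit from inside the network the devices live on as well as from outside it, since a camera that challenges on the Internet-facing interface may still be wide open on the management LAN.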

The result isn't just an exponential explosion in vulnerabilities. These compromised devices are now being used in historically massive new DDoS attacks, that appear to be getting larger by the day. On the heels of the recent, record-setting 620 gigabit-per-second DDoS attack against Brian Krebs (which was fueled in part by compromised IoT devices), a new attack this week launched against a French web host peaked at an incredible 1.1 terabits per second, driven in part by -- you guessed it -- hacked security cameras.

Krebs subsequently noted this week that the source code for the IoT-fueled DDoS that took down his website has been released, all but guaranteeing that mammoth, even larger attacks fueled by not-so-smart cars, not-so-smart locks, and not-so-smart power outlets are about to become the norm.


Posted on Techdirt - 4 October 2016 @ 10:43am

HP Issues Flimsy Mea Culpa For Recent Printer Cartridge DRM Idiocy, But It's Not Enough

from the not-helping dept

A few weeks ago we noted how HP had effectively delivered a DRM time bomb in the form of a software update that, once detonated, crippled customers' ability to use competing third-party print cartridges in HP printers. While such ham-fisted behavior certainly isn't new, in this case HP had actually first deployed the "security update" to its printers back in March -- but didn't activate its stealthy payload until last month. Once activated, the software update prevented HP printers from even detecting alternative ink cartridges, resulting in owners getting a rotating crop of error messages about faulty cartridges.

HP customers were obviously annoyed, and the EFF was quick to pen an open letter to HP, quite correctly noting that HP abused its security update mechanism to trick its customers and actively erode product functionality. Ultimately HP was forced to respond via a blog post proclaiming the company was just "dedicated to the best printing experience" and wanted to correct some "confusion" about its DRM sneak attack. In short, HP strongly implied it was just trying to protect consumers from "potential security risks" (what sweethearts):

"HP printers and original HP ink products deliver the best quality, security and reliability. When ink cartridges are cloned or counterfeited, the customer is exposed to quality and potential security risks, compromising the printing experience. As is standard in the printing business, we have a process for authenticating supplies. The most recent firmware update included a dynamic security feature that prevented some untested third-party cartridges that use cloned security chips from working, even if they had previously functioned."
And while HP ultimately said it would deploy an "optional firmware update" in a few weeks, the mea culpa is filled with the usual assortment of garbled half-truths -- including HP patting itself on the back for being ultra-transparent and proactive after its customers began brandishing pitchforks. The EFF is fortunately attempting to hold HP's feet to the fire, urging the company to more fully disclose just how many printers were impacted, detail how it intends to inform users about the update, and stop undermining its customers' confidence in the security update process:
"HP needs to promise never to use a security update to take away features again. There are hundreds of millions of inkjet printers out there, and they're vulnerable to malicious software that can conscript them into jaw-dropping internet attacks. Whether or not you own an HP printer, you have a stake in HP's printers being swiftly updated when bugs are discovered in them. That means that HP must not give customers a reason to worry that the next "security update" is yet another self-destruct mechanism aimed at protecting the security of HP's cartridge division, rather than the security of our printers, to which we supply our credit card details, Social Security Numbers and personal photos."
The EFF is also urging annoyed customers to sign this petition, which currently has 12,400 signatures and counting.


Posted on Techdirt - 4 October 2016 @ 6:08am

AT&T Stops Charging Broadband Users Extra For Privacy

from the privacy-is-a-luxury-option dept

A few years ago, AT&T came up with an "ingenious" idea: charge broadband consumers more money if they want to protect their privacy. Under this plan, users ordering AT&T's U-Verse broadband service could get broadband for, say, $70 a month. But if you want to opt out of AT&T's Internet Preferences program (which uses deep packet inspection to study your movement around the Internet down to the second) you'll pay $30 to $50 more, per month. AT&T also made opting out as cumbersome as possible, knowing full well that few people would dare take the option.

With its decision, AT&T effectively made user privacy a luxury option.

After years of this behavior, AT&T surprisingly proclaimed last week that it would be eliminating the privacy surcharge and its Internet Preferences behavioral advertising service completely this month:

"To simplify our offering for our customers, we plan to end the optional Internet Preferences advertising program related to our fastest Internet speed tiers," an AT&T spokesperson confirmed to Ars today. "As a result, all customers on these tiers will receive the best rate we have available for their speed tier in their area. We’ll begin communicating this update to customers early next week."
Why the sudden AT&T about-face? While AT&T claims it's just concerned about "simplicity," the real reason is because the FCC is considering some basic privacy protections for broadband users, who often can't vote against bad behavior with their wallet thanks to the lack of competition in the broadband space. AT&T's decision to issue a surcharge for privacy was one of the primary reasons the FCC began the privacy rulemaking proceeding. AT&T's lobbyists and lawyers clearly hope that if they eliminate this controversial program, they'll be more easily able to argue that broadband privacy rules aren't necessary.

Broadband ISPs have consistently tried to argue that consumer broadband privacy protections aren't necessary because carriers are fantastic at self-regulating on this front. Yet time and time again they've proven that's simply not the case. Verizon, for example, proclaimed in 2008 that broadband privacy protections weren't necessary because "public shame" would keep the company on its best behavior. Fast forward to 2014 and Verizon was caught covertly modifying user wireless data packets to track customer behavior around the internet -- without notifying consumers or offering working opt-out tools.

It took security researchers two years before they even discovered what Verizon was doing. It took another six months before Verizon was even willing to provide customers with working opt-out tools. That's fairly consistently what "self regulation" on the broadband privacy front looks like.

While they've been portrayed by ISPs as mammoth overreach, the FCC's proposed broadband privacy rules are relatively basic, simply requiring that ISPs are completely transparent about what they're collecting and selling, while requiring ISPs also provide working opt-out tools. ISPs, eagerly hoping to compete with Google and Facebook on the advertising front (see Verizon's acquisitions of AOL and Yahoo), don't want any regulations that put them at a competitive disadvantage, arguing the playing field should be level as they eye billions in new advertising revenues.

The problem with that argument is that while internet users can choose not to use Facebook and Google, they all-too-often have no such luxury when it comes to broadband. So while regulations aren't entirely ideal, there's an argument that (like net neutrality rules) they're necessary until we can get something vaguely resembling competition established in the broadband space. Until that happens, and without meaningful privacy protections, there's absolutely nothing preventing AT&T's next "great idea" from being aggressively worse.

