Karl Bode’s Techdirt Profile

kbode

About Karl Bode




Posted on Techdirt - 22 September 2017 @ 7:39pm

'Smart' Hospital IV Pump Vulnerable To Remote Hack Attack

from the killed-by-apathy dept

By this point, the half-baked security in most internet of things devices has become a bit of a running joke, leading to amusing Twitter accounts like Internet of Shit that highlight the sordid depth of this particular apathy rabbit hole. And while refrigerators leaking your gmail credentials and tea kettles that expose your home networks are entertaining in their own way, it's easy to lose sight of the fact that the same half-assed security in the IOT space also exists on most home routers, your car, your pacemaker, and countless other essential devices and services your life may depend on.

The lack of security in the medical front is particularly alarming. The latest case in point: security researchers have discovered eight vulnerabilities in a syringe infusion pump used by hospitals to help administer medication to patients intravenously. The flaws in the Medifusion 4000 infusion pump, manufactured by UK medical multinational Smiths Group, were discovered by security researcher Scott Gayou. The device is utilized to deliver medications, blood, antibiotics and other fluids to critical care patients, patients undergoing surgery (anesthesia) -- and newborn babies.

The flaws were severe enough to warrant a new warning from the Department of Homeland Security, which issued an advisory that, like similar past advisories, rather downplays the fact these flaws could be utilized by a skilled hacker to kill somebody covertly:

"Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage."

Both the FDA and DHS have ramped up the attention they're giving such vulnerabilities, recently having issued similar first ever warnings about flaws in pacemakers by St. Jude Medical, which can be similarly abused to kill patients. And while this is all wonderful news if you're a wetworker operating in an environment where such flaws take years to discover much less fix, it's decidedly less fun for the companies being criticized for half-assed security measures. In most cases, the companies impacted make it their top priority to downplay the risks involved, as the Smiths Group did in its statement on the vulnerabilities:

The possibility of this exploit taking place in a clinical setting is highly unlikely, as it requires a complex and an unlikely series of conditions.

Except six of the vulnerabilities in question simply involve the use of hard-coded credentials, the same problem that has plagued the home router market for years. For its part, Smiths says it's working hard to implement a fix for the flaws -- that might be released in January 2018. In the interim Smiths is urging hospitals to assess the risk, change the default login credentials, and disconnect these devices from the network where necessary. But considering the low quality of IT support in most hospitals (a major reason for a massive spike in hospital ransomware attacks) -- there's certainly no guarantee of any of these mitigation measures actually happening.

15 Comments | Leave a Comment..

Posted on Techdirt - 22 September 2017 @ 3:23am

The Soaring Cost Of Sports Programming Is Simply Not Sustainable

from the something-has-to-give dept

One of the biggest reasons for soaring cable rates is the bloated and soaring cost of sports programming. Similarly, one of the biggest causes for the unprecedented rise in cord cutting (ditching cable and going with a streaming alternative) is the cost of sports programming. Surveys have shown that 56% of ESPN viewers would dump the channel just to save the $8 per month it costs each subscriber. Once streaming alternatives emerged for the sports-bloated traditional cable bundles that let them do just that, users began flooding to the exits at a historic rate.

The reality is millions upon millions of customers don't give a shit about sports, yet are forced to pay $120 or more per month for cable bundles filled with content they don't watch, and didn't want. And when some cable companies initially tried to offer "skinny bundles" without ESPN or other sports networks, they were sued by ESPN for trying to give consumers what they wanted. And while that has slowly started to change with the rise of live TV streaming alternatives, for traditional cable providers something in this cycle of dysfunction needs to change. Quickly.

Case in point: Axios points to Magna's latest Media Sports Report that highlights how cable companies are now paying significantly more money for sports programming than they make off advertising during the games. For example, cable operators now pay the NBA $2.6 billion annually in licensing fees, but "only" make $1.3 billion from the ads run during sports events. The associated graphic highlights how it's the same for most leagues:

Of course cable companies make up for the difference by not only imposing endless cable TV rate hikes, but via the bevy of misleading fees they've long used to jack up the advertised rate of service post sale. But their ability to do this has been dramatically compromised by the mass exodus of users fleeing traditional cable. And the problem is notably worse for broadcast networks:

This (sic) economics are especially problematic for broadcast networks that carry live sports games, because they don't have access to subscription revenues to subsidize the high cost of programming, like cable networks do. Broadcasters rely on ratings, driven by viewership — which is getting increasingly older and aging out of the coveted 25-54 marketing demographic, as well as retransmission fees.

As a result, more sports distribution rights have migrated to cable networks — think TNT and TBS carrying the NBA and MLB, respectively. But there are problems there, too. Cable channels are losing subscribers to digital streaming options at the fastest rate ever. It's worth noting that both cable and broadcast networks make a substantial amount of money from retransmission fees (charging cable and satellite providers to carry their content), but collectively it's still not enough to completely offset the rate of increases to programming costs.

The report proceeds to state the obvious by proclaiming that analysts "don't see the ever-increasing gap between ad revenues and rights fees as sustainable in the long term," something cable subscribers could have told them years ago. Wall Street analysts have similarly been discussing how retransmission fee hikes and the soaring cost of programming simply isn't sustainable for the better part of the last decade, not that it appears to have changed the landscape -- or the executive quest to milk the traditional cable TV cash cow to death -- in any meaningful fashion.

This will likely most harm small cable TV operators, who have said they may just stop selling cable TV as margins get tighter. Don't feel too badly for larger cable providers like Comcast, however. As their TV margins get squeezed, they are simply using their monopoly over broadband to jack up the cost of broadband via unnecessary and confusing caps or overage fees. The end result: cable companies get their pound of flesh one way or the other, as users are punished for fleeing the cable and broadcast sectors' walled gardens and the seemingly endless TV rate hikes therein.

34 Comments | Leave a Comment..

Posted on Techdirt - 21 September 2017 @ 3:26pm

CCleaner Hack May Have Been A State-Sponsored Attack On 18 Major Tech Companies

from the good-luck-out-there dept

At the beginning of this week, reports emerged that Avast, owner of the popular CCleaner software, had been hacked. Initial investigations by security researchers at Cisco Talos discovered that the intruder not only compromised Avast's servers, but managed to embed both a backdoor and "a multi-stage malware payload" that rode on top of the installation of CCleaner. That infected software -- traditionally designed to help scrub PCs of cookies and other tracking software and malware -- was subsequently distributed by Avast to 700,000 customers (initially, that number was thought to be 2.27 million).

And while that's all notably terrible, it appears initial reports dramatically under-stated both the scope and the damage done by the hack. Initially, news reports and statements by Avast insisted that the hackers weren't able to "do any harm" because the second, multi-stage malware payload was never effectively delivered. But subsequent reports by both Avast and Cisco Talos researchers indicate this payload was effectively delivered -- with the express goal of gaining access to the servers and networks of at least 18 technology giants, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself.

Cisco's researchers say they obtained a copy of the hackers' command-and-control server from an unnamed source. That server contained detailed logs of the 700,000 or so computers that had "phoned home" to the hackers earlier this month. Subsequent investigation has concluded that the hackers didn't really care about most of the infected customers, and that this may have been a sophisticated state-sponsored attack specifically designed access and copy internal information and trade secrets from major tech firms:

"That target list presents a new wrinkle in the unfolding analysis of the CCleaner attack, one that shifts it from what might have otherwise been a run-of-the-mill mass cybercrime scheme to a potentially state-sponsored spying operation that cast a wide net, and then filtered it for specific tech-industry victims. Cisco and security firm Kaspersky have both pointed out that the malware element in the tainted version of CCleaner shares some code with a sophisticated hacking group known as Group 72, or Axiom, which security firm Novetta named a Chinese government operation in 2015."

One configuration file on the attackers' server was also set for China's time zone, though of course neither of these are enough solid evidence to definitively conclude state-sponsored involvement... yet. In an updated post to its website, Avast has been forced to concede that their initial claim that the second, multi-staged payload was never delivered was false, and that the total number of compromised machines at these targeted companies is "at least in the order of hundreds":

"First of all, analysis of the data from the CnC server has proven that this was an APT (Advanced Persistent Threat) programmed to deliver the 2nd stage payload to select users. Specifically, the server logs indicated 20 machines in a total of 8 organizations to which the 2nd stage payload was sent, but given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds. This is a change from our previous statement, in which we said that to the best of our knowledge, the 2nd stage payload never delivered."

Cisco also warned impacted tech companies that deleting the software itself off of infected PCs is no guarantee that the threat has been mitigated, since the payload may have installed a second payload on their networks with its own, still-active command and control server. Like previous attacks of this type, the reported scope of the sophisticated attack is likely to only grow as researchers dig deeper.

As several outlets were quick to correctly note the attack on CCleaner highlights a supply-side security problem at a growing number of software companies like Ukrainian accounting software MeDoc and South Korea-based firm Netsarang, which both passed on malware to trusting clients in the last few months. Traditionally we've comforted ourselves by insisting we're safe if we just avoid untrusted app stores, dubious attachments, or questionable links -- but this attack further up the software supply chain erodes public trust, which could deter users from using or updating essential protection.

32 Comments | Leave a Comment..

Posted on Techdirt - 21 September 2017 @ 3:30am

FCC Sued For Ignoring FOIA Request Investigating Fraudulent Net Neutrality Comments

from the ignore-a-problem-and-it-goes-away,-right? dept

For months now we've noted how somebody is intentionally filling the FCC's net neutrality comment proceeding with bot-generated bogus comments supporting the agency's plan to kill net neutrality protections. Despite these fake comments being easily identifiable, the FCC has made it abundantly clear it intends to do absolutely nothing about it. Similarly, the FCC has told me it refuses to do anything about the fact that someone is using my name to file comments like this one falsely claiming I support killing net neutrality rules (you may have noticed I don't).

While nobody has identified who is polluting the FCC comment system with fake support, it should be fairly obvious who this effort benefits. By undermining the legitimacy of the public FCC comment proceeding (the one opportunity for transparent, public dialogue on this subject), it's easier for ISPs and the FCC to downplay the massive public opposition to killing popular net neutrality rules. After all, most analysis has shown that once you remove form, bot and other automated comments from the proceeding, the vast, vast majority of consumers oppose what the FCC and Trump administration are up to.

Attempts to dig deeper into this mystery haven't gone well. Freelance writer Jason Prechtel filed a Freedom of Information Act (FOIA) request on June 4 asking the FCC for data on the bogus comments, the API keys used, and how the FCC has worked to address the problem. But while the FCC acknowledged the FOIA request, it wound up giving Prechtel the runaround throughout the summer -- stating on June 14 that it would be extending the deadline for responding to his request from July 3 to July 18 -- before ultimately deciding to ignore his request altogether.

As a result, Prechtel has filed a lawsuit against the FCC (pdf), stating the agency is breaking the law by sitting on its hands. From a Medium post written by Prechtel explaining the suit:

"As the agency is legally obliged to respond to my request, and as the underlying questions behind my request still haven’t been answered, I have filed a lawsuit against the FCC for their refusal to conduct a reasonably timely search for the records, and have demanded the release of these records. Even now, over three months after my FOIA request, and even after I’ve filed a lawsuit, this request is still listed as “under agency review”.

If you're playing along at home, this is just one of several lawsuits that have been filed against the agency for its Keystone Cops-esque handling of the network neutrality proceeding to date. The FCC has been sued for obfuscating details on its meetings with major ISPs in regards to net neutrality, and also faces a lawsuit over the agency's apparently completely fabricated DDoS attack it claimed occurred conveniently at the exact same time John Oliver told his viewers to file comments with the agency. Perhaps the more observant will notice a trend at Ajit Pai's FCC?

Again, nobody knows who's behind this effort to pollute the public discourse, and the FCC is making it pretty clear it doesn't want to make it any easier to find out. Having covered the sector for twenty years, this sort of thing is well within the behavioral norms of the wide variety of "non profit," "non-partisan" groups hired by ISPs to pee in the discourse pool. Whoever's to blame, it's pretty clear the FCC is playing a role in not only making it harder to understand what happened, but in undermining the value of the public comment period.

As the FCC moves to formally vote to kill the rules in a month or two, expect Ajit Pai and friends to increasingly use the dysfunction they helped cement to downplay legitimate public opposition to its plan. After that, you can expect all of this dysfunction to play a starring role in the multiple, inevitable lawsuits that will be filed against the agency in the wake of the vote. Again, how was this blistering shitshow a better idea than simply listening to the will of the public and leaving the existing, popular net neutrality rules alone?

Read More | 24 Comments | Leave a Comment..

Posted on Techdirt - 20 September 2017 @ 1:30pm

Verizon Hangs Up On Tens Of Thousands Of 'Unlimited' Wireless Customers For Using Too Much Data

from the invisible-barriers dept

Over the last few years, you may have noticed that Verizon is attempting a pivot from stodgy old telco to sexy new advertising juggernaut. Part of that effort has involved refusing to upgrade its lagging DSL infrastructure in countless towns and cities as it shifts its focus toward wireless and using its AOL and Yahoo acquisitions to sling videos and advertisements at Millennials. To justify its failure to upgrade its fixed-line network during this period (something it's being sued for by cities like New York), Verizon has long proclaimed that wireless is a "good enough" replacement for fixed-line alternatives.

But the company is now inadvertently highlighting just how not-ready for prime time wireless connections truly are. Verizon has been taking heat over the last few weeks for kicking thousands of customers off of its wireless network in more rural areas. Why? The company insists these customers (at last count 8,500 customers utilizing 19,000 lines across 13 states) are being kicked off the Verizon wireless network for using a "substantial" amount of data. But Verizon is refusing to tell these users what "substantial" actually means, after marketing "unlimited" data plans to these users for much of the year:

Verizon said in June that it was only disconnecting "a small group of customers" who were "using vast amounts of data—some as much as a terabyte or more a month—outside of our network footprint." But one customer, who contacted Ars this week about being disconnected, said her family never used more than 50GB of data across four lines despite having an "unlimited" data plan.

"Now we are left with very few choices, none of them with good service," the customer told us. "I guess small-town America means nothing to these people. It's OK—though I live in a small town, I know a lot of people, and I'm telling every one of them to steer clear of Verizon."

The problems here are multi-faceted. Three years ago, Verizon Wireless launched something called its LTE in rural America program (LTEiRA). Under this program, Verizon partnered with rural carriers to help extend the reach of their networks by letting them lease access to Verizon’s 700MHz Upper C Block spectrum. Several of the companies that worked with Verizon on this program state the company hyped the program, hired companies to help extend the reach of rural networks, then began marketing unlimited data plans to customers in many of these rural areas.

But when the program wasn't as profitable as Verizon hoped, it abruptly pulled the plug, leaving thousands in connectivity purgatory:

“It appears that Verizon induced these companies to build out in the rural areas around the country and then significantly promoted it by saying that they’re covering the rural areas, when it fact now, after putting those ads out, they’re now not covering the rural areas — in fact, they’re cutting it back,” he says.

And without much advance notice.

“This move caught them completely by surprise and totally blindsided them as it did the customers in the region,” says Jason Sulham, speaking for Wireless Partners LLC."

Again, Verizon isn't bothering to inform these users what "substantial" usage even means, part and parcel of a sector that has long advertised wireless connections as "unlimited," then saddled users with all manner of murky restrictions (part of the reason we have net neutrality rules). Some of the impacted users are telling news outlets they used as little as three gigabytes per month, so there's every indication that Verizon Wireless isn't being honest here as it tries to portray many of these folks as unreasonable data gluttons (which is traditionally par for the course).

In this case, Verizon's decision to kick thousands of people off of the network is also having a dramatic impact on first responders in many of these rural areas, who say their ability to protect the public has been compromised:

"Law enforcement agencies in eastern Maine are criticizing a decision by Verizon Wireless to terminate cell service due to excessive cost. Police say the company’s decision will have an adverse effect on their work, and on the ability of residents to call 911.

Verizon officials remained tight-lipped Wednesday regarding the actual number of dropped customers, which some sources say could be as high as 2,000."

Again, there's nothing particularly revelatory about the fact that delivering wireless broadband to rural markets is expensive. Wireless spectrum is costly (often impossible for smaller companies), as is access to the fiber backhaul needed to feed wireless towers. But Verizon has spent the last decade insisting that freezing its deployment of FiOS fiber connections wasn't a big deal because wireless would be "good enough" for the millions of subscribers left in a lurch. In fact, Verizon found itself repeatedly under fire after Hurricane Sandy for refusing to repair fixed line networks for just that reason.

Verizon's decision to purge thousands of users off of the network for murky reasons comes as the FCC is looking -- largely at Verizon and AT&T's behest -- to weaken the standard definition of broadband to include wireless. The goal: redefine broadband to declare an area competitive and served if wireless is present, justifying institutional apathy toward doing anything about the lack of competition in the space. Granted this effort ignores instances exactly like this one clearly demonstrating that -- even with 5G on the horizon -- wireless is not a magical broadband panacea for under-served areas.

21 Comments | Leave a Comment..

Posted on Techdirt - 20 September 2017 @ 9:38am

Florida Utilities Lobbied To Make It Illegal For Solar Users To Use Panels In Wake Of Hurricanes, Outages

from the sorry,-progress-is-illegal dept

You may have noticed that the shift to solar is happening whether traditional utilities like it or not, and attempting to stop solar's forward momentum is akin to believing you can thwart the Mississippi with a fork and a few copies of Mad Magazine. Said futility clearly hasn't discouraged Florida utilities, who have gone to numerous, highly-creative lengths to try and hinder or curtail solar use. When last we checked in with legacy Florida utilities, they were busy using entirely fake consumer groups to push a law that professed to help the solar industry while actually undermining it.

Fortunately Florida consumers ultimately saw through this effort, though this was just one of a steady stream of similar bills aimed at stalling progress. Many Florida Power and Light customers obviously lost power in the wake of the devastation caused by Hurricane Irma, despite promises by the company that endless rate hikes would help harden the utilities' lines. But customers thinking they could use the solar panels on their roofs to help keep themselves afloat until traditional power was restored were in for a rude awakening.

Thanks to the fact that Florida utility lobbyists are being allowed to quite literally write the state's energy laws, many locals discovered they weren't able to use their solar panels in the wake of the storm lest they violate state law:

"FPL's lobbying wing has fought hard against letting Floridians power their own homes with solar panels. Thanks to power-company rules, it's impossible across Florida to simply buy a solar panel and power your individual home with it. You are instead legally mandated to connect your panels to your local electric grid. More egregious, FPL mandates that if the power goes out, your solar-power system must power down along with the rest of the grid, robbing potentially needy people of power during major outages.

In the broadband industry, we consistently let giant incumbents like Comcast and AT&T write shitty protectionist state laws -- then stand around with a dumb look on our collective faces wondering why U.S. broadband is shitty and expensive. The same problem plagues the utility sector across countless states. In Florida, the average household spends $1,900 a year on power, 40% higher than the national average. Yet incentives or other measures designed to spur solar power adoption are either absent or illegal, in large part thanks to utility lobbying.

Needless to say, Irma appears to be acting as a wake up call to Florida utility customers unfamiliar with how the American lobbying and political system actually works:

The problem, again, is that legacy companies across numerous sectors are very effective at using partisan patty cake to convince consumers to root against their own best self interests. That's why Florida, a state perfectly suited to take advantage of solar power, remains well behind the curve when it comes to solar adoption. And again, that's courtesy of folks like State Representative Ray Rodrigues, who takes notable campaign contributions from utilities like FPL, then consistently fields bills that profess to aid the solar revolution while covertly sabotaging what should be the obvious path forward.

72 Comments | Leave a Comment..

Posted on Techdirt - 19 September 2017 @ 3:35pm

HP Brings Back Obnoxious DRM That Cripples Competing Printer Cartridges

from the who-wanted-loyal-customers-anyway dept

Around a year ago, HP was roundly and justly ridiculed for launching a DRM time bomb -- or a software update designed specifically to disable competing printer cartridges starting on a set date. As a result, HP Printer owners using third-party cartridges woke up one day to warnings about a "cartridge problem," or errors stating, "one or more cartridges are missing or damaged," or that the user was using an "older generation cartridge." The EFF was quick to lambast the practice in a letter to HP, noting that HP abused its security update mechanism to trick its customers and actively erode product functionality.

HP only made matters worse for itself by claiming at the time that it was only looking out for the safety and security of its customers, while patting itself on the back for being pro-active about addressing a problem it caused -- only after a massive consumer backlash occurred.

Fast forward almost exactly one year, and it looks like HP hasn't learned much from the Keurig-esque experience. The company this week released a new software update for the company's OfficeJet 6800 series, OfficeJet Pro 6200 series, OfficeJet Pro X 450 series, and OfficeJet Pro 8600 series printers. One of the major "benefits" of the update? Printer cartridges from competing manufacturers no longer work. Again:

According to ghacks.net, a new firmware update for HP Officejet printers released yesterday appears to be identical to the reviled DRM update released exactly one year ago. When you try to use third-party ink after installing the new/old firmware, you apparently run into an error that says “One or more cartridges appear to be damaged. Remove them and replace with new cartridges.” Depending on how many cartridges your specific printer uses, it may be possible to insert one or two without getting an error. But it seems when all of the ink cartridge slots are filled up, the warning message will be displayed again.

Just like a year ago, this restriction is being foisted upon consumers under the guise of a security update, powered by a service HP calls its "Dynamic Security" platform. Fortunately, consumers have several paths to avoid dealing with this nonsense. Customers can head to the HP support website and download an alternate firmware without the Dynamic Security platform embedded (something that HP knows most users won't do, and which places the onus for remedying HP's bad behavior on the end user). Users then have to block HP's automatic update functionality to prevent this firmware from being installed automatically (at the cost of useful updates).

There's probably an easier, more elegant solution: stop buying HP printers until the company realizes that eliminating device functionality under the pretense of security is obnoxious bullshit.

46 Comments | Leave a Comment..

Posted on Techdirt - 19 September 2017 @ 3:23am

California Sides With Comcast, Votes To Kill Broadband Privacy Law Favored By EFF

from the who-needs-privacy-anyway dept

You'll recall that earlier this year, AT&T, Verizon and Comcast successfully lobbied the GOP and Trump administration to kill consumer broadband privacy protections that were supposed to take effect last March. While big ISPs engaged in breathless hysteria about the "draconian" nature of the rules, the restrictions were quite modest -- simply requiring ISPs be transparent about what user data gets collected and sold. They also made it more difficult for big ISPs to charge users significantly more money just to opt out of private data collection, an idea both AT&T and Comcast have already flirted with.

But in quickly axing the rules, big ISPs --- and the regulators and lawmakers paid to love them -- got a bit more than they bargained for. The ham-fisted rush to kill the protections quickly resulted in more than a dozen states passing a patchwork collection of new state laws aimed at protecting broadband consumers. Among the most notable was California Assemblyman Ed Chau's AB 375 (pdf). The proposal largely mirrors the FCC's proposal, though it took an even harder stance against ISPs looking to abuse the lack of competition to effectively make privacy a paid, premium option.

The law quickly received praise from the EFF, which argued that the law would be a good template for other states moving forward, lessening the chance for over-reaching, inconsistent, and poorly written state measures. But large ISPs, Facebook and Google lobbyists quickly got to work demonizing Chau's proposal too, falsely claiming it would somehow weaken user security and magically increase pop ups all over the internet. These and other claims were recently picked apart in an EFF blog post:

"The prediction of "recurring pop-ups" is also false because if anything, the bill would "likely result in fewer pop-ups, not to mention fewer intrusive ads during your everyday browser experience," Gillula wrote. "That’s because A.B. 375 will prevent Internet providers from using your data to sell ads they target to you without your consent—which means they’ll be less likely to insert ads into your Web browsing, like some Internet providers have done in the past.."

But the lobbying had its intended effect, and California lawmakers voted to kill the effort in a night vote over the weekend:

"It is extremely disappointing that the California legislature failed to restore broadband privacy rights for residents in this state in response to the Trump Administration and Congressional efforts to roll back consumer protection,” EFF Legislative Counsel Ernesto Falcon said. “Californians will continue to be denied the legal right to say no to their cable or telephone company using their personal data for enhancing already high profits. Perhaps the legislature needs to spend more time talking to the 80% of voters that support the goal of A.B. 375 and less time with Comcast, AT&T, and Google's lobbyists in Sacramento.”

While the proposal can be reintroduced next year, fighting upstream against the collective lobbying firepower of massive ISPs and Silicon Valley giants like Facebook and Google has proven no easy task. And there have been some comments from FCC Commissioners that they may try and use FCC authority to hamstring these efforts as well. You see, it's a "states rights" issue if you try to prevent states from letting ISP lobbyists write protectionist law hamstringing competition, but those concerns magically disappear when states move to actually protect consumers from duopoly harm.

It's worth re-iterating that ISPs spent years arguing consumers didn't need added privacy protections because the sector would self-regulate. Of course, Verizon subsequently highlighted the folly of such claims when it was busted modifying user packets to track users around the internet without telling them. AT&T similarly did the same when it began charging users $400 to $550 more per year to opt out of behavioral advertising. And other, smaller cable companies like CableONE joined the fun when they proclaimed they'd be using consumer financial data to provide worse customer service to bad credit customers.

The origins of this aggressively bad behavior? The lack of competition in the broadband space. And with the Trump administration looking to effectively gut all oversight of one of the least-competitive and least-liked sectors in American industry, anybody thinking these privacy issues will magically resolve themselves (instead of say, just getting progressively worse) hasn't been paying attention.

37 Comments | Leave a Comment..

Posted on Techdirt - 18 September 2017 @ 6:33am

Yet Another Report Says The Rate Of TV Cord Cutting Is Worse Than Anybody Thought

from the not-just-a-river-in-Egypt dept

For years the traditional cable and broadcast industry has gone to comedic lengths to deny that cord cutting (getting rid of traditional cable TV) is real. First, we were told repeatedly that the phenomenon wasn't happening at all. Next, the industry acknowledged that sure -- a handful of people were ditching cable, but it didn't matter because the people doing so were losers living in their mom's basement. Then, we were told that cord cutting was real, but was only a minor phenomenon that would go away once Millennials started procreating.

Of course none of these talking points were true, but they helped cement a common belief among older cable and broadcast executives that the transformative shift to streaming video could be easily solved by doubling down on bad ideas. More price increases, more advertisements stuffed into each minute, more hubris, and more denial. Intentional blindness to justify the milking of a dying cash cow -- instead of adapting.

But we're slowly but surely reaching the point where the rise of the streaming video revolution can't be denied, with data indicating it's worse than anybody thought. While the pay TV sector lost another 1 million subscribers last quarter, those totals don't factor in those that bought a new home or rented a new apartment, but chose not to sign up for cable. Many of these folks are dubbed "cord nevers," having never bought into the value proposition of paying $130 more per month for a bloated bundle of largely-unwatched reality TV channels from a company that treats paying customers with disdain.

Meanwhile, a new report by eMarketer this week indicates that the pace of customer defections is notably higher than most previous estimates. The firm notes that it was forced to reduce its estimate for US TV ad spending due to faster-than-expected growth in cord-cutting:

"eMarketer expected a slowdown this year in TV ad sales, after 2016 benefited from both the Olympics and US presidential election,” said Monica Peart, eMarketer’s senior forecasting director. “However, traditional TV advertising is slowing even more than expected, as viewers switch their time and attention to the growing list of live streaming and over-the-top [OTT] platforms.”

All told, the firm predicts that by the end of this year, there will be 22.2 million consumers over the age of eighteen that have cut the cord, up 33.2% since 2016. And while there's still a whopping 196.3 million US adults that subscribe to traditional pay TV (cable, satellite, or telco), that tally is down 2.4% over 2016 levels, with the defection rate only accelerating. The cause? A strange idea known as competition and, by proxy, lower prices:

"The acceleration of cord-cutting is the result of several factors,” said eMarketer principal analyst Paul Verna. “First, traditional pay TV operators are increasingly developing streaming platforms, such as Dish Network’s Sling TV. Second, networks such as HBO and ESPN have launched standalone subscription services that allow users to tap those channels without a cable subscription. And third, digital players like Hulu and YouTube are now delivering live TV channels over the internet at reasonable prices—including sports properties that were previously available only through traditional distribution.”

As we've long noted, it wouldn't be particularly hard to nip this entire revolution in the bud. Entrenched cable providers simply have to shore up their abysmal customer service and lower rates for legacy TV. And while a few cable and broadcast executives are finally starting to get it, most would rather double down on lip service, bad ideas and price hikes in the false belief they get to nurse the dying cable cash cow in perpetuity.

47 Comments | Leave a Comment..

Posted on Techdirt - 15 September 2017 @ 12:05pm

Unlimited Data Customers Report Fewer Network Problems Than Capped Users

from the unshackle-me,-please dept

Back in 2011, you might recall that AT&T and Verizon stopped offering users unlimited wireless data plans. Taking advantage of a lack of competition at the time, the duo worked in concert to shove users toward confusing, metered plans that imposed a usage cap, then socked users with overage fees upward of $15 per gigabyte. When users refused to migrate to these plans, both companies spent years making life as difficult as possible for these subscribers, AT&T going so far as to block users from accessing Facetime until they switched to these more expensive, metered plans (but who needs net neutrality rules, right?).

All the while, both companies repeatedly insisted that nobody actually wanted simpler, unlimited plans. That was until increased competition from T-Mobile (thanks in large part to regulators blocking AT&T's attempted acquisition of the company) forced both companies to bring back their unlimited data plans. And while Wall Street has been whining for months that competition is preventing these companies from nickel and diming their customers, consumers generally like the return to unlimited data.

Case in point: a new study by JD Power and Associates indicates that unlimited data customers are consistently more impressed with the performance of their connections than their capped and metered counterparts. More specifically, users on unlimited data plans state that they experience fewer network problems of all kinds than metered users:

Unlimited data emerges as great equalizer for wireless network quality: Customers with unlimited data plans experience an average of 11 overall network quality problems per 100 (PP100) connections vs. an average of 13 PP100 among customers with data allowances. They also have lower incidences of data problems (15 PP100 vs. 16PP100, respectively); messaging problems (5 PP100 vs. 6 PP100); and calling problems (12 PP100 vs. 15 PP100). This trend holds true among both power users (100 or more network connections in the previous 48 hours) and lighter users (fewer than 100 network connections in the previous 48 hours).

That said, the study does proceed to note that this may be based, in part, on the "perception" by consumers that they have a better connection, not necessarily that the network is performing better. In other words, customer perception of a network's performance may be shaded by the fact they don't have to constantly worry about whether they're about to go over their usage restrictions:

“Whether a customer has unlimited data or a data allowance on their wireless plan should not really affect their overall network quality, but our data shows that—consistently—wireless customers who are not worried about data overages have a much more positive perception of their network’s quality,” said Peter Cunningham, technology, media, and telecommunications practice lead at J.D. Power. “This is a critical insight into wireless customer psychology for carriers who’ve been engaged in battle over unlimited data plans for the past several months.”

The meters used by fixed and mobile customers are notoriously unreliable, one study claiming carriers routinely over-bill consumer mobile data usage by between five and seven percent. Despite this, there's nary an effort from any regulator here in the States to ensure that usage is being metered accurately, and that's certainly not changing with the current FCC. And while it's nice to see competition forcing these carriers to actually listen to subscribers, a wave of merger mania in the sector means that this competition -- and the unlimited data resurgence it spawned -- may not be sticking around for long.

8 Comments | Leave a Comment..

Posted on Techdirt - 15 September 2017 @ 6:29am

FCC's New 'Diversity Chair' Has Long History Of Undermining Minority Consumers At Comcast's Behest

from the with-friends-like-these... dept

For years one of the greasier lobbying and PR tactics by the telecom industry has been the hijacking of minority and civil rights groups to help parrot awful policy positions. Historically, such groups are happy to take financing from a company like Comcast, in exchange repeating whatever memos are thrust in their general direction -- even if the policy dramatically harms their constituents. The tactic of creating or "co-opting" such groups helps foster the illusion of broad support for awful, anti-consumer policies, whether that's support for the latest competition-killing merger or support for the assault on net neutrality.

Because this cozy quid pro quo is implied but never put into writing, ISPs traditionally respond with breathless indignance to the mere suggestion they're using minority voices as policy props. But Comcast has found that tactic consistently so successful, a few years back it went so far as to give its top lobbyist, David Cohen, a new title: "Chief Diversity Officer." Said title not only lets Cohen profess the company's unwavering dedication to minorities with one hand while undermining them with the other, but helps him skirt the government's flimsy restrictions on lobbying.

A few weeks back boss Ajit Pai announced the creation of a new "Advisory Committee on Diversity and Digital Empowerment," a group Pai insisted was established to champion the voice of every American, “no matter their race, gender, religion, ethnicity, or sexual orientation." But as we've noted before, Pai's breathless support of closing the digital divide is utterly illusory, as his policies (ranging from gutting popular consumer protections to protecting the cable industry's monopoly over the cable box) consistently involve undermining consumer interests while encouraging industry rate hikes.

Pai has appointed Julia Johnson, president of a consulting firm called NetCommunications, to lead the Advisory Committee. Not too surprisingly, The Intercept was quick to highlight how Johnson has a long history of actively undermining minority interests on behalf of the Multicultural Media, Telecom & Internet Council, a Comcast, AT&T and Verizon funded vessel specifically designed to help provide illusory minority community support for these companies' positions:

"Shortly after Trump named Pai to lead the FCC, the Multicultural Media, Telecom & Internet Council — a nonprofit chaired by Johnson and funded by Comcast, AT&T, Verizon, and other large telecom firms — released statements praising Pai’s appointment and endorsing his strategy for unwinding the net neutrality protections secured during former President Barack Obama’s administration. MMTC’s pro-Trump administration statements, cast as being made on behalf of communities of color, are typical of Johnson’s approach. Over the years, Johnson has used racial minorities as a cudgel to disingenuously lobby on behalf of industry."

It should go without saying, but mindlessly cheering for competition-killing mega-mergers raises rates and harms consumers -- minority or otherwise. As does advocating for the destruction of popular net neutrality and broadband privacy rules. Such protections, however imperfect, help prevent large, incumbent ISPs from abusing the obvious lack of competition in the broadband market. With little to no competition, we've watched as companies like AT&T have tried to charge users a steep premium for privacy, and companies like Comcast have slowly but surely imposed arbitrary and unnecessary usage caps.

We've also noted how this lack of competition has resulted in a large number of minority communities being left behind completely when it comes to next-generation broadband. Groups like the MMTC and dollar-per-holler allies like Johnson have consistently undermined efforts to actually do something about these problems. And getting them to admit their financial ties to giant ISPs has long proven comical, as Ed Markey found out in a 2006 hearing when he tried to uncover whether Johnson was being paid by the telecom industry to oppose policies aimed at forcing ISPs to expand broadband coverage to disadvantaged areas:

Markey: Is your organization financially supported by the Bell [telephone] companies in any way?

Johnson: No, we’re not.

Markey: At all.

Johnson: Yes, and let me elaborate upon that too. We’re a relatively new organization.

Markey: No, that’s OK. I can go along with that answer. That’s fine. Thank you. And are you compensated in any way by the Bell companies?

Johnson: I have a consulting firm that works for a variety of companies, generally in the regulatory space.

Markey: But are the Bell companies amongst those companies that pay you?

Johnson: Yes.

Traditionally the media hasn't shown much of an interest in connecting what are often fairly-obvious dots, a major reason this disinformation and lobbying tactic has been so successful over the last decade. Knowing this all too well, the FCC appears poised to lean on this tactic heavily as it works to kill net neutrality and eliminate most meaningful oversight of one of the least competitive markets in American industry. All while groups like the MMTC and industry allies like Johnson proclaim that gutting consumer protections will somehow aid the very communities these decisions will harm the most.

7 Comments | Leave a Comment..

Posted on Techdirt - 14 September 2017 @ 6:38am

The Google Fiber Honeymoon Period Appears To Be Over

from the the-disruption-that-only-half-arrived dept

When Google Fiber first arrived back in 2010, it was heralded as a gamechanger for the broadband industry. Google Fiber would, we believed, revolutionize the industry by taking Silicon Valley money and using it to disrupt the viciously uncompetitive and anti-competitive telecom sector. Initially things worked out well; with the mere mention of a looming Google Fiber target market resulting in a much-needed conversation about why the United States consistently languishes in mediocrity when it comes to our broadband networks (pro tip: it's because AT&T, Verizon and Comcast all but own state and federal lawmakers).

Seven years later, however, and the Google Fiber bloom appears to be off the rose. There's little doubt that Google Fiber brought some much-needed competition to countless markets, driving down costs and spurring deployment of gigabit networks in key areas (though these benefits are often over-hyped, and broadband competition in countless markets is actually getting worse). There's also no doubt that Google Fiber has been of great benefit to disadvantaged communities, thanks to free deployment of gigabit broadband to anchor institutions and low-income housing developments.

That said, the company has gone through two CEOs in a matter of months, laid off an unspecified number of employees during a restructuring last fall, and has begun to show signs that the company's dedication to the project is wavering at best, and notably derailed at worst. Reports began to circulate last fall that high-level Alphabet execs were bored with the slow pace and high cost of fiber deployment, and were considering pivoting the entire Google Fiber business model to wireless. But the company's messaging regarding this transition has been anything but clear, only driving unease among those waiting for the promised revolution.

Kansas City, Google Fiber's first launch market, was hyped as nothing short of a looming connectivity Utopia at launch. But the better part of a decade later and many locals say Google Fiber has cancelled their installations after years of waiting. And one Kansas City local made headlines recently when she revealed that the company cancelled her broadband service over a 12 cent dispute, a rather Comcast-esque failure by the company. And a local Motherboard report highlighted further how the honeymoon phase of Google Fiber is most decidedly at an end:

"Kansas City expected to become Google's glittering example of a futuristic gig-city: Half a decade later, there are examples of how Fiber benefitted KC, and stories about how it fell short. Thousands of customers will likely never get the chance to access the infrastructure they rallied behind, and many communities are still without any broadband access at all. Many are now left wondering: is that it?

"We were saying that in all likelihood this is too good to be true," said Isaac Wilder, co-founder of the Free Network Foundation and a Kansas City native..."Lo and behold, just a few years later and it's beginning to become clear that [Google Fiber] was just a lot of lip service," Wilder told me.

To be clear a lot of Google Fiber's problems are not the company's fault. AT&T, Comcast, and Charter have filed numerous nuisance lawsuits designed to slow the company's use of city and telco-owned utility poles, and protectionist state laws pushed by these same companies often hinder attempts at public/private partnerships with cities. Meanwhile, the company's murky messaging is in part thanks to the fact that Google Fiber has so many various wireless experiments in the oven, it's not really sure which of these technologies are going to pan out -- making publicly communicating the project's future direction a notable challenge.

That said, Google Fiber's momentum stall comes as Alphabet and Google as a whole are notably veering away from some of the more revolutionary traits that characterized the company a decade ago. Much like the way Google's net neutrality support has magically all-but-dissappeared during this period, numerous reports have indicated that there's a contingent of executives at Alphabet like Larry Page that frankly just got bored by the whole costly telecom disruption thing.

In short, it's possible that Google Fiber successfully pivots to next-generation wireless and fulfills at least some of the lofty promises made early on in the Google Fiber life cycle. But based on the conversations I've had with industry insiders, there would be little surprise if in a few years Google Fiber sold off the entire project to a second-tier telco like CenturyLink, then shifted its focus -- like countless hugely-successful giants before it -- more toward turf protection of its legacy markets.

22 Comments | Leave a Comment..

Posted on Techdirt - 13 September 2017 @ 6:40am

0-Day Vulnerability Exposes Thousands Of AT&T Broadband Customers To Attack

from the whoops-a-daisy dept

AT&T and hardware manufacturer Arris are being accused of leaving millions of broadband subscribers open to attack. A new report by security researcher Joseph Hutchins highlights how five flaws were discovered in Arris routers used by AT&T and numerous other ISPs around the world. Hutchins notes that some of the flaws may have been introduced after they were delivered to AT&T, since ISPs traditionally modify hardware for use on their network post sale. But many of the flaws were courtesy of the all-too-common tendency to ship hardware with hardcoded credentials and SSH enabled by default:

"It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem’s “cshell” client over SSH. The cshell is a limited menu driven shell which is capable of viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the Internet, and even controlling what appears to be a kernel module whose sole purpose seems to be to inject advertisements into the user’s unencrypted web traffic."

Nearly 140,000 devices are impacted, and the Arris NVG589 and NVG599 modems are used by AT&T to power its VDSL broadband (formerly U-verse) service. The vulnerabilities not only open up subscribers to attack, but hardcoded credentials are also to thank for the rise in historically massive DDoS attacks as malware targets such devices for use in botnets. In addition to hard-coded credentials (which you'd think any sensible hardware vendor would steer well clear of at this point), Hutchins notes the devices suffer from default https server credentials, command injection vulnerabilities, and a a firewall bypass on port 49152.

AT&T is refusing to comment and Arris tells ThreatPost it's looking into the flaws. Whichever party is to blame, Hutchins noted that the vulnerability was a result of "pure carelessness" at the companies:

"Regardless of why, when, or even who introduced these vulnerabilities, it is the responsibility of the ISP to ensure that their network and equipment are providing a safe environment for their end users. This, sadly, is not currently the case. The first vulnerability found was caused pure carelessness, if not intentional all together. Furthermore, it is hard to believe that no one is already exploiting this vulnerability at the detriment of innocents."

At a recent Defcon, hackers demonstrated how they were able to break into around half of thirty different commercially-available residential broadband routers without too much elbow grease. Why does this continue to be such a problem? Security experts like Bruce Schneier have repeatedly noted how the same flimsy security we enjoy mocking in the internet of broken things space is all too present in residential broadband router market, thanks in large part to nobody in the supply chain having the financial incentive to do much about it:

"Typically, these systems are powered by specialized computer chips made by companies such as Broadcom, Qualcomm, and Marvell. These chips are cheap, and the profit margins slim. Aside from price, the way the manufacturers differentiate themselves from each other is by features and bandwidth. They typically put a version of the Linux operating system onto the chips, as well as a bunch of other open-source and proprietary components and drivers. They do as little engineering as possible before shipping, and there’s little incentive to update their “board support package” until absolutely necessary.

The system manufacturers – usually original device manufacturers (ODMs) who often don't get their brand name on the finished product – choose a chip based on price and features, and then build a router, server, or whatever. They don't do a lot of engineering, either. The brand-name company on the box may add a user interface and maybe some new features, make sure everything works, and they're done, too."

After that, everybody in the cycle is too focused on making money on the next product or chipset to do the legwork required to keep the hardware or software in these devices updated or secure. This is at the heart of IOT dysfunction, but the problem goes notably deeper than just your easily hacked smart thermostat. Fair or not, the onus then gets put in the lap of the broadband ISP -- since they field the support calls once a customer gets hacked. But swapping out the hardware or troubleshooting existing gear erodes profit margins as well -- at companies that already cut customer support corners to an often comical degree.

As script-kiddie oriented malware kits make attacking these vulnerabilities easier than ever, the problem nobody seems to want to fix is going to only get worse. And while some might incorrectly call it hyperbole, that's why Schneier and many other security researchers have been warning for years that there's dumpster fire just over the horizon that could result in a notable loss of human lives. It's a future everybody in the space can pretty clearly see, but few are willing to spend the money to avoid.

40 Comments | Leave a Comment..

Posted on Techdirt - 12 September 2017 @ 6:30am

Comcast Continues To Insist Its Sneaky, Misleading Fees Are Just The Company's Way Of Being 'Transparent'

from the false-advertising-is-good-for-you dept

We've noted for years now how broadband and cable providers have created a high art out of bogus, misleading fees. Such fees, ranging in name from Comcast's "broadcast TV fee" to CenturyLink's "internet cost recovery fee" -- allow these companies to falsely advertise one price, then sock consumers with a much higher rate once the bill comes due. This allows these companies to not only jack up prices while claiming the don't, but it has the added bonus of making direct price comparisons with competitors almost impossible.

Comcast initially charged $1.50 when its broadcast TV fee first appeared back in 2013, but now charges upwards of $6.50 more per month in many markets -- a 333% increase in just three years. With the occasional exception, regulators and lawmakers tend to turn a blind eye to this practice as little more than pricing creativity. Comcast was however sued for the practice last year, plaintiffs claiming that this practice is not only false advertising, but is primarily designed to let the company raise rates on customers it convinced to sign long-term contracts.

For its part, Comcast has spent the last few years insisting that sneaky, misleading fees are just the company's way of being "transparent" with its users:

"Beginning in 2014, we will itemize a portion of broadcast retransmission costs as a separate line item to be more transparent with our customers about the factors that drive price changes," he said. “In 2014, we will not increase the price of Limited Basic or Digital Preferred video service, and adjustments to other video service prices will be lower than they would have been without the Broadcast TV Fee."

Yes, nothing says "transparency" quite like an advertised price that suddenly jumps due to a completely manufactured, sneaky fee. In Oregon, customers were just informed that Comcast will be hitting users there in October with a $1.50 increase in the broadcast fee, a $2 increase in the company's regional sports fee (also a focus of the recent lawsuit), and a $1 increase in the cost of modem rental. And again, Comcast is attempting to tell locals this is all part of the company's quest to be more transparent with its users:

"We continue to make investments in our network and technology to give customers more for their money - like faster Internet service and more WiFi hotspots, more video across viewing screens, better technology like X1 and a better customer experience," Comcast Oregon spokeswoman Amy Keiter said in a written statement. The sports and broadcast fees, she wrote, "allow us to be more transparent with our customers about the factors driving price changes, and represent only a portion of our costs of carrying broadcast and regional sports networks."

Apparently, Comcast would have you believe that it's necessary to tack these fees on to your bills to help emphasize the fact that programmers are demanding higher and higher rates for the same service. But even if broadcaster demands are often ludicrous -- that's simply the cost of doing business -- and should be included in the overall cost of service. Comcast also apparently believes its subscribers are stupid enough to not realize Comcast NBC Universal is itself one of the biggest broadcasters in America, and owns most of the regional sports networks it's charging an additional fee for.

Eventually, a regulator or lawmaker somewhere will realize this is a predatory and misleading practice that harms consumers. Until then, Comcast customers not only get a heaping dose of false advertising, but also get to hear that this misleading pricing is for their own good. Enjoy!

25 Comments | Leave a Comment..

Posted on Techdirt - 11 September 2017 @ 6:38am

Comcast Sues Vermont, Insists Having To Expand Broadband Violates Its First Amendment Rights

from the defenders-of-the-status-quo dept

So you may have noticed this already, but giant telecom conglomerates don't much like having to upgrade their networks, especially in lower ROI areas. And while that's understandable from a purely-financial perspective, this practice is creating some major, notable broadband deployment holes where poor people tend to live. With telcos specifically refusing to upgrade lagging DSL networks at any real scale, that's also creating an emboldened cable broadband monopoly in many areas. That by proxy keeps prices high, speeds low, and allows the introduction of things like bullshit usage caps and overage fees.

By and large, localized efforts to do something about this generally run face-first into brick walls, thanks in large part to the almost comical stranglehold most ISPs have over state legislatures and regional telecom regulators. In many instances this culminates in ISPs not only refusing to expand their networks into under-served areas, but quite literally writing protectionist state laws to make sure nobody else can, either. This cake and eat it too mentality persists in countless states that have prioritized campaign contributions from the likes of AT&T and Comcast over the general welfare of their public constituents.

Despite the broadband industry consistently whining about "burdensome regulation," the reality is there's little to nothing passing for real oversight in many of these areas, and the regulation that is written -- is often focused primarily on protecting these duopolies' uncompetitive geographical fiefdoms. In Vermont, the Vermont Public Utility Commission (VPUC) recently tried to buck this trend by including provisions in Comcast's 11 year permit (pdf) with the state requiring it to not only retain public access programming in the state, but expand "no less than" 550 miles of additional cable into under-served Vermont communities over 11 years.

To be clear, deploying that much cable over more than a decade is a pittance to a company that sees $21 billion in quarterly revenues. But instead, Comcast decided to sue the state, claiming that doing this extra work violates the company's First Amendment rights:

The VPUC claimed that it could impose the blanket 550-mile line extension mandate on Comcast because it is the "largest" cable operator in Vermont and can afford it. These discriminatory conditions contravene federal and state law, amount to undue speaker-based burdens on Comcast's protected speech under the First Amendment of the United States Constitution... and deprive Comcast and its subscribers of the benefits of Vermont law enjoyed by other cable operators and their subscribers without a just and rational basis, in violation of the Common Benefits Clause of the Vermont Constitution.

ISPs love to trot out the First Amendment complaint wherever and whenever possible, similarly insisting that net neutrality protections somehow curtail their free speech rights (arguments that traditionally don't see much traction in the courts). But Comcast is also busy telling local Vermont news outlets that it's spending money on lawyers instead of more cable because it's just really worried about how much Vermont residents pay for broadband and TV service:

Comcast declined to talk about the case. But in a written statement company spokeswoman Kristen Roberts said the new state permit would, "cost millions of dollars, place discriminatory burdens on Comcast and its customers, and arbitrarily increase their costs for cable service.

While that's very sweet of Comcast, the fact is that Comcast enjoys an effective monopoly over broadband in countless areas; the closest it comes to competition in Vermont being a relatively pathetic telco by the name of Fairpoint Communications. Fairpoint acquired Verizon's unwanted DSL networks in the state several years back, bungled the acquisition, stumbled into bankruptcy, and struggles to offer 3 to 6 Mbps DSL across wide swaths of the state. This is, again, thanks to a generation of lawmakers and regulators that have effectively allowed giant duopolists to write state (and often federal) telecom law.

In a working, competitive market, Comcast wouldn't need to be prodded and cajoled by the state to actually upgrade and expand its network. But there's simply no organic market pressure forcing Comcast's hand because the U.S. telecom market is painfully, obviously broken. As a result, there has been a growing push to explore more creative public/private partnerships to help bring connectivity to long-neglected areas. But Comcast consistently supports laws hamstringing those efforts too, allowing Comcast to have its cake (not deploy broadband) and eat it too (erecting regulatory barriers preventing others from doing so either).

74 Comments | Leave a Comment..

Posted on Techdirt - 8 September 2017 @ 6:19am

Senators Blast The FCC For Weakening The Definition Of Broadband To Try And Hide The Industry's Lack Of Real Competition

from the set-the-bar-at-ankle-height dept

Back in 2015, the FCC raised the standard definition of broadband from 4 Mbps down, 1 Mbps up, to an arguably-more-modern 25 Mbps down, 3 Mbps up. Of course the uncompetitive broadband industry (and the lawmakers who adore them) subsequently threw a collective hissy fit about the change, because they realized a higher bar would only highlight their failure to deliver next-generation broadband to vast swaths of America.

And highlight it did: by this new metric, two-thirds of the country lack access to real broadband from more than one ISP. We've explored repeatedly how this is due to a refusal by the nation's telcos to upgrade lagging DSL connections, leaving cable companies with a growing broadband monopoly across huge swaths of the country. With this reduction in competition comes a growing apathy to customer service, as well as the ability to impose new unnecessary and arbitrary usage caps (read: price hikes) without any competitive reaction by the broken market.

Normally, this is where regulators would step in with policies aimed at shoring up this lack of competition. Under the Telecommunications Act, the FCC is required by law to track broadband deployment and competition and -- if things aren't up to snuff -- "take immediate action to accelerate deployment of such capability by removing barriers to infrastructure investment and by promoting competition in the telecommunications market." But if you fiddle with how precisely broadband penetration and competition is measured, you can avoid having to admit there's a problem, or do anything about it.

With industry-ally Ajit Pai now in charge of the FCC, the telecom industry has been lobbying to weaken the standard definition of broadband to help mask the sector's shortcomings. As if on demand, a new FCC proposal would lower the definition of broadband by declaring a region covered if it has access to wireless data connections at speeds of 10 Mbps. The goal: lower the goalposts for the express benefit of lazy telecom duopolies. Duopolies that talk a good game about "closing the digital divide," but refuse to upgrade huge swaths of their networks (espcially the parts where disadvantaged and poor people live) -- and lobby for protectionist state laws ensuring nobody else can, either.

Of course the FCC isn't framing their decision as the industry-coddling myopia it is, instead declaring this a "modernization" of FCC policy, in some instances fooling media outlets into thinking this is about "reclassying wireless broadband" for some ambiguously noble policy purpose. But a handful of Senators this week criticized the FCC's new plan, highlighting (correctly) how lowering the broadband deployment bar to ankle height is a disservice to those waiting for, or trying to deploy, better broadband:

"At this time, such a striking change in policy would significantly and disproportionately disadvantage Americans in rural, tribal, and low-income communities across the nation, whose livelihoods depend on a reliable and affordable broadband connection... In reading this notice of inquiry, it appears that the FCC, by declaring mobile service of 10Mbps download/1Mbps upload speeds sufficient, could conclude that Americans' broadband needs are being met—when in fact they are not. By redefining what it means to have access, the FCC could abandon further efforts to connect Americans, as under this definition, its statutory requirement would be fulfilled."

AT&T, Verizon and the current FCC will tell you that mobile broadband is a perfect substitution for quality fixed-line broadband. And while that might be true by 2030 or so, that's certainly not the case now. Wireless networks certainly can offer comparable speeds to lower-end fixed-line connections, but traditionally at much higher prices -- and often with notable restrictions on usage (more so with the looming death of net neutrality). So these Senators are also right in highlighting how wireless is far from being a suitable-replacement for fixed-line connectivity:

"We believe that mobile broadband service cannot adequately support the same functions as does fixed service currently and, therefore, cannot be a substitute at this time. A small business owner who wants to begin a new venture today would not be adequately supported by mobile-only service. Should the decision to change current policy be made with the technology currently available, it would signal a strong departure from the Commission's mission, while also implying that certain consumers must accept lower-quality connectivity."

Unfortunately, like net neutrality, the quest to erode basic deployment standards will somehow be framed as a "partisan" debate, causing many to lose the plot. And pandering to the Comcast status quo will be framed as some sort of heroic pledge to phony free market ideals none of the regulators or companies backing this effort actually believe in. But lowering the bar to obfuscate the fact U.S. broadband is an uncompetitive market rife with regulatory capture (especially on the state level) isn't some panacea, it's the kind of weak-kneed regulatory apathy that gave us the customer-service abomination we call Comcast in the first place.

42 Comments | Leave a Comment..

Posted on Techdirt - 7 September 2017 @ 11:57am

The $3.5 Million Check Comes Due for Lenovo And Its Security-Compromising Superfish Adware

from the what-security-and-privacy-problem? dept

You might recall that back in 2015, Lenovo was busted for installing a nasty bit of snoopware made by a company named Superfish on select models of the company's Thinkpad laptops. Superfish's VisualDiscovery wasn't just annoying adware however; it was so poorly designed that it effectively made all of Lenovo's customers vulnerable to HTTPS man-in-the-middle attacks that were relatively trivial for an attacker to carry out. More specifically, it installed a self-signed root HTTPS certificate that could intercept encrypted traffic for every website a user visits -- one that falsely represented itself as the official website certificate.

That's hugely problematic for what should be obvious reasons, but Lenovo doubled down on dumb by issuing a statement initially claiming it didn't see what all the fuss was about and that it was just trying to "improve the shopping experience":

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

Security researchers didn't agree. Neither, apparently, did the FTC, which this week gave Lenovo what amounts to a stern talking to after the company settled allegations it had turned a blind eye to customer security concerns:

"Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said Acting FTC Chairman Maureen K. Ohlhausen. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”

The full FTC complaint (pdf) against Lenovo makes it clear the Superfish adware used the same bunk security certificate for every user of the stealthware -- every time it covertly interupted secure traffic. And, of course, the complaint notes that Lenovo really couldn't be bothered to explain how any of this was happening to the company's customers:

"Respondent did not make any disclosures about VisualDiscovery to consumers prior to purchase. It did not disclose the name of the program; the fact that the program would act as a man-in-the-middle between consumers and all websites with which they communicated, including sensitive communications with encrypted https:// websites; or the fact that the program would collect and transmit consumer Internet browsing data to Superfish."

Yeah, whoops. One complaint exhibit highlights that while users had the option of opting out of this security-compromising, behavioral advertising effort, Superfish and Lenovo made doing so notably hard to spot:

But again, nowhere was the encryption-compromising aspect of this software disclosed to the end user, even in the finest of fine print in the company's privacy policy. And opting out only prevented users seeing ads dictated by their previous browsing habits; doing so didn't stop the software from faking security certificates and compromising the end user's security.

Lenovo won't be required to pay a dime to impacted users; FTC boss Ohlhausen (who downplayed the severity of the deception in her own statement (pdf)), claims the agency lacks the legal authority to obtain civil penalties for first-time violators under the FTC Act. As part of the settlement Lenovo is prohibited from misrepresenting "features of software preloaded on laptops that will inject advertising into consumers' Internet browsing sessions or transmit sensitive consumer information to third parties." Lenovo must also get explicit consumer opt-in consent before installing similar software in the future, and must implement -- for the next 20 years -- a software security program to more dutifully analyze the security impact of such programs.

A day after Lenovo's settlement with the FTC, the company also struck a $3.5 million settlement (pdf) with a coalition of 32 states for violating user privacy and failing utterly to disclose the dangerous nature of the company's laptop bloatware. In a statement Lenovo proclaimed it had seen the error of its ways, and that "security, privacy and quality are top priorities at Lenovo." Of course this is the same company that shortly after the Superfish fiasco was caught stealthily installing bloatware via laptop BIOS, so hopefully Lenovo won't mind if people wait a little while before declaring the company truly reformed.

Read More | 23 Comments | Leave a Comment..

Posted on Net Neutrality Special Edition - 7 September 2017 @ 6:23am

Comcast Whines That The Net Neutrality Debate It Keeps Rekindling Is A Lot Like 'Groundhog Day'

from the I-wish-I-could-stop-punching-myself dept

Large ISPs continue to try their best to pretend they adore net neutrality, and have nothing to do with their own perpetual efforts to crush FCC rules designed to keep the internet relatively open and competitive. Verizon recently released an utterly-comical video that blatantly lied about its role in killing the FCC's consumer protections. And companies like Comcast have penned blog post after blog post falsely claiming that the entire world somehow has it all wrong, and companies with a generation of documented anti-competitive behavior are really just misunderstood sweethearts being falsely maligned by fringe radicals.

You just know Comcast is telling the truth, since it has proudly, repeatedly declared as much in all caps and pretty colors:

:

Bullshit doesn't magically become reality with a change of font. Enter top Comcast lobbyist (the company apparently hates it when you call him that) David Cohen, who recently penned yet another blog post whining incessantly about how the fifteen-year net neutrality debate has become a lot like Groundhog Day, with the same players being forced to make the same arguments over and over again, ad infinitum:

"As the comment period comes to a close in the FCC’s latest review of Open Internet rules, consumers, ISPs, edge providers, and other stakeholders might feel like it is "Groundhog Day," with the same characters weighing in over and over on the same legal and policy issues that the FCC has considered again and again for a decade."

Ignored by Cohen is the fact we wouldn't all be stuck on this idiotic hamster wheel if Comcast and other major ISPs would simply accept the will of the public and stop trying to undermine the health of the god-damned internet. While it's at it, Comcast and its hired policy flacks could stop incessantly lying about how the relatively-basic rules were an apocalypse for industry investment. Comcast complaining about the repetitive, endless nature of the net neutrality debate is much like an arsonist whining about the high temperature in the house he or she is currently burning down.

Of course it doesn't take Cohen long to get to Comcast's real motivation for the post; the company's desire for a new, flimsier net neutrality law Cohen knows he and other industry lobbyists will be writing:

"It’s time to end this constant regulatory fluctuation and focus on protecting consumers and strengthening the American marketplace. As we’ve said before, and as both sides of the aisle have agreed, it’s time for Congress to enact bipartisan legislation that permanently establishes sensible and enforceable open Internet protections. However, until a permanent framework is in place, the FCC can and should ensure a durable backstop and maintain core open Internet protections through one or more of the options outlined in our comments and the comments of others."

We've noted repeatedly how large ISPs are pushing hard for a new net neutrality law they know either won't be passed (the debate remains notably toxic in Congress thanks to guys like Cohen) or will be so filled with lobbyist-crafted loopholes as to be entirely useless. The belief that this bickering, cash-soaked Congress is capable of passing tough consumer protections on this front is utterly laughable. In Cohen's world you're all too stupid to realize this, so Cohen proceeds glibly to again declare Comcast's unyielding dedication to "strong, legally enforceable rules":

"To be clear – as we have said time and time again – Comcast is committed to an open Internet. We support permanent, strong, legally enforceable net neutrality rules. We will continue to not block, throttle, or discriminate against lawful content, no matter what the FCC does. We stand ready to work with policymakers, legislators, and stakeholders to end this regulatory back-and-forth and craft an effective and enduring solution for consumers and the U.S. economy. Ping pong should be for players, not policy."

Clever! Except Comcast could stop this entire game of regulatory ping pong itself -- by simply putting down the paddle. The company lit a fire under the entire debate in 2008 when it repeatedly lied about throttling BitTorrent. It subsequently has abused the lack of competition via unnecessary usage caps and zero rating schemes aimed at hamstringing competitors. And it joined AT&T, Verizon and Charter in suing to overturn the FCC's 2015 rules, utterly terrified that somebody might actually stop the company from abusing its captive, historically disgusted customers.

So yeah, Comcast has a peculiar definition of "commitment" and "support" for tough net neutrality protections, since it has fought viciously against every implementation of this idea over the last fifteen years. And Cohen would like you to ignore that the simplest solution to Groundhog Day purgatory he's responsible for is right in front of his nose: leave the existing, popular rules the hell alone.

24 Comments | Leave a Comment..

Posted on Net Neutrality Special Edition - 6 September 2017 @ 6:36am

Large ISP & Silicon Valley CEOs Were Too Afraid To Publicly Testify On Net Neutrality

from the own-your-words dept

While ISP lobbyists are pushing the government to kill net neutrality protections, they're also pushing hard for a new net neutrality law. Why? With our current historically-dysfunctional and cash-compromised Congress, large ISPs like AT&T and Comcast know that their lawyers and lobbyists will be the ones writing the law -- if it gets passed at all. The end result will be a law ISPs will profess "puts the debate to bed," but which contains so many loopholes as to be effectively meaningless when it comes to protecting consumers and competition.

As a cornerstone of this new push, lawmakers in July sent out invitations to CEOs of major tech companies and major ISPs for a September hearing to be held in front of the House Energy and Commerce Committee. The meeting was, the invitation claimed, an opportunity for stakeholders (only apparently the wealthiest ones) to "rethink the current regulatory model and build new rules from the ground up" in Congress. Again, this is something ISPs have been lobbying for knowing it either won't happen, or if it does will be so loophole-filled as to be worse than useless.

Amusingly, however, none of the invited CEOs from telecoms or Silicon Valley's biggest, wealthiest companies were interested in testifying publicly at the hearing:

"Republican lawmakers had hoped to bring top executives from tech companies and internet providers to testify publicly in a bid to garner support for a deal to set permanent rules on the future of internet access after a more than decade-long fight. No company had publicly committed to testify and many firms were privately reluctant to testify."

The reason for this should be fairly obvious. Large ISPs are perfectly happy to lie about their assault on popular consumer protections in viciously-misleading videos or disengenuous blog posts penned by a rotating crop of lawyers and lobbyists. But no CEO wants to directly own their company's ugly, anti-consumer, anti-innovation, and anti-competitive positions personally in a public hearing, especially given the shady behavior at the FCC and the growing bipartisan public backlash to what Trump's FCC is doing.

Similarly, Google and Facebook don't want to highlight that they stopped supporting net neutrality in any meaningful fashion years ago, and in many parts of the world have repeatedly undermined the concept solely to corner developing nation ad revenues. Netflix CEO Reed Hastings doesn't want to have to explain why the company's support of net neutrality has waned proportionally to the company's growing power, and no major Silicon Valley CEO wants to own the fact their apathy on this subject has left small and mid-sized companies, startups and consumers alone and under-funded as they fight to keep the internet a relatively level playing field.

But worry not! Lawmakers like Greg Walden were quick to make it clear that instead of publicly and transparently owning their inconsistent to downright anti-consumer positions, these large companies will continue to haggle out the details of a new law behind closed doors:

"Zach Hunter, a spokesman for the committee’s chairman, U.S. Representative Greg Walden of Oregon, said the hearing was postponed because of talks over the future rules. “As negotiations progress on a permanent solution for net neutrality that ensures a free and open internet, the committee will postpone the original hearing in order to allow talks between stakeholders to continue,” he said."

So as the FCC works to kill the rules currently on the books, the nation's largest companies and cash-compromised lawmakers will be debating -- without your input -- how to replace these rules with the policy equivalent of wet cardboard. Throughout the fall you're going to see countless ISP-prompted editorials popping up (like this one and this one and this one and this one...) insisting such a law is the best -- or only -- path forward. Be sure to note how these calls ignore what the public wants -- and that the easiest path forward isn't another new law, but to simply leave the existing, popular net neutrality protections alone.

24 Comments | Leave a Comment..

Posted on Net Neutrality Special Edition - 5 September 2017 @ 10:40am

Apple Throws Its Support Behind Net Neutrality. Sort Of.

from the don't-pull-a-muscle dept

While large Silicon Valley companies like Google and Facebook are often credited for being "net neutrality supporters" in the media, their actual support of the concept is often incredibly flimsy. Though it's quick to claim otherwise, Google hasn't really supported net neutrality since around 2010 or so, progressively walking back its dedication as it pushed into the fixed and wireless broadband sectors. Similarly Facebook often says all the right things, but internationally has been repeatedly accused of trampling the open internet in its quest to dominate developing nation advertising markets.

We're also now seeing similar behavior from companies like Netflix, which aggressively supported net neutrality when the streaming company was a scrappy upstart, but has since walked back its support now that it's an international video juggernaut. While these companies still occasionally pay lip service to the concept of net neutrality via their joint policy organizations, these are often token gestures -- leaving consumers, consumer advocates and smaller companies and startups alone and under-funded in the quest to maintain something vaguely resembling an open and level internet playing field.

Apple has also paid little more than fleeting lip service to neutrality over the years -- and has been largely quiet as the Trump administration works to remove most meaningful oversight of the barely-competitive telecom sector. But last week the Cupertino giant took things a little further, filing comments with the FCC in support of protecting net neutrality. Sort of. Apple does make it clear that it doesn't think ISPs should indiscriminately block, throttle or otherwise hinder competitors' content:

"Broadband providers should not block, throttle, or otherwise discriminate against lawful websites and services. Far from new, this has been a foundational principle of the FCC’s approach to net neutrality for over a decade. Providers of online goods and services need assurance that they will be able to reliably reach their customers without interference from the underlying broadband provider.”

Granted, this isn't saying much of anything. Even most large ISPs like Comcast and AT&T have made it clear they have no intent of outright blocking or banning content given the potential PR backlash. And the net neutrality has long-since become more nuanced as incumbent ISPs have been forced to be more creative with the way they hamstring competitors (usage caps, zero rating, interconnection shenanigans).

It's also commedable that Apple makes it clear that lifting the current ban on paid prioritization could prove problematic for companies whose services compete with the likes of AT&T, Comcast, and Verizon:

"Lifting the current ban on paid prioritization arrangements could allow broadband providers to favor the transmission of one provider’s content or services (or the broadband provider’s own online content or services) over other online content, fundamentally altering the internet as we know it today — to the detriment of consumers, competition, and innovation."

Again, that's great -- especially since Verizon, AT&T, Charter and Comcast have a generation of documented experience creatively abusing the lack of competition in the broadband market to hamstring competitors.

It's here however that Apple's support wavers. We've noted repeatedly how large ISPs are pushing hard for a net neutrality law -- because they know they'll be the ones writing it, ensuring it's far weaker than the current protections currently on the books. That's why if you actually care about net neutrality, you need to realize that keeping the existing (though admittedly imperfect) rules on the books is the easiest and best path forward. But Apple never explicitly urges the FCC to keep Title II and FCC authority in place, instead insisting it's open to "alternative sources of legal authority" to help protect consumers from incumbent ISP shenanigans:

“Apple remains open to alternative sources of legal authority, but only if they provide for strong, enforceable, and legally sustainable protections, like those in place today. Simply put, the internet is too important to consumers and too essential to innovation to be left unprotected and uncertain.”

The problem is there is no "alternative source of legal authority." You'll recall Verizon successfully sued to overturn the FCC's flimsy 2010 net neutrality rules, a court informing the FCC that it couldn't protect net neutrality without first returning ISPs to their pre-2002 status as "common carriers" under the telecom act. So that's what the FCC did in 2015, a decision that has been subsequently held up by the courts. The only other "alternative source of legal authority" would be a new law by Congress, and if anybody believes the current Congress is genuinely interested in passing a tough, consumer-friendly net neutrality law free of large ISP-dictated loopholes -- you've been living in some other, saner dimension.

Again. it's great to see Apple support net neutrality here, especially since they've historically been so muted -- and make it clear they only support alternatives that result in "strong, enforceable and legally sustainable protections." But with large ISP lobbyists now aggressively ramping up their quest for a new, flimsy law (see ISP-driven editorials like this one and this one and this one and this one...) companies that actually support net neutrality need to make it clear to the public that the best -- and only -- real path forward at the moment is keeping the existing, extremely popular rules intact.

3 Comments | Leave a Comment..

More posts from Karl Bode >>