Karl Bode’s Techdirt Profile

kbode

About Karl Bode

Karl Bode is a freelance writer living in New York who has been babbling, jabbering and prattling about technology, politics and culture professionally for more than fifteen years. Follow me on Twitter @KarlBode

http://www.linkedin.com/in/karlbode



Posted on Techdirt - 2 September 2015 @ 3:33pm

The Boston Globe Will No Longer Let John Sununu Shill For Telecom Companies Under The Pretense Of Objectivity

from the sockpuppets-marching dept

Like so many industries, the telecom industry employs a literal army of paid "consultants," fauxcademics, fake consumer advocates, ex-politicians and other talking heads to parrot industry policy under the pretense of objective analysis. Usually this sockpuppet army is used to build a sound wall of illusory support for shitty policy. This practice has worked for decades, in large part, because very rarely can newspapers or websites be bothered to disclose the fact that these individuals are paid to spew total and absolute nonsense by anybody interested in hiring their services via a third party (usually a law firm or lobbying group).

Case in point: the Boston Globe apparently has declared that it will no longer allow former New Hampshire Senator John Sununu to proudly shill for telecom companies within the publication's hallowed walls. Sununu is on the board of directors for Time Warner Cable, and has been paid $750,000 to be an "honorary co-chair" for broadband industry lobbying group Broadband for America. As a loyal hireling, Sununu can often be found repeating broadband industry dreck in media outlets everywhere, whether that's the claim that net neutrality rules will destroy the Internet, or that Netflix is a vile monster getting a "free ride" on ISP networks and must be punished.

Historically, when Sununu writes for the Globe, the paper has simply described him as "a former Republican senator from New Hampshire, (who) writes regularly for the Globe," without bothering to disclose that somebody's often paying for Sununu's time. Despite years of this, only recently has the Globe come under fire for its flimsy-to-nonexistent transparency policies for Sununu and other freelance contributors.

Globe editorial-page editor Ellen Clegg recently responded to this criticism by stating the paper would no longer be sharing Sununu's telecom-related insights:

"In the interest of more transparency, we’re posting bios for our regular freelance op-ed columnists online and linking those bios to their bylines. John Sununu has told me he will avoid writing about issues pertaining to cable and internet access because of his seat on the Time Warner Cable board."

Note Clegg's primary worry appears to be Sununu's seat on a cable company board, not the fact that he's been paid by a lobbying group since 2011 or so. Sununu can, of course, still write on other issues where his conflicts of interest are at least marginally obscured in some half-assed fashion. Clegg goes on to make some ambiguous promises in regards to shoring up any transparency gaps moving forward:

"It’s safe to say that few freelance columnists make their living solely from writing for newspapers these days, so most have other jobs or consultancies. We want to be more transparent with our readers about the nature of columnists’ work and affiliations. When appropriate, we’ll include relevant details in the text of the print edition of the column, as well as the link for our digital readers."

Great, except it's not entirely clear that just posting a bio is enough, since those bios often intentionally obscure direct financial relationships. Take a recent Sununu piece in the San Francisco Chronicle, for example, which actively helps Sununu and friends confuse customers by pretending the telecom lobbying group that pays Sununu, "Broadband For America," is actually "a coalition of 300 Internet consumer advocates, content providers and engineers."

It takes about twenty minutes of research to discover "Broadband For America" is primarily a big-telecom lobbying vessel, funded almost solely by the cable industry, whose broader roster of members are included to create the illusion of diversity (often to their own surprise). These connections don't require back-breaking journalism to make; the money trail and faux objectivity are usually only obscured by the thinnest of veneers. Yet apparently, it took the Globe the better part of five years to decide it might be a good idea to highlight that their purportedly objective telecom-related editorials were being written by a paid lobbyist.

And Sununu's just one of thousands of discourse-polluting mouthpieces employed by the telecom sector. Former Senator and fair use champ Rick Boucher now works for Sidley Austin's "Government Strategy Group," one of countless AT&T lobbying vessels for policy regurgitation. When Boucher gets paid by AT&T to argue that CISPA would be good for privacy or pretend the broadband industry is ultra-competitive, you'd be hard pressed to find a single news outlet willing to highlight the umbilical cord that affixes him to the AT&T mothership.

And that's just two former politicians. There are thousands of other academics, consultants, politicians, think tankers and freelance telecom editorialists happy to regurgitate any and everything for pay, whether that's cheering Comcast's latest merger or insisting the broadband industry is secretly, wonderfully competitive. While this lack of transparency is common across the board in media, you'd think that journalism-lecture-happy newspapers in particular would be the first in line to proactively highlight dubious editorial funding relationships.


Posted on Techdirt - 2 September 2015 @ 10:41am

The Cable Industry Is Fighting Tooth And Nail To Prevent Cable Set Top Box Competition

from the protectin'-innovation-through-obstinance dept

For years now regulators have tried fruitlessly to bring a little more competition to the cable set top box market. While CableCARD was supposed to be a revolution on this front, regulatory enforcement was messy and inconsistent, and to protect set top box rental revenues and overall market control, cable companies rarely advertised the technology and made installations frequently nightmarish and expensive. When lackluster CableCARD stats then emerged annually, the cable industry just shrugged and apathetically declared that gosh -- nobody really wanted choice anyway.

Senators Ed Markey and Richard Blumenthal recently collected data from ten cable companies and found that things haven't really improved when it comes to set top box competition. Their data found that 99% of cable customers still rent a cable box, and pay $231 in fees annually for hardware that's usually not even worth a single year's payments. As a result, the cable industry generates $19.5 billion per year in rental fees, and has every incentive to keep things as they are.

Last fall, Congress passed the Satellite Television Extension Act Reauthorization (STELAR), which effectively killed the CableCARD and the FCC's sloppy attempt to crack open the set top market. However, STELAR's passage included the creation of the Downloadable Security Technology Advisory Committee (DSTAC), tasked with advising the FCC on how to move forward on a CableCARD replacement that actually works. That's no small feat given the cable industry desperately wants to maintain the status quo, and the copyright brigades want hardware to be as locked and crippled as possible.

Among the DSTAC proposals released last week (pdf) is the idea of a "virtual headend," where network security functionality is performed in the cloud, leaving the end user device flexible for an array of hardware and software solutions. It's an evolution of the "Allvid" proposal the FCC considered in 2010, intended to create a single, unified standard for a set top gateway that's open to all forms of video competition, software and hardware alike.

Not too surprisingly this idea has the support of companies like Google, Apple, Sony and Microsoft, but has faced stiff opposition from the cable industry. With reports suggesting DSTAC will be pushing such an open platform (even if more flexible than the original Allvid proposal), the cable industry's chief lobbying apparatus (the NCTA) is of course once again trotting out the safety, privacy and security bogeyman:

"Regrettably, the report veers off course by including a controversial proposal to place a burdensome technology mandate on MVPDs known as AllVid. This approach could jeopardize consumer protections including privacy, emergency alerts, parental controls, and inhibit innovation by allowing the government to dictate the way video content is delivered to consumers. Fortunately, the report reflects substantial opposition to the idea of a new, government-imposed technology mandate and extensively describes the proposal's shortcomings."

Yes, and we wouldn't want to "inhibit innovation," would we? Opening up the locked-down cable set top box not only would open the door to greater set top hardware competition, but it would ultimately threaten the cable industry's stranglehold over cable itself. As such, it's highly unlikely that any proposal worth its salt will see NCTA approval. It's also probably unsurprising that Allvid has the support of consumer advocates like Public Knowledge and the New York Times editorial board, which this week tried to soft sell the idea to the cable industry at the bottom of an editorial on the subject:

"Cable and satellite companies will surely resist change or try to water down the new F.C.C. regulations. After all, they stand to lose billions in rental fees. But it is in their long-term interest to give consumers more choices. A growing number of Americans are giving up cable-TV because it costs too much. Consumers might be more inclined to pay for cable if the industry stopped trying to nickel-and-dime them."

Except it's not really in their long-term interest to give consumers more choices. Open set top gateways and open, competing platforms would only further usher in increased Internet video options, incurring a mass realization that people pay the cable industry far too much, for far too little. As such, expect the cable industry to scratch, piss and moan until it has ensured that whatever standard emerges from the FCC committee is a scarred and bastardized shadow of the original intent. And should this shadow actually survive the lobbying gauntlet and see real-world adoption, the cable industry will surely work tirelessly to ensure the same level of dysfunction consumers enjoyed with the CableCARD.

On the bright side: none of this really matters longer term. Neither incompetent regulators nor terrified legacy giants can stop the Internet video revolution from threatening traditional cable television. And as traditional cable's power wanes, its all-too-comfortable walled-garden authority over the set top box market becomes utterly irrelevant. As such, the cable industry needs to stop focusing on swimming upstream, and start battening down the hatches ahead of what's going to be a particularly nasty storm.


Posted on Techdirt - 2 September 2015 @ 5:58am

Microsoft Retrofitting Windows 7, 8.1 With Windows 10's Privacy-Invading 'Features'

from the unavoidable-Redmond-umbilical dept

Last week we noted that while Windows 10 has generally seen good reviews in terms of spit and polish, there's growing concern that the OS is too nosy for its own good, and that the opt-out functionality in the OS doesn't really work. Even when you've disabled a number of the nosier features (like Windows 10's new digital assistant, Cortana), the OS ceaselessly and annoyingly opens an array of encrypted channels back to the Redmond mother ship that aren't entirely under the user's control.

Now some of the information being transmitted is purportedly harmless, and some of the problems appear to be overblown (like Windows 10 being banned from some BitTorrent trackers for fear of it reporting user piracy activity), but an operating system you can't fully control is still undeniably stupid and annoying. And it's a curious choice for a company intent on moving beyond the fractured Windows adoption of yesteryear and encouraging the lion's share of Windows users to hop on to a new platform.

Making matters worse, Microsoft now seems intent on retrofitting its older operating systems (specifically Windows 7 and Windows 8.1) with many of the annoying, chatty aspects of Windows 10. GHacks has noticed that four updates to the older operating systems, described as an "update for customer experience and diagnostic telemetry," connect to vortex-win.data.microsoft.com and settings-win.data.microsoft.com. These addresses are hard-coded to bypass the hosts file, and ferry all manner of personal information back to Microsoft.

Fortunately, it appears that users in this instance can configure Windows firewall and routers to block the traffic, and users can avoid much of the snooping by opting out of the Customer Experience Improvement Program (CEIP):

"The concern with the new Diagnostic Tracking service is much the same as with Windows 10's tracking: it's not clear what's being sent, and there are concerns that it can't be readily controlled. The traffic to Microsoft's servers is encrypted, sent over HTTPS, so it can't be easily examined. While the knowledge base articles describing the new service list the DNS names of the servers that the service connects to, there are reports that the service ignores the system HOSTS file. As such, a traditional and simple method for redirecting the traffic doesn't work.

However, we're not sure just how big an impediment this is in practice; in our testing of Windows 8, the built-in Windows Firewall, for example, is more than capable of blocking the traffic, and this appears to be working entirely as it should. Disabling the service is also effective for those who don't trust its behavior."

Still, it's annoying that Microsoft continues to insist on expanding this kind of OS behavior, without making opting out simple and comprehensive. And it certainly doesn't exactly deflate arguments by folks like Richard Stallman, who consistently argue that Windows is effectively malware. More than anything though, it's a continued advertisement for Linux and operating systems that the end user actually has some degree of control over.


Posted on Techdirt - 1 September 2015 @ 11:44am

Comcast Users Now Need To Pay A $30 Premium If They Want To Avoid Usage Caps

from the screw-you dept

Comcast has slowly but surely been expanding the company's usage cap trials since around 2012, largely focusing them on less competitive markets where annoyed users can't vote with their wallets. In these seventeen (and counting) trial markets, Comcast broadband customers face a monthly usage cap of 300 gigabytes. After that, users need to shell out $10 for each additional 50 gigabytes of data consumed. The trials have expanded slowly but surely in the hopes of minimizing user backlash. Basically, Comcast is the hot water slowly coming to a boil, and you're the frog.

It appears that Comcast has now added a new wrinkle to the mix, and has started charging these trial users an extra $30 if they want to bypass usage caps. The company's FAQ for the new option tries to argue that the change is being made to provide consumers with greater "choice and flexibility":

The Unlimited Data Option provides additional choice and flexibility for our customers who may make heavier use of the Internet. Enrollment is optional. The Unlimited Data Option costs the current additional fee of $30 per calendar month, regardless of actual data usage. The 300 GB plan will not apply to customers who enroll in the Unlimited Data Option.

Yeah, that's bullshit. Back in 2012, users in these trial markets used to get uncapped Comcast broadband service as a matter of course. They now get to pay $30 more a month for the honor of avoiding Comcast's totally arbitrary and unnecessary usage restrictions. And it's all thanks, of course, to the painful lack of competition in most Comcast markets. While this "unlimited" option is currently only being tested in the Florida cap markets, Comcast has made it clear for years it hopes to impose this kind of punitive pricing system in all markets.

You'll recall the cable industry used to claim usage caps on fixed-line networks were necessary due to congestion (fear the Exaflood!). But as bandwidth costs dropped and intelligent network gear offered far more sophisticated ways of managing network load, the cable industry finally admitted that congestion had nothing to do with it. And while the cable industry now tries to argue that usage caps are necessary due to "fairness," they're really about one thing and one thing only: taking advantage of limited competition and protecting legacy TV revenues from Internet video.

If you peruse the Comcast usage cap FAQ you'll notice that Comcast doesn't even really bother with an explanation or justification as to why the caps are necessary, since even the nation's least-liked company knows any defense of this position is futile. This is about as close as Comcast gets to delivering a coherent explanation as to why these limits were imposed:

As the marketplace and technology change, we do too. We evaluate customer data usage, and a variety of other factors, and make adjustments accordingly. Over the last several years, we have periodically reviewed various plans, and recently we have been analyzing the market and our process through various data usage plan trials.

So yeah, we're not a massive incumbent telecom exploiting uncompetitive markets and lazy regulators, we're just experimentin' and changin' and what have you! Comcast has made it abundantly clear that it plans to keep expanding these usage caps (and charging you to avoid them) until either the competition fairy somehow materializes better broadband options out of the ether, or regulators wake the hell up and realize that usage caps on fixed-line networks are a predatory assault on captive customers, an affront to innovation, and an aggressive abuse of monopoly power.


Posted on Techdirt Wireless - 1 September 2015 @ 8:19am

Parents Sue School, Claim Wi-Fi Made Son Sick

from the shaky-science dept

For years now we've noted how some people are absolutely positive that Wi-Fi is making them sick, despite a lack of any substantive evidence on that front. Still, schools have repeatedly found themselves on the receiving end of lawsuits for simply installing and using Wi-Fi, and in some cases have been forced to remove the technology for the supposed benefit of the "electromagnetically sensitive." The majority of double-blind studies conducted indicate that, contrary to claims of the afflicted, these individuals cannot accurately state when they're in the presence of stronger electromagnetic fields.

Regardless, a lack of science hasn't stopped parents in Massachusetts from suing their local private school, claiming the school installed new Wi-Fi gear in 2013 that triggered "headaches, nosebleeds, nausea, and other symptoms" in their thirteen-year-old child. The suit hopes to have "Electromagnetic Hypersensitivity Syndrome" classified under the protections of the Americans with Disabilities Act. According to the lawsuit (pdf), the child's mother, after "much research and study," concluded that it was the Wi-Fi making the child sick, something family doctors were willing to substantiate.

Justifiably, the school brought in EMF analysis experts to document the specific EMF hazard being posed (spoiler, there wasn't any):

"Isotrope found that the combined levels of access point emissions, broadcast radio and television signals, and other RFE emissions on campus ‘were substantially less than one ten-thousandth (1/10,000th) of the applicable (FCC) safety limits.’"

The family was also annoyed when the school district wanted to use their own doctors, who in about ten minutes (at least according to the parents) came to the conclusion that whatever is ailing the kid, it wasn't Wi-Fi radiation:

"The family was also unhappy after officials at Fay asked them to have G see another physician, who after speaking to G for 10 minutes and not conducting any tests “pronounced that in his view there was not enough study yet done to link Wi-Fi emissions to symptoms such as those G is experiencing at Fay School,” they say in the complaint. "This doctor stated in essence that he does not believe in EHS,” the lawsuit says. “Yet he made no alternate diagnosis."

All told, the parents demanded the school run Ethernet to classrooms their child attends, lower the overall power of Wi-Fi transmissions in the school, and provide $250,000 in settlement funds. A new, updated report suggests that a preliminary settlement with the school may have already been reached. Maybe it's just me, but it seems like these disputes could be settled very easily (and without hindering the school's coffers or other students' capacity for learning) by having the electromagnetically-sensitive participate in a blinded study requiring they clearly illustrate their ability to detect electromagnetic fields.

While there are countless diseases that constantly illustrate we certainly don't know as much as we think we do (Lyme Disease, for example), if EMF exposure really is having that dramatic of an impact on certain individuals, this is surely reproducible and provable, right? Right?


Posted on Techdirt Wireless - 1 September 2015 @ 5:30am

T-Mobile CEO Vows To Hunt Down 'Thieves' And 'Clever Hackers' That 'Abuse' Company's Unlimited Data Plans

from the unlimited-is-limited dept

For more than a decade now wireless carriers have struggled with this rather simple definition:

unlimited, adjective

1. not limited; unrestricted; unconfined: unlimited trade.

2. boundless; infinite; vast: the unlimited skies.

3. without any qualification or exception; unconditional.

While carriers have long insisted they offer "unlimited" data, they go to great lengths to avoid offering said advertised product when the gluttonous masses inevitably come calling to partake in the all-you-can-eat buffet. Countless companies have had their wrists slapped for the failure to disclose that their "unlimited" plans are in fact quite limited. Verizon settled a lawsuit from NY's AG back in 2007 for advertising capped and throttled services as unlimited. When Verizon and AT&T later ditched all unlimited plans, they both still waged a quiet war on unlimited users, again throttling or otherwise restricting their data consumption.

In recent years T-Mobile has taken advantage of this shift and marketed itself as one of the last companies that truly embraces unlimited data. Well, sort of. If you sign up for an unlimited T-Mobile smartphone plan, T-Mobile's website will quietly inform you that by "unlimited" T-Mobile actually means 21 GB, after which (provided you're on a congested tower), you'll have your speeds "de-prioritized" for the remainder of your billing cycle. Customers that sign up for unlimited data are also greeted with this notice, usually down below the advertisement:
So under T-Mobile's "unlimited" plans, unlimited smartphone use may actually be somewhere around 21 GB, while data consumed when tethering the phone as a modem or hotspot is throttled after 7 GB of consumption. Now to be fair, those allotments are pretty generous. And as carriers are quick to argue, the fact that you can still use data beyond those limits (albeit at reduced speeds) still technically means the connection is "unlimited." But the industry's still playing it a little loose with what is a clearly-defined term (I've underlined the key synonyms above if any confused carriers are reading).

For a while now, T-Mobile customers that install third-party ROMs have been able to skirt the 7GB tethering throttling limit. This has, apparently, greatly annoyed T-Mobile CEO John Legere, who has taken to the company's blog to declare he's now hunting down data "thieves" for the benefit of all mankind:

"...These violators are going out of their way with all kinds of workarounds to steal more LTE tethered data. They’re downloading apps that hide their tether usage, rooting their phones, writing code to mask their activity, etc. They are “hacking” the system to swipe high speed tethered data. These aren't naive amateurs; they are clever hackers who are willfully stealing for their own selfish gain."

According to Legere these "clever hackers" only comprise around 1/100 of a percent of the company's 59 million customers, and a few of them have been eating as much as two terabytes a month of data. So why is T-Mobile making so much noise about a small number of customers it could easily shove to metered plans privately? T-Mobile's trying to get out ahead of media criticism for imposing limits on "unlimited" data, and to avoid the FCC's net neutrality and transparency rules by clearly stating intent (even if the T-Mobile FAQ on the issue doesn't really offer technical specifics).

It should be noted that every ISP on the planet has to deal with a small subset of extremely heavy users. This is nothing new, and if T-Mobile had said nothing, people probably wouldn't have given a damn. But after insulting his userbase, Legere proceeds with false bravado to pretend that the perfectly ordinary practice of protecting the network from gluttons somehow makes T-Mobile an industry leader:
These abusers will probably try to distract everyone by waving their arms about throttling data. Make no mistake about it – this is not the same issue. Don’t be duped by their sideshow. We are going after every thief, and I am starting with the 3,000 users who know exactly what they are doing...I won't let a few thieves ruin things for anyone else. We’re going to lead from the front on this, just like we always do. Count on it!

Good job I guess? To be clear: outside of its wishy-washy net neutrality stance I like T-Mobile, and think the company has done some great things to nudge the industry forward (like killing subsidies and reducing overseas roaming costs). I also think these allotments are more than fair for the price being paid, and T-Mobile has every right to police its network, since two terabytes of mobile consumption is gluttonous by any standard. That said, acting like it's the pinnacle of "clever hacking" and villainy to modify a device you own to get a service advertised as unlimited is a tad specious and theatrical. And Legere's decision to subsequently bicker with users on Twitter for the rest of the day wasn't the "uncarrier's" finest PR hour:
Snark, fanboys and fisticuffs aside, the core of the problem continues to be the use of the word unlimited to sell products that simply aren't. Since the first time the term was marketed it has confused the hell out of users who don't understand that in the age of finite spectrum, intelligent network management and hungry bean counters, there really is no such thing. If you're not willing to offer truly unlimited data (and frankly no spectrum-constrained wireless carrier truly is), stop advertising unlimited data, put your next-best offer clearly on the table, and stop molesting the god-damned dictionary.


Posted on Techdirt - 27 August 2015 @ 10:41am

Leading DarkNet Market Agora Temporarily Suspends Service Over Tor Vulnerability Concerns

from the here-come-the-fuzz dept

As the government continues to play Whac-a-Mole with darknet drug bazaars, one of the Silk Road's leading darknet market replacements says it has temporarily suspended service over Tor vulnerability concerns. In an encrypted post to the site's buyers and dealers (copied over to PasteBin and over at the /r/darknetmarkets subReddit), Agora's administrators say the darknet market is nervous about law enforcement's ability to take advantage of recent Tor vulnerabilities, and as such are pulling the market offline for an undisclosed amount of time to protect the site:

"Recently research had come that shed some light on vulnerabilities in Tor Hidden Services protocol which could help to deanonymize server locations. Most of the new and previously known methods do require substantial resources to be executed, but the new research shows that the amount of resources could be much lower than expected, and in our case we do believe we have interested parties who possess such resources. We have a solution in the works which will require big changes into our software stack which we believe will mitigate such problems, but unfortunately it will take time to implement."

While the post doesn't specify which Tor vulnerability the market's responding to, a paper recently published by researchers from Qatar University and MIT (pdf) argued that it was possible to use a Tor vulnerability to identify Tor hidden services with as much as 88% accuracy. Tor director Roger Dingledine responded to these findings in a blog post back in July. Dingledine downplayed the ability of the vulnerability to be exploited in the wild, while pointing out that researchers have long over-estimated the ease of such fingerprinting methods in the real world.

To succeed in the fingerprinting process, the attacker needs to control the Tor entry point for the server hosting the hidden service, and have previously collected unique network identifiers allowing for the fingerprinting for that particular service. Still, Agora itself strongly hints that they've seen some (presumably law enforcement) behavior in the wild already attempting to take advantage of the vulnerability, and wasn't willing to take the risk:
"...We have recently been discovering suspicious activity around our servers which led us to believe that some of the attacks described in the research could be going on and we decided to move servers once again, however this is only a temporary solution. At this point, while we don't have a solution ready it would be unsafe to keep our users using the service, since they would be in jeopardy. Thus, and to our great sadness we have to take the market offline for a while, until we can develop a better solution. This is the best course of action for everyone involved."

Agora's decision to forgo possible revenue for the sake of OPSEC (operational security) resulted in some Reddit posters praising Agora for its "iron testicles". The outfit does appear to be slowly paying funds back to dealers and users (funds for DarkNet markets are usually held in escrow until deals are completed), but payments appear to be taking 24 to 48 hours for Agora to process. Meanwhile, admins for other darknet markets, like Middle Earth, have subsequently proclaimed that they have already covered their bases and aren't worried about the vulnerability:

"We noticed the strange happenings early on. We KNOW that TOR devs are the best of the best. This is only theoretical paper from MIT students. TOR updates daily on a development level, they would fix any vulnerabilities from any theoretical paper. Emphasis: Theoretical Paper, Not Successful Tests. We have covered all bases."

While the Agora shutdown combined with dropping Bitcoin value (due to the potential forking of currency development by those concerned about scalability) have Bitcoin advocates and Darknet market users sweating a bit, Agora's shutdown would seem to be only a temporary bump in the road to future darknet opsec skirmishes. Agora already had survived last November's Operation Onymous, which took down Silk Road 2 and 400 other websites. It's still debated whether those seizures were thanks to a Tor vulnerability or old-fashioned detective work (law enforcement obviously isn't keen on being illuminating).

Even if Agora doesn't return, there's a half-dozen or more already established Darknet markets happy to fill the void and satiate the globe's inexhaustible supply of drug buyers and dealers, those entertained by the endless game of opsec cat and mouse, and the government's insatiable need to fill its mole-whacking quota.


Posted on Techdirt Wireless - 27 August 2015 @ 3:13am

Study: 15% Of Wireless Users Now Tracked By Stealth Headers, Or 'Zombie Cookies'

from the utterly-unaccountable dept

Earlier this year AT&T and Verizon were caught modifying wireless user traffic to inject unique identifier headers (UIDH). This allowed the carriers to ignore a user's privacy preferences at the browser level and track all online behavior. In Verizon's case, the practice wasn't discovered until two years after implementation, and the carrier integrated a working opt-out mechanism only after another six months of public criticism. Verizon and AT&T of course denied that these headers could be abused by third parties. Shortly thereafter it was illustrated that it was relatively easy for these headers to be abused by third parties.

While the fracas over these "stealth" or "zombie" cookies has quieted down since, a new study suggests use of such stealth tracking is increasing around the world as carriers push to nab their share of the advertising pie. Consumer advocacy group Access has been running a website called AmiBeingTracked.com, which analyzes user traffic to determine whether or not carriers are fiddling with their packets to track online behavior. According to a new study from the group (pdf) examining around 200,000 such tests, about 15% of site visitors were being tracked by the carriers in this fashion all over the globe:

Globally, the report notes that AT&T, Bell Canada, Bharti Airtel, Cricket, Telefonica de España, Verizon, Viettel Peru S.a.c., Vodafone NL, and Vodafone Spain are all now using stealth headers. In many of these instances there are no opt-out mechanisms in place for users, or the opt-in mechanisms that exist don't actually work. Most regulators meanwhile don't even realize this technology exists, much less have any plan to protect user privacy via hard opt-out requirements. The practice itself, and the stored data, the group's authors note, make a delicious target for hackers and the intelligence community alike:
"Using tracking headers also raises concerns related to data retention. When “honey pots” of sensitive information, such as data on browsing, location, and phone numbers, are collected and stored, they attract malicious hacking and government surveillance. This kind of collection and retention of user data is unsustainable and unwise, and creates unmanageable risks for businesses and customers alike."
The W3C recently agreed, noting that stealth carrier tracking header injection is basically a privacy nightmare in the making that undermines user trust in the entire Internet:
"The aggregate effect of unsanctioned tracking is to undermine user trust in the Web itself. Moreover, if browsers cannot isolate activity between sites and offer users control over their data, they are unable to act as trusted agents for the user. Notably, unsanctioned tracking can be harmful even if non-identifying data is shared, because it provides the linkage among disparate information streams across contextual boundaries. For example, the sharing of an opaque fingerprint among a set of unrelated online purchases can provide enough information to enable advertisers to determine that the user of that browser is pregnant — and hence to target her with pregnancy-specific advertisements even before she has disclosed her pregnancy."
This is what has been happening while the marketing, tech and telecom industries bickered, prattled and grandstanded over do not track protections -- that this technology makes irrelevant anyway. And while companies like Verizon have repeatedly claimed that no privacy or transparency guidelines are necessary because "public shame" will keep them honest, keep in mind that it took security researchers two years before they even realized that the telco was doing this. It took another six months of pressure for Verizon to heed calls for basic opt-out mechanisms most Verizon users don't know exist. It makes you wonder: just how long will it take the press and public to realize future iterations of stealth tracking technology are being used?
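An added Go example, not Access's AmIBeingTracked.com code and not from the article: the server-side check such a test site has to make. A header added in transit is invisible to the browser, so the only place to detect it is on the request as the destination received it; the header names are assumptions (X-UIDH is Verizon's, X-ACR the name reported for AT&T's) and the token value is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// Header names documented as carrier tracking headers. X-UIDH is Verizon's
// header discussed in the article; X-ACR is the name reported for AT&T's
// (treat the list as an assumption and extend it with what you observe).
var trackingHeaders = []string{"X-UIDH", "X-ACR"}

// Finding is one request header the check flagged.
type Finding struct {
	Name  string
	Value string
	Known bool // true: documented tracking header; false: heuristic hit
}

// looksOpaqueToken is a cheap heuristic for an identifier: at least 20
// characters from the base64/URL-safe alphabet and nothing else.
func looksOpaqueToken(v string) bool {
	if len(v) < 20 {
		return false
	}
	for _, r := range v {
		isAlnum := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
		if !isAlnum && !strings.ContainsRune("+/=-_", r) {
			return false
		}
	}
	return true
}

// DetectInjectedHeaders inspects the headers exactly as the server received
// them, which is the only place a transit-injected header is visible: the
// browser never sees it, and over HTTPS the carrier cannot add it at all.
func DetectInjectedHeaders(h http.Header) []Finding {
	var out []Finding
	seen := map[string]bool{}
	for _, name := range trackingHeaders {
		if v := h.Get(name); v != "" {
			out = append(out, Finding{Name: name, Value: v, Known: true})
			seen[http.CanonicalHeaderKey(name)] = true
		}
	}
	// Unknown X- headers carrying an opaque token deserve a second look.
	for name, vals := range h {
		if seen[name] || !strings.HasPrefix(name, "X-") {
			continue
		}
		for _, v := range vals {
			if looksOpaqueToken(v) {
				out = append(out, Finding{Name: name, Value: v})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// CheckHandler plays the part of a page like AmIBeingTracked.com: it tells the
// visitor what the carrier added to the request on the way in.
func CheckHandler(w http.ResponseWriter, r *http.Request) {
	findings := DetectInjectedHeaders(r.Header)
	if len(findings) == 0 {
		fmt.Fprintln(w, "no carrier tracking headers seen on this request")
		return
	}
	for _, f := range findings {
		kind := "documented"
		if !f.Known {
			kind = "suspicious"
		}
		fmt.Fprintf(w, "%s tracking header %s = %s\n", kind, f.Name, f.Value)
	}
}

func main() {
	// Constructed request standing in for one that crossed a carrier proxy;
	// the token value is made up for this example.
	req := httptest.NewRequest("GET", "http://check.example/", nil)
	req.Header.Set("X-UIDH", "Z2VuZXJhdGVkLWZvci10aGlzLWV4YW1wbGU=")
	rec := httptest.NewRecorder()
	CheckHandler(rec, req)
	fmt.Print(rec.Body.String())
}
```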


Posted on Techdirt - 26 August 2015 @ 1:53pm

Windows 10 Reserves The Right To Block Pirated Games And 'Unauthorized' Hardware

from the Microsoft-being-Microsoft dept

While Windows 8 annoyed many users for its attempt to duct-tape two disparate computing styles (traditional Windows and a touch interface) together while demanding you stand impressed by the genius of such a move, Windows 10 initially appeared to be seeing some positive responses (at least among those who use Windows). That was, at least until people started to realize how nosy the operating system is, how frequently it feels the need to phone home to Redmond, and some of the more obnoxious language buried in the terms of service.

Not too surprisingly (this is Microsoft we're talking about) the OS opts users in to all manner of information sharing from the start, and there's some indication the OS doesn't really heed its own opt-out settings for many of these "services":

"Unfortunately for privacy advocates, these controls don't appear to be sufficient to completely prevent the operating system from going online and communicating with Microsoft's servers. For example, even with Cortana and searching the Web from the Start menu disabled, opening Start and typing will send a request to www.bing.com to request a file called threshold.appcache which appears to contain some Cortana information, even though Cortana is disabled. The request for this file appears to contain a random machine ID that persists across reboots."
While much of this phoning home appears to be innocuous, it's obviously annoying to users who expect an OS that operates quietly and securely on the network. Other ingrained features of the OS may or may not be more troublesome, depending on how seriously you'd like to take Microsoft's fine print. One provision in particular appears to have caught the eye of numerous news outlets: namely that Microsoft has the ability and reserves the right to disable first-party (aka Microsoft) titles should they be found to be pirated. The TOS also notes that Microsoft reserves the right to block "unauthorized hardware":
"We may automatically check your version of the software and download software updates or configuration changes, including those that prevent you from accessing the Services, playing counterfeit games, or using unauthorized hardware peripheral devices. You may also be required to update the software to continue using the Services."
Comforting! It's possible Microsoft will never utilize this particular portion of its TOS, but its inclusion is understandably troubling all the same, and with the capability embedded, it's hard to think our friends at the MPAA and BSA won't urge Microsoft to include their products. Update: one commenter points out the TOS in question that has everyone in a tizzy refers to Windows services, not necessarily Windows 10. Windows 10 is covered by Microsoft Software License Terms. In short, while Microsoft could declare Windows 10 as a service, it still seems highly unlikely that the company is going to invite the wrath of millions by using Windows 10 as a piracy and device nanny, especially if they want the OS to succeed.

If you're looking for some additional bright side, Windows 10 at least blocks some of the more obnoxious, invasive flavors of DRM that have made the rounds over the last few years, including SecuROM and SafeDisc. Unfortunately, that means titles that used this DRM simply won't work on the new OS without a patch.

Either way, worries about Windows 10's spying and reporting habits appear to have freaked out a few BitTorrent trackers. One tracker by the name of iTS has decided to block all Windows 10 users entirely, redirecting them to this YouTube video explaining the perceived dangers of the new OS. In a post over at Reddit, tracker admins explain why they're not particularly welcoming of Windows 10 users:
"Many of you might have heard or read about the terrible privacy policy of Windows 10 recently. Unfortunately Microsoft decided to revoke any kind of data protection and submit whatever they can gather to not only themselves but also others. One of those is one of the largest anti-piracy companies, called MarkMonitor. Amongst other things Windows 10 sends the contents of your local disks directly to one of their servers. Obviously this goes way too far and is a serious threat to sites like ours, which is why we had to take measures."
This is likely somewhat of an overreaction, since Microsoft has been working with MarkMonitor for many years now, in some instances to protect customers from phishing attacks. Still, it's understandable that Microsoft's decision to embed Windows 10 with all manner of chatty behaviors would raise a few eyebrows. If Redmond wants to avoid the fractured adoption issues that plagued earlier versions of Windows, hopefully executives there can be publicly pressured to ensure that opting out of the more chatty and invasive aspects of the new OS actually works.


Posted on Techdirt - 26 August 2015 @ 3:04am

As Part Of Its War On Encryption, Russia Briefly Blocks All Of Wikipedia Over One Weed Reference

from the just-say-no dept

Did you know you can occasionally find people discussing narcotics on the Internet? Russian Internet regulator Roskomnadzor (the Kremlin's "Federal Service for Supervision in the Sphere of Telecom Information Technologies and Mass Communications") is pretending to have only recently figured this out, and is working tirelessly to purge this naughty behavior from the Internet. Of course, they're ingeniously doing so in a way that breaks the Internet for everybody else, often taking entire websites offline simply because of one yahoo's heady pontifications on dope.

The country recently thought it would be a great idea to ban all of Reddit because of one thread on growing hallucinogenic mushrooms. Reddit complied and was unbanned after deleting the content, since complying with country-by-country censorship requests (sometimes reasonable, sometimes not) is something Reddit's ok with these days. This week, Russia briefly banned all of Wikipedia as well because of one entry on charas (an Indian version of hashish). Instead of censoring the entry in question (like Reddit), Wikipedia refused and only changed the URL of the entry so it technically adhered to Russian law:

"Wikipedia refused to comply with the request and instead made a small change to the URL of the charas hashish article, technically putting it in compliance with Russian law. The old page now features a list of seven different Wikipedia entries on the various meanings of the word “charas,” while the original text about charas hashish is completely intact, but is now accessible at a new URL on the encyclopedia's website."
As of yesterday, Roskomnadzor wasn't satisfied, saying it would (re-)ban all of Wikipedia. Unless, of course, the site was willing to make one notable change:
"Roskomnadzor's press office also said they didn't intend to block the whole website, and would be able to only block the offending content and pages, provided Wikipedia's management “cooperated” and removed the HTTPS encryption protocol that puts the whole website in danger of being blocked."
So yeah, this isn't just another government being stupid and filter happy. Russia is filtering these websites under the authority embedded in a 2012 censorship law, whose purpose was purportedly to protect the children from the Internet's naughty bits. The bill's real purpose, of course, was to create an intentional, obfuscated slippery slope, designed specifically to aid in expanding control over the Internet. So Russia's sudden interest in playing pointless drug content Whac-a-mole is actually an attempt to reduce the overall use of encryption and make snooping easier:
"This is an important case because it’s part of the general offensive against https. Roskomnadzor and the FSB [security services] don’t know what to do with it,” said Andrei Soldatov, a journalist and author of Red Web, a book about the Russian internet. Soldatov said SORM, the system Russia uses for internet surveillance, does not work with the more secure https protocol, also used by sites such as Facebook and Gmail...

Soldatov speculated that the move against Wikipedia could be part of a test of another strategy: by threatening the site with bans over single pages, the site could be forced off https to ensure that the whole site is not affected when only one page is banned. Soldatov said: “There are two options for https: the first is to have access to the data before encryption, which explains the demand to store servers in Russia. The second is to try to force services to give up on https, which is what is happening with Wikipedia.”"
So basically, the Russian government is assaulting encryption, expanding Internet surveillance power and cracking down on critics -- under the pretense of protecting the children from bonghits. Remember, though, killing journalists, encouraging violent homophobia and pumping the Internet full of propaganda twenty-four hours a day are still on the recommended hobbies list in Putin's Russia.


Posted on Techdirt - 25 August 2015 @ 2:58pm

AT&T Injecting Ads Into Its Wi-Fi Hotspot Data Streams

from the the-man-in-the-middle-is-a-bit-of-a-jerk dept

Everybody wants a piece of the Internet advertising pie, and many are willing to sink to the very bottom of the well of stupidity to get what they believe is owed them. For years now ISPs, hardware vendors and even hotels simply haven't been able to help themselves, and have repeatedly been caught trying to inject their own ads over the top of user browsers and data streams. This is a terrible idea for a number of reasons, ranging from the fact that ad injection is effectively an attack on user traffic, to the obvious and inherent problem with defacing other people and organizations' websites and content with your own advertising prattle.

Still, companies like Comcast, Marriott and Samsung have all been caught trying to shove their ads over the top of user data streams. When pressed, most companies are utterly oblivious (or pretend to be utterly oblivious) as to why this behavior might not be that good of an idea.

AT&T appears to be the latest company to use its perceived power over the conduit to manipulate the message. Stanford computer science and legal lecturer Jonathan Mayer recently visited the Dulles airport in DC, and found AT&T's Wi-Fi hotspots pushing a number of pop-up ads, overlaying themselves on browser content:

AT&T's hotspots (or at least the one at Dulles) appear to be using technology provided by RaGaPa, a startup that promotes itself as an expert in "Wi-Fi Monetization and In-Browser User Engagement Solutions." RaGaPa's tech loads the page via the hotspot, then makes three edits over HTTP: the injection of an advertising style sheet, the loading of a backup advertisement (in case the user's browser has JavaScript disabled), and the injection of a pair of scripts for managing advertisement selection and loading. There's no mention of this practice anywhere in AT&T's terms of service.
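The three edits just described are exactly what a site owner or traveller can test for, so here is an added Go example (not Mayer's tooling and not RaGaPa's code) that lists the resources a received page pulls from hosts other than the site's own, and, where a reference copy fetched over a path the hotspot cannot touch (the same URL over HTTPS) is available, the resources that were added in transit. The two pages and the ads.example.net host are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// resourceRe pulls the address out of every script, image, iframe and link tag.
// A regex is enough for this demonstration; a real checker would use an HTML parser.
var resourceRe = regexp.MustCompile(`(?i)<(?:script|img|iframe|link)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']`)

// resourceURLs lists every external resource address a page references, in order.
func resourceURLs(page string) []string {
	var out []string
	for _, m := range resourceRe.FindAllStringSubmatch(page, -1) {
		out = append(out, m[1])
	}
	return out
}

// isForeign reports whether a resource is served from a host other than the page's own.
// Relative addresses resolve to the page's origin and are never foreign.
func isForeign(raw string, pageHost string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return true // unparseable: worth a look
	}
	return u.Host != "" && !strings.EqualFold(u.Host, pageHost)
}

// ForeignResources is the check you can run with nothing but the page as
// received: every script, stylesheet, image or frame pulled from a host that
// is not the site you asked for. Legitimate third-party assets show up too,
// which is why a reference copy (InjectedResources) is the stronger test.
func ForeignResources(received, pageURL string) []string {
	page, err := url.Parse(pageURL)
	if err != nil {
		return nil
	}
	var out []string
	for _, r := range resourceURLs(received) {
		if isForeign(r, page.Host) {
			out = append(out, r)
		}
	}
	sort.Strings(out)
	return out
}

// InjectedResources compares the page as received through the network under
// test with a reference copy fetched over a path the hotspot cannot alter
// (for example the same URL over HTTPS) and returns the resources that were added.
func InjectedResources(reference, received string) []string {
	known := map[string]bool{}
	for _, r := range resourceURLs(reference) {
		known[r] = true
	}
	var out []string
	for _, r := range resourceURLs(received) {
		if !known[r] {
			out = append(out, r)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample pages (not a real capture). The received copy carries the
// three edits the article describes: an advertising style sheet, a backup
// advertisement for browsers with JavaScript disabled, and a pair of scripts.
const pageURL = "http://news.example.org/story"

const referencePage = `<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
</head><body><h1>Story</h1></body></html>`

const receivedPage = `<html><head>
<link rel="stylesheet" href="http://ads.example.net/inject.css">
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script src="http://ads.example.net/select.js"></script>
<script src="http://ads.example.net/load.js"></script>
</head><body>
<noscript><img src="http://ads.example.net/backup.gif"></noscript>
<h1>Story</h1></body></html>`

func main() {
	fmt.Println("foreign resources:", ForeignResources(receivedPage, pageURL))
	fmt.Println("injected resources:", InjectedResources(referencePage, receivedPage))
}
```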

As already noted, this type of injection is highly problematic and sets an awful precedent:
"AT&T has an (understandable) incentive to seek consumer-side income from its free wifi service, but this model of advertising injection is particularly unsavory. Among other drawbacks: It exposes much of the user’s browsing activity to an undisclosed and untrusted business. It clutters the user’s web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service. And it introduces security and breakage risks, since website developers generally don’t plan for extra scripts and layout elements."
As Mayer also notes, this is a legally muddy area, and, worried about regulatory wrist slaps, most busted ISPs have very quickly and sheepishly backed away from the practice for fear of legal repercussions. I reached out to AT&T to see whether this is a one-off instance of stupidity on the part of AT&T or somebody else (like Dulles), or if aggressively and idiotically injecting itself into the user browsing experience is now going to be AT&T's standard operating procedure across the company's network of 30,000+ Wi-Fi hotspots.

Update: AT&T has sent us a statement indicating that this was part of a limited trial:
"Our industry is constantly looking to strike a balance between the experience and economics of free Wi-Fi. We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended. The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast."


Posted on Techdirt - 25 August 2015 @ 3:08am

Internet Of Not-So-Smart Things: Samsung's Latest Smart Fridge Can Expose Your Gmail Password

from the I'll-take-my-devices-stupid,-thanks dept

The sometimes blisteringly-inane hype surrounding the "Internet of Things" appears to be on a collision course with the sophomoric security standards being employed in the field. As we've seen time and time again, companies were so bedazzled by the idea of connecting everything and anything to the Internet (your hat! your pants! your toilet!) they left device and network security as an afterthought -- if they could be bothered to think about it at all. The result has been smart TVs that share your personal conversations, vehicles that can easily be used to kill you, and a home full of devices leaking your daily habits.

The latest example comes again via Samsung, whose "smart" refrigerators aren't so smart. While Samsung's shiny new refrigerators connect to the Internet, can display your Google Calendar and implement SSL, hackers during a challenge at the recent DEFCON found the refrigerators fail to validate those SSL certificates. That opens the door to all kinds of man-in-the-middle attacks, potentially allowing your neighbor to steal your Gmail login information while sitting on his couch next door:

"The internet-connected fridge is designed to display Gmail Calendar information on its display," explained Ken Munro, a security researcher at Pen Test Partners. "It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes updates and those changes are then seen on any device that a user can view the calendar on."

"While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbours, for example."
On the plus side, this vulnerability was found after Samsung invited hackers to try and find vulnerabilities in the system, showing some proactive thinking. On the flip side, this is the same company whose "smart" TVs were found to be happily sending living room conversation snippets unencrypted over the Internet -- so it's not always clear Samsung listens to feedback, or how many bugs and vulnerabilities go unnoticed. Regardless, the researchers' blog post has a little more detail, noting they may have also found some vulnerabilities in the app's encrypted communication stream with the refrigerator.
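The failure the researchers describe, as an added Go example that is not Samsung's firmware or Pen Test Partners' code: a constructed calendar server and an impostor holding a certificate for the same name, a client that negotiates TLS but skips validation the way the fridge does, and the hardened client that trusts only the certificate it was provisioned with and lets the library check the chain and the host name. The names and certificates are generated in-process and are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedCert makes a throwaway certificate valid for 127.0.0.1 (constructed
// for this example; nothing here is Samsung's or Google's real PKI).
func selfSignedCert(cn string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

// newTLSServer serves a fixed body over TLS with the given certificate.
func newTLSServer(body string, cert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, body)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// FridgeClient mirrors the bug: TLS is negotiated, but the peer's certificate
// is never checked, so whoever answers on the socket is accepted as Google.
func FridgeClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the defect
	}}
}

// HardenedClient trusts only the certificate it was provisioned with; the
// library verifies the chain and the host name on every connection.
func HardenedClient(trusted *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
}

func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// Outcome records what each client got from the genuine calendar server and
// from an impostor sitting on the (simulated) home network.
type Outcome struct {
	FridgeSawImpostor   string // the flawed client reads the impostor's page as if it were Google's
	HardenedSawGenuine  string // the hardened client still talks to the real server
	HardenedImpostorErr error  // and refuses the impostor with a verification error
}

func RunScenario() Outcome {
	genuineCert, genuineX509 := selfSignedCert("calendar.example")
	impostorCert, _ := selfSignedCert("calendar.example") // same name, different key
	genuine := newTLSServer("calendar: dentist 09:00", genuineCert)
	defer genuine.Close()
	impostor := newTLSServer("impostor: not your calendar", impostorCert)
	defer impostor.Close()

	var o Outcome
	o.FridgeSawImpostor, _ = fetch(FridgeClient(), impostor.URL)
	o.HardenedSawGenuine, _ = fetch(HardenedClient(genuineX509), genuine.URL)
	_, o.HardenedImpostorErr = fetch(HardenedClient(genuineX509), impostor.URL)
	return o
}

func main() {
	o := RunScenario()
	fmt.Printf("fridge client via impostor:   %q\n", o.FridgeSawImpostor)
	fmt.Printf("hardened client via genuine:  %q\n", o.HardenedSawGenuine)
	fmt.Printf("hardened client via impostor: %v\n", o.HardenedImpostorErr)
}
```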

These endless IoT security issues may have the opposite effect of that intended: actively marketing the need for many devices to be dumber. And those dumb devices are getting harder to find. Many of the latest and greatest 4K television sets, for example, simply can't be purchased without intelligent internals that integrate functionality the user may not want. So while Wired magazine's endless 1990s obsession with intelligent refrigerators may have finally come to fruition, they may be unwitting pitchmen for how sometimes it's better for things to simply remain utterly analog -- and beautifully, simply stupid.


Posted on Net Neutrality Special Edition - 24 August 2015 @ 3:22pm

Google Lobbied Against Real Net Neutrality In India, Just Like It Did In The States

from the only-a-little-bit-evil dept

While Google is still seen as (and proclaims to be) a net neutrality advocate, evidence continues to mount that this is simply no longer the case. Back in 2010 you might recall that Google helped co-write the FCC's original, flimsy net neutrality rules with the help of folks like AT&T and Verizon -- ensuring ample loopholes and making sure the rules didn't cover wireless at all. When the FCC moved to finally enact notably-tougher neutrality rules for wired and wireless networks earlier this year, Google was publicly mute but privately active in making sure the FCC didn't seriously address the problems with usage caps and zero-rated (cap exempt) content.

While the company pretends this isn't a notable turnaround from previous principles, the evidence is on the table for all to see.

As India has been exploring net neutrality rules it's again apparent that, if not outright leaning into the anti-neutrality camp, Google sure as hell is not helping. Both Google and Facebook have come under fire recently for their zero rating efforts overseas, which include exempting some select partner content from usage caps, and setting up walled garden fiefdoms under the banner of selfless altruism. Critics charge that these plans create vast inequalities in connectivity and violate Internet openness, and that if the companies really want to help the poor, they can help subsidize truly open Internet access.

While Facebook has responded to this criticism by insisting that all of its critics are extremists should they dare question Facebook's noble intentions, Google's again chosen a more subtle route; staying mute on the subject publicly but quietly working behind the scenes to weaken the final rules:

"Google joined hands with Facebook to try and prevent the Internet and Mobile Association of India, which represents some of the largest Internet companies in India, from taking a stand that counters Zero Rating. According to emails exchanged between IAMAI’s Government Relations committee members, of which MediaNama has copies, Vineeta Dixit, a member of Google’s Public Policy and Government Relations team, strongly pushed for the removal of any mention of Zero Rating from the IAMAI’s submission, as a response to the Department of Telecom’s report on Net Neutrality. Please note that Google hasn’t responded to our queries, despite multiple reminders...
Apparently Google was preparing to launch its own zero-rated effort in India but put those plans on hold once it saw Facebook taking a public relations beating. And while Google's been very careful to even avoid having any of its positions on the record, these e-mails show it pushed India's wireless carriers to make sure they all were on board supporting zero rating:
"Dixit’s email to the IAMAI government relations committee, while reasoning that there is no consensus on Zero Rating, asked for its removal from the submission, saying: “We would like to register strong protest against this formulation and would request you to remove this (Zero Rating) from the submission."
So yes, this is basically Google's net neutrality modus operandi now: publicly say as little as possible (while harvesting press and public acclaim for being a net neutrality "supporter") while privately undermining real neutrality. As we've discussed with both AT&T's sponsored data and T-Mobile's Music Freedom, such a model gives preferential treatment to larger companies while making life immediately harder for smaller outfits, independents and non-profits. And Google's ok with that. Worth remembering the next time Google (or a press outlet) proclaims that Google's still a noble champion on the net neutrality front.


Posted on Techdirt - 20 August 2015 @ 2:50am

EA: Complaints About On-Disc DLC Are 'Nonsense'

from the tomato,-tomahto dept

We've long discussed how game downloadable content (DLC) can be done right, but more often than not it's done very, very wrong. On the positive side you have CD Projekt Red, who recently decided to offer two free pieces of DLC for The Witcher 3 every week for months, helping to build a positive relationship with fans while keeping the game consistently in the public (and media's) eye. More often than not however you have efforts like Bungie's recent flubs with Destiny, or Ubisoft's pretty but incredibly shitty DLC approach to Assassin's Creed Unity.

And then there's EA, whose quality control issues, treatment of employees and obsession with low-value microtransactions are now legendary in the gaming industry. The company has made nickel and diming DLC high art, at times stuffing $60 launch titles with dozens of pieces of DLC at $5 or more a pop -- already embedded on the disc. Whether you like this idea or not, there's little debate that EA has quite often pushed the idea of microtransactions too far.

But what you might call obnoxious and greedy, EA COO Peter Moore continues to call an "innovative value proposition." Speaking recently to Gamespot, Moore quite proudly proclaimed that it's "nonsense" to believe publishers sell incomplete titles in order to make money off of missing content:

"A lot of that resistance comes from the erroneous belief that somehow companies will ship a game incomplete, and then try to sell you stuff they have already made and held back. Nonsense. You come and stand where I am, next to Visceral's studio, and you see the work that is being done right now. And it's not just DLC, this is free updates and ongoing balance changes."
Well, one, things like "free updates" and "balance changes" are part of routine maintenance for a title, and since they often involve fixing bugs -- aren't really part of the conversation. Still, Moore would prefer it if gamers thought about future EA DLC as if it were "APIs," not content already on the disc that customers should have gotten with the original game:
"Think of them as APIs," he said. "Knowing down the road that something needs to sit on what you've already made, means you have to put some foundations down. What people are confused about is they think DLC is secretly on the disc, and that it's somehow unlocked when we say."
And sure, Moore's not entirely wrong. Many are quick to point out that in modern game development, DLC quite often runs parallel and separate from core game design, and the core structure of DLC developed at a later date often exists on disc to make integration easier. Few deny that, and DLC can certainly be done well. But DLC did in fact start with many developers shaving core content off of the original game to make an extra buck, and there's little doubt that many titles are left intentionally sparse so users need to acquire pricey DLC to fully flesh them out. Moore also ignores the unholy atrocity that is pre-order DLC bonuses, which involves only being able to get a vast array of content if you pre-order from select vendors.

Cumulatively, the frequency of poorly-implemented microtransactions is still annoying, and it's certainly not "nonsense" if the modern gamer feels that the value proposition of many modern titles from AAA developers has slowly been circling the toilet. On the flip side, it has been interesting to watch the resistance to poorly-implemented DLC slowly erode over the years. Back in 2011, gamer disdain for nickel and dime DLC was utterly palpable. During the first quarter of this year, "extra content" generated roughly $921 million out of EA’s total digital revenue of $2.2 billion, meaning there are plenty of people who now either think DLC offers a great value position or have more disposable income than brains. I personally ignore 99.7% of all DLC.

Granted Moore is the same guy who tried to argue that EA won Consumerist's "The Worst Company In America" poll simply because it's big. And EA is the same company that consumes talented developers and shits out broken dreams as a matter of course. As such, EA's probably the last one gamers should ask when trying to differentiate value from a heaping $5 pile of nonsensical, supplementary horse excrement.


Posted on Techdirt - 19 August 2015 @ 10:42am

ISP Can't Figure Out How To Automate A Password Reset, But Is Happy To E-mail Your Password In Plain Text

from the cryptography-schmiptography dept

As we've noted, AT&T and Verizon are working hard to dump all of the DSL customers they're too cheap to upgrade to fiber, so they can focus on much more profitable (read: capped) wireless broadband service. A company by the name of Frontier Communications is doing the lion's share of the acquisitions, recently acquiring all of AT&T's customers in Connecticut, as well as all of Verizon's fixed-line broadband customers in California, Texas, and Florida. Unfortunately for these acquired users, Frontier is exhibiting the kind of steep, sustained incompetence that should probably be making these customers very nervous.

As we noted back in May, Frontier recently had to stop selling broadband service via the company's website -- because it apparently couldn't figure out how to get the technology to work. If that didn't make new Frontier customers nervous, last week the company made headlines again when it emerged that it apparently has no idea how to automatically reset user e-mail passwords, or what cryptography is. Apparently, the only way for Frontier users to have their e-mail passwords reset is to e-chat with a support rep named Shawn, who is happy to share your password with you in plain text:

"Silverman had forgotten the password to this little-used account but found that the Frontier e-mail website provides no self-service method for resetting the password. The only option was to chat with a Frontier employee. And that employee, Shawn from tech support, had access to Andrew's password in plain text and was ready and willing to share it."
That the company isn't salting and hashing stored passwords is obviously a red flag, but it gets worse:
"I'm not comfortable giving out passwords. Is there a password reset page?" Silverman asked.

"I'm sorry there isn't," Shawn replied. "Are you OK with me posting the password in chat? It is a secure network and I have the password in front of me."

Silverman pointed out how ridiculous this system is but accepted Shawn's offer and received the password. Before ending the chat, Shawn tried to sell Silverman antivirus software, computer tech support, or "identity protection." Silverman declined. The Frontier system then e-mailed Silverman a full transcript of the chat, including the password in plain text. The only information Frontier obscured was his account number."
So to recap: Frontier isn't capable of building a website that can sell broadband service, or one that allows for automatic e-mail password resets. It also apparently stores passwords in plain text, making them easy for any Frontier employee to see, and is happy to post said password both into an e-chat platform (which at least uses HTTPS) and over unencrypted e-mail. For good measure, the company will then upsell you on security and "identity protection" services and software. Amusingly, Frontier still insists that its systems are secure:
"Frontier insisted that its password practices are secure but was stingy with details...Frontier also said that it only provided Silverman a password after "we verified identity first through security questions." But as Silverman told Ars, "the only security challenges they posed were to provide the account number OR the landline service number in combination with the last 4 of the social security number."
Of course these kinds of security questions aren't remotely secure either. Earlier this month "The Martian" author Andy Weir noted on Facebook that it was incredibly trivial for his Comcast e-mail account to be hacked: the ISP gave up his password to someone who simply supplied the last four digits of his social security number and his street address. Regardless, the Frontier user proceeds to wonder just how secure Frontier's billing systems are. It also obviously raises questions about the quality of the company's quickly-expanding broadband empire.

So yeah, pro tip: if you're one of the six people still using your ISP's e-mail services, it might be time to stop, since security is pretty clearly a distant afterthought. And if you're one of the millions of monopoly victims (er, customers) getting gobbled up by Frontier as AT&T and Verizon sever their ties to unwanted DSL customers, you may want to think about either moving, or building your own broadband ISP with at least a rudimentary understanding of cryptography.
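What the Frontier story describes (a rep reading a password out of the database, and no self-service reset) is the opposite of the usual design, sketched here as an added example that is not Frontier's code: passwords are stored only as salted PBKDF2 hashes, logins are verified by recomputing the hash, a support view can show that a password exists but never what it is, and resets go through a one-time, expiring token whose hash alone is stored. The class and parameter names are illustrative assumptions.

```python
"""Added example of salted password storage plus token-based self-service reset.
Not Frontier's code; class name, iteration count and TTL are assumptions."""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000      # assumption: tune upward to your hardware
TOKEN_TTL_SECONDS = 15 * 60      # reset links die after 15 minutes
_DUMMY_SALT = b"\x00" * 16       # used so unknown users cost the same CPU time


class CredentialStore:
    def __init__(self):
        self._records = {}        # username -> {"salt": bytes, "hash": bytes}
        self._reset_tokens = {}   # sha256(token) -> (username, expires_at)

    @staticmethod
    def _derive(password, salt):
        # Slow, salted KDF: the plaintext is never written anywhere.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)

    def set_password(self, username, password):
        salt = os.urandom(16)     # fresh per-user salt defeats precomputed tables
        self._records[username] = {"salt": salt,
                                   "hash": self._derive(password, salt)}

    def verify(self, username, password):
        rec = self._records.get(username)
        if rec is None:
            self._derive(password, _DUMMY_SALT)   # keep timing uniform
            return False
        # Constant-time compare of the recomputed hash against the stored one.
        return hmac.compare_digest(rec["hash"], self._derive(password, rec["salt"]))

    def support_view(self, username):
        """Everything a support rep can see: that a password is set, and a
        short hash prefix for ticket correlation. Nothing here is recoverable."""
        rec = self._records.get(username)
        if rec is None:
            return None
        return {"has_password": True, "hash_prefix": rec["hash"][:4].hex()}

    def start_reset(self, username, now=None):
        """Issue a one-time token to be e-mailed as a reset link. Only its hash
        is stored, so a leaked database (or chat transcript) cannot replay it.
        The web layer should reply identically whether or not the user exists."""
        if username not in self._records:
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode("ascii")).digest()
        expires_at = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
        self._reset_tokens[digest] = (username, expires_at)
        return token

    def finish_reset(self, token, new_password, now=None):
        digest = hashlib.sha256(token.encode("ascii")).digest()
        entry = self._reset_tokens.pop(digest, None)   # pop: single use
        if entry is None:
            return False
        username, expires_at = entry
        if (now if now is not None else time.time()) > expires_at:
            return False
        self.set_password(username, new_password)
        return True
```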


Posted on Techdirt - 18 August 2015 @ 3:53pm

FCC May Finally Act To Ease The Pain Of Stupid Cable TV Content Negotiation Blackouts

from the dig-your-own-grave dept

If you still watch traditional TV chances are you've increasingly been accosted with blacked out content and annoying ticker warnings as cable operators and broadcasters bicker over programming contracts. Whether it's Fox News's ugly fight with Dish, DirecTV's feud with The Weather Channel, or the Cablevision - News Corporation fight that blacked out the World Series a few years back, these obnoxious disputes have only gotten uglier over the last few years as programming costs have soared and the cable and broadcast industry works tirelessly to ensure its looming irrelevance.

For the consumer, these fights usually go something like this: you're bombarded with on-screen tickers and ads from both your cable operator and the broadcaster telling you the other guy is being a greedy villain during a contract standoff. After the programming contract expires, content you're paying for gets blacked out (which you're of course never given a refund for) by one side or the other in the hopes of pushing negotiations along. After a month or two the two sides then ultimately strike a confidential new programming deal. A few weeks later your cable bill sees a price hike -- potentially your second of the year.

It's kind of a lose-lose scenario for consumers, who get used as public relations pinatas (call your cable operator to complain!), lose access to content they're paying for, and then get accosted with an endless series of rate hikes. For the last few years, the FCC has generally had a hands-off approach to these disputes (boys will be boys, and all that), but as they've gotten uglier and consumers have increasingly been railroaded, pressure has mounted for the regulator to at least do something. In a new blog post, FCC boss Tom Wheeler says he's looking at a number of ideas that could help ease the pain of these idiotic standoffs. Maybe.

For one, the FCC is considering lifting rules that prohibit cable companies from simply piping in another region's local broadcast affiliate, allowing them to at least provide customers with some version of ABC, NBC, Fox or CBS while negotiations continue. The agency also suggests it's going to look more closely at the very definition of "good faith negotiations," since these blackouts make it clear there's not much of that actually going on:

"The NPRM currently before the Commission undertakes a robust examination of practices used by parties in retransmission consent negotiations, as required by Congress. The goal of the proposed rulemaking is to ensure that these negotiations are conducted fairly and in a way that protects consumers."
Since these are private business contracts, the FCC injecting itself into these negotiations is going to piss off free marketeers and the cable and broadcast industry to no end, but the industry brought it upon itself by behaving like absolute jackasses for the last few years. Not only have they consistently held traditional TV customers hostage, some broadcasters have even blocked access to online content in petulant responses to contract feuds.

In its fight with Cablevision in 2010, News Corporation went so far as to get Hulu to block Cablevision broadband customers from accessing all Fox content. Viacom did something similar in 2014 when it blocked all CableONE broadband customers from accessing Viacom content online, even if those broadband users were paying for TV from another provider. Let that sink in a little bit: you pay for Viacom content through, say, DirecTV, but you can't access that content through your broadband provider because the cable arm of your ISP is engaged in a TV content contract dispute.

And while broadcasters do deserve the lion's share of the blame for soaring programming rates, the cable providers aren't faultless since they're quick to impose rate hikes of their own (modem fees, broadcast TV fees, set top rental charges, charges to pay over the phone) as often as possible. Layer this lost content and annoyance on to existing high prices and the industry's absolutely legendary reputation for atrocious customer service, and you've uncovered the industry's ingenious plan to more efficiently dig its own grave on the eve of the cord cutting revolution.


Posted on Techdirt Wireless - 18 August 2015 @ 11:36am

FCC Fines Company Caught Blocking Wi-Fi To Force Visitors On To Their Own, Absurdly-Priced Services

from the packet-shenanigans dept

The FCC has fined yet another company for blocking user Wi-Fi access in order to drive customers to the company's own, ridiculously-expensive Wi-Fi options. According to an FCC announcement, regulators have fined Smart City Holdings, LLC $750,000 for blocking user access to Wi-Fi at a number of convention centers served by the company. More specifically, Smart City was caught using common technology that sends deauthentication packets to user devices, kicking them off of their own personal hotspots or tethered smartphones while in Smart City business locations.

This was done, says the FCC, so that users would have to use Smart City's own service, which according to this brochure for the Charlotte convention center (pdf), is provided at pricing that's downright comical. Smart City offers convention center exhibitors access to 24 hours of blisteringly-fast (1.5 Mbps) Wi-Fi for $80, three days of Wi-Fi for $160, or five days for $360. If you're just a conference center visitor your options get even slower, with the company providing 768 kbps Wi-Fi service for $13 per 24 hours.

Obviously most users would rather just use their own phone as a hotspot to avoid these charges, and the FCC reminds everyone that acting like a jackass and preventing this from happening to make additional money simply isn't ok:

"It is unacceptable for any company to charge consumers exorbitant fees to access the Internet while at the same time blocking them from using their own personal Wi-Fi hotspots to access the Internet," said Travis LeBlanc, Chief of the FCC's Enforcement Bureau. "All companies who seek to use technologies that block FCC-approved Wi-Fi connections are on notice that such practices are patently unlawful."
This is the second time the FCC has had to step in and slap some wrists. The agency fined Marriott $600,000 last year for the same thing, though Marriott was blocking local Wi-Fi to drive users to even more expensive, $1,000 per device Wi-Fi service. Marriott originally tried to fight the agency by arguing this was all done to protect the safety and security of its customers, but sheepishly backed off of the practice once it realized the court of public opinion was very clearly not on its side.

Like Marriott, Smart City apparently couldn't help itself, and felt it necessary to issue a bullshit statement pretending the practice was about network security:
"As recommended by the Department of Commerce and Department of Defense, we have occasionally used technologies made available by major equipment manufacturers to prevent wireless devices from significantly interfering with and disrupting the operations of neighboring exhibitors on our convention floors. This activity resulted in significantly less than one percent (1%) of all devices being deauthenticated and these same technologies are widely used by major convention centers across the globe as well as many federal agencies."
So yeah, uh, we weren't being anti-competitive asses, we were simply worried about network security (the irrelevant DOD reference is a nice touch though). Fortunately, Smart City's statement also makes it clear they see the futility of fighting the FCC on this issue:
"While we have strong legal arguments, we've determined that mounting a vigorous defense would ultimately prove too costly and too great a distraction for our leadership team. As a result, we've chosen to work cooperatively with the FCC, and we are pleased to have resolved this matter. We are eager to return our energies to providing leadership to our industry and delivering world-class services to our clients."
Yeah, it's probably a good idea to get back to what you do best: charging outrageous pricing for pathetically-slow Wi-Fi service.


Posted on Techdirt - 18 August 2015 @ 8:24am

Ex-Kremlin Hired 'Troll' Wins One Ruble In Damages From Putin's Internet Propaganda Factory

from the propagandist-whac-a-mole dept

As we've been exploring, whistleblowers have been exposing Putin and the Kremlin's use of "troll factories" to fill the internet with propaganda. The efforts run amazingly deep, with employees paid 40,000 to 50,000 rubles ($800 to $1,000) a month to create proxied, viable fake personas -- specifically tasked with pumping the internet full of toxic disinformation 24 hours a day. One of these employees, Lyudmila Savchuk, spent two months employed by the operation and was so disgusted that she quit, launched an anti-propaganda social activist campaign, and decided to sue the Russian government.

Amazingly enough, Lyudmila Savchuk is not only still alive, but she has won her case. A Russian court has awarded Savchuk symbolic damages of one ruble, her requested damage amount, after she sued the disinformation barn for non-payment of wages and for failing to give workers proper contracts:

"I am very happy with this victory. I achieved my aim, which was to bring the internet trolls out of the shade," said Savchuk, 34. The Kremlin has claimed that it has no links to the operations of the Agency for Internet Studies. Authorities in Russia have intensified a propaganda campaign as the crisis over Ukraine has sent tensions with the west soaring to their highest level since the cold war.
So yes, Savchuk managed to bring a small portion of one of Putin's companies involved in propaganda (Agency for Internet Studies, or Internet Research) out of the shadows briefly. But the Russian government continues to deny it has any connection to the operation, and the company itself continues to operate unfettered, as do the myriad other similar companies the Kremlin employs to pollute the global discourse mud puddle.

Case in point: as Russia waits for the report on what caused the crash of Malaysia Airlines flight MH17 over Ukraine last year (investigators believe the downing missile was Russian made, and the report is expected to show it was fired from territory held by pro-Russian rebels), a rather ham-fisted attempt to blame the CIA for the crash has been circulating online ahead of the report's release:
"A Russian newspaper posted an audiotape on its website that purports to reveal two US spies plotting to bring down Malaysia Airlines flight MH17 over Ukraine last year. One hitch: The conversations are so stilted and oddly worded that they have been widely dismissed by native English speakers as obviously fake. "If you wanted to believe the CIA is responsible for downing MH17, now you've got the 'proof,'" the self-exiled Russian online newspaper Meduza headlined its report pointing out the awkward language used by the purported spies.
The recording itself certainly sounds as if two sad actors are simply reading from a poorly-translated English script:
Of course any Russian internet propagandist worth their salt will probably conclude that this ham-fisted attempt to frame the CIA was cleverly devised by the CIA itself as a sort of reverse head fake (and since the CIA has done numerous stranger things, many might even believe it). Either way, the point stands: while Savchuk may have bravely succeeded in winning one small battle against Putin's propaganda army, it's only the tiniest of dents in what's now a well-established Russian internet disinformation apparatus.


Posted on Techdirt Wireless - 18 August 2015 @ 5:04am

Verizon Quietly Backs Off Throttling 'Unlimited' Wireless Customers, But Only After It No Longer Matters

from the limited-unlimited dept

In July of 2011, Verizon announced it would no longer offer its wireless users unlimited data plans, and instead began pushing more expensive and capped shared data plans (complete with shiny $15 per gigabyte overage fees!). While Verizon did grandfather existing unlimited customers, it, like AT&T, immediately began waging a quiet war on these users, throttling these purportedly "unlimited" connections to try and drive them toward pricier metered options.

In Verizon's case, the company started by throttling unlimited customers on its 3G network. When Verizon Wireless announced in 2014 it was going to start applying these "network optimization" practices to its LTE 4G network, the company received a surprise wrist slap by FCC boss Tom Wheeler, who warned the company that he saw through its use of congestion to drive revenue:

"Reasonable network management" concerns the technical management of your network; it is not a loophole designed to enhance your revenue streams. It is disturbing to me that Verizon Wireless would base its "network management" on distinctions among its customers' data plans, rather than on network architecture or technology."
As we frequently note, phantom network congestion has long been a useful bogeyman to defend predatory or otherwise anti-competitive behavior in telecom. In Verizon's case, the company responded to the FCC by effectively claiming that everybody was doing it, something that didn't sit well with Wheeler in a follow up warning to the company just about a year ago:
"'All the kids do it' was never something that worked with me when I was growing up and it didn't work with my kids," Wheeler told reporters on Friday. Wheeler said that response wasn't good enough to calm his concerns that the company was trying to milk users for more profit. "My concern in this instance is that it is moving from engineering and technological issues into business issues," he said.
Verizon ultimately decided to scrap its plans to throttle unlimited LTE users, and the FCC proceeded to pass tougher new net neutrality rules in February of this year. AT&T, in contrast, tried to push its luck, and continued throttling unlimited users until it received a $100 million FCC fine (which AT&T is still fighting) and was socked with an FTC lawsuit for false advertising (which AT&T is also still fighting). Verizon, meanwhile, quietly continued throttling its unlimited 3G users -- until only just last week. Verizon "announced" the changes in a bit of fine print on the Verizon website:
"Beginning in 2011," it reads, "to optimize our network, we managed data connection speeds for a small subset of customers — those who are in the top 5% of data users and have 3G devices on unlimited data plans — and only in places and at times when the network was experiencing high demand. We discontinued this practice in June, 2015."
And by "optimize its network," Verizon means "optimize its revenues." In speaking to the Washington Post, Verizon claims this was just a run-of-the-mill business decision, made because it impacted so few customers:
"We make business decisions all the time," Verizon said in a statement to the Post. "Because it was such a small subset of customers who were affected [by the 3G throttling], we made the call to discontinue even a limited approach to managing data connection speeds."
Right, well, it's only now such a small subset of customers because Verizon drove them all to metered LTE plans already. But basically, Verizon was allowed for four years to advertise a product falsely as "unlimited," and to use network congestion as bogus justification for driving its users to more expensive plans -- with little more than a wrist slap. With the net neutrality rules now in effect (you know, the ones that were supposed to have destroyed the Internet by now) there are some basic protections in place for consumers moving forward.

But with AT&T and Verizon's history of outright fraud and misleading consumers, and network gear getting ever more sophisticated, enforcement is going to require that the FCC remain uncharacteristically tough and attentive. And that's no given; as noted recently, usage caps similarly use the congestion bogeyman to drive revenue and raise consumer rates, but the FCC has remained notably mute on the subject.


Posted on Techdirt - 17 August 2015 @ 9:18am

Comcast Admits Broadband Usage Caps Are A Cash Grab, Not An Engineering Necessity

from the whoops-a-daisy dept

For years the broadband industry tried to claim that it was imposing usage caps because of network congestion. In reality ISPs have long lusted after usage caps for two simple reasons: they allow ISPs to charge more money for the same product, and they help cushion traditional TV revenues from the ongoing assault from Internet video. Instead of admitting that, big ISPs have tried to argue that caps are about "fairness," or that they're essential lest the Internet collapse from uncontrolled congestion (remember the debunked Exaflood?).

Over the years, data has shown that caps aren't really an effective way to target network congestion anyway, can hinder innovation, hurt competitors, and usually only wind up confusing consumers, many of whom aren't even sure what a gigabyte is. Eventually, even cable lobbyists had to admit broadband caps weren't really about congestion, even though they still cling to the false narrative that layering steep rate hikes and overage fees on top of already-expensive flat-rate pricing is somehow about "fairness."

Comcast is of course slowly but surely expanding usage caps into its least competitive markets. More recently the company has tried to deny it even has caps, instead insisting these limits are "data thresholds" or "flexible data consumption plans." But when asked last week why Comcast's caps in these markets remain so low in proportion to rising Comcast speeds (and prices), Comcast engineer and vice president of Internet services Jason Livingood candidly admitted on Twitter that the decision to impose caps was a business one, not one dictated by network engineering:

Jason's not the first engineer to admit that caps aren't an engineering issue and therefore don't have anything to do with congestion. In fact, if you followed the broadband industry's bunk Exaflood claims over the last decade, you probably noticed that ISP lobbyists say one thing (largely to scare legislators or the press into supporting bad policy), while actual engineers say something starkly different.

Repeatedly we've been told by ISP lobbyists and lawyers that if ISPs don't get "X" (no net neutrality rules, deregulation, more subsidies, the right to impose arbitrary new tolls, whatever), the Internet will choke on itself and grind to a halt. In contrast, the actual people building and maintaining these networks have stated time and time again that nearly all congestion issues can be resolved with modest upgrades and intelligent engineering. The congestion bogeyman is a useful idiot, but he's constructed largely of bullshit and brainless ballast.

Livingood will likely receive a scolding for wandering off script. Comcast, unsurprisingly, doesn't much want to talk about the comment further:
"We've asked Comcast officials if there are any technology benefits from imposing the caps or technology reasons for the specific limits chosen but haven't heard back yet. Livingood's statement probably won't come as any surprise to critics of data caps who argue that the limits raise prices and prevent people from making full use of the Internet without actually preventing congestion."
That's worth remembering the next time Comcast tries to insist that its attempt to charge more for the same service is based on engineering necessity. The problem? Our shiny new net neutrality rules don't really cover or restrict usage caps, even in instances when they're clearly being used to simply take advantage of less competitive markets. While Tom Wheeler did give Verizon a wrist slap last year for using the congestion bogeyman and throttling to simply make an extra buck, the FCC has generally been quiet on the implementation (and abuse) of usage caps specifically and high broadband prices in general.

There are some indications that the FCC is watching usage caps carefully, and says it will tackle complaints about them on a "case by case basis." But what that means from an agency that has traditionally treated caps as "creative" pricing isn't clear. It's another example of how our net neutrality rules were good, but serious competition in the U.S. broadband sector would have been better.

