Karl Bode’s Techdirt Profile

kbode

About Karl Bode

Karl Bode is a freelance writer living in New York that has been babbling, jabbering and prattling about technology, politics and culture professionally for more than fifteen years. Follow me on Twitter @KarlBode

http://www.linkedin.com/in/karlbode



Posted on Techdirt Wireless - 27 April 2017 @ 6:23am

AT&T Unveils A Fake 5G Network In The Hopes You'll Ignore T-Mobile Is Kicking Its Ass

from the 5G-is-whatever-I-say-it-is dept

To be clear: fifth generation (5G) wireless should be really impressive when it actually arrives, providing significantly faster mobile broadband speeds at lower latencies. The catch: the 5G standard hasn't even been created yet, and any real deployment of the ultra-fast technology isn't expected to even seriously begin until 2020. That hasn't stopped wireless carrier and hardware vendor marketing departments, which have been hyping the technology as the second coming for several years now. Sure, these salesmen don't know what 5G really even is yet, but they're pretty sure it's going to fix everything.

As these carriers rush to begin tests on the hardware and software advancements that may someday make up the 5G standard, the real yeoman's work is now being done in marketing. All of the big carriers are tripping over themselves, trying desperately to convince the public that they're going to be the first to offer the amazing new benefits 5G can provide. Verizon has traditionally been at the forefront of this hype, telling anyone who'll listen it hopes to offer gigabit speeds over wireless sometime this year (to a limited number of trial participants).

Not to be outdone, AT&T has upped the ante this week with a proclamation that the company is first to market with "5G Evolution." What is 5G evolution? It's a largely meaningless marketing term concocted by AT&T to describe 4x4 MIMO (multiple input, multiple output) antennas and 256 QAM technologies that can be used to make existing LTE networks faster. It really has nothing whatsoever to do with "5G," but you wouldn't know that from reading AT&T's marketing missives this week:

"AT&T* today announced 5G Evolution plans to pave the way to the next generation of faster speeds for its wireless customers with the latest devices in over 20 major metro areas by the end of this year. We continue to lay the foundation for our evolution to 5G while the 5G standards are being finalized."

"Our 5G Evolution in Austin gives our customers a taste of the future," said David Christopher, chief marketing officer, AT&T Entertainment Group. "With 5G Evolution from AT&T you don’t have to wait to experience endless entertainment possibilities on the next generation network when you have the latest devices."

Except you will wait. For some time. A closer look reveals that the trials are only currently available in a limited part of Austin, and only accessible to those who have one of two mobile devices: the Samsung Galaxy S8 or S8+. And while 4x4 MIMO and 256 QAM advancements are a useful improvement for existing networks, they're not really new, either. T-Mobile has been implementing the upgrades on its own network since last fall.

And again, this has absolutely nothing to do with "5G." So why are carriers like AT&T and Verizon pushing so hard to hype a technology that doesn't technically exist? For years both carriers justified their higher prices by claiming their networks offered users superior connectivity. But as T-Mobile has ramped up competition, gobbled up their frustrated customers and closed the network coverage and performance gap -- these companies have been forced to find some other way to justify what are fairly consistently some of the highest LTE broadband prices among all developed nations. Their solution for this justification gap? Good, old-fashioned hype.

With "4G" networks, we watched as carrier marketing departments slowly but surely convinced the ITU to let them call pretty much everything short of carrier pigeons 4G. Not to be outdone, you can expect the marketing bastardization of the term "5G" to be dramatically more misleading and annoying.


Posted on Net Neutrality Special Edition - 26 April 2017 @ 2:29pm

FCC Boss Unveils Ingenious Plan To Replace Net Neutrality Rules With Fluff & Nonsense

from the throttled,-blocked,-hamstrung-and-hindered dept

FCC boss Ajit Pai has made no secret of his disdain for net neutrality. Or, for that matter, his general disregard for the consumer-protection authority granted the agency he's supposed to be in charge of. Pai had already stated that his "solution" -- to his perceived injustice that is net neutrality -- is to replace the government's existing, hard net neutrality rules with "voluntary commitments" by the likes of AT&T, Comcast and Verizon. From there, he hopes to leave any remaining regulatory enforcement to the under-funded and over-extended FTC (we've explained why this is a notably bad idea here).

Pai clarified his plans a little during a speech today in Washington, DC at an event hosted by FreedomWorks (which, not coincidentally, takes funding from the giant ISPs Pai is clearly eager to help). According to Pai, the FCC will issue a Notice of Proposed Rule Making tomorrow to begin the process of rolling back Title II and killing net neutrality. The FCC will then vote on the proposal on May 18, according to the agency head. That means there will be a full public comment period (that's where you come in) ahead of a broader vote to kill the rules later this year.

Pai's full speech (pdf) was packed with conflations, half-truths, and statements that have been repeatedly, painstakingly debunked over the course of the last decade. Among them being the ongoing claim that net neutrality rules weren't necessary -- because incumbent ISPs had done nothing wrong:

"Nothing about the Internet was broken in 2015. Nothing about the law had changed. And there wasn’t a rash of Internet service providers blocking customers from accessing the content, applications, or services of their choice."

Pai apparently "forgot" the time that AT&T intentionally blocked iPhone users from using FaceTime unless they signed up for significantly more expensive mobile data plans. Or that time MetroPCS blocked all access to video on its introductory plans to drive users to costlier plans if they wanted the "full internet experience." Or that time a small ISP named Madison River decided to block a competing VoIP provider. Or that time AT&T, Verizon, and T-Mobile blocked their users from using Google Wallet to help prop up their own mobile payment services. Or the longstanding allegations that Comcast, Verizon, AT&T and others intentionally let their peering points get congested to kill settlement-free peering and force content and transit providers to pay an additional toll.

The idea that net neutrality rules are arbitrary and unnecessary is a joke, and if you still don't believe consumers and startups need some kind of regulatory protection from giant (and ever-growing) broadband duopolists like Comcast, the joke's on you. And it's notably unfunny.

Pai, like most of the ISP allies in favor of gutting the rules, simply refuses to be proven wrong -- no matter what the actual data shows. For years now, Pai has cited broadband industry-funded studies that try to claim that net neutrality rules severely hampered broadband investment, despite zero objective evidence that's actually the case. But this being the post-truth era, Pai was quick to trot out the "Title II and neutrality killed investment" canard to the immense joy of the crowd of attending lobbyists, think tankers and other loyal ISP allies:

"So what happened after the Commission adopted Title II? Sure enough, infrastructure investment declined. Among our nation’s 12 largest Internet service providers, domestic broadband capital expenditures decreased by 5.6%, or $3.6 billion, between 2014 and 2016, the first two years of the Title II era. This decline is extremely unusual. It is the first time that such investment has declined outside of a recession in the Internet era."

It never happened. What did happen: some telecom industry-funded think tanks cherry picked data to make it appear that investment had foundered, then repeated the fabrication they'd created, apparently believing that repetition forges truth. But if you spoke privately to most ISPs, they'd be telling you they saw no investment reduction under Title II. ISPs don't oppose net neutrality and Title II because it makes investing harder; they oppose Title II and net neutrality because it prevents them from abusing the uncompetitive shitshow that is the broadband last mile.

What's abundantly clear here is that net neutrality opponents have zero problem with lying to achieve one, singular goal: maximizing the income of large broadband providers to the detriment of consumers, competition, startups and the health of the internet. And Pai poured it on exceptionally thick during his speech at FreedomWorks, claiming that gutting oversight of some of the most anti-competitive and least liked companies in America will somehow magically improve broadband competition, create jobs, expand internet access, and more:

"Without the overhang of heavy-handed regulation, companies will spend more building next-generation networks. As those networks expand, many more Americans, especially low-income rural and urban Americans, will get high-speed Internet access for the first time. And more Americans generally will benefit from faster and better broadband.

Second, it will create jobs. More Americans will go to work building these networks. These are good-paying jobs, laying fiber, digging trenches, and connecting equipment to utility poles. And established businesses and startup entrepreneurs alike will take advantage of the networks that they build to create even more jobs."

Doesn't that sound lovely? Except it's not happening. If the claim that Title II and net neutrality stifled investment was bullshit, the narrative that removing these regulations magically creates jobs and competition is just as fantastical. If anything, turning a blind eye to duopolists like Comcast and Verizon as they abuse the lack of broadband competition to make life harder on streaming competitors (something they're already doing) will have the opposite impact on existing and emerging internet markets to come. And if protecting ISP revenues is the top priority (and let's not fool ourselves that it isn't), actually fixing the industry's competitive shortcomings will never be on Pai's radar.

The problem Pai faces now is two-fold. One, net neutrality has broad, incredible bi-partisan support, and those consumers are certain to give him an earful during the public comment period that will begin after the May 18 vote. If Pai isn't familiar with the concept of backlash and overreach, he may want to bone up on some history. Pai will also need to show to the courts that the market has changed dramatically enough since the FCC's June 2016 win over ISPs to justify a massive reversal of the rules. If he can't, his entire effort will be struck down.

As a lawyer Pai knows this, which is why I still think Pai's playing a game of good cop, bad cop. Under this plan, Pai saber rattles for a few months about his intent to kill net neutrality, at which point the GOP shows up with some "compromise" legislation (likely this summer) that claims to codify net neutrality into law, but is worded in such a way (by the ISP lawyers that will inevitably write it) so the loophole-riddled "solution" is worse than no rules at all. If I were to guess, the legislation will come from Senator John Thune, who attempted to derail the 2015 net neutrality rules using a similar strategy.

It seems likely that neutrality opponent hubris could easily backfire. After all, every time ISPs have tried to kill net neutrality, the end result has been more stringent protections (as we saw when Verizon sued to overturn the FCC's flimsy 2010 rules, only to get... tougher rules). That said, this fight still may be harder than previous battles. With Google and Netflix likely to be less active (they're large enough now that they apparently think they no longer need to worry), the onus is going to be on grassroots activists, debate-fatigued consumers and startups to carry the brunt of the load this time around.


Posted on Techdirt - 26 April 2017 @ 1:21pm

Bose Lawsuit For Collecting Headphone Data Is Flimsy, But Highlights Continued Lack Of Real Transparency

from the dumb-tech-is-often-smarter dept

Being transparent about what private consumer data is being collected and sold appears to be a hard lesson for hardware vendors to learn. Earlier this month, Bose was hit with a new lawsuit (pdf) accusing it of collecting and selling personal subscriber usage data of the company's $350 QC 35 noise-canceling headphones. More specifically, the lawsuit claims that the Bose Connect smartphone companion app is collecting user preferences when it comes to "music, radio broadcast, Podcast, and lecture choices" -- and then monetizing that data without making it clear to the end user:

Unbeknownst to its customers, however, Defendant designed Bose Connect to (i) collect and record the titles of the music and audio files its customers choose to play through their Bose wireless products and (ii) transmit such data along with other personal identifiers to third-parties—including a data miner—without its customers’ knowledge or consent...Though the data collected from its customers’ smartphones is undoubtedly valuable to the company, Defendant’s conduct demonstrates a wholesale disregard for consumer privacy rights and violates numerous state and federal laws.

To be clear, the complaint, filed last week by Bose customer Kyle Zak in federal court in Chicago, seems more than a little thin. The suit appears to piggyback on growing concern about the wave of internet of things devices (from televisions to smart dildos) that increasingly use internet connectivity to hoover up as much as possible about consumers. Often, this data is collected and transferred unencrypted to the cloud, then disseminated to any number of partner companies without adequate disclosure.

That said, while Bose marketing insists users need the app to "get the most out of your headphones" and get the "latest features" for their headphones, in this instance, users can avoid data collection by simply not using the Bose companion app. And while Bose only appears to be collecting metadata, the suit tries to somehow claim that collecting this type of metadata -- which any and every music service also happily collects -- somehow violates the Wiretap Act:

... customers must download and install Bose Connect to take advantage of the Bose Wireless Products’ features and functions. Yet, Bose fails to notify or warn customers that Bose Connect monitors and collects—in real time—the music and audio tracks played through their Bose Wireless Products. Nor does Bose disclose that it transmits the collected listening data to third parties.

Were Bose, say, using the headphone jack on a headset to monitor actual user communications, the case might have legs. That said, while the suit's central Wiretap Act claims may be weak, the suit once again highlights that consumer data collection policies, if disclosed at all, are often buried in overlong privacy policies few if any consumers actually read -- using language carefully crafted to obfuscate what precisely is happening. Bose doesn't really help its case all that much in a statement on its website that declares the lawsuit "inflammatory" and "misleading," before being a little misleading itself:

We understand the nature of Class Action lawsuits. And we’ll fight the inflammatory, misleading allegations made against us through the legal system. For now, we want to talk directly to you. Nothing is more important to us than your trust. We work tirelessly to earn and keep it, and have for over 50 years. That’s never changed, and never will. In the Bose Connect App, we don’t wiretap your communications, we don’t sell your information, and we don’t use anything we collect to identify you – or anyone else – by name.

While Bose insists it doesn't "sell your information" -- its app privacy policy does note that it "may partner with certain third parties" to "engage in analysis, auditing, research, and reporting" (hey, it's not selling if we call it something else). And while Bose may not personally identify you "by name," we've long noted that "anonymized" data is far from anonymous. Study after study has made it clear that it only takes a shred of additional contextual data to make "anonymous" data easily and personally identifiable. If "trust" were truly Bose's top priority, they'd actually explain precisely what the app is doing, who data is sent to, and why.

Again, many may not care that Bose is collecting this data. Especially in an age where everybody carries around a miniature computer in their pocket, happily oblivious that their every step and click are being monetized by cellular carriers, app vendors, OS makers, advertising networks, and everybody else in the food chain. The problem is that companies continue to believe there's nothing wrong with hoovering up every shred of data they can, then hiding this collection in overlong, carefully-worded privacy policies -- and the false sense of security "anonymization" is supposed to provide.


Posted on Techdirt - 26 April 2017 @ 6:27am

Cord Cutting Is Very Real, And 25% Of Americans Won't Subscribe To Traditional Cable By Next Year

from the head-buried-firmly-in-the-sand dept

For years the traditional cable and broadcast industry has gone to great lengths to deny that cord cutting (getting rid of traditional cable TV) is real. First, we were told repeatedly that the phenomenon wasn't happening at all. Next, the industry acknowledged that sure -- a handful of people were ditching cable, but it didn't matter because the people doing so were losers living in their mom's basement. Then, we were told that cord cutting was real, but was only a minor phenomenon that would go away once Millennials started procreating.

Of course none of these talking points were true, but they helped cement a common belief among older cable and broadcast executives that the transformative shift to streaming video could be easily solved by doubling down on bad ideas. More price increases, more advertisements stuffed into each minute, more hubris, and more denial. Blindness to justify the milking of a dying cash cow instead of adapting.

But given the numbers we've seen over the last year or two, even the cable and broadcast industry has had to scale back its "head firmly in the sand" approach to market evolution. Last month MoffettNathanson analyst Craig Moffett, the telecom industry's top media quote machine, pointed out that 2016's 1.7% decline in traditional cable TV viewers was the biggest cord cutting acceleration on record. Kagan agreed, a recent report indicating that Pay TV providers lost around 1.9 million subscribers last year, the firm predicting a notable spike in the number of broadband-only homes:

"At the same time, American broadband-only homes grew much faster in 2016 — increasing by more than 2 million. Kagan estimated the U.S. had 15.4 million non-multichannel broadband homes at the end of last year, up from 13.3 million end of 2015. That suggests that 13% of the country’s occupied households make the decision not to take a traditional multichannel TV package."

Another new report by Convergence Research predicts that this broadband-only trend will only continue:

"US TV subscriber losses and cord cutter/never household additions saw a major increase in 2016 as compared to 2015: We estimate 2016 saw a decline of 2.05 million US TV subscribers, 2015 saw a decline of 1.16 million, and forecast a decline of 2.11 million TV subscribers for 2017...As of YE2016 we estimate 27.2 million US households (22.3% of HHs) did not have a traditional TV subscription with a Cable, Satellite, or Telco TV access provider, up from 24.2 million (20% of HHs) YE2015, and we forecast 30.3 million (24.6% of HHs) YE2017. 2015 saw 2.1 million, 2016 3 million, and we forecast 3.1 million 2017 cord cutter/never household additions."

The shorter version: by next year, one quarter of Americans will no longer subscribe to traditional cable. And that's only going to accelerate as cheaper, better, streaming alternatives emerge.

In a functioning, healthy market, these companies would see the writing on the wall and adapt, benefiting users. And to be fair, some have tried (Dish's Sling TV, AT&T's DirecTV Now). But with the cable industry's growing monopoly over broadband, a return to rubber-stamp regulation, and the looming death of net neutrality, many of these companies correctly understand they won't have to seriously compete anytime soon. They can simply impose unnecessary usage caps and overage fees on uncompetitive broadband markets, then use zero rating to give their own services a leg up -- while penalizing competitors.

Unfortunately for them, even that likely won't "solve" the tectonic evolution that's only just starting to take place. Ultimately, denial-prone cable and broadcast executives will be left with just one, unthinkable option: actually competing on cable TV price, flexibility and quality.


Posted on Net Neutrality Special Edition - 25 April 2017 @ 6:12am

Canada Rushes To Defend Net Neutrality As The U.S. Moves To Dismantle It

from the who-needs-a-healthy,-working-internet-anyway? dept

Here in the States, regulators and Congress are preparing to gut our existing net neutrality rules -- replacing them with the policy equivalent of wet tissue paper. In Canada, regulators are taking the complete opposite tack, last week cementing the country's net neutrality rules as some of the most comprehensive in the world.

After years of some obnoxious behavior by Canadian ISPs like Rogers, Canadian regulators adopted guidelines back in 2009 that prevent ISPs from blocking websites, while requiring that they're transparent about network management. In 2013, those guidelines were expanded to cover zero rating after Ben Klass, a graduate student in telecommunications, filed a complaint with the CRTC over zero rating. Specifically, Klass and his co-filers noted that Bell had begun exempting its own streaming video service from the company's usage caps, thereby putting smaller streaming competitors at a notable disadvantage.

While many people (especially here in the states) continue to labor under the misconception that zero rating gives them something for free, Klass rather concisely broke down why this was a problem in a blog post at the time:

"To figure out exactly what’s going on, I compared the price Bell charges for 5 gigabytes of mobile TV data to the least expensive data-only plan that lets you watch 5GB of Netflix without going over your cap (it’s called the “Tablet Flex” plan). It turns out that Bell charges you $5 a month to watch 5GB worth of their own content. If you want to watch 5GB worth of Netflix on the Bell network, on the other hand, they charge you $40. That’s a markup of 800%."

The short version: usage caps (which are already arbitrary constructs only made possible by a lack of real competition) are being used as an anti-competitive weapon to harm streaming video competitors. Here in the States the FCC seems to think this is a really nifty idea. In Canada, Chile, Japan, India, Norway, and The Netherlands, where the practice has been banned: not so much.

In 2015, the CRTC sided with Klass, arguing that this implementation of zero rating could wind up "inhibiting the introduction and growth of other mobile TV services accessed over the Internet, which reduces innovation and consumer choice." And last week, the CRTC released its final net neutrality guidelines, which puts in place a framework for addressing similar zero rating complaints moving forward. The CRTC decision first makes it clear that this kind of "differential pricing," when applied asymmetrically, can harm the overall market:

"differential pricing practices, generally speaking, result in (a) a preference toward certain subscribers over others, (b) a preference toward certain content providers over others, (c) a disadvantage to subscribers who are not eligible for, or interested in, a differential pricing practice offering, and (d) a disadvantage to content providers that are not eligible for, or included in, an offering."

Instead of using usage caps to disadvantage competitors and fracture the market, the CRTC has a crazy idea: how about ISPs instead directly compete on the quality and price of their networks?

"The Commission considers that competition in the retail Internet access services sector is best served, and the telecommunications policy objectives set out in the Act are best achieved, when ISPs compete and differentiate their services based on their networks and the attributes of the services on those networks, such as price, speed, volume, coverage, and the quality of their networks."

Of course ISPs loathe the idea of simply being "dumb pipe" providers that just offer a quality connection at a quality price. And they'd much rather continue engaging in half-hearted non-price competition -- using the lack of said competition to protect their TV revenues. But the CRTC also wasn't buying the argument put forth by ISPs (and the policy wonks and politicians paid to love them) that zero rating somehow improves overall internet access. Nor did it buy the argument that zero rating benefits users by letting them watch content for "free":

"The Commission considers that any short-term benefits of differential pricing practices would be greatly outweighed by the negative long-term impacts on consumer choice if ISPs were to act as gatekeepers of content through their use of such practices."

In other words, consumers labor under the illusion they're getting a better deal because their ISP's content doesn't count against caps. But as we've pointed out for years now -- the practice of zero rating simply shifts the cost burden around -- driving up costs elsewhere and hurting overall streaming competition. The CRTC is making it clear that -- barring some exceptional creative trickery by ISPs -- this will no longer be acceptable business behavior in Canada. For now.

This is all dramatically different from what we're doing here in the States. Our 2015 net neutrality rules didn't specifically ban zero rating, but instead left it up to the FCC to determine the anti-competitive impact of such plans on a "case by case basis" (something we made clear was a mistake at the time). But by the time the FCC actually got around to enforcing the rules last fall (when it warned both AT&T and Verizon their zero rating plans are clearly anti-competitive), the existing FCC was on the way out the door, to be replaced by a new FCC led by new boss Ajit Pai.

And Ajit Pai's first order of business? To kill the agency's inquiry into zero rating. And he's now getting ready to push a plan that would eliminate hard, real net neutrality rules and replace them with voluntary guidelines -- and weaker FTC oversight that ISPs are fairly certain to laugh at. In other words, as Canada moves to protect consumers, net neutrality and competition, the United States -- driven ignorantly and blindly by Comcast, AT&T and Verizon lobbyists -- is preparing to give a giant, neon middle finger to all three.


Posted on Techdirt - 24 April 2017 @ 11:49am

Malware Hunts And Kills Poorly Secured Internet Of Things Devices Before They Can Be Integrated Into Botnets

from the battle-of-the-brick dept

Researchers say they've discovered a new wave of malware with one purpose: to disable poorly secured routers and internet of things devices before they can be compromised and integrated into botnets. We've often noted how internet-of-broken-things devices ("smart" doorbells, fridges, video cameras, etc.) have such flimsy security that they're often hacked and integrated into botnets in just a matter of seconds after being connected to the internet. These devices are then quickly integrated into botnets that have been responsible for some of the worst DDoS attacks we've ever seen (including last October's attack on DYN).

And most security researchers firmly believe we haven't seen anything yet.

Enter PDoS (permanent denial of service) attack bots, which scan the internet for routers with default, unchanged passwords, or "smart" doorbells, dolls or other devices with paper-mache grade security. From there, PDoS attack bots issue a series of commands that wipe device media, corrupt all storage, and disconnect the device from the internet. Last month, researchers from security firm Radware set up an intentionally poorly-secured honeypot that they say saw roughly 2,250 PDoS attempts during just a four-day span.

The lion's share of these attacks came from two botnets dubbed BrickerBot.1 and BrickerBot.2 -- with nodes busily bricking poorly-secured devices around the world. Initially, researchers say, they thought that somebody crafted malware specifically to tackle the IoT threat. But given the broad targeting of the botnets (including server-attached storage devices), they also think it's possible that the goal may just be good, old, vanilla mayhem:

"When I discovered the first BrickerBot, I thought it was a drastic attempt to stop the IoT Botnet DDoS threat," Radware researcher Pascal Geenens told Ars. "I thought this was a competitor hacker who wanted to take out his competition and get access to the list of IP [addresses] of bots that were in the competitor's botnet. But upon discovery of the second BrickerBot this theory changed, as the second one is targeting any Linux-based system—not only embedded, BusyBox-based Linux with flash storage. What motivates people to randomly destroy things? Anger, maybe? A troll, maybe?"

As it stands, BrickerBot.2 can only access machines that feature default administrative passwords and have the telnet protocol enabled, limiting the overall potential impact. Regardless, the end result still isn't pleasant for those on the receiving end of a BrickerBot.2 attack:

"...In addition to corrupting the storage device, BrickerBot.2 wipes all stored files, removes the default Internet gateway, disables TCP timestamps, and limits the maximum number of kernel threads to just one. That all but ensures that most damaged devices won't be restored without a major undertaking. Radware has more details about the attacks here."

It's still entirely possible the goal here is to actually help the internet by killing poorly-secured hardware before it can be conscripted into the shitshow that is the internet of things. After all, BrickerBot.2 appears to be an evolution of the Linux.Wifatch malware, which first appeared in October 2015. It seems more than likely that additional malware strains taking cues from the Mirai malware will inevitably appear in the wild, the goal potentially being not necessarily mayhem -- but preventing the massive, crippling DDoS attacks most security experts feel are inevitable in the next year or two.

The problem (aside from this being illegal and destructive) is that the type of person that's likely to go out and purchase a poorly-secured "gee whiz" IoT device or router without considering security -- is the same type of person that's not going to understand why that device just stopped working for no coherent reason. As a result, they're likely to rush out and buy another, poorly-secured device, bringing the incompetence full circle with a zero net gain. As such, security expert Victor Gevers is urging malware authors like this to consider a more constructive path toward the same end goal:

"These attacks are very easy to execute, and I think this just the beginning," (Gevers) told Bleeping Computer. "I don't want to label this work as dark, but I think there are less destructive ways to achieve the same goal." "Instead of bricking you could also allow the devices to still work and just patch the vulnerability. This requires a bit more finesse."

Granted, an even better solution? Stop selling (and buying) hardware with paper-mache grade security in the first place.


Posted on Techdirt - 21 April 2017 @ 10:39am

Self Driving Taxis Are Going To Be A Nightmare To Secure, Warns Ex-Uber Security Researcher

from the I'm-sorry-I-can't-do-that,-Dave dept

So over the last few years you probably remember seeing white hat hackers demonstrate how easily most modern smart cars can be hacked, often with frightening results. Cybersecurity researchers Charlie Miller and Chris Valasek have made consistent headlines in particular by highlighting how they were able to manipulate and disable a Jeep Cherokee running Fiat Chrysler's UConnect platform. Initially, the duo documented how they were able to control the vehicle's internal systems -- or kill its engine entirely -- from an IP address up to 10 miles away.

But the two would go on to highlight how things were notably worse, pointing out last year that they'd also found a way to kill the vehicle's brakes, cause unexpected acceleration, or even direct the vehicle to perform sudden and extreme turns:

"Last year, they remotely hacked into the car and paralyzed it on highway I-64—while I was driving in traffic. They could even disable the car’s brakes at low speeds. By sending carefully crafted messages on the vehicle’s internal network known as a CAN bus, they’re now able to pull off even more dangerous, unprecedented tricks like causing unintended acceleration and slamming on the car’s brakes or turning the vehicle’s steering wheel at any speed."

Just the gift for intelligence or private sector ne'er-do-wells looking to cause mayhem -- or worse.

After Miller and Valasek's hacks made consistent headlines, the two were quietly hired by Uber to help the company secure its self-driving taxi service. Miller has since moved on to Chinese competitor Didi, and tells Wired he's much more free to speak about the perils of securing automated cars and taxis. What he's saying isn't what you'd call comforting:

"Autonomous vehicles are at the apex of all the terrible things that can go wrong,” says Miller, who spent years on the NSA’s Tailored Access Operations team of elite hackers before stints at Twitter and Uber. “Cars are already insecure, and you’re adding a bunch of sensors and computers that are controlling them… If a bad guy gets control of that, it’s going to be even worse."

The problems that Miller highlighted with the Jeep Cherokee are significantly worse when you're talking about a taxi that sees significantly more use each day. A taxi that, under current federal law, won't be able to block consumer access to the vehicle's OBD2 port (something consumers want the freedom to tinker with in their own vehicle, but perhaps not so much in a communal car):

"There’s going to be someone you don’t necessarily trust sitting in your car for an extended period of time,” says Miller. “The OBD2 port is something that’s pretty easy for a passenger to plug something into and then hop out, and then they have access to your vehicle’s sensitive network."

Miller notes that securing an automated vehicle isn't impossible, but it's going to require the use of "codesigning," restrictions built into the OBD2 port, better internal segmentation and authentication -- and basically a complete retooling of how self-driving vehicle security is implemented. But Miller notes that companies like Uber are bolting their computer systems onto already built vehicles, which complicates things. And the slow pace of finding and patching security vulnerabilities in vehicles poses an additional layer of problems.

The solution will also involve greater "open conversation and cooperation" among carmakers and developers, something Miller says was lacking at Uber, and hasn't exactly been the trademark of other automated vehicle vendors.

Right now, we continue to find the lack of security in our smart fridges and TVs kind of cute. But it's threats like those being exposed by Miller that have some security researchers like Bruce Schneier consistently predicting some massive problems on the horizon that may result in notable human casualties. And we're not helping the problem by letting companies monopolize repair, or consistently erode our privacy rights or our freedom to tinker.


Posted on Techdirt - 20 April 2017 @ 6:27am

FCC Moves To Make Life Easier For Business Broadband Monopolies

from the do-not-pass-go,-do-not-collect-$200 dept

By now, most people understand that the residential broadband market simply isn't very competitive. They also understand that's in large part due to the lobbying and financial stranglehold many providers have over both state and federal lawmakers and regulators. But however uncompetitive the residential broadband market is, the business "special access market" (often called Business Data Services (BDS)) is notably worse. This important but overlooked segment of the telecom market connects schools, cell towers, ATMs, retailers, and countless others to the internet at large.

But consumer groups and smaller companies for years have complained that this segment suffers under an absurd amount of monopoly control, resulting in many companies and organizations paying sky-high rates for basic connectivity. According to the FCC's own data (pdf), in the lion's share of markets, 73% of the special access market is controlled by one provider (usually AT&T, CenturyLink or Verizon), 24% usually "enjoys" duopoly control, and only a tiny fraction of markets have more than two choices of BDS providers providing this key connectivity.

After ten years of industry bickering and lobbying, Tom Wheeler last year began seriously exploring changes to special access rules, including price caps on how much these monopolies and duopolies can charge smaller companies (and in wireless, smaller competitors). By and large the FCC avoids broadband price caps like the plague, and the effort to impose limits on the BDS market reflected just how incredibly uncompetitive the special access market had become. But the rules were never finalized, and new FCC boss Ajit Pai was quick to throw away the decade-long reform effort.

Instead, Pai has proposed deregulating this captive market even further, a massive win to the incumbent monopolies and duopolies that control it. In a blog post, the FCC boss was quick to insist that competition in this sector is actually growing, and his (read: AT&T and Verizon's) proposal will be sure to keep regulations in place in areas where it isn't:

"The extensive record compiled by the Commission’s excellent staff shows substantial and growing competition in many areas of the country, thanks to new market entrants like cable companies. Where this competition exists, we will relax unnecessary regulation, thereby creating greater incentives for the private sector to invest in next-generation networks. But where competition is still lacking, we’ll preserve regulations necessary to prevent anti-competitive price increases."

But, as with much of Pai's particular brand of FCC leadership, what the FCC boss says -- and what he does -- are often very different things. Ars Technica is quick to highlight that Pai's proposal has a rather unique definition of "competition." Namely, the proposal declares a market "competitive" if there's just one additional broadband provider anywhere in a half mile radius:

"Pai's definition of "sufficient competition" has drawn fire. The plan would treat an entire county as competitive "if 50 percent of the locations with BDS demand in that county are within a half mile of a location served by a competitive provider." A county would also be considered competitive if 75 percent of Census blocks in the county have a cable provider."

Pai is part of a segment of revolving door regulators and other industry allies that often comically deny any competition issues in the broadband space -- whatsoever. Their solution is consistently blind and blanket deregulation, laboring under the belief that less regulatory oversight -- combined with no real competition -- somehow magically forges telecom Utopia. And while deregulation certainly does aid competitive, innovative markets, blind deregulation of the telecom market time and time again only serves to make competition issues worse. Just ask a Comcast customer.

The FCC is poised to vote on the deregulation of the uncompetitive BDS market on April 20 (and likely already voted to approve this effort by the time you read this). Lawmakers like Senator Ed Markey and Rep. Ed Doyle had urged the FCC to delay the vote:

"In the BDS market, we need more protections for competitors and small businesses, not great market control by incumbents,” they wrote. “We are concerned that the proposed BDS Report and Order does not adequately promote competition or apply appropriate pricing protections where competition does not exist."

Because BDS is an important but wonky and under-the-radar market for consumers and the press, Pai should be able to ram this vote through without much public scrutiny. As such, Pai's moves to gut rules governing the BDS market are set to join a growing chorus of other "accomplishments" we've seen so far under Pai, such as making it easier for prison monopolies to rip off inmates, the dismantling of efforts to improve cable box competition, the erosion of efforts to bring broadband to the poor, and his looming attempt to kill net neutrality. You'll notice one, consistent beneficiary to Pai's agenda -- and it sure as hell isn't you.


Posted on Net Neutrality Special Edition - 19 April 2017 @ 6:18pm

Roku Hires DC Lobbyists For First Time To Fight For Net Neutrality

from the K-Street-showdown dept

With broadband privacy rules dead, ISP lobbyists and their loyal lawmakers have begun quickly shifting their attention to killing FCC oversight of broadband providers and net neutrality. We've pointed out how folks concerned about this shouldn't expect a lot of help from the likes of Facebook, Netflix and Google this go round. We've also noted how folks need to begin waking up to the false arguments being used to sell the pitch (namely that gutting net neutrality and FCC authority over ISPs will be fine because existing FTC rules will protect users, which simply isn't true).

Roku certainly appears to have gotten the message, with reports suggesting the company has hired DC lobbyists for the first time ahead of what's expected to be a May or June attack on net neutrality (either at the FCC, in Congress, or a combination of both):

"For Roku and others in the business, an end to the Obama-era protections could make it harder — or, in some cases, more expensive — to offer content or services to customers at top download speeds. That’s why Roku has hired a pair of Republican lobbyists through an outside government-affairs firm, according to a federal ethics reports filed this week, specifically to focus on net neutrality. It’s the first time the company has ever retained lobbyists in Washington, D.C."

Roku, like countless other companies, is considering a live TV streaming platform that would compete with services from the likes of AT&T, Verizon and Comcast. Via usage caps and zero rating, these providers have already been waging a not-so-subtle war on streaming competitors. The former FCC had just started doling out wrist slaps for this sort of anti-competitive behavior, though the current Ajit Pai-led FCC was quick to kill all inquiries into the tactic. As we've long noted, this kind of behavior is only made possible by a lack of competition in the broadband space, something the current FCC is clearly not interested in fixing.

Roku has been on the receiving end of other anti-competitive behaviors by the likes of Comcast, designed to protect the cable industry's long-standing monopoly over cable TV hardware. While not technically a net neutrality violation, Comcast spent years refusing to implement the relatively-simple authentication needed to let Comcast broadband customers watch services like HBO Go on Roku, Playstation, or other devices. And while it has since backed off that behavior, it's now charging Roku users a completely arbitrary $7.95 fee just to use the Roku to watch Comcast TV services.

As we've long noted, these kinds of anti-competitive behaviors are just symptoms of the disease that is the lack of competition in the broadband market (which, contrary to some narratives, is far from "free," is deeply taxpayer subsidized, and doesn't magically fix itself with blind deregulation). With the current FCC making it abundantly clear it plans to ignore this lack of competition -- and strip away consumer protections in the space -- Roku should be worried. If you've spent any time watching the behavior of companies like Comcast as they grow larger and less accountable, you should be worried as well.


Posted on Techdirt - 19 April 2017 @ 10:48am

Apple Takes Heat For Software Lock That Prevents iPhone 7 Home Button Replacement By Third-Party Vendors

from the right-to-repair dept

We've been discussing for some time how John Deere, Apple, Sony and Microsoft are among a laundry list of companies fighting against so-called "right to repair" bills. The bills, currently being pushed in a handful of different states, make it easier for consumers to repair their own products and find replacement parts and tools. The bills are an organic consumer response to the attempts of many of these companies to monopolize repair, driven in large part by John Deere's draconian lockdown on "unauthorized repairs" -- forcing tractor owners to pirate tractor firmware and maintenance tools just to repair products they thought they owned.

Apple's been notably vocal on this subject, recently trying to shut down a Nebraska right to repair bill by proclaiming that it would turn the state into a dangerous hacker playground. Of course, propped up by the DMCA's anti-circumvention rules, Apple has utilized a rotating crop of tools to try and protect this repair monopoly. Last year, for example, Apple caused a bit of a shitstorm due to "Error 53", part of an iOS update that bricked phones that had their screens replaced by third party repair vendors.

Having apparently learned no lessons from the backlash from that use of repair locks, Apple is once again taking heat for new software locks cooked into the iPhone 7, which prevent the device's home button from working after it has been replaced. Unless, that is, the replacement is performed by a certified Apple technician with the proper "re-calibration" software. The home button is used to unlock the phone, and to return the user to the home screen when pressed.

In previous iPhone versions (iPhone 5S, 6, and 6S) if you replaced the home button you lost the security function, but users could still log in via PIN -- and the button still worked to bring users "home." But with the iPhone 7, replacing the home button via third-party vendor results in the button not working at all -- unless you take the device to Apple's Genius bar. This is, independent repair shops claim, just part of Apple's overall strategy of monopolizing repair, hampering third-party repair vendors, and restricting consumer choice:

"In a video demonstrating the block, Michael Oberdick, owner of the independent iPhone repair shop iOutlet, swapped the front displays (and home buttons) of two iPhone 7 devices. When swapped, the phone displays an error message that says "The Home Button May Need Service." Its functionality is disabled and "Assistive Touch" automatically pops up on the device, creating an onscreen, software-based home button."

This is, Oberdick argues, little more than a vindictive, anti-consumer move on the part of Apple:

"Not supporting that menu function makes no sense," Justin Carroll, owner of FruitFixed, an independent iPhone repair shop, told me. "Just a sad and petulant move on their part that will directly affect consumers especially after their one year manufacturer warranty is up."...This may sound like an esoteric issue, and to some extent it is—screen replacements can still be done so long as the original home button is carefully removed and moved to the new screen. But software locks specifically designed to prevent repair are a monopolistic, anti-consumer move that attempts to "tie" an electronic to the manufacturer even after it's already been sold.

Whether coming from Apple, Sony, or Microsoft, opposition to "right to repair" bills usually focuses on three (false) ideas: the bills will make users less safe, somehow "compromise" intellectual property, and open the door to cybersecurity theft. Apple will be sure to breathlessly insist that they're only making the iPhone 7's home button impossible to repair to protect consumer security, hoping you'll ignore that the entire practice of such software locks simply allows the company to monopolize repair, drive up the cost of overall ownership for all of its customers, and make life harder for third-party repair vendors.


Posted on Techdirt - 19 April 2017 @ 6:28am

Comcast Belatedly 'Introduces' Faster Broadband To City It Sued To Keep From Doing The Same Thing Years Ago. It Didn't Go Well

from the reap-what-you-sow dept

Back in 2008, Comcast sued the city of Chattanooga shortly after the city-owned utility (Electric Power Board, or EPB) announced plans to deliver the kind of cheap, ultra-fast broadband Comcast long refused to. After being saddled with legal expenses, EPB ultimately won that lawsuit, and in 2010 began offering ultra-fast fiber broadband. But it wasn't long before the community-owned broadband network ran into another obstacle: a Tennessee state protectionist law -- quite literally written by AT&T and Comcast -- that hamstrung the operation and prohibited it from expanding.

Fast forward nearly a decade, and EPB now offers symmetrical gigabit connections for around $70 a month -- at least to the parts of Chattanooga ISP lobbyists have allowed it to. A 2016 survey by Consumer Reports ranked EPB, outside of Google Fiber, as the only ISP with a truly positive consumer satisfaction rating among the 30 national ISPs ranked by the magazine. Chattanooga's Mayor, meanwhile, has cited EPB as a major contributor to the city's reinvention.

Facing this weird new phenomenon known as competition, Comcast this year finally broke down and brought its own gigabit offering (technically 1 Gbps down, 35 Mbps up) to the city. But Comcast being Comcast, it simply couldn't help but saddle the offering with a number of restrictions. Specifically, Comcast is offering the gigabit option to Chattanooga residents for $70 a month -- but only if they're willing to sign a three year contract. If users refuse, not only is the price of the service jacked to $140 per month, but they'll also face usage caps and overage fees -- which are only avoidable by signing the absurdly long contract.

Hoping to get Chattanooga residents excited about the new option when it finally arrived a few weeks ago, Comcast posted an announcement to Facebook "introducing" the city to gigabit broadband service. It didn't go well. The company began taking an absolutely ferocious beating from area locals tired of Comcast's high prices and legendarily-bad customer service:

Take note of the automated Comcast "support" representative that appears to believe they're "helping" without any understanding of the context of the concerns. The beating proceeds like this for an amazingly long time, consistently citing slow speeds, high prices and poor service:

You may notice a consistent theme or two brought up by Chattanooga locals. The beating was so severe it made the Chattanooga Times Free Press, via which Comcast tried to claim that the response to the company's quickly-backfiring ad campaign was a "misunderstanding":

Comcast says the ongoing backlash is the result of a misunderstanding. The cable giant says that it didn't mean to imply it was rolling out the city's first gigabit service. Rather, it was introducing Xfinity's first gigabit service for residential customers.

"Comcast's recent advertisement on Facebook was intended to remind customers in Chattanooga that our 1-gigabit internet service is now available in their area," said Alex Horwitz, vice president for public relations at Comcast. "The service is offered via cable modem technology, which makes Chattanooga one of the first markets in the nation to enjoy this new service."

There's no misunderstanding. Chattanooga locals understand all too well that Comcast has thrown millions at lawmakers on both the local and state level to try and stifle competition, then expected locals to be awed when the company belatedly introduced its own, inferior and restriction-laden product -- nearly a decade later. There's a reason that Tennessee remains one of the least connected states in the union (pdf), and it has absolutely everything to do with Comcast being an anti-competitive bully with a near-total stranglehold over the state legislature and politicians like Marsha Blackburn.

Tennessee isn't alone in spending the majority of its time bending over backwards to please the country's biggest broadband incumbents to its own, obvious detriment. And more restrictive state laws are being passed all the time. And instead of fixing this corruption on the state or federal level, we're now looking at axing consumer privacy protections and killing net neutrality. Because, you know, that's certain to deliver the kind of broadband Utopia Chattanooga and countless other U.S. markets have been begging for over the last decade.


Posted on Techdirt - 18 April 2017 @ 11:48am

New 'Perceptual' Ad Blocking Tech Doesn't Win The Ad Blocking War, But It May Put Advertisers On Their Heels... Permanently

from the the-mole-finally-got-whacked dept

We've long documented how there's a growing array of websites that seem intent on shooting themselves in the foot when it comes to "defeating" ad blocking. Quite often that includes punishing customers for a website's own misdeeds, or using ham-fisted (and frankly often broken) systems that attempt to block the ad blockers. Of course, this tends to obfuscate why these users are using blockers in the first place, whether it's to keep ads from eating their broadband usage allotments, or simply as an attempt to protect themselves from "ads" that are often indistinguishable from malware.

The bottom line is that thanks to aggressive, poorly designed or downright hostile ads, many consumers quite justly now feel that ad blockers are an essential part of their privacy and security. Here at Techdirt, we long ago decided to let our visitors decide what their ad experience looks like, letting visitors disable ads entirely if that's their preference (we just, of course, hope they'll try to support us in other ways). Elsewhere though, websites are engaged in what feels like a futile game of Whac-a-Mole that seems increasingly obvious (to some) won't be "winnable."

New developments on the ad block front seem to indicate this game of Whac-a-Mole may soon end up with the mole being -- well -- most decidedly whacked.

Princeton and Stanford researchers say they've developed a new method of blocking advertisements that detects ads the same way human beings do -- by simply looking at things like container sizes, graphical layout, and words like "Sponsored" (usually mandated by regulations or voluntary, cross-industry commitments). Computer scientist Arvind Narayanan and his colleagues have published a new paper (pdf) and proof-of-concept code for something they're calling a Perceptual Ad Blocker. Their paper describes the new technology as such:

"Perceptual ad blocking seeks to improve resilience against ad obfuscation and minimize manual effort needed to create ad blockers. We rely on the key insight that ads are legally required to be clearly recognizable by humans. To make the method robust, we deliberately ignore all signals invisible to humans, including URLs and markup. Instead we consider visual and behavioral information. For example, an ad may include the tex "Sponsored" or 'Close Ad" within its boundaries, either directly or when hovered over. We expect perceptual ad blocking to be less prone to an "arms race."

Over at Freedom to Tinker, Narayanan is quick to point out that this new technology isn't "undefeatable" (as some websites quickly suggested), but it does certainly tilt the ad block battlefield in favor of the end user. He notes that the technology was developed in response to Facebook's decision to integrate ads that look like regular posts in the user's news feed, something systems like AdBlock haven't been able to detect (some smaller blockers like uBlock Origin have been able to, but apparently have such a small market share they've yet to get Facebook's attention).
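The paper excerpt quoted above describes detection from what a person can see rather than from URLs or markup. The following is an added illustration, not the researchers' proof-of-concept code: a small JavaScript detector run over a constructed snapshot of a rendered feed. The node fields (`visible`, `text`, `hoverText`, `box`, `cls`, `href`), the size thresholds and the sample page are all assumptions made for the example.

```javascript
// Added example: perceptual ad detection over a constructed render snapshot.
// The detector reads only rendered text, hover text and box size. It never
// reads `cls` or `href`, so obfuscating markup or URLs changes nothing.

// Disclosure labels named in the paper excerpt quoted above.
const MARKERS = new Set(["sponsored", "close ad"]);
// Assumed minimum rendered size (CSS px) for a box to count as an ad container.
const MIN_W = 120, MIN_H = 60;

const norm = (s) => (s || "").replace(/\s+/g, " ").trim().toLowerCase();

// Text a person would read inside `node`: its own text plus that of visible
// descendants. Hidden nodes contribute nothing, so filler letters hidden
// between the pieces of a split label drop out.
function renderedText(node) {
  if (node.visible === false) return "";
  return (node.text || "") + (node.children || []).map(renderedText).join("");
}

// A label is a node whose whole visible (or hover) text is a disclosure
// marker. Exact match keeps a post that merely mentions "sponsored" organic.
function isLabel(node) {
  return MARKERS.has(norm(renderedText(node))) || MARKERS.has(norm(node.hoverText));
}

// Returns the ad containers in document order: for each label, the nearest
// enclosing box that is at least MIN_W x MIN_H.
function findPerceptualAds(root) {
  const found = [];
  const seen = new Set();
  (function walk(node, ancestors) {
    if (node.visible === false) return; // invisible subtree: ignored entirely
    if (isLabel(node)) {
      const chain = [node, ...ancestors]; // nearest first
      const container =
        chain.find((n) => n.box && n.box.w >= MIN_W && n.box.h >= MIN_H) || node;
      if (!seen.has(container)) { seen.add(container); found.push(container); }
      return;
    }
    for (const child of node.children || []) walk(child, [node, ...ancestors]);
  })(root, []);
  return found;
}

// Constructed sample page. `id` is used only to report results.
const page = {
  id: "feed", box: { w: 500, h: 2000 }, children: [
    // Organic post that happens to use the word "sponsored" in its body.
    { id: "post-1", cls: "x1a", box: { w: 500, h: 300 }, children: [
      { text: "Riverside PTA", box: { w: 120, h: 14 } },
      { text: "Our bake sale is sponsored by local shops.", box: { w: 480, h: 40 } },
    ]},
    // Ad styled like a post: same class as organic posts, label split across
    // spans with a hidden filler span in between.
    { id: "post-2", cls: "x1a", href: "/story/8841", box: { w: 500, h: 320 }, children: [
      { box: { w: 500, h: 20 }, children: [
        { text: "Example Shoes", box: { w: 100, h: 14 } },
        { box: { w: 60, h: 12 }, children: [
          { text: "Spon" }, { text: "zq", visible: false }, { text: "sored" },
        ]},
      ]},
      { text: "New arrivals this week.", box: { w: 480, h: 40 } },
    ]},
    // Organic post carrying a hidden decoy label that no reader can see.
    { id: "post-3", cls: "x1a", box: { w: 500, h: 200 }, children: [
      { text: "Holiday photos from the coast.", box: { w: 480, h: 40 } },
      { text: "Sponsored", visible: false, box: { w: 60, h: 12 } },
    ]},
    // Banner whose only disclosure appears when hovering the close button.
    { id: "banner", cls: "content-main", box: { w: 728, h: 90 }, children: [
      { text: "Fly to Lisbon from $299", box: { w: 400, h: 30 } },
      { text: "\u00d7", hoverText: "Close Ad", box: { w: 16, h: 16 } },
    ]},
  ],
};

console.log(findPerceptualAds(page).map((n) => n.id));
```

The exact-match rule and the visibility check are what separate the two organic posts from the disguised ad: one mentions the word in running text, the other carries a label nobody can see.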

The other ad blocking obstacle that Narayanan's perceptual ad blocker addresses is the growing number of websites that believe they've "solved" the problem by blocking users that use ad blockers. In short, it does this by convincing the web browser to effectively lie to any script trying to determine ad blocker use:

"The second prong of an ad blocking strategy is to deal with websites that try to detect (and in turn block) ad blockers. To do this, we introduce the idea of stealth. The only way that a script on a web page can “see” what’s drawn on the screen is to ask the user’s browser to describe it. But ad blocking extensions can control the browser! Not perfectly, but well enough to get the browser to convincingly lie to the web page script about the very existence of the ad blocker. Our proof-of-concept stealthy ad blocker successfully blocked ads and hid its existence on all 50 websites we looked at that are known to deploy anti-adblocking scripts. Finally, we have also investigated ways to detect and block the ad blocking detection scripts themselves. We found that this is feasible but cumbersome; at any rate, it is unnecessary as long as stealthy ad blocking is successful.

The researchers have developed both a standard and Facebook specific Chrome extension that you can try yourself, and they have no problem with identifying these types of integrated ads:

The researchers have yet to enable the actual blocking component of their ad blockers to, they say, "avoid taking sides on the ethics of ad blocking."

Now you'd like to think that should perceptual ad blocking be as effective as they're claiming, websites and advertisers would be forced to do some soul-searching into why users are flocking to ad blockers in the first place. But most of us know many of these websites won't learn a damn thing in this scenario, and may engage in behavior that forces users to somehow interact with the ads if they want the page to load. Narayanan is quick to point out that this -- like ad block blockers already have -- could only drive users away from these websites even faster:

"If publishers are willing to intrude on users’ attention by making them interact with ads, it does seem unlikely that ad blockers can succeed. But that will also drive away many users, and it’s not clear how many publishers would be willing to make that trade off. Sponsored content / native advertising is again a topic where the law has something to say. These need to be identified clearly as sponsored (and for the most part they are). We’ve found that people aren’t good at noticing these disclosures, but browser extensions can be! Ad blockers could take on the role of prominently alerting readers when a link they’re about to click on is in fact sponsored content."

If perceptual ad blockers are half as successful as the researchers claim they can be, many sites and advertisers have two options. One is to finally take serious stock of why ad block use has skyrocketed (and their own culpability for it) and develop more consumer-centric and creative monetization and advertising efforts. The other is to cry more, double down on blaming visitors for their adaptation failures, design systems that break the internet and annoy site visitors even further, or try to use the law to hamstring the use of ad blockers (an uphill climb, and in some places potentially a two-way street).

If stopping ad blockers truly is a fool's errand (and these researchers strongly believe it is), there's really only one choice that makes any real sense.


Posted on Techdirt - 18 April 2017 @ 6:27am

German Consumers Face $26,500 Fine If They Don't Destroy Poorly-Secured 'Smart' Doll

from the internet-of-broken-things dept

We've noted repeatedly how modern toys aren't immune to the security and privacy dysfunction the internet-of-broken-things has become famous for. A new WiFi-enabled Barbie, for example, has come under fire for trivial security that lets the toy be modified for use as a surveillance tool. We've also increasingly noted how the data these toys collect isn't secured particularly well either, as made evident by the Vtech incident, where hackers obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.

Last fall a lawsuit was filed against Genesis Toys, maker of the My Friend Cayla doll and the i-Que Intelligent Robot. The lawsuit accuses the company of violating COPPA (the Children's Online Privacy Protection Act of 1998) by failing to adequately inform parents that their kids' conversations and personal data collected by the toys are being shipped off to servers and third-party companies for analysis. A report by the Norwegian Consumer Council (pdf) also found that a lot of the data transmitted by these toys is sent over vanilla, unencrypted HTTP connections that could be subject to man-in-the-middle attacks.

In Germany, where surveillance fears run a little deeper for obvious reasons, regulators last February went so far as to urge German parents to destroy the My Friend Cayla doll, highlighting that hackers can use an unsecured Bluetooth device embedded in the toy to listen to and to talk to the child playing with it. Since then, Germany's Federal Network Agency has clarified its position further. It's not only banning the sale, purchase, and ownership of the toy, but it's warning families that they face fines up to $26,500 if they don't comply with demands that the toy be destroyed:

"The agency has now laid out just how parents are to destroy the doll. Parents are asked to fill out a destruction certificate that must be signed by a waste-management company and sent back to the agency for proof. While the agency says it has no plans to take action against those who don’t destroy the doll, it certainly could. Under German telecommunication laws, those who don’t comply with Federal Network Agency directives could face a fine up to $26,500 and two years in prison.

How very...thorough. One mother, amusingly, felt bad destroying the doll -- so she came up with a novel solution:

"One mother tells the WSJ that she was surprised to have had the doll sitting in her daughter’s room for two years. She says she was hesitant to actually destroy the doll, so instead she donated it to the German Spy Museum Berlin."

Germany's decision is certainly unnecessarily excessive, but it's a step up from the outright apathy on many fronts to the problems raised by connecting everything to the internet without prioritizing security and privacy. Researchers continue to argue that the IoT is creating thousands of new attack vectors into every home and business on the planet every day. Given the rise in the use of IoT devices in record-setting DDoS attacks, it's only a matter of time before these devices contribute to an attack on essential infrastructure, potentially at the cost of human lives.

It's obviously not their intent, but these devices continue to function as advertisements for the "dumb" technologies of yesterday. At least until parents collectively realize that Barbie and Ken need a better firewall.

Posted on Net Neutrality Special Edition - 14 April 2017 @ 6:23am

Don't Wait For Google, Netflix Or Facebook's Help If You Want To Save Net Neutrality

from the wake-up-and-smell-the-monopoly dept

So if you've not been paying attention, broadband ISPs (with help from new FCC boss Ajit Pai) are slowly but surely working to eliminate oversight of one of the least-competitive sectors in American industry. It began with Pai killing off a number of FCC efforts piecemeal, including plans to beef up cable box competition, investigate zero rating, and FCC attempts to stop prison telco monopolies from ripping off inmate families. From there, Congress used the Congressional Review Act to kill FCC privacy protections for broadband consumers. Next up: reversing the FCC's 2015 Title II reclassification and gutting net neutrality.

Between this, cable's growing monopoly over broadband (including the rise in usage caps), the sunsetting of Comcast NBC merger conditions and a looming wave of new megamergers and sector consolidation, you should begin to notice there's a bit of a perfect storm brewing on the horizon when it comes to broadband and media competition, anti-competitive behavior, and oversight -- one that's not going to be particularly enjoyable for broadband consumers, or the numerous companies that compete and/or do business with the likes of AT&T, Comcast and Verizon.

To that end, most of the internet industry's heaviest hitters -- including Reddit, Google, Amazon, and Netflix -- under the umbrella of the Internet Association (IA) -- met with the FCC this week to urge Ajit Pai to keep the existing net neutrality rules in place. At the meeting, IA CEO Michael Beckerman and General Counsel Abigail Slater argued that things are working well with the rules in place, and that the long-standing industry claim that net neutrality hurt broadband investment is a canard:

"IA continues its vigorous support of the FCC’s OI [Open Internet] Order, which is a vital component of the free and open Internet," Beckerman wrote in an ex parte filing that summarized the meeting. "The Internet industry is uniform in its belief that net neutrality preserves the consumer experience, competition, and innovation online. In other words, existing net neutrality rules should be enforced and kept intact. The OI Order is working well and has been upheld by a DC Circuit panel. Further, IA preliminary economic research suggests that the OI Order did not have a negative impact on broadband Internet access service (BIAS) investment."

Unfortunately, the plea is likely to fall on deaf ears. Pai has made it abundantly clear he doesn't think that broadband competition, rampant consolidation, or net neutrality are real problems -- whatsoever. In fact, when Pai has spoken on net neutrality, he's gone to rather comic lengths to try and claim that content companies like Netflix are the real villains, while downplaying any and all anti-competitive ISP behavior. At one point, Pai actually went so far as to claim that the fact that Netflix ran a CDN was proof positive that Netflix was the real threat to the internet.

The second major problem here is that while companies like Netflix, Google and Facebook are gently lobbying against the FCC's plan via the IA, independently they've been less active than ever in protecting net neutrality. Like Amazon and many other tech giants, Facebook has never really been particularly vocal on net neutrality -- and in places like India they've consistently undermined the entire concept. Google has, contrary to public perception, also been arguably absent from the conversation since around 2010 when it began getting into fixed (Google Fiber) and wireless (Android, Project Fi) services. And as Netflix has grown more powerful, it's been notably less vocal on the subject as well.

Yes, these companies may still remain quietly active behind the scenes, but if you're hoping they come to the rescue in the same vocal way they did in the early days of the net neutrality feud, it's likely you're going to be disappointed. And with potentially less corporate firepower backing up their flanks, net neutrality supporters are going to have a steeper uphill climb this go round.

That brings us to the third major problem we're facing: the onus to save net neutrality this time is going to fall largely on the shoulders of consumers, small companies, and the startup community. But many of them, bored after a decade of often hyperbolic debate, were happily under the impression that once we had net neutrality rules -- the fight was over. Many still don't understand that net neutrality is a fight that never really ends. Net neutrality (the symptom) certainly isn't getting better until you shore up broadband competition (the disease) -- and there's exactly zero indication that's happening anytime soon.

That's not to say net neutrality can't be saved as the fight heats up over the next few months. But unless heavy hitters like Netflix and Google ramp up their opposition, and smaller companies and consumers shake off their apathy and begin waking up to the stage play currently underway in Congress and at the FCC, we're going to enter a new "golden era" of Comcast, AT&T, and Verizon cross-industry dominance that will make the media and internet issues of the last decade seem arguably quaint.

Posted on Techdirt - 13 April 2017 @ 10:48am

Tennessee Gives AT&T, Comcast Millions In New Taxpayer Subsidies, Yet Banned A City-Owned ISP From Expanding Broadband Without Taxpayer Aid

from the dysfunction-junction dept

If you want to understand what's wrong with the American broadband industry, you need look no further than Tennessee. The state is consistently ranked as one of the least connected, least competitive broadband markets in the country, thanks in large part to Comcast and AT&T's stranglehold over politicians like Marsha Blackburn. Lawmakers like Blackburn have let Comcast and AT&T lobbyists quite literally write protectionist state laws for the better part of a decade with an unwavering, singular focus: protecting incumbent revenues from competition and market evolution.

The negative impact of this pay-to-play legislature is non-negotiable. One state-run study last year ranked Tennessee 40th in terms of overall broadband investment and availability (pdf), and found that 13% of households (or 834,545 Tennesseans) lack access to any high-speed broadband internet service whatsoever. The study found that the vast majority of Tennessee residents still get internet access through slower services like DSL, wireless or dial-up connections, either because that's all that's available, or because they couldn't afford faster options.

Like twenty other states, Tennessee long ago passed a state law hamstringing towns and cities looking to improve regional broadband networks. As a result, popular municipal broadband providers like Chattanooga's utility-run ISP, EPB, have been banned from expanding their up to 10 Gbps offerings into any more markets. Attempts to repeal the law earlier this year went nowhere after mammoth pressure from incumbent ISP lobbyists. When that didn't work, one lawmaker tried to pass a compromise bill that would have allowed EPB to expand into just one neighboring county.

That proposal was shot down as well, one of the dissenting votes being that of Rep. Patsy Hazlewood, a former AT&T executive.

Tennessee residents have increasingly seen through Tennessee's unwavering fealty to some of the most despised brands in America. Some annoyed state residents have gone so far as to spend their own money to wire the state glacially, hilltop by hilltop. In a feeble attempt to try and placate those tired of expensive, slow broadband, Tennessee lawmakers recently passed HB 0529 or the "Broadband Accessibility Act of 2017." The centerpiece of the bill: throwing $45 million in additional subsidies at ISPs, the majority of which will be enjoyed by AT&T.

Motherboard correctly points out that the state banned EPB from expanding service to those same users without any cost to taxpayers, but was willing to throw additional subsidies at two giant companies with a mixed track record on putting government subsidies to work:

"To be clear: EPB wanted to build out its gigabit fiber network to many of these same communities using money it has on hand or private loans at no cost to taxpayers. It would then charge individual residents for internet service. Instead, Tennessee taxpayers will give $45 million in tax breaks and grants to giant companies just to get basic infrastructure built. They will then get the opportunity to pay these companies more money for worse internet than they would have gotten under EPB's proposal."

"Tennessee taxpayers may subsidize AT&T to build DSL service to Chattanooga's neighbors rather than letting [EPB] expand its fiber to neighbors at no cost to taxpayers," Christopher Mitchell, director of the Community Broadband Networks initiative at the Institute for Local Self-Reliance said. "Tennessee will literally be paying AT&T to provide a service 1000 times slower than what Chattanooga could provide without subsidies."

Given the repeated billions that have been thrown at incumbents that then consistently find ways to wiggle out of the obligations, resistance to the "throw subsidies at giant ISPs with a long, documented history of anti-competitive behavior and hope that does the trick this time" model is understandable. Especially in a state like Tennessee, where holding giant companies accountable for misdirection of telecom funds has never been a priority.

Fortunately, this new bill does make it legal now for electric cooperatives to provide broadband internet access to some areas -- a concession to outraged locals and a small sign of progress. That said, these co-ops will still find themselves hamstrung by Tennessee's other, existing, protectionist laws, which impose all manner of reporting and financing restrictions on anybody not named AT&T or Comcast. Popular companies like EPB -- ranked recently by Consumer Reports as one of the best rated ISPs in the country -- still can't offer service outside of its traditional electric utility footprint under Tennessee state law.

It's ironic, in that ISP lobbyists and loyal lawmakers usually try to justify their state bans on community broadband by pretending they were solely interested in protecting state residents from additional taxpayer spending. Yet this is all pretense to justify protecting large incumbent broadband duopolists from having to actually compete. One lawmaker that's actually trying to eliminate the state's restrictions on community broadband perhaps put it more succinctly:

"What we have right now is not the free market, it's regulations protecting giant corporations, which is the exact definition of crony capitalism."

And yet Tennessee's Marsha Blackburn has been consistently and generously rewarded for the kind of "crony capitalism" she's relentlessly advocated for on the state level. She recently was tagged to replace Greg Walden as the head of the House Energy and Commerce Committee's Subcommittee on Communications and Technology. Since that committee tackles most of the pressing internet-related issues, you can expect Tennessee's particular brand of AT&T and Comcast earlobe nibbling to manifest even more strongly on the federal level moving forward.

Posted on Net Neutrality Special Edition - 13 April 2017 @ 6:27am

FTC Commissioner: If The FCC Kills Net Neutrality, Don't Expect Our Help

from the Comcast-gets-what-Comcast-wants dept

So we've been talking a lot about new FCC boss Ajit Pai and his plan to not only kill net neutrality, but eliminate FCC oversight of broadband providers almost entirely. Reports recently surfaced indicating Pai has been busy meeting with large ISPs behind closed doors to replace hard net neutrality rules with "voluntary commitments" from ISPs (insert laugh track). This won't cause any problems, Pai and ISP lobbyists have argued in perfect unison, because the FTC will rush in to protect broadband consumers -- and net neutrality -- in the wake of the FCC's dismantling.

We've already noted how this entire narrative is exquisitely-crafted bullshit.

The FTC doesn't have any real authority over broadband without Congress passing a new law, which ISP campaign contributions will ensure won't be happening. And thanks to some lovely tap dancing by AT&T lawyers (looking to help the company dodge accountability for lying about throttling), a recent court ruling declared that broadband ISPs are largely immune to FTC oversight courtesy of common carrier exemptions. Former FCC staffer Gigi Sohn drove that point home this week in a piece over at The Verge:

"...Because of a recent decision from a Federal Appeals Court in California, the FTC can’t prohibit the vast majority of ISPs from sharing or selling your personal information at all. That decision says that if a company provides a common carrier service, the FTC cannot enforce its laws against any of its services, even if they are non-common carrier services like video or online news. So ISPs that also provide mobile or fixed telephone service — which is pretty much all of them — would be completely exempt from FTC oversight."

If people understand nothing else they should understand this: the goal here is virtually no real oversight of one of the least competitive, and most anti-competitive industries in America. But it's going to be sold as an improvement and a move toward "more efficient" regulation in an attempt to make killing net neutrality and eliminating regulatory oversight of Comcast sound reasonable.

Former FCC boss and one-time dingo Tom Wheeler had already stated Pai's entire argument is a "fraud," pointing out that ISP lobbyists want all consumer issues simply "lost in a morass" over at the already over-extended FTC. Current FTC Commissioner Terrell McSweeny this week effectively told Ars Technica the same thing, stating the FTC really isn't positioned to provide oversight of the broadband sector:

"We are a very hard-working agency but we’re not a very big agency," McSweeny said. "The FTC doesn't have a lot of expertise in network engineering. We're not the FCC in that regard." The FTC receives "millions of consumer complaints every year" across all industries under its jurisdiction, and "we can’t act on every single complaint."

Not only is the FTC too over-extended to provide real oversight of the likes of Comcast, Verizon and AT&T -- but McSweeny reiterates that ISPs can simply use the recent court ruling on common carrier exemptions to dodge oversight completely:

"In order to make sure that this isn’t just a no-cops-on-the-beat plan, the FTC Act would actually have to be amended by Congress to eliminate the common carrier exemption," McSweeny said.

And what, do you think, is the over-under for a campaign-contribution-soaked Congress actually doing that? There's a reason ISPs are spending millions in lobbying to roll back the FCC's Title II reclassification and shift broadband oversight back to the FTC -- and it's not to help the collective American public's complexion. Repeatedly throughout the article McSweeny makes it abundantly clear Pai's entire plan for "voluntary" net neutrality commitments is a joke, and trusting in the FTC to aid consumers in the wake of the looming neutering of FCC authority is a fool's errand:

"Moving from a clear ex ante rule around the open Internet and requirements that maintain an open Internet, and moving to this ex post enforcement kind of world is going to strongly tilt everything in favor of the incumbents," McSweeny said. "It will be harder potentially for innovators and edge providers to make sure that they are being treated fairly and in a nondiscriminatory way."

This narrative that killing net neutrality and Title II is no big deal because the FTC will rush in to save the day is a misleading canard, but you're going to see it start showing up literally everywhere over the next few months as ISPs fire up their think tanks, consultants, and other policy sockpuppets to support the push in the media.

If you're playing along at home, make sure you note how these folks will go to comic lengths to avoid addressing the elephant in the room (a lack of broadband competition). Also be sure to note how they intentionally avoid using the phrase "net neutrality" to avoid public backlash, instead focusing on the argument that FTC oversight is the one, true path toward glorious telecom Utopia (ignoring everything we already pointed out above).

It's clear the public is bored stiff with the net neutrality debate after a decade of often hyperbolic claims. But if large ISPs and those paid to love them succeed in gutting net neutrality, privacy, and FCC oversight of broadband carriers -- consumers, startups, many hardware vendors, smaller ISPs and content companies alike are collectively in for a very real, very bad time in relatively short order.

Posted on Techdirt - 11 April 2017 @ 9:39am

70% Support Letting Cities Build Their Own Broadband Networks, So Why Are We Still Passing State Laws Banning It?

from the state-government-for-sale dept

For years we've noted how more than twenty states have passed laws -- often quite literally written by ISP lobbyists -- that prevent towns and cities from building their own broadband networks (either alone, or with a private partner). Even in instances where, as is often the case, the incumbent broadband provider refuses to upgrade them. ISP lobbyists (and the lawmakers that love them) usually try to defend these protectionist laws by first demonizing municipal broadband as some kind of vile socialist cabal, then pretending new state laws are necessary to protect local communities from themselves.

In reality, municipal broadband is an organic, grassroots reaction to broadband market failure. And buying laws that restrict local communities' rights to decide local infrastructure matters for themselves is little more than regulatory capture. Like net neutrality and privacy rights, municipal broadband actually has broad, bipartisan support -- and most municipal broadband networks are built in Conservative markets with local voter support. But by framing the issue in a partisan way (government run amok!), ISP lobbyists have been able to sow dissent and stall progress that could challenge their status quo.

A new survey of 4,000 consumers by the Pew Research Project once again drives that point home, highlighting that 70% of Americans support letting towns and cities build their own broadband networks -- if they're not getting decent service by the regional incumbent:

"A substantial majority of the public (70%) believes local governments should be able to build their own broadband networks if existing services in the area are either too expensive or not good enough, according to the survey, conducted March 13-27. Just 27% of U.S. adults say these so-called municipal broadband networks should not be allowed. (A number of state laws currently prevent cities from building their own high-speed networks, and several U.S. senators recently introduced a bill that would ban these restrictions.)"

That said, partisan lines are far more stark when it comes to support for subsidizing broadband to low-income areas:

"At the same time, fewer than half of Americans (44%) think the government should provide subsidies to help lower-income Americans pay for high-speed internet at home. A larger share (54%) says high-speed home internet service is affordable enough that nearly every household should be able to buy service on its own."

Partisan battle lines are also quite notable when it comes to asking consumers if they think broadband is essential versus just kind of important (in part because if you admit broadband is "essential," then you need to do something about it -- and that might cost taxpayer dollars):

"Republicans and Democrats tend to agree that broadband is important, but Democrats are more likely to say it is essential: 58% of Democrats and Democratic leaners describe broadband in this way, compared with 38% of Republicans and Republican leaners. A similar split is evident by race and ethnicity, with blacks (55%) and Hispanics (61%) more likely than whites (45%) to say that high-speed access at home is essential."

That dissent is certainly understandable, given how easy it has been for companies like Verizon to nab billions in tax breaks and subsidies for jobs half-completed. There's also a laundry list of states like West Virginia, where regional incumbents received millions in well-intentioned subsidies -- only to turn around and waste that money on projects that helped virtually nobody. While some skepticism is warranted, there are countless instances where broadband subsidies did precisely what they were designed to do -- without much (if any) fanfare.

But again, it's interesting how municipal broadband tends to smash through these well-worn partisan grooves many of us dig into the earth. In large part because if there's one thing that we can all agree on -- it's that companies like Comcast and AT&T kind of suck, and dealing with their utterly abysmal customer support is a unifying, albeit miserable, experience. So then, too, is sticking it to these giant, lumbering, apathetic, and uncompetitive sector giants, and building a local, more accountable network operator where the money -- and employment -- actually remains in the local community.

The problem usually winds up being how to pay for it. Consumers may support the idea of municipal broadband and want to protect their right to vote for or against it, but many don't want to pay for it. That's why we're seeing more public/private partnerships between cities and companies like Google or Tucows/Ting. The problem, again: state laws bought by large ISPs often ban or hamstring public/private partnerships as well to help keep local competition at bay.

Despite the broad support for municipal broadband, states continue to sell state telecom law to the highest bidder. AT&T convinced Missouri to pass a law earlier this year expanding restrictions on municipal broadband -- after the telco failed to bury a restricting provision into a state traffic bill. Virginia tried to similarly expand its ban on municipal broadband, but lawmakers there were forced to retreat after they took a notable beating from the press and public.

As we've long noted, one surefire way to prevent towns and cities from getting into the broadband business is to provide cheaper, better service. But it has long been significantly easier to just buy a state lawmaker and protectionist law to protect the dysfunctional status quo. And like so many issues facing America, until we at least marginally address money's influence on politics -- and/or drive a higher turnout during state elections, little if any of this is going to change.

Posted on Techdirt - 10 April 2017 @ 11:44am

Hackers Set Off Dallas' 156 Warning Sirens Dozens Of Times

from the not-everything-should-be-connected-to-the-internet dept

So we've talked repeatedly about how the shoddy security in most "internet of things" devices has resulted in increasingly-vulnerable home networks, as consumers rush to connect not-so-smart fridges, TVs and tea kettles to the home network. But this failure extends well beyond the home, since these devices have also resulted in historically-large DDoS attacks as this hardware is compromised and integrated into existing botnets (often in just a matter of minutes after being connected to the internet).

Whether it's the ease with which a decidedly-clumsy ransomware attacker was able to shut down San Francisco's mass transit system, or the fact that many city-connected devices like speed cameras often feature paper mache security, you can start to see why some security experts are worried that there's a dumpster fire brewing that will, sooner rather than later, result in core infrastructure being compromised and, potentially, mass fatalities. If you ask security experts like Bruce Schneier, this isn't a matter of if -- it's a matter of when.

In what should probably be seen as yet another warning shot across the bow: slightly before midnight in Dallas last Friday a hacker compromised the city's emergency warning systems and managed to set off the city's 156 warning sirens more than a dozen times. Needless to say, the scale of the warning, and the number of sirens, led many people in Dallas to believe that the city had somehow been physically attacked in the middle of the night.

Dallas officials were forced to shut the system down around 1:20 am on Saturday, and despite informing the public to ignore the false alarms, a city that had already been having 911 issues the last few months found its 911 systems inundated with a massive influx of calls from concerned citizens:

"Even as the city asked residents not to dial 911 to ask about the sirens, more than 4,400 calls were received from 11:30 p.m. to 3 a.m. — twice the average number made between 11 p.m. and 7 a.m., Syed said. The largest surge came from midnight to 12:15 as about 800 incoming calls caused wait times to jump to six minutes, far above the city's goal to answer 90 percent of calls within 10 seconds."

The city is, frankly, fortunate that this didn't result in more problems than it did. City officials say they've identified how the attacker compromised the system, but won't be revealing technical details for obvious reasons (Update: it looks like the attacker used a radio signal attack on city gear to repeatedly set off the sirens). Over at his Facebook page, Dallas Mayor Mike Rawlings was quick to highlight how the attack made it clear the city needs to spend significantly more money on its technology infrastructure:

"This is yet another serious example of the need for us to upgrade and better safeguard our city’s technology infrastructure. It’s a costly proposition, which is why every dollar of taxpayer money must be spent with critical needs such as this in mind. Making the necessary improvements is imperative for the safety of our citizens."

Of course while older, out-dated systems are certainly a problem, rushing to throw money at companies promising the "connected city of tomorrow in a box" isn't a panacea, either. While it likely had nothing to do with the recent hack, AT&T has been advertising Dallas as the centerpiece of its "IOT" ambitions for the last few years, just one of countless companies rushing into the space in pursuit of new revenue and quarterly growth. The problem, again, is that many of these smart city solutions are from many of the same vendors for which security and privacy were an afterthought in the residential market.

So yes, most cities are in desperate need of a technology and security upgrade, yet often lack the budgets to do so. You just hope that when these upgrades actually occur, they aren't sabotaged by the same superficial concern for privacy and security already plaguing the connected home market.

Posted on Net Neutrality Special Edition - 10 April 2017 @ 9:37am

FCC Boss Wants 'Voluntary' ISP Net Neutrality Promises Instead Of Real Rules

from the Comcast-pinky-swear dept

Surprising nobody, FCC boss Ajit Pai has been privately meeting with large broadband providers, informing them he'll be taking an axe to net neutrality protections soon. What exactly this will look like isn't yet clear, especially given the massive support for the rules, and the fact that Pai can't just roll back net neutrality (and the FCC's Title II reclassification) without justifying it to the courts. But anonymous sources tell Reuters that Pai seemingly wants to replace real net neutrality protections with voluntary commitments from companies like AT&T, Verizon and Comcast:

"Pai wants to overturn that reclassification, but wants internet providers to voluntarily agree to not obstruct or slow consumer access to web content, two officials said late Tuesday.

"The officials briefed on the meeting said Pai suggested companies commit in writing to open internet principles and including them in their terms of service, which would make them binding.

"It is unclear if regulators could legally compel internet providers to adopt open internet principles without existing net neutrality rules."

Asking growing, giant corporations with a generation of documented anti-competitive behavior under their belts to just behave is utterly adorable, and anyone who believes that's a winning strategy for consumers, startups and competitors in the Comcast era is either obtuse or being intentionally misleading.

Contrary to the bedtime stories that dollar-per-holler ISP think tankers, lobbyists and consultants tell their children, gutting regulatory oversight of an uncompetitive market doesn't magically forge telecom Utopia. With neither competition nor functional regulatory oversight, the problems that plague the broadband industry (privacy violations, net neutrality infractions, high prices and usage caps, legendarily-bad customer service) only get worse, especially given the often absurd amount of telecom regulatory capture occurring on the state level.

And while Reuters is quick to strangely proclaim that such voluntary conditions would be "binding," most of us realize that the overlong privacy policies you sign when you buy broadband are designed almost entirely to legally protect the ISP, not you. These policies are flexibly and frequently updated and reconfigured all of the damn time to the benefit of the ISP and whatever new data collection effort they're up to this week. That these shifting, vague, ISP-written policies are the equivalent of the existing rules is a farce, as rightly pointed out by Nilay Patel over at The Verge:

"So what’s to stop Comcast from making this deal today, and then changing its terms a year from now? (It’s certainly not the presence of meaningful access competition in the marketplace!) How will the FTC track every single ISP’s terms of service language, the differences between them, and enforce any sort of consistent, reasonable policy?

Second, let’s say Pai manages to thread the needle and gets every ISP in the country to agree on the exact same open internet language in their terms of service, and further secures a commitment that the language will remain in their terms in perpetuity. Isn’t that functionally identical to... a law? Shouldn’t we just have... a law? And don’t we already have that law? What specifically is Pai trying to accomplish if he agrees that open internet principles are important?"

Let's be clear: Ajit Pai doesn't actually believe that net neutrality is important, whether that's manifest in principles, rules, or show tune. Pai doesn't believe net neutrality or a lack of competition are real problems. Nor does he believe in functional regulatory oversight of some of the largest and most anti-competitive companies in American industry. Pai, a former Verizon lawyer, believes in one thing: maximizing large ISP revenues at nearly any cost. Everything else is pretense (albeit a pretense many in the public, media and policy circles are exceptionally good at playing along with).

Pai, apparently blind to the perils of political overreach, could find himself in an untenable situation. One, reversing net neutrality will cause a policy and activist backlash that could make the SOPA uprising look like a game of grade-school patty cake. Especially given the extreme unpopularity of the recent privacy rule repeal. Two, to reverse the FCC's Title II classification via FCC proceeding requires he show a court that things have changed substantially since last year's fairly overwhelming FCC appeals court victory. Since he won't be able to, expect some form of misdirection when the plan is finally revealed in either May or June.

It still seems very likely Pai may be planning to make a public stink about repealing the rules as part of a stage play. One where the FCC boss intentionally stirs the pot and plays the bad cop, and ISP-allies in Congress push a new bill pretending to save net neutrality as good cop via "compromise." And while such a bill would, like Thune's similar proposal in 2015, pay ample lip service to net neutrality (the Make American Broadband Great Again Act of 2017?), the end goal would still be to kill real rules and reduce large ISP regulatory oversight, consumer welfare and internet health be damned.

Anybody who has spent more than five minutes dealing with a large ISP should be well aware of the dangers this looming farce presents. On the plus side, since ISPs and Pai have repeatedly claimed that the net neutrality rules stifled broadband investment, Pai's decision to replace the rules with the policy equivalent of wet cardboard should at least net us all gigabit fiber connections in short order. Right? Right?

Posted on Techdirt - 7 April 2017 @ 6:28am

Researcher: 90% Of 'Smart' TVs Can Be Compromised Remotely

from the internet-of-very-broken-things dept

So we've noted for some time how "smart" TVs, like most internet of things devices, have exposed countless users' privacy courtesy of some decidedly stupid privacy and security practices. Several times now smart TV manufacturers have been caught storing and transmitting personal user data unencrypted over the internet (including in some instances living room conversations). And in some instances, consumers are forced to eliminate useful features unless they agree to have their viewing and other data collected, stored and monetized via these incredible "advancements" in television technology.

As recent Wikileaks data revealed, the lack of security and privacy standards in this space has proven to be a field day for hackers and intelligence agencies alike.

And new data suggests that these televisions are even more susceptible to attack than previously thought. While the recent Samsung Smart TV vulnerabilities exposed by Wikileaks (aka Weeping Angel) required an in-person delivery of a malicious payload via USB drive, more distant, remote attacks are unsurprisingly also a problem. Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, recently revealed that around 90% of smart televisions are vulnerable to a remote attack using rogue DVB-T (Digital Video Broadcasting - Terrestrial) signals.

This attack leans heavily on Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable companies and set-top manufacturers that helps integrate classic broadcast, IPTV, and broadband delivery systems. Using $50-$150 DVB-T transmitter equipment, an attacker can use this standard to exploit smart dumb television sets on a pretty intimidating scale, argues Scheel:

"By design, any nearby TV will connect to the stronger signal. Since cable providers send their signals from tens or hundreds of miles away, attacks using rogue DVB-T signals could be mounted on nearby houses, a neighborhood, or small city. Furthermore, an attack could be carried out by mounting the DVB-T transmitter on a drone, targeting a specific room in a building, or flying over an entire city."

Scheel says he has developed two exploits that, when loaded in the TV's built-in browser, execute malicious code, and provide root access. Once compromised, these devices can be used for everything from DDoS attacks to surveillance. And because these devices are never really designed with consumer-friendly transparency in mind, users never have much of an understanding of what kind of traffic the television is sending and receiving, preventing them from noticing the device is compromised.

Scheel also notes that the uniformity of smart TV OS design (uniformly bad, notes a completely different researcher this week) and the lack of timely updates mean crafting exploits for multiple sets is relatively easy, and firmware updates can often take months or years to arrive. Oh, and did we mention these attacks are largely untraceable?

"But the best feature of his attack, which makes his discovery extremely dangerous, is the fact that DVB-T, the transmission method for HbbTV commands, is a uni-directional signal, meaning data flows from the attacker to the victim only. This makes the attack traceable only if the attacker is caught transmitting the rogue HbbTV signal in real-time. According to Scheel, an attacker can activate his HbbTV transmitter for one minute, deliver the exploit, and then shut it off for good."

So yeah, that internet of broken things security we've spent the last few years mercilessly making fun of? It's significantly worse than anybody imagined.
