" /> net.wars: August 2007 Archives


August 31, 2007

Snouting for bandwidth

Our old non-friend Comcast has been under fire again, this time for turning off Internet access to users it deems to have used too much bandwidth. The kicker? Comcast won't tell those users how much is too much.

Of course, neither bandwidth caps nor secrecy over what constitutes heavy usage is anything new, at least in Britain. ntl brought in a 1GB per day bandwidth cap as long ago as 2003. BT began capping users in 2004. And Virgin Media, which now owns ntl and apparently every other cable company in the UK, is doing it, too.

As for the secrecy, a few years ago when "unlimited" music download services were the big thing, it wasn't uncommon to hear heavy users complain that they'd been blocked for downloading so much that the service owner concluded they were sharing the account. (Or, maybe hoarding music to play later, I don't know.) That was frustrating enough, but the bigger complaint was that they could never find out how much was too much. They would, they said, play by the rules – if only someone would tell them what those rules were.

This is the game Comcast is now playing. It is actually disconnecting exceptionally heavy users – and then refusing to tell them what usage is safe. Internet service, as provided by Franz Kafka. The problem is that in a fair number of areas of the US consumers have no alternative if they want broadband. Comcast owns the cable market, and DSL provision is patchy. The UK is slightly better off: Virgin Media now owns the cable market, but DSL is widespread, and it's not only sold by BT directly but also by smaller third parties under a variety of arrangements with BT's wholesale department.

I am surprised to find I have some – not a lot, but some – sympathy with Comcast here. I do see that publishing the cap might lead to the entire industry competing on how much you can download a month – which might in turn lead to everyone posting the "unlimited" tag again and having to stick with it. On the other hand, as this Slashdot comment says, subscribers don't have any reliable way of seeing how much they actually are downloading. There is no way to compare your records with the company's, the equivalent of balancing your check book. But at least you can change banks if the bank keeps making mistakes or your account is being hacked. As already noted, this isn't so much of an option for Comcast subscribers.

This type of issue is resurfacing in the UK as a network neutrality dispute with the advent of the BBC's iPlayer. Several large ISPs want the BBC to pay for bandwidth costs, perhaps especially because its design makes it prospectively a bandwidth hog. It's an outrageous claim when you consider that both consumers and the BBC already pay for their bandwidth.

Except…we don't, quite. The fact is that the economics of ISPs have barely changed since they were all losing money a decade ago. In the early days of the UK online industry, when the men were men, the women were (mostly) men, and Demon was the top-dog ISP, ISPs could afford to offer unlimited use of their dial-up connections for one very simple reason. They knew that the phone bills would throw users offline: British users paid by the minute for local calls in those days. ISPs could, therefore, budget their modem racks and leased lines based on the realistic assessment that most of their users would be offline at any given time.

Cut to today. Sure, users are online all the time with broadband. But most of them go out to work (or, if they're businesses, go home at night), and heavy round-the-clock usage is rare. ISPs know this, and budget accordingly. Pipes from BT are expensive, and their size is, logically enough, specified based on average use. There isn't a single ISP whose service wouldn't fall over if all its users saturated all their bandwidth 24/7. And at today's market rates, there isn't a single ISP who could afford to provide a service that wouldn't fall over under that level of usage. If an entire nation switches even a sizable minority of its viewing habits to the iPlayer ISPs could legitimately have a problem. Today's bandwidth hogs are a tiny percentage of Internet users, easily controlled. Tomorrow's could be all of us. Well, all of us and the FBI.

Still, there really has to be a middle ground. The best seems to be the ideas in the Slashdot posting linked above: subscribers should be able to monitor the usage on their accounts. Certainly, there are advantages to both sides in having flexible rules rather than rigid ones. But the ultimate sanction really can't be to cut subscribers off for a year, especially if they have no choice of supplier. If that's how Comcast wants to behave, it could at least support plans for municipal wireless. Let the burden of the most prolific users of the Internet, like those of health care, fall on the public purse. Why not?
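Until the ISP publishes a meter, the only usage figure a subscriber can check is one they collect themselves. The following is an added example, not code from the column or from any ISP: a small daily meter that reads Linux /proc/net/dev-style byte counters for the WAN interface, copes with the 32-bit counter wrap that older drivers and routers expose, and compares each day's download total with a cap you set. The interface name, the 1GB cap and the counter snapshots are all constructed for the demo.

```python
"""Added example (not from the column): a subscriber-side daily usage meter.

Reads Linux /proc/net/dev-style counters for the WAN interface, handles the
32-bit counter wrap that older drivers and routers expose, and compares the
day's download total with a cap you set yourself. The interface name, the
cap and the sample text below are all constructed for the demo.
"""
from collections import defaultdict

COUNTER_BITS = 32          # assumption: 32-bit byte counters (common on 2007-era gear)
DAILY_CAP_BYTES = 10 ** 9  # assumption: a 1GB/day cap, like ntl's 2003 limit


def parse_proc_net_dev(text, iface):
    """Return (rx_bytes, tx_bytes) for `iface` from /proc/net/dev text."""
    for line in text.splitlines():
        if ":" not in line:
            continue                       # header lines carry no colon
        name, rest = line.split(":", 1)
        if name.strip() != iface:
            continue
        fields = rest.split()
        # Linux column order: rx bytes is field 0, tx bytes is field 8
        return int(fields[0]), int(fields[8])
    raise KeyError(f"interface {iface!r} not found")


def counter_delta(prev, cur, bits=COUNTER_BITS):
    """Bytes moved between two readings, tolerating a single counter wrap."""
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur


class DailyMeter:
    """Accumulate per-day rx/tx totals from successive counter snapshots."""

    def __init__(self, cap_bytes=DAILY_CAP_BYTES, bits=COUNTER_BITS):
        self.cap = cap_bytes
        self.bits = bits
        self.last = None                  # (rx, tx) from the previous sample
        self.rx = defaultdict(int)        # day -> downloaded bytes
        self.tx = defaultdict(int)        # day -> uploaded bytes

    def sample(self, day, proc_text, iface="eth0"):
        rx, tx = parse_proc_net_dev(proc_text, iface)
        if self.last is not None:
            prx, ptx = self.last
            # traffic since the last sample is booked to the day of this sample
            self.rx[day] += counter_delta(prx, rx, self.bits)
            self.tx[day] += counter_delta(ptx, tx, self.bits)
        self.last = (rx, tx)
        return self.rx[day], self.tx[day]

    def over_cap(self, day):
        return self.rx[day] > self.cap


def _snapshot(rx, tx):
    """Build a constructed /proc/net/dev text with the given eth0 counters."""
    return (
        "Inter-|   Receive                                                |  Transmit\n"
        " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n"
        "    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0\n"
        f"  eth0: {rx} 900000 0 0 0 0 0 0 {tx} 800000 0 0 0 0 0 0\n"
    )


# Constructed samples: the rx counter wraps between the first and second reading.
SAMPLES = [
    ("2007-08-30", _snapshot(4_294_000_000, 100_000_000)),   # baseline, late on the 30th
    ("2007-08-31", _snapshot(5_000_000, 100_500_000)),       # wrapped past 2**32
    ("2007-08-31", _snapshot(1_200_000_000, 101_000_000)),   # a heavy day
]


def demo():
    meter = DailyMeter()
    for day, text in SAMPLES:
        meter.sample(day, text)
    return meter


if __name__ == "__main__":
    m = demo()
    for day in sorted(m.rx):
        flag = "OVER CAP" if m.over_cap(day) else "ok"
        print(f"{day}: down {m.rx[day]:,} up {m.tx[day]:,} bytes [{flag}]")
```

Two caveats a practitioner would add: sample often enough that a 32-bit counter cannot wrap twice between readings (at 10 Mbit/s that is roughly once an hour), and expect the ISP's figure to run a little higher than yours, since it meters at its own equipment and counts link-layer overhead you never see.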

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

August 24, 2007

Game gods

Virtual worlds have been with us for a long time. Depending on who you listen to, they began in 1979, or 1982, or it may have been the shadows on the walls of Plato's cave. We'll go with the University of Essex MUD, on the grounds that its co-writer Richard Bartle can trace its direct influence on today's worlds.

At State of Play this week, it was clear that just as the issues surrounding the Internet in general have changed very little since about 1988, neither have the issues surrounding virtual worlds.

True, the stakes are higher now and, as Professor Yee Fen Lim noted, when real money starts to be involved people become protective.

Level 70 warrior accounts on World of Warcraft go for as little as $10 (though your level number cannot disguise your complete newbieness), but the unique magic sword you won in a quest may go for much more. The best-known pending case is Bragg versus Second Life over virtual property the world's owners confiscated when they realized that Bragg was taking advantage of a loophole in their system to buy "land" at exceptionally cheap prices. Lim had an interesting take on the Bragg case: as a legal concept, she argued, property is right of control, even though Linden Labs itself defines its virtual property as rental of a processor. As computer science that's fine, but it's not law. Otherwise, she said, "Property is mere illusion."

Ultimately, the issues all come down to this: who owns the user experience? In subscription gaming worlds, the owners tend to keep very tight control of everything – they claim ownership in all intellectual property in the world, limit users' ability to create their own content, and block the sale of cheats as much as possible. In a free-form world like Second Life, which may host games but is itself a platform rather than a game, users are much freer to do what they want but the EULAs or Terms of Service may be just as unfair.

Ultimately, no matter what the agreement says, today's privately owned virtual worlds all function under the same reality: the game gods can pull the plug at any time. They own and control the servers. Possession is nine-tenths of the law, and all that. Until someone implements open source world software on a P2P platform, this will always be the way. Linden Labs says, for what it's worth, that its long-term intention is to open-source its platform so that anyone may set up a world. This, too, has been done before, with The Palace.

One consequence of this is that there is no such thing as virtual privacy, a topic that everyone is aware of but no one's talking about. The piecemeal nature of the Net means that your friend's IRC channel doesn't know anything about your Web use, and Amazon.com doesn't track what you do on eBay. But virtual worlds log everything. If you buy a new shirt at a shop and then fly to a distant island to have sex with it, all that is logged. (Just try to ensure the shirt doesn't look like a child's shirt and you don't get into litigation over who owns the island…)

There are, as scholars say, legitimate reasons. Logging everything that happens is important in helping game developers pinpoint the source of crashes and eliminate bugs. Logs help settle disputes over who did what to whose magic sword. And in a court case, they may be important evidence (although how you can ensure that the logs haven't been adjusted to suit the virtual world provider, who is usually one of the parties to the litigation, I don't know).
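The question of whether a log has been adjusted after the fact has a partial technical answer, and it is worth being precise about how partial. What follows is an added example, not the column's code and not any world operator's: a hash-chained event log in which every record commits to the hash of the one before it. An in-place edit breaks every later link, so a careless alteration is caught. But the party holding the whole chain can simply rewrite the events and re-hash them, so the chain alone proves nothing against the operator; the head hash has to be anchored somewhere the operator cannot change (a copy the player kept, a notary, a published digest) before the dispute starts. The events are constructed.

```python
"""Added example (not the column's or any world operator's code): a hash-chained
event log and what it can and cannot prove.

Each record commits to the previous record's hash, so an edit anywhere breaks
every later link. That catches a careless edit. It does not stop the party
holding the whole chain from rewriting and re-hashing it; for that you need the
head hash anchored somewhere the operator cannot change (a copy the player kept,
a notary, a published digest). Events below are constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64


def record_hash(prev_hash, seq, event):
    """SHA-256 over a canonical encoding of (prev, seq, event)."""
    payload = json.dumps(
        {"prev": prev_hash, "seq": seq, "event": event},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ChainedLog:
    def __init__(self):
        self.records = []

    def head(self):
        return self.records[-1]["hash"] if self.records else GENESIS

    def append(self, event):
        seq = len(self.records)
        prev = self.head()
        rec = {"seq": seq, "prev": prev, "event": event,
               "hash": record_hash(prev, seq, event)}
        self.records.append(rec)
        return rec["hash"]


def first_broken_link(records):
    """Index of the first record whose link or hash fails, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return i
        if record_hash(prev, i, rec["event"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None


def matches_anchor(records, anchored_head):
    """Intact chain whose head equals a hash held outside the operator's control."""
    if first_broken_link(records) is not None:
        return False
    head = records[-1]["hash"] if records else GENESIS
    return head == anchored_head


EVENTS = [  # constructed
    {"actor": "wendy", "action": "buy", "item": "shirt", "price": 250},
    {"actor": "wendy", "action": "loot", "item": "unique magic sword"},
    {"actor": "wendy", "action": "teleport", "to": "distant island"},
]


def demo():
    log = ChainedLog()
    for ev in EVENTS:
        log.append(ev)
    anchored = log.head()   # the player keeps (or publishes) this before any dispute

    # 1. Operator edits one event in place and forgets to re-hash: detected.
    edited = copy.deepcopy(log.records)
    edited[1]["event"]["item"] = "rusty dagger"
    naive_break = first_broken_link(edited)

    # 2. Operator rebuilds the chain from the edited events: the chain verifies,
    #    only the external anchor gives the game away.
    rebuilt = ChainedLog()
    for rec in edited:
        rebuilt.append(rec["event"])

    return {
        "original_intact": first_broken_link(log.records) is None,
        "naive_edit_detected_at": naive_break,
        "rebuilt_chain_intact": first_broken_link(rebuilt.records) is None,
        "rebuilt_matches_anchor": matches_anchor(rebuilt.records, anchored),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the second scenario: hash chaining protects against the operator only when someone other than the operator holds a commitment to the chain head, taken before anyone had a reason to edit. Without that, a log produced by one party to the litigation is just that party's word, formatted nicely.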

As long as you think of virtual worlds as games, maybe this isn't that big a problem. After all, no one is forced to spend half their waking hours killing enough monsters in World of Warcraft to join a guild for a six-hour quest.

But something like Second Life aspires to be a lot more than that. The world is adding voice communication, which will be interesting: if you have to use your real voice, the relative anonymity conferred by the synthetic world is gone. Quite apart from bandwidth demands (lag is the bane of every SLer's existence), exploring what virtual life is like in the opposite gender isn't going to work. They're going to need voice synthesizers.

Much of the law in this area is coming out of Asia, where massively multi-player online games took off so early with such ferocity that, according to Judge Unggi Yoon, in a recent case a member of a losing team in one such game ran to the café where the winning team was playing and physically battered one of its members. Yoon, who explained some of the new laws, is an experienced online gamer, all the way back to playing Ultima Online in middle school. In his country, a law has recently come into force taxing virtual world transactions (it works like a VAT threshold – under $100 a month you don't owe anything). For Westerners, who are used to the idea that we make laws and export them rather than the other way around, this is quite a reality shift.


August 17, 2007

Welcome to Singapore

Some designs are just annoying – the Blue Screen of Death, say, once you get over the initial fright of seeing it. Somewhere on the planet there may be someone who sees the screen and can read the gibberish in the few seconds before the screen goes black and the computer restarts and say, "Ah, yes, it's the shedelepp in the specklediff" (non-words courtesy of the late humorist Jean Kerr).

Other designs are just dangerous: the laptop power adaptors that burst into flames, for example.

The really insidious ones are the ones that scare you half to death and make you scurry around in panicked circles ministering to them. Here is one such. The iGo Juice is in many ways an admirable product. It will power just about any laptop in just about any circumstance. It has two flaws: it relies on a bolt-together design using proprietary cables and plugs that you can't get anywhere but from iGo, and some of those cables and plugs are rather small and come apart rather too easily.

Which is all to explain how I managed to unpack the laptop in my hotel room on the evening I arrived in Singapore to discover that the little tiny plug that hooks the whole thing to the laptop was missing, presumably still hiding in my airplane seat. I may be more frightened of being in a foreign city with no laptop power than of almost anything that's actually likely to happen to me.

First idea: call airline, ask them to look for the plug. Airlines do find things sometimes; I'm fairly sure that if I were able to search the plane myself I *would* find it. However, it's a small plug, and it's nearly the same color as many of the furnishings…clearly a Plan B was needed.

It has to be possible to find a laptop adaptor that works in Singapore, right? It's southeast Asia. Electronics country. This is where geeks come for fun.

The hotel said, "Funan." I had already read about it online: a giant electronics shopping mall. It's within walking distance, which is near-miraculous. But it will be closing soon, probably in the next hour. I set out promptly in the wrong direction, map in hand.

There are several reasons why you can't actually walk very fast in Singapore. For one thing, downtown Singapore is filled with malls, overpasses, and other diversions that all work to slow you down. You have to go around, up, through, or over them. Second of all, and this is a hard thing for a native New Yorker, jaywalking is illegal – and they are said to enforce that law. (In fact, at one particularly crowded crossing there were police officers making sure.) Third of all, and I think this was just coincidental, it was incredibly crowded. Almost everyone was going the other way because there was going to be a huge firework display.

Funan, when I eventually got there after half an hour of walking (past, among other things, a giant Chinese pagoda) is six stories of electronics stores, all at various stages of closing for the night. The first one had a universal adaptor for S$170 that didn't have a plug that fit. It recommended a second store I couldn't find, and a third that was closed. A fourth store said no. The fifth had a list of adaptors it sold outside, and my specification was on it – but it was out of stock. And then a miracle happened. A guy materialized with another universal adaptor that came with more plugs. And one of them fit. And when we plugged it all in the laptop actually confirmed it was getting power. For S$49.

Of course, every design has its pluses and minuses. iGo's idea seems to have been to protect pins and cables so securely that they wouldn't break, a common problem with adaptors. The cables are braided or heavily insulated, and all the pins in all the plugs are encased in plastic to protect them. It's a nice design except for the losing parts problem.

I don't think the designers understand how important that really is – it makes their design so fragile if you're on the road somewhere. I feel sure that their design is a response to years of frustration with the more common type of adaptor, whose cable emerges from the power brick with a molded plastic surround that wears out under the strains of folding and unfolding the cord. But by fixing that perennial problem they created a new one: a design that at any given time is only one tiny proprietary part away from total failure.

Of course, the truly obsessive travel with not only backup power supplies but second laptops. And I suppose my Plan C would have been something like that: buy a new laptop, which of course would come with its own power adaptor. These days, when laptops all use commodity parts, you can just swap in the old one's hard drive and let the BIOS figure it out. It seems disproportionate, but anything has to be better than the black void of no communications, nothing to work on, and no entertainment. Because these days, when you travel, your laptop is all those things.


August 10, 2007

Wall of sheep

Last week at Defcon my IM ID and just enough of the password to show they knew what it was appeared on the Wall of Sheep. This screen projection of the user IDs, partial passwords, and activities captured by the installed sniffer inevitably runs throughout the conference.

It's not that I forgot the sniffer was there, or that there is a risk in logging onto an IM client unencrypted over a Wi-Fi hot spot (at a hacker conference!), but that I had forgotten that it was set to log in automatically whenever it could. Easily done.
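The mechanism behind the Wall is not exotic, which is rather the point. The following is an added example, not the column's code and not the Wall of Sheep's own tooling: a minimal cleartext credential sniffer run over a constructed set of packet payloads. It reassembles each client-to-server flow, looks for HTTP Basic authorization headers and POP3/FTP-style USER/PASS logins (the latter can arrive split across two packets, so the flow buffer matters), and reports the user name with a masked password, just enough to prove the point. The TLS ClientHello in the sample yields nothing, which is the whole argument for TLS, or an encrypting IM plugin, before connecting from hotel or conference Wi-Fi. Addresses, ports and payloads are constructed.

```python
"""Added example (not the column's or the Wall of Sheep's own code): a minimal
cleartext credential sniffer over constructed packet payloads.

Reassembles each client-to-server flow, looks for HTTP Basic and POP3/FTP-style
USER/PASS logins, and reports the user with a masked password, the way the Wall
shows just enough to prove the point. Encrypted payloads yield nothing, which is
the whole argument for TLS (or an encrypting IM plugin) on hotel and conference
Wi-Fi. Addresses, ports and payloads below are constructed.
"""
import base64
import re
from collections import defaultdict


def mask(secret, keep=3):
    """Show the first few characters, star the rest."""
    return secret[:keep] + "*" * max(0, len(secret) - keep)


def creds_from_http_basic(buf):
    m = re.search(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\r?$", buf, re.M)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeError):
        return None
    user, sep, password = decoded.partition(":")
    return ("http-basic", user, password) if sep else None


def creds_from_user_pass(buf):
    """POP3/FTP-style 'USER x' then 'PASS y', possibly in different packets."""
    u = re.search(rb"^USER\s+(\S+)", buf, re.M)
    p = re.search(rb"^PASS\s+(\S+)", buf, re.M)
    if not (u and p):
        return None
    return ("user/pass", u.group(1).decode("utf-8", "replace"),
            p.group(1).decode("utf-8", "replace"))


EXTRACTORS = (creds_from_http_basic, creds_from_user_pass)


def sniff(packets):
    """packets: iterable of (src_ip, dst_ip, dst_port, payload_bytes).

    Returns [(src_ip, protocol, user, masked_password), ...]."""
    flows = defaultdict(bytes)
    findings = []
    for src, dst, dport, payload in packets:
        key = (src, dst, dport)
        flows[key] += payload
        for extract in EXTRACTORS:
            hit = extract(flows[key])
            if hit:
                proto, user, password = hit
                findings.append((src, proto, user, mask(password)))
                del flows[key]        # one sighting per login is enough
                break
    return findings


# Constructed capture: a POP3 login split over two packets, an HTTP Basic
# request, and a TLS ClientHello prefix that the sniffer can make nothing of.
PACKETS = [
    ("10.0.0.5", "192.0.2.10", 110, b"USER wendy\r\n"),
    ("10.0.0.5", "192.0.2.10", 110, b"PASS hunter2\r\n"),
    ("10.0.0.7", "192.0.2.20", 80,
     b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\nAuthorization: Basic "
     + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"),
    ("10.0.0.9", "192.0.2.30", 443, b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x01"),
]


def demo():
    return sniff(PACKETS)


if __name__ == "__main__":
    for src, proto, user, pw in demo():
        print(f"{src:>10}  {proto:<10}  {user}  {pw}")
```

The auto-login trap in the column is what makes this dangerous in practice: a client that reconnects on its own the moment an interface comes up will hand over its credentials before the user has decided whether to trust the network at all. The fix is to disable automatic sign-in on untrusted networks, or to use a client that refuses to talk except over an encrypted session.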

It's strange to remember now that once upon a time this crowd – or at least, type of crowd – was considered the last word in electronic evil. In 1995 the capture of Kevin Mitnick made headlines everywhere because he was supposed to be the baddest hacker ever. Yet other than gaining online access and free phone calls, Mitnick is not known to have ever profited from his crimes – he didn't sell copied source code to its owners' competitors, and he didn't rob bank accounts. We would be grateful – really grateful – if Mitnick were the worst thing we had to deal with online now.

Last night, the House of Lords Science and Technology Committee released its report on Personal Internet Security. It makes grim reading even for someone who's just been to Defcon and Black Hat. The various figures the report quotes, assembled after what seems to have been an excellent information-gathering process (that means, they name-check a lot of people I know and would have picked for them to talk to) are pretty depressing. Phishing has cost US banks around $2 billion, and although the UK lags well behind - £33.5 million in bank fraud in 2006 – here, too, it's on the rise. Team Cymru found that on IRC channels dedicated to the underground you could buy credit card account information for between $1 (basic information on a US account) and $50 (full information for a UK account); $1,599,335.80 worth of accounts was for sale on a single IRC channel in one day. Those are among the few things that can be accurately measured: the police don't keep figures breaking out crimes committed electronically; there are no good figures on the scale of identity theft (interesting, since this is one of the things the government has claimed the ID card will guard against); and no one's really sure how many personal computers are infected with some form of botnet software – and available for control at four cents each.

The House of Lords recommendations could be summed up as "the government needs to do more". Most of them are unexceptional: fund more research into IT security, keep better statistics. Some measures will be welcomed by a lot of us: make banks responsible for losses resulting from electronic fraud (instead of allowing them to shift the liability onto consumers and merchants); criminalize the sale or purchase of botnet "services" and require notification of data breaches. (Now I know someone is going to want to say, "If you outlaw botnets, only outlaws will have botnets", but honestly, what legitimate uses are there for botnets? The trick is in defining them to include zombie PCs generating spam and exclude PCs intentionally joined to grids folding proteins.)

Streamlined Web-based reporting for "e-crime" could only be a good thing. Since the National High-Tech Crime Unit was folded into the Serious Organised Crime Agency there is no easy way for a member of the public to report online crime. Bringing in a central police e-crime unit would also help. The various kite mark schemes – for secure Internet services and so on – seem harmless but irrelevant.

The more contentious recommendations revolve around the idea that we the people need to be protected, and that it's no longer realistic to lay the burden of Internet security on individual computer users. I've said for years that ISPs should do more to stop spam (or "bad traffic") from exiting their systems; this report agrees with that idea. There will likely be a lot of industry ink spilled over the idea of making hardware and software vendors liable if "negligence can be demonstrated". What does "vendor" mean in the context of the Internet, where people decide to download software on a whim? What does it mean for open source? If I buy a copy of Red Hat Linux with a year's software updates, that company's position as a vendor is clear enough. But if I download Ubuntu and install it myself?

Finally, you have to twitch a bit when you read, "This may well require reduced adherence to the 'end-to-end' principle." That is the principle that holds that the network should carry only traffic, and that services and applications sit at the end points. The Internet's many experiments and innovations are due to that principle.

The report's basic claim is this: criminals are increasingly rampant and increasingly rapacious on the Internet. If this continues, people will catastrophically lose confidence in the Internet. So we must improve security by making the Internet safer. Couldn't we just make it safer by letting people stop using it? That's what people tell you to do when you're going to Defcon.


August 3, 2007

The house always wins

Las Vegas really is the perfect place to put a security conference: don't security people always feel like an island of sanity surrounded by lunatic gamblers? Although, equally, it's probably true that Las Vegas casinos have some of the smartest security in the world when it comes to making sure that the house will always win.

A repeated source of humor this week at Black Hat has been the responses from various manufacturers when they're told that their systems are in fact hackable. My favorite was the presentation explaining how to hack the RDS-TMC radio service that delivers information about upcoming traffic jams and other disruptions to in-car satellite navigation systems. The industry's response to the news that Italian guys could effectively control traffic was pretty much that even if it was possible, which they seemed inclined to doubt, it would take a lot of knowledge, and anyway, it's illegal…

Adam Laurie got a similar response from RFID people when he showed you could in fact crack one of those all-singing, all-dancing new e-passports and, more than that, that you can indeed clone those supposedly "unique" RFID chips with a device small enough that you could pick up the information you need just standing next to someone in an elevator. (What a Las Vegas close-up magician could do with one of those…)

The industry's response to the news that Laurie could clone ID tags was to complain triumphantly that Laurie's clones "don't have the same form factor". You're an RFID chip reader. What do you see?

"I believe in full disclosure," said Laurie. "They must know you can program in any ID you want." But that's not what they tell the public.

And then there's mobile phone malware, which according to F-Secure's Mikko Hypponen is about where PC viruses were ten years ago. We have, he figures, a chance to stop them now, so we won't wind up ten years from now with all the same security risks that we face with PCs. Some of the biggest manufacturers have joined the Trusted Computing Group (an effort to secure computer systems that unfortunately has the problem that it treats the user as a potentially hostile invader).

But viruses and other bad things spread a lot faster between mobile phones because they are specifically designed for…communication. The average smartphone has Bluetooth, infrared, USB, and its network connection, and each of those is a handy way of getting a virus into the phone, not to mention also MMS, user downloads, and memory card slots. And, in future, probably WLAN, email, SMS, and even P2P. This is the bad side of having phones that can run third-party applications and that are designed to be, damn it, communications devices.

Viruses that spread by Bluetooth are particularly entertaining because of the way Bluetooth's software handles incoming connections. Say a nearby phone tries to send your phone a virus. Your phone puts up a message asking you to confirm that you want to accept it. You click No. The message instantly reappears (viruses don't like to take no for an answer). There is in fact a simple solution: walk out of range. But most users don't know to do this, and in the meantime until they say Yes, their phone is unusable. The first virus to appear in the wild, 2004's Cabir, spreads very easily if users do something risky – like turn on their phone.

This is obviously a design problem caused by a failure of imagination, even though anti-virus companies such as Kaspersky have been warning for at least a decade that as the computing power of mobile phones increased they would become vulnerable to the same problems as desktop computers.

The vast majority of mobile phone malware is written for Symbian phones, by the way. Palm, Windows Mobile, and other operating systems barely figure in F-Secure's statistics. Trojans are the biggest threat, and the biggest way phones get infected is user downloads.

It would not noticeably ruin the user experience for mobile phone manufacturers to change the way Bluetooth handles such incoming requests.
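To make the design change concrete, here is an added example, not the column's code and not any phone vendor's Bluetooth stack: a model of the incoming-push policy described above, beside the policy the column asks for. The naive policy prompts on every incoming object push, so a sender that retries in a loop pins the user behind a dialog until they say Yes or walk out of range. The decline-aware policy remembers a refusal per sender address, auto-declines that sender for a cooldown without bothering the user, drops it outright after repeated refusals, and still prompts for a new sender. Addresses, timings and the cooldown values are constructed assumptions.

```python
"""Added example (not the column's code, and not any phone vendor's Bluetooth
stack): a model of the incoming-push policy the column complains about, next
to the change it asks for.

The naive policy prompts on every incoming object push, so a sender that
retries in a loop pins the user behind a dialog until they give in or walk
out of range. The decline-aware policy remembers a refusal per sender address,
auto-declines that sender for a cooldown, and drops it outright after
repeated refusals, while a new sender still gets its prompt. Addresses,
timings and the cooldown values are constructed assumptions.
"""


class NaivePushPolicy:
    """Every push gets a prompt, however many times the same device retries."""

    def incoming(self, addr, now):
        return "prompt"


class DeclineAwarePushPolicy:
    def __init__(self, cooldown_s=60.0, max_refusals=3):
        self.cooldown_s = cooldown_s
        self.max_refusals = max_refusals
        self.muted_until = {}     # addr -> time until pushes are auto-declined
        self.refusals = {}        # addr -> how often the user has said No
        self.blocked = set()      # addrs dropped without any user interaction

    def incoming(self, addr, now):
        if addr in self.blocked:
            return "drop"
        if now < self.muted_until.get(addr, 0.0):
            return "auto-decline"
        return "prompt"

    def user_declined(self, addr, now):
        """Called when the user answers No to a prompt from addr."""
        n = self.refusals.get(addr, 0) + 1
        self.refusals[addr] = n
        if n >= self.max_refusals:
            self.blocked.add(addr)
            return "blocked"
        self.muted_until[addr] = now + self.cooldown_s
        return "muted"


def simulate(policy, attempts):
    """Feed (addr, time) push attempts to a policy; the user declines every prompt.

    Returns the list of actions the policy took, one per attempt."""
    actions = []
    for addr, now in attempts:
        action = policy.incoming(addr, now)
        actions.append(action)
        if action == "prompt" and hasattr(policy, "user_declined"):
            policy.user_declined(addr, now)
    return actions


ATTACKER = "00:11:22:33:44:55"   # constructed
FRIEND = "66:77:88:99:aa:bb"     # constructed

# Constructed timeline: the infected phone retries once a second, a friend
# tries once in the middle, then the infected phone comes back after each cooldown.
ATTEMPTS = (
    [(ATTACKER, float(t)) for t in range(0, 5)]
    + [(FRIEND, 5.0)]
    + [(ATTACKER, float(t)) for t in range(6, 10)]
    + [(ATTACKER, 70.0), (ATTACKER, 140.0), (ATTACKER, 210.0)]
)


def prompts_shown(policy):
    return simulate(policy, ATTEMPTS).count("prompt")


def demo():
    return {
        "naive_prompts": prompts_shown(NaivePushPolicy()),
        "aware_prompts": prompts_shown(DeclineAwarePushPolicy()),
        "aware_actions": simulate(DeclineAwarePushPolicy(), ATTEMPTS),
    }


if __name__ == "__main__":
    print(demo())
```

The model keys on the sender's device address, which a determined attacker can change; the point is not to defeat a determined attacker but to stop a worm that retries in a loop from turning a No into a Yes by attrition, which is the failure the column describes.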

It took the Meet the Feds panel to regain a sense of proportion. The most a mobile phone virus can do to a new phone equipped with a mobile wallet is steal your money and send out text messages to all your contacts that will alienate them forever, leaving you with a ruined life. (Take comfort from the words of the novelist Edward Whittemore, in his book Sinai Tapestry: "No one was safe, and there was no security – just life itself.")

Bad security is still bad security, and "the Feds" sure do a lot of it, and the rather stolid face they present to the public pushes us to regard them as comical. But they're gambling with far bigger consequences than any of us, as Chris Marshall of the NSA reminded everyone. He was out to dinner with his counterparts from a variety of countries, and they were discussing what "homeland security" really means. The representative from New Zealand spoke up: he has children living in New Zealand, Australia, the US, and France, where he also has grandchildren.

"Homeland security," he said simply, "is where my children are."
