After the Equifax breach, we need a policy solution for identity theft

While CNN Money has a pretty mainstream article of advice on the Equifax hack here, a supplementary article by David Goldman lays it on the line, “What’s the worst that can happen?”

The absolute worst might be being framed for a crime, like sex trafficking or child pornography.  In most circumstances that a novelist can imagine, it would still be pretty easy to prove that physically the culprit couldn’t have been “you”.  There are a variety of other outcomes, including job loss or denial of a mortgage or lease. For millennials, the risk can extend for decades.  For seniors, it’s probably very minimal.

One comment that gets made by social conservatives particularly (and some libertarians) is that you are ultimately responsible for your own reputation, no matter what, because you live in a society that offers you the benefits of civilization.  I can remember an employer warning us about this in the late 1980s when we suddenly had to pass credit checks to keep our jobs.   I can remember that ten years ago there were prosecutors who looked at finding child pornography on a personal computer as a “strict liability offense”, although since then they have accepted the idea that malware can put it there. This seems to be a very disturbing philosophy that goes beyond the plain-meaning reading of the law, and that most of us cannot live with (especially those on the margins).

Maybe maintaining credit freezes would protect everyone, but it sounds pretty impractical in the long run.

So I think that on the identity theft issue, we need a new policy solution.  I had outlined an idea back in 2006 using “National Change of Address” at USPS, which I had worked on in Minneapolis in my own career back in 1998.

Now I would say, the credit reporting companies should develop the idea of a secondary social security number verifier, which a user can add to her file, and which could not have been hacked yet because it does not yet exist.   I would not be so comfortable with letting the Social Security Administration run it. Get some security companies (not Kaspersky, in Russia) to help develop it.  It could be built into a two-step verification required to pull a credit report, although it would need to be tied to SIM cards and not just to phone numbers, which can also be stolen.

(Posted: Sunday, September 17, 2017 at 9:15 AM)

Do security companies overstate privacy risks on social media, maybe for political motives?

Every time I go into Twitter or Facebook on my new laptop, I get a lecture from Trend Micro on my lenient privacy settings.

Particularly I get warned that the Public can see my Facebook posts and Twitter messages, that others can tag me in photos, and that others can see personal information.  On the last point, only “business address and phone” information ever gets posted online, anywhere.  In fact, I normally don’t have circles of security clearances among who can see what information about me online.  It’s all or nothing.

Some of my curiosity about this was motivated by the video in the previous post, where the speaker (a television station reporter) said that allowing anyone but approved “Friends” (Facebook) or approved “followers” (Twitter) would create gratuitous security risks that insurance companies would find unacceptable behavior on the part of consumers.

Facebook has different concepts, like Friends, Pages, and Groups.  Many people have Pages with followers.  They cannot be made private (you can block comments from specific people).  You can make a Group by invitation only, which is closer to the concept Trend seems to be encouraging.  The conventional wisdom has been that you allow only Friends to see your posts on your Friends page.  But Facebook allows up to 5000 friends.  It is common for people to have over a thousand.  Many, perhaps most, Facebook users don’t carefully screen who gets approved as a friend.  I do allow friends from overseas (including Arabic names).  I generally disapprove of minors only.  (Posts made by others on your timeline in public mode can normally be seen by “friends of friends”).

Some people, after being friends, do behave in an unwelcome way.  Some send greetings or messages and expect to be answered back.  A couple have made pleas for “personal” help with matters I can do nothing about (at least lawfully).  One female kept making silly posts on my Timeline claiming to tag me in sexual pictures when the individual was not me.  I did unfriend her and the posts stopped.

I also had one occasion where someone created a fake copy of my account with no posts.  A legitimate friend (the person who copyedited my books) caught it and reported it to Facebook and the entry was removed before I knew about it.

Tagging has crept up as a problem, for users who allow it.  I’ve noticed that some people are more sensitive about being photographed in bars or discos than they used to be, say, before 2010.  A few social establishments have started prohibiting photography inside their facilities.

In Twitter, it is possible to set up your account so that all followers have to be approved.  Relatively few users do this, but they will block followers who seem stalky or who don’t follow supposed etiquette (by replying to too many tweets when not being co-followed), although etiquette standards are changing again rapidly.

As a practical matter, limiting visibility of posts to “Friends” or approved followers probably doesn’t increase security very much, because it is so easy to be approved and because, to be successful and have an outreach, people need friends and followers.  Indeed, it wouldn’t stop “catfishing” (as in Nev Schulman’s 2010 film “Catfish” for Rogue Pictures, or as with a recent incident involving a fake female catfisher in Manitoba).

On Facebook, I notice that some Friends (even with privacy set to “Friends only”) will “check in” with that red dot that lets others track their movements;  I don’t think this is a good idea myself.  But part of this is that I don’t want anyone to “take me for granted”, beyond security.  Likewise, I don’t announce (even to Friends) what events I will attend, even if I report on the events after the fact on blogs.  Maybe that isn’t playing ball.  I think back to the days of my upbringing in the 50s;  my parents probably “shared” their lives with about ten other families, as with Thanksgiving and Christmas gift sharing that I remember so well (and with the Ocean City beach trips with one family I remember, too). As for services like Snapchat:  I feel that if I need a conversation that doesn’t go anywhere, I just have it by smart phone or in person.  I don’t like the idea of sharing video or photo that disappears.  (Kathy Griffin should know.)


All of this is interesting because Zuckerberg invented Facebook at the time that Myspace had become popular (to the extent that Dr. Phil had programs about misbehavior on Myspace), and, despite winning out over several competing ideas (the movie “The Social Network”; the books “The Accidental Billionaires” by Ben Mezrich, or “The Facebook Effect” by David Kirkpatrick), Zuckerberg originally intended to set up Facebook for campus environments.  It wasn’t fully public until about 2007 and it didn’t get into its controversial news feed aggregation (so plagued by the fake news that is said to have helped elect Donald Trump) until maybe about 2010 (when Time Magazine honored Zuckerberg as person of the year, the “Connector”).

What such a practice would do, however, is try to discourage online self-publishing with free content.  Social media was built on the premise that known lists of people see your content, more or less like email listservers (or restricted membership sites) that were popular before modern social media.  When people are popular and have lots of “fans”, the practical effect is that the social media account is public anyway. It is true that actual friends or followers are more likely to see posts even on public accounts. Blogs can also have “followers” and, with Blogger, can be made “private” (as can YouTube videos), but the normal result is that few people would see them.  Blog following has become less popular since Facebook took off, although YouTube channel subscription is still somewhat popular.

The relevant point seems to be that when you publish a hardcopy (or Kindle or Nook) book, you don’t have the “right” to know who bought it.  That’s the traditional idea or model of “open publication”.  Self-instantiation by open self-publication, with leaving a lot of content free, seems to be a morally suspect or gratuitous practice (even if it purports to offer alternative viewpoints and critical thinking as I think mine do) in the minds of some people:  if it doesn’t pay its own way, it competes unfairly with writers who do need to make a living at it;  it discourages professionalism and facilitates fake news, it can attract cultural enemies (to others as well as the self), leading to the insurance concerns, and (probably most of all) it breaks up political solidarity for those (on both the (alt) right and left) who want to recruit loyal volunteers and who want to control the (often polarized and tribally-centered) message.  “Belonging” to some group seems to be imperative.  The election and  relentlessly tribal and boorish behavior of Donald Trump seems to have brought this point home.

In fact, in the eyes of intellectual property law, this isn’t quite right.  “Publication” in defamation law is communicating the false defamatory claim to even one person who understands the message (which can be one approved friend or follower, or just one email recipient).

I opined before, back in 2000, that “open” self-publication can become an unethical practice for people in some positions (like those with direct workplace reports, when there is a concern over possible workplace results).  Now it’s a possible security issue, especially in asymmetric warfare where civilians can attract enemies who view civilians as combatants.  Yet it’s odd that a security company like Trend Micro gets to define what that means, for everybody.

Some observers (like Ramsay Taplan, “Blogtyrant” of Australia) urge an inside-out approach to blogging, focusing on consumer niches that are inherently profitable, the narrower the better.  Then, he says, become aggressive in building email lists from actual customers who need you and welcome hearing from you, which confounds the conventional wisdom today about spam.  But this practice refers to writing that supports an inherently commercial product or service, not self-expression online for its own sake or even for promoting critical thinking on political or social controversies.

(Posted: Saturday, June 3, 2017 at 11:15 AM EDT)

Behind Trump’s weakening of Obama’s Internet privacy protections, a lot of chaos on what privacy means (esp. to insurance companies)

The Washington Post recently documented “how Congress dismantled federal Internet privacy rules” in a piece by Kimberly Kindy on May 30.

The writer notes a collusion between telecommunications provider companies (that is, Internet ISPs like Comcast, Verizon and AT&T) and social media and content service providers (like Facebook, Google, Twitter, Amazon, Apple) in Silicon Valley. Politics makes strange bedfellows (so libertarians say), and the common interest of the backbone technology interests and the content service interests in the ad opportunity inherent in relaxing privacy rules is logical, but it contradicts the general disagreement between these big industrial sectors over network neutrality. That disparity seems remarkable to me. Particularly remarkable was how quickly money was donated, as Trump took office, to roll back Obama’s end-of-term work. I don’t play K-street Monopoly myself.

But there’s not much question that users do benefit from the existence of ads, which pay for all the free user-generated content platforms. The ethical question at the individual level comes down to the old dilemma of spectators vs. actual players. We can’t flourish just as a society of watchers. People need to be willing to see ads, even those selected algorithmically for them, and sometimes people need to be willing to engage them. Both clicks (Adsense) and actual product purchases (Amazon) do help some people make a living by publishing on the Internet.   Freedom implies (somewhat ironically) a need to some new openness to sharing on terms other than one’s own (as in the film “The Circle“).

Where there is a problem, though, can be with security, and, to some extent, online reputation. Users are sometimes reckless on the web. To the extent that users apply privacy settings and they work, that’s not too bad; but often users place gratuitous material online which could attract harm to them and to others connected to them. That has to become a concern for the insurance industry, for example (yesterday).

In fact, there’s a sliding continuum, in most people’s minds, between privacy and reputation. People post legitimate (not porn) interesting stuff because it makes them appear cool, knowledgeable, or desirable in some way for others, or just politically and socially influential. Sometimes you can do this and maintain a certain amount of privacy (wait until you’re back home or near the end of the vacation before posting public images and videos of your good time at P-town or Disney’s new Pandora). I say this noting that some Facebook friends let Facebook post all of their movements on their timeline to friends on geographical maps. (That makes them feel important.)

Employers have been concerned about watching associate (and especially job applicant) personal social media for about a decade now (giving rise to the whole Reputation industry). They have legitimate concerns, for example, about managers inadvertently creating a legally hostile workplace by expressing their views online even in their own personal accounts. That’s especially true now that in the world of Trump, society seems to be getting more polarized into worlds of identity politics. Businesses may not even want some polarizing people as customers (as Richard Spencer found out from Sport and Health recently).

This problem can spill over into insurance, where we know that insurance companies (both health and property) sometimes scan consumer social media accounts or other blog or content posts for possible claims fraud. They could also get a sense of increased consumer loss risk from some social media content (obviously health risks like STD’s, smoking, drugs, and the like, or risky hobbies like skydiving; imagination goes wild on this.)   Here are a couple of discussions about the problem: Huffington, and Insurance Quotes.  This problem can quickly connect itself to social justice and identity issues.

In fact, the end of the Denver TV station video envisions a world where insurance companies don’t want users to post any vacation details in public mode at all. I haven’t heard that said so bluntly before, but since I dug into it, I have to report it. One immediate problem with this idea is that pages (as opposed to friending accounts) are, almost by definition, public. And there are “friends” and there are “pseudo-friends”. Not everyone expects a personal conversation or relationship with each “friend” as “trusted”. The idea seems not very well thought through.

(Posted: Wednesday, May 31, 2017 at 3:45 PM EDT)

Why the “mandatory coverages” in Obamacare set a bad stage for future Internet law; Trump is actually on to something

Let’s think a moment about how mandatory insurance can work, in different areas, like health, auto, property.

Generally, you have to have auto insurance to have a driver’s license (how it’s required varies by state), you need property insurance for a mortgage, and with Obamacare (and previously Romneycare in Massachusetts) you need health insurance.  And Medicare and single payer in most other countries can be viewed as mandatory health insurance, paid for by much higher taxes.

Obamacare (the Affordable Care Act) is partly driven by requirement that “healthy” young people will buy coverages they as individuals are almost certainly not going to need, to support otherwise much higher premiums for people who do need them.  I’ve said here that we probably need publicly funded props (subsidies — not just tax cuts — and reinsurance, to help pay for health care for the sickest people), which would affect the deficit and maybe require cuts elsewhere (maybe in Social Security, for example, slowly increasing age eligibility) to control spending.  I may be OK with some of the aspects of “community rating” – that is, men have to buy pregnancy coverage because it takes two to tango – and we want, as a policy matter, some sort of gender equality. (It wouldn’t hurt me some day if PrEP were covered, although at my age it’s not real likely.)

But requiring people to buy add-on coverages for other people’s risks (“moral hazard”) is generally a dangerous idea, that can set up a bad precedent for other misuse.  That’s one reason why I am somewhat behind “TrumpCare” or “RyanCare” or “PriceCare,” if you really get serious about covering everybody somehow.  The Republicans want the states to take more responsibility for this area.  Under a federal system (compared to a unitary system like China’s) that seems appropriate.  We no longer trust the states to manage their own ideas of “equal protection” (from the 14th Amendment all the way to the Civil Rights Movement of the 1960s, ending with Stonewall) but we generally allow states a lot of leeway in just how they want their residents to pay for services or how much to privatize some services.  States vary on whether or not they have their own income taxes, and to what extent they want to charge user fees or tolls.  As California found out in the late 1970s, they can have their own battles on using property taxes to fund public education.  So, yes, the OMB is appropriately concerned about how the reddest states will handle a block grant approach to health care. But our Constitution and federalism limit just how much coercion the federal government can use, even for worthwhile policy goals.

In the past twenty years, auto and property companies have been combining normal property or physical liability (and damage loss, from accidents and storms) with cyber liability from Internet use.  The latter liabilities can include the cost of defending frivolous defamation suits (as with review sites) and copyright or even incidental trademark or patent infringement (from trolls), but they can also include losses due to identity theft or cybercrime (recently, ransomware).  In some cases, the higher limit auto policies are available only in umbrella policies that have all these other coverages (which have nothing to do with the likelihood of causing an auto accident or of being hit by a tornado).  In fact, as we know from the attempts around 2001 or so by the National Writers Union to buy media perils coverage for its members (and another push for this in 2008, shortly before the financial crisis), the risk for an individual consumer of being sued for Internet behavior is extremely hard to underwrite and predict, compared to the risks in the physical world.

I can imagine (especially from the “Left”) pushes to make cyber insurance mandatory components of property policies, and I hope the GOP would apply the same skepticism to this idea it has to health insurance mandatory coverages.  You can imagine the pressures:  because I have an unusual last name, I’m not as prone to identity theft as someone with an Anglicized name, but should I have to subsidize the premiums of someone more likely to experience it?  Because of the “gratuitous” nature of my self-publication (it doesn’t pay its own way) activity “in retirement” (maybe that’s like “in relief” in a baseball game’s bullpen), I don’t face the same risks as other people who actually need to support families with their writing, but I face my own unusual perils (mostly related to “implicit content” as I found out with a bizarre incident in 2005 when I was working as a substitute teacher – the concept has to do with attracting politically or socially motivated targeted risk to others connected to “you”). The main prevention is to know what I am doing.  (I do;  for example, I know how to recognize scams.)

But the permissive legal environment that has allowed user generated content to flourish does raise serious questions for me, involving some personal matters (how I place value on interactions with others who have more intrinsic need, and how I am willing, with volunteerism, to fit in and belong to a group and speak for its needs – accept “partisanship”).  The legal props include Section 230 and DMCA Safe Harbor, all of which makes me wonder how the Web still works in Europe, where these kinds of protections are weaker and where there is even an enforced “right to be forgotten” (and where, as Trump points out, defendants have to prove they told the truth in libel cases).  The permissiveness seems to have led to a world where there is a lot of recklessness and abuse, ranging from cyberbullying or stalking or revenge porn, to outright terror recruiting — largely because writers with sincerely put arguments wind up preaching to their own choirs, created by news aggregation.  Again, I could be silenced if I had to be insured, because my speech is not “popular” enough to pay its own way, especially in a mandatory insurance world.

(Posted: Wednesday, May 30, 2017 at 6 PM EDT)

Ransomware attack could provoke anti-tech reaction from Trump, but this particular attack may be easier to meet than it sounds

The “Ooops” page that many workplace computer users saw, displayed by hackers from the WannaCry worm last Friday, seemed almost cordial, as if making a mock of the Brexit vote last year, or of Donald Trump’s election.  It looked like a customer service page.  Can I get my data back?  Sure, if you pay up in time.

This almost looks like a hostile takeover.  Or is it a rebellion against the behavioral and personal performance norms of the civilized world in the digital age (and post)?  We’re in charge now, the welcome screen says;  you do what we tell you to do, and you’ll be OK.  The bullies win.  Might makes right, because there was no right before.

There are a lot of remarkable facts about this one.  First of all, the problem seems to have come from a leak of one of the NSA’s own tools, through Snowden and Wikileaks-like mechanisms.  The government wants its own back door, and it got left open.

Second, it seems to have affected certain kinds of businesses the most, mainly those overseas that happen to be less tech oriented and have less incentive to keep up.  It’s remarkable that one of the most visible victims was Britain’s National Health Service, and it’s easy to imagine how libertarians can use this fact to argue against single-payer and socialized medicine systems.  The government-run system didn’t give employees a personal incentive to stay tech-current.  (Then what about intelligence services and the military?  They’re still government.)

But it is true, individuals and tech-oriented small businesses know how to keep up and do keep operating systems and security patches updated.  So do larger businesses with a core interest in tech infrastructure.  Your typical bank, insurance company, brokerage house or other financial institution usually keeps the actual consumer accounts on legacy mainframes, which are much harder for “enemies” to attack (although insider vulnerabilities are possible, as I learned in my own 30-year career).  Typically they have mid-tiers or presentation layers on Unix systems, not Windows, and these are harder to attack.  Publishing service providers and hosting companies usually put their customers’ content on Unix servers (although Windows is possible, and my legacy “doaskdotell” site is still on Windows, and seems unaffected).

On the other hand, in Europe, most of all in Russia and former Soviet republics, there is a culture of cutting corners and sometimes using pirated software, which is much easier to attack.

A typical workplace infection might destroy all the data on employees’ own desktops (like Word memos) but not source code on a mainframe or Unix server, and not customer data.

This kind of ransomware cannot directly affect the power grids.  The computers that control distribution of power  run on proprietary systems (not Windows) normally not accessible to hackers.  However, in the book “Lights Out” (2015), Ted Koppel had described some ways a very determined hacker could try to corrupt power distribution and overload critical transformers.

There are other particulars in this incident.  Microsoft patched its latest server against the NSA vulnerability in mid March 2017.  All modern companies and ISPs or hosts would have applied this patch.  But there could have been a risk of this worm getting unleashed before the patch.

Windows 10 does not have the vulnerability, but apparently all previous versions did.  While media reports focus on Britain’s NHS using Windows XP, it would seem that any PC with an earlier Windows operating system could be vulnerable if not patched after May 13, 2017.  Even the monthly update, applied May 12, might not have the fix.

From the best that I know, Carbonite or other cloud backups are not affected.  But users who do not network their Windows machines at home and who make physical backups (like on Seagate drives or even thumb drives) regularly are not in the same danger of losing data.  I haven’t seen much information on how quickly the major security companies like Trend, Webroot or Kaspersky update their detection capabilities.

The fact that the worm spread among Windows computers in a network, without action by any users after the first one, has attracted attention. It seems as though the original infection usually comes from email attachments disguised to look as if they came from inside the workplace.  But it is possible for an unprotected computer to be infected merely by visiting a fake website (the way scareware infections can take over a computer, often based on misspellings of real sites with “System Response” and 800 numbers for fake support). There are reports that infection is possible on unnetworked computers by leaving certain ports open (like 445) without an adequate firewall.

Another problem is that, since introducing Windows 8 and later versions, Microsoft has become much more aggressive about pressuring users to replace operating systems on older hardware.  Often the loaded versions of operating systems like Windows 10 Creators Update, while loaded with the latest security, don’t run very well on older PC’s.  In the interest of providing gaming and tablet capabilities, Microsoft has made its systems less stable for people with ordinary uses (like blog posts).  Microsoft’s own PC’s, as compared to those with third party hardware (HP, Dell, ASUS, Acer, Lenovo, etc) may have fewer problems with updates inasmuch as they don’t have to deal with third party firmware (often from China) which may not be perfect.  Stability has become a much bigger issue since about 2013 with the introduction of Microsoft’s tablet systems.   I had a Toshiba laptop fail in 2014 when going from Windows 8 to Windows 8.1 because it overheated due to inadequate engineering of the power components.

There was a stir over the weekend when CBS reported that President Trump had ordered emergency meetings at DHS, as if he had intended to take some kind of action on his earlier “no computer is safe” idea.  His use of Twitter seems to contradict his previous dislike of computers as a way to get around dealing with people and salesmanship. I had wondered if he could propose liability rules for companies or individuals who leave computers unprotected and allow them to be used in conducting attacks (such as home PCs that become botnet nodes in DDoS attacks).

It was two young male programmers (each around 22), one in Britain and one in Indiana, who helped break the attack.  One programmer found an unregistered domain acting as a “killswitch” and found he could stop the worm by buying the domain himself for about $11.  I started wondering if Trump would talk about a killswitch for many portions of the Internet, as he threatened on December 2, 2015 in early debates. “Shut down those pipes.”

My other legacy coverage of this incident is here.

Wikipedia screenshot of the user greeting.

Malware Tech is one of the resources fighting the worm.

(Posted: Tuesday, May 16, 2017 at 2 PM EDT)

More followup on allowing guests router use, on downstream liability questions

Recently (Jan. 10), I wrote a posting about the possible downstream liability that router owners could experience if they allow guests to use their networks.  This could include persons hosting refugees or asylum seekers for humanitarian reasons or to “give back”. It could also apply to the sharing economy (Airbnb and other home-sharing sites).

After talking to Electronic Frontier Foundation, I was finally guided to a website they had set up called “Open Wireless,” and here is their take on it, at this link.

Here is how I interpret this paper.

First, as I noted, it is generally pretty easy to provide guest accounts, which would separate the log of Internet accesses made by the guest(s) for identification in any civil or criminal action.  It would always be advisable for the owner to do this, and to insist on the use of a guest account and separate password (or else the guest would use her own hotspot, which might not work in all locations).
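What “separating the log” buys the owner in practice is shown by the added example below, which is not code from the original post or from EFF’s Open Wireless material. It assumes a router that puts the guest SSID on its own subnet and writes two records the owner can keep: DHCP leases (which MAC address held which IP, and when) and outbound NAT connections. Given constructed copies of both, it labels each connection as owner or guest traffic and ties it back to the device that held the lease at that moment; a connection with no matching lease is kept but marked unattributable, which is the case to watch for if lease logs are not retained. Subnets, MAC addresses and log lines are all constructed for the example.

```python
"""Attribute outbound connections to the owner or guest network.

A guest SSID on its own subnet lets the router's connection log be split per
network and tied to the DHCP lease (MAC address) active at the time, which is
the record an owner would want if a guest's activity were ever questioned.
All subnets, MAC addresses and log lines are constructed for this example.
"""
import ipaddress
import re
from datetime import datetime

# Assumed layout: owner devices on one subnet, guest SSID on another.
NETWORKS = {
    "owner": ipaddress.ip_network("192.168.1.0/24"),
    "guest": ipaddress.ip_network("192.168.10.0/24"),
}

# Constructed DHCP lease table: (lease start, lease end, ip, mac, hostname)
LEASES = [
    ("2017-01-20T08:00:00", "2017-01-20T20:00:00", "192.168.1.10", "aa:bb:cc:00:00:01", "owner-laptop"),
    ("2017-01-20T09:30:00", "2017-01-20T21:30:00", "192.168.10.50", "de:ad:be:ef:00:02", "guest-phone"),
    ("2017-01-20T12:00:00", "2017-01-20T13:00:00", "192.168.10.51", "de:ad:be:ef:00:03", "guest-tablet"),
]

# Constructed NAT log format: "<ISO timestamp> NAT <src>:<sport> -> <dst>:<dport>"
CONN_RE = re.compile(r"^(?P<ts>\S+) NAT (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

SAMPLE_CONNECTIONS = [
    "2017-01-20T10:15:00 NAT 192.168.1.10:51000 -> 93.184.216.34:443",
    "2017-01-20T10:16:00 NAT 192.168.10.50:52000 -> 198.51.100.7:443",
    "2017-01-20T12:30:00 NAT 192.168.10.51:53000 -> 198.51.100.9:6881",
    "2017-01-20T14:00:00 NAT 192.168.10.51:53001 -> 198.51.100.9:80",  # after the tablet's lease expired
]


def classify(ip):
    """Name the network a source address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "unknown"


def lease_for(ip, ts):
    """Return (mac, hostname) holding `ip` at time `ts`, or (None, None) if no lease covers it."""
    for start, end, lease_ip, mac, host in LEASES:
        if lease_ip == ip and datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end):
            return mac, host
    return None, None


def attribute(lines):
    """Parse NAT log lines and attach network label and lease holder to each."""
    records = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skip lines in another format rather than mis-attributing them
        ts = datetime.fromisoformat(m["ts"])
        mac, host = lease_for(m["src"], ts)
        records.append({
            "ts": m["ts"], "network": classify(m["src"]), "src": m["src"],
            "mac": mac, "host": host, "dst": m["dst"], "dport": int(m["dport"]),
        })
    return records


def split_by_network(records):
    """Group attributed records so each network gets its own log."""
    out = {}
    for r in records:
        out.setdefault(r["network"], []).append(r)
    return out


if __name__ == "__main__":
    for network, recs in split_by_network(attribute(SAMPLE_CONNECTIONS)).items():
        print(f"== {network} network ==")
        for r in recs:
            who = f"{r['host']} ({r['mac']})" if r["mac"] else "NO LEASE ON RECORD"
            print(f"{r['ts']} {r['src']} [{who}] -> {r['dst']}:{r['dport']}")
```

The last sample line is the instructive one: the tablet's lease had ended, so the connection can be placed on the guest network but not on a device. Keeping lease history for as long as the connection log is what makes the separation the paragraph describes actually usable later.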

Furthermore, discussions with others (like at Geek Squad) have suggested that installation of OpenDNS is not necessarily a critical idea for liability protection;  it does not provide perfect protection from a determined criminal compromise.  Indeed, some use of TOR and hidden sites for some foreign guests could be morally legitimate (to avoid detection by autocratic home countries).

There is no law requiring router owners to protect their networks, or establishing downstream liability potential.  There is also no law protecting owners from an injured party’s claim based on the normal “” of negligence on the part of the owner. (States could vary on this, but it doesn’t seem like they have done much about it.)

An owner who could be reasonably suspicious that his router was being used for illegal downloads or to facilitate terror recruitment, sex trafficking, child pornography, cyberbullying, or other similar harms, would seem to be at risk, as I read this.  That could leave open the question of monitoring use.

It would seem that an owner would need to behave in good faith in allowing the use of his router.  Evidence of creditworthiness or reputation of guests might seem to be evidence of good faith, as well as providing a strike page requiring agreement to terms of service (which normally means no illegal use).

With personal guests (including boarders or roommates) it seems that a typical expectation is how well the host knows the guest, and whether the host can reasonably expect the guest to behave responsibly.  In the case of hosting for humanitarian reasons, I think there is something that is troubling here.  It may be like saying that providing foster care for children is risky (because it can be).   In Canada, the legal system recognizes the idea of private sponsorship of refugees and that would seem to provide some presumption of good faith because the host is privately supplying a needed service to others.  In the United States, especially now (under Trump) the legal system and culture seems to emphasize “take care of your own first” and seems to provide no such recognition. Yet asylum seekers, to stay out of detention and homeless shelters, would probably need private sponsors to support them and take responsibility for them.  It’s not yet clear to me that a host in the US might not be viewed as intrinsically negligent during our current political climate toward immigration.  However, background checking (with former employers, etc) or other forms of familiarity (repeated volunteering) might provide more of a presumption of good faith, as I would interpret this.

(Posted: Tuesday, January 31, 2017 at 3:30 PM EST)

Downstream liability concerns for allowing others to use your business or home WiFi connection, and how to mitigate

A rather obscure problem of liability exposure, both civil and possibly criminal, can arise for landlords, businesses, hotels, or homeowners (especially sharing-economy users) who allow others to use their WiFi hubs “free” as a way to attract business.

Literature on the problem so far, even from very responsible sources, seems a bit contradictory.  The legal landscape is evolving, and it’s clear the legal system has not been prepared to deal with this kind of problem, just as is the case with many other Internet issues.

Most hotels and other venues offering free WiFi take the guest to a strike page when she opens a browser; the guest has to enter a user-id and password and agree to terms and conditions to continue.  Suitably equipped routers can normally be programmed to perform this interception.  The terms and conditions typically say that the user will not engage in any illegal behavior (especially illegal downloads, or possibly downloading child pornography or planning terror attacks).  The terms may include a legal agreement to indemnify the landlord for any litigation, which in practice has been very uncommon so far in the hotel business.  The router may be programmed to disallow peer-to-peer.
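As an added illustration (not code from the original post), here is the logic of such a strike page written as a small Python captive portal: every request from a guest who has not yet agreed is redirected to a terms page, acceptance is recorded per client with a timestamp so later abuse can be tied to a particular guest, and the session expires. It assumes the router already redirects unauthenticated guest HTTP traffic to this server; identifying a guest by IP address and the 12-hour session length are assumptions of the example.

```python
"""Captive-portal ("strike page") logic for a guest WiFi network.
Added example, not code from the original post. Assumes the router already
redirects unauthenticated guests' HTTP traffic here (e.g. via a DNAT rule) and
identifies a guest by IP; binding to the DHCP lease's MAC would be stronger."""
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

SESSION_SECONDS = 12 * 3600  # assumed: guests re-accept the terms every 12 hours
ACCEPTED = {}                # client IP -> acceptance record (in-memory for the demo)
ACCEPTANCE_LOG = []          # append-only record the host keeps for attribution
TERMS_HTML = (
    "<h1>Guest WiFi terms</h1><p>No illegal use: no unlicensed downloads, no "
    "peer-to-peer file sharing, no harassment. You are responsible for your "
    "own traffic.</p><form method='post' action='/terms'>"
    "<button name='agree' value='yes'>I agree</button></form>"
)

def is_authorized(ip, now=None):
    """True if this client accepted the terms within the session window."""
    now = time.time() if now is None else now
    rec = ACCEPTED.get(ip)
    return rec is not None and now - rec["accepted_at"] < SESSION_SECONDS

def handle(ip, method, path, body="", now=None):
    """Pure request handler: returns (status, headers, body).
    Unauthorised clients are redirected to /terms for every request; only a
    POST with agree=yes unlocks the session, and who accepted when is logged."""
    now = time.time() if now is None else now
    if path == "/terms":
        if method == "POST":
            if parse_qs(body).get("agree") == ["yes"]:
                rec = {"ip": ip, "accepted_at": now}
                ACCEPTED[ip] = rec
                ACCEPTANCE_LOG.append(rec)
                print(json.dumps(rec))  # stand-in for a persistent audit log
                return 302, {"Location": "/"}, ""
            return 403, {"Content-Type": "text/plain"}, "Terms not accepted"
        return 200, {"Content-Type": "text/html"}, TERMS_HTML
    if not is_authorized(ip, now):
        return 302, {"Location": "/terms"}, ""
    return 200, {"Content-Type": "text/plain"}, "Welcome: you may browse now"

class PortalHandler(BaseHTTPRequestHandler):
    """Thin HTTP adapter so the portal can run stand-alone on port 8080."""
    def _serve(self, method):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length).decode() if length else ""
        status, headers, text = handle(self.client_address[0], method, self.path, body)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(text.encode())
    def do_GET(self): self._serve("GET")
    def do_POST(self): self._serve("POST")

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), PortalHandler).serve_forever()
```

In a real deployment the acceptance record would also trigger the router's firewall to allow that client's traffic, and the log would be written to durable storage rather than memory.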

There is some controversy in the literature as to whether Section 230 of the 1996 Telecommunications Act would hold hotels and businesses harmless.  But my understanding is that Section 230 has more to do with a content service provider (like a discussion forum host or a blogging service provider) being held harmless for content posted by users, usually for claims of libel or privacy invasion.  A similarly spirited provision in the Digital Millennium Copyright Act of 1998, called Safe Harbor, protects service providers against liability for copyright infringement by users.  Even so, some providers, like Google with its YouTube platform, have instituted automated tools to flag some kinds of infringing content before posting, probably to protect the long-term viability of their business model. Whether Section 230 would protect a WiFi host sounds less certain, to me at least.  A similar question might be posed for web hosting companies, although it sounds as though generally they are protected.  Web hosting companies, however, all say in their AUPs that they are required to report child pornography should they happen to find it. You can make a case that a telecommunications company is like a phone company, a utility, so a hotel or business is just extending a public utility. (That idea also bears on the network neutrality debate, which is likely to become more uncertain under a President Trump.)

Here’s a typical reference on this problem for hotels and businesses.

A more uncertain environment would exist for the sharing economy, especially home sharing services like Airbnb.  Most travelers probably carry their own laptops or tablets and hotspots (since most modern smart phones can work as hotspots), so hosts may not need to offer WiFi unless wireless reception is weak in their homes.  Nevertheless, some homeowners have asked about this.  These sorts of problems may be even more acute for families, where parents are not savvy enough to understand the legal problems their teen kids can cause, or they could occur in private homes where roommates share telecommunications accounts, or where a landlord-homeowner takes in a boarder, or possibly even a live-in caregiver for an elderly relative.  The problem may also occur when hosting asylum seekers (which is likely to occur in private homes or apartments), and less often with refugees (who more often are housed in their own separate apartment units).

It’s also worth noting that even individual homeowners have had problems when their routers aren’t properly secured, and others are able to pick up the signal (which for some routers can carry a few hundred feet) and abuse it.  In a few cases (at least in Florida and New York State) homeowners were arrested for possession of child pornography and computers seized, and it took some time for homeowners to clear themselves by showing that an outside source had hijacked the connection.

Comcast, among other providers, is terminating some accounts with repeated complaints of illegal downloads through a home router.  In some countries, it is possible for a homeowner to lose the right to any Internet connection forever if this happens several times, even if others caused the problem.

Here are a couple of good articles on the problem at How-to-Geek and Huffington, talking about the Copyright Alerts System.  Some of this mechanism came out of the defeated Stop Online Piracy Act (SOPA), whose well-deserved death was engineered in part by Aaron Swartz, “The Internet’s Own Boy”, who tragically committed suicide in early 2013 after enormous legal threats from the Obama DOJ.

Along these lines, it’s well to understand that automated scanning tools used by law enforcement and litigants to look for violations are becoming more common on the Internet.  It is now possible to scan cloud backups for digital watermarks of known child pornography images, and it may become more common in the future to look for some kinds of copyright infringement or illegal downloads this way (although content owners are good enough at detecting the downloading themselves when it is done through P2P).

Generally, the best advice seems to be to have a router with guest-router options, and to set up the guest account to block P2P and also to set up OpenDNS.  An Airbnb community forum has a useful entry here.  Curiously, Airbnb itself provides a much more cursory advisory here, including ideas like locking the router in a closet (pun).

I have a relatively new router and modem combo from Comcast myself.  I don’t see any directions as to how to do this in what came with it.  I will have to call them soon and check into this.  But here is a typical forum source on guest accounts on Xfinity routers.  One reverse concern, if hosting an asylum seeker, could be that the guest needs to use Tor to communicate secretly with others in his or her home country.

It’s important to note that this kind of problem has come some way in the past fifteen years or so.  It used to be that families often had only one “family computer”, and the main concern was illegal content that could be found on its hard drive.  Now the concern migrates to abuse of the WiFi itself, since guests are likely to have their own laptops or tablets and storage devices.  There has also been some evolution in the concept of the nature of liability.  Up until about 2007 or so, it was common to read that child pornography possession was a “strict liability offense”, which holds the computer owner responsible regardless of whether a hacker or other user put it there (or whether malware did).  In more recent years, police and prosecutors have indeed sounded willing to apply the usual “mens rea” standard.  One of my legacy blogs has a trace of the history of this notion here; note the posts on Feb. 3 and Feb. 25, 2007 about a particularly horrible case in Arizona.  Still, in the worst situations, an “innocent” landlord could find himself banned from Internet accounts.  The legal climate still has to work out this idea of downstream liability (which Section 230 and Safe Harbor address to some extent, while drawing considerable public criticism in the name of the common good), and take a position on how proactive it wants those who benefit from technology to be in protecting those who do not.

(Posted: Monday, January 9, 2017 at 10:45 PM EST)

Update: Tuesday, Jan 24, 2017, about 5 PM EST

Check out this Computerworld article (Michael Horowitz, “Just say No” [like Nancy Reagan], June 27, 2015) on how your “private hotspot” Xfinitywifi works.  There’s more in the comments I posted below.  To me, the legal situation looks ambiguous (I’ve sent a question about this to the Electronic Frontier Foundation; see the pdf link in my comment of Jan. 24).  If you leave your router enabled, someone could sign onto it (it looks as if they can, if they have your Xfinity account password, or the other password if you changed it).  Comcast seems to think this is “usually” OK because any abuse can be traced to the culprit.

 

Evidence of Russian hacking attempt reported at an electric power utility in Vermont, on the heels of election “hackergate” and Obama’s actions

The Washington Post, in a story by Juliet Eilperin and Adam Entous, reports the discovery of code associated with Russian hacking in the computer systems of one of the two major electric power utilities in Vermont.  The code is associated with malware known as “Grizzly Bear”.  Other Russian malware has colorful names, like “Pawn Storm”, a maneuver in chess in which the opposing armies are castled on opposite sides of the board (as in the Yugoslav Attack against the Dragon Sicilian).

The journalists confirmed the story with DHS, which would not say which company was involved.

Malware might cause a power station to overload a large transformer connecting it to other utilities, burning it up, creating a very difficult problem for replacement in reasonable time, as Ted Koppel had explained in his Nov. 2015 book “Lights Out”.

On Nov. 5, I reported a Sinclair Broadcasting story about “Black Energy” malware discovered at one or more unspecified utilities in 2012, which was said to be impossible to remove.

So far, as far as the media has reported, no malware has caused any outages.

The Vermont infection apparently occurred when an employee opened a link or attachment in a “phishing” email disguised to look like official company workplace business.  The email might have purported to come from a vendor or a customer. It is actually more difficult to defend against phishing attacks in the workplace than it is at home for savvy users, who know their own personal operations well enough to suspect phishing emails at sight.

Normally it is very difficult to get to the grid components directly, as they are not supposed to be connected topologically to the public Internet.  This sounds like a problem Donald Trump could talk about quickly.

National security experts have cautioned President Obama about his mode of retaliation against Russia for the supposed hack of both parties during the 2016 election, backed up by circumstantial evidence. Vox has good articles by Yochi Dreazen and Timothy B. Lee.  I personally don’t think Hillary Clinton lost the electoral vote because of hacking.  Comey’s letter (on the emails), Obamacare price hikes, poor campaigning before certain “resentful” parts of the electorate (the Rust Belt), and poor “getting out the vote” among minorities are better explanations for the loss.  Ironically, Putin played a “waiting move” with Obama today (by chess analogy) and took no action yet (NBC story). Trump, anyway, won’t be in zugzwang.

I personally visited a nuclear power plant in 1982, at Glen Rose, TX, on a weekend Sierra Club camping trip from Dallas, and have visited the grounds at North Anna, which has limited visitor displays.  Ironically, it is near Mineral, VA, where the 2011 earthquake occurred, and in an area with several “intentional” low-tech shared-income rural communities, one of which (Twin Oaks) I toured briefly in 2012.

As the video above claims, the US can also hack into the Russian power grid.

Wikipedia picture of Killington Ski Resort trail, which I visited in February 1973.

(Published: Friday, December 30, 2016 at 9 PM EST)

Update: Dec. 31 early

A newer version of the Washington Post story in print identifies the utility as Burlington Electric, and says that the malware, now called “Grizzly Steppe” was found on a laptop not connected to the grid.  No actual outages or hardware damage has occurred.   Homeland Security was notified immediately when the malware was discovered. The company has a statement about the incident on its home page now.

The Wall Street Journal weekend edition now has a story online by Jennifer Levitz here.  But Rebecca Smith has a story about a ransomware incident (resulting in bitcoin payment) at a Michigan utility (Lansing Board of Water and Light) in April 2016, here. That sounds coincidentally alarming given the problems with the Flint, MI water supply (which disproportionately affect low income people and their kids) after gross mismanagement, as covered in the media in 2016.  Smith also has a story, “Fears over U.S. power grid”, Dec. 30, p. B3 in print Saturday, explaining how multiple attacks in Ukraine have happened (one on Dec. 23, 2015), and the penetration of four more electric utilities (and thirteen other companies) in 2014, apparently with similar “Russian” malware.

Security companies are starting to discuss these incidents. FireEye offers more info in a downloadable subscription report, link; Root9B has resources indexed here.

Wikipedia picture of Burlington, from Lake Champlain wharves, link.  I have been there once, as a child.

Obama’s pre-election use of “red phone” to Moscow actually underscores eventual power grid vulnerability to cyberwar

NBC News reported tonight that on Halloween morning, October 31, 2016, a Monday and eight days before the election, President Obama used the “red phone” line with Moscow for the first time during his presidency.  He reiterated a warning to the Kremlin not to interfere with the election, following up on a session in late September when Obama reportedly told Putin to “stop it”.

On Nov. 4, news media began to report concerns over possible attacks on or disruptions of infrastructure (Internet and power grid) on Election Day and perhaps the day before.  The threats were supposed to be credible.  On Nov. 5, I reported here a story that some American utilities had been infected with malware as early as 2012 and that the malware could not be easily removed.

The Obama administration, on Oct. 31, was still concerned that an Oct. 21 “denial of service” attack on some companies providing domain name resolution had been perpetrated by Russia as a “dry run”.  There are some accounts of how the attack happened, as here on “WeLiveSecurity” and in this statement by Dyn. It’s well to remember that back in 2008, researchers in Finland had found a hole in the domain name resolution system that necessitated an emergency meeting with Microsoft in Seattle (story).  And historically it’s a little ironic that this summit happened just a little before the financial crash in September 2008.

More recent investigations seem to have discounted the idea that the Oct. 21 DDOS came from the Russian government.

But the media has also been concerned with various reports from the FBI, CIA and other agencies that the Russians hacked servers of both the Republicans and Democrats, posted embarrassing information about Democrats on WikiLeaks, and helped alt-right sources spread “fake news” that influenced the election, especially in swing and “blue wall” states.  It’s hard for me to believe that the claim that this changed the election is really credible, but Matthew Yglesias has a very detailed explanation on Vox here. This is the activity that led Obama to tell Putin to “stop it” the first time.

All of this I write today while listening on CNN to reports of an apparently crude but vicious terror attack in Berlin, Germany, where a carjacked truck was driven into a crowd, causing deaths and horrific injuries, and of a “World War I”-like assassination of the Russian ambassador to Turkey today at an art gallery.

So for any president to talk “tough” to Russia can run the risk of a backlash, where an attack on the US power grid may be possible because of the reports of the 2012 malware planting.  This sort of problem was covered by Ted Koppel in his 2015 book “Lights Out” and is related to the over-dependence of major utilities on huge transformers to adjust loads, and to the inability of the US to manufacture replacement transformers.

This may be a good place to say that Donald Trump’s “make America great again” phrase, when used in conjunction with doing more manufacturing at home, is certainly appropriate when it comes to major hardware items at the heart of our infrastructure.  Bringing some of that manufacturing back would provide more domestic engineering and manufacturing jobs, and seems essential to prevent possibly catastrophic breakdowns in the power grid infrastructure, whether from Carrington-like solar storms, terror attacks or Hitchcock-style sabotage.  But it’s also important for utilities to provide more of their own local generation, and this may be much more economical now with renewable technologies (including Taylor Wilson’s small fission reactors) than fossil fuels, although many such small generating stations could probably use natural gas (the “Pickens Plan”).  This one particular matter needs Donald Trump’s focused attention on Day 1 (now that his Electoral College victory is assured today), and it is totally apolitical and not particularly concerned with any one voting constituency.

(Posted: Monday, December 19, 2016 at 11:30 PM EST)