It’s not polite to take joy in the troubles of others but I can’t help gloating a little bit today. Lifelock agreed to pay $12 million to its customers to settle a suit with the Federal Trade Commission and 35 states for making “exaggerated claims about its identity theft services”.

If you remember, Lifelock’s CEO posted his real Social Security Number on billboards and buses around the country. His identity was subsequently stolen but that didn’t stop the company from continuing to advertise that its services would “prevent identity theft”. The company promised far more than any company could ever really deliver, especially since the primary ‘defense’ that they put in place for their customers was a credit alert, something which any consumer can arrange him/herself for free. Those monthly charges added up to a lot of money for a couple of stamps and a note on your calendar.

In the settlement, the company admitted no wrongdoing but they’ve said that they have “changed their business model”.

If you haven’t checked your credit report lately, you should. Remember that you’re entitled to a free copy every 12 months (and go to the legitimate site, not the scam site with “free” in the domain name). If you think you’re at special risk of ID theft, consider implementing a credit alert or even a credit freeze. Don’t forget to check the credit reports of at-risk family members (children and dependent elders) while you’re there.

I got two spam messages today that I just have to share (example 1 and example 2). They are such blatant examples of the Nigerian 419 scams that I laughed out loud.

Sadly, the answer is “yes”: these scams do still work. The FBI continues to report hundreds of millions of dollars in losses to these frauds each year. Some are this blatant but some are quite a bit more subtle. Variant scams target non-profits. One recent wave alleged that the charity was the beneficiary in an unnamed donor’s will. A surprising number of charities let blind hope get in the way of common sense. Wikipedia has an extensive list of the variants.

So what can you do about it? Some people retaliate. There are whole organizations dedicated to wasting the scammers’ time. They respond with equally false stories about how they are “excited to be notified about the windfall” but because of a religious tenet, need a picture of you (the scammer) “in white robes balancing a loaf of bread on your head while holding a fish under each arm” before they can send the money. Here is one group that collects and publishes the ‘trophy’ pictures of scammed scammers.

While it’s emotionally satisfying to think about retaliation, I strongly recommend that you just delete them. I also encourage you to think about friends and family who might not be as aware of these scams as you are. Do you have a dependent elder who is more trusting than he/she should be? Do you have a friend or co-worker who is a great person but a bit gullible? Send them copies of these scams so they learn what to look for. Help them to set up the spam filters and other computer protections. These scams are amazingly profitable. They will continue as long as we continue to fall for them.

Some background: The broader name for this kind of scam is the “advance-fee fraud”. Following the collapse of the Nigerian economy in the 1980s, a large portion of the educated and computer-savvy population were unable to find gainful employment and turned their skills to crime in order to feed their families. The preponderance of such scam emails coming from Nigeria’s 419 area code led to the current name even though the same scam has also been found originating from England, Spain, Ireland, the USA, Canada, the Netherlands, Australia, etc. An older version of this scam was carried out by regular mail in the early 1900s under the Spanish Prisoner name.

This post is not directly related to security though it does have some connections through the broader concept of governance and leadership. It is something I’ve been thinking about a lot lately and I feel an obligation to write. For those of you reading just for the tactical security tips, please skip this post.

Recently, there has been a great deal of chatter about eliminating the filibuster – the rule within the Senate that effectively allows a single senator to hold up a bill by continuing to talk about it for hours, days or even weeks on end. The filibuster has been rather famously used to disrupt the passage of key bills and nominations proposed by the majority party. Filibusters are being described as a prime example of partisan bickering and legislative gridlock.

I disagree. Yes, the filibuster can be abused for purely partisan purposes but at its core the filibuster is a way for the minority party (whether currently Democrat, Republican, Whig or Federalist) to keep a stake in the operations of government and to continue to influence debate. Despite the threats about the “nuclear option”, neither party would be served by the elimination of the filibuster.

Much more importantly, the filibuster is a check against the tyranny of the majority. By allowing a mechanism to raise the threshold for a vote from simple majority (50% plus 1) to a super-majority, it acts as a check against the ability of the majority to vote themselves unlimited privileges. 51% of the population could, for example, decide to fund the government by taxing just the other 49% – or less obviously, to skew the burden of taxation onto the minority. Or the 51% could vote in a particular moral code which may not be held by – may even be anathema to – the 49%.

The majority could do so even in a situation where the 51% felt only weak agreement but the 49% disagreed vehemently. Our simple majority voting system is prone to bias and sub-optimal decisions when the voting groups have different degrees of preference for a result or where multiple options could/should be considered. (Wikipedia has an excellent discussion of alternative voting structures, some of which are less susceptible to this bias though they each have their own limitations in turn.)

Our legislative system is also susceptible to a recency bias. Get 51% today and even if you can only keep your majority for the time it takes to vote, the effects will long outlast the majority opinion. In theory, it should be as easy to rescind a law as it was to pass it but in practice, it is remarkably hard to undo a law even in the face of convincing evidence that it is ineffective.

The filibuster is not the only check and balance in our system against the tyranny of the majority and recency bias and it’s not a perfect one but it is an important one. A 61% majority might still impose their will on the remaining 39% but that higher threshold gives the affected minority a chance to raise the stakes and to force additional scrutiny on the debate.

Now there are those who say that the filibuster was a mistake – a minor omission in the procedural rules of the Senate that took on a life of its own. If it was a mistake, it ranks as an outstanding example of serendipity. It subtly encourages one arm of the government to be more deliberative and circumspect in their aims.

I will concede, however, that some of the procedural rule changes within the Senate make the filibuster easier to use than was historically the case. In particular, when the Senate allowed “tracking” in the early 1960s, the connection between the objection and visible debate was broken. Jimmy Stewart in Mr Smith Goes to Washington is no more. Under the current rules, a Senator lodges a procedural filibuster, the bill is tabled and the Senate moves on to other business. No dramatic and colorful endurance exercises on the floor. No pain at all, either for the Senator doing the filibustering or for his peers who should be listening to it. Perhaps they should feel some pain though. It might encourage them to actually address the underlying issues instead of adopting waiting games and back-room deals for votes. A little bit of pain and a lot of visibility might put some skin back in the game. It might return the filibuster to the status it once held – an important and special legislative tactic to be used only when truly needed.

Either way, it remains an invaluable protection for the rights of the minority.

If you haven’t heard by now, a number of Google executives were convicted in absentia by a court in Italy for failing to police some videos posted by users. In this case, the video was a home movie of several teenagers bullying a peer with Down syndrome. The video was anonymously posted to Google Videos where it stayed for several months. Eventually, some adults noticed it and contacted the police who investigated and then asked Google to take the video down. By all reports, Google did so within two hours of receiving the notification.

The Italian prosecutors felt that this was not fast enough and argued in court that Google had an affirmative responsibility for the content even though it was posted by others and even though Google does not exercise any control over the content. One self-appointed consumer advocate is proclaiming this a “victory for individual privacy over corporate interest”.

I am an avid privacy activist but I’m not buying it here for several reasons. First, it’s not possible to evaluate all the content that users are posting. About twenty hours of video content are posted to YouTube alone every minute. Add in all the other Web 2.0 sites and you’d need literally armies of people doing nothing but watching what other people are posting. Nobody could afford that. And even if you tried, that many people just couldn’t do the job without making mistakes. Second, there’s no easy way to tell inappropriate content (like real bullying) from certain types of performance art. That kind of stuff is not to my taste but other people … well, I won’t say they necessarily enjoy it, but they do it. And heaven help you if you censor their artistic content. Third, which set of standards will you apply? Granted, beating up a kid with Down syndrome is bad in pretty much every culture but there’s nothing philosophically different between this case and the Chinese suppression of political dissent. There is no way to draw the line about what is or is not acceptable.

Some commentators on this case have argued that other users added comments to the site that the video was inappropriate and that should have been enough to require Google to act. Again, I don’t buy it. User feedback and ratings can have a place but they are remarkably susceptible to abuse. False reports are rampant, either as pranks or as retribution for negative ratings on other users’ content. Remember that the Internet is an inherently pseudonymous environment. That is, even if you have to create a username to use a site, you can still create as many usernames as you want and they don’t necessarily have to have any connection to your real identity. If you want to tank a site or skew a vote, just create a thousand or so accounts (often called “sockpuppets”) and have them all paraphrase your original opinion. If you are careful to change your tone and word choice a bit, it’s very difficult to identify this kind of abuse.

It seems to me that the real culprits are the bullies who 1) abused the victim and then 2) posted the video. Google appears to have been a good corporate citizen, acting quickly and responsibly once notified of a problem by the proper authorities. Attempting to require Google or any other host to actively police every bit of content on their site would kill the very idea of user-generated content. YouTube, Twitter, Facebook, MySpace, Wikipedia, … all would be run out of business by this social policy. And we would all be much poorer as a result.

I hope this case gets overturned on appeal. It’s hard to predict, though. European law is far less deferential to the idea of free speech than we are used to in the US. They also have not been very successful at grappling with the implications of applying local standards to global operations. If you expect others to kowtow to your local foibles, you have to be equally ready to defer to all of theirs – a standard that very few communities will tolerate in practice.

As a closing thought, I can’t help wondering if this court case was a smoke-screen. It is suspicious that this case comes right as Google is being sued by the state-run media companies for alleged tolerance of copyright violations on the same site. I feel for the kid who was being bullied but this smells to me more of political grandstanding and strong-arm negotiations than it does of a legitimate privacy case.

My dentist was asking about his computer this evening. He’s been having some trouble that might indicate a virus or could just be a sign that the computer’s getting a bit old. Along the way, he talked about some add-ons that seem to have added themselves to his system and he wasn’t really sure what they were. Between the novocain and the drill, I’m sure my answer was completely incoherent so here is an attempt to better answer the questions “What is an add-on” and “Should I let it be added to my computer”.

First, what is an add-on? (Other names include plug-in, extension and sometimes theme. More on that later.) An add-on is an optional software component that, in theory, increases the functionality and/or usability of the original program. Most people learn about add-ons in the context of their internet browser, especially if you are a Firefox user. Add-ons can improve your computer’s security (by blocking scripts and ads), make certain actions easier (like viewing pictures or updating webpages), improve compatibility with other programs such as Java or QuickTime or just customize the look and feel of the computer.

Add-ons can also be malicious trojan horses, bringing along all sorts of viruses and vulnerabilities to your computer. If you find an add-on you like – and there are some good ones out there – be sure that you get it from a reliable source. If you’re looking for add-ons to Mozilla’s Firefox, for example, go to Tools/Add-ons and look for the Browse all add-ons link. That will take you directly to the official Mozilla site. Internet Explorer has a similar path.

Some add-ons can be very helpful. I really like NoScript and AdBlock for Firefox. Between the two of them, they make my browsing much safer.

Many add-ons are neutral from a security point of view – they may make your browsing experience better but they neither help nor hurt your computer’s security.

Some are downright dangerous – add-ons that include some hidden code that lets the author control your computer or that otherwise subverts your security. Those tend to get filtered out of the legitimately sponsored sites pretty quickly but they are a real danger in chat rooms and unmoderated forums.

And an unfortunate number of add-ons are offered with a good heart but are either badly written or just don’t take into account all the possible configurations that are out there – and when used in combination with some other add-on or program, they create new vulnerabilities that didn’t exist before. I put all the Google and Yahoo Toolbar add-ons in this category – well-intentioned but fundamentally unsafe.

Add-ons also tend to go out of support fairly quickly. They are often written by volunteers, after all. Microsoft has a financial incentive to keep programmers pounding away, patching their products. If a hacker finds a hole in an add-on, it may or may not get fixed quickly.

If you find an add-on you like, read the reviews to see what other users say about it. See if anyone has had concerns about unexpected interactions or problems. See if it’s been updated recently and find a legitimate download site. Then back everything up on your computer before you install it.

On the other hand, if your computer “spontaneously” offers to install an add-on, the right answer is almost invariably to reject it. If it looks like it might be useful, go to a legitimate site and read the reviews, then decide for yourself.

When an add-on is primarily designed to change the look and feel – background colors, fonts, logos, maybe even layout and organization of buttons – but not to change the underlying function of the program, that’s usually called a “theme”. There are literally thousands of themes available including ones for just about every sports franchise imaginable. They are commonly available not merely for your browser but also for your phone and for many other computer applications such as Media Player. Themes are usually safer to load since they are not supposed to affect the program, but be careful. Something advertised as merely a theme can still include malicious code. And a badly written theme can cover up functions you do need, like, say, the undo button – it’s still there but you can’t reach it because some other button is in the way. Like the other add-ons discussed above, only consider themes from reputable sources. If you’re not sure, stick with the default theme.