September 25, 2008

Does Big Brother know where you’ve been surfing?

August 25th, 2008

Posted by Sam Diaz

If you think no one will ever know about the Web sites you were surfing last night, guess again. It may not be your spouse, your boss or a cop – but there’s growing interest in what sort of data your Internet Service Provider is collecting about your viewing habits.

As for me, I just finished reading a very interesting piece by my former Washington Post colleague Rob Pegoraro, who wrote about “deep packet inspection.” Given the technology that’s out there, monitoring Web usage has grown beyond cookies on your computer to data scouring on your ISP’s servers. Rob writes:

Peering inside the digital packets of data zipping across the Internet — in real time, for tens of thousands of users at once — was commercially impractical until recently. But the ceaseless march of processing power has made it feasible. Unsurprisingly, companies have been trying to turn this potential into profit. By tracking users’ Web habits this closely, they can gain a much more detailed picture of their interests — and then display precisely targeted, premium-priced ads. Equally unsurprising, these attempts have become a public-relations tar pit for Internet providers that experimented with this technology without giving users fair warning.

In a recent hearing on Capitol Hill, lawmakers asked dozens of providers if they had used deep packet inspection and most said they had not. But a couple, including Washington Post-owned Cable One, said they had tested it using a service provided by Redwood City-based NebuAd. Of course, everyone is saying that privacy has been respected and that personal and sensitive matters – emails, financial transactions and so on – were stripped from the data first. But how do we know? I mean, we don’t even necessarily know if our usage patterns are being monitored.

I guess I already know I’m being watched. As a Gmail user, there are ads related to the topics in my e-mail conversations. And yet, I’m OK with that. But this data packet level of inspection is just so far out of my control that it’s a bit unnerving. Case in point: If I don’t like the Gmail ads, I can stop using Gmail and go another route for my mail services. I make that decision and I control it. In the case of deep packet inspection, my ISP holds the key – not me. Rob uses an excellent analogy in his column:

Tracking via cookies is the rough equivalent of a supermarket clerk noting that you spend a lot of time in Aisle 9 checking out cereal but never duck into Aisle 2 for frozen dinners. Deep packet inspection, by contrast, is more like the clerk following you to see which boxes of cereal you eyeballed — and doing so at every store you visit, even those run by other companies.

I try to surf the Web without paranoia and, if anyone was tracking my usage, they’d probably think I’m on tech news overload or would wonder why on Earth an educated adult subscribes to ridiculously sophomoric YouTube vlogs. (Hey, it’s the same reason I watch South Park – we all need a break, right?) I have no immediate problems with the idea of deep packet inspection. I think I would just like to know when and if it’s happening. And I think I’d want the option to opt-out or at least be compensated in some way for the valuable advertising data I’m providing about myself.

A week for two in Hawaii would be nice but I’d probably settle for a discount on my monthly ISP bill.


September 21, 2008

Memo To Comcast: Show Us the Meter for Metered Broadband

Om Malik, Thursday, August 28, 2008

Comcast is out defending its bandwidth caps and how they are not bad. And how 250 GB transfer is plenty and enough to do whatever we want to do. Of course, in today’s terms that is more than enough, but what happens in the future? Nevertheless, if they are going to put caps, then they need to give us what I think is an acceptable expectation: a meter.

Metered billing needs a meter we can see, use and monitor any time we desire to do so. Water and electric utilities provide that meter (regardless of whether we use it or not), so why not Comcast?

If a customer surpasses 250 GB and is one of the top users of the service for a second time within a six-month timeframe, his or her service will be subject to termination for one year. After the one year period expires, the customer may resume service by subscribing to a service plan appropriate to his or her needs.

Figure out a way to tell us what our monthly usage is, and let us know if we are running up against a 250 GB cap, so that we know when to stop and not pay overage. I want to know at every single minute how much bandwidth I have used.

After all, if someone crosses the 250 GB twice in six months, they are going to get tossed out. The burden of proof lies with Comcast to prove, measure and meter to the most accurate byte of data transferred.

Another Question For Comcast: If you’re going to meter, then please let us know how you are factoring in the overhead associated with TCP/IP. Will this be included or excluded in the cap? After all, overhead includes control messages (session control, packet headers) and this can be as high as 40 percent.

This is where FCC Chairman Kevin Martin has to step up and do something. If he is going to allow Comcast to put caps in place, then the FCC needs a firm bond from Comcast saying that they wouldn’t lower the caps to, say, 150 GB or 100 GB using the same lame excuse of 1 percent of people degrading the network.

You want to know why I think they are going to obfuscate the issue and fudge the numbers sooner or later using some Enron math? Just go to the FAQ page that explains their 250 GB cap decision. You will consume 250 GB in a month if you do any of the following:

* Sending 20,000 high-resolution photos,
* Sending 40 million emails;
* Downloading 50,000 songs; or
* Viewing 8,000 movie trailers.

…but then lower down on the same page, they say:

* Send 50 million emails (at 0.05 KB/email)
* Download 62,500 4 MB songs (at 4 MB/song)
* Download 125 standard-definition movies (at 2 GB/movie)
* Upload 25,000 hi-resolution digital photos (at 10 MB/photo)

What is it with you guys? Can’t do the math? Forget that…how about answering a simple question: How many HD movies can you download with 250 GB cap? That’s the only answer I need.

PS: If you believe the 0.05 kb/email then you also believe in the Tooth Fairy.
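As an added example (not from Om Malik's post), the arithmetic behind both the cap figures and the overhead question, worked in Python. It assumes decimal units (1 GB = 10^9 bytes, 1 KB = 10^3 bytes, the only reading under which Comcast's own numbers come out), 20-byte IPv4 and TCP headers with no options, and ignores Ethernet framing, which an IP-layer meter would not see anyway; the flow records are constructed.

```python
# Added example: check the FAQ arithmetic and estimate how much of a byte cap
# is TCP/IP header overhead. Units are decimal, as Comcast's figures require.
GB = 10**9
MB = 10**6
KB = 10**3
CAP_BYTES = 250 * GB
IP_HDR = 20   # IPv4 header without options (assumption)
TCP_HDR = 20  # TCP header without options (assumption)


def items_in_cap(cap_bytes: int, per_item_bytes: float) -> int:
    """Whole items of a given size that fit under the cap."""
    return int(cap_bytes // per_item_bytes)


def overhead_fraction(payload_bytes: int) -> float:
    """Share of one TCP/IPv4 packet's bytes that are headers, not application data."""
    hdr = IP_HDR + TCP_HDR
    return hdr / (hdr + payload_bytes)


def meter(flows):
    """Split IP-layer byte counts into payload and header bytes.

    flows: iterable of (packet_count, ip_bytes) pairs, the two fields any
    NetFlow-style record carries. Returns (ip_bytes, payload_bytes, overhead).
    """
    flows = list(flows)
    ip_total = sum(b for _, b in flows)
    hdr_total = sum(p * (IP_HDR + TCP_HDR) for p, _ in flows)
    if ip_total == 0:
        return 0, 0, 0.0
    return ip_total, ip_total - hdr_total, hdr_total / ip_total


# Constructed flow records: one bulk download of full 1500-byte packets and one
# chatty interactive session of 100-byte packets carrying 60 bytes of payload.
SAMPLE_FLOWS = [
    (1_000_000, 1_000_000 * 1500),
    (1_000_000, 1_000_000 * 100),
]

if __name__ == "__main__":
    print("5 KB emails under the cap:   ", items_in_cap(CAP_BYTES, 5 * KB))     # 50,000,000
    print("0.05 KB emails under the cap:", items_in_cap(CAP_BYTES, 0.05 * KB))  # 5,000,000,000
    print("4 MB songs:", items_in_cap(CAP_BYTES, 4 * MB),
          " 2 GB movies:", items_in_cap(CAP_BYTES, 2 * GB))
    for payload in (1460, 512, 60):
        print(f"{payload}-byte payload: {overhead_fraction(payload):.1%} headers")
    ip_b, payload_b, frac = meter(SAMPLE_FLOWS)
    print(f"metered {ip_b:,} IP bytes, {payload_b:,} payload bytes, {frac:.1%} overhead")
```

The 60-byte-payload case is where the "as high as 40 percent" figure comes from: small packets are mostly header, so whether the meter counts IP bytes or payload bytes changes the answer most for interactive traffic.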


September 17, 2008

Comcast Bandwidth Limits

Dear Comcast High-Speed Internet Customer,

We appreciate your business and strive to provide you with the best online experience possible. One of the ways we do this is through our Acceptable Use Policy (AUP). The AUP outlines acceptable use of our service as well as steps we take to protect our customers from things that can negatively impact their experience online. This policy has been in place for many years and we update it periodically to keep it current with our customers' use of our service.

On October 1, 2008, we will post an updated AUP that will go into effect at that time.

In the updated AUP, we clarify that monthly data (or bandwidth) usage of more than 250 Gigabytes (GB) is the specific threshold that defines excessive use of our service. We have an excessive use policy because a fraction of one percent of our customers use such a disproportionate amount of bandwidth every month that they may degrade the online experience of other customers.

250 GB/month is an extremely large amount of bandwidth and it's very likely that your monthly data usage doesn't even come close to that amount. In fact, the threshold is approximately 100 times greater than the typical or median residential customer usage, which is 2 to 3 GB/month. To put it in perspective, to reach 250 GB of data usage in one month a customer would have to do any one of the following:

* Send more than 50 million plain text emails (at 5 KB/email);
* Download 62,500 songs (at 4 MB/song); or
* Download 125 standard definition movies (at 2 GB/movie).

And online gamers should know that even the heaviest multi- or single-player gaming activity would not typically come close to this threshold over the course of a month.

In addition to modifying the excessive use policy, the updated AUP contains other clarifications of terms concerning reporting violations, newsgroups, and network management. To read some helpful FAQs, please visit http://www.p.comcast.net/r?2.1.Gy.CK.1V4LGs.CfG%5fS6..N.Cw%2ao.2IeM.DOBaEXJ0.

Thank you again for choosing Comcast as your high-speed Internet provider.


September 8, 2008

Staying Powered Up When the Power Goes Down

TechTip 184

By Scott Nesbitt – Sunday, August 24, 2008

Electricity is one of those things that we take for granted. We plug into a socket and expect power to flow. But sometimes circumstances beyond our control choke off that supply of power.

Maybe lightning strikes, literally. Maybe a wind storm takes out some power lines. It could be a blazingly hot day, and one too many people cranks the A/C up to 11. Or maybe there's a flood or fire in an underground vault, taking out a bunch of circuits. The result: no power.

If you're working at a desktop computer when the power goes down, that could mean trouble when your monitor goes dark. It's happened to me a few times – both at home and at a client site. I've always lost some work; sometimes more than just some.

While you can't predict when the power will go out, you can protect yourself with an uninterruptible power supply (UPS).


What is a UPS?

A UPS is a backup power supply for your desktop computer or laptop computer, or any other peripherals that you might have. A UPS doesn't just protect your equipment against power loss. It can also ensure that your equipment will keep running if there are spikes or surges in power, or if your voltage drops below the level it should be at. In a sense, a UPS is a combination of a power supply and a surge protector. It lets you save your work, but also protects delicate electronics from the fickle nature of electricity.

There are two major types of UPS available. Standby UPS is the most widely used in homes and small businesses. They're small, and fairly inexpensive. A standby UPS is essentially a battery and a power inverter. The power inverter converts the battery's DC current to AC current, which your equipment can use. When the standby UPS detects a power failure, it kicks in the power inverter (usually within a few milliseconds) and switches over to battery power. The battery in a standby UPS only holds enough power to run your equipment for a few minutes – just enough time to save your files and power down properly.

Widely used in server rooms and other mission-critical areas is continuous UPS. A continuous UPS, again, consists of a battery and an inverter. However, equipment runs off the battery. The battery is constantly recharged using conventional power. The advantage of a continuous UPS is that there is no delay in failing over to battery power. You get constant power.

For most home and small business users, though, a standby UPS is probably enough.


What to look for

What should you look for when buying a UPS? Here are a few factors to consider.

First, how much protection do you need? If you only need to protect one computer, then look for the UPS that best fits your budget. A home user, for example, could probably get away with a lower-end UPS. If you're running a small business out of your home or have a central home server and a few computers, then budget for a few more units.

Next, consider how many devices you'll be plugging into the UPS. At the very least, this will be two – your computer and an LCD monitor. A decent UPS usually comes with four outlets. You can also get systems that have 6, 7, 8, 10, or 12 outlets. Just remember that the more devices that you plug into a UPS, the faster the battery will drain.

Think about some of the extra features of a UPS and whether or not you'll need them. For some people, a bare bones UPS might be the way to go. Others might need more features, like a voltage regulator or the ability to initiate a shutdown at a defined time after power goes down. You definitely should read the information on a vendor's Web site, or talk to a customer service representative, to learn more about the extra features.

Find a UPS that's right for your equipment. Pay attention to the VA rating of the UPS system. The VA rating is the amperage of your equipment multiplied by your voltage. You can usually find the amperage on a sticker on your equipment – like one at the bottom of a laptop computer. Then, tally up the VA ratings of all of the equipment that you plan to plug into the UPS. Some people suggest that once you get the cumulative VA rating, you should buy a UPS that has a VA rating 20% or more higher than the one you calculated. Good advice, especially if you will be adding equipment in the near (or not so near) future. For most home users, though, you can probably get away with a VA rating 10% to 15% higher.

If you need more help figuring out which UPS is right for you, there are tools available on the Web. APC, one of the top makers of UPS systems, has an online selector that lets you choose the right UPS for your needs. You can find online selectors here and here.

Something else to consider is price. You can get a decent UPS for around $30 (USD). A good one will cost $50, and probably more. If you'll be buying more than one UPS, factor the overall cost of those units into your budget and choose your price point accordingly.

Finally, look at the small print – specifically the warranty and how often you'll need to replace the battery. If you're in an area where you know that you'll get a lot of use out of the UPS, then a good warranty is a must. As for battery replacement, one rule of thumb is three to five years. Again, that depends on how much you're using the UPS.
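The VA sizing steps above, as an added example that is not part of the TechTip: sum amps times volts for every device, add the headroom the text suggests, and round up to a unit you can actually buy. The device ratings and the list of available UPS sizes are constructed for illustration.

```python
# Added example: size a UPS from the VA arithmetic in the text.
from typing import Optional


def device_va(amps: float, volts: float) -> float:
    """VA of one device: the amperage on its label times the supply voltage."""
    return amps * volts


def required_va(devices, headroom: float) -> float:
    """Sum the VA of every device to be plugged in, then add headroom (0.20 = 20%)."""
    if not 0 <= headroom < 1:
        raise ValueError("headroom must be a fraction in [0, 1)")
    return sum(device_va(a, v) for a, v in devices) * (1 + headroom)


def pick_ups(devices, headroom: float, available_va) -> Optional[int]:
    """Smallest available rating that covers the required VA, or None if none does."""
    need = required_va(devices, headroom)
    for rating in sorted(available_va):
        if rating >= need:
            return rating
    return None


# Constructed: a desktop (1.5 A), an LCD monitor (0.7 A) and a router (0.3 A), all on 120 V.
HOME_OFFICE = [(1.5, 120), (0.7, 120), (0.3, 120)]
# Constructed catalogue of ratings a vendor might offer.
UPS_SIZES = [350, 550, 750, 1000, 1500]

if __name__ == "__main__":
    print("base load:", required_va(HOME_OFFICE, 0.0), "VA")          # 300 VA
    print("home user, 15% headroom:", pick_ups(HOME_OFFICE, 0.15, UPS_SIZES))  # 350
    print("planning for growth, 20%:", pick_ups(HOME_OFFICE, 0.20, UPS_SIZES))  # 550
```

Note how the choice between 15% and 20% headroom moves this load across the 350 VA boundary, which is exactly the decision the text leaves to you.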


Conclusion

An uninterruptible power supply is a lot like an insurance policy. In many cases, you won't need it. But when you do, you'll be glad it's there.


September 1, 2008

10 common security mistakes that should never be made

  • Date: August 15th, 2008
  • Author: Chad Perrin

Read about ten very basic, easily avoided security mistakes that should never be made — but are among the most common security mistakes people make.


The following is a list of ten security mistakes I see all the time. They’re not just common, though — they’re also extremely basic, elementary mistakes, that anyone with a modicum of security knowledge should know better than to make.
  1. Sending sensitive data in unencrypted email: Stop sending me passwords, PINs, and account data via unencrypted email. Please. I understand that a lot of customers are too stupid or lazy to use encryption, but I’m not. Even if you’re going to give them what they want, in the form of unencrypted sensitive data sent via email, that doesn’t mean you can’t give me what I want — secure communications when sending sensitive data.
  2. Using “security” questions whose answers are easily discovered: Social security numbers, mothers’ maiden names, first pets, and birthdays do not constitute a secure means of verifying identity. Requiring an end user to compromise his or her password by specifying a question like that as a means of resetting the password basically ensures that the password itself is useless in preventing anyone that is willing to do a little homework from gaining unauthorized access.
  3. Imposing password restrictions that are too strict: The number of cases I’ve seen where some online interface to a system that offers the ability to manage one’s finances — such as banking Web sites — impose password restrictions that actually make the interface less secure is simply unacceptable. Six-character numeric passwords are dismayingly common, and the examples only go downhill from there. See a previous article, “How does bad password policy like this even happen?” for another example in more detail.
  4. Letting vendors define “good security”: I’ve said before that there’s no such thing as a vendor you can trust. Hopefully you were listening. Ultimately, the only security a corporate vendor really cares about protecting is the security of its own profits and market share. While this sometimes prompts a vendor to improve the security of its products and services, it sometimes prompts exactly the opposite. As such, you must question a vendor’s definition of “good security”, and you must not let vendors tell you what’s important to you.
  5. Underestimating required security expertise: People in positions of authority in corporations often fail to understand the necessity for specific security expertise. This applies not only to nontechnical managers, but to technical IT managers as well. In fact, standards working groups such as the one that produced the WEP standard often include a lot of very smart technologists, but not a single cryptographer, despite the fact they intend to develop security standards that rely explicitly on cryptographic algorithms.
  6. Underestimating the importance of review: Even those with security expertise specific to what they’re trying to accomplish should have their work checked by others with that expertise as well. Peer review is regarded in the security community as something akin to a holy grail of security assurance, and nothing can really be considered secure without being subjected to significant, punishing levels of testing by security experts from outside the original development project.
  7. Overestimating the importance of secrecy: Many security software developers who make the mistake of underestimating the importance of review couple that with overestimation of the importance of secrecy. They justify a lack of peer review with hand-waving about how important it is to keep security policies secret. As Kerckhoffs’ Principle — one of the most fundamental in security research — points out, however, any system whose security relies on the design of the system itself being kept secret is not a system with strong security.
  8. Requiring easily forged identification: Anything that involves faxing signatures, or sending photocopies or scans of ID cards, is basically just a case of security theater — putting on a great show without actually providing the genuine article (security, in this case) at all. It is far too easy to forge such second-generation (or worse) low quality copies. In fact, for things like signatures and ID cards, the only way for a copy to serve as useful verification is for it to actually be a good enough copy that it is not recognized as a copy. Put another way, only a successful forgery of the original is a good enough copy to avoid easy forgery.
  9. Unnecessarily reinventing the wheel: Often, developers of new security software are recreating something that already exists without any good reason for doing so. Many software vendors suffer from Not Invented Here disease, and end up creating new software that doesn’t really do anything new or needed. That might not be a big deal, if not for the fact that the new software is often not peer reviewed, makes security mistakes that have already been ironed out of the previous implementation of the idea, and generally just screws things up pretty badly. Whenever creating a new piece of software, consider whether you’re replacing something else that already does that job, and whether your replacement actually does anything different that is important. Then, if it is doing something important and different, think about whether you might be able to just add that to the already existing software so you will not create a whole new bundle of problems by trying to replace it.
  10. Giving up the means of your security in exchange for a feeling of security: This is a mistake so absurd to make that I have difficulty formulating an explanation. It is also so common that there’s no way I can leave it out of the list. People give up the keys to their private security kingdoms to anyone who comes along and tells them, “Trust me, I’m an expert,” and they do it willingly, eagerly, often without thought. “Certificate Authorities” tell you who to trust, thus stripping you of your ability to make your own decisions about trust; Webmail service providers offer on-server encryption and decryption, thus stripping you of end-to-end encryption and control over your own encryption keys; operating systems decide what to execute without your consent, thus stripping you of your ability to protect yourself from mobile malicious code. Don’t give up control of your security to some third party. Sure, you may not be able to develop a good security program or policy yourself, but that doesn’t mean the program or policy shouldn’t give you control over its operation on your behalf.
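Mistake 3 above, worked as an added example that is not from the article: the largest search space a password policy permits is plain combinatorics, so a restrictive rule such as "six digits only" can be compared directly against a permissive one. The policies below are constructed for illustration and are not a claim about any particular site.

```python
# Added example: compare the search space different password policies allow.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    alphabet_size: int  # distinct characters the site lets you use
    min_length: int
    max_length: int     # the upper bound is usually what does the damage


def keyspace(policy: PasswordPolicy) -> int:
    """Number of distinct passwords the policy permits, over all allowed lengths."""
    if policy.min_length < 1 or policy.max_length < policy.min_length:
        raise ValueError(f"{policy.name}: inconsistent length bounds")
    return sum(policy.alphabet_size ** n
               for n in range(policy.min_length, policy.max_length + 1))


def keyspace_bits(policy: PasswordPolicy) -> float:
    """log2 of the keyspace: the most entropy any user could get under this policy."""
    return math.log2(keyspace(policy))


def weakest_first(policies):
    """Policies ordered from smallest to largest search space."""
    return sorted(policies, key=keyspace)


# Constructed policies, from the six-digit numeric rule the article complains
# about to a permissive passphrase rule.
POLICIES = [
    PasswordPolicy("printable ASCII, 12 to 64", 95, 12, 64),
    PasswordPolicy("six-digit PIN only", 10, 6, 6),
    PasswordPolicy("printable ASCII, 8 to 12", 95, 8, 12),
    PasswordPolicy("alphanumeric, exactly 8", 62, 8, 8),
]

if __name__ == "__main__":
    for p in weakest_first(POLICIES):
        print(f"{p.name:28s} {keyspace_bits(p):6.1f} bits")
```

The six-digit rule caps every user at under 20 bits no matter how careful they are, which is the sense in which a strict policy makes the interface less secure.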