More Frightening than "Three Little Words"

If you’ve heard me speak, you know I give a quick example (a diatribe, really) about how the new three little words strikes fear into everyone’s hearts. Those words?

“On the Web“.

I mean pictures, videos, messages of, and about you, on the web. Scary? You bet!

For the record, the old TLW used to be “I love you”. 😛

All that said, here’s some new scary words for you .. far more than three words, though. This came in last week via USPS:

We are writing to let you know that computer tapes containing some of your personal information were lost while being transported to an off-site storage facility by our archive services vendor.

Now, that’s scary. Let’s discuss:

• They’re trying to avoid fault by stating “by our archive services vendor“.
• They’re creating fear by stating “your personal information“, with all the issues surrounding identity theft.
• They’re assuring us they have remote backups (John and Jane may not get this, but I do), which is usually a good thing.
• Tapes?!?

Then:

While we have no reason to believe that this information has been accessed or used inappropriately, we deeply regret that this incident occurred and we wanted to explain the precautionary steps we have taken to help protect you.

Umm:

• “.. we have no reason to believe that this information has been accessed or used inappropriately”: Optimistic, at best. How do they know if they can’t find the tapes? Are the tapes in their possession now, or are they still missing? If recovered, can they tell if the tapes were read or restored to a system?
• “We deeply regret“: Wow. An apology (sort of).
• “.. explain the precautionary steps we have taken ..“: Sorry kids, but precautionary means you planned something in advance, not reacting (as you are) to a situation you (oh, sorry .. your vendor) created.

Then comes some background into the kind of information that was lost; in this case, stockholder information for publicly-traded companies. They didn’t specify which companies, however, I’ve only worked for one publicly-traded company, and that was Microsoft.

Next (this was in bold, by the way):

Please note that while the timing of this notice was affected by our forensic investigation into the nature and scope of this incident, based on information received to date, we have no reason to believe your information has been or will be improperly accessed or misused as a result of this incident.

This is fun now:

• “.. timing of this notice was affected by our forensic investigation ..“: what the Hell does this mean? Did they anticipate the data loss and are sending this in advance, or did they want to get the notice into the mail as soon as they discovered the loss? In the finance world, “forensic” typically means the analysis of statements, and logs, cross-referencing them against the universe of facts, like date, time, location, who benefited, etc.
• “.. we have no reason to believe ..“: Folks: they have no idea. Not sure why they want to say this again (especially in bold).
• “.. as a result of this incident ..”: “This” incident? There are others? Gawd.

“Unbreakable” is a great film in which Samuel L. Jackson plays a physically-challenged cynic. He tells Bruce Willis that when someone has an offer that’s too good to be true it will follow with an ask for a credit card number.

Surprise, surprise. No free lunch, in other words.

Back to my letter. This vendor (yes; it’s from a vendor) doesn’t ask for a CC number .. in fact, they offer a two-year subscription to their usually-for-pay, identity-theft-protection and credit-notification service as a means to repay for their mishandling of my records.

This suddenly raised the question with me: Was my data ever actually lost, or is this just a come-on for their service? I’m a pragmatist, not a cynic .. but I can’t help to think something could be fishy here.

Further, what if their Terms of Service (which, nobody reads anyway) includes an indemnity clause that prevents further action against them if I accept the service. This was one ToS I read very, very carefully. Candidly: the cynic in me was (almost) disappointed that it didn’t. Would have made for a far more interesting post.

Did I sign up? Yes. I did sign up for the free service. Why? Well:

• It was offered with no risk (they didn’t ask me for a credit card number).
• It seems quite comprehensive (i.e., all credit agencies and credit-related actions).
• It’s quite interactive, including alerts for changes to my credit rating, including inquiries, “potentially negative” events (I had to report a CC lost this past week, and the service notified me).

I’ll let you know how it goes.

Original Post: September 28, 2008

The Newspaper is Dead

Long live the newspaper!

Nope .. not like me at all. This is me:

• While I appreciate the USA Today that finds its way to my hotel room door, I usually pass it by.
• There are times at the gym that my Zune battery is dying or in the waiting room and my mail is caught up.
• Those pretty pictures sometimes catch my eye and I skim through the articles.

The bulk of the time (even by an overly-optimistic 80/20 rule), the newspaper is irrelevant to me.

So, where is the value of the daily rag? Is it:

• with older-than-50-somethings (for the record, I’m 50) as their primary source of news?
• with folks who simply refuse to “connect”?
• with folks who just like to get their hands dirty?

Besides hotels, who is buying enough newspapers to keep the industry alive?

In short, no one. Like all businesses facing the power of the Web, newspapers have to adapt, or become extinct.

One way to keep a profitable bottom line is to reduce staff .. but you need to reduce the right staff. With automation, you probably don’t need as many printers, but you need enough folks to run the machinery. This leaves assistants, sales people, managers, editorial staff and reporters .. the latter two being the most critical to maintain content quality.

I’m afraid to ask which groups the newspapers have cut .. there is a site called Newspaper Death Watch with all the latest stats (update to the 2008 version of this post).

As to evolution, the blogosphere is full of “me too” types. Now, I raise my hand: guilty as charged for a 1/3 of my content. Many bloggers just read news and other blogs and then post their opinions about them. In my defense, I post the link either as a supporting story, or I’ll make a glib comment and expect the reader to make the connections that are relevant to them.

However, the “me too” folks need something with which to start, and that something is a news story, captured by a reporter, edited by an editor and published in one form or another. Our news consumption would suffer greatly if we cannot retain / replace the news generated by the newspaper industry.

So .. the problem is not editorial or in content generation, it appears to be in deployment. Can the newspapers afford to race to an all-online model before they run out of dough?

SearchEngineLand posts a detailed commentary of the newspapers’ plight in “Can Newspapers Be Saved?” (2008 reference).

What do you think?

Original Post: August 18, 2008

Free Wi-Fi: Safety and Security be Darned!

You probably already know that Starbucks offers Wi-Fi free of charge at their locations. Some exceptions include ‘franchise’ stores like those at airports (which are typically belong to the food service provider that owns the relationship with the port).

There is a ton of free Wi-Fi out there; intentionally, or not. Access is available legitimately, or by “Wi-Fi Roguing” (stealing wireless Internet from unprotected networks) to private networks.

When looking (in advance, of course) use your search of choice; start with “WiFi zip code” in a search box; both Bing and Google will provide you a list.

So now you’ve found some Wi-Fi .. but you should be concerned that non-commercial / non-sponsored Wi-Fi may not be secure.

Free Wi-Fi at Starbucks, Panera Bread or some other gathering place, falls into the ‘sponsored’ category, as does your local coffee shop, community center, etc. I would expect sponsored Wi-Fi to be legitimate; safe from folks who might collect credentials. Since you really don’t know the operator, this is a risk, and your corporate IT may suggest / insist on the use of a Smart Card or secure proxy.

When roguing, you’re totally at risk when you connect to an unknown network; whether owned by random private individual whose condo is in range, or some punk with a laptop putting up a familiar (think: ‘linksys’, ‘netgear’ or “Free Public Wi-Fi”) SSID.

Hell, even commercial SSIDs run the risk of being spoofed. See “Wi-Fi Access Point or Account Credential Honeypot?” for a detailed walk-through of my observations in range of a (most likely legitimate) AT&T public Wi-Fi hotspot.

If in doubt, don’t connect.

Original Post: October 15, 2007

Wi-Fi Access Point or Account Credential Honeypot?

I shouldn’t have to say this as we all know better, but here it is: We need to exercise caution when connecting to ‘foreign’ Wi-Fi signals.

I’m no stranger to ‘roguing’, but I’ve recently become aware of significant security risks associated with connecting to unknown networks. Here is some food for thought:

You’ve seen this image before, I’m sure. It’s a peer-to-peer (computer-to-computer, versus access point-to-computer) networking icon. You should NEVER (except under the circumstances when a known and trusted user is sharing their connection with you), connect to a wireless signal that has the peer-to-peer icon.

You may see these icons when looking for Wi-Fi signals in busy public places. They are broadcast because of an unusual feature of older Windows versions wireless network stack that causes a computer to broadcast the last-connected SSID when not connected to a wireless network.

I STRONGLY suggest you edit the advanced properties of your wireless network card to connect ‘to ‘Access point (infrastructure) networks only to filter them out.

My flight was delayed at SeaTac the other day, so I did my usual “is there a wireless network in the building in the building that I trust" search. I have a T-Mobile account, and sometimes I get lucky. In this case, there wasn’t.

However, there was a seemingly-helpful AT&T access point in the building. Nothing against AT&T, it’s probably a legitimate hotspot. But their login page was interesting, offering a list of ‘other providers’ (presuming a reciprocal relationship with AT&T), on the left.

It’s a healthy list, but none of which I have an account. Ah, being helpful, there’s an ‘Other Provider’ link at the very bottom.

Once you find an Access Point, you should NEVER connect to a wireless network using your credentials from another wireless network (i.e., T-Mobile via xyzzy Wireless) unless you enter your credentials into your native wireless account logon page (I have seen services that do this, redirecting to a T-Mobile login page that ‘advises’ the local wireless the account credentials are valid).

You have no idea how your credentials are being used. If you post your credentials to a foreign wireless site, you have just given your login and provider information to an unknown party who might use it for illegitimate or illegal purposes, leaving you to hold the bag or pay the bills.

To finish this story, I filled out the login page like this (I didn’t log in, of course):

Let me point out that it would take a mediocre hacker about ten minutes to set up a page and host it on a laptop with a web server in an airport. In a busy public area, I’m confident a hacker could collect a pile of logins in just a few hours. Make the login experience compelling enough, including enough providers and data-hungry travelers will happily post their credentials rushing between planes. A polite "we cannot confirm your credentials at this time" message, and the traveler is none the wiser.

Be wireless-safe, people.

Original Post: August 18, 2006