
Apologies for the mangled French title.  The BBC reports that several companies are challenging a French law insisting that they keep a record of users’ real names, telephone numbers, addresses, and–most damningly–passwords, to be turned over to police on demand.

In a proper, competent system, passwords themselves are never stored.  Instead, when an account (and associated password) is created, the password is passed through a complex mathematical function to produce what is called a ‘hash’–much like how reconstructing an order of ham hash into the original ham and potatoes is more difficult than anyone can reasonably be expected to accomplish, reconstructing a password from a hash is intended to be next to impossible.

When the user logs in, their password is passed through the mathematical function again, and the result compared with the entry in the password table.  Since the function is designed so that distinct inputs produce, for all practical purposes, distinct results, if the hashes match then the password has been entered properly.

The recent high-profile crack at Gawker, where the password database was compromised, was only possible because their hashing algorithm was weak and most users’ passwords were also weak.  Indeed, the algorithm itself was not actually reversed–instead, a database known as a ‘rainbow table’ was used, which is the result of passing a dictionary of common passwords through a known hashing algorithm.
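As an added illustration (not code from the original post), the following Python sketch contrasts the two approaches described above: an unsalted, fast hash that falls to a precomputed dictionary lookup of the kind the post calls a rainbow table, and a salted, deliberately slow hash (PBKDF2-HMAC-SHA256) that the same table cannot touch.  The wordlist and the choice of MD5 as the "weak" function are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a "dictionary of common passwords".
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "monkey"]

ITERATIONS = 100_000  # PBKDF2 work factor; raise as hardware gets faster


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: the same password always yields the same digest,
    so a table computed once works against every account in the database."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute digest -> password for each word: the idea behind a rainbow table."""
    return {weak_hash(w): w for w in wordlist}


def recover_from_table(table, stored_digest):
    """Reverse a stored digest by lookup; None if the password was not in the list."""
    return table.get(stored_digest)


def strong_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS):
    """Salted, slow hash. Returns (salt, digest); both are stored, never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes, iterations: int = ITERATIONS) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    recovered = recover_from_table(table, weak_hash("letmein"))  # "letmein": weak scheme fails

    salt1, d1 = strong_hash("letmein")
    salt2, d2 = strong_hash("letmein")
    differs_per_user = d1 != d2                     # same password, different digests
    table_useless = recover_from_table(table, d1.hex()) is None
    ok = verify("letmein", salt1, d1)               # correct password accepted
    bad = verify("password", salt1, d1)             # wrong password rejected
    return recovered, differs_per_user, table_useless, ok, bad


if __name__ == "__main__":
    print(demo())
```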

This French law completely ignores best practices.  Besides the obvious privacy concerns, it requires that the companies make passwords available to the police–which means that, rather than a database of the hashes, the companies will be required to keep a database of the actual passwords.

This is an unnecessary and badly thought-out requirement, as it lays every single person in France who uses any of these services open to theft of their accounts should anyone be successful at exfiltrating the associated databases.  Worse, given that real names and addresses are associated with these accounts, it provides very nearly one-stop shopping for any French identity that an attacker could wish to have.  

In essence, no company that engages in anything resembling standard security practices can operate in France unless they irreparably damage standard procedures in order to engage in traffic with that country.

This law is badly thought-out and will irreparably damage France’s status in the EU and on the world stage.  Anyone who wishes for security in their dealings should avoid any companies that provide this data, as these databases will be inherently insecure.

Chase has reported (amongst other companies) that the vendor who handled their email notifications, Epsilon, suffered a security compromise and customer email addresses had been leaked.

While this is unlikely to result in a disclosure of financial information (given that financial information is generally not sent out via email, at least not to unsecured addresses) it does throw into the spotlight the practice of outsourcing IT functions to other companies.

Outsourcing is the practice of contracting with another company for the implementation of some of a company’s business functions.  This allows the business to focus on its core competencies while still maintaining relevance in the marketplace; the company doing the business functions acts, in effect, like a subdepartment of the company.

At least, that’s the theory.

Common outsourcing targets tend to be business functions that the company feels that they can do without the headaches of trying to manage: marketing, for instance, can be contracted out to any number of professional marketing firms (hence the sometimes edgy ads that get retracted now and then).  Customer service is also frequently contracted out to any number of outfits that provide call centers and the requisite infrastructure to maintain the same.  IT is also a frequent target of outsourcing, especially given the usual lack of ability of business majors in the field–it is the confluence of IT and customer service that gave rise to the Indian call centers that have dogged Tier 1 technical services for the past decade or so.

(Note: IT technical support tiers are numbered from Tier 1 to Tier 3, with Tier 1 talking to most customers and Tier 3 being highly technical experts who focus on fixing specific subsets of hardware or software problems.)

At the confluence of marketing and IT lies Epsilon and other companies of their sort, that send out notification and solicitation emails to customers.  They are generally provided with a list of names and contact information (email addresses in this case) and serve as a distribution point for status notifications and the like.  Theoretically, the contracted company can manage the large quantities of mail to be distributed without the contracting company needing to manage a datacenter of the magnitude required.

Unfortunately, this results in an increased attack surface for anyone interested in penetrating the security of the institution; especially for those institutions that deal with financial information.  Any information is good information, as far as attempting to penetrate the defenses of a bank, and commonly-checked email addresses provide two venues of attack.

The first venue is, naturally, phishing attacks.  With a list of known-good email addresses and a context for the attack, significant numbers of phishing emails can be sent to customers purporting to require their immediate intervention in order to ameliorate some problem.  This can result in significant compromise of the customers’ information, as incautious customers (who have not taken email security to heart) may end up providing more than enough information to successfully steal their identities to the persons or organizations who undertook the compromise.

The second venue will, in the case of this bank, require a bit more finesse; Chase requires pseudo-two-factor authentication, requiring any device without an identifying cookie set to re-register with the website to login and perform any financial transactions.  However, combined with any information gathered from a phishing attack and a knowledge of typical psychology, educated guesses can be made as to the credentials required to enter both the requisite email account and the bank credentials, in order for more profitable monetary gains to be made.  

Chase’s fraud department is likely to be very busy in the next few weeks.

No information seems to be immediately available on how the compromise at Epsilon was effected, but all the usual recommendations on avoiding phishing–link is above–apply, especially regarding not clicking on any links found in an email and independently checking any recommendations made by an email purporting to be from a financial institution, especially an unsolicited email.

The foundation of democracy–the foundation of representative government–is the principle of free access to information required to make effective choice.  Without this information, there’s no way to tell, for instance, which of two candidates is most suited for your particular set of causes–other than the words of the candidates themselves, which are neither reliable nor likely to be accurate.  

Accordingly, without this free access to information, the very founding principles of government will be compromised.  Without free access to information, there is no means of remaining properly informed about events in the world and in the country to make an effective choice.  Without free access to information, there is no effective way to keep educated, to remain competitive in the job market.  Without free access to information, we may as well live in a third-world country, overseen by a dictator.

AT&T, a monopoly already broken up once, has decreed that it will impose arbitrary and undocumented usage caps on its “broadband” offerings.

Leaving aside that there is already an intrinsic cap in place–their internet connections are charged by the alleged peak download speed; rate multiplied by time yields amount, as anybody with a fourth-grade education could tell you–these caps and the associated overage fees are clearly an anticompetitive practice aimed at restricting the entertainment options of the subscribers.

AT&T has been pushing their “U-verse” service–a combined internet and TV package–to subscribers for more than a year now.  U-verse delivers content digitally, so the TV shows that they are pushing use the very same connections that the internet services do–however, only the internet service not directly connected to their TV service–TV that they receive advertising revenue for–is capped.

Their excuse is, as always, that a “small population” of users use a “disproportionate” amount of the bandwidth available.  This is the same excuse that has been tried and has been shot down by numerous other ISPs.  There are numerous reasons why this is fallacious, not the least of which is that the technology already exists to ensure continued QoS during peak hours.

AT&T has been happy to market their connections as “unlimited” for years, and to receive new customers on this basis.  Any change now amounts to the most fraudulent sort of bait-and-switch, especially combined with the obvious anticompetitive, monopolistic capping of all competitive services to their in-house TV service.

This is the very sort of thing that net neutrality was intended to prevent–this erosion both of consumer rights to freely consume whatever content they desire, and to obtain the information they require to make effective choices.  Without free access to information, there is no means to accomplish a democracy.

The recent debacle surrounding the approval of usage-based billing plans in Canada seems finally to be coming to a close–the Prime Minister there has taken an interest, and a plurality of parties have realized that quashing this particular bit of regulation is likely in their best interests.

It started when the largest telecom providers–the ones who own all the copper and fiber that the internet travels over in Canada, infrastructure that was paid for in part by the taxpayers–decided that there was no way they could continue to provide so-called “unlimited”* service to their customers.  Accordingly, they sought–and received, from a regulatory body that was mostly composed of persons with strong ties to the telecommunications industry–approval to implement so-called “Usage Based Billing.”  

By itself, as a concept, the idea isn’t quite so bad–you use more, you pay more–but the Devil, as the proverb goes, lies in the details.  Previous plans with an imposed cap allowed usage up to greater than 100 GB; for your typical web surfer, that’s not too onerous and well within their ability to comply.  Under the new regulations, however, the cap above which overages could be charged was lowered significantly; 20 GB was deemed fair–at the same price point, resulting in an effective fivefold increase in cost to the consumer.  

The overages themselves were onerous as well, with costs exceeding $1/GB–unless you live in a French-speaking area, where that cost doubled for some reason–despite the marginal cost to the ISP (the actual resources used to deliver that data) being somewhere around the one or two cent per GB range.  

Add to this that the resellers of bandwidth–those ISPs that did not own the fiber, but instead leased capacity from the major telecoms–were to be mandated to follow the same low-cap structure rather than to continue to offer so-called “unlimited” plans, and the new regulations begin to appear somewhat onerous.  

Absent a wikileaks-style exposure of the internal logic behind the move, there can be only speculation as to the underlying cause–but there are some very suggestive details that may indicate a logical reason why the larger telecom companies would take such steps.

First, there is no real competition between them: each of these top-level telecoms has what amounts to a regional monopoly; there are few markets that are served by more than one of them.  This is much like the cable TV operators in the US; they’ve expanded regionally, and once they were in a region there was no cause for any other operator to arrive.

Second, they also own the content: the programming and other services that the infrastructure carries are sold by the owners of said infrastructure.

Third, these content services directly compete with internet services–and here’s where the strongest evidence for their motivations surfaces.  Pay-per-view programming (as well as the TV programming) is delivered digitally, along the same data connection that is used for the internet services.  It takes up a comparable slice of bandwidth to internet video services (especially those specifically called out–youtube and netflix) but does not count towards the bandwidth caps mentioned above.

Logically, then, if the “preferred” content is delivered without a cap but the non-“preferred” content is capped, and if said “preferred” content is directly owned by the company doing the delivery, and it makes significantly more revenue for the company than the non-preferred content, there is a strong motivation for the delivery company to do everything it can to steer people towards this content–and to penalize customers who do not wish to consume it.

The evidence here strongly suggests that the large Canadian telecoms are attempting to monetize youtube, netflix, and similar services for their own gain.

This is similar to the tactic that the larger US ISPs have begun suggesting, that of attempting to charge the “large users” of bandwidth–again, netflix, which competes with their own video programming–for the “usage” of their infrastructure.  It is worth noting that certain interested parties are attempting to neuter the FCC’s recent decision to attempt to regulate this sort of activity; “follow the money,” as the saying goes, to determine the influence in this instance as well.

Further, there have been numerous attempts by US ISPs over the past few years to implement low-cap internet plans.  Wireless has had the greatest success here; the noted iPhone plans are limited to a 200 MB quota for normal consumers–a paltry amount of data, barely worth using.  The operators plead infrastructure overload, but have made no moves to upgrade their supply to meet the obvious demand, despite the clear profitability of doing so.

Given that ecommerce increasingly depends upon fairly significant data transfers–most modern online stores have fairly bandwidth-intensive displays with pictures and video of products, flash animations, etc.–the institution of low caps can only serve to harm commercial interests.

*The so-called unlimited plans have an inherent cap built in, which can be determined through multiplying the maximum “allowed” speed advertised for the rate by the number of seconds in a billing cycle.  The resulting product, by simple cancellation of terms, will be the theoretical maximum amount of data that can be transferred during that time.  Given that most advertised connections do not connect at the advertised speed much of the time, and given that usage drops off significantly on ‘non-peak’ hours and, hence, the link is not saturated, the implications as to the reasonableness of the caps in question should become apparent.

It has come to the attention of this publication that Certain Persons (one Philip J. Berg by name) attempted to halt the recent Presidential Elections by insisting that one of the candidates, and the ultimate victor in the contest, was not born in balmy Hawaii but instead in Darkest Kenya.

While certainly Mr. Barack Obama’s name is somewhat exotic for the tastes of a white-bread easterner such as Mr. Berg, one need only look to the profusion of exotic names in the telephone directory of any of our cities to see examples of even more unlikely names of people who are, nonetheless, just as American as anyone else born on this soil.

Mr. Berg’s shrill insistences have gone so far as to antagonize the justices of the Supreme Court, where he attempted to petition for the court to hear his case and to delay, if not cancel, the recent elections. Needless to say, his petition was denied and the election has gone forward unimpeded.

This petition is merely the latest in a long line of misinformed pronouncements by persons of various degrees of lucidity to contest Mr. Obama’s birthplace. Rumors of ineligibility for the office of the Presidency have circulated since Mr. Obama’s candidacy was first announced; one might be excused for assuming that said rumors were the action of persons with racist leanings, given the sheer number and variety of the approaches taken towards more-or-less one angle.

The august persons at Snopes have taken the time to catalog a number of these rumors and show the proof of the falsity of the same. Indeed, even the state of Hawaii has flatly stated that Mr. Obama’s birth is uncontested and that the allegations are so much tommyrot.

It would appear, however, that Mr. Berg has chosen to carry on with his rather ludicrous crusade, given that his writings have been recently updated.

While perseverance in the face of adversity is usually to be admired, it is the opinion of this writer that the stubbornness shown by Mr. Berg has gone beyond the bounds of reason and is, perhaps, exemplary of mental delusion. His past activities adhere to the pattern as well; it appears that Mr. Berg is a conspiracy theorist of the first water. Thus, while it is fairly obvious that the complaints given are without merit, it is unlikely that we have heard the last of Mr. Berg on this particular issue.