
Experts Call For Ban of Killer Robotic Weapons

116 robotics and artificial intelligence experts from 26 countries sent a letter to the United Nations (UN) warning against the deployment of lethal autonomous weapons. The Guardian reported:

"The UN recently voted to begin formal discussions on such weapons which include drones, tanks and automated machine guns... In their letter, the [experts] warn the review conference of the convention on conventional weapons that this arms race threatens to usher in the “third revolution in warfare” after gunpowder and nuclear arms... The letter, launching at the opening of the International Joint Conference on Artificial Intelligence (IJCAI) in Melbourne on Monday, has the backing of high-profile figures in the robotics field and strongly stresses the need for urgent action..."

The letter stated in part:

"Once developed, lethal autonomous weapons will permit armed conflict to be fought at a scale greater than ever, and at timescales faster than humans can comprehend. These can be weapons of terror, weapons that despots and terrorists use against innocent populations, and weapons hacked to behave in undesirable ways."

"We do not have long to act. Once this Pandora’s box is opened, it will be hard to close."

This is not science fiction. Autonomous weapons are already deployed:

"Samsung’s SGR-A1 sentry gun, which is reportedly technically capable of firing autonomously but is disputed whether it is deployed as such, is in use along the South Korean border of the 2.5m-wide Korean Demilitarized Zone. The fixed-place sentry gun, developed on behalf of the South Korean government, was the first of its kind with an autonomous system capable of performing surveillance, voice-recognition, tracking and firing with mounted machine gun or grenade launcher... The UK’s Taranis drone, in development by BAE Systems, is intended to be capable of carrying air-to-air and air-to-ground ordnance intercontinentally and incorporating full autonomy..."

Ban, indeed. Your thoughts? Opinions? Reaction?


Maker Of Smart Vibrators To Pay $3.75 Million To Settle Privacy Lawsuit

Today's smart homes contain a variety of internet-connected appliances -- televisions, utility meters, hot water heaters, thermostats, refrigerators, security systems -- and devices you might not expect to have WiFi connections: mouse traps, wine bottles, crock pots, toy dolls, and trash/recycle bins. Add smart vibrators to the list.

We-Vibe, a maker of vibrators for better sex, will pay U.S. $3.75 million to settle a class action lawsuit involving allegations that the company tracked users without their knowledge or consent. The Guardian reported:

"Following a class-action lawsuit in an Illinois federal court, We-Vibe’s parent company Standard Innovation has been ordered to pay a total of C$4m to owners, with those who used the vibrators associated app entitled to the full amount each. Those who simply bought the vibrator can claim up to $199... the app came with a number of security and privacy vulnerabilities... The app that controls the vibrator is barely secured, allowing anyone within bluetooth range to seize control of the device. In addition, data is collected and sent back to Standard Innovation, letting the company know about the temperature of the device and the vibration intensity – which, combined, reveal intimate information about the user’s sexual habits..."

We-Vibe's products are available online at the Canadian company's online store and at Amazon. This YouTube video (warning: not safe for work) promotes the company's devices. Consumers can use the smart vibrator with or without the mobile app on their smartphones. The app is available at both the Apple iTunes and Google Play online stores.

As with any other digital device, security matters. C/Net reported last summer:

"... two security researchers who go by the names followr and g0ldfisk found flaws in the software that controls the [We-Vibe 4Plus] device. It could potentially let a hacker take over the vibrator while it's in use. But that's -- at this point -- only theoretical. What the researchers found more concerning was the device's use of personal data. Standard Innovation collects information on the temperature of the device and the intensity at which it's vibrating, in real time, the researchers found..."

In the September 2016 complaint (Adobe PDF; 601 K bytes), the plaintiffs sought to stop Standard Innovation from "monitoring, collecting, and transmitting consumers’ usage information," to collect damages for the alleged unauthorized data collection and privacy violations, and to reimburse users for their purchase of their We-Vibe devices (because a personal vibrator with this alleged data collection is worth less than a personal vibrator without data collection). That complaint alleged:

"Unbeknownst to its customers, however, Defendant designed We-Connect to (i) collect and record highly intimate and sensitive data regarding consumers’ personal We-Vibe use, including the date and time of each use and the selected vibration settings, and (ii) transmit such usage data — along with the user’s personal email address — to its servers in Canada... By design, the defining feature of the We-Vibe device is the ability to remotely control it through We-Connect. Defendant requires customers to use We-Connect to fully access the We-Vibe’s features and functions. Yet, Defendant fails to notify or warn customers that We-Connect monitors and records, in real time, how they use the device. Nor does Defendant disclose that it transmits the collected private usage information to its servers in Canada... Defendant programmed We-Connect to secretly collect intimate details about its customers’ use of the We-Vibe, including the date and time of each use, the vibration intensity level selected by the user, the vibration mode or patterns selected by the user, and incredibly, the email address of We-Vibe customers who had registered with the App, allowing Defendant to link the usage information to specific customer accounts... In addition, Defendant designed We-Connect to surreptitiously route information from the “connect lover” feature to its servers. For instance, when partners use the “connect lover” feature and one takes remote control of the We-Vibe device or sends a [text or video chat] communication, We-Connect causes all of the information to be routed to its servers, and then collects, at a minimum, certain information about the We-Vibe, including its temperature and battery life. That is, despite promising to create “a secure connection between your smartphones,” Defendant causes all communications to be routed through its servers..."

The We-Vibe Nova product page lists ten different vibration modes (e.g., Crest, Pulse, Wave, Echo, Cha-cha-cha, etc.), or users can create their own custom modes. The settlement agreement defined two groups of affected consumers:

"... the proposed Purchaser Class, consisting of: all individuals in the United States who purchased a Bluetooth-enabled We-Vibe Brand Product before September 26, 2016. As provided in the Settlement Agreement, “We-Vibe Brand Product” means the “We-Vibe® Classic; We-Vibe® 4 Plus; We-Vibe® 4 Plus App Only; Rave by We-VibeTM and Nova by We-VibeTM... the proposed App Class, consisting of: all individuals in the United States who downloaded the We-Connect application and used it to control a We-Vibe Brand Product before September 26, 2016."

According to the settlement agreement, affected users will be notified by e-mail, with notices in the We-Connect mobile app, a settlement website (to be created), a "one-time half of a page summary publication notice in People Magazine and Sports Illustrated," and by online advertisements on several websites such as Google, YouTube, Facebook, Instagram, Twitter, and Pinterest. The settlement site will likely specify additional information including any deadlines and additional notices.

We-Vibe announced in its blog on October 3, 2016 several security improvements:

"... we updated the We-ConnectTM app and our app privacy notice. That update includes: a) Enhanced communication regarding our privacy practices and data collection – in both the onboarding process and in the app settings; b) No registration or account creation. Customers do not provide their name, email or phone number or other identifying information to use We-Connect; c) An option for customers to opt-out of sharing anonymous app usage data is available in the We-Connect settings; d) A new plain language Privacy Notice outlines how we collect and use data for the app to function and to improve We-Vibe products."

I briefly reviewed the We-Connect App Privacy Policy (dated September 26, 2016) linked from the Google Play store. When buying digital products online, often the privacy policy for the mobile app is different than the privacy policy for the website. (Informed shoppers read both.) Some key sections from the app privacy policy:

"Collection And Use of Information: You can use We-Vibe products without the We-Connect app. No information related to your use of We-Vibe products is collected from you if you don’t install and use the app."

I don't have access to the prior version of the privacy policy. That last sentence seems clear and should be a huge warning to prospective users about the data collection. More from the policy:

"We collect and use information for the purposes identified below... To access and use certain We-Vibe product features, the We-Connect app must be installed on an iOS or Android enabled device and paired with a We-Vibe product. We do not ask you to provide your name, address or other personally identifying information as part of the We-Connect app installation process or otherwise... The first time you launch the We-Connect app, our servers will provide you with an anonymous token. The We-Connect app will use this anonymous token to facilitate connections and share control of your We-Vibe with your partner using the Connect Lover feature... certain limited data is required for the We-Connect app to function on your device. This data is collected in a way that does not personally identify individual We-Connect app users. This data includes the type of device hardware and operating system, unique device identifier, IP address, language settings, and the date and time the We-Connect app accesses our servers. We also collect certain information to facilitate the exchange of messages between you and your partner, and to enable you to adjust vibration controls. This data is also collected in a way that does not personally identify individual We-Connect app users."

In a way that does not personally identify individuals? What way? Is that the "anonymous token" or something else? More clarity seems necessary.

Consumers should read the app privacy policy and judge for themselves. Me? I am skeptical. Why? The "unique device identifier" can be used for exactly that: to identify a specific phone. The IP address associated with each mobile device can also be used to identify specific persons. Match either number to the user's 10-digit phone number (readily available on phones), and it seems that one can easily re-assemble "anonymously" collected data afterwards to make it user-specific.

And since partner(s) can remotely control a user's We-Vibe device, their information is collected, too. Persons with multiple partners (and/or multiple We-Vibe devices) should thoroughly consider the implications.
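The point made above, that telemetry keyed on a stable device identifier is pseudonymous rather than anonymous, is easy to show with a small worked example. The code below is added here for illustration and is not We-Vibe's code or anything from the settlement; the device IDs, e-mail addresses and usage records are constructed sample data. It joins an "anonymous" usage log to a separately collected registration table on the shared device identifier (hashing the identifier does not help, because the hash is deterministic), and contrasts that with a per-install random token, which can still pair two phones for a session but has no counterpart in any other dataset to join on.

```python
"""Why a stable device identifier does not anonymize telemetry.

Added example with constructed data: an "anonymous" usage log keyed on the
phone's unique device id, and a registration table collected for another
purpose that happens to carry the same id. Any such second table re-links
the usage records to a person. A per-install random token avoids that.
"""
import hashlib
import secrets
from collections import defaultdict

# Constructed: usage records that carry no name, only the device id and IP.
USAGE_LOG = [
    {"device_id": "A1B2-C3D4", "ip": "203.0.113.7", "mode": "Wave", "intensity": 6},
    {"device_id": "A1B2-C3D4", "ip": "203.0.113.7", "mode": "Pulse", "intensity": 8},
    {"device_id": "E5F6-0708", "ip": "198.51.100.9", "mode": "Crest", "intensity": 3},
]

# Constructed: a separate table (account registration) keyed on the same id.
REGISTRATIONS = [
    {"device_id": "A1B2-C3D4", "email": "alice@example.test"},
    {"device_id": "E5F6-0708", "email": "bob@example.test"},
]


def pseudonymize(value: str) -> str:
    """A common but insufficient 'anonymization': hash the identifier.
    The hash is deterministic, so the same device always yields the same
    key, and any other table hashed the same way still joins to it."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def relink(usage, other_table, field):
    """Join two datasets on a shared stable field (after pseudonymization).
    Returns {email: [modes...]}: the usage log attributed to people again.
    If the other table does not carry the field, nothing can be joined."""
    by_key = {
        pseudonymize(row[field]): row["email"] for row in other_table if field in row
    }
    out = defaultdict(list)
    for rec in usage:
        email = by_key.get(pseudonymize(rec[field]))
        if email is not None:
            out[email].append(rec["mode"])
    return dict(out)


def issue_install_token() -> str:
    """Defensive alternative: a random token generated at first launch, with
    no relation to the hardware id or phone number. It lets a server pair
    two phones for a session, but no other dataset shares it."""
    return secrets.token_urlsafe(16)


def token_keyed_log(usage):
    """Rewrite the usage log to carry only a session token, dropping the
    device id and IP address (data minimization)."""
    token = issue_install_token()
    return [{"token": token, "mode": r["mode"]} for r in usage]


if __name__ == "__main__":
    print("joined on device_id:", relink(USAGE_LOG, REGISTRATIONS, "device_id"))
    print("joined on install token:", relink(token_keyed_log(USAGE_LOG), REGISTRATIONS, "token"))
```

The first join recovers both users' full mode history from records that contain no name; the second returns nothing, because the registration table has no token column to match. That is the difference between "collected in a way that does not personally identify" and data that merely lacks a name field.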

The About Us page in the We-Vibe site contains this company description:

"We-Vibe designs and manufactures world-leading couples and solo vibrators. Our world-class engineers and industrial designers work closely with sexual wellness experts, doctors and consumers to design and develop intimate products that work in sync with the human body. We use state-of-the-art techniques and tools to make sure our products set new industry standards for ergonomic design and high performance while remaining eco‑friendly and body-safe."

Hmmmm. No mention of privacy or security. Hopefully, a future About Us page revision will mention privacy and security. Hopefully, no government officials use these or other branded smart sex toys. This is exactly the type of data collection spies will use to embarrass and/or blackmail targets.

The settlement is a reminder that companies are willing, eager, and happy to exploit consumers' failure to read privacy policies. A study last year found that 74 percent of consumers surveyed never read privacy policies.

All of this should be a reminder to consumers that companies highly value the information they collect about their users, and generate additional revenue streams by selling information collected to corporate affiliates, advertisers, marketing partners, and/or data brokers. Consumers' smartphones are central to that data collection.

What are your opinions of the We-Vibe settlement? Of its products and security?


Ashley Madison Operators Agree to Settlement With FTC And States


The operators of the AshleyMadison.com dating site have agreed to a settlement with the U.S. Federal Trade Commission (FTC) for security lapses in a massive 2015 data breach. 37 million subscribers were affected, and the site's poor handling of its password-reset mechanism made accounts discoverable while the site had promised otherwise. The site was known for helping married persons find extra-marital affairs.

The FTC complaint against Avid Life Media Inc. sought relief and refunds for subscribers. The complaint alleged that the dating site:

"... Defendants collect, maintain, and transmit a host of personal information including: full name; username; gender; address, including zip codes; relationship status; date of birth; ethnicity; height; weight; email address; sexual preferences and desired encounters; desired activities; photographs; payment card numbers; hashed passwords; answers to security questions; and travel locations and dates. Defendants also collect and maintain consumers’ communications with each other, such as messages and chats... Until August 2014, Defendants engaged in a practice of using “engager profiles” — that is, fake profiles created by Defendants’ staff who communicate with consumers in the same way that consumers would communicate with each other—as a way to engage or attract additional consumers to AshleyMadison.com. In 2014, there were 28,417 engager profiles on the website. All but 3 of the engager profiles were female. Defendants created these profiles using profile information, including photographs, from existing members who had not had any account activity within the preceding one or more years... Because these engager profiles contained the same type of information as someone who was actually using the website, there was no way for a consumer to determine whether an engager profile was fake or real. To consumers using AshleyMadison.com, the communications generated by engager profiles were indistinguishable from communications generated by actual members... When consumers signed up for AshleyMadison.com, Defendants explained that their system is “100% secure” because consumers can delete their “digital trail”.

More importantly, the complaint alleged that the operators of the site failed to protect subscribers' information in several key ways:

"a. failed to have a written organizational information security policy;
b. failed to implement reasonable access controls. For example, they: i) failed to regularly monitor unsuccessful login attempts; ii) failed to secure remote access; iii) failed to revoke passwords for ex-employees of their service providers; iv) failed to restrict access to systems based on employees’ job functions; v) failed to deploy reasonable controls to identify, detect, and prevent the retention of passwords and encryption keys in clear text files on Defendants’ network; and vi) allowed their employees to reuse passwords to access multiple servers and services;
c. failed to adequately train Defendants’ personnel to perform their data security- related duties and responsibilities;
d. failed to ascertain that third-party service providers implemented reasonable security measures to protect personal information. For example, Defendants failed to contractually require service providers to implement reasonable security; and
e. failed to use readily available security measures to monitor their system and assets at discrete intervals to identify data security events and verify the effectiveness of protective measures."
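Item b(i) above, failing to monitor unsuccessful login attempts, is one of the cheaper controls on that list to put in place. The following is an added example, not code from the FTC matter or from the site's operators: a small monitor that parses authentication log lines, keeps a sliding window of failures per source address and per account, and raises an alert when a threshold is crossed or when an address that tripped the threshold later logs in successfully. The log format, the thresholds and the sample lines are all constructed for this example; the regular expression would be adapted to a real authentication log.

```python
"""Failed-login monitor over a constructed authentication log.

Added example. Parses lines of the (constructed) form
  2015-07-12T10:00:01Z auth user=alice src=203.0.113.5 result=FAIL
and flags (a) any source address with >= THRESHOLD failures inside WINDOW,
(b) any account with >= THRESHOLD failures inside WINDOW, and (c) a
successful login from an address that already tripped (a), which is the
case an operator most wants to see.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one address fails against five accounts in a few
# seconds and then succeeds; a second user has a single innocent typo.
SAMPLE_LOG = """\
2015-07-12T10:00:01Z auth user=alice src=203.0.113.5 result=FAIL
2015-07-12T10:00:02Z auth user=bob src=203.0.113.5 result=FAIL
2015-07-12T10:00:03Z auth user=carol src=203.0.113.5 result=FAIL
2015-07-12T10:00:04Z auth user=dave src=203.0.113.5 result=FAIL
2015-07-12T10:00:05Z auth user=erin src=203.0.113.5 result=FAIL
2015-07-12T10:00:06Z auth user=erin src=203.0.113.5 result=OK
2015-07-12T10:30:00Z auth user=alice src=198.51.100.7 result=FAIL
2015-07-12T10:30:30Z auth user=alice src=198.51.100.7 result=OK
"""


def parse(line):
    """Return (timestamp, user, src, result) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["src"], m["result"]


def detect(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return a list of (kind, key, count) alerts in log order.

    kind is 'src' or 'user' when failures for that key reach `threshold`
    within `window` (fired once, when the threshold is crossed), or
    'success_after_burst' when a source that tripped 'src' later succeeds.
    """
    fails = {"src": defaultdict(deque), "user": defaultdict(deque)}
    tripped_sources = set()
    alerts = []
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue  # malformed line; a real monitor would count these too
        ts, user, src, result = rec
        if result == "FAIL":
            for kind, key in (("src", src), ("user", user)):
                q = fails[kind][key]
                q.append(ts)
                while q and ts - q[0] > window:  # expire old failures
                    q.popleft()
                if len(q) == threshold:
                    alerts.append((kind, key, len(q)))
                    if kind == "src":
                        tripped_sources.add(src)
        elif src in tripped_sources:
            alerts.append(("success_after_burst", f"{user}@{src}", 1))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the monitor fires once for the source address after its fifth failure and once more when that same address succeeds as erin; alice's single failure half an hour later from a different address stays below threshold and is not reported.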

The above items read like a laundry list of everything not to do regarding information security. Several states also sued the site's operators. Toronto, Ontario-based Ruby Corporation (formerly called Avid Life Media), ADL Media Inc. (based in Delaware), and Ruby Life Inc. (d/b/a Ashley Madison) were named as defendants in the lawsuit. According to its website, Ruby Life operates several adult dating sites: Ashley Madison, Cougar Life, and Established Men.

The Ashley Madison site generated about $47 million in revenues in the United States during 2015. The site has members in 46 countries, and almost 19 million subscribers in the United States created profiles since 2002. About 16 million of those profiles were male.

Terms of the settlement agreement require the operators to pay $1.6 million to settle FTC and state actions, and to implement a comprehensive data-security program with third-party assessments. About $828,500 is payable directly to the FTC within seven days, with an equal amount divided among participating states. If the defendants fail to make that payment to the FTC, then the full judgment of $8.75 million becomes due.

The defendants must submit a compliance report to the FTC one year after the settlement agreement. The third-party assessment program starts within 180 days of the settlement agreement and continues for 20 years, with reports every two years. The terms prohibit the site's operators and defendants from misrepresenting to persons in the United States how their online site and mobile app operate. Clearly, the use of fake profiles is prohibited.

The JD Supra site discussed the fake profiles:

"AshleyMadison/Ruby’s use of chat-bot-based fake or “engager profiles” that lured users into upgrading/paying for full memberships was also addressed in the complaint. According to a report in Fortune Magazine, men who signed up for a free AshleyMadison account would be immediately contacted by a bot posing as an interested woman, but would have to buy credits from AshleyMadison to reply.

Gizmodo, among many other sites, has examined the allegations of fake female bots or “engager profiles” used to entice male users who were using Ashley Madison’s free services to convert to paid services: “Ashley Madison created more than 70,000 female bots to send male users millions of fake messages, hoping to create the illusion of a vast playland of available women.” "

13 states worked on this case with the FTC: Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, Vermont, and the District of Columbia. The State of Tennessee's share was about $57,000. Vermont Attorney General William H. Sorrell said:

“Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website... I was pleased to see the FTC and the state attorneys general working together in such a productive and cooperative manner. Vermont has a long history of such cooperation, and it’s great to see that continuing.”

The Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner reached their own separate settlements with the company. Commissioner Daniel Therrien of the Office of the Privacy Commissioner of Canada said:

“In the digital age, privacy issues can impact millions of people around the world. It’s imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live.”

Australian Privacy Commissioner Timothy Pilgrim stated:

"My office was pleased to work with the FTC and the Office of the Canadian Privacy Commissioner on this investigation through the APEC cross-border enforcement framework... Cross-border cooperation and enforcement is the future for privacy regulation in the global consumer age, and this cooperative approach provides an excellent model for enforcement of consumer privacy rights.”

Kudos to the FTC for holding a company's feet (and its officers' and executives' feet) to the fire to protect consumers' information.


What's New: Cruise Ship Vacations Through The Northwest Passage

You can now sail to parts of Canada and the Arctic Ocean that were previously inaccessible.

Since the 1500s, explorers have attempted to sail the Arctic Ocean and Northwest Passage, but were unable due to thick sea ice present all year long. With climate change, the sea ice has retreated far enough and long enough during the summer months for cargo and cruise ships to navigate this shorter route between the Atlantic and Pacific Oceans.

Crystal Cruises announced a new itinerary through the Northwest Passage to destination ports in the United States, Canada, and Greenland. Starting in August of 2016, the Crystal Serenity cruise ship will sail from Anchorage, Alaska to New York City, with port destinations at Kodiak (Alaska), Nome (Alaska), Ulukhaktok (Northwest Territories, Canada), Cambridge Bay (Canada), Pond Inlet (Canada), Ilulissat (Greenland), Nuuk (Greenland), Bar Harbor (Maine), and more.

Crystal Cruises is a high-end, luxury cruise line offering a truly all-inclusive cruise experience. Budget or entry-level cruise lines typically offer a low price, but add on a variety of fees. Many consumers prefer a one-price, all-inclusive vacation.

The cruise price includes complimentary fine wines and premium spirits, plus gratuities for housekeeping, bar, dining and Penthouse butler staff. It also includes fine dining at any of eight on-board restaurants, classes at the Computer University@Sea®, foreign language classes, themed cruises focusing upon music, film and entertainment shows, wellness and golf,  lectures featuring speakers, authors, and celebrities, art classes, an on-board fitness center, and concierge services to arrange personalized shore excursions.

The fitness center includes state-of-the-art exercise equipment, yoga classes, cycling classes, golf lessons, Pilates, and tai chi classes. The ship includes deluxe staterooms, staterooms with verandahs, penthouses, and penthouse suites. Staterooms include satellite TV, movie/DVD rentals, housekeeping, complimentary soft drinks and bottled water, complimentary beer, wine and spirits upon request, luxury bathrobes, and fine Egyptian cotton linens. Additional complimentary services are available in the penthouses and penthouse suites.

The Crystal Serenity cruise ship debuted in July, 2003. The cruise line spent $52 million in 2013 to redesign and upgrade the ship, including both staterooms and public areas. Besides the Northwest Passage itinerary, the ship sails to destinations in the Caribbean, South America, Hawaii, Australia, and the Mediterranean.

Prices for the 32-day cruise start at $21,855 per person double occupancy, and include the above onboard services plus transfers between the airport and cruise terminal in Anchorage. Prices exclude air fare and transfers between the cruise ship and airports in New York City.

Whether or not you believe in climate change, or agree that human activity contributes to climate change (a/k/a global warming), the retreating sea ice is an indication of changes in the planet.



Safer Internet Day: Do Your Part

Today is Safer Internet Day (SID) #SID2016. This event occurs every year in February to promote safer and more responsible use of online technology and mobile phones, especially among children. This year's theme is:

"Play your part for a better Internet"

There are events in 100 countries worldwide. The European Commission’s Safer Internet Programme started the event, which has continued under the Connecting Europe Facility (CEF). This is the 13th annual event. According to its press release:

"Last year’s celebrations saw more than 19,000 schools and 28 million people involved in SID actions across Europe, while over 60 million people were reached worldwide..."

Hans Martens, Digital Citizenship Programme Manager at European Schoolnet and Coordinator of the Insafe Network said:

“The theme of ‘Play your part for a better internet’ truly reflects how stakeholders from across the world can and should work together to build a trusted digital environment for all. This approach is at the core of the Better Internet for Kids agenda, and we look forward to seeing many exciting initiatives and collaborations, both on the day of SID itself and beyond."

Sophos, a security firm, described six safety tips for families. That includes learning to spot phishing scams to avoid password-stealing computer viruses and ransomware. Children need to learn how to create strong passwords, and never use these weak passwords. Read about several SID events in California, including teens brainstorming ways to fight online bullying and teens helping adults.

To learn more, watch the video below and then visit SaferInternetDay.org for events in your country.

Or, watch the video on Youtube.


Recording Ourselves To Death

Deaths from sharks versus selfies

This is not a joke. Related reading:


Payment Scam Dupes Airbnb Customer. Was There A Data Breach?

Readers of this blog are aware of the various versions of check scams criminals use to trick consumers. A new scam has emerged with social travel sites.

After paying for a valid stay, an Airbnb customer was tricked by criminals using a wire transfer scam. The Telegraph UK described how the customer was tricked. After paying for their valid rental with a valid credit card, the guest:

"... received an email from Airbnb saying that the card payment had been declined and I needed to arrange an international bank transfer within the next 24 hours to secure the apartment. Stupidly, I did as asked. I transferred the money straight away to someone I assumed was the host as they had all the details of my reservation."

Formed in 2008, Airbnb now operates in 34,000 cities in 190 countries.

After checking with their bank, the guest determined that the credit card payment had been processed correctly. So, the guest paid twice, with the second payment to the criminal. The guest believes that Airbnb experienced a data breach. According to one security expert:

"The fraud works by sending an email to a host that appears to come from Airbnb asking them to verify their account details. The host foolishly responds thus giving the fraudster access to their account and all the bookings correspondence. Even though the addresses are anonymised the fraudster can still send emails to the customers via Airbnb to try to extract a second payment by bank transfer."

What can consumers make of this? First, hosts should learn to recognize phishing e-mails. Don't respond to them. Second, guests need to remember that inattentive hosts can compromise their identity information. Third, guests should never make payments outside of Airbnb's system.

Criminals are creative, persistent, and knowledgeable. Consumers need to be, too. Read the Scams/Threats section of this blog.


Costco, CVS, And Wal-Mart Canada Investigate Possible Data Breaches

On Friday, CVS and Wal-Mart Canada announced investigations into possible data breaches at their photo centers. On Monday, Costco announced a similar investigation about a possible data breach. Costco has also suspended operations of its photo centers. The number of credit card customers affected is unknown at all three retailers.

The outsourcing vendor involved is PNI Digital Media, with offices in Vancouver, British Columbia (Canada) and England. According to its website, PNI Digital Media operates 19,000 retail locations and 8,000 in-store kiosks. The New York Times reported:


"... the breaches highlighted the importance of more rigorously vetting I.T. vendors at a time when companies outsource more and more of their technology operations. Vendors have often proved to be the weakest link..."

Staples acquired PNI Digital Media in July, 2014. At press time, the vendor's latest tweet was May 20, two months ago. That tweet announced that hiring was underway for several positions, including front and back-end developers.

Until the retailers announce more about their breaches, experts advise customers of the above retail stores to closely monitor their bank and card statements for fraudulent charges.


Report: Researchers Compare High-Speed Internet Services Worldwide. Consumers In The USA Pay More And Get Slower Speeds

Since President Obama will mention competition and high-speed Internet services in his 2015 State of The Union address to the nation Tuesday evening, it seemed appropriate to discuss the state of high-speed Internet services (a/k/a broadband) in the United States. The "Cost of Connectivity 2014" annual report by the Open Technology Institute compared Internet prices and speeds in 24 cities around the world. The overall finding:

"... the data that we have collected in the past three years demonstrates that the majority of U.S. cities surveyed lag behind their international peers, paying more money for slower Internet access."

The researchers investigated both home and mobile high-speed Internet prices and speeds. Data was collected between July and September of 2014. The list of cities:

  • Americas: Bristol (Virginia), Chattanooga (Tennessee), Kansas City (Kansas), Kansas City (Missouri), Lafayette (Louisiana), Los Angeles (California), Mexico City (Mexico), New York (N.Y.), San Francisco (California), Toronto (Canada), Washington (D.C.)
  • Asia: Hong Kong, Seoul (So. Korea), Tokyo (Japan)
  • Europe: Amsterdam (Netherlands), Berlin (Germany), Bucharest (Romania), Copenhagen (Denmark), Dublin (Ireland), London (United Kingdom), Paris (France), Prague (Czech Republic), Riga (Latvia), Zurich (Switzerland)

For home usage, the researchers looked at "broadband-only" plans. If a provider didn't offer a broadband-only plan, then they looked for the cheapest bundle (e.g., phone plus Internet, "triple-play" bundles of phone, Internet, and television, etc.). Prices in foreign currencies were converted to U.S. Dollars using:

"... the World Bank’s purchasing power parity (PPP) metric."

The researchers used the broadband definition by U.S. Federal Communications Commission (FCC): a minimum of 4 Mbps download and 1 Mbps upload. The researchers collected the following information about each broadband service:

  • Network technology (e.g., DSL, cable, fixed wireless, fiber optic),
  • Download and upload speeds,
  • Monthly subscription costs (excluding promotional prices),
  • Data caps and any penalties (i.e. overage fees or throttled speeds),
  • Activation and installation fees,
  • Modem and equipment rental or purchase fees, and
  • Contract lengths (e.g., number of months, no contract)
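To make the methodology concrete, here is an added worked example (not code or data from the Open Technology Institute report) of how plans collected with the attributes listed above can be reduced to a comparable figure. Each plan's non-promotional monthly price is combined with its one-time fees amortized over the contract length, converted to U.S. dollars with a purchasing-power-parity factor, screened against the FCC 4 Mbps / 1 Mbps broadband floor, and then ranked by dollars per Mbps; a second function answers the report's other question, the fastest plan available for a fixed monthly budget. The PPP factors, cities, prices and speeds are constructed for illustration, not figures from the report.

```python
"""Normalize and rank broadband plans the way the report describes.

Added example with constructed data. Steps: amortize one-time fees over the
contract, convert to USD via a PPP factor, drop plans under the FCC
broadband floor, rank by USD per Mbps, and find the fastest plan per city
under a budget.
"""
from dataclasses import dataclass
from typing import Optional

FCC_MIN_DOWN_MBPS = 4
FCC_MIN_UP_MBPS = 1

# Constructed PPP conversion factors: local currency units per U.S. dollar.
PPP = {"USD": 1.0, "EUR": 0.80, "KRW": 870.0}


@dataclass
class Plan:
    city: str
    technology: str          # e.g. DSL, cable, fixed wireless, fiber
    down_mbps: float
    up_mbps: float
    monthly_price: float     # local currency, non-promotional
    currency: str
    activation_fee: float = 0.0
    equipment_fee: float = 0.0   # purchase price, or total rental over the contract
    contract_months: int = 1     # 1 = no contract
    data_cap_gb: Optional[float] = None

    def is_broadband(self) -> bool:
        """FCC definition used by the report: at least 4 Mbps down, 1 Mbps up."""
        return self.down_mbps >= FCC_MIN_DOWN_MBPS and self.up_mbps >= FCC_MIN_UP_MBPS

    def monthly_cost_usd(self) -> float:
        """Monthly price plus one-time fees spread over the contract, in USD."""
        one_time = self.activation_fee + self.equipment_fee
        local = self.monthly_price + one_time / max(self.contract_months, 1)
        return local / PPP[self.currency]

    def usd_per_mbps(self) -> float:
        return self.monthly_cost_usd() / self.down_mbps


def rank_by_value(plans):
    """Broadband-eligible plans, cheapest per download Mbps first."""
    return sorted((p for p in plans if p.is_broadband()), key=Plan.usd_per_mbps)


def best_speed_for_budget(plans, budget_usd=50.0):
    """Highest download speed per city whose monthly USD cost fits the budget."""
    best = {}
    for p in plans:
        if p.is_broadband() and p.monthly_cost_usd() <= budget_usd:
            if p.city not in best or p.down_mbps > best[p.city]:
                best[p.city] = p.down_mbps
    return best


# Constructed sample plans (not figures from the report).
SAMPLE_PLANS = [
    Plan("Seoul", "fiber", 100, 100, 30000, "KRW", contract_months=24),
    Plan("Paris", "fiber", 200, 50, 30.0, "EUR", activation_fee=48.0, contract_months=12),
    Plan("Los Angeles", "cable", 50, 5, 59.99, "USD", equipment_fee=120.0,
         contract_months=12, data_cap_gb=300),
    Plan("Los Angeles", "DSL", 3, 0.5, 19.99, "USD"),   # below the FCC floor
    Plan("Chattanooga", "fiber", 1000, 1000, 69.99, "USD"),
]

if __name__ == "__main__":
    for p in rank_by_value(SAMPLE_PLANS):
        print(f"{p.city:12} {p.technology:6} {p.down_mbps:>6.0f} Mbps "
              f"${p.monthly_cost_usd():7.2f}/mo  ${p.usd_per_mbps():.4f}/Mbps")
    print("fastest plan under $50 per city:", best_speed_for_budget(SAMPLE_PLANS))
```

Note that the ranking excludes the DSL plan entirely rather than scoring it cheaply, since it does not meet the broadband definition, and that the Los Angeles cable plan's amortized modem fee is what pushes it out of the $50 budget.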

Consumers in Asia and Europe get the best value (i.e., the highest speeds at the lowest prices):

"Most Asian and European cities provide broadband service in the 25 to 50 megabits per second (Mbps) speed range at a better value on average than North American cities (with a few key exceptions). In addition, when it comes to the estimated speeds a customer could expect to get for $50 in each of the cities we surveyed, the U.S. is middling at best, with many cities falling to the bottom of the pack. Our analysis also finds that, in terms of speed and price, cities with municipal networks are on par with Hong Kong, Seoul, Tokyo, and Zürich and are ahead of the major incumbent ISPs in the U.S."

This merits repeating. The areas in the USA that offer the best value for consumers are municipal broadband networks and not the corporate Internet Service Providers (ISPs). Yet local laws in 19 states prevent or restrict consumers from building municipal broadband services, while politicians in the United States are quick to promote privatization (e.g., corporations are good; government is bad) as a catch-all solution.

And, it is worse for mobile phone and tablet users:

"In the mobile broadband space, USB dongle and wireless hotspot device offerings continue to be expensive substitutes for home broadband connectivity, with consumers in some other countries paying the same price for mobile plans with data caps that are up to as 40 times higher than those offered by U.S. providers."

Providers of home services in cities with the fastest broadband speeds both increased speeds and reduced prices in 2013 compared to 2012, and again in 2014 compared to 2013:

"Virtually every city in this ranking has seen an annual increase in its top speed offering since 2012. In cases where ISPs offer the same speed as last year, those ISPs have tended to lower their prices. For instance, Lafayette, LA charged $999.95 per month for its gigabit service in 2013 and dropped that price to $109.95 per month in 2014. In Mexico City, a 200 Mbps package was available for nearly $100 less than the price offered for that speed by a different provider in 2013. The average download speed of plans in this ranking increased from 233 Mbps in 2012 to around 500 in 2013, and almost 650 Mbps in 2014. Nearly half of all cities in this ranking offer gigabit speeds, and more than two-thirds of all cities offer service over 500 Mbps."

The researchers also looked at what consumers could get by spending $40 monthly:

"In 2014, five providers offered gigabit service for under $40, up from just one in 2013 and none in 2012. The U.S. cities on this list that are ranked at the middle or higher (Kansas City, KS; Kansas City, MO; and San Francisco, CA) are represented by local, innovative providers who offer competitive alternatives to the services provided by incumbents."

Incumbents are the large, national corporate ISPs (e.g., Verizon, AT&T, etc.). So, the top five best deals under $40 monthly:

Rank  City       Monthly Cost ($ U.S.)  Provider             Speeds                                 Network Technology
1     Seoul      $30.30                 HelloVision          1,000 Mbps download & upload           Fiber
2     Hong Kong  $37.41                 Hong Kong Broadband  1,000 Mbps download & upload           Fiber
3     Tokyo      $39.15                 KDDI                 1,000 Mbps download & upload           Fiber
4     Paris      $38.81                 SFR                  1,000 Mbps download & 200 Mbps upload  Fiber
5     Bucharest  $32.35                 RCS & RDS            1,000 Mbps download & 30 Mbps upload   Fiber

Now, compare the above prices to what you pay and the speed you get. I did. Here in Boston, Comcast charges $66.95 per month for what it calls "Performance Internet." That's the regular price, and not the promotional price. The Comcast website states:

"Restrictions apply. Not available in all areas. Limited to new residential customers. Not available in all areas. Requires subscription to Performance Internet service. Equipment, installation, taxes and fees, and other applicable charges extra, and subject to change during and after the promo. After 12 mos., service charge for Performance Internet increases to $54.99/mo. After promo, or if any service is cancelled or downgraded, regular rates apply. Comcast's service charge for Performance Internet is $66.95/mo. (subject to change). Service limited to a single outlet. May not be combined with other offers. Internet: Wi-Fi claim based on the September 2014 study by Allion Test Labs. Actual speeds vary and are not guaranteed."

So, the site doesn't even disclose what speed consumers get for $66.95 per month. The true price is higher once you add in equipment and taxes. And that is for older cable technology, not fiber. So, it is difficult for consumers to determine the value of Comcast Internet. Yes, Comcast offers a promotional price of $39.99 per month for 12 months, and then the monthly rate increases. I ignored this promotional price since the researchers compared regular rates. You should, too, so you know what the service really costs. And Comcast includes enough caveats that if you change anything in your subscription, regular rates apply.

Verizon FiOS is a fiber Internet service here in Massachusetts. Below are the service's prices:

Verizon FiOS prices in January 2015.

The prices are very high, and the speeds are slower than those of the leaders mentioned above in the "Cost of Connectivity 2014" report. So, it seems appropriate to ask: are you getting good value (e.g., monthly price divided by download speed) for home Internet where you live? Probably not, unless you live in an area with a municipal service provider. Do you have a state-of-the-art fiber connection? Probably not.

The researchers compared high-speed Internet services between Europe and the USA. They found:

"... median prices are higher in the U.S. for speeds equivalent to those in Europe. Except for the lowest speed tier reported in this graph, the median price in every other tier is noticeably higher for the U.S., indicating that customers pay more for the same broadband packages than their European peers."

The researchers analyzed and compared Internet services in several ways. Since consumers often set a household budget for items, the researchers looked at what consumers get with a monthly budget of $50 for Internet services. Providers in the USA didn't fare well:

"Figure 7 demonstrates the estimated speeds a customer could expect to get for $50 in each of the cities we surveyed. Hong Kong and Seoul are far ahead, with around 300 Mbps at $50, while Tokyo and Paris both hover around 200 Mbps. Most of the U.S. cities cluster between 25 and 45 Mbps, with only San Francisco, CA, and Chattanooga, TN, falling out of that range on the high and low end, respectively. Mexico City ranks last with an average of around 8 Mbps."

Sometimes, consumers seek a certain Internet speed to perform certain tasks. So, the researchers looked at which countries provided the best value with a download speed of 25 Mbps or faster. A 25 Mbps download speed is fast enough to download a short video clip in 1.3 seconds, 10 songs in about half a minute, or a 2-hour video in 13 minutes. That speed allows you to do most things you'd want to do, especially since most mobile devices store your files in the cloud. Once again, the USA lagged other countries:

"Figure 8 demonstrates the estimated monthly price for 25 Mbps in each of the cities we surveyed. The results are largely consistent with our other observations, although in this analysis London comes out at the top of the list at around $24 a month, followed closely by Seoul, Bucharest, and Paris. The U.S. cities are still clustered in the bottom half of the pack, with the exceptions of Kansas City, KS and Kansas City, MO. Notably, Hong Kong drops much lower in this analysis, which reflects the fact that some providers offer speeds ranging from 8 to 100 Mbps at very similar or identical prices."

Feeling proud about American exceptionalism? The next time you hear pundits or politicians profess American exceptionalism, ask them what they are doing to lower your monthly high-speed Internet prices, and speed up your connection, so you get the same (or better) value as consumers in other parts of the world. Write to your elected officials and tell them high-speed Internet prices are too high.

What are your opinions of this report? Of the monthly prices you pay? Do you think that ISPs in the U.S.A. are doing a good job?


Sony At The Center Of Several Issues, Not Just A Decision To Cancel A Movie Release

News media and social networking sites are ablaze with discussions about Sony Pictures and its film, "The Interview." Everyone has an opinion, and many seem to want the company to stand up for First Amendment rights of creative artists, and not surrender to threats by politically-motivated hackers.

These are all valid concerns. However, Sony seems to be at the nexus of several important, related issues that shouldn't be confused nor overlooked:

  1. Whether or not Sony Pictures should have made the film, "The Interview."
  2. Sony Pictures decided to cancel the Christmas release of the film. Many people feel this was a bad decision, arguing that the company surrendered to the hackers' threats, and that surrender encourages more attacks by politically-motivated hackers.
  3. Sony Pictures considers how to release the film (e.g., streaming?) given liability and safety concerns. It may use its Crackle video-streaming service.
  4. Several news media outlets published the content of e-mail messages stolen during the hack attack. Despite First Amendment rights in the U.S., Sony threatened legal action against news media outlets that published more e-mail messages. Some people supported Sony's position.
  5. The theft and publication of e-mails with embarrassing and insulting content is a reminder of the fragility of online privacy: nothing you say, type, text, post or do online can be guaranteed to remain private. This is important, especially given the growth in usage of "erasable" social services (e.g., Snapchat) and cloud services.
  6. The data breach raised concerns that Sony allegedly failed to adequately protect both its networks and servers with the sensitive information it was entrusted with. The latest data breach affected both current and former employees.
  7. Several lawsuits have been filed against the company by current and former employees regarding #6, and
  8. The U.S. government weighs a "proportional response" given national security concerns of hacking attacks by a foreign country. North Korea denied the cyber-attack, and then proposed a joint investigation with the USA. The USA later rejected that proposal.

Sony Corporation's headquarters is in Tokyo, Japan. Sony Pictures' headquarters is in Culver City, California in the USA. Issues #6 and #7 merit further discussion.

This latest data breach at Sony was not the company's first incident. It experienced several breaches during 2011, notably a massive incident at Sony Playstation Network affecting 77 million customers, and at Sony Entertainment Network. Later that year, Sony executives apologized. Earlier this year, the company agreed to a settlement resolving lawsuits about its Playstation Network breach. However, there's more. Forbes magazine reported:

"An email from Courtney Schaberg, VP of legal compliance at Sony Pictures, to general counsel Leah Weil, dated 16 January 2014, reported a compromise of the Sonypictures.de site. The website was swiftly taken down after it emerged the site had been hacked to serve up malware to visitors. Schaberg also expressed concern that email addresses and birth dates for 47,740 individuals who signed up to the site’s newsletter had been accessed by the attacker. On Friday 17 January 2014, Schaberg told Weil that it was unclear whether personal information had been taken as an investigation by a third party would not start until the following Monday, but it was unlikely Sony would disclose the breach publicly."

After the Sony Pictures cyberattack, both current and former employees have already filed lawsuits. TechCrunch described some of the details:

"... Christina Mathis and Michael Corona have filed a federal court complaint against the movie studio, alleging that the company did not take enough precautions to keep employee and employee family data safe... The complaint references tech blog reporting to note that Sony was aware of the insecurity on its network..And it cites several instances of Sony failing to adequately inform former employees of the situation... there were only 11 people on the Sony information security team at the time of the hack..."

The plaintiffs seem to have several valid concerns. Krebs On Security reported:

"According to multiple sources, the intruders also stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical and salary information. What’s more, it’s beginning to look like the attackers may have destroyed data on an unknown number of internal Sony systems."

Krebs on Security also reported:

"Several files being traded on torrent networks seen by this author include a global Sony employee list, a Microsoft Excel file that includes the name, location, employee ID, network username, base salary and date of birth for more than 6,800 individuals... Another file being traded online appears to be a status report from April 2014 listing the names, dates of birth, SSNs and health savings account data on more than 700 Sony employees. Yet another apparently purloined file’s name suggests it was the product of an internal audit from accounting firm Pricewaterhouse Coopers, and includes screen shots of dozens of employee federal tax records and other compensation data."

So, the sensitive personal data stolen is out in the open where criminals can use and abuse it. And, there may be more. The hackers have threatened to release more stolen information if Sony Pictures releases the film.

On December 15, Sony Pictures published several breach notices, including this general breach notice to its current and former employees (Adobe PDF) worldwide. Accompanying this general notice are several specific notices for residents in the United States, Canada, and Puerto Rico. There are detailed breach notices for residents of Maryland, Massachusetts, North Carolina, and Puerto Rico.

The Sony Pictures breach notice for Massachusetts residents (Adobe PDF) listed the specific data exposed and probably stolen:

"... the following types of personally identifiable information that you provided to SPE may have been subject to unauthorized acquisition: (i) name, (ii) address, (iii) social security number, driver’s license number, passport number, and/or other government identifier, (iv) bank account information, (v) credit card information for corporate travel and expense, (vi) username and passwords, (vii) compensation and (viii) other employment related information. In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, social security number, claims appeals information you submitted to SPE (including diagnosis), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to SPE outside of SPE health plans..."

If any items had been encrypted, Sony Pictures probably would have mentioned it. Why wasn't this sensitive information encrypted? That's one problem. Next, the data stolen includes the mother lode of personal, financial, and healthcare information: stuff identity criminals seek for reselling profitably to other criminals, for impersonating breach victims both online and offline, for taking out fraudulent loans, and for obtaining free health care services.

Sony Pictures has arranged for 12 months of free identity-protection services with AllClearID. As I have written before repeatedly, 12 months is insufficient. The data elements stolen do not magically become obsolete in 12 months. Five or ten years of identity-protection services would be better.

Sony's latest breach, and its unencrypted data storage, make one doubt whether its executives have truly learned from prior data breaches and embraced best practices for data security, or whether the company continues to cut corners. As TechCrunch reported:

"Sony Director of Information Security Jason Spaltro even gave an interview in 2007 whose whole point was to revel in Sony’s security loopholes: “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss,” he said at the time. This hack is estimated to cost Sony $100 million after all is said and done. The last one cost the company a cool $171 million..."

What are your opinions about Sony, its data security, or the above list of issues? Are there any additional issues?

Movie approved by the DPRK

[December 24 update: Sony Pictures reversed its prior decision and will release the film in select theatres on Christmas.]


Banks Pay Huge Fines, Again. This Time For Foreign Exchange Trading Abuses

There is an interesting article in the Washington Post titled, "You Should Never Underestimate How Far Bankers Will Go To Game The System." Several banks recently paid huge fines:

"This time, it's a $4.2 billion fine. That's how much UBS, HSBC, Citibank, JP Morgan Chase, Bank of America, and the Royal Bank of Scotland are collectively paying to U.S., U.K., and Swiss regulators for rigging the foreign-exchange, or FX, market."

How the banks rigged the trading exchange:

"Traders at supposedly competing firms worked together to rig the benchmark FX rates in their favor. They deliberately triggered clients' stop-loss orders—the price they'd automatically sell at to limit losses—to boost their own profits. Along with revealing what trades their customers were about to make, which would let them all make it first... the bankers set up [online] chatrooms charmingly named things like "the 3 musketeers" where they planned all this out..."

Kudos to regulators for catching the banks doing illegal activity. Before, it was abuses with residential mortgage-backed securities. The banks have often apologized for the abuses, but those apologies (and fines) are a mild, first step. Consequences must be more extensive.

This latest set of fines highlights what is wrong with the banking sector. Basically, the wrongdoing will continue as long as the likelihood of getting caught is low, no bankers go to prison, and the profits from said activities exceed the fines paid:

"... it's important to remember that these penalties are just the price of doing business for big banks—and tax-deductible ones at that.  And that's why the better news is that the Justice Department is still looking into criminal charges against some of these traders. Far too often, as Matt Taibbi has argued, the Justice Department has all too happy to have banks cut them a fat check rather than—and at the expense of—pursuing criminal charges that are hard to prove and even harder to explain to a jury."

The trading abuses went on for years. The Guardian UK reported:

"Two UK and US regulators said they had found a “free for all culture” rife on trading floors which allowed the markets to be rigged for five years, from January 2008 to October 2013.... In the UK, UBS was handed the biggest fine, at £233m, followed by £225m for Citibank, JPMorgan at £222m, RBS at £217m, and £216m for HSBC. Barclays has yet to settle. In the US, the regulator fined Citibank and JP Morgan $310m each, $290m each for RBS and UBS, and $275m for HSBC."

Consumers: when fines are tax deductible, it's a huge gift to banks because you are paying for the wrongdoing and not the banks. If fines continue to be tax-deductible, enforcement agencies fail to put bankers in prison, and politicians support the status quo, then the time to gather your torches and pitchforks fast approaches.


Home Depot Discloses More Details About Its Data Breach Affecting 53 Million Shoppers

If you shop at Home Depot, then today's blog post is for you. On November 6, 2014, Home Depot disclosed more details about its data breach investigation. Criminals gained access to the retailer's computer network by using a third-party vendor's credentials (e.g., user name and password), and:

"These stolen credentials alone did not provide direct access to the company's point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada...  separate files containing approximately 53 million email addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information."

The announcement did not explain how the criminals gained "elevated rights" with the stolen credentials. Home Depot did not disclose the name of the third-party vendor.

In a prior September 8, 2014 press release (Adobe PDF, 188.4K), the retailer confirmed the breach affecting shoppers who used credit cards in its stores during April to September of 2014. The retailer began its breach investigation on September 2 after several banks and law enforcement agencies notified it of a possible breach. Also on September 8, the retailer offered affected shoppers free credit monitoring services. To learn more about these services, interested shoppers should visit the Home Depot website or call in the USA 1-800-HOMEDEPOT (800-466-3337). Shoppers in Canada should call 800-668-2266.

In its latest announcement, Home Depot said it is notifying affected shoppers in the United States and Canada. The stolen e-mail data means that affected shoppers should also be on alert for phishing e-mail scams designed to trick consumers to reveal their sensitive personal and financial information.

How should consumers view the Home Depot's breach?

53 million affected shoppers is a massive breach. If your credit card payment information has been stolen, the hackers will likely sell the stolen information to other criminals who will then try to use the stolen information to make purchases and/or take out new loans fraudulently. This is what identity criminals do. So, it's wise to seriously consider the retailer's offer of free credit monitoring services.

As things progress, we will probably hear more details about its breach investigation. In its latest announcement, Home Depot did not disclose how many shoppers experienced both stolen e-mails and stolen credit card payment information. This overlap is important. If the overlap was 100 percent, then that says something very different than an overlap of 5 percent. If the overlap was concentrated in certain stores or states, then that says something else. To feel comfortable about shopping at Home Depot, shoppers deserve an explanation of both the overlap and how the related security holes are being fixed.

Back in September, Home Depot took the opportunity in its breach announcement to also announce the upcoming availability of its smart loyalty cards with EMV chips embedded. It seems that the retailer hopes that its smart loyalty cards will help make shoppers feel comfortable. So, we'll probably hear more about its smart cards during the coming weeks. However, smart cards alone do not make a secure computer network and purchase transactions.

While consumers may not focus upon the "elevated rights" statement in Home Depot's latest announcement, you can bet that data security experts, banks, and other retailers are watching closely. Why? eWeek provided an interesting analysis:

"That's the real root cause, in my view—a privilege escalation flaw. Getting into the network itself is interesting, but without the right privileges, which the third-party vendor did not have, the attacker could not do any damage... Home Depot has also reiterated that the malware that was deployed by the attackers, once they had executed their privilege escalation attack, was malware that had previously been unknown. That means it was not the Backoff malware that has impacted 1,000 retailers. What the new Home Depot breach details clearly show is that the breach was a multistage attack that wasn't just about any one failure but rather several defensive inadequacies. Third-party access was breached by an attacker, so that's one point of failure. The privilege escalation issue is the second. The undetected malware itself is the third point of failure. Finally, the fact that the data was taken out from the network without detection is the icing on the cake."

EMV chips won't fix these four failures. Free credit monitoring services won't fix these four failures. The retailer needs to improve its computer systems end-to-end, as the eWeek analysis suggested. What are your opinions of the breach? Of Home Depot's breach investigation? Of the eWeek analysis?


Burger King And Tim Horton's Agree To Merge. The Consequences

This morning, several news sources reported that Burger King, the fast-food chain, and Tim Horton's restaurants have agreed to merge. Horton's is based in Canada. The merger allows Burger King to benefit from a tax inversion, where:

"The combined Canadian coffee chain and U.S. burger chain will have its global headquarters in Canada... In a tax inversion, two international companies merge and move their tax domicile to the lower tax country."

Last month, Bloomberg BusinessWeek published an interesting and informative analysis of the company, its young management, corporate history, and current marketplace challenges. You'll probably want to read the BusinessWeek report titled, "Burger King Is Run By Children."

Professor and former U.S. Labor Secretary Robert Reich posted on Facebook the following about the merger (links added):

"BK’s profits have been flat, mainly because its mostly lower-income customers don’t have enough money to boost sales. So the pending deal is welcome news to investors, who today sent its stock up nearly 20 percent. But it’s a lousy deal for you and me and other Americans because we’ll have to make up for the taxes Burger King stops paying. We’re already subsidizing Burger King because it refuses to raise the pay of its frontline workers, who are now at or near the minimum wage. So we're paying for the food stamps, Medicaid, and wage subsidies its workers need in order to stay out of poverty. That means when BK deserts America to cut its tax bill, we’ll be paying twice. That's a whopper of a slap at America."

A whopper of a slap, indeed. Mr. Reich posted in an update (link added):

"It’s one thing when a company the Pfizer flirts with corporation desertion (technically, a tax “inversion”) to become a foreign company and lower its tax bill. But Burger King, like Walgreen, is highly visible to consumers. Walgreen dropped its plan to desert the United States after a customer backlash and bad publicity. So a boycott of Burger King, accompanied by letters to the local press, picketing for the broadcast media, and a general ruckus, should be helpful."

The phrase "tax inversion" sounds clinical and almost meaningless. I like and prefer the phrase "corporate desertion" since it better describes what is really happening. And, a boycott seems the appropriate consequence for the burger chain's actions.

What are your opinions of Burger King's tax inversion? Of the "corporate desertion" phrase? Of a boycott?


Traveling Abroad? New T.S.A. Rules For Inbound Flights To The U.S.A.

In response to intelligence reports about possible terrorist attacks by Al Qaeda groups in Yemen, the Transportation Security Administration (TSA) issued new rules for flights inbound to the USA. The New York Times reported:

"... the United States has, for the first time, asked officials at more than a dozen foreign airports to confiscate from passengers any electronic devices that cannot be turned on, American officials said on Monday... Passengers will have to turn on the electronic devices while being screened by security personnel to prove that the devices are harmless, the T.S.A. said Sunday. The fear is that unresponsive phones have been hollowed out and filled with explosives..."

The affected airports are in Europe, the Middle East and Africa. The TSA does not screen passengers at foreign airports. The government agencies in each country perform that task, but:

"... foreign airports have to meet a series of requirements from the Department of Homeland Security and the Transportation Security Administration in checking such passengers before they board."

If you will travel abroad, this means you should make sure that all of your electronic devices (e.g., laptops, smartphones, tablets, etc.) are charged because you will be asked to turn them on in order to board your flight to the USA. Otherwise, you may have to leave behind your powerless device.

Read the July 6 announcement by the TSA.

What are your opinions of the new T.S.A. rules?


Highlights From Yesterday's NSA Reform Protest

The protest yesterday included both physical and online events. The online activity included both the #StopTheNSA and #TheDayWeFightBack hashtags. Consumers placed 86,454 phone calls and sent 178,903 e-mail messages to their elected officials in government worldwide. All within 24 hours.

Activity in the United States:

Visit The Day We Fight Back site to learn more about activity in the United States and worldwide. Notable tweets yesterday by elected officials in the United States:

Tweets by Senators Tom Udall and Ron Wyden

Tweet by Senator Ron Wyden

Tweet by Senator Patrick Leahy

Tweet by Senator Bernie Sanders

Meanwhile yesterday, House Speaker John Boehner tweeted about the ACA and the death of Shirley Temple, but did not tweet anything about NSA reform and surveillance. Senate Leader Harry Reid did not tweet anything about NSA reform and privacy, either.


NSA Reform: Take Action Now

I hope that you will join me in today's protest to demand that the USA government reform the National Security Agency (NSA) programs that spy on everyone. Why take action? The Center For Internet And Society (CIS) at Stanford Law School explained the situation well:

"With unfettered information about everyone, we can be singled out, targeted, marginalized, investigated, discredited, or jailed for pushing for peaceful change... So we join The Day We Fight Back to help end mass surveillance, and we hope you will join us, too... Last summer, the world learned that the United States’ intelligence agencies are conducting mass surveillance of millions of innocent people--Americans and citizens of other nations. We don’t know the whole story. Surveillance practices are secret, targets are secret, and even some of the laws under which the agencies operate are secret. The government has many techniques for masking the full scope of its information collection. Nevertheless, newspapers report that the National Security Agency obtained 70 million French telephone calls and 60 million Spanish ones in a single 30-day period. In a single day, the agency sucked in 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers. The NSA also collects daily contacts from an estimated 500,000 buddy lists on live-chat services as well as from the inbox displays of Web-based e-mail accounts. It collects approximately 250 million communications and “communications transactions” a year from inside the United States, a collection that includes Americans’ messages and calls with people overseas, as well as improperly collected purely domestic communications the NSA nevertheless keeps. The agency also obtains hundreds of thousands of peoples’ calling records under a law whose primary sponsor says was never conceived of for bulk collection purposes. Perhaps worse, the United States government actively undermines Internet security by subverting the process for adopting encryption standards and forcing companies to install surveillance back doors."

Action by Congress is long overdue. Unfamiliar with the issues? Read the Surveillance section of this blog, and follow any of the above links. Then, take action. You can contact your elected officials using the banner that overlays all posts on this blog, here, or here.


RSA Announced "ChewBacca" Malware Attacked Retailers In 11 Countries

Global security firm RSA announced the discovery of "ChewBacca" malware attacks which targeted point-of-sale (PoS) systems in retail stores. The malware attacked and stole shoppers' credit card payment information in 11 countries, including the United States, Australia, Canada, and Russia:

"While the malware used in the operation is not new, RSA researchers discovered that, beginning October 25th, it had logged track 1 and 2 data of payment cards it had scraped from infected PoS systems."

Tracks 1 and 2 of the magnetic stripe on your credit card, a layout developed by the banking industry, typically include the following payment information:

  • Cardholder's full name
  • Credit card number
  • Credit card expiration date
  • Country code

Track 3 of the magnetic stripe is used to store PIN, currency, authorized amounts, and other payment data for debit card transactions. It appears that a different malware version targeted both credit and debit cards via infected PoS terminals during the Target data breach. Neiman Marcus has disclosed a few details about its data breach, while Michaels Stores has not -- so far.

The malware copied payment information from the PoS terminal's memory at the moment the shopper's payment data was unencrypted. The malware then sent the stolen payment information to a hidden Internet-connected server.

The Trojan was named "ChewBacca" because the sign-in page for malware users features an image of the popular character from the Star Wars films. To protect shoppers' payment data against malware like ChewBacca, RSA suggested:

"Retailers have a few choices against these attackers. They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors."

So, doing nothing is not an option. Business-as-usual is not an option.
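To show the "encrypt or tokenize at the point of capture" approach RSA recommends, here is an added Python example (not RSA's code or this blog's): it parses the track 1 and 2 layouts listed above, checks the card number with the Luhn algorithm, and immediately replaces it with a keyed token so only the last four digits remain in plaintext in the terminal's memory. The token key and the card number 4111111111111111 used in the usage at the bottom are constructed test values.

```python
"""Added example: tokenize magnetic-stripe track data at the point of capture."""
import hashlib
import hmac
import re

# Constructed key for this demo. A real terminal keeps the key in a hardware
# security module or asks the payment processor for the token instead.
TOKEN_KEY = b"example-tokenization-key-not-real"

# ISO 7813 layouts: track 1 is %B<PAN>^<NAME>^<YYMM><svc><discretionary>?
# and track 2 is ;<PAN>=<YYMM><svc><discretionary>?
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
TRACK2 = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that separates a real card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str) -> str:
    """Replace the PAN with a keyed hash; only the last four digits survive."""
    tag = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]
    return f"tok_{tag}_{pan[-4:]}"


def capture(track: str) -> dict:
    """Parse one swipe and return only tokenized, non-sensitive fields."""
    m = TRACK1.match(track)
    if m:
        pan, name, yy, mm = m.group(1), m.group(2).strip(), m.group(3), m.group(4)
    else:
        m = TRACK2.match(track)
        if not m:
            raise ValueError("unrecognized track data")
        pan, name, yy, mm = m.group(1), None, m.group(2), m.group(3)
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    # The plaintext PAN is dropped here; nothing below this point holds it.
    return {"token": tokenize_pan(pan), "last4": pan[-4:],
            "exp": f"{mm}/{yy}", "name": name}


if __name__ == "__main__":
    print(capture(";4111111111111111=2512101?"))   # constructed test swipe
```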


Are You Walking Blindly In The 'Big Data' Revolution?

There is a good article on the BBC News website about the trends and impacts of technology -- namely about how "big data" is transforming the entire planet. "Big data" refers to the information companies and governments collect about consumers. They collect this information from a variety of sources:

"... not only from posts to social media sites, mobile signals and purchase transactions but increasingly from sensors on objects from lamp-posts to skyscrapers...In Birmingham, lamp-posts are being fitted with sensors that can transmit information about cloud cover to offer hyper-local weather forecasting. In Norway, more than 40,000 bus stops are tweeting, allowing passengers to leave messages about their experiences... At MIT's Senseable City Lab, 5,000 pieces of rubbish in Seattle were geo-tagged and tracked around the country for three months to find out whether recycling was really efficient..."

You've probably noticed video surveillance cameras on street lights across the country. That's another source. This blog has reported on many other sources.

All of these types of devices will be used more and more in what people call a "smart city":

"The core functionality of a smart city requires a vast amount of data to be collected on every aspect of our lives every minute of every day. The question is how does that data get used? And it doesn't require a huge amount of imagination to see how it could be used to monitor people... the control of information is being taken away from citizens, and companies providing services are rushing to find ways of generating revenue from the data they hold. The danger is... individuals will not be able to control the ways they are monitored or what happens to the information, which is exactly the opposite of how it should be."

It seems to me that all of this distills into a single issue for consumers:

"... People have clicked "yes" to those terms but don't realise that everything you share can be collected. We could be walking blindly into a 24/7 surveillance society..."

We have traded privacy for convenience.

Are you walking blindly? Are you willing to continue trading convenience for privacy? Are you willing to question online processes, privacy disclosures, and website terms of usage? Are you willing to push back and say: enough? Are you willing to demand that your elected officials place consumer protections before privacy abuses happen, and not minor, ineffective protections afterwards? Are you willing to support any of the consumer advocacy groups that look out for your privacy?


CBC Interactive Map Of Foreign Travel Advisories

I like to travel to different countries. So do many people. If you plan to travel abroad, then you might find this resource helpful for avoiding being mugged, having your identity stolen, or worse.

The Canadian Broadcasting Corporation (CBC), based on data from Canada's Department of Foreign Affairs, produced an interactive map of travel advisories for consumers. The map highlights places to avoid and places where extra security precautions are warranted.

In the United States, the Bureau of Consular Affairs within the State Department provides similar information with alerts and warnings for foreign travel.


5 Online Privacy Tips To Keep You And Your Family Safe

Monday will be Data Privacy Day (DPD), with celebrations in North America and Europe to raise awareness and educate consumers about privacy. DPD was started in 2008. This year's theme is "Respecting Privacy, Safeguarding Data and Enabling Trust." This year's events begin with a privacy forum at the George Washington University Law School in Washington, DC. Federal Trade Commissioner Maureen Ohlhausen is the keynote speaker. More events are scheduled nationwide throughout February.

To support this event, AnchorFree and the National Cyber Security Alliance have jointly developed a list of tips for consumers to maintain their privacy when connected to the Internet via a smartphone, tablet, or laptop/desktop computer:

"1. Risky business - Make sure all family members understand the public nature of the Internet and its risks. Any digital information they share -- emails, photos or videos -- can easily be copied and pasted elsewhere, and is almost impossible to take back. Anything that could damage their reputation, friendships, wallet or future prospects should not be shared electronically."

A recent study found that 30 percent of teenage girls meet strangers they met online in person. So, it is critical for parents and families to practice safe habits while connected to the Internet and in the physical world. If you are a parent, grandparent, or guardian who plans to buy a smartphone for a child, then you definitely should read this contract one smart parent created to help her manage her teen's online usage.

"2. Keep it hidden, keep it safe - Make sure all family members are careful about sharing sensitive information such as birth date, addresses, phone numbers, location, financial information, social security numbers, passwords and vacation plans. Most reputable online services have privacy settings. Teach your kids how to use them, too."

"3. Browse intelligently - Avoid using sketchy, unfamiliar websites, and delete suspicious emails, particularly those that ask for unnecessary personal information or request that you download something. These may be malware or phishing sites out to steal your personal data."

There are several products available to automatically delete browser HTTP cookies and other files (e.g., Flash cookies and other LSOs, Locally Shared Objects) that websites use to track you while connected to the Internet. This blog has reviewed some of them, including the MAXA Cookie Manager. I use the BetterPrivacy plugin with the Firefox browser.

The next item is critical because smartphones and tablets save a ton of metadata with each photograph or video you take. The metadata stored with your photos includes a lot of descriptive information, including but not limited to a photo description (e.g., title, subject, tags, comments), author, date and time created, copyright information, image description (e.g., dimensions, resolution, color details, compression), camera description (e.g., make, model, F-stop, exposure, flash mode, zoom setting, lens maker, lens model, serial number, EXIF version), and file information (e.g., date created, date modified, file type, file name, size, attributes, owner, computer name). From photo metadata combined with your GPS location, a company can tell a lot about you, your purchases, your lifestyle, plus what you did and spent, when and where.

That metadata gets uploaded to your favorite social networking website whenever you upload photos. Some social networking sites collect, save, and share all of that metadata. Others use some of it. So, consumers should:

"4. Turn off geolocation - Many apps' permissions include backdoor location trackers that are constantly streaming your location. If you're not actively using your phone to navigate, turn them off. The FTC recently noted that many apps aimed at children are disclosing location; make sure your kids are following this rule of thumb as well."
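Turning off geolocation stops new photos from being tagged, but photos already on the device still carry the EXIF block described above. As an added example (not from this post or from AnchorFree/NCSA), the following Python walks a JPEG's segment headers and drops the APP1 (Exif/XMP) and APP13 (IPTC) segments, which is where GPS coordinates, camera serial number and the other listed fields live, before the file is uploaded. The sample JPEG built by `build_sample()` is constructed for the demo and contains no real image data.

```python
"""Added example: strip Exif/XMP/IPTC metadata segments from a JPEG."""
import struct

SOI = b"\xff\xd8"          # Start of Image
SOS = 0xDA                 # Start of Scan: compressed pixels follow
METADATA_MARKERS = (0xE1, 0xED)   # APP1 (Exif, XMP) and APP13 (IPTC)


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with metadata segments removed.

    Every segment between SOI and SOS has a 2-byte marker and a 2-byte
    big-endian length (which counts itself). Image data after SOS is copied
    through untouched, so the picture itself is not altered.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG")
    out = bytearray(SOI)
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:
            out += data[pos:]
            return bytes(out)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker not in METADATA_MARKERS:
            out += data[pos:pos + 2 + length]   # keep JFIF, quant tables, etc.
        pos += 2 + length
    out += data[pos:]
    return bytes(out)


def has_exif(data: bytes) -> bool:
    """Quick check for the Exif header that precedes the TIFF metadata block."""
    return b"Exif\x00\x00" in data


def build_sample() -> bytes:
    """Constructed JPEG: SOI, an APP1 Exif segment carrying a fake GPS field,
    a minimal APP0 JFIF segment, then SOS with two dummy bytes and EOI."""
    exif_payload = b"Exif\x00\x00" + b"GPSLatitude=51.5074"
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif_payload) + 2) + exif_payload
    jfif_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif_payload) + 2) + jfif_payload
    return SOI + app1 + app0 + b"\xff\xda\x00\x02" + b"\x12\x34" + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample()
    print(has_exif(sample), has_exif(strip_jpeg_metadata(sample)))
```

Run it on a real photo with `strip_jpeg_metadata(open("photo.jpg", "rb").read())`; the output is still a valid JPEG, with only the metadata segments gone.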

The last tip cannot be overemphasized. Public WiFi hotspots are everywhere. If you expect to perform sensitive tasks (e.g., online banking, or accessing sensitive documents from your employer) while connected to a public WiFi hotspot, you should:

"5. Get behind a shield - Use a VPN such as Hotspot Shield, which will help identify malware sites and provide a secure, encrypted connection to the Internet for desktop or mobile devices, protecting your browsing from hackers and snoops. This is particularly important when using public Wi-Fi or other unknown networks."

AnchorFree produces Hotspot Shield. There are other brands available. Take a look at Get Cocoon and PrivateWiFi.

The National Cyber Security Alliance is a nonprofit organization formed to educate and empower consumers about Internet privacy. It collaborates with government, corporate, other non-profit and academic entities. NCSA board members include: ADP, AT&T, Bank of America, EMC Corporation, ESET, Facebook, Google, Intel, McAfee, Microsoft, PayPal, Science Applications International Corporation (SAIC), Symantec, Trend Micro, Verizon and Visa.

Some of those board members have a ways to go regarding privacy in their products or services. As a business consultant, I regularly use VPN software to remotely and securely access my clients' networks and servers. This blog post is not an endorsement of Hotspot Shield, since I have not used it.

What's your opinion of this list of tips? What VPN software do you use?