
15 posts from April 2014

Massachusetts And Several States' Attorneys General Investigate Breach At Experian

I apologize to readers. I am almost caught up with blog posts after the DDoS attack last week against Typepad, the blogging service I use.

Last week, the Office of the Attorney General of Massachusetts announced an investigation, along with several other states' attorneys general, of the Experian credit reporting agency after criminals were able to obtain consumers' sensitive financial data. The statement said:

"On March 3, Hieu Ngo, a Vietnamese national, pleaded guilty to federal charges in New Hampshire federal court involving his operation of a website that offered his clients access to sensitive personal information for more than 200 million U.S. citizens, including social security numbers, which could be used to commit identity theft or financial fraud... Ngo gained access to the personal information when he obtained an account with a U.S. company known as Court Ventures by posing as a private investigator from Singapore. Due to a reciprocal data sharing agreement between Court Ventures and U.S. Info Search, LLC of Columbus, Ohio, Ngo’s account allowed him access to a database that allegedly contained names, addresses, dates of births, and social security numbers of more than 200 million U.S. citizens."

Ngo may have already resold stolen credit reports, since about 1,300 persons accessed his online account:

"For at least an 18-month period, more than 3.1 million queries were made to the database using Ngo’s account. According to Experian, it purchased Court Ventures’ assets in March 2012, and continued to honor Ngo as a customer until December 2012."

Experian and Court Ventures have sued each other about indemnification: who will pay the costs for this breach. Regardless of who pays in the end, it is bad. Very bad. With 200 million consumers affected, the breach will victimize consumers in most, if not all, states. Massachusetts AG Martha Coakley said:

"We are especially concerned about allegations that the companies may have known of this incident for over a year, while not reporting it so consumer could protect themselves. We will actively investigate this matter and in the meantime, we remind consumers to take proactive steps to protect their personal information.”

The Massachusetts Attorney General advised consumers:

  1. Order copies of your credit reports from the three major credit-reporting agencies (e.g., Experian, Equifax, and TransUnion) and review them for fraudulent entries.
  2. If you notice fraudulent entries on your credit reports, place a Fraud Alert on them.
  3. Review your credit card and debit card statements for fraudulent entries.
  4. Contact the fraud departments at your bank or card issuer to report fraudulent charges.
  5. File a police report with local police if you are a victim of fraud.
  6. Consider placing a Security Freeze on your credit reports for stronger protection.

Consumers that don't have a credit monitoring service can visit to order their free credit report once each year from the three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion). Consumers that experience fraud can also submit complaints to the Federal Trade Commission, which tracks fraud affecting consumers.

Consumers who experience problems (e.g., poor customer service, failure to fix fraudulent charges you reported, etc.) with a credit reporting agency can submit complaints to the Consumer Financial Protection Bureau (CFPB). At the CFPB site, click on the "Submit A Complaint" link. The CFPB began overseeing credit reporting agencies in 2012.

Expect to hear more news about this breach investigation.

AOL Issued Statement About A Data Breach And Criminal Activity Affecting Its Customers

Earlier today, AOL released a security statement about a data breach and criminal activity affecting its users. The statement read in part:

"We are writing to notify you that AOL is investigating a security incident that involved unauthorized access to AOL's network and systems... AOL's investigation began immediately following a significant increase in the amount of spam appearing as "spoofed emails" from AOL Mail addresses... AOL's investigation is still underway, however, we have determined that there was unauthorized access to information regarding a significant number of user accounts."

The statement said that 2 percent of its 3 million subscribers had been affected already by spam. The statement provided few details, maybe because it is still early in the breach investigation. The data elements hackers had unauthorized access to included AOL users' email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions.

It is wise for AOL users to pay close attention to all upcoming security statements. In today's statement, AOL advised its members to change their passwords and:

"1. If you receive a suspicious email, do not respond or click on any links or attachments in the email.

2. When in doubt about the authenticity of an email you have received, contact the sender to confirm that he or she actually sent it.

3. Never provide personal or financial information in an email to someone you do not know. AOL will never ask you for your password or any other sensitive personal information over email.

4. If you believe you are a victim of spoofing, consider letting your friends know that your emails may have been spoofed and to avoid clicking the links in suspicious emails."

If you have questions, AOL suggested that its users visit

FCC Shifts Its Policy On Open Internet Rules. The Consequences For Consumers Are Extensive

On Thursday, the Federal Communications Commission (FCC) announced its new policy about Open Internet Rules, frequently referred to as "Net Neutrality." FCC Chairman Tom Wheeler wrote on April 24, 2014 about the agency's new policy:

"The Notice proposes the reinstatement of the Open Internet concepts adopted by the Commission in 2010 and subsequently remanded by the D.C. Circuit. The Notice does not change the underlying goals of transparency, no blocking of lawful content, and no unreasonable discrimination among users established by the 2010 Rule. The Notice does follow the roadmap established by the Court as to how to enforce rules of the road that protect an Open Internet and asks for further comments on the approach."

Earlier this year, the D.C. Court of Appeals gutted the existing Open Internet Rules. In February, I cited in this blog the MediaPost explanation of the situation, which I repeat:

"In January, the D.C. Circuit Court of Appeals gutted the FCC's net neutrality rules, which prohibited broadband providers from blocking lawful content or apps. The court ruled that the FCC couldn't impose common carrier regulations on broadband providers, given that the agency classified broadband as an “information” service in 2002. Neutrality advocates now say the FCC must first reclassify broadband as a telecommunication service if the agency wants to impose neutrality rules that will stand up in court. That way, broadband providers will be subject to the same common carrier rules that require telephone companies to put through all calls."

This isn't real Net Neutrality. It is some weird, twisted corporation-friendly form of Net Neutrality. This is very troubling, and Chairman Wheeler's comments are perhaps misleading since he didn't mention reclassification. He should have mentioned it. The FCC classified broadband as an "information service" in 2002. The New York Times described the FCC policy shift:

"The Federal Communications Commission said on Wednesday that it would propose new rules that allow companies like Disney, Google or Netflix to pay Internet service providers like Comcast and Verizon for special, faster lanes to send video and other content to their customers."

The Wall Street Journal described the new FCC policy:

"Proposal Would Allow Broadband Providers to Give Preferential Treatment to Some Traffic... Regulators are proposing new rules on Internet traffic that would allow broadband providers to charge companies a premium for access to their fastest lanes... The proposal marks the FCC's third attempt at enforcing "net neutrality"—the concept that all Internet traffic should be treated equally."

The Electronic Frontier Foundation (EFF) described the new policy:

"... Chairman Wheeler’s new proposal embraces a “commercially reasonable” standard for network management. That standard could allow ISPs to charge companies for preferential treatment, such as charging web-based companies like Netflix or Amazon to reach consumers at faster speeds. This kind of “pay to play” model would be profoundly dangerous for competition. New innovators often cannot afford to pay to reach consumers at the same speeds as well-established web companies. That means ISPs could effectively become gatekeepers to their subscribers... The devil will be in the details."

Preferential treatment is a pretty good description. A better description might be, "net discrimination." Juan Cole wrote in his Informed Comment blog:

"FCC Plots Murder of Blogs on Behalf of Billionaire Media Lords... What does this mean? It means that the companies with more money and more bankrolling (and a better way to bribe services like Comcast) will have more broadband, while other, smaller companies that haven’t curried favor with their corporate overlords are going to be left with the table scraps. ISPs cannot legally slow traffic on purpose, but when you have a two tier system and the corporate approach to ethics (that is, “catch me doing something wrong, I dare you”), how do you tell the difference between slow and “slow?” "

Preferential treatment and greater fee revenue are exactly what Verizon, AT&T, and the large telecom corporations wanted. And Chairman Wheeler seems happy to give it to them. Presidential Candidate Obama acknowledged the importance of Net Neutrality, but President Obama isn't pushing the FCC to reclassify broadband. That's not the change I wanted nor voted for.  President Obama appointed Wheeler as FCC Chairman and Wheeler began work as FCC Chairman on November 4, 2013.

Chairman Wheeler also wrote on Thursday:

"The Court of Appeals made it clear that the FCC could stop harmful conduct if it were found to not be “commercially reasonable.” Acting within the constraints of the Court’s decision, the Notice will propose rules that establish a high bar for what is “commercially reasonable.” In addition, the Notice will seek ideas on other approaches to achieve this important goal consistent with the Court’s decision. The Notice will also observe that the Commission believes it has the authority under Supreme Court precedent to identify behavior that is flatly illegal."

The terms "unreasonable discrimination" and "commercially reasonable" allow plenty of room -- too much room -- for telecommunications companies and Internet Service Providers (ISPs) to create price increases embedded within fast and slow lanes. Think of it this way: what do you think an ISP will do for a publisher's website that refuses to pay such fees? That site won't receive the same delivery speed and/or level of service (to users) as other sites that paid the fees. Otherwise, there's no incentive to pay the fees. And boom... you have fast and slow lanes. That's the ISP's leverage to force publishers to pay fees.

The result: ISP services with fast and slow lanes that are dictated by the ISP. This is not consumer choice. This is not the marketplace at work. Think of it this way: can you pick and choose specific channels today with your cable television service? No. Your cable provider arranged the packages of stations. Consumers view that as unreasonable although the cable industry views it as reasonable. Now, the FCC seems content to let ISPs do the same with broadband... and call that "commercially reasonable."

So, your ISP gets to decide the packages of Internet sites it will offer. Not you. You will lose that freedom. Here comes broadband Internet with even higher prices, no faster speeds, and no better service.

Plenty of Net Neutrality advocates have made these price-increase arguments previously. Chairman Wheeler addressed the price-increase topic in his Thursday post:

"The allegation that it will result in anti-competitive price increases for consumers is also unfounded. That is exactly what the “commercially unreasonable” test will protect against: harm to competition and consumers stemming from abusive market activity."

I found Chairman Wheeler's comments to be mistaken on this point. The cable industry has proven it will raise prices continually. The same companies also offer broadband Internet, and want to consolidate via merger. The FCC's policy shift does not restore Net Neutrality. It kills it. The indicator: no longer is all content treated equally. No longer do consumers decide where to go with the broadband bandwidth they've paid for. ISPs can charge some publishers fees for content they believe and can "reasonably" justify. Think of your favorite video sites, since video consumes more bandwidth than plain text. If a publisher can't pay the fees, then they will have a tougher time getting their content and websites distributed.

Think about your favorite cloud services and all of your files -- text, music, and video -- that you have stored there... assuming unlimited Internet access. Guess what? The ISPs could lump those cloud services sites (e.g., Dropbox, Apple iCloud, etc.) along with other video sites in the fast lane; or in the slow lane if the publishers refuse to pay the fees.

Think about cash-strapped start-ups. The new FCC policy doesn't increase innovation. It stifles innovation.

I found Chairman Wheeler's comments and the new FCC policy troublesome also because he didn't address the fact that the USA lags many other countries in broadband speeds while leading with the highest prices. Consumers in the USA simply aren't getting the value citizens in other countries get. I don't see any of Wheeler's comments addressing this.

FCC Chairman Wheeler promised innovation. Where's the innovation? Where's the beef? It seems like a big, fat zero to me. A price increase and windfall for telecommunications and ISP companies; with no downward pressure on prices for consumers. Add to this the fact that many telecommunications companies have already inserted binding arbitration clauses into their agreements with consumers, and you have a playing field that is even more heavily tilted towards telecommunications companies and against consumers.

Add to this the fact that the playing field is tilted even further by restrictive laws in some states that prevent towns and municipalities from operating their own fiber Internet services. It is fair to ask: how many more jobs and new businesses would have been created in your state (or city) if it had fiber Internet access everywhere? Some local towns tried and got squashed:

"In North Carolina a couple of years ago lobbyists for Time Warner persuaded the state legislature to make it almost impossible, virtually impossible for municipalities to get their own utility... And so now North Carolina, after being beaten up by the incumbents is at the near the bottom of broadband rankings for the United States... All those students in North Carolina, all those businesses that otherwise would be forming, they don't have adequate connections in their towns to allow this to happen..."

It is fair to ask Chairman Wheeler: how many more jobs would be created in the USA with broadband reclassified as a telecommunications service (e.g., utility)?

What should consumers do now?

It is time to take action. That means, contact your elected officials today and demand genuine net neutrality; not the faux net neutrality FCC Chairman Wheeler pitched. Demand that your elected officials force the FCC to reclassify broadband Internet as a utility. John Nichols said it well at

"Recognize that this is the time to send a clear signal of support for genuine net neutrality. The FCC has listened in the past when a public outcry has been raised, on media ownership issues, diversity issues and Internet access issues. Wheeler is a new chairman. It’s vital to communicate to him and to the other members of the commission that President Obama was right when he said that establishing “fast lanes” on the Internet “destroys one of the best things about the Internet — which is that there is this incredible equality there.” "

It is important for consumers to speak up twice: now and later when the FCC releases its Notice of Proposed Rulemaking (NPRM). Voice your concerns and outrage. As the EFF warned:

"While all we have now is a statement that a proposal for what the proposed rules might look like is being circulated in private within the FCC, the public should be poised to act. In an FCC rulemaking process, the commission issues what’s called a Notice of Proposed Rulemaking (NPRM). After the NPRM is issued, the public is invited to comment to the FCC about how their proposal will affect the interest of the public. The FCC is required by law to respond to public comments, so it’s extremely important that we let the FCC know that rules that let ISPs pick and choose how certain companies reach consumers will not be tolerated."

Have you contacted your elected officials? Are you ready to comment when the FCC releases its NPRM?

DDoS Attack Hits Typepad Blogging Service

The last few days have been interesting. This blog uses the Typepad blogging service, which was hit by a Distributed Denial of Service (DDoS) attack first on Friday, and then again on Monday and Tuesday. I am not going to explain what a DDoS attack is. You can find online plenty of definitions, or follow the above link.

The bottom line is this: it has been frustrating for both readers and for bloggers. All blogs were affected and were unavailable. Perhaps, you found my blog available but were unable to submit comments. For most of Friday and Monday, I was unable to sign in to approve comments or write new blog posts. For the moment, services appear to be all back up. I'd like to thank all of my readers for your patience through this frustrating time. Like other Typepad bloggers, I check Everything Typepad for status updates and the Typepad Twitter page. This tweet was posted 2:37 pm Tuesday:

@typepad Typepad is up for most. Mapped domains + certain extensions ( ,, .fr) still experiencing issues. #typepadstatus

I'd also like to thank the good folks at Typepad for all their hard work to restore services. They haven't said (yet) who is behind the attack. My guess, and it's purely a guess, is that it's retaliation by offshore spammers after Typepad implemented some really good security enhancements last month that blocked spammers and greatly reduced the tsunami of spam comments.

After this DDoS attack, the recent Heartbleed OpenSSL privacy flaw, and ongoing dragnet online surveillance by government spy agencies, the Internet surely seems like a far less reliable and safe tool than we all thought or hoped for. Over the last 15 to 20 years, people worldwide have shifted many tasks and businesses to the Internet: shopping, banking, news, sports, customer service, and more. How do we make the Internet safer and more reliable?

Michaels Stores Confirmed 3 Million Debit And Credit Card Customers Affected By Breach

Michaels Stores confirmed on Thursday that 3 million credit card and debit card users were affected by its recent data breach. The retailer's statement read in part:

"After weeks of analysis, we have discovered evidence confirming that systems of Michaels stores in the United States and our subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware... we have identified and fully contained the incident, and we can assure you the malware no longer presents a threat to customers... the attack targeted a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014."

In some Michaels stores, the attack lasted for a short duration. Michaels announced its data breach in January. The attack lasted about the same duration, eight months, at Aaron Brothers stores:

"Regarding Aaron Brothers, the Company has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware. The Company estimates that approximately 400,000 cards were potentially impacted during this period."

The retailer's statement did not explain what security steps were taken so that a breach like this does not happen again. In its statement, Michaels seemed to try to minimize the breach impacts by emphasizing the portion of customers affected:

"Regarding Michaels stores, the attack targeted a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014. Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue. The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period."

If you were one of the affected customers, there is no minimizing the hassles and disruption you experienced to get a replacement card from your card issuer, reset online billing and automatic payments for your new card account, and report fraudulent charges and/or money stolen to your card issuer for reimbursement.

Affected Michaels stores (Adobe PDF) are in 49 states, excluding Hawaii. Affected Aaron Brothers stores (Adobe PDF) are in Arizona, California, Colorado, Nevada, Oregon, Texas, and Washington.

Google Revises Its Terms To Reflect Scanning Of Inbound And Outbound Email Contents

On Monday, Google revised its Terms of Service to better reflect the fact that it scans the contents of all e-mail messages sent and received via Google Mail (Gmail). Ars Technica reported:

"The change comes as Google undergoes a lawsuit over its e-mail scanning, with the plaintiffs complaining that Google violated their privacy. E-mail users brought the lawsuit against Google in 2013, alleging that the company was violating wiretapping laws by scanning the content of e-mails. The plaintiffs' complaints vary, but some of the cases include people who sent their e-mails to Gmail users from non-Gmail accounts and nonetheless had their content scanned."

So, Gmail users should read the revised terms of service. Consumers who don't use Gmail should be aware that their e-mail messages are scanned when they send messages to or receive messages from friends, family, colleagues, and classmates who use Gmail. Is it right for people who don't use Gmail to have their e-mail messages scanned? Many people believe it isn't right, and that's one reason for the lawsuit.

It's important to note that you can't always tell when somebody you know uses Gmail. The domain in e-mail addresses is an indicator, but it isn't 100 percent accurate. Why? Gmail provides custom e-mail services to many schools and colleges. Last fall, I experienced this firsthand when I took a class at a local community college. During registration, the college required me to sign up for its e-mail service, a custom e-mail service provided by Gmail. My college e-mail address had the standard .EDU extension.

This is not new since Google and Microsoft have provided custom e-mail services for years, which saves money for cash-strapped schools. What's new is that you, or the students in your family, probably don't realize all of the instances when you communicate with somebody who uses Gmail.

The community college where I took my classes went a step further and provided this in its Computer Use Policy:

"7. Users of the College's Computer Network for electronic mail purposes should have no expectation of privacy. The College reserves the right to access or interrupt e-mail communications or transmissions for routine system maintenance, technical problems, criminal investigations, or in response to, and in compliance with, a request made under the Commonwealth's Public Records Laws."

Throughout most of my class, I used my personal e-mail address instead of my school e-mail address. Students and staff using custom e-mail services should closely read the terms and privacy policies provided by their education institution and e-mail vendor.

The tradeoff should be clear: give up all of your privacy and in return receive free e-mail services and relevant targeted ads based upon the contents of your e-mail messages. Is that a fair trade? What's your opinion of custom e-mail services? Of the lawsuit against Gmail?

Your Car Is The Next Advertising And Data Collection Frontier

Advertisers view your personal auto as the next frontier to display targeted, relevant advertisements based upon when and where you drive, plus how long you park at certain locations. All of this is possible as manufacturers equip cars with computing technology similar to what's in your smart phone and tablet computer. Think of your car as simply another mobile device.

Business Insider explained advertisers' interest:

"Americans spend an average of 1.2 hours a day traveling between locations and American commuters spend an average of 38 hours a year stuck in traffic. If mobile apps and Internet-based services can shoehorn their way into the in-car environment, that means a great opportunity to expand their ability to engage consumers, absorb their attention, and gather data."

It really doesn't matter whether you drive your car, or you use the Google self-driving car. The data collection will be massive and advertisers plan to capitalize on the opportunity. Say Media reported:

"... the McKinsey Global Institute estimates that the automotive industry will be the second largest generator of data by 2015. Gartner reports that, by 2018, one in five cars on the road will be "self-aware" and able to discern and share information on their mechanical health, their global position and status of their surroundings."

The data collected is not only GPS location and engine performance from sensors embedded throughout the car. The data collected is not only your travel directions and map information. It also includes your music selections and interactions with other mobile devices, since cars are Internet connected, access files in cloud services, and often operate as WiFi hotspots.

Then, there is the coming practice of "geo-fencing," the dynamic, real-time display of location-specific advertisements:

"According to the Placecast Blog, they and Aha™ by HARMAN have begun testing new in-car advertising that delivers relevant, real-time promotional offers to consumers based on the vehicle's locations. Quiznos is the first brand to activate promotional offers using the new service. When your vehicle enters a geo-fenced area, a Quiznos audio ad is inserted into the stream. A tap on the interface emails a coupon to your mobile device for use in the store..."

So, if you are driving near a particular fast-food restaurant chain, you will likely see advertisements and/or coupons displayed in your car (and/or on your mobile device connected to your car) about nearby restaurants and stores. Say Media posed some more relevant questions:

"... how much access advertisers will actually have to proprietary in-vehicle systems. Should auto manufacturers act as a gatekeeper, shielding their car's drivers from unwanted messages? Or should auto brands open-source their code for in-vehicle modules like the Ford Motor Company? Ford's strategy is to provide a link allowing apps on Android phones or iPhones to be controlled through the car's electronic units."

Proprietary in-vehicle systems include the myriad of sensors embedded throughout your car that monitor and report information about specific components (e.g., engine, brakes, cameras, speed, road conditions, etc.). For me, consumers should be in control. And, there are many more questions:

  • Who stores the data collected by your car, and how long is it retained?
  • Who owns the data collected by your car (e.g., driver, auto manufacturer, operating system software developer, mobile app developer, advertiser, advertising network, mobile device manufacturer, insurance company, etc.)?
  • What other companies is the data collection shared with (especially auto maintenance, repair, and sensor information)?
  • Who controls the data sharing?
  • When and where are relevant policies (e.g., privacy, terms of use) displayed?
  • Are programs opt-in or opt-out based for consumers? Hopefully, the former.
  • What privacy tools will be available for drivers?
  • What anti-virus options will prevent malware, spam, and botnets from using your car?
  • Will cars include embedded code by the NSA and other intelligence agencies?
  • Supposedly, targeted and relevant advertisements are a convenience for consumers. How much convenience is enough?

If current Internet practices win out, then your car will likely operate similar to your Web browser, with a race by advertisers and companies to collect as much as possible via a variety of technologies (e.g., not just browser cookies) that track you and your movements.

What are your views about smart cars? About advertisements via geo-fencing? About privacy options for drivers?

Heartbleed Spreads, The NSA Denies It Knew About The Security Flaw

A lot happened last week. First, there was the revelation about the Heartbleed security flaw. Then, the Heartbleed bug was found in Cisco routers and Juniper Networks equipment. Networking vendors, including F5 Networks and Fortigate, issued security alerts about their equipment. Many mobile devices running the Android operating system are vulnerable. There was speculation Friday about when the intelligence community learned about Heartbleed. Bloomberg reported on Friday that the NSA knew about it and used it for surveillance and hacking.

Also on Friday, the developer who introduced the error into the SSL open-source code apologized. For readers that are unfamiliar with the history of SSL (Secure Sockets Layer), it was introduced by Netscape in 1994.  Like any other software, there have been several versions (e.g., 1.0, 2.0, etc.) of it. Some versions have more vulnerabilities than other versions. SSL is also open-source software, meaning it is community-based: developers from several companies work on it (as their employers donate time and resources) to improve it. The theory is that several people working on software will make it stronger and better than otherwise.

There is no way for consumers to know which OpenSSL version a website uses. Sites may use their own, proprietary version or the open-source version. The Heartbleed site listed the vulnerability by version:

"OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable. OpenSSL 1.0.1g is NOT vulnerable. OpenSSL 1.0.0 branch is NOT vulnerable. OpenSSL 0.9.8 branch is NOT vulnerable. Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug."

This makes one wonder if there wasn't enough invested in OpenSSL improvements. Or, too many websites used older versions. Or both. Meanwhile, online criminals and identity thieves have gotten better and more skillful. So, software like OpenSSL needs to be continually improved.
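While consumers cannot see a website's OpenSSL version, administrators can run `openssl version` on their own hosts and check the result against the ranges quoted above. The following is an added example, not code from this blog or from the Heartbleed site; the hostnames and inventory lines are constructed, and treating 1.0.1 releases after 1.0.1g as fixed is an assumption.

```python
import re
from collections import Counter

VULNERABLE, NOT_VULNERABLE, UNKNOWN = "vulnerable", "not vulnerable", "unknown"

# Accepts `openssl version` output ("OpenSSL 1.0.1g 7 Apr 2014") or a bare "1.0.1g".
_VERSION = re.compile(r"^(?:openssl\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(-[0-9a-z.+~]+)?")


def _letter_rank(letter):
    # OpenSSL patch letters sort as "" < a < ... < z < za < zb ...
    return (len(letter), letter)


def classify(version_text):
    """Map one version string to (status, note) using only the ranges quoted in the post."""
    m = _VERSION.match(version_text.strip().lower())
    if not m:
        return UNKNOWN, "not an OpenSSL version string"
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    letter, suffix = m.group(4), m.group(5) or ""
    if any(tag in suffix for tag in ("beta", "dev", "pre")):
        return UNKNOWN, "pre-release build, not covered by the quoted list"
    if branch == (1, 0, 1):
        if _letter_rank(letter) <= _letter_rank("f"):
            note = "1.0.1 through 1.0.1f"
            if suffix:
                # Distribution packages can backport a fix without changing
                # the upstream version string, so confirm with the vendor.
                note += "; vendor build, a backported fix may keep this string"
            return VULNERABLE, note
        # Assumption: letters after g inherit the fix shipped in 1.0.1g.
        return NOT_VULNERABLE, "1.0.1g or later"
    if branch in ((1, 0, 0), (0, 9, 8)):
        return NOT_VULNERABLE, "branch listed as not vulnerable"
    return UNKNOWN, "branch not covered by the quoted list"


def triage(inventory):
    """inventory: lines of 'host<TAB>version string'. Returns [(host, status, note), ...]."""
    results = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition("\t")
        status, note = classify(version)
        results.append((host.strip(), status, note))
    return results


def summarize(results):
    """Count hosts per status so the 'vulnerable' and 'unknown' piles are visible."""
    return Counter(status for _, status, _ in results)


# Constructed sample inventory; hostnames are hypothetical.
SAMPLE_INVENTORY = (
    "web-01\tOpenSSL 1.0.1 14 Mar 2012\n"
    "web-02\tOpenSSL 1.0.1f\n"
    "web-03\tOpenSSL 1.0.1g 7 Apr 2014\n"
    "mail-01\tOpenSSL 1.0.1e-fips\n"
    "db-01\tOpenSSL 1.0.0l\n"
    "legacy-01\tOpenSSL 0.9.8y\n"
    "lab-01\tOpenSSL 1.0.1-beta1\n"
    "proxy-01\tnot installed\n"
)

if __name__ == "__main__":
    rows = triage(SAMPLE_INVENTORY)
    for host, status, note in rows:
        print(f"{host:10} {status:15} {note}")
    print(dict(summarize(rows)))
```

A version string is only a first pass: hosts reported as "unknown" need manual review, and a vendor build in the affected range should be checked against the vendor's own advisory before it is cleared.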

Later on Friday, the Office of the Director of National Intelligence (ODNI) issued a statement responding to the Bloomberg report. The ODNI statement on April 11 read in part:

"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report.

Reports that say otherwise are wrong. Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services... If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

So, we are to believe that the largest, most advanced, and heavily funded intelligence agency on the planet did not know about a security flaw in encryption software. Encryption is essential to the business of spying, and we know from past news reports that the NSA sought to break all encryption.

So, I'm not believing the ODNI statement. The NSA and ODNI have made less than truthful statements before to the U.S. Congress. If they will lie to elected officials, they will lie to journalists and citizens. When these lies happen, they break the public's trust.

With trust broken, I find it most difficult to believe that the largest, most heavily funded, and advanced intelligence agency on the planet missed the Heartbleed security flaw. That's like the entire intelligence community missing the 9-11 hijackers' planning.

Since the surveillance document disclosures started last year, I have learned that it is important to parse the exact words in any statements from the ODNI and NSA. Did any NSA contractors and vendors know about Heartbleed? Did any NSA vendors and contractors exploit the Heartbleed flaw for surveillance and hacking? Did any other U.S. intelligence agencies know and use the Heartbleed security flaw? Did any other country's intelligence organization (e.g., GCHQ) know and use the Heartbleed security flaw? What definition of the word "know" is the ODNI using today? Did the NSA refer to this security flaw by a different name?

Hopefully, some investigative journalists are re-reading the disclosed documents for references to Heartbleed or an equivalent. More importantly, it is time for citizens to hear from Congressional officials on the intelligence oversight committees. It is time for the politicians responsible for oversight to do their jobs, or resign so we can elect representatives who will faithfully do their oversight jobs. It is time for the oversight committees to ask the tough direct questions, get honest (not prearranged) answers, hold the NSA and intelligence community accountable, and share what they've learned with their constituents.

On Friday, we also learned that the Heartbleed bug was found in Cisco routers and Juniper equipment. Networking vendors, including F5 Networks and Fortigate, have also issued security alerts about their equipment. What other brands have been affected? There are direct and indirect costs resulting from this mess. A poll earlier this year found that the public's confidence in online privacy has fallen for three straight years. Experts have warned that the dragnet NSA mass surveillance could cost U.S.-based cloud-services vendors $35 billion in lost revenues. Remember, lost revenues equal lost jobs.

In July 2013, we learned that the NSA had inserted code into the Google Android operating system software. Remember that? BusinessWeek reported on July 3, 2013:

"Google spokeswoman Gina Scigliano confirms that the company has already inserted some of the NSA’s programming in Android OS... Through its open-source Android project, Google has agreed to incorporate code, first developed by the agency in 2011, into future versions of its mobile operating system, which according to market researcher IDC runs on three-quarters of the smartphones shipped globally in the first quarter. NSA officials say their code, known as Security Enhancements for Android, isolates apps to prevent hackers and marketers from gaining access to personal or corporate data stored on a device."

So, we are to believe from Google that the NSA is trying to enhance or make security better. Really? How's that working for you? It doesn't seem too well, especially if it missed or failed to focus on OpenSSL encryption.

Some consumers have privately expressed their frustrations with having to change their online passwords piecemeal as each site implements Heartbleed fixes. Some people have just gone ahead and changed all of their passwords while hoping for the best. This raises more questions:

  • How long can this mess continue before it starts to have a big negative impact on people's willingness to use the Internet?
  • Will consumers use the Internet less and only for banking and shopping?
  • Or, are consumers so dependent on the convenience of the Internet that they will continue using it regardless of privacy abuses, except upon threat of death?
  • Can the Internet be fixed so it becomes the reliable, secure, private, and trustworthy medium we all hoped it would be?

The Heartbleed Security Flaw, How Long It Existed, And The Role of the Intelligence Community

To say that this has been an interesting week would be a severe understatement. It has been an absolutely terrible week for privacy.

The week started with the announcement about Heartbleed, which refers to a flaw in OpenSSL, the encryption technology most websites use to provide users with a secure method of entering password credentials. The flaw allows hackers to collect users' passwords. With stolen passwords, thieves can steal users' credit cards and other payment information.

This flaw struck at the heart of the Internet. The Schneier on Security blog reported:

"Heartbleed is a catastrophic bug... an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it. "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11. Half a million sites are vulnerable."

On Tuesday, the Los Angeles Times reported:

"The discovery of a significant flaw in software that was supposed to provide extra protection for thousands of websites has thrown the tech world into chaos as experts scrambled to understand the scope of the vulnerability. On Tuesday, Tumblr, which is owned by Yahoo, became the largest website to disclose that it had been hit by the "Heartbleed Bug" and urged users to change not just the password for its site but for all others as well."

Next, some security experts advised consumers to update all of their passwords, and avoid online banking until fixes were implemented. Then, experts advised consumers not to update all of their passwords. The revised advice was based upon the nature of the security flaw, and upon the fact that some websites hadn't yet fixed their security flaws.

Some websites promptly announced fixes for their users. Some sites announced that they were unaffected. Other sites said they were still investigating. Mashable published on Wednesday a "Hit List" of websites consumers should change their online passwords for. It quickly became apparent that websites implemented different versions of OpenSSL, and some versions are vulnerable. So, consumers should first check with the sites they use to see if (and when) they should change their passwords.

As if all of this wasn't enough, then we learned that the intelligence community may have known about Heartbleed for months if not far longer and used the security flaw as an opportunity to collect passwords and encryption keys:

"... when researchers revealed Heartbleed, a two-year-old security hole involving the OpenSSL software many websites use to encrypt traffic. The vulnerability doesn’t lie in the encryption itself, but in how the encrypted connection between a website and your computer is handled... and since the Heartbleed bug has existed for two years, it raises obvious questions about whether the NSA or other spy agencies were exploiting it before its discovery to conduct spying on a mass scale... Cracking SSL to decrypt internet traffic has long been on the NSA’s wish list. Last September, the Guardian reported that the NSA and Britain’s GCHQ had “successfully cracked” much of the online encryption we rely on to secure email and other sensitive transactions and data."

Note the "two-year-old security hole" statement. It makes one wonder why the intelligence community, created to protect citizens, didn't warn somebody. I guess that when you are focused upon offensive cyber weapons, a warning is a bridge too far.

The cynic in me concluded that if the intelligence community knew about Heartbleed years ago, they probably used it and/or their contractors. Why? "The Secret War" report by Wired in June 2013 provides some context:

"Defense contractors have been eager to prove that they understand Alexander’s worldview. “Our Raytheon cyberwarriors play offense and defense,” says one help-wanted site. Consulting and engineering firms such as Invertix and Parsons are among dozens posting online want ads for “computer network exploitation specialists.” And many other companies, some unidentified, are seeking computer and network attackers... One of the most secretive of these contractors is Endgame Systems, a startup backed by VCs including Kleiner Perkins Caufield & Byers, Bessemer Venture Partners, and Paladin Capital Group. Established in Atlanta in 2008... According to news reports, Endgame is developing ways to break into Internet-connected devices through chinks in their antivirus armor. Like safecrackers listening to the click of tumblers through a stethoscope, the “vulnerability researchers” use an extensive array of digital tools to search for hidden weaknesses in commonly used programs and systems, such as Windows and Internet Explorer. And since no one else has ever discovered these unseen cracks, the manufacturers have never developed patches for them."

OpenSSL seems to me to be a commonly used program. There are several takeaways from this Wired report. One is that the finding and using of vulnerabilities in Internet-connected computers is a big, profitable business. Remember, privately-held (and secretive) corporations are beholden only to their investors. Another takeaway: corporations involved in cyberwarfare are free to sell the vulnerabilities they have found to anyone (links added):

"According to Defense News’ C4ISR Journal and Bloomberg Businessweek, Endgame also offers its intelligence clients—agencies like Cyber Command, the NSA, the CIA, and British intelligence—a unique map showing them exactly where their targets are located. Dubbed Bonesaw, the map displays the geolocation and digital address of basically every device connected to the Internet around the world, providing what’s called network situational awareness... It will allow Endgame’s clients to observe in real time as hardware and software connected to the Internet around the world is added, removed, or changed. But such access doesn’t come cheap. One leaked report indicated that annual subscriptions could run as high as $2.5 million for 25 zero-day exploits... The question is, who else is on the secretive company’s client list? Because there is as of yet no oversight or regulation of the cyberweapons trade, companies in the cyber-industrial complex are free to sell to whomever they wish... The companies trading in this arena can sell their wares to the highest bidder—be they frontmen for criminal hacking groups or terrorist organizations or countries that bankroll terrorists..."

Remember, there have been several instances (e.g., Lexis-Nexis, Experian, ChoicePoint, Lexis-Nexis again) where credit reporting agencies and data brokers have sold consumers' sensitive personal information to criminals and other bad guys. So, it is a real risk for cyberwarfare vendors to sell vulnerabilities to bad guys, as the report rightly mentioned.

What are your opinions of the Heartbleed security flaw? Of websites' responses and notifications? Of the role of the intelligence community?

[Editor's note: after I published this blog post this morning, Bloomberg confirmed this afternoon that the NSA used the Heartbleed bug for several years to surveil and hack sites. This is why the word "probably" appears above as strike-through text.]

Internet Access: A New I've Been Mugged Topic

Everyone needs access to the Internet. Most of us pay an Internet Service Provider (ISP) monthly fees for this access. The new "Internet Access" topic provides fast, convenient access to blog posts about ISPs and their activities (e.g., new pricing schemes, targeted advertising programs, joint ventures with technology vendors, mergers and acquisitions, privacy abuses, and lobby efforts with government). This new topic also includes posts about Net Neutrality since these rules are changing and will affect how ISPs price and charge fees to consumers.

Note: in the right-column tag cloud, this new topic replaced the old "Technology" category which has been deleted. I hope that you like the new category.

Surprise! Metadata About Your Online Activity Reveals Where You've Been

An earlier blog post discussed the metadata associated with your mobile phone calls, and with photos and videos you upload to social networking sites. Today's post discusses what metadata about your online activity reveals.

Cyrus Farivar devised a test to learn what metadata about his online activity revealed when he logged into a website. We all do this -- log into sites to access information, to blog, to read news, and/or to post comments. When you go online, your Internet Service Provider (ISP) assigns an IP address to your computer or mobile device. When you log into a site, that site records the date and time you logged in, plus your IP address and summary data about your device (e.g., operating system, screen size) -- metadata about your online activity.

Farivar used the Ars Technica site for his test:

"For 11 days in February 2014, Ars tracked all of my logins. The working theory was that since I’m telling Ars who I am... and loading the site multiple times per day, my logins would actually give Ars a clear idea of my actions and movements."

At the end of the test, Farivar reviewed the Ars Technica server logs containing metadata about his online activity. He found:

"... it showed when I started and ended my work day... generally speaking, I was consistently online by about 7am and ended around 5pm...Second, the data showed physical places that I knew I visited in the Bay Area: a particular San Francisco office building, an Oakland café, and the University of California, Berkeley, campus... I didn’t realize that Comcast distinguishes its IP information in the hostname of business versus residential accounts. Anything that shows up as is a residence..."

Farivar learned how much the IP address reveals when you access the Internet via WiFi or wired computer networks away from home:

"... I was logged in at a particular San Francisco IP address. Looking up that IP on turned up not only the city, but one of two possible street addresses as well... If I was Google doing this analysis or the [National Security Agency], I would already have a large database as to what [building corresponds] to this IP address, or what all the information I know about [that IP] is... Lots of companies are already doing this, creating physical maps influenced by the location of known, fixed Wi-Fi networks."

And the goal of any surveillance entity is to link where you go with who you are:

"One thing that we know that the NSA does on their non-US wiretaps is bind usernames to cookies, so if you see a request for LinkedIn or YouTube or Yahoo, these are all sites that have user ID in the clear... This is why the NSA went after Google ad networks; they include user identification [broadcast] in the clear: ‘I am person X at this location."

Farivar concluded:

"...metadata is surveillance..."

What can consumers make of what Farivar learned? Several things:

  1. Metadata about your online activity allows companies (and governments) tracking you to deduce what specific business you visited (not online) in the physical world. Perhaps, your visit was a meal with family or friends. Perhaps, it was something else: a sales pitch, help a client fix a problem, sign a contract, or a job interview.
  2. By tracking log-in days and times, plus IP addresses, an entity can easily plot your habits and travel patterns in the physical world: where and when you go, and how long you stay there. Metadata reveals a lot about you.
  3. Consumers should think long and hard about where and when you log into the Internet from (e.g., public WiFi, supermarkets, restaurants, etc.).
  4. Consumers should think long and hard about which sites you choose to remain logged into for long periods of time. You are giving that site a clear view into your habits and travel patterns. You may or may not want to give that site so much information. Chances are, you are logged into certain sites (e.g., social networking, banking, etc.) for long periods or all day long with your mobile devices. You may not check-in at a specific location with a certain social networking site, but that social site probably collects that location data anyway.
  5. All of this provides consumers with a view of the extensive surveillance advertising networks perform for themselves and/or for government spy agencies.
  6. Any time you hear a politician or pundit claim that metadata is harmless, you now know another reason why metadata is not harmless (and to view that talking head's claims with skepticism).
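Items 1 and 2 can be checked against an export of your own login history. The following Python code is an added example, not code from Farivar's test or from Ars Technica; the two-column log format, the documentation-range IP addresses and the function names are assumptions. It derives the daily first and last login and the sequence of networks an account logged in from.

```python
from datetime import datetime
import ipaddress

# Constructed login records: ISO timestamp and source IP address.
# The addresses come from ranges reserved for documentation.
SAMPLE_LOG = """\
2014-02-10T07:02:11 192.0.2.14
2014-02-10T12:31:40 198.51.100.77
2014-02-10T16:58:03 192.0.2.14
2014-02-11T07:05:52 192.0.2.14
2014-02-11T10:15:09 203.0.113.5
2014-02-11T13:40:27 203.0.113.5
2014-02-11T17:01:44 192.0.2.14
"""


def parse(log_text):
    """Return (datetime, ip_address) records in time order."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, ip = line.split()
        records.append((datetime.fromisoformat(stamp), ipaddress.ip_address(ip)))
    return sorted(records, key=lambda r: r[0])


def network_of(ip):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) network."""
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def daily_window(records):
    """First and last login per day: the start and end of the day in the log."""
    window = {}
    for when, _ in records:
        day = when.date().isoformat()
        first, last = window.get(day, (when, when))
        window[day] = (min(first, when), max(last, when))
    return {
        day: (first.strftime("%H:%M"), last.strftime("%H:%M"))
        for day, (first, last) in window.items()
    }


def visits(records):
    """Runs of consecutive logins from one network on one day."""
    runs = []
    for when, ip in records:
        day, net = when.date().isoformat(), network_of(ip)
        hhmm = when.strftime("%H:%M")
        if runs and runs[-1][0] == day and runs[-1][1] == net:
            # Same place as the previous login: extend the run's end time.
            runs[-1] = (day, net, runs[-1][2], hhmm)
        else:
            runs.append((day, net, hhmm, hhmm))
    return runs


if __name__ == "__main__":
    records = parse(SAMPLE_LOG)
    for day, (first, last) in daily_window(records).items():
        print(f"{day}: online {first} to {last}")
    for day, net, start, end in visits(records):
        print(f"{day} {start}-{end} from {net}")
```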

Farivar also concluded that the privacy tools he uses help:

"... I run all kinds of anti-tracking software on my browser: constant private mode, Ghostery, Disconnect, and my VPN... If you have your browser set to clear cookies every time you quit, it really helps..."

The Internet has morphed into something entirely different than I expected when I started building websites in the mid 1990's. I thought that the Internet would help with the distribution of information to all consumers, and not just the wealthy. The Internet has helped the distribution of information, and then some. It has morphed into this corporate-controlled surveillance mechanism by advertising networks, companies, and governments. And that surveillance now marries together your online activity and your movements in the physical world.

Sometimes, I wish we called smart phones what they really are: pocket computers. Perhaps, we should also call these devices what they are being used for: perpetual tracking computers.

What's your view about metadata of your online activity? About surveillance by both spy agencies and advertisers?

Predicting With The Spies. The Intelligence Community Wants People Good At Predicting World Events

While writing today's blog post, I could have easily used, "Predicting For The Spies" instead of "Predicting With The Spies." Last week, National Public Radio (NPR) reported about the Good Judgment Project, an experiment sponsored by the U.S. intelligence community (e.g., NSA, CIA, NRO, etc.), to harness the predictive power of groups by using citizens to predict world events. NPR reported:

"According to one report, the predictions made by the Good Judgment Project are often better even than intelligence analysts with access to classified information, and many of the people involved in the project have been astonished by its success at making accurate predictions."

The predictive power of groups is based on research showing that, while each individual's prediction will vary greatly with error, the average prediction of the group is far more accurate. Sample questions:

"Will any country in the Euro zone default on bonds in 2014?" or "Which party will win the most seats in the next parliamentary election in Egypt?"

NPR described one citizen participant in the GJP experiment and her high success rate at predicting world events:

"She's in the top 1 percent of the 3,000 forecasters now involved in the experiment, which means she has been classified as a superforecaster, someone who is extremely accurate when predicting stuff like: Will there be a significant attack on Israeli territory before May 10, 2014?"

Three people co-lead the GJP experiment:

  • Phil Tetlock, the Leonore Annenberg University Professor in Democracy and Citizenship at the University of Pennsylvania. He is the author of the award-winning Expert Political Judgment.
  • Barb Mellers, the George Heyman University Professor at the University of Pennsylvania with appointments in the Department of Psychology and the Marketing Department of the Wharton School of Business.
  • Don Moore, an Associate Professor in the Management of Organizations group at the Haas School of Business at the University of California Berkeley. He and Max Bazerman wrote the text Judgment in Managerial Decision Making.

The GJP experiment described itself as:

"We are participating in the Aggregative Contingent Estimation (ACE) Program, sponsored by IARPA (the U.S. Intelligence Advanced Research Projects Activity). The ACE Program aims "to dramatically enhance the accuracy, precision, and timeliness of forecasts for a broad range of event types, through the development of advanced techniques that elicit, weight, and combine the judgments of many intelligence analysts." The project is unclassified: our results will be published in traditional scholarly and scientific journals, and will be available to the general public."

GJP participants do not have access to classified information. The GJP experiment is currently operating in season three of its four-year plan. It is not accepting any more participants for season three, which ends in May 2014. If you want to participate, you can apply online for season four, which starts in July 2014. Not all applicants are accepted. Based upon the application form, the project seems to prefer participants with degrees from accredited higher education institutions.

IARPA described three goals of its ACE program:

"The ACE Program seeks technical innovations in the following areas: (a) efficient elicitation of probabilistic judgments, including conditional probabilities for contingent events; (b) mathematical aggregation of judgments by many individuals, based on factors that may include: past performance, expertise, cognitive style, metaknowledge, and other attributes predictive of accuracy; and (c) effective representation of aggregated probabilistic forecasts and their distributions."

The NPR article asked a very relevant question:

"How is it possible that a group of average citizens doing Google searches in their suburban town homes can outpredict members of the United States intelligence community with access to classified information?"

While the researchers seem to believe that the answer is based upon the predictive power (e.g., accuracy) of a group's average prediction, I think that context matters. One must look at the broader picture for an answer.

With the NSA's dragnet surveillance program, is it collecting more information than it can process? The NSA built this new $2 billion facility to store all of the data it collects. At the SXSW conference earlier this year, Snowden and other panelists discussed how mass surveillance on everyone wastes resources. When a government collects too much information or too much of the wrong information (e.g., data about innocent people; spying on mobile games; violating citizens' privacy when searching non-citizens' communications; inserting back doors inside operating system software; breaking all encryption systems; secret courts, laws, and processes), it places a priority on analyzing and sifting through the information collected (e.g., making predictions).

From the documents released since last summer, the extensive NSA surveillance seems to collect everything it can because it can, through both warrant-backed and warrantless searches where the assumption of wrongdoing is tenuous at best. A more targeted data collection means less data to analyze, less wasted resources, and an easier time making predictions; or more accurate predictions. Said simply, collect less and focus your energies (and skills) on improving your predictions. Then, you wouldn't need help from a group of citizens to predict world events.

What is your opinion of the Good Judgment Project? Of the intelligence community sponsoring this experiment?

NSA Confirmed It Performed Warrantless Searches Of U.S. Citizens Phone Calls And Emails

The Guardian UK newspaper reported on Tuesday that the National Security Agency (NSA) confirmed it used a "back door" in surveillance law to perform warrantless searches of phone calls and e-mail messages. The confirmation came in a letter to Senator Ron Wyden, an Oregon Democrat on the intelligence committee, from the director of national intelligence, James Clapper.

The Guardian obtained a copy of the letter, which read in part:

"There have been queries, using US person identifiers, of communications lawfully acquired to obtain foreign intelligence targeting non-US persons reasonably believed to be located outside the United States...”

What is this "back door" in surveillance law? The newspaper reported:

"The NSA's collection programs are ostensibly targeted at foreigners, but in August the Guardian revealed a secret rule change allowing NSA analysts to search for Americans' details within the databases... The legal authority to perform the searches, revealed in top-secret NSA documents provided to the Guardian by Edward Snowden, was denounced by Wyden as a “backdoor search loophole.” "

The newspaper described in August 2013 the surveillance law loophole:

"The intelligence data is being gathered under Section 702 of the Fisa Amendments Act (FAA), which gives the NSA authority to target without warrant the communications of foreign targets, who must be non-US citizens and outside the US at the point of collection. The communications of Americans in direct contact with foreign targets can also be collected without a warrant, and the intelligence agencies acknowledge that purely domestic communications can also be inadvertently swept into its databases. That process is known as "incidental collection" in surveillance parlance."

So, purely domestic communications by U.S. citizens, vacuumed up via "incidental collection," have been searched by the NSA. The NSA has not disclosed the number of citizens affected, the number of records collected via the back door loophole, nor the number of records searched.

This extensive government surveillance is having an unexpected impact. A recent Harris survey found that 47 percent of adults have changed their online habits due to NSA spying. 26 percent said that they do less online banking or less online shopping. Among the 18-34 age group, 33 percent said they do less online banking or less online shopping. And, 29 percent of women do less online shopping. These statistics signal a new and growing trend by consumers to use caution about what they say, do, and post online.

In response to the news reports about the NSA's confirmation, U.S. Senator from Connecticut Richard Blumenthal said Tuesday in a statement:

"Loopholes in the law allowing warrantless, backdoor searches of Americans’ calls and communications are an outrage that cannot be tolerated. This disclosure is further evidence that the intelligence community will spy on Americans if it believes it has the legal authority to do so, and therefore it must be reined in by stronger protections and oversight... I urge immediate action by the President and Congress. Americans deserve to know their communications are private, and that our intelligence community is not exploiting loopholes in violation of the spirit of the law.”

I agree. When reading any statements by the NSA, I have found it wise to parse every word mentioned. Nothing is said accidentally. It is troubling that more politicians, especially those in the (supposed) oversight committees in Congress, are not saying more about the NSA's latest confirmation.

What is your opinion of the revelations from the Guardian UK's report? Have the NSA spy revelations changed your online habits? If so, why and how?

Fire Your Cable Provider And Create Your Own TV, Phone, And Internet Services Bundle

Many consumers subscribe to cable providers for Internet, television, and phone services. Some consumers are unhappy with the high prices and poor customer support by their cable providers. If you are unhappy, the May 2014 issue of Consumer Reports magazine provides ratings and resources to lower your monthly bills or find alternate providers.

Over the past few decades, cable providers have raised their prices. The magazine found that the price of "expanded basic cable service" has risen faster than inflation since 1998, and:

"According to a recent report by the Mintel Group, the average cost of home communication services is $154. In the course of a year, that works out to $1,848 -- more than the average household spends on clothing, furniture, or electricity."

For consumers (especially people who subscribe to all three services: TV, Internet, and phone) that want to lower their monthly cable bills, the magazine included a section explaining which fees are unavoidable, negotiable, reprehensible, and cut-able. Another section described five negotiation tactics you can use. It pays to negotiate:

"Among the hagglers, 46 percent said their provider dropped the price by as much as $50 per month, 31 percent got a new promotional rate..."

However, the magazine also warned:

"... the high times for hagglers might be coming to an end. Cablevision CEO Jim Dolan has publicly stated that his company will stop offering repeat promotional discounts to subscribers. "The customer that has been bouncing from one company to another on promotional discounts has hit a dead end with us..."

So, consumers must be willing to fire their cable providers. What I liked most about the Consumer Reports article was its ratings and bundle suggestions for replacement services. The magazine provides ratings of more than two-dozen service providers in the following categories:

  • Telecom bundles
  • TV Service
  • Internet service
  • Phone service

Ratings included value, reliability, satisfaction, billing, support, call quality (phone), speed (Internet), and picture (television). I found the ratings informative and helpful. Comcast, Time Warner, and Verizon seem to consistently rank near the bottom. Wise consumers already know that USA residents don't get good value because our Internet speeds are slower and cost more than in other countries.

I also liked the magazine's suggestions of replacement services that consumers can use to create their own custom bundles. The bundle you create depends upon where you live, the combination of services (e.g., Internet, phone, television) you currently use, and your television habits (e.g., basic, expanded basic, premium, pay-per-view). Sports fans will probably create different bundles than movie lovers. The magazine's analysis mentioned providers I hadn't heard of before (e.g., WOW, Ooma for phone service, SuddenLink, Bright House), the usual suspects (e.g., Roku, Hulu, Verizon FiOS, Cablevision, DirecTV, Vonage), and others.

You'll have to read the magazine to learn about the specific bundles it recommended. The magazine also provided a mini-review of Google Fiber:

"Broadband speeds in the U.S. are pretty slow -- averaging 9.8 megabits per second... a few cities have hit the jackpot thanks to Google's venture... Kansas City... Provo, Utah... Austin, Texas... Initial setup was quick and easy, but it took three additional visits by Google technicians to fix some bugs. The service promised up to 200 Mbps, although Vidmar's tests using Ookla Speedtest show that he's been averaging 50 Mbps..."

My home is now cable-free. We fired Comcast several months ago after decades with basic cable service. The monthly bill for that service had almost tripled since the mid 1990s. When Comcast encrypted its television transmission, I ordered the free adapters it provided. The problem: Comcast sent low definition adapters and failed to notify me that high-definition adapters were also available. The low-definition adapters (instead of a cable box) provided a degraded television viewing experience. We now use a bundle with Mohu Leaf digital antennas for free over-the-air television, Netflix, and the public library. Our savings paid for the digital antennas in a couple months.

Recently, Pew Research reported that two-thirds of Americans are actively engaged with, use, and value public libraries. So, my library usage is consistent with others' usage.

The bundles you create will vary, as everyone has slightly different television viewing habits. I was never a fan of premium cable channels. I prefer to spend my money on travel rather than television services. People who know me have heard me talk in terms of "cruise units" -- the price of a typical seven-night Caribbean cruise ship vacation. Using the above $154 average monthly cable bill, in five months I've paid for a cruise -- and if I plan ahead, that could include airfare, too.

Of course, consumers' custom bundle creations will change if Congress and the FCC fail to restore net neutrality. Without net neutrality rules, experts predict several changes to your Internet access including higher prices and degraded service. In that scenario, I expect Internet bills to become as complicated, convoluted, and fee-heavy as your current cable television bills. I described in this blog post one provider's Internet prices without net neutrality.

What custom bundles have you created to replace your cable provider?

23 Domino's Stores In New York To Pay $448K To Settle Wage Theft Charges

Yes, today is April 1. This news item is not a joke. Last week, the office of the New York State Attorney General announced a settlement with 23 Domino's stores regarding wage theft charges. The settlement includes a restitution payment of $448,000 for alleged underpayment wage violations. Attorney General Eric Schneiderman said:

"The violations in these cases demonstrate a statewide pattern of Domino’s franchisees flouting the law and illegally chiseling at the pay of minimum-wage workers... My office will be relentless in pursuing fast-food employers that underpay the hardworking people who are the backbone of their operations.”

The Domino's restaurants are located in eight counties: New York City, Dutchess, Erie, Nassau, Rockland, Schenectady, Suffolk and Westchester. The restitution payment will go directly to 750 minimum-wage workers. Most workers will receive $200 to $2,000.

The attorney general's office conducted an investigation and found that from 2007 to 2013, the restaurants:

"Some franchisees paid delivery workers as little as $5 per hour, which is below the $5.65 tipped minimum wage that has applied to delivery workers since 2011 under New York law.

Two franchisees failed completely to pay adequate overtime, as required by law. Other franchisees underpaid overtime because they did not combine all hours worked at multiple stores owned by the same franchisee or because they used the wrong formula to calculate overtime for tipped workers, unlawfully reducing workers’ pay.

Delivery workers who used their own cars to make deliveries were not fully reimbursed for their job-related vehicle expenses. Delivery workers who used their own bicycles to make deliveries were typically not reimbursed for any expenses related to maintaining their bicycles, nor were they provided with protective gear as required by New York City law.

Some stores violated a state requirement that employers must pay an additional hour at minimum wage when employees’ daily shifts are longer than 10 hours.

Some stores also violated a state requirement that employers must pay restaurant workers for at least three hours of work when those employees report to work for a longer shift but are ultimately sent home early because of slow business or other reasons."

The settlement agreement requires the restaurants to implement a complaint process, provide bilingual employee handbooks, train supervisors on labor law, post a statement of workers' rights, and submit compliance reports quarterly to the Attorney General's Office. Two restaurants with the most violations are also required to hire an independent auditor that will conduct unannounced inspections for the next three years.

Investigations of additional Domino’s franchises are ongoing.

Congratulations to the Attorney General and his staff for excellent work.