Following the RIAA from Pirates to Fantasyland

The prestigious Security For All Admiral James Norrington award [named for the primary antagonist in Disney’s “Pirates of the Caribbean” movies] for most entertaining and ludicrous battle against piracy goes to Recording Industry Association of America (RIAA) CEO Mitch Bainwol for his unmitigated audacity in spinning reality well past the breaking point. In this article in techdirt honorary Admiral Bainwol is quoted as follows.

In January, Chinese hackers infiltrated the systems of the biggest technology dog on the global block and, according to the company, stole Google’s intellectual property

In texting parlance, Google has finally had an OMG! moment when it comes to intellectual property. Unfortunately, it took this theft of their IP to flip on the switch.

Frankly, Google has never been very warm to the idea of copyright protections. Google routinely has sided with the “free access” (more aptly the “free of charge”) crowd against those who actually create the intellectual property.

Remember the Big G’s idea to digitize every book in the world and put it in their digital library? That went over so well that Association of American Publishers and the Authors Guild of America sued to stop Google from creating the virtual library.

Google argued that they were just trying to make the world a better place by making important works of literature available to people all over the globe. A rather egalitarian idea (unless you’re the authors and publishers who depend on people actually buying books in order for you to make a living).

What’s the effect of IP theft on the U.S. economy? First, let’s look at the IP industry’s share of the economy. A 2007 International Intellectual Property Alliance study found 11.7 million people working in the total copyright industries. That’s 8.51 percent of the U.S. workforce. These industries help drive our nation’s economy. In 2007, IP companies added $1.52 trillion or 11.05 percent to the GDP. When people say “we don’t make anything in America anymore,” just hit them with those facts.

Brilliant! Absolutely freaking brilliant! Where do you even begin to comment on something so thoroughly and patently asinine as the preceding foray out of Pirates of the Caribbean and into Fantasyland following the Pied Piper of Piracy Propaganda. While recognizing that I’m in the presence of a giant (moron), I humbly submit the following fact checks.

  1. The now infamous attack on Google [allegedly by Chinese hackers] was an exercise in corporate espionage. Since Google doesn’t produce “Intellectual Property” (IP) of the sort the RIAA is concerned with (music). The connection is more non-existent than tenuous.
  2. I’m quite certain that Google did have an “OMG!” moment. Only it was “OMG our famous security has been breeched and we’ve been hacked!” I’m also quite certain that more intrusive, fascist intellectual property laws wouldn’t have made a bit of difference in this case. Even assuming that Chinese hackers give a rodent’s patoot about those laws.
  3. It’s easy to imagine that Google has “never been very warm” to the RIAA’s idea of copyright protections, which are stupid and unworkable but I digress. What’s really amazing here is the assertion that those who provide free access to intellectual property – like say me when I give away my music at Christmas time – are “against those who actually create the intellectual property“. Now I’m having a WTF! moment.
  4. The lawsuit brought against Google by the Association of American Publishers and the Authors Guild of America was settled out of court not in small part because most authors found that when their books were available on Google books sales of the books actually increased. So I’m guessing that authors of books feel pretty much the same way about the AAP and AGA as musicians feel about the RIAA. Not warm and fuzzy.
  5. It’s hard to believe that anyone, even a consummate spinmeister like Admiral Bainwol, is still trotting out that tired old – and completely bogus – $1.52 trillion stat. In case you you were wondering that number is derived by taking any business that touches copyright, however marginally, and then assuming that all of the revenue they make is entirely due to copyright. Actually you could just quote Ed Black, from the Computer & Communications Industry Association who posited this equally absurd statistic derived in the same way “Businesses dependent upon exceptions to copyright contribute $2.2 trillion to the U.S. economy. They are responsible for one in eight jobs, for a total payroll of $1.2 trillion in 2006.“.

As if the preceding show of farce weren’t ridicules enough, it was followed up with another post covered in this article in techdirt wherein our honorary Admiral was quoted thusly.

The album [“Hope for Haiti Now”] is now widely available on illicit BitTorrent sites like The Pirate Bay, Torrentz and more. The posting highlights a truly ugly side of P2P piracy — the undermining of humanitarian fundraising efforts via online theft of the “Hope for Haiti Now” compilation. So much for the notion that illegal downloading (“sharing”) is an effort to help advance the plight of artists.

Wow! Just Wow. The boring and decidedly non-piratical facts are these:

  1. A group of popular musicians released the “Hope for Haiti Now” digital only album, with proceeds going to Clinton Bush Haiti Fund, Oxfam America, Partners in Health, Red Cross, UNICEF, United Nations World Food Programme, and Yele Haiti Foundation in the wake of the devastating earthquake. “Hope for Haiti Now” did quite well, topping the Billboard sales charts. The entire “Hope for Haiti” effort, including the telethon has raised more than $58 million so far. An excellent and very successful fundraiser for an important cause.
  2. While I’m sure that there are pointers to torrents for this – and pretty much every other album in recorded history – on some torrent sites, it’s hard to imagine that the losses due to “piracy” were anything but miniscule. In fact I’m willing to bet they were a lot closer to non-existent than miniscule. I certainly hope that there aren’t many people sleazy enough to torrent a charitable album instead of donating to the cause.

Turns out that MusicAlly wondered the same thing after reading the good Admiral’s piece.

But reading that, I wondered just how popular the album is on file-sharing networks. It might be available, but how many people are downloading it? So I asked someone best placed to answer that question – Eric Garland of BigChampagne, which tracks activity on these networks.

At its peak on 24th January, Hope For Haiti Now was being downloaded 2,680 times a day according to BigChampagne – compare that to [Lady Gaga’s] The Fame Monster’s 63,845 downloads the same day. Meanwhile, by 23rd February, Hope For Haiti Now’s daily downloads had dwindled to 820, compared to 47,971 for the Gaga album.

And then there’s that last sentence: “So much for the notion that illegal downloading (“sharing”) is an effort to help advance the plight of artists“. Say what? I have no idea what that means. Or implies. Or what in the devil it has to do with “Hope for Haiti”. Or anything. So here’s to you Mitch. I stand humbled by your truly awesome BS abilities.

The “Hope for Haiti Now” digital only album is still available at the Amazon and iTunes.

Greatest security breakthrough?

Ask Dr. SecurityDEAR DR. SECURITY: I am sending you this email in an unfortunate state of complete sobriety (given that it is after quitting time here). Should I over indulge however, Gmail has my inebriated back, so to speak. While adjusting my settings I came across this feature which can be enabled: Mail Goggles by Jon P

Google strives to make the world’s information useful. Mail you send late night on the weekends may be useful but you may regret it the next morning. Solve some simple math problems and you’re good to go. Otherwise, get a good night’s sleep and try again in the morning. After enabling this feature, you can adjust the schedule in the “General” settings page.”

Apparently this is built on the theory that drunk (tired?) people can’t do math – something any tip-dependent bartender knows all too well.  Some basic questions came to mind when I saw this innovative computer security functionality and I decided to contact you, my favorite security blogger, to get some input.

  1. Does the non-scalability of this platform prevent it from accurately blocking access to the intoxicated math elite, while at the same time, wrongfully exclude the math illiterate?
  2. Could this type of faculty-based access control could be used to prevent a much wider array of offending internet behavior?
  3. Will I soon have to demonstrate SAT math section mastery to perform basic Google searches?
  4. Is there any way this type of faculty-based security could be implemented to to prevent politicians who can’t do math from accessing federal funds?

This seems to me to be the greatest breakthrough in computer security so far!

Let me know what you think — GOGGLES FAN.

Continue reading

Security ideas for your mom part 2

Let’s recap shall we?

Mom wants to get online to read email, surf the web and Google stuff that you don’t even want to know about. We’ve already presented 4 ideas – which essentially boil down to 2 themes:

  • Use Common Sense
  • Know how to use your stuff

Okay, now we’re ready to get serious and specific about helping mom manage the risks of her internet behavior. So let’s look a little closer at each of the things mom wants to do:

Send and receive email – This will clearly require an email client, but what else? Well, let’s assume that mom wants to check out pictures of you and your significant other frolicking in the surf on your last vacation. And of course there’s Uncle Edgar who sends out those swell PowerPoint presentations and Aunt Thelma who sends MP3s of the latest hymns (at least that’s what mom says they are). So far all of this  can be handled by any personal computer (and most cell phones) running any OS with either built in or free add on software.

Email risks fall into 2 categories, cyberfraud (e.g. phishing scams) and attachment-borne malware (e.g. worms or trojans embedded in attachments). While there are virus scanners that can scan your email for malware attachments, these will never sufficiently mitigate the threat without a judicious application of the first 4 ideas. Unfortunately almost all cyberfraud is undetectable by virus scanners, simply because there is nothing wrong with the email format or data itself. The fraudster relies on the recipient to actually take action to fall into the trap. So the only way to mitigate a cyberfraud threat is by using the first 4 ideas. While there are “anti-phishing” mechanisms built into most browsers and some email clients these days, they are useless if you don’t understand them and they are certainly not foolproof.

Surf the web – This is going to require a web browser. Again, any personal computer and most cell phones will come with a web browser sufficient to the task. While the actual choice of browser is mostly a personal taste kind of deal (if there is a choice – which there may not be on a cell phone) some browsers definitely have better security features than others (more on that later).

Web surfing risks include cyberfraud (note that email cyberfraud will almost always utilize some web-based component like a malicious web site that the email links to), downloaded malware (e.g. a trojan embedded in a file you download), malformed images (pictures that are designed with intentional flaws to crash the browser – or worse), malicious active content (all those cute dancing hamsters are really little programs that can actually do worse than just annoy you), leakage of personally identifiable information (e.g. some web sites will collect personal information from you in exchange for some goodie – and then sell it to spammers or phishers) and privacy invasion (e.g. tracking your surfing habits using third-party cookies). The right choice of web browser software and associated “plugins” will go a long way toward mitigating these threats, but again you must apply ideas 1 – 4 to achieve a decent level of threat mitigation. It should be noted that your web surfing habits have a dramatic impact on the risk you incur. Specifically if you intend to visit adult (porn) or warez (pirated software) sites your risk is increased exponentially. Whereas reputable sites like legitimate shopping sites or wikipedia are relatively low risk, a trip to the typical warez site can almost guarantee several of the above threats being real and present. So the moral of this story is don’t even think about stealing software or surfing for porn unless you really know what you are doing and take extreme measures well beyond the scope of what I’m going to tell you about in these posts.

Using search engines – Usually all you need is a browser for this, but almost invariably search engines like Google are way more than just search engines. Google, for example, is an entire suite of web services. They have portals, email, calendar, instant messaging, contacts, office tools and a whole lot more. And they are not alone. Yahoo has similar offerings as does AOL (to some extent). And each and every one of those bad boys wants to install some kind of browser toolbar and desktop application on mom’s computer. My advice is (again see the first 4 ideas) decide on single search provider and use only what you need. Otherwise you will subject yourself to a cornucopia of conflicting crapware. Trust me, it bites wind and mom won’t like it.

Search engine risks include all of the web surfing risks listed above (well Duh! search engines raison d’être is to allow you to surf lots of places really fast). But in addition there is a search engine specific risk of search engine gaming (e.g. a porn site will intentionally embed words like “angels” or “family values” into pages just so the search engines will direct you there when you search for those words). Luckily if you are a firm adherent to the first 4 ideas, this can usually be minimized to simply an annoyance. Also most modern search engines do a pretty good job of filtering out gamed results.

Throughout this post it may seem that (in addition to not adding anything tangible to our list of ideas) I’ve been using the terms risk and threat interchangeably. Just so there’s no confusion let’s go right to the definition of the relationship between them:

Risk management is a structured approach to managing uncertainty related to a threat.

This seems like a logical place to break so we’ll pause here for station identification and finish this up in another post.

Security ideas for your mom part 1

So here’s the scenario:

Your mom wants to get a PC so she can get email, check out those internets and use the google. She’s heard about all the nasty stuff out there like in those commercials with the little old lady speaking with the voice of a biker. So she knows it’s a dangerous world out there on the internets and knows she must get some of that security to protect her. Of course she calls you, since you use that stuff all the time at work. Oh … and she thinks those “I’m a Mac, I’m a PC” commercials are really cute and that a Mac would be great because it doesn’t get any of those nasty viruses.

Sound familiar? Thought so. So what do you tell her? How about, “Gee mom, sounds like what you really need is a good cell phone, not a computer” or “Sure, get a Mac and then you can be stylish while getting pwned“. Problem is, you like your mom and want to help her make the right choice. Other problem is that you also like your significant other and really don’t want to commit to a full-time tech support gig.

What you’ve just encountered is the fundamental problem in personal computer security. For years Bill and Steve have been telling us that a personal computer is an appliance, just like a television or a toaster. That certainly sells lots of PCs and Macs but the problem is that, well, it’s balderdash. Hogwash. Crapola. When you purchase your first computer you discover this right away. Ahh, but not to worry – Uncle Bill (actually Uncle Steve now) has you covered. They’ll automatically push out fixes (to stuff they built wrong!) to keep you safe and secure. Okay… But wait! There’s more! There are many companies out there just dying to help you be more safe and secure who can’t wait to get their hands on your money. So before you know it that spiffy new computer you bought runs like a bloated turtle and you get to pony up annual payments for that privilege. And are you really safe and secure? Maybe. Possibly. Who knows?

So let’s go back to the original question: what is security in this context? What are the risks that your mom will face online and how does she manage them? Can you really “buy security” (or lease it per current business models) to manage these risks? Hang on there, Hoss! You just listen to Uncle Joe before you turn over any of mom’s hard-won dinero. Here is the Joe’s official in order list of security ideas for your mom.

Security Ideas for Mom

  1. Think. Don’t be an idiot. The vast majority of cyber incidents that result in actual damage could have been prevented by a simple smell test. This covers a lot of territory, but basically it comes down to this – use common sense. Obvious stuff like, don’t open email attachments you weren’t expecting or can’t identify. Or if something pops up you don’t understand – find out what it is before you click on it. My friend, a computer novice, recently upgraded to get online. He had all of the stuff you are supposed to have including anti-virus software from a leading vendor (think yellow box). So he gets this browser pop-up while he’s surfing that says “Your computer is infected with a virus!!! Press this button to remove it and make your system safe!!!” So he does. And it does heinous things to his computer, including disabling his spiffy yellow AV. DOH! It’s time to put that PC out of it’s misery and start over. This ugliness could have been prevented had my friend, an otherwise intelligent person, just thought about it for a moment and asked himself one simple question: “does this seem fishy?” (the smell test!). But isn’t that a little harsh? I mean we already established that he’s a computer novice. No, actually, it’s a dandy segue into the next point.
  2. Learn how to use your hardware and software. Or stated in the reverse, don’t use something you don’t understand. What I’m not suggesting here is that mom should become a hacker just so she can check email. Look at it this way: I don’t understand the complete operation of the stability control system in my Honda, but I do know that when the “TPS (Tire Pressure Sensor)” light comes on that I better check and adjust the tire pressure, and if the light doesn’t go off when I’ve done that I should take it in to my local Honda dealer. (Honda – here is an excellent sponsorship opportunity). The point is that you don’t need to be an expert, you just need to know basically how the system works and what it’s trying to tell you. In the example of my friend of #1, Had he known what to expect from his AV software when it encountered a virus, he wouldn’t have been fooled by the phony. If you don’t understand what a program does, then you almost certainly don’t need it. But wait – what about all that stuff that comes with mom’s new computer? Isn’t the point of that to take care of everything so that she doesn’t have to know anything about computers? In a word, NO! The purpose of that stuff – which is mostly crapware – is to sell you more stuff you don’t need. You think the company who manufactured your computer has your best interest at heart? See #1. And once again another dandy segue into the next point.
  3. It’s your computer. You don’t have to run anything you don’t want. Mom needs to show that machine who’s boss – Yeah who’s your mama! The point here is that just because your computer came with XYZ security suite (one month trial!) and your internet service provider gives you ABC security suite (the “lite” version – but for a fee you can get the real version!) you don’t have to use either. Remember – who’s your mama! If you really want to use a security suite then do a little research (see #2) and check out the many excellent free and open source packages. Chances are you can get out of this without parting with more of your dough. But more to the point, choose your computer wisely in the first place. Most folks walk into their local electronics superstore and expect the friendly sales staff to educate them about what they should buy. Duh – see #1. Why not, instead, make the idea of computer as appliance your goal? Lets take this from the top: Mom wants to a. get email, b. surf the web, c. search for information (as translated from the earlier mom-speak). My iPhone does all that and much more. In fact my iPhone does way too much for what mom needs, so she shouldn’t spend the money. My son has a modestly priced smart phone that does everything mom needs. Both phones are totally cool and pretty easy to use and you can turn off stuff you don’t need. And both are quite a bit more like an appliance than your average PC. The idea here is that you should get something that does what you need and only what you need. Also, forget the idea that you should “buy something that you can grow with”. Balderdash. Hogwash. Crapola. Whatever you buy today is going to be landfill fodder in 5 years (actually 3 years if you depreciate it with the IRS). There is no rule that says you must be able to read email, surf the web, chat with your friends, edit photographs, make music and produce movies all on the same device. Despite what the commercials say. See #1. In fact, let me assure you as a semi-serious electronic music producer, I definitely do not want my studio machine to be surfing the web. Remember – who’s your mama! Yeah I have multiple machines. One to do email and internet-related stuff and, well, lots of others to do other stuff (I admit it – I’m a geek). But my email and internet box is old (like 8 years old!) and cheap and it does it’s one job really well. Just like a toaster. Don’t be afraid to look into a mini laptop. These babies are small, cheap and will do everything mom needs. So on to the next idea (which is really a corollary to #1). Sorry lame segue this time.
  4. Your friends are clueless. Sad but true. When mom starts getting email she will no doubt have friends and relatives who think that chain letters really do bring good luck and/or prosperity and everyone they know should be alerted to the latest (to them) internet jokes and inspirational (why are angels supposed to be inspirational?) ravings. These well meaning folks will grab onto an internet hoax or urban legend and spam every one they have ever known with it. Some of these will turn out to be phishing scams, or “manual malware” (e.g. “to defeat this evil virus that no AV software can detect remove the KERNEL.SYS file“). Bottom line is, mom should seriously suspect any content she receives from these lovable – but clueless – folks. Especially when they state “you must see this adorable …” – no you must not. But just in case mom refuses to believe that Aunt Helen would ever send her something nasty. I know this guy in Nigeria who really needs to get a bunch of money out of the country and he’s willing to cut someone in if they’ll help him.

So before this post gets (even more) out of hand, notice that these first – and most important – four ideas have nothing to do with which anti virus software is best, or whether Macs are more secure than PCs. They are about common sense. Which isn’t all that common. I’ll actually get into addressing specific risks when “Security ideas for your mom” continues in another post.