The Dangers of Software Patents

IFSO: Richard Stallman: The Dangers of Software Patents

Richard Stallman speaks out on Software Patents and why “intellectual property” is an oxymoron. I don’t agree with him on everything, but he’s dead on here.

Published on October 24, 2007 at 11:03 am

When Cops Go Fishing

Story Here. And here and here and here and here and here and here and here and here

Sam Peterson is a man in a hurry. So during his busy day he takes time out to park next to a coffee shop offering free wi-fi, open up his laptop and grab his e-mail before going off on his merry way.

Unfortunately, he lives in Sparta, Michigan, where the police seem to have little grasp of technology and even less of a sense of humor.

Here’s how it went down. One day, he is checking his e-mail when the local Police Chief spots him in the parking lot. Concerned that he might be stalking a local hairdresser, the cop asks him what he is doing. Sam tells him. Cop says “ok” and lets him go.

Later, the cop had a change of heart. He later said “I had a feeling a law was being broken, but I didn’t know exactly what.”

**Ahem** A cop didn’t know what law was being broken? So what was he arrested for - thoughtcrime? Did he feel something in his water? Was there a grave disturbance in the force?

This has “fishing expedition” written all over it - without a bass boat or even the obligatory six-pack of beer.

This is wrong on so many levels.

They charged him under Michigan’s “Fraudulent access to computers, computer systems, and computer networks” law. That’s right: They used an anti-hacking law to prosecute someone for checking his e-mail in the parking lot. Sam was the first person to be charged under that law, which dates back to 1979 and was revised in 2000.

He could have fought the charge - and would probably have won - but the legal fees would have been more than he could afford, and the penalty had he been found guilty would have been severe.

And don’t even think of using the “theft of services” defense; the monetary value of the “theft” was less than a discarded sandwich-wrapper in the parking lot. And if there was a theft, it is a civil matter, not a criminal one - and the coffee-shop should sue, which is a completely different legal process.

The “crime” was not what he did, but where he was sitting when he did it. He could have been sending porn spam while downloading movies, but if he had been in the coffee shop while he did it, that would have been ok.

Over the past few years, there have been several cases where people who have been piggybacking on someone else’s wi-fi - even for innocent purposes - have been subjected to similar draconian treatment.

The two best analogies that I can think of are reading a newspaper by someone else’s porch-light, and reading over someone else’s shoulder. Both are easily preventable. Neither is a criminal offense - at least in places other than Sparta, Michigan.

The prosecution stands on the premise that Sam “did not have permission to use the network”. From an engineering standpoint that’s simply not true. A client’s laptop sends out a request for wireless service, and the Access Point (AP) grants it. It is also not always possible to determine which AP you have connected to. In an airport, your laptop might connect to a restaurant’s “for-customers-only” AP instead of the airport’s “public” one. It is therefore possible to be committing a felony without intending to or even being aware of it. It is therefore simply inappropriate to use a “no-permission” defense in this situation.

As things stand, the law does not put any requirement on the owner of a network to secure it. It ain’t hard, even in a coffee shop. Use a password. Change it daily or weekly, put up a sign or print the password on receipts.

Paradoxically, if someone connected to my AP and started downloading music, and the RIAA caught wind of it, I would be on the receiving end of their ire; they would not accept a “someone hacked my network” defense, because (they say) I am legally responsible for what happens on my network, and I am expected to do my due diligence to ensure that no illegal activity occurs on it. Yet here, the AP owner is not held responsible in any shape, form or fashion.

Looks like a double standard to me - one law for businesses, one law for people.

I do not believe that it is the purpose of these laws to serve as a refuge for idiots who are too lazy and sloppy to take even the most basic steps to protect themselves. The law should be amended so that unprotected networks are fair game. It is easy enough to put up the equivalent of a “Private Beach - Keep Out” sign.

I find it amusing that a coffee shop will spend hundreds or thousands of dollars getting trained professionals to install a state-of-the-art burglar alarm system, but can’t be bothered with the hassle of taking the most rudimentary steps to secure their network.

Any road up, Sparta MI is high on the list of places I don’t want to go.

Published on June 6, 2007 at 9:53 am

Wireless Worries

Just got a Tungsten T3. Picked it up on eBay last week for $130. Came with a hard case and a Wi-Fi SD Cartridge.

I tested the wi-fi cartridge while walking around the block. The results left me horrified. Not because of the hardware - that worked beautifully. What bothered me was how many wireless routers were broadcasting in the clear with no security at all.

Only about one-third of the routers that I saw had security of any kind. Of the remainder, about half did not even change the default settings.

Now all that I was doing was looking for networks. I was not trying to use them for anything - and even if I had, the only thing that I would be doing would be e-mail, which is pretty harmless.

The next dude in the area might have less benign intent.

Published on December 15, 2006 at 6:59 pm

Yes, I will fix your computer, but…

This blog entry made me chuckle, though I don’t agree with their conclusion.

I am a software engineer by profession, a geek by nature. I program to pay the bills, and build and fix computers for fun. This is one way for me to put something back, and I am happy to help and teach others wherever possible. My motto is “I don’t charge my friends; my enemies cannot afford me”.

However, over the years there are some people whom I will not help:

The Stingy: Some people expect a lot but won’t pay for anything. They’ll happily pay a monkey in grease-stained overalls $80+/hr labor to fix their BMW, but expect a degreed, trained and experienced IT professional to fix their computer for free. What’s wrong with this picture?

The Ignorant: Reformatting and reinstalling a machine can be done in a few hours or days. Cleaning out a system and recovering data takes a lot longer - days or weeks. If I spend three days manually removing viruses and spyware from your machine, I will usually give you a lecture on security and best practices (“Keep your system patched, use an antivirus, a spyware scanner and a firewall, don’t install crapware and for Heaven’s sake back up your data!”). Come back to me six months later with a buggered system with no Windows updates (“but it takes too long!”), antivirus (“updates?”), firewall (“what’s that?”) or spyware scanner and I will not be kind. I am happy to help those in need, but I will NOT subsidize your stupidity. At least not for free.

The Impulsive: It is said that the only stupid question is the one you don’t ask. I am happy to give advice, but I prefer it when people ask me before they do something silly, such as…

  • The guy who upgraded his Windows 98 machine to Windows 2000 and then complained it was “running slow” (“Dude you have only 64MB of memory!” “Wha… I need more?”)
  • The people who run out and buy new machines then ask me “What do you think of the $200 e-Machines that is on sale at Wal-Mart?” “It’s a piece of crap”, “Oh, I just bought one.” “Why the HELL are you asking me what I think of it NOW?”

The Lazy: Nine out of ten problems can be found with a little Googling. I expect at least due diligence on your part. If you are too damned lazy to at least type the error description into a search engine, don’t expect me to be impressed.

Published on September 29, 2006 at 4:29 pm

The gospel according to Bruce Schneier

From time to time you will hear me talking about this guy, whom I regard as one of the foremost experts on security. I found a writeup about him that you might find interesting.

On a slightly less serious note, here is a spoof site about him… enjoy!


Published on September 25, 2006 at 4:05 pm

Microsoft’s Disingenuous Advantage

Windows genuine disadvantage (The Register)

Over the weekend I spent several happy hours helping a friend build a new computer. For once, everything worked first time; this is, in itself, cause for celebration.

The most time-consuming part of the entire operation was the series of install-and-reboot cycles that are necessary to install a plethora of Windows XP security updates.

In the past, Microsoft have repeatedly and vociferously exhorted us to set “Automatic Updates” to download and install updates automatically, for the very sensible reason that most non-technical users do not keep their machines patched.

However, I prefer to stay in control of what gets installed on my machine, so I have always stopped short of giving Microsoft that level of discretion. As with every machine that I touch, I configured Automatic Updates on this machine to download and notify. I could not tell you why, just a vague paranoia that MS or someone else would one day use the Automatic Updates for some nefarious means.

That day has finally arrived. There in the list of “Critical Security Updates”, was Windows Genuine Advantage.

WGA is Microsoft’s way of making sure that your copy of XP is “legit” (this was), and remains “legit” in the future. WGA has been around for nearly two years (since September 2004), but until recently it was strictly optional.

No longer. Once the Automatic updates were installed (with the exception of WGA, which I had specifically de-selected), I decided to check out the Windows Update website and see if there was anything that we had missed. The first thing that I was told when I got there was that we needed to install a new version of Windows Update. This has happened before, so…

Install >click<

Installing Windows Genuine Advantage.

Noooooooo! >Cancel< >Cancel< >Cancel< >Cancel<

Thankfully I was able to stop the installation in time, but I was incensed that Microsoft was resorting to this kind of trickery in order to install a piece of software that I had specifically prohibited.

Since when is WGA “a new version of Windows update”?

I have a big problem with WGA being installed as a Critical Security Update; three, in fact.

  1. It is not critical to the running of Windows.
  2. It is nothing to do with security.
  3. It is not an update to the OS; it is an extra feature.

So there you have it; three lies for the price of one.

The idea of WGA is not a bad one, but its execution leaves a lot to be desired. By all means, allow users to check if their license is legit, and by all means provide them with incentives to do so. But foisting a mandatory and continuous check - however well-meaning - on your users after the fact is just plain wrong. No matter what the EULA says, we did not sign up for this!

As Steve Gibson would say, “It’s my computer!”

As we have already seen, Microsoft will resort to trickery and deception to install a piece of software that provides absolutely no benefit to the user and cannot be removed (at least not easily) once installed.

There has been some talk of WGA actually being spyware, and there are lawsuits pending. The lawsuits will probably fail; Microsoft’s defence is that since they have permission to install WGA then it cannot, by definition, be spyware.

Technically this is true, but Microsoft is again being disingenuous. The permission that they speak of is in the End User License Agreement (EULA) that you have to agree to in order to install Windows in the first place. This EULA basically gives MS the keys to your machine; they can do what they want, when they want, and they are not responsible or liable for damages. It would be interesting to see if the EULA - which most people don’t read and could not understand if they did - would stand up to serious scrutiny in a courtroom. I suspect that it would not, but in the meantime…

Don’t like the EULA? Don’t install Windows.

Published on July 31, 2006 at 2:34 pm

You can run but you can’t hide.

Feds Retrieve Google Records after Gmail Used for Hate Speech

A hard lesson for those who think that an “anonymous” e-mail address allows them to make death threats with impunity. One character who allegedly did this got a knock on the door from the men in black.

Bravo.

The FBI did some checking with Google, which led them to Yahoo, which led them to a specific machine and the person who was apparently using it to make death threats. I am all for privacy and anonymity, but that does NOT free us from responsibility for our actions. The Feds did this by the book, with court-sanctioned warrants and specific requests for specific information.

There’s a big difference between a by-the-book investigation and a warrantless information-gathering “fishing expedition” that is only legal “because we said so”. There are situations where anonymity on the Internet is a good thing; this isn’t one of them.

Moral: If you wouldn’t say it face-to-face, don’t say it on the Internet.

 

 

Published on July 28, 2006 at 4:59 pm

Man gets into Homeland Security HQ with fake ID

Published on June 12, 2006 at 12:00 pm

How You Are About To Become Responsible For Credit Card Fraud

How You Are About To Become Responsible For Credit Card Fraud

The basic idea is simple enough; back up a credit-card purchase with a PIN-type electronic signature. So far so good.

What is not so good is the change that this will make in the Credit Card system.

Under the current system “Chargebacks are a big pain in the butt for online merchants. Right now the card holder (you or I) has considerable latitude in refusing to pay for anything that is bought in a shop, especially online… most people do not actually realize just how much power they have under law when seeking to nullify a payment made by credit card. When a card holder does this, it is called a “chargeback” to the merchant.”

That’s right, the merchant takes all of the risk for bad transactions… but not for much longer. In the view of the credit-card industry, this new system is now secure enough to move that risk. Given that there are only three parties in the transaction - the merchant, the bank and you, guess who will be left holding the bag?

That’s right… you. “…if you are hacked and fraudulent transactions appear on your bill, then you and the bank that issued the card to you are going to have to sort it out. You will not be able to charge the fee back to the merchant.”

First Check 21, now this.

If you were looking for a good reason to stop using credit cards, you have just found it.

Published on May 23, 2006 at 12:00 pm

Everyone Wants to ‘Own’ Your PC

Wired News: Everyone Wants to ‘Own’ Your PC

An excellent piece by my favorite Guru, Bruce Schneier.
To quote Steve Gibson, “It’s MY Computer!”

Published on May 18, 2006 at 12:00 pm