More Airline nonsense!

Yes, the airlines are at it again.  This time, according to the Wall Street Journal, they are complaining about the idea that you might actually want to get off of a plane after some number of hours of sitting on a tarmac.  The pendulum has swung so far to the side of the airlines that they think they can simply bully the FAA into backing off on the meager regulations it has proposed.  I have another idea.

With the airlines threatening to cancel flights at the first hint of trouble, I propose that the FAA institute one additional rule: when a flight is canceled, the airline responsible must rebook a passenger for a flight to his or her destination on that same day, or allow the passenger to book the next available flight to his or her destination on any airline.  Just for spice, we might add something about allowing that booking to be in a higher class of service if it is the only available manner to get a passenger moving.

Still think we don’t need a real Passenger’s Bill of Rights?

How Important Is Your EMail Address To You?

It’s really not clear to me whether this is a generational thing or what, but people tell me that email addresses are no longer that important to them, what with MySpace, Facebook, and the like.  Others just use SMS, where their cell phone number is the important thing for people to reach them.  For some, however, their email address is their identity, and their only means of being reached by friends and family.  That’s true for me, at least.  I’ve had the same sets of email addresses for about 12 years: one for work, one main one for play, and a bunch of others for special use.  This is nothing compared to my parents, who have had (roughly) the same phone number for almost forty years.

If your email address is important, here’s a question you should ask: is it important for you to control it from a legal standpoint?  Why would you want to do this?  Let’s look at a few cases:

  1. Your Internet Service Provider (ISP) provides you your email address with your Internet service, be that DSL, Cable, or something else.  What happens if you decide to change ISPs?  Do you lose your email address?  And do you care?  Can someone else get your old email address, and what are they likely to receive?
  2. You have a free email account from a service like Yahoo!, MSN, or Google, and the account gets broken into.  The first thing the bad guy does is change all of the security questions that are meant to cover password recovery.  How, then, are you able to prove to the service provider that the account was yours in the first place?  Can you even get your old account shut down, so that the attacker can’t masquerade as you?
  3. This is the inside-out version of (2): suppose someone claims you are masquerading as the legitimate owner of your account?  Who do you go to in order to prove that you are the legitimate owner of the account?
  4. Your mail service provider goes out of business, and the domain they have been using for you is sold.
  5. There’s one special case I’ll mention, but let’s not try to solve it: you use your work email for all email, and you change jobs or are laid off.  It’s a safe assumption that the primary use of your work email account should be work, and that you are taking a risk by using the account for more than work.

For all but the last case, you have a way of at least mitigating the problem by having your own domain name, like ofcourseimright.com.  That is, go to a registrar that you trust and choose a domain name that will be yours as long as you pay the bill for the domain.  However, is this just moving the problem?  It could be if someone breaks into a registrar account that is not well secured.  However, because you own the domain and the registrar does not, you are able to take at least some actions, should either your registrar not recognize you, or should your registrar itself go out of business (this has happened).

The hard part is finding someone to host your domain.  This sounds like a royal pain in the butt.  And it is!  So why not just use your cell phone or a social network site?  Cell numbers are at least portable in many countries.  Social networking like Facebook is another matter, and can leave you with many of the same problems that email has, and more, as we have seen.  Similarly, many financial services that play with your money, like PayPal and eBay, rely on you having a stable email address.

Olympic moment: the Women’s Biathlon

Last night we watched Magdalena Neuner of Germany win the Women’s Biathlon at the Vancouver games.  I have only three questions about this event:

  1. With all of those guns, if someone is in front of you, can you shoot them to get ahead?  After all, this is a competition?
  2. With all of those guns, where were all of the Americans?  Not a single one apparently was in the final.  In fact, it seems that this is a Russo-European race.  Four continents went completely unrepresented.
  3. With all of those guns, where the heck was James Bond?  I kept expecting to see him cut across the track, while all the competitors from Eastern Europe started aiming at him.  THAT would have been entertainment.

(I have no idea why we watched this particular event.  We’d just finished watching Slumdog Millionaire for the first time.  That was good.)

Airlines’ motto: Squeeze now, apologize later

Who’s getting squeezed?  Of course we all are.  With additional costs for everything, including seat assignments, baggage, and (Heaven help you) change fees, airlines are making money again, on our backs.  One might think there would be an easier way to do this, like simply increasing fees, but for whatever reasons, it’s not the case.  Southwest has always been on the forefront of charging for this or for that.  Its latest adventure into charging people who seem too large seems to have gone awry, thanks to the light shone on this policy by Hollywood director Kevin Smith. A spokesman told CNN, “We want to assure everyone that has expressed concern over the situation that we will use this experience in our customer service program when training our employees on the correct way to apply the policy.”

This discussion isn’t about the size of individuals, or even Southwest’s policy on large people.  It’s about the fact that they were able to impose a policy, which until this point hasn’t really given them much grief.  And why not?  Many people agree with the policy in principle: you take up more than one seat and you should pay for it.  The problem is, of course, in how the policy was implemented, and this is often the case.  Often the result of poor training, contracting of services, or just underpaid staff, passengers are subjected to policy fabrications.  A classic case that we have suffered is whether our FAA-certified car seat can go on board a passenger plane.  What often happens is that it is allowed in one direction, and then we have to argue for it to be allowed in the return direction.  Worse was when we were in Newark Airport and were told by a staff member that we would not be allowed to rebook our flight when a security incident occurred, even though Continental Airlines had stated on its web site that we could.

And so what do the airlines do after such events?  They apologize.  They ask for our forgiveness.  I would gladly give them that forgiveness, were it not for the fact that forgiving often doesn’t go both ways.  If I need to make a change to my flight will they forgive me?  If my daughter is ill and we need to reschedule our trip, will they forgive me?  Of course not.

The underlying problem is that individual consumers have very little buying power.  Even large corporations get very little say in how airlines treat them.  With market entry costs in the tens of billions of dollars for an airline, consumer protection laws are needed to keep airlines honest.  Kevin Smith should be compensated for the poor service he received.  So should people who are less visible, who are not Hollywood directors.  America really needs the same sort of protections that the European Commission implemented in 2005.

Airlines may argue that such regulation hampers their ability to offer tailored services, or that it is simply too costly.  It’s difficult to quantify the impact of such legislation as well, because airline statistics in Europe are not easily available.  Still there is a moral need to address the problem.  Agree?  Disagree?

Get mad? Get Even? Or get up and running again?

When a system is broken into, the management often has a choice to make: should they take some time to try to figure out who was behind the break-in, should they bring in the police, or should they just clean up the mess that they find and move on?  This is the choice that the City of Norfolk faced when a time bomb clobbered 784 systems, according to this blog.  Debugging and understanding how a break-in occurred is a bit of a black art unto itself.  It requires a substantial amount of expertise that focuses on the innards of Windows, and it requires time for the experts to track back to what they think the source of the problem is.  Even then, a trace may not be possible.  For one, it depends on what sort of forensic evidence can be found within logs, whether those logs themselves have been tampered with, and what sort of backups were taken of the systems involved.

Here’s the problem with not trying to trace back: the miscreant who screwed you the first time can do the same thing again, using the precise same attack vector.  At the very least it helps to have relationships with your security vendor to be able to report the problem, but as defenses get more complex, our continuing game of Cat and Mouse demands that the attacks do as well.  An initial attack vector might itself lead to the use of secondary means to attack.  For instance, probing attacks work very poorly against a walled-off Intranet, and in fact can be a means to alert The Guys In White Hats that the probing system has been broken into.  However, the likelihood of that happening from within the Intranet is smaller.  What’s more, as white collar criminal investigators know, one cannot rule out the possibility that someone on the inside will in fact have gotten things going.

This supports the whole notion of what Cisco calls Borderless Networking. That’s a marketing mouthful for a concept that Steve Bellovin articulated many many years ago, which says that bottleneck firewalls are going to need to give way to more sophisticated forms of defense on devices themselves.

A combination of good backups and logging to secure systems might have helped.  Logs give some notion as to who did what when, assuming that you are logging the right things.  Backups provide you a means to preserve state.  This works in three dimensions: you can, perhaps even incrementally, look back into the history of a system for forensic purposes, you can preserve a crime scene through a very low level backup, and you can get back to a known good state.
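To make the look-back use of backups concrete, here is an added sketch (not from the original post) that compares constructed nightly backup manifests against a trusted baseline to find the last known good snapshot and the first snapshot in which each file changed.  The function names, paths and snapshot labels are assumptions made for the example, and it assumes the monitored paths are expected to stay static.

```python
import hashlib

def manifest(files):
    """Map each path to the SHA-256 of its contents (files: path -> bytes)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def first_divergence(snapshots):
    """snapshots: list of (label, manifest), oldest first; the first is the
    trusted baseline. Returns (last_good_label, changes), where changes maps
    each path to (label of the first snapshot where it differs, kind)."""
    base_label, base = snapshots[0]
    last_good = base_label
    changes = {}
    for label, current in snapshots[1:]:
        for path in sorted(set(base) | set(current)):
            if path in changes:
                continue  # already attributed to an earlier snapshot
            if path not in current:
                kind = "deleted"
            elif path not in base:
                kind = "added"
            elif current[path] != base[path]:
                kind = "modified"
            else:
                continue
            changes[path] = (label, kind)
        if not changes:
            last_good = label  # still identical to the baseline
    return last_good, changes

# Constructed sample data: four nightly backups of a hypothetical Windows host.
DAY1 = {
    "C:/Windows/System32/svc.dll": b"vendor build 1",
    "C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost",
}
DAY2 = dict(DAY1)
DAY3 = {**DAY1,
        "C:/Windows/System32/svc.dll": b"altered contents",
        "C:/Windows/Tasks/cleanup.job": b"unexpected scheduled task"}
DAY4 = {p: d for p, d in DAY3.items() if not p.endswith("hosts")}

SNAPSHOTS = [(label, manifest(files)) for label, files in
             [("day1", DAY1), ("day2", DAY2), ("day3", DAY3), ("day4", DAY4)]]

if __name__ == "__main__":
    last_good, changes = first_divergence(SNAPSHOTS)
    print("last known good snapshot:", last_good)
    for path, (label, kind) in sorted(changes.items()):
        print(f"{label}: {kind:8} {path}")
```

The gap between the last good snapshot and the first divergent one also bounds the time range of logs worth reading first.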