Turning the Home Router from a Threat to a Helping Hand

lybid_1002The Federal Communications Commission is set to vote on a proposed rule that would require cable companies to offer consumers more choices about whether they use a rented cable box or home router or their own.  More choice is good, and one could make a strong argument that lack of consumer choice has retarded development of home routers.  However, this decision may come with a few pitfalls from a security perspective.

Home routers were recently a component of the attack against krebsonsecurity.com.  There are many reasons that this would be the case.  Some routers have as a blank password with user name “admin” that allows anyone to access them.  Others have well-known vulnerabilities in their software that has gone unpatched for years.  If the service provider is providing the router, then we can say that it is responsible for the device’s maintenance.  On the other hand, the consumer has a particularly bad track record of doing a good job protecting the device.

Second, because most consumers do not employ security professionals to protect devices in their homes, the service provider is in a good position to offer that protection.  It does require that the service provider have access to the home router to identify threats within the home itself.  By having some control over that device and having access to logging information, the home router is in a position to identify potential attacks within the home itself.  But the router itself needs some guidance to perform that task, and the router itself typically cannot retain all of the necessary knowledge.  Cloud services are useful for this purpose, whether managed by the SP or by some other entity.

Regardless of what the FCC orders, SPs are in the position of setting the standards necessary to connect a router to the Internet.  CableLabs has set several standards, one known as DOCSIS.  While the current specification has a limited security section, one could easily envision additional capabilities that would protect device within the home.  As new entrants such as Google and Ubiquiti develop additional capabilities, they may have more to say about security in the home.  If home users are to have a choice, one choice they should have is to allow service providers to protect them.


Picture courtesy Sergiy dk on Wikimedia CC BY-SA 3.0

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]

Who owns your identity?

“On the Internet, nobody knows you’re a dog.”  Right?  Not if you are known at all.  Those days are gone.  As if to prove the point, one of my favorite web sites is on the wrong side of this issue.  An actress unsuccessfully sued imdb.com for lost wages for having included her age on their site.  There is a well known axiom in Hollywood that starlets have a half-life, and age is something that is best kept secret.  IMDB countered that what matters is not an actress’ age but her ability to play a certain age.

My point is this: she sued and was unable to have information about her removed.  Is age something that you believe should be private?  I do.  I especially do for people born after 1989 where a birthday and a home city can lead to someone guessing your Social Security Number.

But what about other physical attributes one might consider private?  “He has a mole that you can only see if he’s naked.”  How about illness?  “This actor cannot lift his arm due to a stroke.”  Once the information is out there, there’s no way to get rid of it.   And this in the UK, which is subject to the European Data Privacy Directive.  The situation is considerably bleaker for your personal information in the United States.

Related to this is The Right To Be Forgotten.  In Europe they are considering new rules that say that you have a right to have information about you removed.  This has some American firms in an uproar, arguing that a lack of transparency only increases risk and inefficiency.  But what are the limits?  What about this actress who doesn’t want her age known?  How did her age provide for market efficiency?

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]

WCIT, the Internet, the ITU-T, and what comes next

Courtesy of Mike Blanche of Google, the map on the left shows in black countries who signed the treaty developed at WCIT, countries in red who indicated they wouldn’t sign the treaty, and other countries who are thinking about it.  A country can always change its mind.

Over the next few weeks that map will change, and the dust will settle.  The fact that the developed world did not sign the treaty means that the Internet will continue to function relatively unmolested, at least for a time, and certainly between developed countries.   As the places that already heavily regulate telecommunications are the ones who are signing the treaty, its impact will be subtle.  We will continue to see international regulatory challenges to the Internet, perhaps as early as 2014 at the ITU’s next Plenipotentiary conference.  Certainly there will be heated debate at the next World Telecommunication Policy Forum.

This map also highlights that the ITU is the big loser in this debacle.  Secretary General Hamadoun Touré claimed that the ITU works by consensus.  It’s just not so, when matters are contentious, and quite frankly he lacked the power and influence to bring all the different viewpoints together.  This loss of consensus has split the Union, and has substantial ramifications.  There is no shared vision or goal, and this will need to be addressed at the next Plenipotentiary conference.

With different sectors and diverse participants, it is hard to lump the Union into a single group. Nations come together to manage radio spectrum in the ITU-R.  That’s important because spectrum crosses borders, and needs to be managed.  In the ITU-D, both developing and developed countries come together to have a dialog on key issues such as cybersecurity and interoperability.  The work of the -D sector needs to be increased.  Most notably, their Programmes need even more capability, and the study groups should be articulating more clearly the challenges and opportunities developing countries face.

The -T standardization sector is considerably more complex.  It’s important not to lose sight of the good work that goes on there. For example, many of the audio and video codecs we use are standardized in ITU-T study group 16.  Fiber transmission standards in study group 15 are the basis for long haul transmission.  Study group 12 has some of the foremost experts in the world on quality of service management.  However, the last six years have demonstrated a fundamental problem:

At the end of the day, when conflicts arise, and that is in the nature of standards work, because of one country one vote, the ITU-T is catering to developing countries who by their nature are not at the leading edge of technology.  The ITU-T likes to believe it holds a special place among standards organizations, and yet there have been entire study groups whose work have been ignored by the market and governments alike.  To cater to those who are behind the Rogers adoption curve is to chase away those who are truly in front.  This is why you don’t see active participation from Facebook, Twitter, or Google in ITU-T standards, and why even larger companies like Cisco, IBM, HP, and others prefer to do protocol work largely elsewhere.1

So what can be done?

In practice study groups in ITU-T serve four functions:

  • develop technical standards, known as recommendations;
  • provide fora for vertical standards coordination;
  • direct management of a certain set of resources, such as the telephone number space;
  • establish accounting rates and regulatory rules based on economics and policy discussions.

The first two functions are technical.  The other are political.  The invasion of political processes into technical standards development is also a fundamental issue.  I offer the above division to demonstrate a possible way forward to be considered.  The role of the -D sector should be considered in all of this.  Hearing from developing countries about the problems they are facing continues to be important.

The ITU-T and its member states will have the opportunity to consider this problem over the next two years, prior to its plenipotentiary meeting.  There is a need for member states to first recognize the problem, and to address it in a forthright manner.

What Does the Internet Technical Community Need to Do?

For the most part, we’re at this point because the Internet Technical Community has done just what it needed to do.  After all, nobody would care about regulating a technology that is not widely deployed.  For the most part, the Internet Technical Community should keep doing what we’re doing.  That does not mean there isn’t room for improvement.

Developing countries have real problems that need to be addressed. It takes resources and wealth to address cybersecurity, for example. To deny this is to feed into a political firestorm.  Therefore continued engagement and understanding are necessary.  Neither can be found at a political conference like WCIT.  WCIT has also shown that by the time people show up at such places, their opinions are formed.

Finally, we must recognize an uncomfortable truth with IPv4.  While Africa, Latin & South America still have free access to IPv4 address space, the rest of the world has exhausted its supply.  Whenever a scarce resource is given a price, there will be haves and have nots.  When the have nots are poor, and they often are, it can always be classed as an inequity.  In this case, there truly is no need for such inequity, because IPv6 offers everyone ample address space.  Clearly governments are concerned about this.  The private sector had better regulate itself before it gets (further) regulated.

Another Uncomfortable Truth

Developing countries are also at risk in this process, and perhaps most of all.  They have been sold the idea that somehow “bridging the standardization gap” is a good thing.   It is one thing to participate and learn.  It is another to impede leading edge progress through bloc votes.  Leading edge work will continue, just elsewhere, as it has.

1 Cisco is my employer, but my views may not be their views (although that does happen sometimes).
[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]

What’s WCIT about? It depends on who you ask.

This week the World Conference on International Telecommunication (WCIT) began with a remarkable and important declaration from the Secretary General, Dr. Hamadoun Touré:

And WCIT is not about Internet governance.  WCIT is about making sure that we connect the billion people without access to mobile telephony, and that we connect the 4.5 billion people who are still off line.

Let’s first take a moment to celebrate the fact that 2.5 billion people have access to the Internet, and that the rate of Internet penetration has grown at a rate of 14% over the last few years to 35%, according to the ITU’s own numbers.  That’s great news, and it leads to a question: how shall WCIT focus on improving on that number?   How have the International Telecommunication Regulations that have served 2.5 billion people not served the other 4.5 billion?

Unfortunately, none of the proposals that have been made available actually focus on this very problem.  Instead, at least one prominent proposal from Russia focuses on… Internet governance.  Let’s wish the Secretary General great success in persuading Russia and other governments that indeed that is not what this conference is about.

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]

How Important Is Your EMail Address To You?

Really it’s not clear to me if this is a generational thing or what, people tell me that email addresses are no longer that important to them, what with MySpace, FaceBook, and the like.  Others just use SMS, where their cell phone number is the important for people to reach them.  For some, however, their email address is their identity, and their only means of being reached by friends and family.  That’s true for me, at least.  I’ve had the same sets of email addresses for about 12 years– one for work, one main one for play, and a bunch of others for special use.  This is nothing compared to my parents, who have had (roughly) the same phone number for almost forty years.

If your email address is important, here’s a question you should ask: is it important for you to control it from a legal standpoint?  Why would you want to do this?  Let’s look at a few cases:

  1. Your Internet Service Provider (ISP) provides you your email address with your Internet service, be that DSL, Cable, or something else.  What happens if you decide to change ISPs?  Do you lose your email address?  And do you care?  Can someone else get your old email address, and what are they likely to receive?
  2. You have a free email account from a service like Yahoo!, MSN, or Google, and the account gets broken into.  The first thing the bad guy does is change all of the security questions that are meant to cover password recovery.  How, then, are you able to prove to the service provider that the account was yours in the first place?  Can you even get your old account shut down, so that the attacker can’t masquerade as you?
  3. This is the inside-out version of (2): suppose someone claims you are masquerading as the legitimate owner of your account?  Who do you go to in order to prove that you are the legitimate owner of the account?
  4. Your mail service provider goes out of business, and the domain they have been using for you is sold.
  5. There’s one special case I’ll mention, but let’s not try to solve it: you use your work email for all email, and you change jobs or are laid off.  It’s a safe assumption that the primary use of your work email account should be work, and that you are taking a risk by using the account for more than work.

For all but the last case, you have a way of  at least mitigating the problem by have your own domain name, like ofcourseimright.com.  That is- go to a registrar that you trust and choose a domain name that will be yours as long as you pay the bill for the domain.  However, is this just moving the problem?  It could be if someone breaks into a registrar account that is not well secured.  However, because you own the domain and the registrar does not, you are able to take at least some actions, should either your registrar not recognize you, or should your registrar itself go out of business (this has happened).

The hard part is finding someone to host your domain.  This sounds like a royal pain in the butt.  And it is!  So why not just use your cell phone or a social network site?  Cell numbers are at least portable in many countries.  Social networking like Facebook is another matter, and can leave you with many of the same problems that email has, and more, as we have seen.  Similarly, many financial services that play with your money, like PayPal and eBay, rely on you having a stable email address.

My online identity is tied to...

View Results

Loading ... Loading ...
[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]