How ‘Ethical’ Hotel Chain Marriott Gouges Guests in the Name of Wi-Fi Security

You’ve settled in, fired up your laptop—and not only is the $15-a-day hotel Internet slow as molasses, you can’t use your own hotspot for ‘security’ reasons. Why the policy is unlawful.
By Kyle Chayka
Dec 31 2014

The Marriott hotel chain swears it has to force guests to keep using its expensive, creaky Wi-Fi connections because the alternative, personal hotspots, would open the door to cybercrooks. Too bad the argument is, at best, half-true. Hotels’ Internet monopolies may be hurting our security rather than helping it.

A recent FCC investigation found Marriott’s blocking of personal Wi-Fi devices to be “unlawful”—kind of like the hotel charging you for towels and banning any you brought yourself.  

The hotelier’s practice “unjustifiably prevents consumers from enjoying services they have paid for and stymies the convenience and innovation associated with Wi-Fi Internet access,” the FCC added.

Marriott was forced to pay $600,000 in penalties for its Wi-Fi blocking—a black mark for a firm that advertises itself as “a 2014 World’s Most Ethical Company.” So now the company is asking the FCC to, in effect, reverse itself.

“Rogue wireless hotspots [c]an cause degraded service, insidious cyberattacks, and identity theft,” Marriott told the FCC in a recent petition.

But regulators may have a tough time accepting Marriott’s logic, in part because the hotelier’s assertion “conflates two different downsides implicated by Wi-Fi hotspots,” said Justin Brookman, the director of consumer privacy at the Center for Democracy and Technology.

Sure, there’s some chance of “diminished performance from Marriott’s own networks because of signal interference” from the hotspots, Brookman said. But that’s a different issue from “the potential for rogue hotspots set up by criminals to steal personal information from people who decide to log on to those networks.” And in either case, “the significant benefit from allowing Wi-Fi hotspots outweighs these concerns.”

In other words, Marriott is mixing up the quality of its product—the speed of hotel Internet—with its users’ basic security.

Which makes one wonder whether the hotel’s excuses are less about security than protecting the Internet monopoly on its premises. These days, charges for such service can range from $250 to $1,000 for conferences and rise to $20 daily for guests (one woman recently paid $366 for a day of high-speed Internet at a hotel in Cannes, according to The Telegraph), even for legendarily bad Wi-Fi.

Blocking hotspots is “just an economic move to control the connection so they can continue to command $15 per day for Wi-Fi and $10 per movie,” said Steven Sesar, the COO of FreedomPop, a wireless Internet provider. Sesar points out that hotels often block Netflix and other streaming platforms within the network so guests have no other option but to pay up.


Re: How the internet’s engineers are fighting mass surveillance

[Note:  This comment comes from friend Steve Schear.  DLH]

From: Steven Schear <>

Date: December 31, 2014 at 01:20:26 EST


Subject: Re: [Dewayne-Net] How the internet’s engineers are fighting mass surveillance

As Bruce Schneier noted in 2001 in public and internal presentations, just before the collapse of his managed monitoring company Counterpane Internet Security, defenders must close every possible security hole; attackers only need to find a good one and exploit it successfully. It was almost a restatement of Henry Kissinger’s analysis of the Vietnam war:

We fought a military war; our opponents fought a political one. We sought physical attrition; our opponents aimed for our psychological exhaustion. In the process we lost sight of one of the cardinal maxims of guerrilla war: the guerrilla wins if he does not lose. The conventional army loses if it does not win. The North Vietnamese used their armed forces the way a bull-fighter uses his cape — to keep us lunging in areas of marginal political importance.

I think all parties focused on improving communications privacy and security for the masses need to look beyond an Internet dependent on easily monitored commercial exchanges and mobile carriers. They have to think like the Vietnamese thought. Make no mistake, this is a war.

How the internet’s engineers are fighting mass surveillance
By David Meyer
Dec 30 2014


The Internet Engineering Task Force has played down suggestions that the NSA is weakening the security of the internet through its standardization processes, and has insisted that the nature of those processes will result in better online privacy for all.

After the Snowden documents dropped in mid-2013, the IETF said it was going to do something about mass surveillance. After all, the internet technology standards body is one of the groups that’s best placed to do so – and a year and a half after the NSA contractor blew the lid on the activities of the NSA and its international partners, it looks like real progress is being made. 

Here’s a rundown on why the IETF is confident that the NSA can’t derail those efforts — and what exactly it is that the group is doing to enhance online security.

Defensive stance

The IETF doesn’t have members as such, only participants from a huge variety of companies and other organizations that have an interest in the way the internet develops. Adoption of its standards is voluntary and as a result sometimes patchy, but they are used – this is a key forum for the standardization of WebRTC and the internet of things, for example, and the place where the IPv6 communications protocol was born. And security is now a very high priority across many of these disparate strands.

As IETF chair Jari Arkko told me, if previous battles over the inclusion of encryption in the internet protocol set hadn’t been won by those advocating greater security – their opponents were governments, of course – then using the net would be a riskier business than it currently is. “Fortunately we decided we should have strong encryption, and I do not know what would have happened if we did not make that decision at the time,” he said, pointing to e-commerce and internet banking as services that may never have flourished as they have.

With trust in the internet having been severely shaken by Snowden’s revelations, the battle is back on. In May this year, the IETF published a “best practice” document stating baldly that “pervasive monitoring is an attack.” Stephen Farrell, one of the document’s co-authors and one of the two IETF Security Area Directors, explained to me that this new stance meant focusing on embedding security in a variety of different projects that the IETF is working on.

As Arkko put it:

I think a lot of the emphasis today is on trying to make security a little more widely deployed, not just for special banking applications or websites where you provide your credit card number, but as a more general tool that is used for all communications, because we are communicating in insecure environments in many cases — cafeteria hotspots and whatever else.

On Sunday, Germany’s Der Spiegel published details of some of the efforts by the NSA and its partners – such as British signals intelligence agency GCHQ — to bypass internet security mechanisms, in some cases by trying to weaken encryption standards. The piece stated that NSA agents go to IETF meetings “to gather information but presumably also to influence the discussions there,” referring in particular to a GCHQ Wiki page that included a write-up of an IETF gathering in San Diego some years ago. 

The report mentioned discussions around the formulation of emerging tools relating to the Session Initiation Protocol (SIP) used in internet telephony, specifically the GRUU extension and the SPEERMINT peering architecture, adding: “Additionally, new session policy extensions may improve our ability to passively target two sides communications by the incorporation of detailed called information being included with XML imbedded [sic] in SIP messages.”


Politician’s fingerprint reproduced using photos of her hands

At a Chaos Computer Club convention, hacker Starbug suggests notable people wear gloves.
By Megan Geuss
Dec 29 2014

Last week at a Chaos Computer Club (CCC) convention in Hamburg, Germany, German hacker Starbug claimed he reproduced a fingerprint belonging to German Defense Minister Ursula von der Leyen using nothing but some commercially available software and a number of high-resolution photos of her hand.

Starbug, whose real name is Jan Krissler, said that he used a close-up photo of von der Leyen’s thumb that was taken with a “standard photo camera” at a press conference from a distance of three meters (about 10 feet). He also used several other pictures of her thumb which had been taken from different angles at different times. Then, according to VentureBeat, Starbug used a program called Verifinger to recreate the print.

Fingerprint readers like those that are commonly found on more recent iPhone models have been hacked in the past. Starbug himself is famous for circumventing Apple’s Touch ID in just 48 hours—and he spoke to Ars about the feat at length in an interview. But recreating a fingerprint with just a photo takes a well-known hack a step further. On CCC’s website, the group described the conclusions of Starbug’s most recent hack: “In the past years, it was successfully demonstrated a number of times how easily fingerprints can be stolen from [their] owner if a person touched any object with a polished surface (like glass or a smartphone)… With this knowledge [of recreating fingerprints from photos] there will be no need to steal objects carrying the fingerprints anymore.”

“Politicians will presumably wear gloves when talking in public,” Starbug told the audience according to the BBC.


On the new Snowden documents

[Note:  This item comes from friend David Rosenthal.  DLH]

By Matthew Green
Dec 29 2014

If you don’t follow NSA news obsessively, you might have missed yesterday’s massive Snowden document dump from Der Spiegel. The documents provide a great deal of insight into how the NSA breaks our cryptographic systems. I was very lightly involved in looking at some of this material, so I’m glad to see that it’s been published.

Unfortunately with so much material, it can be a bit hard to separate the signal from the noise. In this post I’m going to try to do that a little bit — point out the bits that I think are interesting, the parts that are old news, and the things we should keep an eye on.


Those who read this blog will know that I’ve been wondering for a long time how NSA works its way around our encryption. This isn’t an academic matter, since it affects just about everyone who uses technology today.

What we’ve learned since 2013 is that NSA and its partners hoover up vast amounts of Internet traffic from fiber links around the world. Most of this data is plaintext and therefore easy to intercept. But at least some of it is encrypted — typically protected by protocols such as SSL/TLS or IPsec.

Conventional wisdom pre-Snowden told us that the increasing use of encryption ought to have shut the agencies out of this data trove. Yet the documents we’ve seen so far indicate just the opposite. Instead, the NSA and GCHQ have somehow been harvesting massive amounts of SSL/TLS and IPsec traffic, and appear to be making inroads into other technologies such as Tor as well.

How are they doing this? To repeat an old observation, there are basically three ways to crack an encrypted connection:

• Go after the mathematics. This is expensive and unlikely to work well against modern encryption algorithms (with a few exceptions). The leaked documents give very little evidence of such mathematical breaks — though a bit more on this below.
• Go after the implementation. The new documents confirm a previously-reported and aggressive effort to undermine commercial cryptographic implementations. They also provide context for how important this type of sabotage is to the NSA.
• Steal the keys. Of course, the easiest way to attack any cryptosystem is simply to steal the keys. Yesterday we received a bit more evidence that this is happening.

I can’t possibly spend time on everything that’s covered by these documents — you should go read them yourself — so below I’m just going to focus on the highlights.

Not so Good Will Hunting

First, the disappointing part. The NSA may be the largest employer of cryptologic mathematicians in the United States, but — if the new story is any indication — those guys really aren’t pulling their weight.

In fact, the only significant piece of cryptanalytic news in the entire stack is a 2008 undergraduate research project looking at AES. Sadly, this is about as unexciting as it sounds — in fact it appears to be nothing more than a summer project by a visiting student. More interesting is the context it gives around the NSA’s efforts to break block ciphers such as AES, including the NSA’s view of the difficulty of such cryptanalysis, and confirmation that NSA has some ‘in-house techniques’.


Why Airlines Want to Make You Suffer

Dec 26 2014

This fall, JetBlue airline finally threw in the towel. For years, the company was among the last holdouts in the face of an industry trend toward smaller seats, higher fees, and other forms of unpleasantness. JetBlue distinguished itself by providing decent, fee-free service for everyone, an approach that seemed to be working: passengers liked the airline, and it made a consistent profit. Wall Street analysts, however, accused JetBlue of being “overly brand-conscious and customer-focussed.” In November, the airline, under new management, announced that it would follow United, Delta, and the other major carriers by cramming more seats into economy, shrinking leg room, and charging a range of new fees for things like bags and WiFi.

It seems that the money was just too good to resist. In 2013, the major airlines combined made about $31.5 billion in income from fees, as well as other ancillaries, such as redeeming credit-card points. United pulled in more than $5.7 billion in fees and other ancillary income in 2013, while Delta scored more than $2.5 billion. That’s income derived in large part from services, such as baggage carriage, that were once included in ticket prices. Today, as anyone who travels knows well, you can pay fees ranging from forty dollars to three hundred dollars for things like boarding in a “fast lane,” sitting in slightly better economy-class seats, bringing along the family dog, or sending an unaccompanied minor on a plane. Loyal fliers, or people willing to pay a giant annual fee, can avoid some of these charges; others are unavoidable.

The fees have proved a boon to the U.S. airlines, which will post a projected twenty-billion-dollar profit in 2014. To be fair, airlines are not just profiting because of fee income. Reduced competition, thanks to mergers, helps. There is also the plummet in the price of oil, which the airlines seem to have collectively agreed is no reason to reduce fares or even remove “fuel surcharges.” But for the past decade it is fees that have been the fastest-growing source of income for the main airlines, having increased by twelve hundred per cent since 2007.

If fees are great for airlines, what about for us? Does it make any difference if an airline collects its cash in fees as opposed to through ticket sales? The airlines, and some economists, argue that the rise of the fee model is good for travellers. You only pay for what you want, and you can therefore save money if you, for instance, don’t mind sitting in middle seats in the back, waiting in line to board, or bringing your own food. That’s why American Airlines calls its fees program “Your Choice” and suggests that it makes the “travel experience even more convenient, cost-effective, flexible and personalized.”

But the fee model comes with systematic costs that are not immediately obvious. Here’s the thing: in order for fees to work, there needs be something worth paying to avoid. That necessitates, at some level, a strategy that can be described as “calculated misery.” Basic service, without fees, must be sufficiently degraded in order to make people want to pay to escape it. And that’s where the suffering begins.

The necessity of degrading basic service provides a partial explanation for the fact that, in the past decade, the major airlines have done what they can to make flying basic economy, particularly on longer flights, an intolerable experience. For one thing, as the Wall Street Journal has documented, airlines have crammed more seats into the basic economy section of the airplane, even on long-haul flights. The seats, meanwhile, have gotten smaller—they are narrower and set closer together. Bill McGee, a contributing editor to Consumer Reports who worked in the airline industry for many years, studied seat sizes and summarized his findings this way: “The roomiest economy seats you can book on the nation’s four largest airlines are narrower than the tightest economy seats offered in the 1990s.”


The Slow Death of ‘Do Not Track’

Dec 26 2014

HAYMARKET, Va. — Four years ago, the Federal Trade Commission announced, with fanfare, a plan to let American consumers decide whether to let companies track their online browsing and buying habits. The plan would let users opt out of the collection of data about their habits through a setting in their web browsers, without having to decide on a site-by-site basis.

The idea, known as “Do Not Track,” and modeled on the popular “Do Not Call” rule that protects consumers from unwanted telemarketing calls, is simple. But the details are anything but.

Although many digital advertising companies agreed to the idea in principle, the debate over the definition, scope and application of “Do Not Track” has been raging for several years.

Now, finally, an industry working group is expected to propose detailed rules governing how the privacy switch should work. The group includes experts but is dominated by Internet giants like Adobe, Apple, Facebook, Google and Yahoo. It is poised to recommend a carve-out that would effectively free them from honoring “Do Not Track” requests.

If regulators go along, the rules would allow the largest Internet giants to continue scooping up data about users on their own sites and on other sites that include their plug-ins, such as Facebook’s “Like” button or an embedded YouTube video. This giant loophole would make “Do Not Track” meaningless.

How did we get into this mess?

For starters, the Federal Trade Commission doesn’t seem to fully understand the nature of the Internet.

Online companies typically make money by utilizing data gleaned from their users to sell targeted ads. If the flow of user data slows down, so does the money. A study commissioned by the Interactive Advertising Bureau with researchers from Harvard Business School underscores the point: at least half of the Internet’s economic value is based on the collection of individual user data, and nearly all commercial content on the Internet relies on advertising to some extent. Digital advertising grew to a $42.8 billion business last year, a sum that already exceeds spending on broadcast television advertising.

Essentially, the collection of user data makes possible the free access to maps, email, games, music, social networks and other services.

Digital privacy advocates, understandably, view the online ecosystem differently. They are alarmed by the growth of the surveillance economy, in which companies compile and store information about what a user reads, looks for, clicks on or buys. In this world, disclosure is fairly meaningless, because almost no one reads the terms of service that define the relationship between the customer and the company.

The regulatory process is the wrong way to address this fundamental tension. If the government wants to shift the Internet economy away from a “barter” system (exchanging personal data for free services) toward a subscription-based system, Congress should take charge.

Even worse, the Federal Trade Commission has abandoned responsibility, all but throwing up its hands. Instead of leading the effort to write good rules, based on the broadest public participation, the commission has basically surrendered control of the process to the industry panel, the “tracking protection working group” of the World Wide Web Consortium, or W3C.

The outcome could be worse than doing nothing at all.

The industry recommendation is expected to distinguish between companies that have a “first party” relationship with users — consumer-facing Internet content providers and Internet service providers — and “third party” companies, which include most small advertising-technology companies.