Tuesday, April 29, 2008

Wireless security: home-field advantage, and "playing on the road"

Last week, a local television station (WJLA) in Washington discussed wireless security in businesses that keep consumer records, such as medical offices. I discussed the report at this URL.

A similar concept comes up with wireless security at home and particularly when traveling. Many motels and restaurants may offer free unsecured wireless access. A question would come up about doing personal transactions in such environments. This may be comparable to questions about doing personal transactions in hotel “business centers” on hotel computers or in Kinkos. I have done these before, even in Europe, and never had “a problem” (it was easy to get Internet services everywhere in Spain, France, Britain, etc.) One problem with personal business is the ability to check it frequently. If one is traveling for business, company policies may not allow personal use of their computers, and require that the individual manage his own access with his own laptop or hotel computers. The more often one can check basic information, like bank accounts, the lower the practical risk.

It is safer to do wireless work on the road (or at home) if one subscribes to a commercially managed network, of which Verizon is the best known, but there are many. I have not yet picked a provider for future road travel with a laptop, but Verizon tells me that its access is “secured” at hotspots, which cover most of the country. The visitor can visit this site or chat with one of their agents.

Modern laptops are sold with various cards for broadband and wireless access. Dell Inspiron (as of 2006) had 1394 Net adapter (firewire, not recommended for broadband); Intel® Pro/Wireless 2200BG Network Connection (wireless); Broadcom 440x 10/100 Integrated Controller (cable). When I boot up I see a “security-enabled wireless access” unit come up with no identification as to company. Sometimes, on the road, various unsecured networks show up, many of them with weak signals. Airports have them (Columbus Ohio had a very good and quick-responding network the last time I was there; BWI in Baltimore did not yet, although I don’t know about now). Dell’s website hints that some of its computers may connect to Wayport, but I called the company and it said that it has no specific relationship with Dell, and that the appearance of a strong signal at home from a secured network would be coming from a nearby home or local business that has set up a secured network. The appearance of signals (particularly unsecured – secure access signals usually come from reputable places) on a laptop when working even with cable broadband (Comcast for me) means, according to Wayport, that conceivably a wardriving hacker could view transactions done on the laptop even when not wireless-connected (even when the user has McAfee and Windows firewalls), and that a user in these circumstances should take more steps to secure potential wireless access. A couple of links on the blogger link at the beginning of this posting (about the WJLA report) discuss home wireless security in great technical detail.

When one purchases a wireless plan from a major provider, often it is connected to plans involving cell or Internet phone use, and sometimes cable or FIOS access. Often wireless will not be available at home unless one sets up a home network with a wireless router and one has cable or FIOS access; however, one would be able to take the laptop to a nearby hotspot for the company and get reasonably secure access.

Can someone "safely" use regular “paid” commercial wireless hotspots at home and on the road with normal laptop Windows and anti-virus security? Probably. Issues could arise when one accesses bank or brokerage accounts (to trade online) or ISP’s to publish online, or email. The practical risk is probably low if one can stay on top of everything one takes responsibility for and owns. Probably. It’s a good idea to limit oneself to secured connections (https) when conducting transactions or publishing online. McDonalds, Starbucks, and small establishments might be a little safer than hotels, malls and airports. Keeping track of one’s personal stuff when on the road (and required to be by work) is still an issue, and adds another complication these days to business travel.

Update: May 6:

The FBI has made a posting about wireless security and the danger of connecting to unsecured free wireless at "hot spots" here. The safest networks are those that you pay for from major companies (that stands to reason). It is even possible for a hacker to read information from a computer with an active wireless card even when the user hasn't connected.

Sunday, April 27, 2008

In DC area, school systems ponder off-campus social networking policies to deal with cyber-bullying

The Washington Post on Sunday April 27 carried, on p B1 Metro in the print edition, a story about cyber bullying in District and area schools. The article is “Schoolyard Face-Offs Blamed on Facebook Taunts,” by Daniel De Vise, link here.
The problem is that “normal” teenage "teasing" accelerates into bullying when it can be seen all over the planet (or at least by a very large and unknown audience) from social networking site profiles. Whitelisting of site profiles for minors does help. But now school systems are considering whether they need more policies dealing with what kids write at home on their own profiles, when the material is likely to affect the school campus. Lawyers and First Amendment specialists now have to debate this further.

Monday, April 21, 2008

Arlington County (VA) sends out emergency warnings with cyber alerts

Arlington County (VA) sends out emergency warnings by email to subscribers, and among these now are warnings about computer worms and email phishing scams. Today, Arlington alerted users to an FBI page concerning ongoing cyber investigations.

The latest scam seems to be sending a fake grand jury summons. This email might say that the subject is under grand jury investigation, or is called to testify before one. The FBI link is here. As always, the FBI recommends not opening such emails, but the greatest danger would come from embedded links.

A grand jury summons would always be delivered "in the real world" by appropriate legal service process, never by email.

Recently, I wrote about another issue with "spam comments" in blogs, where the spammer makes it appear that it is a legitimate member of the blogger publishing community. Always be careful about clicking on links in comments that appear to be ambiguous, come with little explanation or in comments with "word salad" or especially with multiple links to the same site. Fake anti-virus programs are being promoted in such comments. I monitor all comments.

Saturday, April 12, 2008

Does YouTube encourage anti-social behavior for "15 Minutes of Fame"?

YouTube has drawn criticism for allowing or “encouraging” immature teens to stage fights or attacks and then post videos of them in order to become global “celebrities.”

Several female teens and a couple of males were charged as adults in Florida for a "going viral" assault and possible kidnapping or false imprisonment after such an incident. ABC has a story by David Schoetz, Andrea Canning and Jonann Brady, April 11, 2008, story here.

Anick Jesdanun of the AP has a story about the legal implications here. Lawyers are saying that this doesn’t mean that YouTube or other similar sites are legally responsible. The 1996 Telecommunications Act contained a well known provision, section 230, that exempted ISP’s from downstream liability in these situations, and this law has been broadly interpreted as applying to sites that host content posted by others. Another well known case about this law is “JuicyCampus.”

Nevertheless, sites like YouTube always have Terms of Service, and will remove content known to be illegal when they are notified. But there are complaints that YouTube has not done this, or that it is hard for non-members to notify them of dangerous, offensive or illegal material. In the UK, there was an article in July 2007 in The Observer by Anushka Asthana and David Smith “Teachers call for YouTube Ban over Cyber-Bullying,” here.

There is also legal controversy (as in JuicyCampus, as I discussed on my main blog here) whether a content facilitator incurs more legal liability by promising to remove offensive content and then not doing so. Generally, most ISP’s and content hosts say that they will not routinely “fish” for offensive or illegal content, because doing so could incur liability; they will remove content when notified by a proper procedure. The DMCA safe harbor works under such a mechanism.

One mother in Florida told NBC News, "I hate the Internet."

Electronic Frontier Foundation’s discussion of Section 230 is here.

There is even more controversy because an employee of the Dr. Phil show helped bail out one of the defendants.

New Line Cinema distributed a movie about this "snuff" issue in 2001 by John Herzfeld, "15 Minutes." And in 1999 20th Century Fox released David Fincher's "Fight Club" with Brad Pitt.

In Richmond VA, in 1988 there was a (pre-Internet) arrest and conviction (and possible life sentence) for an attempted "snuff" crime that was going to be a video for sale.

Wednesday, April 09, 2008

Football player at Wake Forest gets in trouble over interpretation of his Facebook posting

There is another story about the fact that both public school and university officials now have to take a “zero tolerance” approach to “threats”, even implied ones, even when posted on social networking profiles or blogs owned by students, teachers, or any others.

The original story concerned a Wake Forest University (in Winston-Salem, about 100 miles north of Charlotte) football player (Lucas Caparelli, a graduate of Robinson Secondary School in Fairfax County) and a brief appeared on ESPN in late January, concerning an incident Jan. 14. The student was detained by campus police that day for writing on Jan. 13 a sarcastic note and poem that were perceived as a “threat” on his own Facebook profile. Taken at face value, at least one sentence (mentioning an “uzi”) could be taken as such. The rest of the posting is obvious parody and sarcasm. The original AP story appeared on ESPN here.

The detailed analytical story appears in the Sports section E1 of The Washington Post this morning, by Preston Williams, “In an instant, message has a lasting impact, online posting leads to suspension.” The long story is here and offers a slide show about the football player. Ironically, individual slides may be “purchased” from the Post.

The story includes the text of the note, which is written in the third person (as noted by AP). The third person wordage might have been intended to make the posting "fictive" and apparent to be a "hoax."

He was suspended from school, and county district attorneys in North Carolina are considering whether to prosecute. Since the message was posted from a computer in Virginia, it would sound as if there could be federal issues, but there are no reports of interest in federal prosecution. Actual prosecution would depend on application of an applicable statute as it is worded and normally interpreted; in the Internet age, interpretation is quite difficult and varies from court to court and state to state. In many school-related incidents, students are expelled or suspended but, in practice, not prosecuted. According to the news story, the student might be able to reapply next fall after psychological evaluation. There is also the element of the "adolescent brain," which even at age 20, often does not fully calculate or even grasp the potential downstream consequences of statements.

The student resented the attitude of “better off” students whom he feels had not “paid their dues” or earned their place in the world. He felt he was snubbed by them. Communicating social resentment and discomfort at meeting the social expectations of others was apparently his intent.

The Post story has a sidebar by Montana Miller at Bowling Green State University (Kentucky) in which she says “an online poster has to keep in mind how his words will be digested by a vast and often unknown audience.” She indicated that an Internet posting will be done in a particular “frame” (that is, frame of reference) understood by the author and perhaps others in the author’s personal circle, but school officials often do not know what that frame is, and must err on the side of caution. Here, the situation resembles the ban on jokes in airport security lines, because TSA screeners have no way of knowing what to take seriously. Speakers in the general public are in a kind of tug of war: there is instantaneous communication and freedom to speak, but there is a great risk of material being taken out of context because of the continuous media reporting of violent (or sexual) incidents around the country and around the world, especially post 9/11.

Even so, I wonder how John Stossel in ABC 20/20 would react to this case. He might say "Give me a break!"

The reports of "misinterpretation" incidents generated by social networking profiles and blogs have accumulated in the past two or three years. Earlier, back in the late 1990s (even before 9/11, but perhaps after Columbine and similar incidents), people were sometimes prosecuted for making "threats" or sending otherwise illegal material by email or through instant messages, but cases caused by content being found by search engines were then less frequent. There were several such email cases in Florida that I recall from 1999.

As some of my visitors know, I was involved in a controversy in 2005 in the Fairfax County Public Schools when I was substituting because of the way a fictitious screenplay I had written and posted on my own website had been interpreted when found (apparently by parents at home). The details are on the July 27 2007 entry here. At issue there is how the law behaves when “fiction” too closely simulates “reality” and when the speaker seems identifiable as a character. This sounds to me like an important and so far unexplored legal question about “implicit content” -- the "It's only a movie" problem.

Monday, April 07, 2008

Virginia is apparently first state to require Internet safety education in public schools

Today, April 7, 2008, NBC4 in Washington reported that Virginia is the first state to require Internet safety training in all grade levels, and this started in the fall of 2007 with the school year. The link is here; the original story is brief but is likely to expand with updates, as is NBC4's practice with developing stories.

I’m not sure that this means there is training in kindergarten or very early grades, and I haven’t heard anything about this and the SOL’s. But I do know from other discussions that the Virginia General Assembly mandated that school boards develop Internet safety education, at least for middle and high schools. My understanding was that Isafe is a major source of the educational materials.

The National Center for Missing and Exploited Children (http://www.missingkids.com/) is also a contributor. Over a third of minors say they have seen unwanted explicitly “adult” materials online. It’s not clear how well this tracks with parents’ use of Internet filters or monitoring of kids’ use, such as by centralizing a “family computer” or by using software that enables them to monitor their kids’ accounts.

As I’ve indicated, I believe that it should be mandatory for high schools (in English and social studies and perhaps technology classes) to offer specific instruction in workplace conduct, libel, privacy, fraud (impersonation, “dreamcatching” or “fiction” manipulation) and copyright law, and even the nebulous area of “reputation defense”. Teachers and administrators may need to seek outside help (as from universities or community colleges in their areas, or even law schools – and, to some extent, and with some caution -- from software companies themselves) to develop and present the curricula.

Several parents and teachers commented on my March 9, 2008 posting here on the FTC guidelines, and they bear rereading (see archives).

Friday, April 04, 2008

Web of Trust (MYWOT) is a new website safety rating service.

I got an email today from a new website rating facility called "Web of Trust", http://www.mywot.com/ which says it will offer safety scores of websites based on user community ratings.

(I wonder how WOT rates xpantivirus, which keeps sending out spam comments.)

The components of a rating are trustworthiness, vendor reliability, privacy, and child safety. It is not clear how closely child safety is related to just the presence of explicit pornography, or whether it can try to judge the murkier areas of implicit content and possible enticement. It could be tailored after the legal definition of "harmful to minors" as in COPA (now struck down) and other proposed legislation, but I am not sure of this yet.

One concern is that a site could get downgraded by users if it is frequently the subject of "spoofed" email spam (where the website is falsely used as the "sender" of the email, in violation of the CAN-SPAM Act).

There is a Youtube video here.

The blog for this site is here.

The most dangerous sites were "adult sites" "software" and "entertainment" (presskit link).

Offhand, the mechanics of the reporting from the site seem similar to McAfee Site Advisor: the "traffic light" approach of red, yellow and green, with color coded balls by search engine results placed there by plug-ins. However, user input is supposed to drive the rating. McAfee Site Advisor does give WOT a grade of "green."

This sounds like a website online "reputation defense" monitor. In a sense, it could become a reputation parameter for individuals who run their own websites.

Stay tuned on this one.

Update: April 16, 2008

WOT tells me that it released Beta Version 3 early April 6. Here is a link for the scorecard for this blog.

Tuesday, April 01, 2008

Myspace back in news: must it protect minors? Can it? Section 230 challenge? GMA story on Missouri case, also

I wrote about the Missouri Myspace hoax case in December on this blog (link) and got a couple interesting comments. This morning (April 1, 2008), ABC Good Morning America interviewed Ashley Grills, who was involved in setting up the “hoax” to spy on the teenage girl who would commit suicide when she believed she was “rejected.” The story is by Jonann Brady, “Exclusive: Teen talks about her role in web hoax that led to suicide; teen admits she created profile and wrote messages; testifies against neighborhood mom” link here. There is a federal grand jury investigation in Los Angeles based on the theory that the perpetrators created “wire fraud” by “defrauding Myspace.”

This whole tragic event reminds me of the other issue of "fiction" in blogs, websites and books, that too closely resembles "reality." I've discussed that on my main blog (March 26).

There is an AP story on AOL by Michael Kunzelman, “family pursues Myspace lawsuit,” in which a Texas family is asking a federal appeals court in New Orleans to renew a “downstream liability” case against Myspace, after a federal judge in Austin denied that Myspace has a legal ukase to protect minors against sexual predators. The story is here. At issue is Section 230, the liability shield, in the 1996 Telecommunications Act, which shields ISP’s from liability. Here is the Cornell Law School link for Section 230.