CFP2008: Deep thoughts on deep packet inspection

DPI came up in the Friday morning discussion of network neutrality and of when exactly an ISP has crossed the line. There is a material distinction between the “content” and the “meta-data” of a communication. For example, the rules around a pen register / trap-and-trace are different and more stringent than those governing a full wiretap. For IP communications, the parallel to the phone number is the header of an IP packet, which describes its destination, how much data it contains and perhaps hints at the protocol. Looking past that into the payload of the packet is what can be termed “deep packet inspection.”

On the panel it was pointed out that DPI was simply not commercially feasible until recently. The hardware required to look at every packet flying by on a high-speed gigabit link is not exactly stocked at the local Best Buy. According to David Reed, initial demand was driven by intelligence applications. But Moore’s law does not discriminate between military and commercial use. As soon as the capability was within striking distance for large ISPs, people started looking for ways to capitalize on it: in other words, a solution in search of a problem. As with most of these contrived, artificially created uses of technology that start from the ISDN position (“innovations subscribers don’t need”), the first attempt has proved less than brilliant.

The proposals from Charter and British Telecom cross the line from dubious into no-doubt-about-it nefarious. This is the one scenario where less intrusive solutions are not possible, because the business model favors collecting more data about customers. There is an interesting correlation between how far into the IP packet the ISP must look and the social acceptability of its objectives. Comcast can manage its scarce resources by simply counting bits, looking at the size of the IP packets sent without regard for their destination or port. As it turned out, their first crude, inept attempt did look at port numbers and singled out BitTorrent. Luckily bandwidth is bandwidth, and while the ISP has every right to create different pricing models that may require limiting the resources consumed by the heaviest users, it has no business deciding which protocol the customer will use or what endpoints they choose to communicate with. Looking at the size of the IP packet and keeping tabs on usage is good enough for this purpose.

Looking at more data in the packet cranks up the intrusiveness level. The destination address reveals the websites the customer is visiting. Advertising networks have traditionally relied on this information for targeting, and this is the same data Charter and British Telecom are going after. The final step involves looking past the header and directly into the contents of the packet. Moore’s law is not on the side of privacy in this case. The CFP discussion and Paul Ohm’s ideas about the ECPA connection are very timely.
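The three “depths” described above (byte count only, header fields, payload) can be made concrete on a single packet. The following is an added example, not code from the original post: it assembles one constructed IPv4/TCP packet and reports which facts are visible to an inspector that reads only the length, one that reads the IP and TCP headers, and one that reads the payload. The addresses, ports and payload are made-up sample values.

```python
"""Which facts are visible at each inspection depth of an IPv4/TCP packet.

Added example (not from the original post). Checksums are left at zero
because the packet is only parsed, never sent.
"""
import struct
from ipaddress import IPv4Address

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_FMT = "!HHIIBBHHH"       # 20-byte TCP header without options


def build_packet(src, dst, sport, dport, payload):
    """Assemble a minimal IPv4 + TCP packet from constructed values."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(IPV4_FMT, 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp_hdr = struct.pack(TCP_FMT, sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def inspect(packet, depth):
    """Return the facts an inspector learns at depth 'count', 'header' or 'deep'."""
    if depth == "count":
        # Metering by volume: only the byte count, no destination, port or protocol.
        return {"bytes": len(packet)}
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    facts = {"bytes": total_len, "src": str(IPv4Address(src)),
             "dst": str(IPv4Address(dst)), "proto": proto}
    payload_start = ihl
    if proto == 6:  # TCP: ports sit in the first four bytes of the transport header
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        facts.update(sport=sport, dport=dport)
        payload_start = ihl + (packet[ihl + 12] >> 4) * 4
    if depth == "header":
        return facts
    if depth == "deep":
        facts["payload"] = packet[payload_start:]
        return facts
    raise ValueError(f"unknown depth {depth!r}")


def indistinguishable(p1, p2, depth):
    """True when an inspector working at this depth cannot tell the packets apart."""
    return inspect(p1, depth) == inspect(p2, depth)


if __name__ == "__main__":
    web = build_packet("10.0.0.2", "203.0.113.5", 40000, 80, b"GET / HTTP/1.1\r\n")
    p2p = build_packet("10.0.0.2", "203.0.113.5", 40000, 6881, b"0123456789ABCDEF")
    for depth in ("count", "header", "deep"):
        print(depth, "same?", indistinguishable(web, p2p, depth), inspect(web, depth))
```

At the “count” depth the web request and the peer-to-peer packet of equal size are identical, which is exactly why volume-based metering needs no knowledge of protocols; telling them apart requires reading at least the transport header, and reading the request line itself requires the payload.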

cemp

Ford Motor Company and the long-anticipated rude awakening

According to CNN/Money, Ford Motor Company concedes that high gas prices are here to stay, and as a result the company will not be able to execute on its profitability plan by 2009 as forecast earlier. Readers may be wondering why this is news. Detroit has been a one-trick pony for a long time. All three manufacturers had established businesses in light-to-heavy trucks and SUVs. These bets paid off handsomely through the 1990s and well into the first half of this decade, with the exception of the brief recession following the dot-com implosion. Meanwhile the passenger car market was ceded to foreign imports and there was virtually no interest in new fuel-efficient alternatives. But such over-specialization is extremely dangerous: it is generally recognized that dependence on a single product line creates a major vulnerability. The technology parallel is MSFT, a perennial two-trick pony with operating systems and productivity software. The difference is that MSFT has been very aggressively trying to diversify into online services, gaming consoles and automotive computing, to name a few. Ford has been forging full speed ahead.

It’s not clear whether Ford management failed to see this coming or whether the internal structure prevented action. A more charitable interpretation is that Ford did not hedge correctly on the price of oil. The last decade of the 20th century showed a clear upward trend in the price of crude and gasoline, with long periods when the price of the refined product seemingly “unhinged” from the price of the underlying commodity. Yet the fluctuations did not appreciably change lifestyles. There was no price elasticity, commentators argued, because the amount of fuel consumed is decided a long time in advance based on the commute and the vehicle. Once individuals migrate to the exurbs and commit to 45 minutes of rush-hour driving in an 8000 lb SUV, it’s difficult to respond to changes in pricing.

But the laws of economics were not permanently suspended. There is a price point where even existing owners may change their consumption pattern. More importantly, before that point is reached another pressure appears: prospective car buyers gravitate towards higher-mileage options. Ford CEO Alan Mulally says: “We saw a real change in the industry demand in pickups and SUV in the first two weeks of May. It seems to us we reached a tipping point.” This acknowledgment is an important first step but arrives about 5 years too late. Interestingly enough, Mulally was earlier a vice president at Boeing, another company very vulnerable to oil prices and with no easy way out: there is no such thing as a hybrid 747, although Virgin airlines grabbed headlines with a brief biodiesel experiment. Fortunately airlines, unlike consumers, have always factored efficiency into their purchasing decisions. Bringing this insight into Ford could be one of his main contributions. Meanwhile Ford remains unlikely to garner a “buy” recommendation any time soon.

cemp

CFP 2008: Network neutrality and the end of flat pricing models

(Reflections on the past Computers, Freedom and Privacy conference.)

The event had no coherent theme this year unlike the relevance of copyright in 2002, electronic voting in 2004 at Berkeley, the panopticon of commercial surveillance in 2005 at Seattle and the corresponding questions around intelligence in 2006 in DC. Network neutrality and the recent overtures from Comcast, British Telecom and Charter may have been the closest to a shared preoccupation with the crisis-of-the-day.

One welcome development is that the audience on the whole had moved beyond the particulars of Comcast blocking BitTorrent, discussed earlier here. Many people, including Paul Ohm and David Reed (who coined Reed’s law describing the value of collaborative networks), made the point that the purported goal of managing scarce upstream bandwidth could have been achieved by much less intrusive means, including metering usage regardless of the protocol involved. The network neutrality principle rules out any justification for picking on one protocol or application, even if Comcast network engineers decided empirically that one protocol was responsible for the lion’s share of bandwidth usage. And there is no excuse for injecting bogus network traffic (forged reset packets) in response to perceived usurping of bandwidth. Comcast, to its credit, had a recent moment of clarity and announced a more nuanced approach for managing its available capacity, emphasizing “protocol agnostic.”

As the CFP discussion made clear, BitTorrent and its alleged use for sharing copyrighted content is a red herring, a distraction from the core issue, which is purely economic. It is the question of who is paying for bandwidth and exactly how much. Throughout much of the 1990s residential Internet access remained slow, primitive and uncommon. Dial-up connections were the norm and subscribers paid for the amount of bandwidth used. In this environment bits were precious, applications were designed to eke out the greatest utilization from the modest bandwidth available, and spam literally cost money by driving up usage charges. Eventually, as the amount of capacity expanded everywhere, from the massive amounts of fiber underground bulking up the backbone to upgrades in the so-called last mile to the home, it became possible for ISPs to enter the market with a disruptive business model: a flat monthly fee for unlimited usage. When AOL switched over to this structure in 1996, it was overwhelmed by the response.

During the transition from dial-up to broadband this tradition of all-you-can-eat pricing was inherited. Granted, service tiers still existed and greater bandwidth could be purchased for higher monthly fees. Within a particular tier it made no difference whether the subscriber surfed the web all day long or rarely powered up her computer. This was either the realization of an old prediction made about nuclear energy (“electricity too cheap to meter”) in the context of bandwidth, or a sign that everyone was on board with the arrangement of infrequent users subsidizing the high-demand households. It would not have been the first time: similar subsidies occur all the time in technology, including for example different SKUs for software, where enterprises pay far above cost to enable consumer versions to be sold at deep discounts.

Either way, the tacit agreement between subscribers and ISPs has continued. Until now. Just as the post-World War II euphoria over nuclear energy making electricity essentially free gave way to Cold War anxiety as the long-term problems were better understood, the visions of exponentially improving bandwidth quickly disappeared. Unlike CPU and memory, bandwidth proved surprisingly resistant to Moore’s law. Broadband access by DSL or cable still costs about what it did several years ago, and while available network speeds increased gradually, it was a far cry from the doubling every 18 months that other components of the PC experienced.

The major disruption instead was the rise of new bandwidth-hungry applications, particularly those clamoring for upstream bandwidth. Peterson’s law says that work expands to fill the time available. Internet applications did the same thing for bandwidth. Streaming video may have brought us to an inflection point. All-you-can-eat makes sense when the subsidies are reasonable; in other words, when the expected range of consumption lies in a narrow band, where the difference between the heaviest users and less demanding ones is small. (That difference is a proxy for the amount of subsidization going on. Less frequent users are missing out on that much value and the heavy users get a corresponding free ride.) In the good old days of narrowband, the difference between the Internet addicts and infrequent users may have been insignificant. Today the difference between checking email and streaming a Netflix movie can be two orders of magnitude.

It’s clear that ISP networks are oversubscribed: there is not enough capacity to deliver 10Mbps to every user at the same time, even though that is the advertised service level. As long as the average demand works out to below some threshold, everyone is happy. That situation calls for a mix of connection profiles: some idling, others engaged in low bandwidth-intensive tasks and another fraction going full throttle. When more subscribers start maxing out their usage and disparities in consumption grow, the flat pricing model cannot survive. Not surprising for a telco, Comcast tried to solve this problem in the most crude and heavy-handed way, by trying to “take out” one protocol and suppress demand. Equally predictably, it just dug itself into a deeper hole, sparking a new round of debate on network neutrality and even stirring government into action.

Future predictions? Instituting pay-as-you-go may be a challenge, even when it is the most efficient allocation of bandwidth. Customers are used to the flat fee structure. Instead we might expect two things. First is a global cap on the amount of bandwidth available per month, similar to wireless plans, with overage charges or reduced service levels when the cap is reached. The second response would be an increasing number of service tiers: for example a “file-sharing plan” (obviously named something more acceptable) may offer higher upstream bandwidth and greater caps. All of these are consistent with network neutrality: the subscriber gets an allotment of bandwidth in terms of maximum available, sustained over a period of time and perhaps for the duration of a month. The user is free to exercise this bandwidth any way they choose: any protocol, any website, any time, without interference from the ISP. Limitations imposed on exceeding the expected demand level are transparent and fixed in advance. More importantly, the customer can decide to opt for the next service tier when necessary.
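To show the difference between singling out a protocol and the cap-and-tier approach sketched above, here is an added example (not code from the original post) that runs two policies over the same constructed month of traffic. The subscribers, ports, byte counts and tier caps are all made up for illustration; port 6881 only stands in for “the protocol an ISP chose to pick on.”

```python
"""Protocol-specific throttling versus a protocol-agnostic monthly cap.

Added example, not from the original post. All flow records and tier
caps below are constructed sample values.
"""
from collections import defaultdict

GB = 10**9

# Constructed month of flows: (subscriber, destination port, bytes transferred)
FLOWS = [
    ("alice", 443, 60 * GB),   # heavy streaming video over HTTPS
    ("alice", 443, 30 * GB),
    ("bob", 6881, 2 * GB),     # light use of the "suspect" protocol
    ("bob", 80, 1 * GB),
    ("carol", 80, 3 * GB),     # occasional web browsing
]

# Constructed service tiers: (name, monthly cap in bytes), cheapest first
TIERS = [("basic", 50 * GB), ("plus", 150 * GB), ("file-sharing", 500 * GB)]


def throttle_by_port(flows, suspect_ports=frozenset({6881})):
    """The policy the post criticises: pick on one protocol regardless of volume."""
    return {sub for sub, port, _ in flows if port in suspect_ports}


def monthly_totals(flows):
    """Per-subscriber byte count; destination ports are never consulted."""
    totals = defaultdict(int)
    for sub, _, nbytes in flows:
        totals[sub] += nbytes
    return dict(totals)


def cap_decisions(flows, tier="basic"):
    """Protocol-agnostic policy: who exceeded the cap of their current tier,
    and which tier their actual usage would fit in."""
    caps = dict(TIERS)
    decisions = {}
    for sub, total in monthly_totals(flows).items():
        fitting = next((name for name, cap in TIERS if total <= cap), None)
        decisions[sub] = {
            "bytes": total,
            "over_cap": total > caps[tier],
            "suggested_tier": fitting,   # None means even the top tier is exceeded
        }
    return decisions


if __name__ == "__main__":
    print("throttled by port:", throttle_by_port(FLOWS))
    for sub, d in cap_decisions(FLOWS).items():
        print(sub, d)
```

Run over this sample, the port-based policy hits only bob, the lightest of the heavy-protocol users, while the volume-based policy flags alice, whose streaming is the real load, and tells her which tier would cover it. The second policy never looked at a port or a payload, which is what makes it compatible with the neutrality principle described above.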

cemp

LifeLock proves social security numbers can not be defanged

“I’m Todd Davis, CEO of LifeLock. And ..-…-…. is my real social security number.”

This was the full-page advertisement in the New York Times Sunday magazine. Except the SSN was not blanked out, and this was no careless redaction error. LifeLock had developed an identity theft solution so reliable that the CEO was willing to disclose his own social security number to prove it. Brave indeed: an SSN is far more dangerous than a credit card number for many reasons. The card networks have already accepted the risk of payment card fraud and absorb losses (at least in the US; your mileage may vary by jurisdiction), cards can be revoked, and the damages are bounded by the spending limits on cards. The SSN on the other hand enables so-called “new account fraud” because it is used as an authenticator: knowing the SSN for a person counts as proof of being that person. Lenders are happy to extend credit based on this ludicrous authentication protocol and there is no Visa/Mastercard to underwrite that risk by refunding consumers for losses. (Full disclosure: more on this distinction appears in a chapter this blogger contributed to an upcoming book by Stanford press.)

This distinction has implications for a breach. Having a credit card number made public is easily recoverable, often with minimal damage. In the 2006 FTC Survey on identity theft, the median loss from existing card fraud was exactly $0. It would not be quite as impressive if the LifeLock CEO had published his credit card number in the newspaper, except that it may run afoul of the card-holder agreement if there are any requirements for “due diligence” in security. But the social security number is an identifier US residents are stuck with for life. It cannot be revoked or easily changed. If any protection service could control the risk to the point that an individual can publish their SSN in a newspaper, that would have been a major breakthrough.

Today a Wired article shows it’s too early for celebration. LifeLock is getting sued on behalf of three customers who claim that the service does not work. The attorney filing the charges points to the fact that there have been 87 attempts to fraudulently use the identity of the CEO, including one in which the perpetrator succeeded in taking out a payday loan in Texas. In addition the article concedes:

“Davis said it’s possible driver’s licenses have been issued to other people in his name because of the widespread availability of his personal information – and because of what he described as the flimsy mechanisms in place to report that kind of fraud.”

This is not completely surprising: virtually all of the identity theft protection services depend on the triumvirate of credit bureaus for detection. Any new loan application will be reported to these companies (in fact even the existence of a credit check prior to granting the loan is recorded) and can be periodically queried. But a new driver’s license will not appear on the radar. The reason is structural: the SSN is used in an open, distributed ecosystem without a centralized clearing point. Payment card networks have complete visibility into all transactions involving the card. Actions involving the SSN can only be reconstructed by putting together fragments of records from data brokers such as the credit reporting bureaus, Acxiom, ChoicePoint and Seisint (now owned by Lexis-Nexis). The case against LifeLock suggests that this patchwork solution is far from being a reliable identity theft defense.

cemp

Website monitoring: canary in the mine for traffic shaping?

Website monitoring is an established business. Perhaps the best known example is Keynote, whose statistics carry a weight akin to Nielsen ratings minus the subjective element of user preference. These systems measure the performance of websites as perceived by customers. Typically they have an array of sensors distributed across the globe (the more dispersed, the better the picture that emerges) that periodically ping a website to check how quickly the pages load, whether any errors are returned, or whether key services such as authentication experience an outage.

So far none of them have stepped up to the plate and offered to detect traffic shaping. Considering that network neutrality is under attack from all directions, this could be the next application. Suppose an ISP in North America decides to put the brakes on downloads from Netflix while prioritizing streaming video traffic from a competing website. (It’s not a stretch to imagine that a kickback, a revenue-sharing model or even a past grudge against Netflix could motivate this behavior.) An extensive sensor array would reveal this anomaly, provided there is at least one sensor inside this ISP’s boundary. The measurements may reveal unexpected latency compared to other network locations in the same region, or strange bandwidth caps in effect over time.
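The detection the paragraph describes, comparing one ISP’s readings against other vantage points in the same region for the same target, can be expressed in a few lines. This is an added example, not code from the original post or from any monitoring vendor. The sensor readings, region, ISP and site names below are constructed placeholders; the thresholds are arbitrary assumptions chosen for illustration.

```python
"""Flagging traffic shaping from a distributed sensor array.

Added example, not from the original post. Each reading is what one sensor
measured against one target; all values below are constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed readings: (sensor, region, isp, target, latency_ms, throughput_kbps)
READINGS = [
    ("s1", "na-west", "isp-a", "video-site-1", 42, 4800),
    ("s2", "na-west", "isp-a", "video-site-1", 45, 4700),
    ("s3", "na-west", "isp-b", "video-site-1", 40, 5100),
    ("s4", "na-west", "isp-b", "video-site-1", 44, 4900),
    ("s5", "na-west", "isp-c", "video-site-1", 180, 480),   # the anomaly
    ("s6", "na-west", "isp-c", "video-site-1", 175, 510),
    ("s5", "na-west", "isp-c", "video-site-2", 41, 5000),   # same ISP, other site is fine
    ("s6", "na-west", "isp-c", "video-site-2", 43, 4950),
    ("s1", "na-west", "isp-a", "video-site-2", 44, 4800),
    ("s3", "na-west", "isp-b", "video-site-2", 43, 4900),
]


def find_shaping(readings, latency_factor=3.0, throughput_factor=3.0):
    """Return (isp, target) pairs whose median latency or throughput is far
    from the median seen by *other* ISPs in the same region for that target."""
    groups = defaultdict(list)
    for _, region, isp, target, lat, thr in readings:
        groups[(region, target, isp)].append((lat, thr))

    flagged = set()
    for (region, target, isp), samples in groups.items():
        peers = [s for (r, t, i), ss in groups.items()
                 if r == region and t == target and i != isp for s in ss]
        if not peers:
            continue  # nothing to compare against in this region
        lat_here = median(l for l, _ in samples)
        thr_here = median(t for _, t in samples)
        lat_peers = median(l for l, _ in peers)
        thr_peers = median(t for _, t in peers)
        if lat_here > latency_factor * lat_peers or thr_here * throughput_factor < thr_peers:
            flagged.add((isp, target))
    return flagged


if __name__ == "__main__":
    print(find_shaping(READINGS))
```

The comparison is per target, so an ISP that is simply slow everywhere is not flagged; only a (provider, destination) pair that deviates from its regional peers is. Using the median of the peer group keeps one misbehaving ISP from dragging the baseline with it, which matters when only a handful of providers serve a region.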

That still leaves open one question: whether the web service provider could have any legal recourse once they discover their traffic was being discriminated against.

cemp

Next version of MSFT office to support open document format

The times they are changing for MSFT. A recent announcement that the next version of the Office suite will support new open source formats may be the most revealing example.

Interoperability is a complex strategic game but can be summarized this way: interop always helps the smaller competitors against a large established player. This is a standard consequence of network effects. Before Word had significant market share, when it was the small, scrappy upstart trying to gain a beachhead against WordPerfect, it was imperative to read and write WP documents. This allowed customers to switch to Word but still continue to interoperate with the majority of people using the more ubiquitous application. The developers of WordPerfect, on the other hand, had no incentive to help accelerate this switch, so their application would not recognize the new format. This is a divergence from the golden rule of getting along in a networked world: “be conservative in what you send out and generous in what you accept.” If interoperability were the only objective, every application would be able to open documents published in any other format while itself using a well-defined, narrowly scoped format that would be easy for these other applications to understand.

The same pressure applied to Excel when it was competing for market share against Lotus Notes. As MSFT Office became the de facto standard in the enterprise and eventually for consumers, this pressure gradually eased, even though the import/export capability for the “legacy” formats remained. At some point the scales tipped and the burden shifted to the competing applications with smaller market share to work with the leading formats.

Open source software follows the same path: it was imperative for Open Office to be able to accept Word documents, as well as save new documents in Word format. This meant that every new release of Office required a catch-up effort from the community to add the necessary interop functionality. (It did not help that the Office formats were largely undocumented and had to be reverse engineered until the XML-based Office Open XML specification, which itself fueled another line of controversy during its push for standardization.) The same goes for cloud services: it is no coincidence that Word documents, Excel spreadsheets and PowerPoint presentations can be uploaded to them.

The announcement that MSFT Office will support the new open-source formats is not due to a tipping point in market share. Its current position remains virtually unassailable. Even the Apple commercials that try to mock the PC platform as a square, clueless fellow are forced to pay a backhanded compliment by emphasizing that the latest generation of Macs can run Office. Is this the sign that demand for interoperability has arrived? Is the golden rule a more compelling option than trying to create lock-in effects by using proprietary formats and breaking changes on every release that force open source alternatives to play catch-up? At least the European Union is not convinced and announced its own intention to verify this:

“The Commission will investigate whether the announced support of Open Document Format in Office leads to better interoperability and allows consumers to process and exchange their documents with the software product of their choice.”

Between the competition from free Open Office, disruptive Google Apps for the Enterprise, Adobe trying to unify presentation layer with PDF and now additional regulatory scrutiny, it is getting interesting for the future of desktop productivity software.

cemp

Blame it on the FCC?

EFF takes Windows Media Center to task for intentionally restricted functionality, in the name of compliance with a non-existent legal requirement. WMC will decline to record certain over-the-air digital TV broadcasts. Quoting the official response to CNET:

“As part of these regulations, Windows Media Center fully adheres to the flags used by broadcasters and content owners to determine how their content is distributed and consumed.”

The problem is, as the EFF Deeplinks blog points out, a DC circuit court has already struck down this requirement on hardware and software vendors, in one of the rare victories for sanity. This is one case where design decisions and conflicting priorities cannot be blamed on the government.

cemp

The geography of traffic blocking

The Max Planck Institute for Software Systems has released the results of a study on BitTorrent blocking. The research was conducted by asking volunteers around the world to download and run some code on their computers that simulates BitTorrent traffic to test servers controlled by the institute. By carefully monitoring what is happening on both sides of this connection, it’s possible to detect any unexpected traffic shaping attempts.

What emerges is a global map of non-interference, with the US and Singapore having the dubious distinction of being the only countries to have a sizable fraction of tampered connections. (The percentages are not reliable; it’s quite likely that self-selection led many users on Comcast and Cox to volunteer for the experiment.)
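The “monitor both sides of the connection” idea from the study can be illustrated with a log comparison: if each endpoint records what it sent and what it received, a packet one side received that the other side never sent must have been injected by something in the middle, and a packet sent that never arrived was dropped. This is an added example, not the institute’s code or anything from the original post; the logs are constructed, and the (direction, id, kind) record format is an assumption made for the example.

```python
"""Comparing both ends of a connection to spot injected or dropped packets.

Added example, not from the original post or the Max Planck study. Each
end keeps two logs of (direction, id, kind) records; all logs here are
constructed sample data.
"""


def compare_ends(client_sent, client_recv, server_sent, server_recv):
    """Report per-direction discrepancies between what was sent and what arrived."""
    cs, cr = set(client_sent), set(client_recv)
    ss, sr = set(server_sent), set(server_recv)
    return {
        "injected_to_client": cr - ss,   # client got it, server never sent it
        "injected_to_server": sr - cs,   # server got it, client never sent it
        "dropped_to_server": cs - sr,    # client sent it, server never saw it
        "dropped_to_client": ss - cr,    # server sent it, client never saw it
    }


def tampered(report):
    """A connection counts as tampered with only if something was injected;
    drops alone can be ordinary packet loss."""
    return bool(report["injected_to_client"] or report["injected_to_server"])


# Constructed logs for one simulated exchange: the server never sent a reset,
# yet the client's log shows one arriving, and the client's third data packet
# never reached the server.
CLIENT_SENT = [("C->S", 1, "HANDSHAKE"), ("C->S", 2, "DATA"), ("C->S", 3, "DATA")]
SERVER_RECV = [("C->S", 1, "HANDSHAKE"), ("C->S", 2, "DATA")]
SERVER_SENT = [("S->C", 1, "HANDSHAKE"), ("S->C", 2, "ACK")]
CLIENT_RECV = [("S->C", 1, "HANDSHAKE"), ("S->C", 2, "ACK"), ("S->C", 99, "RST")]

# Constructed control run with no interference
CLEAN_SENT = [("C->S", 1, "HANDSHAKE"), ("C->S", 2, "DATA")]
CLEAN_RECV = [("S->C", 1, "HANDSHAKE"), ("S->C", 2, "ACK")]


def run_sample():
    """Evaluate the constructed tampered exchange and the clean control run."""
    report = compare_ends(CLIENT_SENT, CLIENT_RECV, SERVER_SENT, SERVER_RECV)
    control = compare_ends(CLEAN_SENT, CLEAN_RECV, CLEAN_RECV, CLEAN_SENT)
    return report, tampered(report), tampered(control)


if __name__ == "__main__":
    report, flagged, control_flagged = run_sample()
    print("tampered:", flagged, "control tampered:", control_flagged)
    for key, packets in report.items():
        print(key, sorted(packets))
```

The point of controlling both endpoints is that nothing has to be inferred from timing: the injected reset is visible simply because the server’s send log has no record of it. Without the server side, the client alone cannot tell a forged reset from a genuine one.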

cemp

Laptop theft: catching the incompetent ones

By way of The Unofficial Apple Weblog comes this story of criminal ineptitude. A Macintosh user traced her stolen laptop and identified the criminals responsible using nothing more than standard OS X features. Alerted by a friend that her missing laptop appeared to be online (because she was signed in to an instant messaging application, another case of COTS software doubling as a security alarm), the owner used the Back To My Mac functionality to remotely connect to the machine. She turned on the built-in iSight camera and a few minutes later was rewarded with a live view of the perpetrators. Luckily they turned out to be familiar faces who had attended a party at her residence earlier. Law enforcement must have gotten a good laugh out of this one.

Great story, but this is still a case of the old adage about cybercrime: “we catch the dumb ones.” The thieves in this case made several mistakes: for starters, they booted up the machine using the existing operating system. That alone would have given any protection software the chance to hop on any open wireless network in the vicinity and send out a cry for help to some server in the cloud. On top of that, they decided to connect the laptop to a network without a firewall to block incoming remote connections. The machine was left running in this state for several hours, without the thieves realizing that several applications were designed to automatically log in to services. Even without a user being able to remotely command the laptop, these logins alone would have created a trail of evidence linking them to the machine. This is how service providers often get dragged into theft cases. Suppose the user configured their OS to automatically log in a particular user after boot and also saved their password with Yahoo Messenger for auto-login. Each time the stolen machine is booted, Yahoo will see its IP address and anyone on the user’s contact list will notice the user’s presence. That includes the original owner: most instant messaging applications are designed to log out the user from one machine after a more recent login at another machine. The clueless criminal is up against serious pitfalls.

But professionals would have been home free: wiping the drive or swapping in a new one is a good start. This implies the loss of any software on the machine, so it’s understandable why perpetrators would be motivated to resell the machine intact. The market is awash in “laptop recovery” solutions, all of which are based on the idea of calling home when the laptop decides it has gone AWOL. Most of them depend on software running on the computer and a network connection. If the drive is wiped or swapped with a new one, that protection is moot. Some of them also claim to protect the data on the drives, but that is best reserved for full volume encryption solutions such as BitLocker or PGP. Tracking is not about the value of the data on the drive, which can be protected cryptographically, but about the cost of the hardware itself.

At least one product claims that it can use GSM for remotely tracking and destroying data on the laptop. (Interestingly, their product literature presages the Mac story by suggesting that in some cases the perpetrators’ picture can be recovered using an integrated camera on the laptop.) Having this independent channel is a major improvement. With stories of remote tracking in the news, would-be thieves will become more reluctant to connect a stolen machine to a network. But the machine still has to be booted for the recovery software to function. If the drive is removed first, it can be mounted from another machine and the data recovered. There is no substitute for encryption in this case.

Even with hardware support, there is no reliable way of tracking a laptop. One can imagine implanting tracking beacons that report their location to a remote server. The problem is that GPS requires line of sight to satellites (it does not work indoors) and cellular connections require reliable reception (they do not work in remote areas and can be jammed). Finally, if the adversary suspects the existence of tracking devices, they could open the laptop and attempt to remove it completely. This is why LoJack devices are hidden in one of dozens of possible locations in a car. The internals of a laptop offer few opportunities for stashing away relatively bulky electronics.

cemp

Credit card fraud and photo ID

Does asking consumers for photo ID before accepting a credit card purchase help reduce fraud? Perhaps, but the question is moot because doing that is a violation of the card network-merchant agreement, as made clear in a series of Consumerist posts. Actually it is more subtle: Visa and Mastercard make this a bit tricky for merchants. They are allowed to ask for identification, but they cannot decline a purchase if the shopper refuses to show one.

This convoluted compromise must have been the result of conflicting incentives between the network and the merchants, with Visa/MC deciding to make a concession. On one side, merchants want to reduce the possibility of fraud because they risk getting stuck with charge-backs. Strangely enough, bricks-and-mortar stores are in a better situation here because the would-be criminal must walk in the door, produce the card and risk having their mugshot appear on hundreds of surveillance cameras. That’s a much higher bar than the card-not-present or “CNP” type of transaction, such as mail-order and Internet, where physical possession of the card cannot be verified. The plastic is reduced to a bunch of easily phished digits and the fraudsters can sit comfortably in a different jurisdiction halfway around the world. Without proof that the customer was in possession of the card, the merchant is forced to accept the charge-back and absorb the loss. (In principle a bricks-and-mortar retailer is off the hook with a signed receipt; the issuing bank eats the loss.)

On the other side, card networks want to make the purchase experience as convenient and hassle-free as possible for card holders. Any transaction that does not complete is missed interchange-fee revenue. The card network recognizes that downside and does not want the merchant to arbitrarily prevent shoppers from using the card.

The result is the current mess: “you can ask for ID but you cannot require it.” This is banking on consumer ignorance or cooperation: the assumption is that most people will either not know the rights granted by the merchant agreement or will simply choose to cooperate as the path of least resistance. If that is the plan, retailers need to do a better job of educating employees. More incidents of consumers being threatened and cards confiscated can only lead to greater awareness, upsetting this uneasy truce.

cemp