Why we all should care about net neutrality

Many people will see the words, “Net neutrality” and groan about yet more tech gobbledygook and geeks who spend too much time pretending to be Mr. Spock and watching Star Trek re-runs.  Nobody on Main Street cares about net neutrality, right?  Isn’t this all just an arcane concept that never intersects with real people on Main Street?

Well, not so fast.

The real story – behind all the tech jargon – is as old as the first antitrust issue ever to come before the US Government more than 100 years ago.  And it will affect everyone who connects to the Internet, which is pretty much everyone these days.  For people who think tech is only for weenies, think money.  $Billions in money.  And all of it comes from your pocket.

Net neutrality means Internet Service Providers (ISPs) are supposed to treat all Internet traffic equally, end to end.  Every data packet should be treated equally to all other data packets, regardless of source or destination.  ISPs should be neutral carriers and not make judgments about favorable or unfavorable traffic.

Here is the issue.  Without net neutrality, large ISPs will have the legal right to mess with your traffic.  Large players will have monopoly power and will control your access to services you care about.

And what happens when any monopoly player offers its own, competing services?  Forget high tech for a minute.

Let’s say Alice runs a restaurant.  But Bob controls all the streets in town.  If Charlie wants to eat at Alice’s restaurant, Charlie has to travel over Bob’s streets to get there. What happens if Bob’s sister, Doris, opens a restaurant that competes with Alice?  Bob wants to make sure money stays in the family, so Bob sets up toll booths for all travelers on his streets. But people who eat at Doris’s new restaurant get their tolls refunded, courtesy of Bob.  Of course, this puts Alice at a competitive disadvantage, so Alice eventually closes.  Before long, Bob controls all the restaurants in town.

Now back to high tech.  Today’s large cable companies offer bundles that include phone service, Internet service, cable TV, and premium services such as movies on demand.  These companies control both distribution and content.  They control many of the streets and some of the restaurants. They want to control all the streets so they can encourage you to eat at their restaurants.

If any single ISP becomes your only choice to connect to the Internet, that ISP controls your access to the services you care about.  ISPs can exercise that control with pricing and surcharge gimmicks, much like the antitrust monopolies of old.  But today’s ISPs also have even more powerful tools.  They can prioritize traffic or play other quality-of-service games to degrade traffic they don’t want to carry.

Today’s familiar services such as Amazon, Netflix, Hulu, Facebook, Google, LinkedIn, and others, at their core, are elaborate websites.  The path from your house or business to those services runs through the Internet.  Without net neutrality, ISPs can grant or deny or regulate or tax access to these services as they see fit.  If an ISP decides it wants to offer, say, retail services, what access policies will it set up for Amazon?  Let’s say you put your business in the cloud, but your ISP offers a competing cloud service.  What quality of service will your ISP give you?

This is not hypothetical.  Comcast, for example, blocks traffic coming from email servers located in home networks.   More ominous, thousands of Netflix users are complaining about bad Netflix movie quality when connected to Comcast.  Comcast counters that it has a right to prioritize traffic as it sees fit because it wants to protect occasional Internet users from heavy downloaders.  Following that line of reasoning, I wonder if Comcast prioritizes its own Movies on Demand service similarly to Netflix, which competes with its own service?

Net neutrality is under constant attack.  If open access to Internet services is important to you – and it should be – then familiarize yourself with the details around net neutrality and make your voice heard.  Your livelihood may depend on it.

(Originally published on my Infrasupport website on Feb. 17, 2014.  I backdated here to match the original posting.)

What is the right way to deal with IT security vulnerability disclosures?

With all the IT security issues in the news lately, suddenly IT security is everyone’s problem.  One natural question behind the headlines is, what is the right way to handle IT security vulnerability disclosures?

Here are some thoughts.

To keep things simple, let’s limit this discussion to three major players.  The real world is more complicated, but this is enough to illustrate the concepts. The first player is Bob, leader of an organization.  Next is Ingrid, who discovers a security vulnerability.  And, of course, Trudy, the evil intruder we all love to hate.  Trudy spends most of her waking hours probing the Internet, looking for weaknesses she can exploit and secrets she can steal.

Let’s say Bob’s business operates a website and Ingrid finds a security vulnerability that exposes sensitive information about Bob’s customers.  How should Ingrid proceed?

Here is a blog post I put together a few months ago with an example of what happens when players proceed the wrong way.

This is what should happen.  When Ingrid finds the vulnerability, she realizes Trudy is already trying to exploit the weakness to steal personal information from Bob’s customers.  The race is on to fix the problem before Trudy exploits it for her own evil purposes.  And Trudy has a head start.

Ingrid has an ethical duty to immediately inform Bob about the problem and make Bob aware of the potential consequences.  Bob, always skeptical about gloom and doom warnings, listens to Ingrid because Ingrid makes a coherent and credible presentation about the problem.  Bob heeds the warning, fixes the problem, and quickly informs his customers and takes remedial action.  A newspaper or popular blog eventually publishes the story, giving credit to Ingrid for her dedication.  Evan, an executive from an influential software company, reads the story and offers Ingrid a job as Director of IT Security.   Everyone lives happily ever after, except Trudy, who was denied the opportunity to steal from somebody.

That’s how things should work.  But it doesn’t always happen that way.

Let’s say Ingrid presents the problem to Bob, but Bob ignores the warnings.  Now what?  Trudy is out there.  When Trudy finds Bob’s vulnerability, she will exploit it and steal from Bob’s customers.  Trudy might even drive Bob out of business.  How does Ingrid respond if Bob fails to respond?

Let’s say Bob uses software from a company named, say, Orange Computer, and Ingrid finds a security problem with that software.  Ingrid contacts the right people at Orange, but Orange sits on the problem and does nothing.  Trudy is out there.  If Orange fails to address the problem, Trudy will exploit it.  What does Ingrid do?

Ingrid’s only course of action in this case is to follow a best practice called responsible disclosure.  After trying to warn Bob.  After contacting Orange.   After taking all reasonable steps to inform the right people, and after waiting a reasonable amount of time for a response, and as a last resort, Ingrid has a duty to disclose the problem publicly.  Ingrid must assume Trudy and her friends are already quietly exploiting the problem, and Trudy will hurt too many people if Ingrid fails in her duty.

Ingrid also has a duty to protect herself.  She should document her attempts to contact Bob and the people at Orange Computer as appropriate because when the problem becomes public, it will ignite a firestorm of controversy with Ingrid in the middle.   This will create an opportunity for Ingrid to educate the public and a threat from people who blame the messenger for creating the problem.

Politicians will weigh in with uninformed opinions and instant experts hungry for publicity will offer canned analysis for gullible press outlets hungry for sensational stories.  The noise will be deafening; real information will be scarce.

Amid all the noise, what about customers, the people who use software from Orange Computer and the people who use Bob’s website?  How do they respond?

Customers should do independent homework and look for the real story.  Security vulnerabilities happen all the time.  Is this one just another sensational story or is it real?  What are the prudent steps to protect against it?  What are the plans from Bob and/or Orange Computer to address the problem?  What are the consequences of not addressing the problem?  Customers need to find credible answers to these questions and make informed choices on how to respond.

After the initial disclosure shock wears off, some other questions are appropriate. Who is Ingrid?  What were her motives?  How did she find the problem?  Before the problem went public, what steps did Ingrid take to contact the right people?

That scenario assumes Ingrid discloses the vulnerability responsibly.   What if Ingrid wants to make a name for herself and she discloses the vulnerability without first informing Bob?  In this case, Ingrid is really a bad guy disguised as a good guy and trying to gain notoriety at the expense of Bob’s company.

Bob learns about the problem on the TV news along with the rest of the world and his company phones start ringing a few seconds later as press outlets everywhere look for comments and controversy.   What does Bob do?

Bob faces multiple threats.  He faces a public relations threat from sensational press stories spawned by Ingrid’s improper disclosure.  Bob and his customers also face a material threat from Trudy, quietly exploiting the vulnerability at the expense of Bob and his customers.

To meet the PR threat, Bob needs to get in front of a runaway public relations train and slow it down.  This is the time for visible leadership and Bob must get in front of the cameras and take charge.  Provide explanations and frequent progress updates, and answer questions honestly and directly to repair credibility with a skeptical public.

Simultaneously and behind the scenes, Bob must also immediately address the actual vulnerability because Trudy wants to steal from Bob’s customers.  This might mean bringing in outside experts, it may even mean temporarily suspending business.   It will cost money.  Probably lots of money.  But if Bob handles this crisis properly, it can also be an opportunity for Bob’s company to come out of it with more trust and more credibility than before.

What if Bob himself is a bad guy?

In 2005, Mark Russinovich was Ingrid and multibillion dollar Sony Corporation was both Bob and Trudy when Sony compromised thousands of computers around the world by surreptitiously introducing a rootkit when anyone played a Sony BMG music CD on a Windows PC.  A rootkit is illicit software that modifies core system components and is designed to conceal itself from malware countermeasures such as antivirus products.  Bruce Schneier summarized the story here.  Mark Russinovich’s original blog post, with details on his great detective work uncovering the problem, is here.

Russinovich found the problem and reported it publicly in his blog.   This was the right thing to do and Sony eventually paid millions of dollars to settle fines and class action lawsuits.

What if Bob is a government agency and Ingrid discovers a vulnerability or abuse of power?  Now the consequences might be global.  Scenarios like this have spawned long discussions over the generations about ethics and whistle-blowing.  Sometimes, Ingrid is a lonely crusader pursuing justice against powerful forces.  Other times, Ingrid is an egomaniac, pursuing her own interests at the expense of everyone else.  And Trudy is always out there, ready to strike at every opportunity.  Ingrid has a duty to proceed with caution and carefully weigh the consequences of any action.

If you find yourself in a position similar to my hypothetical Ingrid, how do you decide what to do?  Who is harmed, who is helped if you disclose the vulnerability?  And who is harmed, who is helped if you do not disclose it?  If you take action, are you serving justice or your own ego?  Confide in a few people you trust and make your choice based on honest answers to those questions.  Do it responsibly.   Careers and lives may depend on the choices you make.

(First published on my Infrasupport website Feb. 14, 2014.  I backdated here to match the original posting date.)

What should a small business IT security system look like?

Given the recent security breaches all over the news, what would a good Main Street business security solution look like and how much would it cost?  After all, if organizations such as the NSA and large retailers such as Target can’t keep their secrets safe, what chance does Main Street business have?

A pretty good one actually. Keep reading.

First, an assumption. No piece of equipment is hacker proof.  You must assume bad guys want to get inside your devices and use your equipment and your network for their own evil purposes.  They have specs for everything you own and probably know more about the internal workings of your equipment than you’ll ever hope to learn. They’re smart, they’re greedy, they collaborate, and they want what you have.

That’s the nature of the threat.  Here are the pieces to deal with it.

It starts at the firewall.  You need a real firewall with provision for multiple LANs.  A real firewall is a router with multiple segments and some rules to regulate how each segment interacts with the other segments.  Most credible DSL and cable modems can accommodate firewalls behind them if configured properly.  Here is a PDF file you can download with some firewall frequently asked questions.

Your firewall will have at least one public, Internet-facing segment.  It might have more public segments if you want multiple Internet feeds from multiple providers so you always have a path out if one feed drops.  Multiple Internet feeds are probably overkill for a business like a Chinese takeout restaurant, unless that restaurant depends on, say, a website to operate hour by hour.

You may choose to have an HA (highly available) firewall system with redundancy at your boundary that can juggle multiple Internet feeds and do automated failover routing in case an Internet feed goes offline.  This may also be overkill for that Chinese food takeout restaurant.  It may not be overkill for a multiple site retail operation that depends on the HQ site always being available.  Start small and scale as the business grows.

It will have a “people” segment where you put your employee computers.  This is where you put in the typical rules you see in most business networks. You’ll want a credible antivirus solution on all your workstations in this segment.  It can also become elaborate. You can put in web filtering appliances to regulate which websites your users visit, for example. If you choose to host your own email or web server(s), you can put in rules to accommodate those, and rules to accommodate spam filtering. This is overkill for small operations and a logical growth path for larger businesses.

If you’re a retailer, your firewall will also need a POS segment for your Point of Sale systems.  A simple POS terminal might interact only with your credit card processors.  Credit card processors all have fixed IP addresses, so your firewall will have rules to allow anything in the POS network to interact only with those IP addresses.  The firewall will also have a rule blocking anything between your “people” segment and POS segment.

If your POS network is more sophisticated, those POS systems might need to interact with, say, a database server.  That database server, in turn, may need to access servers in your “people” network.  In this case, carefully construct firewall rules to accommodate this traffic and log attempts at any other traffic.  This is overkill for that Chinese restaurant, but might be essential for a franchise of Chinese restaurants or a sophisticated retailer with, say, a loyalty program.

Maybe you want to offer wifi as a convenience for your customers. This is tricky to do properly because of the nature of wireless and because you don’t want your customer wifi to mingle with your employee wifi in your stores.  Isolate the customer wifi from your employee wifi and all your other segments.  The wifi segment is only a convenience for your customers to get to the Internet.  Nothing crosses the border between the customer wifi into the “people” segment or the POS segment.
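To make the segment rules from the preceding paragraphs concrete, here is a small Python model of that four-segment policy (people, POS, customer wifi, Internet) with first-match rules and a default deny that logs every other attempt. This is an added example, not code from the original post or from any firewall product; the address ranges, the card-processor addresses, and the database-server address are constructed placeholders, and a real firewall would also need stateful handling of return traffic, which this model leaves out.

```python
"""Model of the segmented small-business firewall policy described above.

Added example (not from the original post).  All addresses below are
constructed placeholders chosen for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan: one subnet (VLAN) per segment.  Anything that is
# not in an internal segment is treated as "internet".
SEGMENTS = {
    "people": ip_network("10.10.0.0/24"),
    "pos": ip_network("10.20.0.0/24"),
    "guest_wifi": ip_network("10.30.0.0/24"),
}

# Constructed placeholder addresses for the card processors and for the
# internal database server the post mentions for a more sophisticated POS.
CARD_PROCESSORS = [ip_network("203.0.113.10/32"), ip_network("203.0.113.11/32")]
POS_DB_SERVER = [ip_network("10.10.0.50/32")]


def segment_of(addr: str) -> str:
    """Return the segment name an address belongs to ("internet" if none)."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"


@dataclass
class Rule:
    name: str
    src: str                          # source segment
    dst: str                          # destination segment
    dst_nets: Optional[List] = None   # optional narrowing of the destination
    action: str = "allow"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if segment_of(src_ip) != self.src or segment_of(dst_ip) != self.dst:
            return False
        if self.dst_nets is not None:
            return any(ip_address(dst_ip) in net for net in self.dst_nets)
        return True


# The policy from the post: employees reach the Internet, POS reaches only the
# card processors (plus one database server in the "people" segment), guest
# wifi reaches only the Internet.  Everything else falls to the default deny,
# including people <-> POS and guest <-> anything internal.
RULES = [
    Rule("people-to-internet", "people", "internet"),
    Rule("pos-to-card-processors", "pos", "internet", dst_nets=CARD_PROCESSORS),
    Rule("pos-to-db-server", "pos", "people", dst_nets=POS_DB_SERVER),
    Rule("guest-to-internet", "guest_wifi", "internet"),
]


@dataclass
class Firewall:
    rules: List[Rule]
    log: List[str] = field(default_factory=list)

    def evaluate(self, src_ip: str, dst_ip: str) -> str:
        """First-match evaluation; unmatched inter-segment flows are denied and logged."""
        if segment_of(src_ip) == segment_of(dst_ip):
            return "local"  # same switch/VLAN, never crosses the firewall
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip):
                return rule.action
        self.log.append(
            f"DENY {segment_of(src_ip)}:{src_ip} -> {segment_of(dst_ip)}:{dst_ip}"
        )
        return "deny"


def run_sample_flows() -> dict:
    """Evaluate a set of constructed flows and return their verdicts plus the deny log."""
    fw = Firewall(RULES)
    flows = {
        "employee web browsing": ("10.10.0.5", "198.51.100.7"),
        "pos to card processor": ("10.20.0.9", "203.0.113.10"),
        "pos to random internet host": ("10.20.0.9", "198.51.100.7"),
        "pos to db server": ("10.20.0.9", "10.10.0.50"),
        "pos to employee pc": ("10.20.0.9", "10.10.0.20"),
        "employee pc to pos": ("10.10.0.5", "10.20.0.9"),
        "guest to internet": ("10.30.0.4", "198.51.100.7"),
        "guest to employee pc": ("10.30.0.4", "10.10.0.5"),
        "guest to pos": ("10.30.0.4", "10.20.0.9"),
    }
    verdicts = {label: fw.evaluate(src, dst) for label, (src, dst) in flows.items()}
    return {"verdicts": verdicts, "log": fw.log}


if __name__ == "__main__":
    result = run_sample_flows()
    for label, verdict in result["verdicts"].items():
        print(f"{verdict:5s}  {label}")
    print("\n".join(result["log"]))
```

The point of the model is the shape of the policy rather than any one product's syntax: every segment-to-segment path that is not explicitly listed ends in the deny branch, and that branch is where the post's "log attempts at any other traffic" advice lives. Translating it to iptables, nftables, or a commercial firewall's rule table is a matter of writing the same four allow rules ahead of a logging default-deny.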

And there you have it in a few short paragraphs.  A topology that does a wonderful job of enabling your business, serving your customers, and keeping bad guys out.  Total investment includes a properly built firewall and either a few physical network switches or a smarter switch with VLAN capability.  Budget a cost of about $4k to start. The actual cost might be a little less for small operations, probably more for larger operations.  The antivirus subscriptions and other support subscriptions will also cost some op-ex each year.

(First published on my Infrasupport website on Feb. 8, 2014.  I back-dated here to match the original posting.)