August 31, 2004

Crypto-Guru Bruce Schneier on IT Threats

Just after I posted regarding IE and malware, I came across this interesting Bruce Schneier interview at Neowin. Bruce is a well-known cryptologist and security expert, and I've read his informative book, "Secrets and Lies".

As you can tell from my prior post, I heartily agree with Bruce, particularly on this point:

"What do you see as the biggest threat in the IT age?

People. Since the beginning of time, people have always been the biggest security threat. That hasn't changed because of computers. People are why firewalls are invariably misconfigured. They're why social engineering works. They're why good security products are rarely deployed properly. Securing the computer and network is hard, but it's much easier than securing the person sitting on the chair in front of the monitor."

Regarding the ultimate responsibility for security:

"If you were to look at 3 areas - The Software Designer, The Systems Administrator, The User - who would you say should bear the burden of responsibility for security? Or do you perceive it to be a shared responsibility?

Right now, no one is responsible; that's part of the problem. In the abstract, everyone is responsible...but that's not a fair answer. In the end, we all pay. The question really is: what's the most efficient way to assign responsibility? Or: what allocation of responsibility results in the most cost-effective security solutions?

We can't survive with a solution that makes the user responsible, because users don't have the knowledge and expertise to be responsible. The sysadmins have more knowledge and expertise, but they too are overwhelmed by the sheer amount of security nonsense they have to deal with. The only way to solve the security problem is to get to the root of it, and the roots are in the software packages themselves. Right now, software vendors bear no liability for the software vulnerabilities in their products. Changing that would put enormous economic pressure on software vendors, and improve computer security faster and cheaper than anything else we can do. I've written about this here."

Again, this illustrates my point about users simply not knowing any better while contributing to the problem. But that's reality, like it or not. Some may take the initiative to better protect themselves (especially after getting burned at least once), and others won't. While there's a lot of self-help available online (you know it's bad when WSJ's Walt Mossberg covers spyware this month), it only goes so far. When it comes to security, people are often the weakest link in the chain. Just ask this law firm whose longtime bookkeeper fell prey to a Nigerian e-mail scam to the tune of embezzling $2.1 million. The breach in security wasn't just the person who embezzled the money, but also the management under which it occurred, and the bank manager who approved all of the wire transfers even though the bookkeeper was not authorized to make such transfers. I also recommend reading Sharon Nelson and John Simek's enlightening article on "Disgruntled Employees in Your Law Firm: The Enemy Within". Please don't misunderstand this as a "down on people" tone, as I can assure you it's not. It's about recognizing some of the root causes for security breaches and thereby being better prepared as a result. For example, "social engineering" preys on our fundamental tendency to trust one another, especially in a seemingly routine context.

I too would like to see software developers better address the issue. But unlike Bruce, I don't see that as quite the rosy picture he's painting. Reiterative security testing, while welcome, would no doubt increase the development cycle and overall cost of the software. Since it's not practical to expect all software developers to include an equally effective level of security testing and remediation, and since virus and trojan authors generally find ways to proliferate their malware faster than developers can detect and close the holes, we're still going to need all of our expensive security software and experts to keep us relatively secure. Overall, we'd probably be more secure, but it's going to cost us. How much? As he mentioned, it's tough to determine what's the most cost-effective method for allocating responsibility. Not all that long ago, it occurred to me that the free market would probably determine how much security is appropriate, and Bruce lays this out regarding Microsoft:

"The company is not a charity, and it doesn't make sense for them to make their products more secure than the marketplace demands. And right now the marketplace doesn't demand security."

Lastly, Bruce offers good advice, but inherent in that is the requirement for self-education (my emphasis added):

"Do you have any practical advice for our readers, in terms of staying secure, and safe?

Backup. Backup, backup, backup. You're going to get whacked sooner or later, and the best thing you can do for yourself is to make regular backups.

Staying safe in the Internet is actually pretty simple. If users bought a personal firewall and configured it never to accept incoming connections, and were smart about email attachments and websites, they'd be a lot safer. Also, the fewer Microsoft products the better."

Topic(s):   Privacy & Security
Posted by Jeff Beard   |   Permalink  |  Comments (0)

A Rebuttal to Malware & IE

Forever, it seems, I've been reading the many posts and articles complaining about spyware, malware, and IE security issues. I acknowledge they exist, and I've done my fair share of removing adware, spyware and the like. The funny thing is, I've been using a powerful IE-based browser (MyIE2, n/k/a Maxthon) as my main browser for over a year, and pure IE before that, and can't recall having a browser-related spyware or drive-by downloading incident. I generally keep up on IE patches, and I've scanned my PCs many times with Norton Antivirus, Ad-Aware, Spybot, etc. I've also used my share of Netscape, Mozilla, and Firefox too, so I'm definitely not a Microsoft groupie. In my personal user experience, I've only encountered malware when I've installed a supposedly free program that had others bundled in as a means to defray their costs. We've all seen plenty of those -- some will tell or prompt you during installation while others just creep in unannounced. There's no excuse for the silent parasites -- we should at least be presented with the choice. But for the others, we've made a conscious decision to download and install them.

What prompted this post was Jerry Lawson's post about Ernie Svenson's post about a Slashdot post (welcome to the link-crazy blogosphere), all of which recommend dumping IE ASAP due to the security and drive-by downloading problems.

Mind you, I'm not disagreeing with that, as I've said it myself from time to time. But since my IE settings and overall experience seem to differ greatly from the general public's, I've concluded this wasn't a mere coincidence. I believe my settings, coupled with savvy user-level decisions, greatly reduce the chance of malware getting into my system. I should also mention I use pure IE from time to time, when I want to ensure the maximum compatibility browsing to or downloading from active content-rich sites. Otherwise, I pretty much use MyIE2 with occasional use of Firefox when faster rendering speed is desired. I also like Firefox's fast way to disable Java and JavaScript from two simple checkboxes within the same settings dialog.

While MyIE2 features advanced content blocking (i.e., blocking inline ads, flash animations, popups, etc.), that only gets me so far in my malware defense. By and large, I firmly believe most people have problems with spyware and malware just because they don't know any better (i.e., lack of savvy user education and not optimally configuring IE). By default, IE is left quite open for drive-by downloads, but that doesn't mean it can't be made to deflect them. Even when I use plain IE without any ad-blocking, I still have it set to block or prompt for most active content. As mentioned, I also use antivirus and anti-spyware programs, which also help.

I've found changing the settings in IE's Security / Internet Zone / Custom Level to be quite effective against unwanted malware. I've disabled some features (especially on those "not marked safe"), set some to "high safety" and set most of the remainder to prompt me, particularly regarding ActiveX and scripting content. This allows me to decide if/when active content should run to access desired content (e.g., Microsoft's various support/update sites, launching the PDF reader when clicking on a PDF file, loading a desired flash animation etc.), versus blocking the potentially harmful active web content. This solution presents me with many pop-up dialog prompts, but after a little while they didn't bother me because I get to choose what happens next: I'm not a victim of an unfortunate browsing accident.
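The Custom Level choices described above are stored per zone in the registry, so they can be checked mechanically. The following is an added example, not part of the original post: a Python audit of an exported Internet-zone key (zone 3). The sample export is constructed, and mapping "disable the not-marked-safe items, prompt for the rest" onto these particular action IDs is an assumption about the author's setup.

```python
import re

# Internet Explorer stores each security-zone option as a DWORD whose name is
# a URL-action ID; 0 = enable, 1 = prompt, 3 = disable. Zone 3 is "Internet".
ALLOW, PROMPT, DISABLE = 0, 1, 3
LABEL = {ALLOW: "enable", PROMPT: "prompt", DISABLE: "disable", None: "not set"}

# Assumed policy modelled on the post: never silently enable ActiveX or
# scripting, and fully disable anything unsigned or not marked safe.
POLICY = {
    "1001": ("Download signed ActiveX controls", {PROMPT, DISABLE}),
    "1004": ("Download unsigned ActiveX controls", {DISABLE}),
    "1200": ("Run ActiveX controls and plug-ins", {PROMPT, DISABLE}),
    "1201": ("Initialize and script ActiveX controls not marked as safe", {DISABLE}),
    "1400": ("Active scripting", {PROMPT, DISABLE}),
    "1402": ("Scripting of Java applets", {PROMPT, DISABLE}),
    "1405": ("Script ActiveX controls marked safe for scripting", {PROMPT, DISABLE}),
}

SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample in .reg export format (real exports are usually UTF-16;
# decode them to str before passing them in).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1402"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000001
"1400"=dword:00000000
"1405"=dword:00000000
"""


def parse_zone(reg_text, zone="3"):
    """Return {action_id: value} for one zone section of a .reg export."""
    wanted = ("\\internet settings\\zones\\" + zone).lower()
    settings, in_zone = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            # Only values under the requested zone's key are collected.
            in_zone = section.group(1).lower().endswith(wanted)
            continue
        value = DWORD.match(line)
        if in_zone and value:
            settings[value.group(1).upper()] = int(value.group(2), 16)
    return settings


def audit(settings):
    """List (action_id, description, current_state) for every policy miss."""
    findings = []
    for action, (description, allowed) in sorted(POLICY.items()):
        current = settings.get(action)
        if current not in allowed:
            state = LABEL[current] if current in LABEL else hex(current)
            findings.append((action, description, state))
    return findings


if __name__ == "__main__":
    for action, description, state in audit(parse_zone(SAMPLE_REG)):
        print(f"{action}  {description}: currently '{state}'")
```

A value reported as "not set" means the export did not contain it, so the effective behaviour cannot be judged from the file alone.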

Knock on wood, as I know this doesn't close all of IE's holes, but I've yet to encounter a drive-by malware download. Why? I believe it's because my IE and IE-based browsers either ignore or prompt me for what to do when they encounter most active content. I've run a number of updated anti-spyware scans on my PCs and they come up clean each time. Of course, the distinguishing variable is knowing how to answer those browser prompts. If I'm downloading a PDF or Flash animation I want to see, then I allow it to run. If I don't know what's prompting me, I click on "No", and then see if the web page will load properly. If it does, great. If it doesn't, then I need to decide if the desired content is worth the risk of allowing the active content to load. So far, so good.

Obviously, there's a trust and/or judgment factor involved as well. Most large corporate sites are not going to want to risk alienating their market by inflicting malware. For those that have, they've usually learned a painful lesson in customer relations and the power of the Web to replicate such information very quickly and LOUDLY. If I'm visiting a new or strange site, then I err on the side of caution. I don't need more smileys for my e-mail or IM program, and I know I'm not going to win anything by clicking on a moving ad (regardless of how satisfying it may be to virtually smack that annoying purple monkey!) or answering that "Friends" trivia question for which anyone over three knows the answer.

We all know IE has a lot of security holes, no argument there. But my individual experience leads me to conclude that specifically regarding browser-delivered malware (adware, spyware, viruses, trojans, etc.), the choices made at the computer operator level (hey, that's us!) are by far the largest contributor to allowing harmful content into our systems in the first place. This stuff generally doesn't get there by itself. Someone had to make the decision to visit a particular site (whether via Google, directly, or from some other link), using a web browser configured in a specific way. Even alternative web browsers have security issues. It all comes down to where you surf on the web, what you're using to get there, and what choices you're making in how you access the online data once you've arrived. Even choosing which free programs to download and install requires judgment. For help, check out sites like SpywareInfo and Spyware-Guide.com before you download a new program. They provide helpful information and maintain lists of spyware- and malware-ridden programs.

This isn't begging the entire Microsoft security issue, and Microsoft clearly needs to address it. But unless or until that happens, it's up to us to either educate ourselves to address it, or hire someone else who's savvy enough to take care of it and educate us on an informed way to do it. In other words, good ol' personal accountability. As Smokey said: "Only you can prevent forest fires." This doesn't excuse the malware developers in the least, nor Microsoft, but a good many incidents are avoidable with an appropriate approach.

So instead of throwing the IE baby out with the bath water to clean house, I'd rather come up with a better way to keep the baby clean. I've written here previously about how I've all but dumped IE as my main browser, and that's true. My main motivation was to find a better browser for power user features while maintaining a common set of bookmarks. As my main replacement browser is based upon the underlying IE engine and its flaws, I tasked myself to find a way to get all the benefits I was looking for while securing it as much as possible. So far, I like the result. It's not perfect (what is?), but it works for me.

I was quite tempted to conclude this with the typical, "Your mileage may vary" -- but then shouldn't we ask the critical question: Why?

Topic(s):   Web Wizardry

August 30, 2004

21 Blogs of Interest for a Law Firm CIO / IT Director

Hot on the heels of LawNet 2004, here's an interesting find for Legal CIO's:

Ed Schembor's Blog looks relatively new and has a new article listing and discussing suggested blogs for Law Firm CIO / IT Directors to read. He's picked a number of legal technology blogs, many of which I've read and listed here in my blogroll. Welcome to the blogosphere, Ed.

Ed states: "The list of blogs I have put together below covers the ones which I have found are ideally suited to the knowledge needs of a senior project manager, director of technology or CIO at a medium to large size law firm. These blogs generally cover strategic aspects of technology of interest to law offices, and may also cover more tactical and technical subjects."

Ed, you're off to a great start, but I'd add the following blogs to your list, as they tend to have either a compelling strategic or legal IT flavor, or both:

I'm sure there's even a few I'm forgetting, with apologies to my fellow blawgers.

Topic(s):   Blogging Tips  |  Legal Technology

August 24, 2004

Live From LawNet 2004

I'm out at LawNet 2004 this week, and thus far it's been a very worthwhile trip. The weather has been relatively cool for Phoenix (in the low 100's for the week), so we haven't melted. LawNet is to be commended for keeping us connected: In addition to dedicated Ethernet access in the Laptop Oasis, there's Wi-Fi access throughout the conference rooms and exhibit hall, which is really the way to go nowadays for any large conference or meeting. It's truly an enabler.

There's already been a number of useful sessions. I'm glad to see the legal market has been "getting it" regarding workflow, collaboration, and integration. As various systems become even more complex (document and matter management, etc.), these systems have to become even more usable to the end users -- a daunting task indeed. Thus it's encouraging to see the sneak peeks and upcoming product announcements, many of which are focusing on tying discrete systems together, addressing workflow issues, and coming closer to delivering on the "seamless" promises we've heard for so many years.

Having said that, it's vitally important to recognize there are no silver bullets. Many xMS solutions (DMS, CMS, KM, etc.) require an insightful game plan: identifying and setting overall goals and scope, savvy needs assessment, customization, training, and the like (none of which is easy, I might add). However, I feel a sense of optimism that the legal market is once again moving forward after the entrenchment spawned by the recession over the past few years. While it's not a tidal wave, I'm hearing more about firms who are implementing more extranet and web-based solutions, and upgrading to newer versions rather than standing pat.

Perhaps the largest theme I've observed is that the lines are once again blurring regarding definitions. For example, document management and third party developers have expanded their offerings to include records management, content management, workflow, collaboration, approvals, e-mail integration, metadata cleaning, webified interfaces and platforms, and more. Thus the concept/definition of "What is a document?" is dramatically broader than ever before. In one of the DMS presentations, one source indicated that 90% of new documents being created today are electronic. This doesn't surprise me in the least.

Thus one of the many challenges for law firms, corporate legal departments, clients, and the legal system itself will lie in making the quantum shift in thinking away from paper and into the electronic realm. Some have already gotten their feet wet. With the advent of document tagging, tracking, digital rights management (DRM), metadata, electronic discovery, and compliance with new regulatory requirements, we collectively need to understand the new "laws of physics" such a paradigm shift entails. I'll agree with one of the Microsoft presenters, who said we need "Solutions, solutions, solutions, and not just technology, technology, technology."

Topic(s):   Legal Technology

August 18, 2004

Taking Electronic Discovery to the Molecular Level

Ever since nanotechnology heated up with discussions of nano-sized computer chips, I've been wondering when it would be extended to storing information. This time, it's taken on an organic spin: Courtesy of Engadget, it's been reported that "Korean scientists have created the world’s first Nano-DNA Barcode System (NDBS)."

"Suspended in a DNA-friendly buffer solution, the synthetic DNA may be sprayed-on or suffused into items that are normally hard to tag with a sticker, such as oil, agriculture products, or even money, providing invisible information on product origin, quality, or supplier. And unlike the stuff in us, this barcode DNA doesn’t mutate and is unhackable, making code alteration impossible."

This reminds me of when, a number of years ago, graphic artists and photographers started inserting digital signatures and copyright notices directly into their JPEG images -- due to the massive copying of web art going on at the time.

A DNA barcode would be a cool surreptitious way to track items and supposedly prove authenticity at the same time. However, I question whether it could also be abused. For a simple example, while the DNA code is purportedly unalterable, could a less-than-ethical oil distributor add a lesser grade of oil into a DNA-barcoded lot to "cut" or dilute it, yet still piggyback or pass itself off on the "authentic" DNA code present in the remaining original molecules? It seems to me there would need to be a parts-per-million type baseline established before it shipped, and not the mere presence of the barcode as the authentication.

The "money" application above also opens itself up to tracking other kinds of paper documents -- thus making the usually low-tech analog world of paper suddenly rich with its own style of metadata.

While some of this sounds Sci-Fi-ish, I've been thinking for quite some time that techno-tagging is going to get a lot more personal. RFID and DNA barcoding issues are only the first baby steps. Right now they're only sewing it into our garments.

I've seen numerous EED checklists expanding due to new data storage advances (PDA's, flash drives and memory cards, iPods, cell phones, hybrid consumer devices, etc.). I fully expect that list to become noticeably longer over the coming decade and beyond.

Topic(s):   Electronic Discovery

August 17, 2004

When People Ask Me Why I Left the Practice of Law...

...I just point them to things like this, the judge's order, and especially this.

Regarding the order, it sounds like all involved need to go on sabbatical with a good dose of self-examination, including the federal judge. On a related note, I'm with Ernie regarding his Worthwhile post. Money isn't enough and life is just too short if you aren't happy in what you're doing. In my case, I didn't have to leap all that far, since I'm still heavily involved in the legal profession -- just from a different angle. Almost ten years ago (my, how time flies), I chose to blend my long-standing computer hobby with my professional career, and am much, much happier and I count myself more successful (I'm not talking about money here, either). Funny thing, as I keep running into more and more tech-savvy lawyers who are doing the same.

My choice taught me that the right kind of passion makes all the difference.

[8.20.04: An update on the above federal case is on the ABA Journal eReport site. The money quote, by the plaintiffs' lead counsel: "It’s important to remember to try your case and not the judge’s patience."]

Topic(s):   Other Musings

Why Law Firms Need to Understand (and Even Embrace) Six Sigma

I was catching up on Larry Bodine's Professional Marketing Blog, when I came across his post on "Six Sigma at Professional Firms". Six months ago, I would've thought, "Hmm, nice idea."

Now, after having joined Caterpillar Inc. as their Legal Services IT Manager, and experiencing firsthand a fully-immersed 6 Sigma culture, I would say it's worth heavy consideration for some law firms, for several good reasons:

  • Six Sigma is based upon continual improvement and efficiency by reducing the number of defects of a given process. An important part of the input comes from actively obtaining the VOC, or "voice of the customer". (How many firms are doing this systematically and thoroughly with a controlled process for continual refinement?)

  • A number of large companies are steeped in Six Sigma culture. At Caterpillar, it is the daily way that projects get done, and there are thousands of such projects. At our global headquarters, one can't even walk far along the hallways without seeing many visual reminders and results obtained from this process.

  • I certainly can't and won't speak for GC's, but if all else was fairly comparable between two competing firms and it was me making the call, I'd want to spend time getting to know the firm that understands the way my company does business -- because the firm itself is walking the walk and talking the talk. I'd also hope to see some of the efficiency benefits manifesting themselves as lower overall fees, higher quality work product, and improved customer service.

  • In my perception, a resulting recommendation made by a Six Sigma team is much more likely to be given weighty consideration and, ultimately, approval -- if the value proposition is sufficiently compelling.

I've taken the Green Belt training, and am serving as such on a number of Legal IT 6 Sigma projects. A personal observation: One of the greatest challenges with this process is that it was initially developed in a manufacturing context. Thus it's much easier to sample and measure the exact dimensions of a metal part than it is to apply these principles to "soft" service areas, such as the practice of law and customer service. In this regard, sometimes one has to become quite creative, and the path to success isn't as obvious. Thus savvy judgment is required to balance the thoroughness required in arriving at an optimal set of recommendations vs. taking the additional time the process adds to get there. If you're looking for a quick fix or snap decision to leap ahead, then in my humble opinion, a full Six Sigma process isn't the right tool to use.

As Larry said, it's a major culture change for law firms. However, properly implemented, I can see where firms can obtain both internal benefits as well as cultivating deeper and more successful relationships with their larger corporate clients. And in my book, that's something that deserves more than a passing glance.

By the way, and somewhat contrary to Larry's advice, I wouldn't recommend trying to bluff one's knowledge of Six Sigma, particularly with a savvy corporate counsel who's gone through the training. Personally, I'd give outside counsel more credibility for acknowledging what they don't know, as long as they understood the underlying philosophy and weren't just trying to snow me to get my business. I do, however, recommend reading up on Six Sigma basics before broaching the subject.

Thus if you're new to Six Sigma or would like a more plain-English explanation, I suggest starting at "New To Six Sigma" and "Six Sigma - What is Six Sigma?", both available at iSixSigma.com.

Topic(s):   Law Practice Management

August 16, 2004

2004 U.S. Corporate Counsel Litigation Trends Survey Report

Here's something that should interest both outside and corporate counsel alike: Earlier this year, Fulbright & Jaworski commissioned a survey of corporate general counsel regarding corporate litigation issues and trends. They've recently published the results as a free 20-page report in PDF format. Rather than reiterate the contents here, the ABA Journal eReport has a good write-up on it worth reading.

According to the report, it is "one of the largest surveys of corporate litigation issues ever conducted." It had 300 respondents, and identifies such things as the top five litigation areas of concern, a breakdown of litigation concerns by industry, methods of controlling costs and compensating outside counsel, and more. It also identifies trends and breaks down results by company size class and geographic region. Arbitration and mediation are also covered.

All in all, it's an interesting read, and you may be surprised to learn that the top litigation area of concern to most GC's is labor and employment. I particularly found page 7 to be interesting: It charts the percentages of companies using various cost-reduction methods, and the percentage of each method rated as effective by its users. It does likewise with use of computer-based litigation tools. Regarding cost reduction methods, I found it quite interesting that some of the least-used methods (rated by percent used) were conversely rated as highly effective (around 80%), such as success-based bonuses, task-based billing, and electronic billing.

To answer Ron Friedmann's and Dennis Kennedy's recent question regarding e-billing, perhaps there are a few "bold GCs willing to talk about the elephant and take it head-on".

[Updated 8.19.04: Lisa Henson, Fulbright's Web Content Manager, contacted me today to thank me for posting this, and suggested a friendlier URL to their registration page, which I've incorporated above. In addition to their original link, I had initially posted a more direct download link because some of Fulbright's web pages would not load properly in my browser (due to some of their active web content), and felt others would have a similar problem.

However, purely in the spirit of professional courtesy, something that is often lacking nowadays, upon Ms. Henson's request I've removed the direct download link. I believe I'm not legally required to do so and am removing it without relinquishing or releasing any legal rights. Nor did Ms. Henson make any such inference, I might add. We had a very friendly conversation about this and she asked me most politely. As I've also experienced firsthand, developing web sites that load equally well in all browsers is a challenging task. Thus if you should encounter any problem obtaining the report via their registration page, then I heartily suggest contacting Ms. Henson directly at (713) 651-8372. I'm sure she'll be happy to assist you.]

Topic(s):   Law Practice Management

August 13, 2004

Bust a Myth

PCWorld has a nice article that addresses some of the really tough PC questions:

- Do magnets really zap your data?
- What happens when you forget to "stop" a USB device before disconnecting it?
- Do browser cookies track everything you do on the Internet?
- What happens when you turn off your PC without shutting down Windows first?
- Does opting out of spam generate more spam?
- Does turning off your PC daily to save power really shorten its life?
- Is the government reading everyone's e-mail?

You'll have to read it to find out.

Topic(s):   Other Musings  |  Privacy & Security

August 12, 2004

Great Listing of Alternative Software by Category

This week's tip is finding new software with ease. Tech columnist Jeremy Wagstaff (LOOSE wire) recently posted some very useful program listings in the following categories. Particularly nice is the inclusion of lesser-known or alternative programs to the "name brands". Even experienced software hounds would be hard-pressed not to find something new here. Well done.

[Updated 8.17.04 to add the Acrobat and Outliner listings.]
[Updated 9.7.04 to add the RSS Reader listings.]

Topic(s):   Trick or Treat

August 11, 2004

Legal Tech Talk

As part of his phenomenal "Five by Five" series, Matt Homann recently posed this conundrum to five savvy legal technologists (I'm honored to be one of them):

What five new technologies should all lawyers incorporate into their practices, but probably won't?

Since the question is phrased in the negative, I enjoyed reading the thought-provoking answers even more than participating in the submissions.

As far as I know, we each submitted them independently from one another. Thus it's interesting to see certain themes relating to RSS feeds and readers, blogging, personal productivity tools (especially regarding taming your e-mail and note-taking with Microsoft OneNote), spreadsheet use, and more -- which are particularly perceived as technologies that lawyers (taken as a whole) probably won't be utilizing in their practice. Scary, isn't it?

Although, with that said and being the optimist I am, I'm still heartened by the response to West's Mike Wilens' query back at the ABA TECHSHOW 2004's keynote: "How many of you read blogs?" I would say at least half of the filled grand ballroom crowd raised their hands. Taking into account the nature of TECHSHOW attendees (i.e., legal professionals and support staff who are actively interested in and seeking out technology ideas and solutions), I'm tempted to conclude that a distinction needs to be made here: There's a new breed of evolving lawyer, and they're pushing the envelope much more than traditionalists because the legal and business climate has changed. Efficiency and competition are driving some of it, as well as clients' demands and dislike for complacency. Just read Matt's blog for a very good example of a lawyer who's not afraid to "break the rules" of law firm management and marketing by thinking outside the box.

While there are no silver bullets, I've found that even a little increase in overall tech savvy goes a long way, and you can't always wait until someone else has tested the waters for you first. While there's always some risk, I'm a firm believer in having first-mover advantage. But even if you're risk averse, I've found it's worthwhile to take the time to monitor early adopters' movements, including their successes and setbacks. That makes it somewhat easier to be at the forefront of the wave when it reaches critical mass -- simply because that knowledge can enable you to jump on the ladder a few rungs higher than the rest. Thus I'd say that one of the unwritten themes in our responses to Matt's question is don't be afraid to experiment. On a personal note, I approached creating this blog purely as a "little experiment", and am still amazed by the dynamic range of benefits in doing so.

Here's the money quote you can take from this post: There are many useful and productive technologies lawyers can test without breaking the bank or wasting a lot of time. Waiting for other lawyers and firms to try them first is like watching two turtles play leap frog -- while they're absorbed in making all the methodical machinations, the hare has already zipped by them unnoticed.

Topic(s):   Law Practice Management  |  Legal Technology
Posted by Jeff Beard

August 05, 2004

Crossing the Wi-Fine Line?

If you access an open Wi-Fi connection in the woods and nobody hears you, have you broken the law?

This type of mixed question seems to be stumping a lot of experts. Thanks to Ernie posting a related link, I just read a great article by Mark Rasch, the former head of the Justice Department's computer crime unit, who now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Mark gives a number of everyday examples, and points out the thorny legal issues. One of the big ones: how much should individuals be held accountable for not securing their own Wi-Fi networks?

Mr. Rasch responds:

"You're busted! You see, when you "broadcast" the cable connection, you are opening it up for anyone to potentially use it. So other people can potentially get Internet access from Comcast without paying for it. In Maryland, for example, it is illegal to use an "unlawful telecommunication device" which is a "device, technology, [or] product . . used to provide the unauthorized . . . transmission of . . access to, or acquisition of a telecommunication service provided by a telecommunication service provider." Delaware, Florida, Illinois, Michigan, Virginia and Wyoming all have laws on the books that may do the same thing."

Regardless of the outcome, it's just not wise to expose oneself to the threat of prosecution, embarrassment, and substantial legal defense fees for the sake of convenience. Regarding intruders accessing unsecured access points, Mr. Rasch properly raises the "slippery slope" problem, "How much security must you have on a system in order to be able to prosecute someone for accessing it without authorization?"

However, in regard to the "cable sharing" laws above, one would think the Wi-Fi network owner's simple act of enabling encryption, disabling the network name broadcast, and other easy security steps would be enough to keep him/her out of hot water. Again, how much security is required?

His answer to all of the above: "But ultimately if we want to move to ubiquitous wireless computing, where you can use the WiFi protocols for cheap, mobile VOIP communications, or have near universal wireless Internet access, we are going to have to persuade the law to get the hell out of the way."

My take on this is that intent plays a large part in the equation. Did you just set up your first wireless router and leave it open out of sheer ignorance? Or did you then tell your neighbors, "Pssst, want some free cable Internet if you cut my lawn?" In a busy downtown coffee shop, did your wireless laptop automatically jump onto another's Wi-Fi network because its default settings told it to connect to the first open access point it found? What if that wasn't the coffee shop's free network, but that of the business next door? The problem is that other than reading the SSID (the wireless network's broadcast name), it's not easy to know whose network it is. It's not like when you go to log in at the office, and a message pops up to tell you it's a private network, keep out unless authorized.

Both the technology and the law need to meet somewhere on these issues. Many of these questions and cases are very fact-specific. But here is the Catch-22: If the technology needs to add features like the ability to broadcast a "Private Property: Keep Out" message to provide notice of unauthorized access, then that broadcast itself is compromising security by announcing the network's presence in the first place. Perhaps this could be mitigated by enabling basic security as a default in the hardware from the manufacturers. In turn, the laws need to address the intention issues.

In the meantime, given the rate at which the law generally lags behind technological advances, we're probably in for a bumpy ride.

Topic(s):   Privacy & Security
Posted by Jeff Beard

Things to Make Your Broadband Zing!

Here are some tips, sites, and programs to help you test and optimize your broadband connection speed:

Broadband speed test sites:

While there are many such test sites, perhaps the best place to find them is at Broadband Reports' Speed Tests page. Here you'll find a nice long list of free test sites around the world. You'll generally get the most reliable results by choosing a server that is closest to you geographically. Some of these sites' tests run a Java applet, so you'll need to turn on Java in your browser if it's not already enabled.

Broadband speed test software:

Alternatively, download and install Dan Elwell's Broadband Speed Test. It will run a series of ping, download, and packet loss tests to a variety of servers around the world. Then it generates a nice report for you. Alas, this program couldn't get out past my corporate proxy server, but it worked just fine on my home network.

Optimize Windows' Network Settings for Your Broadband Connection:

Depending on your Internet connection (dial-up, DSL, cable, etc.), your current Windows settings may seriously impede your speed and cause other connection problems. For instance, a common problem is that the MTU (Maximum Transmission Unit, or packet size) value generally needs to be set to 576 for dial-up, 1492 for DSL, or 1500 for cable or regular Ethernet networks.

Here's an easy way to optimize these settings:

  1. Before proceeding, if this is a corporate or firm PC, check with your IT department first. They probably have already optimized your settings, and you won't endear yourself to them by mucking it up. The following is intended for home PCs only:

  2. Test your broadband speed a few times to get an average baseline measurement (see above).

  3. Download, install, and run CyberTweak, a fantastic free program that will make these Windows registry changes automatically for you based upon your broadband connection type.

    • As a precaution, I strongly recommend that you back up your registry before using any program like CyberTweak (there are a lot of these programs available online).

    • An alternative is that when you first run CyberTweak, do NOT choose your connection type in the first screen, but instead manually scroll to the right, through the screens, to observe and document your current settings before making or committing any changes. Then you'll have your original baseline settings.

    • Now go back to the first screen and select your Internet connection type and apply the changes. You must reboot before the changes will take effect in Windows.

  4. Re-test your broadband speed a few times to get a new average measurement. If it's better, you're done. If it's worse, you can re-run CyberTweak and either restore your prior settings or tweak them further. Don't forget to reboot after each set of changes before re-testing.

To give you an idea of the difference CyberTweak made for me: On a PC previously optimized for dial-up (i.e., MTU was set to 576), my download speed was a mere 300 kbps. After selecting "cable" in CyberTweak and rebooting, my download speed tested between 1.8 and 2.0 mbps. No other changes were made in between. Moral of the story: Size does matter!

Topic(s):   Trick or Treat
Posted by Jeff Beard

August 04, 2004

Blogging Abuses are Escalating

First there was comment spam: Spammers artificially boosted various web sites' Google page rankings by embedding links to those sites in blog comments. Google rankings favor sites that have a lot of inbound links, especially from highly ranked sites.

Then there was trackback spam: Blogs supporting trackbacks (i.e., the ability of blogs to learn which other blogs are linking to them) were nailed by artificial trackback pings containing spam web site links -- and they were harder to remove than comment spam. Luckily, I only received a couple of those.

Regular blog sites ended up being used to increase Google page rankings for various online pharmacies, casinos, porn sites, and more. I've personally had to clean this dreck from my blog. Usually it wasn't too bad -- just a couple a day, easily deleted. I've always resisted the urge to curtail commenting as I truly wanted to encourage a lively discussion. Then, just last month, I suddenly got hit by over 1,600 spam comments in a single week (no, that's not a typo), and they were increasing each day after. Since the comments were always made to older posts where there were virtually no new comments, the easy solution was to run a script that closes comments older than "x" number of days. It's a pretty good compromise so far, as most comments are made within a few days after posting, and I still want to have commenting enabled. (I've known about the MT-Blacklist plugin for a while, but I didn't have the time nor the inclination to upgrade my blog software just for that alone.)

Over the past six months, I've seen an increase in "me too" blogs -- ones in which the overall motivating factor was to have a site which ranked highly on Google. Then I started receiving link exchange e-mails from commercial services that had nothing to do with this blog's topics. Naturally, I ignored them the same as any spam e-mail.

Now, according to Wired News, the online porn industry is at it once again. But for the very first time, it seems they're not touching my blog, nor others. No, they've figured out they can better directly manipulate Google rankings by setting up their own set of blogs and then cross-linking between themselves. This part isn't all that novel, as many bloggers know you need to exchange links to benefit in page rankings.

But this time around, the pornsters are using Google's technology against itself. Google owns Blogger. So they've set up dozens of free Blogger sites and are using them to create the necessary inbound links to manipulate Google. Ironic, isn't it?

Here's the money quote from Wired: "It's just like (when) the first couple of people who got the idea to try to manipulate the meta-keyword thing might have been successful, but then everyone jumped all over it.... These things run their natural evolutionary course after awhile."

Note that a number of search engines don't use metatags for that very reason. Because of abuses like this and "Google bombing" (hint: do a Google search for "miserable failure" to see how anyone can be targeted), Google has been under increasing criticism due to these manipulations' effects on the integrity of the results. As with metatags, I expect that the abuses will go the normal route of getting worse before they get better. Eventually, when a particular abuse hits critical mass, the search engine companies attempt to adapt their technology to preclude or ignore it (much like metatags are now ignored). Since Google's core technology has always focused on the link factor, this should prove interesting indeed.

That is, until the next exploit is discovered, and then we get to repeat the cycle. Get ready...

Topic(s):   Blogging Tips  |  Web Wizardry
Posted by Jeff Beard

August 02, 2004

Thanks to All on My Wireless Router Query

A number of people replied to my query a few weeks ago, when I was trying to decide between the Linksys WRT54G and Netgear WGR614 wireless "g" routers on a security basis. I just wanted to say "thanks" for all the feedback. As you can tell from my recent posts, I've been playing around a lot with my wireless network to get the best performance and security out of it. All I can say is "This Rocks!", and I should have done this much, much sooner. But then again, I wouldn't have had the many benefits of having a "g" router if I bought "b".

Most people replied they didn't see much difference between the two models security-wise, but surprisingly many more favored the Linksys model, almost to the exclusion of Netgear. I ended up trying both of them thanks to a generous return policy at my favorite store. The security features were mostly the same, and while the Netgear had more user-friendly help screens and wizards, I kept the Linksys and returned the Netgear. Why?

The Linksys beat the Netgear router in wireless signal range alone, and it didn't hurt that it had two antennas to Netgear's one. Although Netgear definitely has the cooler-looking, more compact design, I'll take performance over looks any day. Also, the Netgear router's web interface didn't work well with my Norton Internet Security (NIS) firewall enabled. I had to disable my personal firewall just to reliably program the router. No problem with the Linksys, which incidentally ships with a trial version of NIS. The Linksys router also has additional encryption methods for supporting RADIUS and WPA key servers. While this is overkill for most home networks as these are usually enterprise solutions, it demonstrates a commitment to providing additional security features.

Last but not least, I really liked the fact that the Linksys firmware is based on Linux, and you know what that means. Yep -- open source. A little Googling led me to quite a variety of alternative open source Linksys firmwares offering a host of additional features. It piqued my interest that many included the ability to adjust the transmit power of the router up or down (something Linksys doesn't provide, presumably due to FCC limitations).

However, I've since learned that a number of recent Linksys firmware releases introduced some bugs. While this is not good, the open source community works very quickly to report them and come up with alternative solutions. This is nice in that affected users don't have to wait months for the manufacturer to fix the bugs (if ever). In this regard, open source really works, and I have to wonder if this is part of the reason why the WRT54G is such a popular wireless router.

Regardless, the Linksys WRT54G has performed admirably and reliably. Even though I've placed it down in my basement office to limit signal leakage to potential hackers, it covers my entire house and back deck -- even the rooms on the top floor, which are two floors up. Amazing. I'd recommend it with the shipping v. 2.02.2 firmware version with the firewall enabled to close a remote administration security hole. If signal strength is important to you, stay clear of the two latest firmware versions, as quite a few people have reported this problem. I experienced it firsthand when I tried it before going back down to 2.02.2. Still, it performs better than the Netgear router, so I'm pretty happy with it overall.

Thanks again to all those who responded with a recommendation.

Topic(s):   Mobile Tech & Gadgets  |  Privacy & Security
Posted by Jeff Beard

Various Wi-Fi Security Technologies Explained

The Ziff-Davis Channel Zone has a good article explaining the differences between the new wireless networking (Wi-Fi) security technologies, such as TKIP, AES, and 802.11i, and alerts us to some of the latest Wi-Fi security holes and threats. Thus it's appropriately entitled, "Making the Most of Wireless Security". Great companion piece to my "Wireless Networking Best Practices: Version 2.0" article.

Topic(s):   Privacy & Security
Posted by Jeff Beard

August 01, 2004

Wireless Networking Best Practices: Version 2.0

I've updated my Wireless Networking "Best Practices" to add even more things you can do to harden your wireless network against intrusion. Please keep in mind there is a diverse range of networking equipment available, and that this information is provided as a courtesy. I've taken considerable time to compile and publish this information, because I have not found any single good source for all of these items. It's grown into quite a compilation.

This is also mostly geared toward home Wi-Fi networks, but the concepts are adaptable for corporate networks as well. Thus, you choose to make all changes at your own risk. If your router or access point has an option to backup its settings, then I highly recommend you back it up before and after making any changes, as well as being diligent in documenting any changes made. If you don't want to be an easy mark for wardrivers or your neighborhood hacker, read on. It's worth your while.

First, you really must change many of the default settings. Hackers and wardrivers know them all, because there are web sites that publish them.

This means you'll need to access your wireless router's configuration screen. One of the easiest ways to do this is through your web browser, and while you should be careful in the settings you change, it's something even a novice can do. While this isn't an all-inclusive list of security measures, these are things most home network users can do with care:

  • Change the default SSID (Service Set ID or network name).

    Hackers know all the default values for nearly each make and model, as they are posted all over the Web. If you really want to know, try another simple Google search for the following: default wireless SSID.

    The SSID is your network name, and your wireless cards use this like a login name to connect to your network. That's why it's so important to change it from the default value. Resist the urge to name it after yourself or anything personally identifiable -- this just makes it easier for a hacker to find or guess a targeted network's name, and you just provided the casual hacker with your name.

  • Disable the SSID broadcast.

    By default, most wireless network equipment broadcasts the network name to make it easy to find and connect to. If it's a convenience to you, it also makes a hacker's job a whole lot easier. Free programs like NetStumbler make it a breeze to find nearby networks and to tell its user the network names, whether or not they're encrypted, and much more. Disabling the broadcast of your network name essentially hides the network's login name. If convenience is a concern, then instead of broadcasting your network name, you're much better off setting your wireless software on your laptop to automatically log in to it as a "preferred network".

    Be forewarned, however, that even if you turn off your router's or access point's SSID broadcast, your laptop's Wi-Fi card will give it away. Wi-Fi cards broadcast the SSID in clear text when they attempt to connect to your Wi-Fi network. Like many of the other precautions listed here, disabling the SSID broadcast just makes it a little harder for the bad guys. The upside is that you're not broadcasting your network name 24 x 7, and that helps to make your network less visible. Otherwise, leaving the SSID broadcast enabled is the same thing as putting up a neon sign that says, "Hey guys, here I am, come hack me!"

  • Change the default password for the router's Administrator account.

    Again, wireless hackers know these defaults, most of which are simply "admin". Try a Google search for: default wireless router passwords. You'll find sites that list the login names and passwords for many manufacturers. Even if your particular model isn't listed, many manufacturers use the same values across their models.

    If you don't change the password, then an intruder could easily reprogram your router to lock you out and open more security holes to allow him/her easier access. You'd then have to reset your router back to its default factory settings, and start all over again.

  • Enable MAC Address Filtering.

    This is a key wireless security measure, as it adds yet another layer of protection. Every Ethernet network card, wired or wireless, has a unique number called a MAC address. Enabling this feature tells your router to only allow access to authorized Ethernet cards. While it's possible for hackers to "spoof", or fake, a MAC address, it requires a higher level of hacker savvy, and it takes longer. The idea is to make it as difficult and time-consuming as possible for wireless hackers, to discourage them so that they move on to easier pickings.

    If you're wondering where to find each network card's MAC address, many of them have it printed on a label right on the card. Here's another easy way to find it:

    For Windows NT/2000/XP/Vista:
    1. Click on Start, Run, and type in cmd
    2. Click OK, and a DOS-like window will appear.
    3. Type ipconfig /all and press ENTER.
    4. This will likely list information both for your ethernet network card and for your second wireless card. Under the wireless card, the "Physical Address" line should provide the 12-digit MAC address.

    For Windows 9x/ME:
    1. Click on Start, Run, and type in winipcfg
    2. Click OK, and an information window will appear.
    3. In the pull-down section, click and select your network card.
    4. The "Adapter Address" is your card's 12-digit MAC address.

    This 12-digit number is the one you need to enter into your wireless router's table. Make sure MAC filtering is set to only allow specified MAC addresses access to your network.

  • Limit the number of allowed connections to the bare minimum needed.

    Most routers will let you restrict the number of network connections. For example, if you have one desktop and one laptop, you only need two connections.

  • If you can, consider disabling DHCP and assigning each of your PCs a static IP address.

    DHCP (Dynamic Host Configuration Protocol) is a method in which your wireless router automatically assigns an IP address to each PC connected to the network. Thus if a hacker joins your network sufficiently, your router will cheerfully give her an IP address as well. That is why limiting the number of connections is so important, as is turning off DHCP so that intruders don't get an automatic IP address.

    BIG CAVEAT: It's probably ill-advised to set a static IP address if you connect your laptop to an office network. Most corporate networks use their own DHCP servers to assign and control IP addresses, and your static IP address could conflict or be in the wrong range. Thus if your laptop needs to connect to two or more networks, you probably will want to leave this alone.

  • Enable the highest encryption possible: WEP 128-bit (802.11b) or WPA with TKIP or AES (802.11g).

    Due to the relative ease with which WEP (Wired Equivalent Privacy) is cracked, WPA (Wi-Fi Protected Access) is vastly preferred. For home use, most people will want to enable WPA Pre-shared Key (WPA-PSK) and use a long key name with a mix of upper and lower case letters, numbers, and odd characters (such as ~!@#$%^&*).

    For the WPA Algorithm, at a minimum choose TKIP (Temporal Key Integrity Protocol). Better yet, use AES (Advanced Encryption Standard) if your router, Wi-Fi card, and software support it. TKIP is an interim industry solution, but it adds the ability to automatically generate new keys at preset intervals. (For you Trekkies, this is akin to rotating the shield harmonics to repel the Borg. ;^) Rapidly changing keys gives the wireless hacker much less time to "sniff" and break the code before it changes again. Again, AES is the stronger encryption method that the wireless networking industry has been moving toward and is the preferred choice. If you have it, use it. [Update: The TKIP protocol has been partially hacked, so only use it if your router doesn't support AES. Many router manufacturers provide free firmware updates for your router that will allow you to use AES encryption instead.]

    Please note that encryption reduces your overall network performance. However, since Internet speeds via cable and DSL are usually much slower than your network with encryption (especially under the "g" protocol), it should have no effect on your Internet access speed, just on file and print sharing speeds within your local network.

    If you don't have WPA as an option, check your wireless equipment's manufacturer's web site for any firmware upgrades to WPA. If you can't upgrade your equipment, then enabling WEP encryption is better than nothing. However, I strongly suggest spending the money and upgrading to newer equipment that features much stronger encryption and is faster (12mbps with "b" wireless vs. 54mbps with "g" and 108mbps with "super g").

    [Update: If your router and wireless devices support WPA2, use it instead of WPA as it is more secure.]

  • Don't run your wireless network as a mixed "b" and "g" environment.

    While 802.11b and 802.11g networks are compatible, it's not desirable regarding both security and performance results. The problem is that as soon as you add even a single "b" device to your wireless network, it brings the network down to the lowest common denominator. In this case, that means you only get the weaker and inferior WEP encryption (unless the "b" device can handle WPA), and the much slower "b" network speeds. Thus running a "pure g" network is better all around.

  • Limit folder/file sharing to the minimum with password protection.

    If your home network is typical, you may have enabled folder/file sharing between your PCs for convenience. If you must enable sharing, then limit it to only those subdirectories required. Don't enable sharing at the root level of the hard drive. For instance, you might want to move a shared "My Documents" folder to another drive or partition and only grant access to it, rather than your entire hard drive.

  • Change the default IP address of your wireless router or access point.

    Again, hackers know these default addresses, so they know where to find your network devices. For instance, many Linksys routers default to 192.168.1.1 and Netgear's are 192.168.0.1. Under Internet standards, one of the three available private network IP ranges is from 192.168.0.0 to 192.168.255.255. (Tip: Each 3-digit section can only go from 0-255. Also, since 0 and 255 can have some special significance, avoid these two values.)

    For example, you could change the IP address of a Linksys router from 192.168.1.1 to 192.168.100.1, or 192.168.1.100 (depending on which of the last two segments you want to change). Or you could pick a really odd number to make it difficult to guess, such as 192.168.177.13. Just keep in mind that it's more important that you can remember it. Otherwise, you won't be able to access your router to make changes (at least not without having to reset it to factory defaults and losing all of your hard work -- not good).

    If you change this default IP address, also keep in mind that if you ever need to reset the router back to its factory defaults, afterward you'll have to manually log in at the default address (e.g., 192.168.1.1) and change it back to your custom number. If your router is not using DHCP, then it's a good idea to keep your PCs' IP addresses and the router's address coordinated.

    By changing your router's default IP address, you are changing its location on your private network. Thus a hacker looking to access your router for reprogramming or discovering your settings will not find it nearly as easily.

  • Make sure the router's firewall is enabled.

    Most routers have their firewall enabled by default, but just make sure it's enabled, along with any related feature to block pings or "anonymous Internet requests". This will help stealth your network's presence to the Internet at large.

  • Make sure the DMZ is disabled on the router.

    A DMZ (DeMilitarized Zone) is a buffered zone that separates the Internet from your private LAN. However, in most SOHO routers, enabling the DMZ bypasses your router's NAT (Network Address Translation) and other filters, so it greatly weakens the security of any device located in the DMZ. Thus unless you're very savvy with networking, keep the DMZ feature disabled.

  • Disable the router's Remote Management feature.

    Remote management allows you or others to access your router to change its settings from outside your local area network. This should already be disabled as a default setting, but check it. Disabling remote management only allows access to the router's settings from within your private network.

  • Disable Universal Plug 'n' Play (UPnP) on your router unless you absolutely need it.

    UPnP is used for some devices like the Xbox game system. If you don't have a UPnP device, then make sure it's disabled. Otherwise, it's another potential security hole for your network.

  • Use a VPN to connect to your office network when using a wireless network.

    A VPN (Virtual Private Network) provides remote access to an organization's network over the Internet, through secure "tunnels" created by additional encryption. Typically, when your PC is connected to your office's network via a VPN, it can't "see" the rest of the Internet. Thus it's no surprise that VPNs are commonly used to help secure wireless networks. If your organization offers VPN use, it's yet another wireless networking best practice in your arsenal.

  • Place the wireless router or access point away from outside walls to minimize signal leakage.

    The closer you locate it to an inside wall, the more signal drop-off will occur by the time it reaches the outside. You don't want to provide a nice strong signal for others to jump onto your private network.

  • Configure your laptop's wireless card software appropriately.

    To avoid accidental connection with strange Wi-Fi networks (you don't know where they've been or who's on them), configure your wireless card's software for the following:

    1. Connect only to access point (infrastructure) networks, to avoid any undesired "ad hoc" peer-to-peer connections, and
    2. Uncheck any feature for automatically connecting to non-preferred networks. Otherwise, your laptop will jump onto the first open network it finds. If you routinely forget to turn off the card's radio, this will help stop it from getting you into trouble.


Additional "Must Use" Safeguards:

  • Personal or software firewalls, such as ZoneAlarm Pro and Norton Internet Security

    Even if your router has a good firewall, it generally won't stop outgoing traffic from spyware and malware that's phoning home. A properly configured personal firewall will. You also need a personal firewall on your laptop when you connect to other access points, such as when traveling.

  • Good antivirus software

    I'm quite partial to the Norton Antivirus line; it just works without causing me any problems.

  • Anti-spyware/malware programs, such as Ad-aware, Spybot Search & Destroy, and PestPatrol


Ongoing Maintenance for the Best Security:

  • Keep the personal firewall and antivirus programs updated with the latest definitions.

  • Keep up with the various security patches from Microsoft.

  • Change the router's login name and/or password periodically. Use strong passwords (at least 7-8 characters, with mixed case, numbers, and other characters).

  • Change the wireless network SSID value periodically. Again, use strong names (at least 7-8 characters, with mixed case, numbers, and other characters).

  • Change the WEP or WPA encryption keys periodically. Same advice regarding strong passwords applies.

  • Always check all of the above settings after performing any router firmware upgrades. For example, Linksys router owners discovered that upon upgrading from firmware version 2.02.2 to 2.02.7, Linksys changed the firmware's UPnP default to "enabled" just to earn Microsoft Xbox certification. However, for most of their customers, they just opened up another potential security hole. Thus it's helpful to print out all of your router's setting pages and keep them in a secure place for reference.
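
One way to make the post-upgrade check above repeatable is to keep the documented settings as data and compare them after each firmware change. This is an added example, not part of the original post; the setting names and both snapshots are constructed, and a real router's values would have to be typed in by hand from its configuration pages.

```python
from __future__ import annotations

import ipaddress

# Router addresses the post names as factory defaults.
DEFAULT_ROUTER_IPS = {"192.168.1.1", "192.168.0.1"}

# The three private IPv4 ranges.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Encryption modes from weakest to strongest, in the post's order.
ENCRYPTION_RANK = ["none", "wep", "wpa-tkip", "wpa-aes", "wpa2"]
MINIMUM_ENCRYPTION = "wpa-aes"

# Hypothetical setting names mapped to the value the checklist calls for.
# The snapshot records whether secrets were changed, never the secrets.
EXPECTED = {
    "ssid_changed_from_default": True,
    "admin_password_changed": True,
    "ssid_broadcast": False,
    "mac_filtering": True,
    "firewall": True,
    "dmz": False,
    "remote_management": False,
    "upnp": False,
}


def _audit_router_ip(value) -> list[str]:
    """Check the router's LAN address against the post's advice."""
    if not isinstance(value, str):
        return ["router_ip is not recorded"]
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        return [f"router_ip {value!r} is not a valid IPv4 address"]
    if value in DEFAULT_ROUTER_IPS:
        return [f"router_ip {value} is a published default"]
    if not any(addr in net for net in PRIVATE_NETS):
        return [f"router_ip {value} is outside the private ranges"]
    if addr.packed[-1] in (0, 255):
        return [f"router_ip {value} ends in a reserved value"]
    return []


def audit(settings: dict) -> list[str]:
    """Return every way a settings snapshot departs from the checklist."""
    findings = []
    for name, wanted in EXPECTED.items():
        if settings.get(name) is not wanted:
            findings.append(
                f"{name} is {settings.get(name)!r}, expected {wanted!r}"
            )
    enc = settings.get("encryption", "none")
    if enc not in ENCRYPTION_RANK:
        findings.append(f"encryption mode {enc!r} is not recognised")
    elif ENCRYPTION_RANK.index(enc) < ENCRYPTION_RANK.index(MINIMUM_ENCRYPTION):
        findings.append(f"encryption {enc} is weaker than {MINIMUM_ENCRYPTION}")
    findings.extend(_audit_router_ip(settings.get("router_ip")))
    return findings


def regressions(before: dict, after: dict) -> list[str]:
    """Findings in the new snapshot that the old snapshot did not have."""
    known = set(audit(before))
    return [f for f in audit(after) if f not in known]


# Constructed snapshots: a hardened baseline, the same router after an
# upgrade that re-enabled UPnP, and after a reset to factory defaults.
BASELINE = dict(EXPECTED, encryption="wpa-aes", router_ip="192.168.177.13")
AFTER_UPGRADE = dict(BASELINE, upnp=True)
AFTER_RESET = dict(
    BASELINE,
    ssid_changed_from_default=False,
    admin_password_changed=False,
    ssid_broadcast=True,
    mac_filtering=False,
    encryption="none",
    router_ip="192.168.1.1",
)

if __name__ == "__main__":
    for label, snap in (("upgrade", AFTER_UPGRADE), ("reset", AFTER_RESET)):
        print(f"after {label}:")
        for finding in regressions(BASELINE, snap):
            print("  -", finding)
```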

Naturally, the more secure you make it, the less convenient the setup. But I'll take the extra wireless security anytime, because wireless networks are still horribly insecure compared to wired. But as you can see from the above, you can still do a lot to harden it against intrusion, and it doesn't take a networking guru for many of them. Wi-Fi itself is a tremendous convenience and enabler, if it's done right.

[Update 11.29.08: Please see my post, "Wireless WPA Encryption Component Hacked -- How to Protect Yourself" in light of the published TKIP vulnerability.]

Topic(s):   Feature Articles  |  Mobile Tech & Gadgets  |  Privacy & Security
Posted by Jeff Beard