The Hacker Factor Blog: Tools, Techniques, and Tangents
Failure to Communicate
Thursday, July 1, 2010
A couple of days ago I wrote about my need for wireless network capabilities when traveling, and my fear of becoming an early adopter of new peripherals. The feedback I got back was amazing. A few people posted comments but nearly a dozen people wrote to me directly with advice, suggestions, and horror stories.
The feedback identified three classes of solutions:

Standalone hubs. There is a class of 3G router that connects to the network and acts like a local WiFi hotspot. As long as your computer can talk regular 802.11 (a/b/g/i/whatever), it can connect to the hub. The hub connects to the 3G network, giving you Internet access. Dr. Silk recommended the MiFi 2200 from Verizon. I gotta agree with him -- this looks like an excellent solution, especially for residences that cannot get cable or DSL but have 3G coverage (like my friend who lives a few miles outside the city limits). The downsides are not too extreme: claimed 4 hour battery life (forums make it sound like 2 hours with heavy use) and tied to Verizon's 5GB limit for an expensive $60/month. Again, if you can keep it plugged in and have a couple of people at home using it, then $60/month isn't bad at all.

Tethered. A tethered solution is where you have a USB cable going from your computer to your cell phone. The cell phone provides the modem/router support and connectivity to the 3G/Edge/4G/etc. network. As long as your cell phone works, you should have network connectivity. This is a great solution for anyone with a smartphone (like the iPhone or Android) -- particularly since you are probably already paying for the bandwidth and you're just not using it.

Every now and then I look into smartphones. Right now the battery life isn't acceptable for me. My current phone can go nearly a week with heavy use (well, heavy use for me) before needing a charge. It can go nearly 2 weeks if I rarely use it and leave it turned on. My EeePC gets about 7 hours per charge and that includes heavy use (programming and compiling and networking). In contrast, most smartphones last 4-8 hours at best.

In my case, I don't have a smartphone. While I do have a cell phone, it is almost always turned off. (I don't like cell phones and I only use it when traveling.) I'm actually on a pay-as-you-go plan and I usually spend about $100 a year on the phone. For my use model, the prepaid option is a great and inexpensive choice. For this reason, I cannot justify getting another phone (a smartphone to replace my Motorola v195) for the sole purpose of having network access when I travel. Frankly, I'm griping about paying $10/day for Internet use at hotels. With the $60/month plan, that means I need to stay at hotels more than 6 days per month for this to be a viable option. And this doesn't take into account the $50-$200 price of the smartphone with a 2-year commitment. (Some smartphones are free with a 2-year contract, but they are either not iPhone/Android, or are running older operating system versions.)

USB Dongle. At first glance, these USB dongles seem perfect for me. The calling plans are usually not as expensive as a smartphone, there's no extra power supply (it runs off the USB power), and the use model is intended for laptops and travelers. However... these dongles are not just regular modems.

My Bad Experience

After a lot of soul searching, I finally settled on the T-Mobile webConnect USB dongle. As I understood it, there is a 200MB plan with overage fees and a 5GB plan with no overages for $40. And best yet, T-Mobile is having a sale, so the webConnect is only $20 instead of $45 (with 2 year contract). While the device only says that it supports Windows and Macs, there are plenty of people in the forums who say that they have it working under Linux.

Well, spoiler alert: nothing is as it appears.

Remember the old days when modems spoke that Hayes "AT" control code stuff over a serial port? It didn't matter what kind of computer you had as long as you spoke RS232 and used the standard AT command sequences. That's not the case today. +++

Today, the USB dongles do speak the AT command set (with additional commands for broadband negotiation). However, there is nothing standard about how you access the modem.
There are three types of devices on the market right now, and if you choose wrong, you'll get screwed.

Plain modem or NIC. There are a few USB dongles that plug in and look either like a serial modem or like a network interface card. These have out-of-the-box support by most Linux distributions. Unfortunately, these seem to be limited to the older devices. Some don't support 3G and most have no means for supporting the new 4G and HSPA+ networks.

Dual device and ZeroCD. The description from the usb-modeswitch package for Linux describes this very well:

Several new USB devices have their proprietary Windows drivers onboard, especially WAN dongles. When plugged in for the first time, they act like a flash storage and start installing the driver from there. If the driver is already installed, the storage device vanishes and a new device, such as an USB modem, shows up. This is called the "ZeroCD" feature.

Most versions of the T-Mobile webConnect device are in this category. If you put it in and it doesn't work as a serial modem, then install the usb-modeswitch package. This will temporarily turn off the ZeroCD feature and allow you to access the modem.

Total software solution. Beginning last December, a few manufacturers began to roll out "lite" versions of these USB modems. From what I can tell, they totally removed most of the firmware and do most things in software. I suspect that this was done more for cutting hardware costs than for any actual performance or flexibility gain. Unfortunately, there is unlikely to be any Linux support unless the manufacturers port their code to Linux.

Hear No Evil

At the time I was making the purchase, I specifically asked about Linux support. The woman who was helping me at the T-Mobile store wanted to make sure too, so she called their technical support. The first two people she spoke with didn't know what Linux was. (OMG! Are you kidding me? It's 2010! My Grandmother knows what Linux is! Every sales person in the store knew about Linux! And this is the T-Mobile technical support?) She finally reached one technical support person who basically said, "Does it work under Linux? I should know the answer to that, but I don't know and there really isn't anyone else if I escalate this."

Since the Linux forums had many success stories with the webConnect (before I knew about the "lite" versions), I decided to risk it. Bad choice on my part.

As it turns out, the $20 "on sale" device from T-Mobile is actually a Huawei UMG1691 (also called the E1691). The 1690 and 1692 are ZeroCD devices and appear to be supported by usb-modeswitch. The 1691 is a lite version and only has software for Windows and Mac. After a few days of fighting with it, doing much more homework, and even calling tech support, I finally learned about the UMG1691 -- it is a total software solution and will never work under Linux (without additional software that doesn't exist today).

See No Evil

At this point, I had two options: return it or exchange it for a different version. As long as your CPU isn't running at a full load, the performance between the ZeroCD and Lite devices should be similar. I gave it a quick try in my Mac desktop system to see if it was worth exchanging. I ended up noticing two things.

First, the bandwidth was limited to 200MB. Huh? I paid for the 5GB and no overages for more than the advertised $40 price. Well, the offer on the web site doesn't match the offer in the store. In the store, it is 200MB with or without overages. The store does not offer an Internet-only plan for $40 with 5GB and no overages. After you go over your monthly limit, they either charge you $0.05 per MB or nothing (no overages). In the latter case, they simply reduce your bandwidth.

So how fast is the bandwidth? My Mac's benchmark reported about 400KB per second down, and much less up. Uh, I deal with computer forensics. I'm usually transferring very large files -- CDs or DVDs or on some occasions, multiple DVDs. For me, 1MB per second is slow and 400KB/sec is unacceptable.

T-Mobile is Evil

The upside is that I was allowed to return it to T-Mobile within the 2-week window for a refund. (I was 3 days into the contract.) No connection fee, reimbursed for the hardware, and they waived the 1MB of bandwidth I used (no prorating service since I couldn't get it to work on the desired system). However, they did keep a $10 "restocking fee" that was buried in the fine print. (Had I known that there was a chance of failure and a $10 restocking fee, I would have passed on this experiment.)

So to summarize: (1) Stay away from the UMG1691 like the plague -- it is the 3C501 of the USB wireless broadband world, (2) watch what they are selling and make sure it matches their offers on the web site, (3) if you have the option to use a hub or tethered solution, do that instead of the USB dongles, and (4) ask about any restocking fees -- even if they tell you that you will get a full refund within a 14 day grace period.

Finally, I have to think that there is something seriously wrong with the mobile phone market. Every store I went into (T-Mobile, Verizon, AT&T, and Sprint) had a huge number of customers hanging around. T-Mobile, Sprint, and AT&T each had a person adding names to a waiting list. In each case, the majority of customers were not there to buy -- they were there seeking returns, refunds, or corrections. The last time we saw something like this, the housing market collapsed and huge numbers of people defaulted on loans. Are we heading toward a communication breakdown since the phone companies aren't investing in an acceptable level of service?

Good Intentions
Monday, June 21, 2010
A little over a week ago a US intelligence analyst was arrested for submitting classified documents to Wikileaks. I have some serious issues about this arrest. While the analyst may have thought he was doing something ethically right, he went about it by doing something legally wrong. For example, while some of his wikileaked materials probably did need to be exposed (like the mistaken killing of two journalists and the subsequent cover up), how many operations and soldiers lives were put in danger by the leak?
I can hear some people right now saying "Huh? What?" Think about it. With the exception of leaked videos, the general public does not know our full, technical capabilities. As I recently heard on an NCIS repeat: the schematics for Air Force One are a secret. Hollywood just guesses at the layout. But here is SPC Bradley Manning, showing how things are really done. This is information that the enemy can use against us. By leaking an uncensored video with audio, Manning may have done far more harm than good; he exposed a cover up, as well as processes, procedures, and technologies that the United States and its allies use against real terrorists and threats to our nation.

There were also better ways to expose a cover-up. For example, he could have anonymously contacted a congressman. This would make the information public without releasing the video. Any anti-war congressman would have been a good choice.

While Manning may have thought that he was ethically correct in releasing the video, I cannot think of anything that would make leaking "an entire repository of classified foreign policy" documents, "260,000 classified U.S. diplomatic cables", or "a classified Army document evaluating Wikileaks as a security threat" ethically correct. Manning's actions look like treason to me.

From Bad to Worse

Wikileaks is intended as a forum for anonymous whistle blowers. If you are going to do something anonymously, then do it anonymously. Don't go around telling people that you were actually behind it. And if you're going to tell someone it was you, then don't tell it to a reporter. And of all the reporters you could talk to, don't choose one who has a history of unethical behavior!

That's right: Manning chatted with Wired's Adrian Lamo. When people create lists of hackers, they always include the notorious ones: Kevin Mitnick, Jonathan James (aka c0mrade), Max Ray Butler (aka Max Vision), Kevin Poulsen (aka Dark Dante), and others -- including Adrian Lamo (aka The Homeless Hacker). Even lists that don't list the "most notorious" include Lamo. (Thanks Adam for the link.)

Is there any reason to think that Lamo would not turn in Manning? I think not. Frankly, there are few reporters that I trust (very few). Most are more interested in sensationalism than accuracy. That, along with Lamo's established ethical lapses, makes me distrust him more than most reporters. Manning put his trust in a reporter with a criminal record, and the reporter exposed his source for notoriety.

Looking for the Good

Every list of "hackers" that I found online mentioned the evil ones. The lawbreakers, criminals, and socially deviant ones. However, not all hackers are evil.

I've recently had conversations about identifying good hackers. (Thanks to Mike, Bill, R., and the Internet Storm Center's handlers for the great insight.) When it comes to naming hackers, people immediately recall the bad guys. I mean, everyone has heard of Kevin Mitnick, but who can remember the name of the guy who caught him -- without consulting Wikipedia or Google? (Answer: Tsutomu Shimomura; half credit if you remembered John Markoff.)

Perhaps one reason is the postage stamp mentality. The US Post Office won't put someone on a stamp until they are dead. The reason: bad people may continue to do bad things without harming their reputation. However, a good person may screw up at the end and tarnish everything they have previously done. So someone who is an awesome, positive role model and hacker today could be tomorrow's villain.

The other problem comes from the large number of good hackers who are better known by their software than their own actions. For example, Snort is an awesome piece of software, but who can remember that Martin Roesch created it? Roesch is a good guy hacker, but his software is better known than him. The same goes for Tatu Ylonen and Bjorn Gronvall (SSHv1 and SSHv2), Giorgio Maone (NoScript), and many other people.

The real question is: what sets a notable good guy apart from the rest? If writing good code is good enough, then certainly Flash, HTML, and Photoshop could also be included. (Their developers were not intentionally evil...) But can you actually say that someone changed how we act (or react) in a positive way?

I guess what I'm really wondering... If you had one team of evil villains (Mitnick, Lamo, Poulsen, etc.) on one side, who would you stack against them as memorable good guys on the other side? (Mitnick vs Frank Abagnale Jr. -- after Frank turned good; Poulsen vs Mudge? Lamo vs ?) Here's my short list of good guy hackers whose influence is far more than just code.

A couple of people mentioned Dan Kaminsky. Dan's a nice guy and has done oodles of good things by making vulnerabilities public -- and I am still in awe of how he handled that world-wide DNS update. However, he likes to get drunk while giving presentations at Defcon and other conferences... While Dan is fun to watch, public drunkenness doesn't exactly scream "role model".

There are plenty of other people I could add to this list. I'm curious who other people think should be listed here. Remember the requirements: good guy, computer security or computer forensics, hackers, and most of all, influence beyond their immediate field or software.

Patently Wrong
Tuesday, April 27, 2010
I recently watched a short video titled "Patently Absurd". (Thanks to Shawn Merdinger for the pointer.) This 30-minute video discusses the harm caused by software patents and a recent Supreme Court case (Bilski v. Kappos) which will be decided soon.
The video itself isn't going to win an Oscar. (As video production and acting goes, it ranks up there with Star Wars Episode I, the Phantom Menace.) However, this documentary is about the message and not the filmography. And the message is clear: the patent system is totally screwed up.

Patent Problems

Patents were initially intended to give credit and protections to someone who develops a novel technical advancement. For example, if you developed a new farm tool that helps cut costs and improve harvesting, then you should be rewarded for that good idea. The reward comes in the form of licensing fees for other people to use your idea.

Patentable ideas should be novel and distinct; someone with the same basic knowledge and skill set should not be able to trivially re-develop the same good idea. For example, if a chair with 4 legs exists, then you can't patent another 4-legged chair (not novel or distinct). And expanding to a 5-legged chair is a trivial extension, so it shouldn't be patented either.

Unfortunately, that isn't how patents are being awarded or used. Today, patents are given out to anyone who files a distinct idea. The novel aspect is no longer a requirement. For example, patent 6,368,227 is for a way to swing at a playground, and patent 6,004,596 is for a peanut butter and jelly sandwich. Neither of these is novel or non-trivial. For example, the sandwich one is for making sealed peanut butter and jelly pockets. But... Pop-Tarts are sealed jelly pockets. So isn't the inclusion of peanut butter a trivial addition?

Today, patents are used to retain a monopoly. I have an idea and I'm going to tell everyone so I can stop them from using my idea. Monopoly, extortion... call it what you want. I was once advised by a patent attorney: don't file a patent on anything you cannot afford to protect. In other words, unless you have enough money to sue everyone and their cousin for using the idea, it isn't worth filing a patent.

Big companies like HP, IBM, and Microsoft have a whole slew of patents that they use as trading cards -- each company is violating someone else's patents, so they agree not to sue each other. For example, if Nvidia ever decides to sue IBM over some patent claim, IBM will likely pull out 100 IBM patents that Nvidia is violating (with the sheer number of patents, it is hard not to violate something...) and force Nvidia to concede. In the worst case, someone will likely determine that the patents are either too vague or too trivial to be enforced. For example, Rambus sued Nvidia over some alleged patent infringement. The USPTO decided that none of the claims were an infringement. Rambus withdrew some of their allegations, and the rest are still pending.

Patenting Software

There used to be a rule that you could not patent something found in nature. And math was considered a natural system. Since programs are nothing more than applied math, you couldn't get a software patent. However, that isn't the case anymore. Anyone can submit a software patent as a "method" for accomplishing a task.

If you have ever used Photoshop then you have seen that startup window that lists dozens of patents that "protect" the software. Photoshop Elements 4.0 lists over 50 patents. (Good luck trying to look them up, since you can't cut-and-paste the patent numbers and the "About" window scrolls them off the screen before you can write them down.)

For full disclosure, I have one software patent (7,296,084) and seven others pending at the USPTO (most have been pending for 7 years). However, I don't actually "own" them -- all of the rights were transferred to a corporate entity. (Most companies pay their employees a bounty for patentable ideas. So I was compensated for these.)

Today, software patents are causing a chilling effect. Software developers fear distributing code because they might infringe on some patent written in legalese. And while a patent lawsuit may have no basis, a lone software developer will likely go bankrupt defending himself.

Personally, I don't spend any time looking up patents. My rationale:

Frankly, I'm more concerned with software licensing than patents. (I believe that GPL is evil since it dictates distribution requirements.) Finally, I don't like how patents require public disclosure. If I don't want someone else to copy my work, then why would I release details of my work publicly? Instead, I use security-by-obscurity, and the knowledge that anyone copying my work will violate copyright laws and constantly be playing catch-up to me. If someone tries to recreate my software, then they will likely be at least two major revisions behind the current development cycle. As long as they play catch-up, I will always be the leader.

In contrast to patents, I am a huge fan of copyright law. And plagiarism should be a death-penalty offense.

Con Census
Sunday, March 21, 2010
I received my 2010 Census form last week. I was lucky, I got the short form. But there are so many things about the 2010 Census that bother me... is the census even needed anymore?

A Better Life

According to the flood of TV and radio commercials, the census is needed to help improve our way of life. One of the examples claims that the census ensures that schools have enough teachers. Huh? The census is conducted every 10 years. Kids who were born in 2001 are already 9 years old and have been in school for over 4 years. The census doesn't tell schools how many students they will have. Instead, the number of students is known because households pay taxes to their school districts (number of potential families), hospitals track birth records (how many new students), real-estate sales track the number of incoming and outgoing households, and most importantly: school districts know that if they have x students this year, then they will likely have x students next year. There is always a little fluctuation, but it isn't in the hundreds of students between years.

The census may tell congress how to allocate funds for schools, but it isn't the only method. Congress knows where the money should be spent because they get annual numbers from the individual states. Using the census to identify teacher shortages? That sounds bogus to me.

Taking the High Road

Another commercial says that the census will help cities determine which roads to fix. Again: the census is taken every 10 years. In less than 10 years, unfixed potholes can consume cars. And city planners already know where the traffic problems are. For example, when my city installed a traffic light for my neighborhood, they didn't wait 10 years. Instead, the city measured the traffic (those rubber hoses that go across the street). They looked at the traffic volume and installed a light -- less than two years. Saying that the census helps cities fix roads is bogus.

Unequal

The census is required by law. However, laws are supposed to be applied equally. With the census, most people get the short form but a few get the long form. You are legally required to complete whatever form you receive. While I can certainly understand and agree with the use of a statistical sample for more detailed information, this isn't applying the law equally. If it were equal, then everyone would receive the same form.

I also have to wonder why my form asked for (1) my name, (2) my age, and (3) am I Hispanic? Is there some particular reason why Hispanics are called out in the census and other ethnic backgrounds are not?

Almost Private

The 2010 Census says that the information provided "is protected by law". But what does that really mean? If you assumed that the information will be kept private, then you are grossly mistaken. The census will likely release a summary of names and potentially identifiable metrics within a year. (If your parents gave you a unique name, then you have no privacy.) The full details of the information provided today will become public record in 72 years.

All In The Family

So ignoring all of the issues about inequality, bogus claims of relevancy, and untrue privacy claims... what does the census provide? If you are into genealogy then the census is a goldmine. It is one of the few sets of records that document families in the United States. Today, there are many records that track families, but few are official, government, public records. And even fewer are all located in one convenient location.

However, there are some serious limitations. For example, many marriages and cohabitation relationships last less than 10 years. Those will be completely missed by the census. Better resources for tracking people are available than any snapshot that the census provides. Today there are so many different documents tracking people that data mining the records is much more valuable than the census records.

As a valuable resource, I have my serious doubts about today's census. I mean, seriously, what value does it provide? As I previously mentioned, the census is slow, expensive, and inaccurate. While it was a great idea 100 years ago, today it just seems to be a waste of taxpayer money.

Anti Social Networking
Thursday, March 18, 2010
One of my coworkers attended a productivity presentation a few months ago. This person came back fully convinced that Facebook, Yahoo!Mail, and other social networking sites were primary causes of procrastination. At this person's request, I created a bunch of firewall rules. The rules blocked access to these social sites during business hours. Access is granted outside work hours, from 4:00pm to 8:00am. I also permitted access during lunch (11:30 - 1:00) and on weekends. But access is blocked all other times.
My coworker has been thrilled with the results. By blocking access to social networking sites during office hours, my addicted coworker is forced to focus on the task at hand.

Working Smarter

I have many different filtering rules in place. For example, the local DNS server intercepts requests for domains associated with pop-up marketing sites and malware. My router blocks other sites that are frequently used for banner ads. The result is that web pages load significantly faster if you don't have to wait for ads.

Another great time saver is the NoScript plugin for Firefox. Most flash, javascript, and ads on sites are not needed. If the site requires it, then you can always add that specific site to the whitelist. It takes seconds to permit sites, and by not adding in things like Google Analytics, banner ads, and quick-links for posting to Digg, Facebook, and ReddIt, most sites load almost immediately.

As a side-effect of NoScript, phishing sites are no longer an issue. Your bank should be in your NoScript white-list, but phishing sites are not. One of my associates actually remarked that NoScript saved them from compromising their bank account. "Why doesn't my bank's page look right? Why is NoScript blocking my bank? Oh! It isn't the correct URL!" I can only wonder -- how many malware sites have been blocked over the years because NoScript wouldn't load that portion of the page?

Time's Up!

Unfortunately, this week I've received a number of complaints about the router's configuration. "It's 11:45 and I can't get to my Facebook page!" (The sign of a true addict. Remember: my coworker asked for the router block; I didn't impose it without permission.)

The problem turned out to be related to the router itself. You see, the date when Daylight Saving Time occurs changed in 2007. Unfortunately the router, a D-Link DI-604, has no means for updating when DST occurs. The clock was off by an hour. Making matters worse, the DI-604 is no longer supported by D-Link; they dropped support in 2008, before fixing the timezone information. We didn't notice this earlier because we had not used time-sensitive router rules before.

My solution? I changed the timezone on the router (was MST, now CST). Now, I just need to remember to set the router's timezone whenever DST rolls around. That's going to be easier than waiting for my coworker to overcome a serious Facebook addiction.
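The schedule from this post, and the one-hour skew that a router with a stale DST table introduces, modelled in Python as an added example (this is not the blog's router configuration, and the DI-604 has no such scripting). The blocked windows, the MST/CST offsets and the post-2007 US DST rule come from the post and from public fact; the sample instants are constructed for the demonstration.

```python
"""Time-window blocking policy, with the DST skew the post describes.

Added example, not the blog's own router configuration. It models the rule
set from the post (social sites blocked Mon-Fri during office hours, open
4:00pm-8:00am, over lunch 11:30-1:00 and on weekends) and shows what a
router whose clock is stuck on a fixed UTC offset does to that schedule.
The sample instants used below are constructed for the demonstration.
"""
from datetime import date, datetime, time, timedelta

# Windows during which social sites are BLOCKED (wall-clock time, Mon-Fri).
# Everything outside these windows, and all of Saturday/Sunday, is open.
BLOCKED_WINDOWS = [
    (time(8, 0), time(11, 30)),   # morning work block
    (time(13, 0), time(16, 0)),   # afternoon work block
]
WORKDAYS = range(5)              # Monday=0 .. Friday=4

MOUNTAIN_STD = -7                # MST is UTC-7 (MDT is UTC-6)
CENTRAL_STD = -6                 # CST is UTC-6


def is_blocked(wall: datetime) -> bool:
    """True if the policy blocks social sites at this wall-clock time."""
    if wall.weekday() not in WORKDAYS:
        return False
    now = wall.time()
    return any(start <= now < end for start, end in BLOCKED_WINDOWS)


def nth_sunday(year: int, month: int, n: int) -> date:
    """The n-th Sunday of the given month."""
    first = date(year, month, 1)
    days_to_sunday = (6 - first.weekday()) % 7
    return first + timedelta(days=days_to_sunday + 7 * (n - 1))


def us_dst_active(standard: datetime) -> bool:
    """US DST rule in force since 2007, evaluated on *standard* local time:
    starts the second Sunday in March at 02:00 and ends the first Sunday in
    November at 02:00 DST, which is 01:00 standard time."""
    start = datetime.combine(nth_sunday(standard.year, 3, 2), time(2, 0))
    end = datetime.combine(nth_sunday(standard.year, 11, 1), time(1, 0))
    return start <= standard < end


def wall_clock(utc: datetime, std_offset_hours: int, follows_dst: bool) -> datetime:
    """Wall-clock reading of a clock kept at the given standard offset.

    follows_dst=False models the DI-604 case: a device that cannot learn the
    2007 rule change and so effectively keeps a fixed offset all year.
    """
    standard = utc + timedelta(hours=std_offset_hours)
    if follows_dst and us_dst_active(standard):
        return standard + timedelta(hours=1)
    return standard


def compare(utc_iso: str, router_std_offset: int) -> dict:
    """Intended decision (Mountain time, DST-aware) versus what a router
    keeping a fixed offset actually enforces at the same UTC instant."""
    utc = datetime.fromisoformat(utc_iso)
    return {
        "intended": is_blocked(wall_clock(utc, MOUNTAIN_STD, True)),
        "router": is_blocked(wall_clock(utc, router_std_offset, False)),
    }


if __name__ == "__main__":
    # Constructed instant: Thu 2010-03-18 11:45 MDT (lunch) == 17:45 UTC.
    # DST began on 14 March, so a router still on fixed MST reads 10:45 and
    # blocks a lunch-hour request that the policy meant to allow.
    print("fixed MST at lunch:", compare("2010-03-18T17:45", MOUNTAIN_STD))
    # The post's workaround: set the router to CST, which matches MDT in summer.
    print("fixed CST at lunch:", compare("2010-03-18T17:45", CENTRAL_STD))
    # Constructed instant: Thu 2010-12-16 15:30 MST == 22:30 UTC. The CST
    # workaround now runs an hour fast and opens the afternoon block early.
    print("fixed CST in winter:", compare("2010-12-16T22:30", CENTRAL_STD))
```

The winter case is why the workaround has to be redone every time DST rolls around: a fixed CST offset is only correct while Mountain time is on MDT. The same pitfall exists on Linux firewalls: the iptables time match (`-m time --timestart/--timestop/--weekdays`) evaluates against UTC unless `--kerneltz` is given, so a schedule written in wall-clock terms silently shifts by an hour twice a year if that flag is omitted.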