I frequently find myself attached to some public wifi hotspot trying to get work done, and while I try to make most of my connections via secure methods (e.g., all my email takes place over encrypted connections), most of my web surfing takes place in cleartext. Occasionally, I’ll read some weblog post about the various hosted VPN services and think that I should just use one of them, but never really get around to it. This week, I finally bit the bullet… but rather than subscribing to one of the services, I just set up my own VPN server at home to use.

I have a Linux machine in my home network, and I flirted with the idea of installing OpenVPN on it and using that as my server, but due to a few weird complexities in where that machine sits on my network, that wasn’t the most appetizing idea to me. It was then that I wondered whether someone had built a VMware virtual appliance with OpenVPN support, and it turns out that PhoneHome was just the ticket I was looking for. On my home Windows 2003 Server box, I started that puppy up in VMware Player; it took about a half-hour’s worth of tweaking to get it set up just perfectly for me, and another half-hour to get my home firewall (well, really a Cisco router with a detailed set of access rules) set up to play nicely with the server. Now, I have an easy-to-run, easy-to-connect-to VPN server that allows me to have a secure connection no matter where I am, and that just rocks.

One of the things I was worried about was that the VPN would massively slow down my network connection; between the bottleneck of encrypting all the tunneled traffic and the bottleneck of my home internet connection, I was pretty sure I’d be less than impressed with the speed of an always-on VPN. Surprisingly, the connection is pretty damn fast, though — I appear to have the full speed of my home T1 available to me.

[Image: speed test over VPN]

If anyone’s interested, I’m happy to share details of the changes I made to the PhoneHome VMware appliance, and any other info you might want.

You might have seen the National Do-Not-Call Registry popping back up in the press recently — since the Federal Trade Commission opened the list in 2003, and numbers registered on the list expire after five years, there are a ton of numbers that’ll fall off the list next year unless people go and re-register them.

I discovered one annoying gotcha, though, related to how the FTC set up the online system for registering numbers and reporting violations of the list. Consider the following three bits of info:

  • the online system doesn’t make any distinction between registering a number on the list and re-registering a number that’s already on the list;
  • the law gives telemarketers a 31-day window to continue to call people after listing their numbers;
  • the online system doesn’t let you report a company’s violation of the registry if you’re within the 31-day window.

What that means is that even if you’ve had your number on the list for years, if you re-register it, you’ll start a 31-day clock where you can’t report any violations. It’s pretty annoying, actually — but of course, it’s certainly not a reason you should avoid making sure your numbers don’t fall off the do-not-call list.

Up until now, one of the larger reasons why I haven’t been too keen on Apple’s iPhone is that it’s locked to AT&T Wireless service, and in general, I’m a believer in the argument that AT&T is one of the more loathsome companies out there — the company has cooperated with the NSA, the RIAA and the MPAA to invade the privacy of its customers, it continues to charge iPhone users a $175 early-termination fee for canceling their contracts despite the fact that those users paid full-price for their phones (and thus, no argument about repaying them for a subsidized phone exists), and despite clear rulings that say it has to offer $10 DSL in certain markets, AT&T is doing everything it can to mislead consumers, bury the existence of the option, and generally obstruct people from signing up for the plan. Thus, when reasonable alternatives exist, I generally like to take them, and for that reason (and a few others), Shannon and I have remained Verizon Wireless customers. (Note that I’m not saying VZW is the paragon of greatness — but up until now, I’ve been pretty satisfied that the company’s efforts to screw me aren’t above the norm that we’ve come to expect in the cellphone industry.)

However, over the past week or two, bits of info have come out that might force me to rethink things a bit. First, I got a notice in the mail two weeks ago to let me know that Verizon wanted to share my personal info and calling habits with “authorized companies”, and that if I wished to prevent this, I had to call them and opt out of their plans. That was a little annoying. (Consumerist mentioned the notice in mid-September.) Then today, the Washington Post reported that Verizon has been turning over calling records to federal authorities without warrants for years, claiming that it doesn’t investigate the “legality or necessity” of the requests, because “to do so would slow efforts to save lives in criminal investigations.” While I understand the sentiment, I’m somewhat aghast at this — if Verizon really claims that it sees no need to evaluate whether a request to share its customers’ information is valid and legal, then I’m not sure I have a need to give them my money.

Unfortunately, though, with every day’s news it becomes clearer that all of the various telecom companies are both doing everything they can to screw their customers and get as cozy with federal law enforcement officials as they can. Thus, I’m not sure that privacy concerns constitute a reason to rethink a telecom choice anymore… food for thought, indeed.

Shannon and I have seen the TV ad for LifeLock a few times this weekend; it’s the piece where CEO Todd Davis shows his Social Security number all over the place, and then reveals that the only reason he’s comfortable doing so is because of his ultimate faith in his company’s ability to prevent its customers’ identities from being stolen. Of course, the ad made me curious enough to see whether his gambit has paid off — and unsurprisingly, it looks like someone succeeded in impersonating Davis and getting an online loan. Better still, Davis then coerced a confession out of the alleged identity thief, so Fort Worth police had to drop all charges against the guy and the district attorneys aren’t going to pursue prosecution. And the icing on the cake is that LifeLock’s co-founder, Robert Maynard, Jr., seems to be an identity thief himself, and was forced to resign his role at the company amid the allegations.

You can’t make this stuff up.

A few short takes:

  • Michael Lopp, the man behind the weblog Rands in Repose, has the computer monitor setup I can only dream about. That’s a 30-inch Cinema Display on the left, and a 20-inch Cinema Display — turned vertically — on the right… all I can say is wow. Maybe if I lead a good, clean life from here on out…
  • I’m generally not the largest fan of Walt Mossberg’s, but he’s dead-on in his evaluation of today’s typical first-run experience on new Windows PCs. It literally takes hours to wade through all the crapware that manufacturers load onto a new PC these days, getting rid of trialware and all the other useless dreck that comes along for the ride; it’s one of the biggest differences between the first-run experiences on PCs and on Macs.
  • Mostly as a bookmark for myself: here’s how you tell your Mac to stop creating the annoying .DS_Store files on Windows file shares. Damn, these are one of the more irritating things that come part and parcel with using Macs in a Windows networked environment…
  • ImgRed.com, a new “service” that claims to provide a good cache for images you’d like to link to on the web, has collected a good number of links over the past few days; I’d love to know what their privacy policy is, though, and how the service plans to give webmasters the ability to prevent caching of images on a given site (since it’s fundamentally a whopping copyright violation in the making).

There’s been a bit of press given lately to Amazon Unbox, the internet behemoth’s move into the video download business, and I’d imagine that between it and Apple, the online video market is going to explode over the coming months. It’s for that reason that I’m grateful to people like Cory Doctorow, who put quite a bit of effort in Friday explaining how godawful the terms of service are for Amazon Unbox, and why people should treat the new service as they would an ebola-infected colony of monkeys. Summarizing any of the salient points of Cory’s analysis doesn’t do the whole thing justice; suffice it to say that the terms of service dictate when and where you’re allowed to watch any downloaded videos, prevent you from deciding how and when Amazon’s software runs on your computer and updates itself, and prevent you from recourse if and when Amazon decides that you’re no longer allowed to watch the things you’ve paid for and downloaded. If you had to find a single pullquote from the piece, this is it:

So this is just like renting a movie from Blockbuster, except that while you can give your Blockbuster movies to your boyfriend to watch after you’re done with them, these movies are only for you. Oh, and they cost more. Oh, and you have to pay for the bandwidth to transfer them to your home. Oh, and you have to wait for them to download. Oh, and you have to let them invade your privacy.

Given that Amazon has precious little independent interest in enforcing most of the restrictions placed on users by the terms of service, it becomes clear that what’s being enforced are the desires of content producers like the MPAA, and by using a service agreement, the whole setup avoids the need for an actual legal basis for the demands placed on Unbox users. Most of my tens of readers know that I’m not one to tilt towards tin-foil-hat conspiracy land — the terms of service for Amazon Unbox are purely awful, and I couldn’t recommend more strongly that people find another way to spend their entertainment money.

Now seems as good a time as any to dump a few links here that have accumulated in tabs in my browser over yesterday and today:

  • Michael Bronner has a fantastic article over at Vanity Fair’s website that uses the recordings of NORAD’s efforts the morning of 9/11 to paint the picture of just how unprepared our country was to deal with the attacks, and how chaotic the information flow was as it reached from the trenches up to those invested in protecting the airspace of the East coast. I guess it doesn’t surprise me how difficult it was for the commander of the Northeast Air Defense Sector to get reliable information that morning, but it’s astounding nonetheless, and in all honesty it serves as a potent argument for the creation of the Department of Homeland Security, and the establishment of clear and decisive plans for dealing with crises on the scale of 9/11.
  • Pamela Colloff has an equally fantastic article in the latest Texas Monthly about Charles Whitman’s massacre from the top of the University of Texas Tower 40 years ago yesterday, an article that’s almost entirely told through the first-person words of people who were in the thick of it. It’s a very moving piece, and gives a voice to how shocking the event was at the time, and how different the immediate police response was in 1966 than it’d be in 2006. (via MetaFilter, which has a bunch more links to related info)
  • Dahlia Lithwick took a look this past weekend at privacy rights in the age of weblogs, using the affair between Robert Steinbuch and Jessica Cutler (the skanky ex-Capitol Hill assistant who was once better-known as Washingtonienne) as her focal point. I’m not sure if this is the first time, but I found myself disagreeing with Lithwick’s final point, that Cutler’s exposition of the affair on her weblog might have violated Steinbuch’s privacy. It seems to me that a person has every right (absent a specific contract to the contrary) to talk about that which is going on in his or her own life; it’s not like Cutler was passing on a rumor of someone else’s affair, she was talking about her own sexcapades.
  • In August of 1958, young and new-to-the-business photographer Art Kane was tasked by Esquire Magazine with taking a photo to illustrate an article about jazz. He wasn’t entirely sure how best to approach the assignment, so he started out by doing something I’m sure he felt would be a failure: he contacted as many major New York City jazz musicians as he could, and asked if they would meet on 126th Street at 10 o’clock in the morning. Much to his surprise, 57 of them showed up, leading to one of the most amazing photos I’ve ever seen. My favorite bit of the photo is the lower right corner, in which Dizzy Gillespie’s goofing off caused Roy Eldridge to turn around just as the image was captured. (via kottke)

And today, TPM Muckraker presents a big, huge, gargantuan reason why it should now be obvious how foolish it was that Congress was willing to allow U.S. Attorney General Alberto Gonzales to testify about the NSA wiretapping policy without having to be sworn to an oath of truthfulness. From details that are now leaking out of the NSA like a sieve, it turns out Gonzales was lying the whole time.

It’s particularly saddening to note that this news hit on the same day we’ve learned that our Department of Justice has dropped its investigation into the NSA wiretapping program because the government refuses to grant high-enough security clearances to the DOJ lawyers. It’s fascinating, really — we now have a government which has implemented programs in direct contravention of the rule of law, and is willing to use its ability to grant or deny security clearances as a way to prevent a lawsuit into that program. Exactly how far does this all have to go before the other branches of government put their collective feet down and say that this has clearly crossed the line?

There are times when I’m disappointed in our nation’s leadership, and then times when I wonder how we, as citizens, can allow our current batch of leaders to remain in office for even one second longer. Today is one of the latter times, specifically after reading that Bill Frist has threatened to restructure the Senate Intelligence Committee if it deigns to vote to hold hearings on the Administration’s use of warrantless wiretaps. The Intelligence Committee has been unique since its inception in that the rules establish a much more balanced distribution of power between the two political parties, all in the name of establishing as nonpartisan oversight as possible of our government’s intelligence activities. In a letter yesterday to Harry Reid, the Minority Leader of the Senate, Frist threatened to rewrite those rules to prevent the investigation of Bush’s eavesdropping policy:

If we are unable to reach agreement, I believe we must consider other options to improve the Committee’s oversight capabilities, to include restructuring the Committee so that it is organized and operated like most Senate committees.

To me, this feels like another example of our current ruling party changing the rules to better allow their continued lawless and unethical ways. From mid-decade redistricting in Texas to protecting Tom Delay by changing the House ethics rules to redefining such basic notions as who is a prisoner and what comprises torture, the Republican party is showing that it’s willing to do literally anything it can get away with to perpetuate its goals. You’d figure that with Bush’s approval ratings swimming in the sewer, there would be more of an effort within the party’s ranks to behave better, but I guess that there are some addictions that are too difficult to give up cold-turkey.

Does anyone remember ChoicePoint, the data warehousing company that gave criminals access to the personal data of over 150,000 U.S. consumers back in 2004? When the story broke about a year ago, I made note of how ChoicePoint itself actually had been part and parcel of the problem, and lamented the way in which the media was portraying ChoicePoint as a victim rather than as a participant in the destruction of privacy. In light of that, I’m superbly happy to see that the Federal Trade Commission agreed with me today, fining ChoicePoint $10 million and noting that the firm had failed to tighten its internal security despite specific federal warnings going back as far as 2001. The firm also has to pay $5 million into a consumer redress fund, establish comprehensive information security programs, and submit to biennial security audits through the year 2026. (Of course, ChoicePoint netted $147 million in 2004, so part of me would have loved to see even steeper fines; that would have been as clear a message as possible that putting American consumers’ personal data at risk is a corporate practice that will effectively lead to the end of your corporation.)

Oh, great — two more government agencies appear to have been lapping at the warrantless search bowl for the past three years. According to David Kaplan over at U.S. News and World Report, the FBI and the Department of Energy have been performing radiation monitoring at over one hundred sites in and around the Washington, D.C. area, in many cases going onto private property without warrants in order to set up the surveillance equipment. It also looks like, at times, they’ve extended the program into Chicago, Detroit, Las Vegas, New York, and Seattle, and that many of the people who have been caught up in the surveillance have been U.S. citizens.

Seriously, what does it take for the people of this country to start caring about how power-hungry our government has become?

Since I pointed yesterday to Bruce Schneier’s piece on Bush’s use of the NSA for domestic spying, I’d be remiss if I didn’t also send you his way to read today’s piece on what the spying means for privacy rights, and for the idea of Presidential power. It feels to me like nobody’s stated the issues more clearly and forcefully:

The result is that the president’s wartime powers, with its armies, battles, victories, and congressional declarations, now extend to the rhetorical “War on Terror”: a war with no fronts, no boundaries, no opposing army, and — most ominously — no knowable “victory.” Investigations, arrests and trials are not tools of war. But according to the Yoo memo, the president can define war however he chooses, and remain “at war” for as long as he chooses.

This is indefinite dictatorial power. And I don’t use that term lightly; the very definition of a dictatorship is a system that puts a ruler above the law. In the weeks after 9/11, while America and the world were grieving, Bush built a legal rationale for a dictatorship. Then he immediately started using it to avoid the law.

This is, fundamentally, why this issue crossed political lines in Congress. If the president can ignore laws regulating surveillance and wiretapping, why is Congress bothering to debate reauthorizing certain provisions of the Patriot Act? Any debate over laws is predicated on the belief that the executive branch will follow the law.

Schneier’s piece is chock-full of legal analysis and precedent that demonstrates how illegal the wiretapping efforts of the Bush Administration are, and provides tons of links to other peoples’ analysis of the program and the Administration’s stated justifications for it. One link, to Scott Rosenberg’s view over at Salon, is also worth a read, for the first postscript as much as for the rest of it.

Add my voice to the chorus recommending that everyone read Bruce Schneier’s essay about the Bush Administration’s illegal use of the National Security Agency for domestic wiretapping. If you haven’t been keeping up to speed on this story in the past week, Schneier’s piece will catch you up, and help you understand how far across the line the Bush Administration has strayed.

Wow, Friendster just violated their own Privacy Policy and gave my email address out to a third party for use in administering a survey. How do I know it was them? Here’s the story.

The Pittsburgh Post-Gazette has a great profile of John Gilmore, as well as the fight he’s taken up against the government’s requirements to show ID before boarding planes. It’s a more in-depth and balanced piece than the others I’ve come across, well worth the read.

I’m so freaking sick of today’s headlines claiming that “hackers” somehow broke into ChoicePoint’s (obscenely comprehensive) consumer databases and obtained information which allowed them to then steal people’s identities. This is a story that’s been discussed on Dave Farber’s Interesting People mailing list since yesterday, and the truth of the matter — reported correctly only by MSNBC thus far — is that a group of criminals managed to create fake businesses and then set up entirely valid accounts with ChoicePoint in the name of those businesses, and then obtained the information about consumers via those accounts.

Notice the difference? If it’s reported that nefarious hackers broke into ChoicePoint and stole the data, then ChoicePoint comes out looking like a victim. On the other hand, if it’s reported that the failure was in ChoicePoint’s internal mechanisms for verifying the validity of an account application, the existence of the company behind that application, and the right of that company to obtain credit information, then ChoicePoint is revealed as a remarkably large part of the problem. Add to that the fact that ChoicePoint is only notifying consumers in the one state that requires them to (hell, there isn’t even a note about it on the company’s news release page), and doing so four months after they sold consumer data to criminals, and the story truly does take on a different character.

As soon as my TiVo downloaded the latest operating system and enabled TiVoToGo, I downloaded the trial version of Sonic’s MyDVD that includes support for burning the TiVo files to DVDs. For the most part, the software worked — despite an incredibly slow transcoding process, out of the ten or twenty shows that I tried to burn to disc, only two or three of them failed. (I wasn’t ever able to get MyDVD to burn non-TiVo videos to disc reliably, but that’s another story entirely.) All in all, I’d have to say that at the end of my trial period (last week), I was just where Sonic wanted me — ready to send them money to buy the full version of MyDVD.

Alas, that’s when I started reading the TiVo Community forums, and came across a post that described someone’s experience with what happens when a computer’s clock accidentally gets changed during a MyDVD trial period. After resetting the clock to the correct date, MyDVD still wouldn’t work; uninstalling and reinstalling it didn’t fix the problem either, and Sonic didn’t reply to requests for help. In the thread, someone mentioned that installing MyDVD created a few registry keys and directories on their computer that referenced “PACE Anti-Piracy,” and I filed that little fact away to look into later, before deciding whether I’d buy the software.

Today’s when I looked into it, and I’d have to say it’s opened my eyes a little bit. It turns out PACE Anti-Piracy is a company that develops applications which can enforce trial periods and other restrictions on downloaded software. That’s all fine — companies should be able to release trial-period software without knowing that they’re going to lose business to people who figure out how to get around the restriction — but it also turns out that PACE does a bit more. According to this page by an end-user and PACE’s own documentation (PDF file), the software installs a kernel-level driver onto your Windows machine, does its best to blend into the woodwork (the device driver is named “TPKD”, the support files get buried in a common-apps directory, and at no point in its process of validating a trial period does it display its name or other information to the user), and uses some method of compiling unique information about your computer in order to do its anti-piracy thing. And there’s no obvious way to get the PACE Anti-Piracy software off of your computer once it’s there.

So in this specific case, I installed MyDVD and had no idea that I was also installing another company’s application that includes a kernel-level driver and doesn’t include any mechanism for uninstallation. The MyDVD website omits this fact, as does the email that I received with my trial serial number and the clickwrap license to which I had to agree during the installation. Hell, even the Sonic privacy policy talks about their use of updater software that sends out information about your computer, but is silent on the fact that they also install another company’s apps alongside their own that could be doing pretty much anything. (Where I come from, they call that spyware.) This all doesn’t sit well with me; I guess I’ve swung from being a ready, willing Sonic customer to being a person who’s unlikely to spend any money at all with the company unless they clean up their process of giving customers complete information.
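If you want to check a Windows box for this kind of silently bundled component, here’s a PowerShell inventory script I’ve added for this page; it’s not code from the post, from Sonic or from PACE. The only facts it takes from the post are the driver name “TPKD”, the “PACE Anti-Piracy” string seen in registry keys, and the claim that support files land in a common-apps directory. Everything else is an assumption about where such components normally show up on Windows: a driver appears as a service entry under HKLM\SYSTEM\CurrentControlSet\Services, vendor strings may appear under HKLM\SOFTWARE, “common-apps” is read as the CommonApplicationData folder, and an installed product that offers removal has an entry under the Uninstall keys.

```powershell
# Added example (not from the original post): inventory a Windows machine for a
# silently bundled kernel driver and its support files, using the names the post
# reports. Locations are assumptions about where such components normally land.
# Run in an elevated PowerShell session; adjust the two variables for other cases.

$DriverName   = 'TPKD'                # driver/service name named in the post
$VendorString = 'PACE Anti-Piracy'    # string the forum poster saw in registry keys
$findings     = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. Service entry (assumed location). Type 1 = SERVICE_KERNEL_DRIVER;
#    Start 0..4 = boot / system / auto / manual / disabled.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    Add-Finding 'ServiceKey' $svcKey ("Type={0} Start={1} ImagePath={2}" -f $svc.Type, $svc.Start, $svc.ImagePath)

    # Resolve the binary and check who signed it; an unsigned kernel driver, or one
    # signed by a vendor you never agreed to install, is the first thing to escalate.
    $image = [string]$svc.ImagePath
    $image = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($image)) { $image = Join-Path $env:SystemRoot $image }
    if (Test-Path $image) {
        $sig = Get-AuthenticodeSignature -FilePath $image
        Add-Finding 'DriverBinary' $image ("Signature={0} Signer={1}" -f $sig.Status, $sig.SignerCertificate.Subject)
    } else {
        Add-Finding 'DriverBinary' $image 'Binary referenced by ImagePath not found'
    }
}

# 2. Is the driver loaded right now, regardless of what the registry says?
$live = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'"
foreach ($d in $live) {
    Add-Finding 'LoadedDriver' $d.PathName ("State={0} StartMode={1}" -f $d.State, $d.StartMode)
}

# 3. Registry keys whose name carries the vendor string (HKLM\SOFTWARE incl. Wow6432Node).
Get-ChildItem -Path 'HKLM:\SOFTWARE' -Recurse -Depth 3 -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like "*$VendorString*" } |
    ForEach-Object { Add-Finding 'RegistryKey' $_.Name 'Key name matches vendor string' }

# 4. Support files dropped into the shared application-data folder (assumed to be
#    the "common-apps directory" the post mentions).
$commonAppData = [Environment]::GetFolderPath('CommonApplicationData')
Get-ChildItem -Path $commonAppData -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*PACE*' } |
    ForEach-Object { Add-Finding 'Directory' $_.FullName ("Modified {0:u}" -f $_.LastWriteTime) }

# 5. Does it offer an uninstaller? The post reports none; confirm via the Uninstall keys.
$uninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$uninstallHits = Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Get-ItemProperty |
    Where-Object { $_.DisplayName -like '*PACE*' }
if ($uninstallHits) {
    foreach ($u in $uninstallHits) { Add-Finding 'Uninstaller' $u.DisplayName $u.UninstallString }
} elseif ($findings.Count -gt 0) {
    Add-Finding 'Uninstaller' '(none)' 'Components present but no Add/Remove Programs entry'
}

# 6. Report. A component that shows up here but in no installer dialog, license
#    text, or Add/Remove Programs entry is exactly the undisclosed install described.
if ($findings.Count -eq 0) {
    Write-Output "No trace of '$DriverName' or '$VendorString' found."
} else {
    $findings | Format-Table -AutoSize
}
```

The signature check in step 1 is the part worth keeping even if you never meet this particular product: a kernel driver runs with full system privileges, so the signer of any driver you didn’t knowingly install should be identified before you decide whether the machine is still trustworthy.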

While checking in for his flight from London’s Gatwick Airport to Dallas-Fort Worth, Cory Doctorow found himself asked for a list of the names and addresses of every single person with whom he’d be staying in the U.S., a request which was explained as the result of some unnamed security regulation. He asked for escalating levels of detail about the unusual request, to much confusion, and eventually was told that his Platinum AAdvantage cardholder status absolved him of any requirement to provide the list. (That last part is the oddest to me — could there really be TSA directives that are as specific as making exceptions for people who are members of the elite frequent-flyer programs? If so, can AAirpass members expect to have a certain amount of suspicious information ignored given their contribution to the business of air flight?)

It frightens me how much about air travel is now dictated by some functionary’s proclamation that an odd rule or occurrence is the result of heightened security. (My own, way less-significant, example: last month, Shannon and I were unable to check in online for the return leg of a flight for which online check-in for the first leg hadn’t been a problem. When I called to ask why, I was told that the representative didn’t have a definite answer, but that it was very likely to be security-related. It was clear that that statement ended the conversation, and ended any inquiry into whether there could actually be a problem with the online check-in system.) It’s all just so silly; I hope that, at a minimum, John Gilmore’s case ends up forcing a greater deal of transparency upon the security-related apparatus that has grown so prominent over the past four years.