Wednesday, December 22, 2010

Tutorial: PC Security, Revisited

Now that the Christmas shopping season is in full swing, most of us are going to shop online at some point or another.  Some of us may even buy a new computer, too.  The blogs and pundits are abuzz about computer security with a lot of talk about password management. Password management is just one aspect of security. Today, we’re going to review security as layers of protection rather than attempting to use just one solution for protection.  The ideas I will present here will show how to provide a decent gauntlet for security threats before they can take over a computer.

A little history about me is in order here. I have had the opportunity to watch the Internet grow from the early days in 1991. I got my first email address that year with a BBS (Bulletin Board System) called the 0x0 Republic. With my first email correspondence, I was fascinated with the notion that I could exchange emails with someone across the world. Maybe more than a few of you are old enough to remember those days of the BBS, Compuserve and the 14.4k Modem.

Back then, I had a humble Commodore Amiga 500 computer. No, it didn't run MS-DOS, it ran the AmigaDOS. As you can see from the screenshot for the Amiga 500 in the preceding link, this computer didn't run Windows, either. The AmigaOS borrowed many ideas from UNIX, allowing the use of a command line or windows and icons for operation of the computer. Their user interface was very advanced compared to the Mac and the PC at the time. Unfortunately, through their own management errors, Commodore eventually went into bankruptcy.

Around the time that I was an Amiga user, computer security wasn't really an issue for consumers like it is now. Most personal computers were still single user, general purpose computers and apparently, only a few people bothered to write a virus for the Amiga. Back then, very few people even connected their home computer to another network let alone the Internet.  I can remember reading about the Ethernet connection and wanting to know how I could get one for my computer.  Commodore was a very proprietary company and that made it hard to find a standardized component that would connect my computer to the Ethernet, whatever that was.

Eventually I got an Apple PowerBook 140b. It was with this computer that I first got a taste of the World Wide Web around 1994-5. It was a slow, stodgy, black and white experience, built onto a dial-up connection. But it was enough for me to do my research at the time. Back then, Alta Vista was the search engine of choice and they were considered to be the fastest search engine of the time.

In 1997 I got my first Windows laptop in 1997. I can remember shopping for Windows software for the first time and laughed when I realized what I had been missing while working on the Mac. I found a nice dialup ISP to work with, too. From there, I started to really get a sense of what could be found on the Internet. For years, I went without antivirus, not completely oblivious to the dangers - but just being careful not to open attachments from strangers.

In 1999, I got a computer with Windows 2000 Professional. Around that time I had moved into a place with cable access to the Internet. I went from a 56k modem to 1.5 Mbs in speed. I had taken some classes on Windows and learned something about the security built into it. I started to read the tech news every day and noticed that more and more, viruses and trojans were making the news. So I got some Antivirus software.

I started out with Norton Antivirus and eventually moved on to ESET's NOD32. While working with the antivirus software, I remembered something that my Dad taught me in terms of strategy: no defense can anticipate all attacks. So I started collecting tools and programs in an effort to build a secure environment for myself.  This combination of software tools is what I'd like to share with you. It is built from years of experience and through more than 14 years of running Windows. Because of this training, learning and vigilance, I've only had to rebuild a computer once due to a virus.  

Keep in mind also, that no software can stop you from doing something that you know you shouldn’t do. If you open an email attachment from someone you don't know, you're only asking for trouble. If you click on a link in a spam message that takes you to a site harbouring malicious software, your computer is likely to be toast, even with the best defense available.  Such a site is just waiting for you, and the authors of the site have anticipated the most likely defenses your machine will offer.  So let’s look at the layers of defense you can use to protect your computer.  

First and foremost, if you're running Windows, you're likely to be running as an administrator. An administrator account can do *anything* to your computer, and that includes damaging it. On the other hand, you can also use a "limited" account (XP/Vista) or “standard” account (Windows 7). This is a regular user account that can do very little, if any damage to the computer. To put it simply, admin accounts should only be used for maintenance, upgrades and software installation/removal. Limited user accounts should be used for everything else. A limited user can be used for your daily computing tasks like web browsing, email, playing games, writing correspondence, online banking, etc.

You’re probably asking why you didn’t know about the difference between accounts. Microsoft has slowly but surely been improving the way they educate their users.  However, Microsoft still tends to favor convenience over security and so they tend to leave that part about administrator rights in the education they provide to users.  

It all starts when you booted your computer for the first time.  When you start Windows up for the first time, you're prompted to provide at least one user name and additional names for other people who might use the computer.  You will also be given an option to create passwords for each of these users.   Neither Windows XP, Vista or 7 give you much of an explanation for the differences in user accounts, either. So, unless you're informed, you create one or more admin accounts to use on your computer.  Most people run with the original account that they created from that first day that they started using their computer. Many of them set up that one account to automatically login without any password security. And most of them are hardly aware of the dangers of using that account.

As a rule, you should never be running as admin unless you need to install a printer, software, remove software and the like. For anything else, operate your computer as a limited user. To put this in perspective, analysts estimate that more than 95% of the problems with Windows security goes away if you're not running as admin.

The reason for this is simple, but not very well understood by the general public. You see, most of the latest viruses and trojans install on your computer silently. Virus writers realize that most people will trash emails with attachments from people they don't know (and even from people they do know if they were not expecting that email). So the virus writers use stealth.

When your computer is being attacked, you will get no clue that new software is being installed - when you are running as an admin. Windows 7 can help this in some ways, but W7 also has a very similar programming philosophy to Windows XP: convenience over safety. Yes, you can still get warnings that software is trying to install, but a determined piece of malware can work around that and trash your computer - if you are running as administrator. You can even turn off the security warnings that you would usually get from Windows if you want to.

After a successful attack, you won't really notice much other than that your computer is running a bit slower - maybe even a lot slower - than before. Malware tends to change the computer for its own benefit at the expense of other functions.  Why is it running slower Because when it’s infected, it’s shipping spam by the thousands, hosting a web site, participating in Denial of Service attacks or even offering up more viruses to other people.

Now if you're running as a non-admin or limited user, and you click on a drive by download, you're going to get a message indicating that “you do not have permission to install this software - please contact your administrator!” If, at this point, you were not planning on installing any new software, it's time to leave quietly and never come back to that site. Ever.

So, if you have not done so already, create another admin account. Be sure to give it a password (and don’t lose that password - you’ll need it later). An admin account with no password is an open target for malware.  Then take the account that you've been using from the beginning and turn it into a limited account.  This way, you’ll still have access to your favorites, all your settings, and your documents. Whenever you need to add something to the computer or to do maintenance, log in to your admin account. For everything else, it's Visa, er, Vista, I limited account.

So that's the first step. Just changing the type of account you use for daily computing is a big step towards preventing infection from a virus or trojan.  Remember, over 95% of the vulnerabilities go away when you’re not running as admin.

Windows Update. Whatever you do, once a week, run Windows Update, or at the very least, run it when you see a Windows Update notification. It’s also very important to run Windows Update on the day they are issued, the first Tuesday of every month.  The reason why is that most malware is designed by reverse engineering the latest updates to find the security holes and then targeting new attacks there. Malware engineers are expecting people to be lazy in running their updates.  Running updates for Windows on a regular basis, (and any other operating system for that matter, including MacOS and Linux) will further limit your chances of infection.  If you see a notification for updates on your computer, it’s time to get them done.

It should be noted that Windows 7 has a couple of new features that I’ve never seen before except in Linux and MacOS.  Windows 7 allows you to send notification to non-administrator users that new updates are available.  This allows standard (or limited) user accounts to see them and install them.  You might recall that in XP, Windows will reveal a little yellow badge with an exclamation point on it in the task bar on the lower right-hand corner of your screen. That is the Windows Update notification.  In XP, that is only revealed to administrators on the computer. With Windows 7, even if you’re not an administrator, you can see that too, if you can set yourself up for it.  And when updates are available, you can install them, too.  With this setup, installing updates is the only administrative task you can do as a non-administrator.

Note also, that on April 8th, 2014, Microsoft will no longer release updates for Windows XP. If you don't want to upgrade to the next version of Windows, consider alternatives like Linux Mint, Ubuntu Gnome and Fedora. They are all much more secure than Windows and they will extend the life of your computer by using fewer resources than Windows did. This is great for your kids' career prospects since Linux skills are still hard to find, and when they don't know much about Linux, it's rather difficult for them to mess up their computer by installing a "happy mouse" program they downloaded from some unscrupulous website.

The nice thing about the Windows update notification for non-admins is that you’re not running as administrator all the time, you’re still notified of updates and you can install them without logging out and logging in as an administrator.  This makes it easier to update your computer, and that means your computer will be kept up to date even when you run on a non-administrator account.

And now for antivirus. This is part of what is known as the Windows Tax. The first part of the Windows Tax is that you pay for the Windows license no matter where you buy your computer, even if you don’t want to use Windows. That is the Microsoft way. Then you pay for the antivirus and other security software. Most good antivirus programs are going to cost $40-60 for the first year, and 20-30 bucks thereafter for maintenance. The best antivirus will do a complete update of signatures without user intervention. Norton Antivirus was not one to do that when I was using it (though it’s been a few years and perhaps things have changed with Norton).  As an alternative, I heartily recommend ESET NOD32 simply because the updates occur automatically without you being an logged in as admin. Version upgrades will require admin access, but that is a fairly rare occurrence (once or twice a year).

I don't recommend Symantec/Norton for a couple of reasons: they are a big, fat, complacent company with a huge market share. Try getting a hold of customer service there and you’ll see what I mean. On the other hand, ESET is hungry for your business. I can easily get a hold of their techs without cycling through their entire music on hold playlist. While their songs are interesting, they’re not compelling, and they do offer good tech support.

Yes, there are others to consider, such as the free version from AVG. But you do, in a sense, get what you pay for. Caveat Emptor.

Remember what I said about how no defense can anticipate all attacks? Well, even NOD32 isn't perfect. So I strongly recommend antispyware as well. SuperAntiSpyware or AdAware are both great products that can find a lot of stuff like cookies that you don’t want on your computer.  Cookies can be used to track your movements around the web and send that information back to the Mother Ship. They make a good complement to your antivirus software.

It's worth noting here, that a fellow IT guy told me the following: ESET (NOD32) recommended SuperAntiSpyware as a complement to their own product. I asked ESET about this by phone and they acknowledged that their product won't catch *everything*. That is a very humble and honest statement to make, and heartening for me to hear. I've had similar experiences first-hand myself, so it's nice to hear it from someone else. That is why I like ESET.

So, we've covered the user accounts, the antivirus and the antispyware. You're also going to want a personal firewall. This is useful for stopping malicious software that is trying to call home, you know, to the Mother Ship. I have experience with two products for this purpose: ZoneAlarm and ESET's Security Suite w/NOD32. They are both highly recommended with full acknowledgement of other products out there.

They both provide security for those loose cannons known as "open ports". You can learn something about this, here. Gibson Research Corporation has helped me to understand the open ports issue and inspired me to try ZoneAlarm. Personal firewalls allow you to see when software is trying to call home and gives you a chance to block transmission of sensitive information back to the Mother Ship!

There's another kind of firewall known as a router. This is a physical firewall device that you will know as a sort of switch that allows you to share the Internet connection with more than one computer. Common brand names for routers include Linksys, Netgear, and D-Link. These are all top brands and they all provide an extra level of security. But that security only works if you enable it and configure it properly.  

You can think of the router as the bouncer.  The router uses a public IP address to connect to the world, and gives all of your computers a private IP address that isn’t recognized by the rest of the world.  The router checks each packet or message that comes to it.  When you click on a link in a web page, a request for information behind the link is sent to the inside port of the router.  The router inspects the message, notes it’s destination and then waits for information to come back.  The router then sends the message out to the destination server, which then responds by sending information back to you, through your router.  The router checks to see if the information is “invited”.  If that information is not on the list, it’s not getting in.  But if you made a request for the information, the router will let it in.  That’s what a bouncer is supposed to do.

All routers require some form of administration to enable security. Nowadays, all consumer routers come with a CD you can run to walk you through the steps of configuring the router. This is especially important if you're using a wireless router. On any router, you want to make sure that remote administration of the router is disabled - this is usually the default setting. You will also want to reset the admin password which is usually "admin", by default. If you do not reset the password, someone else can do it for you, as well as reconfigure the router to their liking rather than yours. Check the CD and the online manual for your router for details.  

If you’re not sure how to configure your router, it is highly recommended that you consult an experienced friend or professional you can trust to do the job for you.  If you do consult someone else, make sure he clearly documents the setup so that you know what he did and you can convey that information to someone else if you need to.

If you're using a wireless router, you must also set the passcode for access to your wireless network. Otherwise, your network will be "open" and anyone can freeload on your cable or DSL Internet access. They can also see your computer and the resources on it. It's important that you use very strong passwords to secure your devices and accounts. Words that are easy to remember are also subject to the dictionary attack on passwords. A strong password is a series of characters that doesn't make any sense and is comprised of at least upper and lower case letters and numbers. You should also use non-alphanumeric characters (i.e., !@#$%^&*(_+) as part of your very strong password. The last word on wireless routers is this: if you’re not using wi-fi, turn it off.  It’s one less security hole to worry about.

I know that a good password is hard to remember. Well, fear not. You can save your passwords in an encrypted file by using KeePass. This is a portable, cross-platform password manager that uses very strong encryption to protect your passwords. The program uses a master password to provide access to the encrypted contents. Once the master password is set and the password file is opened, you can start to create a set of credentials for every website or application that you use. This allows you to use a different password for every site that you go to.  And believe me, you will want to use a different password at every site.

Why?  Because all it takes is one slip to fall.  If you’re using the same username and password at every site you go to, even for the bank, then anyone who knows your credentials can try them out everywhere.

I like to use at least a different password for every website that I go.  For financial sites, I don’t really even use a “name”.  Instead, I like to make everything hard to guess.  KeePass allows me to do this with a very good password generator.  KeePass also allows me to copy the username and password into a website. And it allows me to automatically enter the username and password into a website. Don't worry, KeePass will automatically erase the contents of the Windows and Linux clipboards after 30 seconds for security by default, but you can set that for as long or short as you want.

Remember the news about how Sarah Palin's Yahoo account was hacked? She was hacked because she used answers to secret questions that were easy to guess by someone who knew her or her history. A secret question or security question is a question that only you know the answer to, so that if you forget your password, you can recover your password by answering the questions. Instead of using the secret question to answer a question only you know, this is another chance to use a strong password to further secure your accounts if need be.

But I digress. Back to the router. Once you have set up the router, you will also want to set up DNS on the router, too. DNS is the Domain Name Service, which is a service that translates the Internet address you know, like, into an IP Address, like (verified with the ping command). DNS is part of the backbone of the Internet. Without this service, you would have to remember the IP addresses of all your favorite websites. This service creates the convenience of allowing us to use names rather than numbers to get where we want to go on the Internet.

Most computers set up your IP address and DNS automatically when they start up. They will get that information either from your ISP or from your router, depending on your setup. In Windows, it's fairly easy to setup your own DNS, too. And most routers will allow you to use another DNS other than the one provided by your cable or phone company.

There are two alternatives I like to use: OpenDNS and Google DNS. OpenDNS provides a great safety service for your Internet connection. OpenDNS does a lot of research to see where the malware, porn and criminal activity is coming from and helps you to steer clear of it. I use the service so that if I should happen to type the wrong address, I can be safely routed away from rogue sites that are serving unwanted content.

Google offers a similar service to OpenDNS, but on a much, much larger scale. Google crawls millions of sites every day looking for sites that dispense malware and putting them on blacklists to keep people away from them. They also report back to website owners when their site has been compromised. Both OpenDNS and GoogleDNS will help to protect you as you browse the web.

Another very good too is the Netcraft Anti-Phishing Toolbar, for Internet Explorer, Firefox and Chrome (the toolbar runs in Chrome and Firefox on Linux, too). This toolbar provides information on every website you visit. First, they give you a risk rating with a colored bar that indicates the risk associated with a website. If it's red, you'll want to go elsewhere. If it's green, then you should be fine. They also tell you how long the site has been there, and the rank in terms of popularity. Along with that, you get the location by country with a nice little flag to denote the nation and the name of the hosting service where the site is maintained.

To give you an example of how this works, imagine for a moment that you've received an email from Bank of America. They're telling you that you need to update your account information because it has not been updated in a while and they're concerned about the accuracy of their records. They kindly provide you with a link to their site. So you click on it. The Netcraft Toolbar reveals that the site is located in Russia and was only created a month ago. Hmmm. Time to close the browser, open a new one and go somewhere else.

In summary, I'm using layers of protection, with each layer providing protection in different ways. Here is a point list summary:

  • Never run as admin on your computer, unless you’re performing maintenance, software installs, hardware upgrades or updating Windows.
  • Run Windows Updates on a weekly if not monthly basis.
  • Install and maintain antivirus that updates without admin support.
  • Install and maintain some sort of anti-spyware.
  • Install and maintain a personal firewall.
  • Install and configure a router (not much maintenance is required for this).
  • Use a secured password manager to manage your passwords (don't leave your credentials on pieces of paper, sticky notes on your monitor or in a spreadsheet on your computer).
  • Use GoogleDNS or OpenDNS for a safer browsing experience.
  • Use the Netcraft Antiphising Toolbar so that you can find out if the site you're on is safe.
Here, I have 9 layers of security to prevent my computer and/or my identity from being compromised. You may want to implement a few or all of them depending on your security needs and desires.  But you should do something so that you can rest easier knowing that at least you’re a bit more secure than before.

The Internet has given us a sort of freedom never before experienced in human history.  The freedom to share ideas, learn new ideas and to grow from the experience.  The price of freedom is eternal vigilance.  But, by practicing the techniques shown above, you can reduce the cost of freedom to just a few pennies and minutes a day once it has been implemented. An ounce of prevention is worth a pound of cure.

I hope you all find this information helpful and can put it to good use.  Have a safe shopping experience while you prepare for Christmas. Be well.

Sunday, December 05, 2010

Net Neutrality is a Ruse

I've been following the debate concerning Net Neutrality and I've noticed something. The original decision (which you can find here) to classify ISPs as "information services" rather than as "telecommunications services" is missing something really important. Before I go on, I also want to point out that while I might use Comcast as an example here, the concepts I detail below can be applied to any ISP and/or common carrier.

First, in classifying cable modem services as information services rather than as telecommunications services the FCC attempts to ignore the behavior of the cable companies. The decision ignores the fact that companies like Comcast are common carriers because Comcast is acting like a telecommunications company rather than an information service. Comcast owns the lines, and is agnostic about the content it carries. Or at least it was until it realized that it could favor it's own content.

Second, just because the FCC bestows a service with the classification of an information service dosen't necessarily mean that it is. Anyone here remember Compuserve? How about GEnie from GE? I’m sure some of you old-timers out there remember the humble Bulletin Board Services with your 14.4k modems. I used to use the 0x0 Republic BBS for my first venture onto the Internet - that is where I got my first email address. All of the BBSs, Genie and Compuserve needed a phone line for a connection. And all of them were information services. They didn't own the lines, they were simply carried by the telecoms.

It should also be noted that here in Utah, we have a service called the Utah Open Infrastructure Agency (UTOPIA). UTOPIA is a municipal broadband service and as such, acts as a common carrier. They resell their service to Internet Service Providers (really more properly labeled as “Information services”) such as Xmission, Connected Lyfe and Prime Time Communications. They all compete to provide access to the same network on an open access network (more on this below). The UTOPIA resellers are indeed “information services” rather than telecommunications services to the extent that they do not own the infrastructure. All they’re doing is reselling service on a network they don’t own, but they manage the service they provide with billing and customer service. That’s what makes them an information service. UTOPIA is the ISP.

Comcast on the other hand acts like a common carrier as an Internet Service Provider. Comcast simply carries the bits from the public network across their own network to their own customers. The fact that they connect to the public network, such as their connection to Level 3 Networks, makes them a common carrier. Level 3 is a common carrier, too. Why? If L3 carries *none* of it’s own data, then it carries data for others.

I also want to put the lie to the claim that Comcast has a private network. As long as they connect to the public network and carry bits to their customers from the public network, they are part of the public network. That creates a public interest in their service. Unless and until they completely cut themselves off from all public networks and provide their own content to their own customers, they will remain a common carrier. While they may be tempted to do that given their resources, they would have to overcome the blowback from their customers. They would also have to pay back all the goodwill they received with cheap or free easements across property all over the country that they received along the way to becoming the largest ISP. That might be in the form of rent they pay the landowners, or they might lose the easements altogether.

Comcast is different from L3 in another major respect: it has an incentive to favor it’s own data sources. Even it’s partners’ data sources provide an incentive to favor its own traffic over others. In fact, the latest conflict between the two is about L3’s contract with Netflix to carry traffic to Netflix customers many of which subscribe to Comcast. Comcast, it seems, would prefer to run a toll booth rather than to play fair. They seem to have forgotten that their customers are already paying for Netflix traffic as Comcast subscribers. Implicit in their actions is the goal of making their own product more competitive with Netflix by making Netflix more expensive. Comcast doesn’t seem to mind that their customers are paying for Netflix content *twice*. And they certainly don’t want to mention that their costs per byte for connecting to L3 have gone down while the rates they charge to their customers continue to increase at a rate higher than inflation.

The original decision to brand cable modem service providers as information services also had the effect of forcing the phone companies to share their lines while the cable companies did not have to. This created an uneven playing field that allowed an enormous consolidation of resources by the cable companies. During this time, cable companies were allowed to bundle their TV services with their ISP services and eventually they were providing voice services to compete with the phone companies. Phone companies didn’t have content to bundle, so they were at a definite disadvantage with the cable companies to compete.

Line sharing, as the phone companies had to do, is also know as “open access” and has, with the exception of the United States, proved to be wildly successful wherever it has been implemented. Japan is probably the best known source of empirical evidence for the success of Open Access rules for distribution of internet service. In Japan, the government bankrolled the financing of the infrastructure in a partnership with NTT. NTT builds the infrastructure and is required to resell the use of that network at wholesale to it’s competitors. As a consequence there are thousands of ISPs all competing in the same market. In Japan, you can get a 60 mbs connection for around $35 a month. Of course, Comcast would prefer to have none of that since their business model is centered on creating scarcity in the market rather than abundance. And they want the entire market to themselves if they could get it. I guess to them, a private monopoly is much better than a public one.

So now we come to Net Neutrality. Net Neutrality is a ruse, pure and simple. Why? Because it assumes that the ISPs have rights that they really don’t have. Even ISPs like Comcast don’t have the right to favor traffic, shape traffic or to discriminate against traffic by charging a higher price based on the source of the traffic. The term Net Neutrality assumes that the ISPs have those rights, when they don’t. If they weren’t common carriers, they would have those rights, but they are most definitely common carriers. No matter how the FCC classifies them, they still act and walk like common carriers. Comcast and AT&T are common carriers, by their action rather than their classification.

I’m actually surprised that no one has sued the FCC to reclassify the cable companies as telecommunications companies by now. It’s important to reiterate here that telecommunications companies (the common carriers) are distinct from information services as they have *no content* to offer their customers. They are only carriers, and as such, must remain agnostic about the content they carry.

It should be plainly obvious by now that Comcast (and other content providers who own the pipes like them) have a conflict of interest to resolve. They cannot remain agnostic about content while acting as common carriers at the same time as the temptation to favor their own content is too great to resist. This is true for any company that offers Internet access and their own content at the same time. That makes it nearly impossible to separate the incentive to provide access to content from everyone else and their own.

This conflict of interest requires that any company that offers Internet access and content to be split. In the case of Comcast, the Internet access service must be separated from the entertainment content service. The best way to separate these services is to require the company to be split into two entities: one for carriage and one for content. That is the best way we can be sure that they will act as common carriers. As we have seen by recent examples of their behavior, we cannot trust them to do so.

The solution I offer is simple to state, but is rather difficult to implement without a big fight. Unfortunately, this is what I think we will need to do in order to remain competitive in world markets.

First, we need to separate content from carriage. To avoid the conflict of interest as shown above, we need to make sure that carriers and content providers are separate. This will ensure that common carriers act like common carriers with no incentive to discriminate against traffic of any kind.

Second, we need to ensure proper classification. A common carrier owns the pipes, content providers do not. We can’t even allow a member of the board of directors for the content company to sit on the board of directors for a carriage company. Separation of interests and duties is very important to remove any conflict of interest.

Third, we need to enforce the open access rules of common carriers. Common carriers own a resource that is the network. It makes no sense to dig up the streets to build a duplicate network and wait years for the deployment to happen - you know, like with power transmission and water service, right? Better to create one really fast network for everyone and let the content providers share the network. This will improve network maintenance and upgrades as well. I think in the long run, this will have to be a strictly regulated utility, like the power company is. UTOPIA promotes this idea as many municipalities around the country and around the world have done. Even Google, which is becoming the 2nd biggest ISP by it’s consolidation of networks and the sheer volume that it moves, is promoting the idea of open access networks.

While this is a long post with lofty ideals, we know that the devil will be in the details, and we can be sure that the incumbent service providers would rather have a captive audience than to have to deal with competition. They are going to throw up blocks at the legislature, in the courts and in the press to show what angels they really think they are and how they’re doing us such a big favor by fighting for the status quo.

The last ten years of the status quo have lost us our lead in Internet access, provided consolidation in the industry that eliminated much of the competition, left us with media giants snarling over their turfs and helped to expand or maintain the digital divide. That leaves us with very little power over a resource that started out as a source of entertainment and has grown into an irreplaceable utility: the Internet. If we fail to act now, the power of the incumbent service providers will only grow until we are left with nothing more than a walled garden that leads only to their coffers.

Now is the time to reclassify the ISPs as common carriers and secure our future in a competitive global economy by recognizing Internet access as utility that we can all use. I urge you to discuss this issue with your local, state and federal representatives to preserve our freedoms on the Internet.

Friday, November 26, 2010

On Software Patents - Open Letter to Orrin Hatch

Mr. Hatch,

This is one more letter to explain the problem with software patents. As you can see, I've put this in the category of "ethics" because there have been a lot of difficult and thorny issues related to patents, and particularly with software patents. Today, I offer you an example of a patent granted to a patentee that is based on someone else's work. Check out this link here:

Here, we have an open source software developer who posted code to an open source project, only to find that it had been copied, step-by-step into a patent application. This is an abomination and characteristic of people who oppose open source software, for they are seeking to destroy open source software with patents.

As a member of Congress, you are likely to be aware of how much the US government relies upon open source software. The developers of the website for the White House use open source software. The defense department has their own sourceforge site for hosting projects. Even the NSA has their own version of the Linux kernel.

The behavior cited in the website linked above is a perfect example of why the bar for patent defenses needs to be lowered to allow for easier invalidation of patents. Even Microsoft is petitioning the Supreme Court to lower the bar as seen here:

The argument is that the patent office is not perfect. They cannot know everything, and if patent applicants are going to steal whatever they can from other sources, then the presumption of validity needs to be re-examined. This is particularly so when patentees steal from the open source software community, a wellspring of innovation that does not seek patent protection, except only as a defense against patent trolls. They will not prosecute patents against others, but they will use their patents to defend themselves from other patentees. A good example is Google. We don't read headlines in the paper every day of Google suing someone. But Apple, Microsoft, Oracle and others have been pursuing claims against open source enterprises such as Google. Google runs all of their servers on Linux. They make their own databases. That's innovation.

For a rather humorous examination of the problems of software patents insofar as they relate to open source software, see this brief speech by Eben Moglen:

I also think that there need to be civil penalties when patentees knowingly and willfully attempt to patent common knowledge or similarly unpatentable material. That means that they need to check their sources and provide all prior art available. This example would be obvious as open source software commits are available worldwide and anyone with a browser and a search engine could find it.

I hope you find this letter enlightening on the subject of patents and consider this information as you and your fellow Congressmen draft legislation to improve the patent system.

Thank you.

Scott Dunn

Sunday, October 17, 2010

Mr. Hatch, tax cuts aren't going to do any good...

This is a letter I wrote to Orrin Hatch, our esteemed senator:

Mr. Hatch,

A few days ago, I read this article and I haven't been able to stop thinking about it since. You can find it here:

The article makes a startling assessment of the economy with the following statement: 85% of all the wealth is owned by the top 20% earners in the nation. With all this talk about how extending the tax cuts of the Bush Administration is going to help the economy, little notice is taken of this evidence. It is also worth noting that corporate America is sitting on a $2 Trillion pile of cash and they're not hiring.

What this shows is that for at least the last ten years, the rich have not been spending their money, they've been hoarding it. This confirms Robert Reich's statement that, "Giving tax breaks to rich people to get them to spend their money doesn't work. They've already spent all the money they want to spend."

So, I ask you, what makes you think that extending the tax cuts is going to help the economy?


Scott Dunn

Wednesday, August 18, 2010

A letter to Sen. Hatch on Common Carriers

Mr. Hatch,

I am aware of the Republican sentiment regarding "Net Neutrality", a sentiment I happen to disagree with. This whole notion of "the government taking over the internet" flies in the face of efforts by the NSA to monitor communications. It has been well documented that during the Bush Administration, the Republican Party was insistent (and spent billions) on complete surveillance of American citizens through internet monitoring. If the Republicans desire complete surveillance of communications in the name of "national security" then Net Neutrality should be no problem.

Few people understand the issue, and even fewer are informed of what is at stake here. To help people understand the issue more clearly I offer the following:

If you are a private entity providing internet service and you pass information from the public internet to your customers, you are a common carrier. If you are a private entity and you connect to your customers, but do not connect to the public internet, then you are not a common carrier. To put it more simply, if you are a closed, self-contained network, providing customer access to that network and do not accept or pass through any outside information, you are not a common carrier.

It's that simple. If you provide customer access to a public network, you're a common carrier. If not, you're not a common carrier.

What are your thoughts? Do you think that the situation is more complex than that? If so, how do you justify your position?

Scott Dunn

Sunday, July 04, 2010

Corporate Compensation Tax, On a Curve

As we have seen in the current great economic crisis, aka The Great Recession, executives of very large corporations have proven to be quite willing to take risks that can endanger their organization and the national economy. They must have figured out that they have enough personal net worth to weather the recession and that everyone else will be willing to work for less after that. 

In this situation, there are at least two main incentives that govern the will to take risks: limited liability and rapid wealth accumulation. It should be clear at this point that this kind of behavior should be discouraged. Unfortunately, no amount of regulation will stop it until the financial rewards of flouting the laws are removed. Perhaps this is evidence of the sub-clinical psychopathy induced by the lure of all that free money.

Corporations, as their structure suggests, have limited liability which means that when a corporation makes a mistake, they are only liable for the value of their stock. Only in very rare, extreme cases are officers and shareholders of corporations held personally liable for damages in the event of mistakes or transgressions. It has not always been that way. In the olden days, the following restrictions were set upon corporations (depending upon the state that chartered them):

1. They had a limited term of 20-30 years.
2. Could only deal in one commodity.
3. Could not own shares of other corporations.
4. Their property holdings were limited to only what they needed to get the job done.
5. In most states, it was a criminal offense for a corporation to make a political contribution.

It has been well documented that corporate compensation has shot up dramatically in the last 30 years, particularly so in the last 10 years. The argument for this increase in compensation has been that very high compensation is required to attract the talent needed to maximize profits. Given the track record of the captains of industry in the last 4 years, this argument fails on the merits. If you were watching the news around September 30th, 2008, you would know that the captains of industry didn't have a clue about the economy. Or maybe they did and they were keen on executing one of the largest transfers of wealth in our lifetime.

How did this happen? One factor that gets little press is the humble individual retirement account. Since the time of the adoption of the individual retirement account, corporations have found ways to create vast pools of capital that can be used to implement new methods of making money. This is because the market capital available to corporations has grown dramatically as the use of individual retirement accounts became popular.

While it can be fairly said that there have been great improvements in our standard of living during this time, there has also been a dramatic concentration of power among the most popular corporations with the most widely held stocks. Over time, it appears that corporations have devised methods of separating the common shareholder from the profits of the corporation. It can even be said that corporations have created a sort of private socialism. They privatize the profits while socializing the risks and liabilities.

I might be called a cynic if I said that the original intention of a corporation was to create a system of private socialism. That is not the case as corporations were already acknowledged as sources of evil known as the "moneyed interests" at the time that our country was founded. Of late, the empirical evidence provides strong indications of that evil. In the last 30 years, there has been substantial evidence to show the greatest concentration of income generating power has accumulated among a fraction of the top 1% of income earners in the United States. Almost all of that activity is through the (ab)use of corporations.

To summarize the status of corporations, they provide a way to generate wealth while externalizing costs, limiting liability and concentrating and confining income growth, especially passive income, to the executives of the corporation.

To create a countervailing force to the current trend, it is time to consider taxing corporate officers on a curve. And to prevent circumvention of this force, this new legal regime would apply to all for-profit, limited liability organizations. We must recognize that incorporating a business is a privilege and should be taxed like any other privilege to the point of discouragement. This means that you *don't* have to incorporate. You're not required to do it. 

In 1980, the average corporate executive earned about 30 times the income of the lowest paid employee. At that time, America was considered a world economic power. Now, corporate executives often earn more than 300 times the income of the lowest paid employee - and we have been humbled by an economic crisis. That's an extreme concentration of power. 

Since that time, there has been no concurrent rise in skill, intelligence or ethics for executive positions. In fact, it can be shown, just looking at the games played by executives, that ethics has less consideration now that it did 20 years ago. The only other thing that has changed is the amount of capital flowing to the largest corporations. Perhaps being an executive is nothing more than a video game where the goal is to rack up the points and destroy the competition while locking the customer in.

Here, I propose a new way of thinking about taxation. The goals of this tax structure are designed to return earning power to people who are willing to stand behind their actions. What I mean by that is that they are willing to put their assets at risk by organizing with full liability. Therefore, this tax structure does not apply to independent contractors, sole proprietors - essentially any entity that assumes strict liability for the services they offer will be unaffected. The idea is to reward those who are willing to offer their services naked of the protection offered by a corporation.

The second goal is to provide some form of equalization. This is not to prevent winners, this is to prevent winner-take-all economics and the monopolies they create. When the winner takes all, all other movers in the market are discouraged, reducing or eliminating competition in the markets, and concurrently, consumer choices.

There is empirical evidence to support this proposed model of taxation. It is known as the Board of Equalization - every state has one. Their primary purpose is to provide for the equalization and redistribution of tax funds for all jurisdictions within a state. We need something like that for income to prevent the winners from taking it all and creating monopolies to perpetuate their status.

Some conservatives may recoil at this idea. Fine. Put your best idea out there. And while you're doing that, consider that all that railing against government monopolies completely ignores the dangers of a private monopoly. It is beyond me why conservative pundits seem to think that private monopolies are better than public monopolies since both derive their power from government sanctions.

Here is what I propose:

All limited liability entities are required to pay a marginal tax on all non-hourly employees and executives within the organization. The rate structure is based on the measure of the federal minimum wage in multiples. Here is a simple schedule for the tax rates, where x is the minimum wage:


As an example, any income up to and above 30x the minimum wage is taxed at 30%, above 60x, 60%. Clearly, the incentive to try to earn much more after 100x the minimum wage is discouraged. But at 300x, the incentive is almost completely decimated. While lawyers are likely to find a way to work around this, or even to write loopholes into the law for this, with crowdsourcing, abuse of the law can be much more easily deduced and publicized. If you don't believe me, one only need look to Groklaw for evidence that this works.

The point of this tax schedule is that beyond 60x, the public benefits little from the compensation paid for publicly held corporations. Even for privately held corporations, it is hard to see how additional compensation could be helpful in terms of attracting talent or justifying the intelligence, skill and experience any human being can bring to the job. There simply is no "superhuman" qualified to earn that kind of income.

This equalization may sound like communism. But it's important to remember that for a significant fraction of the history of the United States income tax, the maximum marginal tax rate for income was above 90%. And during that time, this country was well reputed as an economic power. The intent of this proposal is to pay people appropriately for their effort for non-hourly employment.

By now you may have noted that I didn't say anything about the income of the corporation. That can be dealt with by instituting the old rules for the corporation, which I'm happy to repeat here:

1. They have a limited term of 20-30 years.
2. Can only deal in one commodity.
3. Cannot own shares of other corporations.
4. Their property holdings are limited to only what they need to get the job done.
5. Make it a criminal offense for a corporation to make a political contribution or to lobby.

I would like to add a few more for good measure:

6. To prevent interlocking directorates, a member of the board of directors of any corporation cannot sit on another board of directors for any other corporation.
7. Their charter can be revoked by referendum within the jurisdiction of their creation regardless of the location of any of their offices.
8. They are not "persons" under the law, except that they can conduct business, can sue and be sued, and must pay taxes.

This will also help to put an end to risk taking for that great executive lottery for the Ritz-Carlton Lifetime Retirement prize - paid for by the rest of us.

Radical though it may seem, that is what I propose. Your thoughts are welcome.