Wednesday, December 22, 2010

Tutorial: PC Security, Revisited

Now that the Christmas shopping season is in full swing, most of us are going to shop online at some point or another.  Some of us may even buy a new computer, too.  The blogs and pundits are abuzz about computer security with a lot of talk about password management. Password management is just one aspect of security. Today, we’re going to review security as layers of protection rather than attempting to use just one solution for protection.  The ideas I will present here will show how to provide a decent gauntlet for security threats before they can take over a computer.

A little history about me is in order here. I have had the opportunity to watch the Internet grow from the early days in 1991. I got my first email address that year with a BBS (Bulletin Board System) called the 0x0 Republic. With my first email correspondence, I was fascinated with the notion that I could exchange emails with someone across the world. Maybe more than a few of you are old enough to remember those days of the BBS, CompuServe and the 14.4k modem.

Back then, I had a humble Commodore Amiga 500 computer. No, it didn't run MS-DOS, it ran the AmigaDOS. As you can see from the screenshot for the Amiga 500 in the preceding link, this computer didn't run Windows, either. The AmigaOS borrowed many ideas from UNIX, allowing the use of a command line or windows and icons for operation of the computer. Their user interface was very advanced compared to the Mac and the PC at the time. Unfortunately, through their own management errors, Commodore eventually went into bankruptcy.

Around the time that I was an Amiga user, computer security wasn't really an issue for consumers like it is now. Most personal computers were still single user, general purpose computers and apparently, only a few people bothered to write a virus for the Amiga. Back then, very few people even connected their home computer to another network let alone the Internet.  I can remember reading about the Ethernet connection and wanting to know how I could get one for my computer.  Commodore was a very proprietary company and that made it hard to find a standardized component that would connect my computer to the Ethernet, whatever that was.

Eventually I got an Apple PowerBook 140b. It was with this computer that I first got a taste of the World Wide Web around 1994-5. It was a slow, stodgy, black and white experience, built onto a dial-up connection. But it was enough for me to do my research at the time. Back then, Alta Vista was the search engine of choice and they were considered to be the fastest search engine of the time.

In 1997 I got my first Windows laptop. I can remember shopping for Windows software for the first time and laughing when I realized what I had been missing while working on the Mac. I found a nice dialup ISP to work with, too. From there, I started to really get a sense of what could be found on the Internet. For years, I went without antivirus, not completely oblivious to the dangers - but just being careful not to open attachments from strangers.

In 1999, I got a computer with Windows 2000 Professional. Around that time I had moved into a place with cable access to the Internet. I went from a 56k modem to 1.5 Mbs in speed. I had taken some classes on Windows and learned something about the security built into it. I started to read the tech news every day and noticed that more and more, viruses and trojans were making the news. So I got some Antivirus software.

I started out with Norton Antivirus and eventually moved on to ESET's NOD32. While working with the antivirus software, I remembered something that my Dad taught me in terms of strategy: no defense can anticipate all attacks. So I started collecting tools and programs in an effort to build a secure environment for myself.  This combination of software tools is what I'd like to share with you. It is built from years of experience and through more than 14 years of running Windows. Because of this training, learning and vigilance, I've only had to rebuild a computer once due to a virus.  

Keep in mind also, that no software can stop you from doing something that you know you shouldn’t do. If you open an email attachment from someone you don't know, you're only asking for trouble. If you click on a link in a spam message that takes you to a site harbouring malicious software, your computer is likely to be toast, even with the best defense available.  Such a site is just waiting for you, and the authors of the site have anticipated the most likely defenses your machine will offer.  So let’s look at the layers of defense you can use to protect your computer.  

First and foremost, if you're running Windows, you're likely to be running as an administrator. An administrator account can do *anything* to your computer, and that includes damaging it. On the other hand, you can also use a "limited" account (XP/Vista) or “standard” account (Windows 7). This is a regular user account that can do very little, if any, damage to the computer. To put it simply, admin accounts should only be used for maintenance, upgrades and software installation/removal. Limited user accounts should be used for everything else. A limited user account can be used for your daily computing tasks like web browsing, email, playing games, writing correspondence, online banking, etc.

You’re probably asking why you didn’t know about the difference between accounts. Microsoft has slowly but surely been improving the way they educate their users. However, Microsoft still tends to favor convenience over security and so they tend to leave that part about administrator rights out of the education they provide to users.

It all starts when you boot your computer for the first time. When you start Windows up for the first time, you're prompted to provide at least one user name and additional names for other people who might use the computer. You will also be given an option to create passwords for each of these users. Neither Windows XP, Vista nor 7 gives you much of an explanation for the differences in user accounts, either. So, unless you're informed, you create one or more admin accounts to use on your computer. Most people run with the original account that they created on the first day that they started using their computer. Many of them set up that one account to automatically log in without any password security. And most of them are hardly aware of the dangers of using that account.

As a rule, you should never be running as admin unless you need to install a printer, install or remove software, and the like. For anything else, operate your computer as a limited user. To put this in perspective, analysts estimate that more than 95% of the problems with Windows security go away if you're not running as admin.

The reason for this is simple, but not very well understood by the general public. You see, most of the latest viruses and trojans install on your computer silently. Virus writers realize that most people will trash emails with attachments from people they don't know (and even from people they do know if they were not expecting that email). So the virus writers use stealth.

When your computer is being attacked, you will get no clue that new software is being installed - when you are running as an admin. Windows 7 can help this in some ways, but W7 also has a very similar programming philosophy to Windows XP: convenience over safety. Yes, you can still get warnings that software is trying to install, but a determined piece of malware can work around that and trash your computer - if you are running as administrator. You can even turn off the security warnings that you would usually get from Windows if you want to.

After a successful attack, you won't really notice much other than that your computer is running a bit slower - maybe even a lot slower - than before. Malware tends to change the computer for its own benefit at the expense of other functions. Why is it running slower? Because when it’s infected, it’s shipping spam by the thousands, hosting a web site, participating in Denial of Service attacks or even offering up more viruses to other people.

Now if you're running as a non-admin or limited user, and you click on a drive-by download, you're going to get a message indicating that “you do not have permission to install this software - please contact your administrator!” If, at this point, you were not planning on installing any new software, it's time to leave quietly and never come back to that site. Ever.

So, if you have not done so already, create another admin account. Be sure to give it a password (and don’t lose that password - you’ll need it later). An admin account with no password is an open target for malware.  Then take the account that you've been using from the beginning and turn it into a limited account.  This way, you’ll still have access to your favorites, all your settings, and your documents. Whenever you need to add something to the computer or to do maintenance, log in to your admin account. For everything else, it's Visa, er, Vista, I mean...um...your limited account.

So that's the first step. Just changing the type of account you use for daily computing is a big step towards preventing infection from a virus or trojan.  Remember, over 95% of the vulnerabilities go away when you’re not running as admin.

Windows Update. Whatever you do, once a week, run Windows Update, or at the very least, run it when you see a Windows Update notification. It’s also very important to run Windows Update on the day updates are issued, the first Tuesday of every month. The reason why is that most malware is designed by reverse engineering the latest updates to find the security holes and then targeting new attacks there. Malware engineers are expecting people to be lazy in running their updates. Running updates for Windows on a regular basis (and any other operating system for that matter, including MacOS and Linux) will further limit your chances of infection. If you see a notification for updates on your computer, it’s time to get them done.

It should be noted that Windows 7 has a couple of new features that I’ve never seen before except in Linux and MacOS.  Windows 7 allows you to send notification to non-administrator users that new updates are available.  This allows standard (or limited) user accounts to see them and install them.  You might recall that in XP, Windows will reveal a little yellow badge with an exclamation point on it in the task bar on the lower right-hand corner of your screen. That is the Windows Update notification.  In XP, that is only revealed to administrators on the computer. With Windows 7, even if you’re not an administrator, you can see that too, if you can set yourself up for it.  And when updates are available, you can install them, too.  With this setup, installing updates is the only administrative task you can do as a non-administrator.

Note also, that on April 8th, 2014, Microsoft will no longer release updates for Windows XP. If you don't want to upgrade to the next version of Windows, consider alternatives like Linux Mint, Ubuntu Gnome and Fedora. They are all much more secure than Windows and they will extend the life of your computer by using fewer resources than Windows did. This is great for your kids' career prospects since Linux skills are still hard to find, and when they don't know much about Linux, it's rather difficult for them to mess up their computer by installing a "happy mouse" program they downloaded from some unscrupulous website.


The nice thing about the Windows update notification for non-admins is that you’re not running as administrator all the time, you’re still notified of updates and you can install them without logging out and logging in as an administrator.  This makes it easier to update your computer, and that means your computer will be kept up to date even when you run on a non-administrator account.

And now for antivirus. This is part of what is known as the Windows Tax. The first part of the Windows Tax is that you pay for the Windows license no matter where you buy your computer, even if you don’t want to use Windows. That is the Microsoft way. Then you pay for the antivirus and other security software. Most good antivirus programs are going to cost $40-60 for the first year, and 20-30 bucks thereafter for maintenance. The best antivirus will do a complete update of signatures without user intervention. Norton Antivirus was not one to do that when I was using it (though it’s been a few years and perhaps things have changed with Norton). As an alternative, I heartily recommend ESET NOD32 simply because the updates occur automatically without you being logged in as admin. Version upgrades will require admin access, but that is a fairly rare occurrence (once or twice a year).

I don't recommend Symantec/Norton for a couple of reasons: they are a big, fat, complacent company with a huge market share. Try getting a hold of customer service there and you’ll see what I mean. On the other hand, ESET is hungry for your business. I can easily get a hold of their techs without cycling through their entire music on hold playlist. While their songs are interesting, they’re not compelling, and they do offer good tech support.

Yes, there are others to consider, such as the free version from AVG. But you do, in a sense, get what you pay for. Caveat Emptor.

Remember what I said about how no defense can anticipate all attacks? Well, even NOD32 isn't perfect. So I strongly recommend antispyware as well. SuperAntiSpyware or AdAware are both great products that can find a lot of stuff like cookies that you don’t want on your computer.  Cookies can be used to track your movements around the web and send that information back to the Mother Ship. They make a good complement to your antivirus software.

It's worth noting here, that a fellow IT guy told me the following: ESET (NOD32) recommended SuperAntiSpyware as a complement to their own product. I asked ESET about this by phone and they acknowledged that their product won't catch *everything*. That is a very humble and honest statement to make, and heartening for me to hear. I've had similar experiences first-hand myself, so it's nice to hear it from someone else. That is why I like ESET.

So, we've covered the user accounts, the antivirus and the antispyware. You're also going to want a personal firewall. This is useful for stopping malicious software that is trying to call home, you know, to the Mother Ship. I have experience with two products for this purpose: ZoneAlarm and ESET's Security Suite w/NOD32. They are both highly recommended with full acknowledgement of other products out there.

They both provide security for those loose cannons known as "open ports". You can learn something about this, here. Gibson Research Corporation has helped me to understand the open ports issue and inspired me to try ZoneAlarm. Personal firewalls allow you to see when software is trying to call home and give you a chance to block transmission of sensitive information back to the Mother Ship!

There's another kind of firewall known as a router. This is a physical firewall device that you will know as a sort of switch that allows you to share the Internet connection with more than one computer. Common brand names for routers include Linksys, Netgear, and D-Link. These are all top brands and they all provide an extra level of security. But that security only works if you enable it and configure it properly.  

You can think of the router as the bouncer. The router uses a public IP address to connect to the world, and gives all of your computers a private IP address that isn’t recognized by the rest of the world. The router checks each packet or message that comes to it. When you click on a link in a web page, a request for information behind the link is sent to the inside port of the router. The router inspects the message, notes its destination and then waits for information to come back. The router then sends the message out to the destination server, which then responds by sending information back to you, through your router. The router checks to see if the information is “invited”. If that information is not on the list, it’s not getting in. But if you made a request for the information, the router will let it in. That’s what a bouncer is supposed to do.
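To make the bouncer's "guest list" concrete, here is a small model of the translation table a home router keeps. It is an added example, not code from any router vendor; the addresses, the port numbers and the 120-second idle timeout are constructed assumptions, and real routers differ in how strictly they match replies.

```python
"""Toy model of a home router's "guest list" (constructed, simplified example)."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # constructed public address (documentation range)
IDLE_TIMEOUT = 120           # assumed: seconds an unused entry stays on the list


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    private_ip: str
    private_port: int
    remote_ip: str
    remote_port: int
    last_seen: float


@dataclass
class NatRouter:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000                       # next free public-side port
    table: dict = field(default_factory=dict)    # public port -> Mapping

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """A computer on the inside sends a request: note it, then rewrite the
        private source address to the router's public address."""
        wanted = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for port, m in self.table.items():
            if (m.private_ip, m.private_port, m.remote_ip, m.remote_port) == wanted:
                m.last_seen = now                # conversation already known
                return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)
        port = self.next_port
        self.next_port += 1
        self.table[port] = Mapping(*wanted, last_seen=now)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float):
        """A packet arrives from the Internet: forward it to the private
        address only if it answers a request that is still on the list."""
        self._expire(now)
        m = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or m is None:
            return None                          # nobody inside asked for this
        if (pkt.src_ip, pkt.src_port) != (m.remote_ip, m.remote_port):
            return None                          # right door, wrong sender
        m.last_seen = now
        return Packet(pkt.src_ip, pkt.src_port, m.private_ip, m.private_port)

    def _expire(self, now: float) -> None:
        """Drop entries that have been idle longer than the timeout."""
        stale = [p for p, m in self.table.items() if now - m.last_seen > IDLE_TIMEOUT]
        for p in stale:
            del self.table[p]


def demo() -> dict:
    router = NatRouter()
    # Laptop on the private network requests a web page.
    request = Packet("192.168.1.20", 51515, "198.51.100.7", 443)
    sent = router.outbound(request, now=0)
    reply = Packet("198.51.100.7", 443, sent.src_ip, sent.src_port)
    stranger = Packet("192.0.2.66", 443, sent.src_ip, sent.src_port)
    probe = Packet("192.0.2.66", 4444, PUBLIC_IP, 3389)
    return {
        "reply": router.inbound(reply, now=1),          # invited
        "stranger": router.inbound(stranger, now=2),    # same port, other sender
        "probe": router.inbound(probe, now=3),          # port nobody opened
        "late_reply": router.inbound(reply, now=500),   # entry has expired
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {'forwarded to ' + result.dst_ip if result else 'dropped'}")
```

Only the invited reply reaches the laptop; the other three packets are dropped at the router.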

All routers require some form of administration to enable security. Nowadays, all consumer routers come with a CD you can run to walk you through the steps of configuring the router. This is especially important if you're using a wireless router. On any router, you want to make sure that remote administration of the router is disabled - this is usually the default setting. You will also want to reset the admin password which is usually "admin", by default. If you do not reset the password, someone else can do it for you, as well as reconfigure the router to their liking rather than yours. Check the CD and the online manual for your router for details.  

If you’re not sure how to configure your router, it is highly recommended that you consult an experienced friend or professional you can trust to do the job for you.  If you do consult someone else, make sure he clearly documents the setup so that you know what he did and you can convey that information to someone else if you need to.

If you're using a wireless router, you must also set the passcode for access to your wireless network. Otherwise, your network will be "open" and anyone can freeload on your cable or DSL Internet access. They can also see your computer and the resources on it. It's important that you use very strong passwords to secure your devices and accounts. Words that are easy to remember are also subject to the dictionary attack on passwords. A strong password is a series of characters that doesn't make any sense and is comprised of at least upper and lower case letters and numbers. You should also use non-alphanumeric characters (e.g., !@#$%^&*(_+) as part of your very strong password. The last word on wireless routers is this: if you’re not using wi-fi, turn it off. It’s one less security hole to worry about.

I know that a good password is hard to remember. Well, fear not. You can save your passwords in an encrypted file by using KeePass. This is a portable, cross-platform password manager that uses very strong encryption to protect your passwords. The program uses a master password to provide access to the encrypted contents. Once the master password is set and the password file is opened, you can start to create a set of credentials for every website or application that you use. This allows you to use a different password for every site that you go to.  And believe me, you will want to use a different password at every site.

Why?  Because all it takes is one slip to fall.  If you’re using the same username and password at every site you go to, even for the bank, then anyone who knows your credentials can try them out everywhere.

At a minimum, I like to use a different password for every website that I go to. For financial sites, I don’t really even use a “name”. Instead, I like to make everything hard to guess. KeePass allows me to do this with a very good password generator. KeePass also allows me to copy the username and password into a website. And it allows me to automatically enter the username and password into a website. Don't worry, KeePass will automatically erase the contents of the Windows and Linux clipboards after 30 seconds for security by default, but you can set that for as long or short as you want.
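The password advice above (mixed character classes, no dictionary words, a different password for every site) can be checked mechanically. The following is an added example, not part of KeePass: the word list, the site names, the sample passwords and the 12-character minimum are all constructed assumptions.

```python
"""Audit a set of passwords against the rules in this tutorial (constructed example)."""
import secrets
import string
from collections import defaultdict

# Constructed sample word list; a real dictionary attack uses far larger lists.
COMMON_WORDS = {"password", "christmas", "dragon", "letmein", "shopping", "monkey"}
# Undo the usual look-alike substitutions (0 for o, @ for a, ...) before matching.
LEET = str.maketrans("013457@$!", "oieastasi")
MIN_LENGTH = 12   # assumption for this example; the tutorial gives no number


def char_classes(pw: str) -> dict:
    """Which of the four character classes named in the text are present."""
    return {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def contains_dictionary_word(pw: str, words=COMMON_WORDS) -> bool:
    """True if a listed word appears in the password, even in disguised form."""
    folded = pw.lower()
    variants = (folded, folded.translate(LEET))
    return any(word in variant for word in words for variant in variants)


def audit(vault: dict) -> dict:
    """Return {site: [problems]} for a mapping of site -> password."""
    sites_by_password = defaultdict(list)
    for site, pw in vault.items():
        sites_by_password[pw].append(site)

    report = {}
    for site, pw in vault.items():
        problems = []
        if len(pw) < MIN_LENGTH:
            problems.append("too short")
        missing = [name for name, present in char_classes(pw).items() if not present]
        if missing:
            problems.append("missing: " + ", ".join(missing))
        if contains_dictionary_word(pw):
            problems.append("dictionary word")
        others = sorted(s for s in sites_by_password[pw] if s != site)
        if others:
            problems.append("reused on: " + ", ".join(others))
        report[site] = problems
    return report


def generate(length: int = 20) -> str:
    """Random password from a cryptographic source that passes the audit."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(char_classes(pw).values()) and not contains_dictionary_word(pw):
            return pw


# Constructed sample credentials, for illustration only.
SAMPLE_VAULT = {
    "bank.example": "Chr1stm@s2010",      # looks complex, still a disguised word
    "shop.example": "Chr1stm@s2010",      # same password as the bank
    "mail.example": "monkey",
    "forum.example": "q7#Vw!2LzR9&pXe4",
}

if __name__ == "__main__":
    for site, problems in audit(SAMPLE_VAULT).items():
        print(f"{site:15s} {'; '.join(problems) or 'ok'}")
    print("suggested replacement:", generate())
```

The bank password shows why a password can look complex and still fall to a dictionary attack, and why its reuse on the shopping site matters.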

Remember the news about how Sarah Palin's Yahoo account was hacked? She was hacked because she used answers to secret questions that were easy to guess by someone who knew her or her history. A secret question or security question is a question that only you know the answer to, so that if you forget your password, you can recover your password by answering the questions. Instead of using the secret question to answer a question only you know, this is another chance to use a strong password to further secure your accounts if need be.

But I digress. Back to the router. Once you have set up the router, you will also want to set up DNS on the router, too. DNS is the Domain Name Service, which is a service that translates the Internet address you know, like www.google.com, into an IP Address, like 208.67.219.230 (verified with the ping command). DNS is part of the backbone of the Internet. Without this service, you would have to remember the IP addresses of all your favorite websites. This service creates the convenience of allowing us to use names rather than numbers to get where we want to go on the Internet.

Most computers set up your IP address and DNS automatically when they start up. They will get that information either from your ISP or from your router, depending on your setup. In Windows, it's fairly easy to set up your own DNS, too. And most routers will allow you to use a DNS service other than the one provided by your cable or phone company.

There are two alternatives I like to use: OpenDNS and Google DNS. OpenDNS provides a great safety service for your Internet connection. OpenDNS does a lot of research to see where the malware, porn and criminal activity is coming from and helps you to steer clear of it. I use the service so that if I should happen to type the wrong address, I can be safely routed away from rogue sites that are serving unwanted content.

Google offers a similar service to OpenDNS, but on a much, much larger scale. Google crawls millions of sites every day looking for sites that dispense malware and putting them on blacklists to keep people away from them. They also report back to website owners when their site has been compromised. Both OpenDNS and GoogleDNS will help to protect you as you browse the web.

Another very good tool is the Netcraft Anti-Phishing Toolbar, for Internet Explorer, Firefox and Chrome (the toolbar runs in Chrome and Firefox on Linux, too). This toolbar provides information on every website you visit. First, they give you a risk rating with a colored bar that indicates the risk associated with a website. If it's red, you'll want to go elsewhere. If it's green, then you should be fine. They also tell you how long the site has been there, and the rank in terms of popularity. Along with that, you get the location by country with a nice little flag to denote the nation and the name of the hosting service where the site is maintained.

To give you an example of how this works, imagine for a moment that you've received an email from Bank of America. They're telling you that you need to update your account information because it has not been updated in a while and they're concerned about the accuracy of their records. They kindly provide you with a link to their site. So you click on it. The Netcraft Toolbar reveals that the site is located in Russia and was only created a month ago. Hmmm. Time to close the browser, open a new one and go somewhere else.

In summary, I'm using layers of protection, with each layer providing protection in different ways. Here is a point list summary:

  • Never run as admin on your computer, unless you’re performing maintenance, software installs, hardware upgrades or updating Windows.
  • Run Windows Updates on a weekly if not monthly basis.
  • Install and maintain antivirus that updates without admin support.
  • Install and maintain some sort of anti-spyware.
  • Install and maintain a personal firewall.
  • Install and configure a router (not much maintenance is required for this).
  • Use a secured password manager to manage your passwords (don't leave your credentials on pieces of paper, sticky notes on your monitor or in a spreadsheet on your computer).
  • Use GoogleDNS or OpenDNS for a safer browsing experience.
  • Use the Netcraft Anti-Phishing Toolbar so that you can find out if the site you're on is safe.

Here, I have 9 layers of security to prevent my computer and/or my identity from being compromised. You may want to implement a few or all of them depending on your security needs and desires.  But you should do something so that you can rest easier knowing that at least you’re a bit more secure than before.

The Internet has given us a sort of freedom never before experienced in human history.  The freedom to share ideas, learn new ideas and to grow from the experience.  The price of freedom is eternal vigilance.  But, by practicing the techniques shown above, you can reduce the cost of freedom to just a few pennies and minutes a day once it has been implemented. An ounce of prevention is worth a pound of cure.

I hope you all find this information helpful and can put it to good use.  Have a safe shopping experience while you prepare for Christmas. Be well.

Sunday, December 05, 2010

Net Neutrality is a Ruse

I've been following the debate concerning Net Neutrality and I've noticed something. The original decision (which you can find here) to classify ISPs as "information services" rather than as "telecommunications services" is missing something really important. Before I go on, I also want to point out that while I might use Comcast as an example here, the concepts I detail below can be applied to any ISP and/or common carrier.


First, in classifying cable modem services as information services rather than as telecommunications services, the FCC attempts to ignore the behavior of the cable companies. The decision ignores the fact that companies like Comcast are common carriers because Comcast is acting like a telecommunications company rather than an information service. Comcast owns the lines, and is agnostic about the content it carries. Or at least it was until it realized that it could favor its own content.

Second, just because the FCC bestows a service with the classification of an information service doesn't necessarily mean that it is. Anyone here remember CompuServe? How about GEnie from GE? I’m sure some of you old-timers out there remember the humble Bulletin Board Services with your 14.4k modems. I used to use the 0x0 Republic BBS for my first venture onto the Internet - that is where I got my first email address. All of the BBSs, GEnie and CompuServe needed a phone line for a connection. And all of them were information services. They didn't own the lines, they were simply carried by the telecoms.

It should also be noted that here in Utah, we have a service called the Utah Open Infrastructure Agency (UTOPIA). UTOPIA is a municipal broadband service and as such, acts as a common carrier. They resell their service to Internet Service Providers (really more properly labeled as “Information services”) such as Xmission, Connected Lyfe and Prime Time Communications. They all compete to provide access to the same network on an open access network (more on this below). The UTOPIA resellers are indeed “information services” rather than telecommunications services to the extent that they do not own the infrastructure. All they’re doing is reselling service on a network they don’t own, but they manage the service they provide with billing and customer service. That’s what makes them an information service. UTOPIA is the ISP.

Comcast, on the other hand, acts like a common carrier as an Internet Service Provider. Comcast simply carries the bits from the public network across their own network to their own customers. The fact that they connect to the public network, such as their connection to Level 3 Networks, makes them a common carrier. Level 3 is a common carrier, too. Why? If L3 carries *none* of its own data, then it carries data for others.

I also want to put the lie to the claim that Comcast has a private network. As long as they connect to the public network and carry bits to their customers from the public network, they are part of the public network. That creates a public interest in their service. Unless and until they completely cut themselves off from all public networks and provide their own content to their own customers, they will remain a common carrier. While they may be tempted to do that given their resources, they would have to overcome the blowback from their customers. They would also have to pay back all the goodwill they received with cheap or free easements across property all over the country that they received along the way to becoming the largest ISP. That might be in the form of rent they pay the landowners, or they might lose the easements altogether.

Comcast is different from L3 in another major respect: it has an incentive to favor its own data sources. Even its partners’ data sources provide an incentive to favor its own traffic over others. In fact, the latest conflict between the two is about L3’s contract with Netflix to carry traffic to Netflix customers, many of whom subscribe to Comcast. Comcast, it seems, would prefer to run a toll booth rather than to play fair. They seem to have forgotten that their customers are already paying for Netflix traffic as Comcast subscribers. Implicit in their actions is the goal of making their own product more competitive with Netflix by making Netflix more expensive. Comcast doesn’t seem to mind that their customers are paying for Netflix content *twice*. And they certainly don’t want to mention that their costs per byte for connecting to L3 have gone down while the rates they charge to their customers continue to increase at a rate higher than inflation.

The original decision to brand cable modem service providers as information services also had the effect of forcing the phone companies to share their lines while the cable companies did not have to. This created an uneven playing field that allowed an enormous consolidation of resources by the cable companies. During this time, cable companies were allowed to bundle their TV services with their ISP services and eventually they were providing voice services to compete with the phone companies. Phone companies didn’t have content to bundle, so they were at a definite disadvantage with the cable companies to compete.

Line sharing, as the phone companies had to do, is also known as “open access” and has, with the exception of the United States, proved to be wildly successful wherever it has been implemented. Japan is probably the best known source of empirical evidence for the success of Open Access rules for distribution of internet service. In Japan, the government bankrolled the financing of the infrastructure in a partnership with NTT. NTT builds the infrastructure and is required to resell the use of that network at wholesale to its competitors. As a consequence there are thousands of ISPs all competing in the same market. In Japan, you can get a 60 mbs connection for around $35 a month. Of course, Comcast would prefer to have none of that since their business model is centered on creating scarcity in the market rather than abundance. And they want the entire market to themselves if they could get it. I guess to them, a private monopoly is much better than a public one.

So now we come to Net Neutrality. Net Neutrality is a ruse, pure and simple. Why? Because it assumes that the ISPs have rights that they really don’t have. Even ISPs like Comcast don’t have the right to favor traffic, shape traffic or to discriminate against traffic by charging a higher price based on the source of the traffic. The term Net Neutrality assumes that the ISPs have those rights, when they don’t. If they weren’t common carriers, they would have those rights, but they are most definitely common carriers. No matter how the FCC classifies them, they still act and walk like common carriers. Comcast and AT&T are common carriers, by their action rather than their classification.

I’m actually surprised that no one has sued the FCC to reclassify the cable companies as telecommunications companies by now. It’s important to reiterate here that telecommunications companies (the common carriers) are distinct from information services as they have *no content* to offer their customers. They are only carriers, and as such, must remain agnostic about the content they carry.

It should be plainly obvious by now that Comcast (and other content providers who own the pipes like them) have a conflict of interest to resolve. They cannot remain agnostic about content while acting as common carriers at the same time, as the temptation to favor their own content is too great to resist. This is true for any company that offers Internet access and their own content at the same time. That makes it nearly impossible to separate the incentive to provide access to content from everyone else and their own.

This conflict of interest requires any company that offers Internet access and content to be split. In the case of Comcast, the Internet access service must be separated from the entertainment content service. The best way to separate these services is to require the company to be split into two entities: one for carriage and one for content. That is the best way we can be sure that they will act as common carriers. As we have seen by recent examples of their behavior, we cannot trust them to do so.

The solution I offer is simple to state, but is rather difficult to implement without a big fight. Unfortunately, this is what I think we will need to do in order to remain competitive in world markets.

First, we need to separate content from carriage. To avoid the conflict of interest as shown above, we need to make sure that carriers and content providers are separate. This will ensure that common carriers act like common carriers with no incentive to discriminate against traffic of any kind.

Second, we need to ensure proper classification. A common carrier owns the pipes, content providers do not. We can’t even allow a member of the board of directors for the content company to sit on the board of directors for a carriage company. Separation of interests and duties is very important to remove any conflict of interest.

Third, we need to enforce the open access rules of common carriers. Common carriers own a resource that is the network. It makes no sense to dig up the streets to build a duplicate network and wait years for the deployment to happen - you know, like with power transmission and water service, right? Better to create one really fast network for everyone and let the content providers share the network. This will improve network maintenance and upgrades as well. I think in the long run, this will have to be a strictly regulated utility, like the power company is. UTOPIA promotes this idea as many municipalities around the country and around the world have done. Even Google, which is becoming the 2nd biggest ISP by its consolidation of networks and the sheer volume that it moves, is promoting the idea of open access networks.

While this is a long post with lofty ideals, we know that the devil will be in the details, and we can be sure that the incumbent service providers would rather have a captive audience than to have to deal with competition. They are going to throw up blocks at the legislature, in the courts and in the press to show what angels they really think they are and how they’re doing us such a big favor by fighting for the status quo.

The last ten years of the status quo have lost us our lead in Internet access, provided consolidation in the industry that eliminated much of the competition, left us with media giants snarling over their turfs and helped to expand or maintain the digital divide. That leaves us with very little power over a resource that started out as a source of entertainment and has grown into an irreplaceable utility: the Internet. If we fail to act now, the power of the incumbent service providers will only grow until we are left with nothing more than a walled garden that leads only to their coffers.

Now is the time to reclassify the ISPs as common carriers and secure our future in a competitive global economy by recognizing Internet access as a utility that we can all use. I urge you to discuss this issue with your local, state and federal representatives to preserve our freedoms on the Internet.