Thursday, November 29, 2007

Blue Christmas

'Tis the season to be generous. That means lots of folks are logging on to the web sites of non-profits like CARE and the Red Cross to make donations, either for themselves or as gifts to friends and family who already have all the electronic gizmos and consumer crud they need.

Unfortunately, some of those good-hearted souls are going to find a lump of coal in their Christmas stockings in the form of stolen email addresses and passwords. As reported in Computerworld on November 28th, the FBI is investigating a data breach at Convio Inc., a firm that specializes in recruitment and fund raising software and services for the non-profit sector. According to the report, criminal hackers managed to lift information on 92 non-profit organizations (including The Red Cross and CARE) and were preparing to help themselves to data on another 62 when Convio discovered the leak in their data dike and plugged it.

How did this happen? Here's a Convio spokesperson, as quoted in Computerworld:

"The intruder obtained a log-in and password belonging to a Convio employee," wrote Dave Crooke, a company staffer, on a mailing list used by nonprofit professionals. "It appears that their PC was compromised, but we are still investigating."

Those of you who read my earlier blog entry on the importance of keeping your PCs secure will not be surprised to discover that I rolled my eyes as I read that. A chain is only as strong as its weakest link. A company's data is only as secure as its most clueless employee's PC. Your personal data is only as secure as your own PC. Why is it so hard for some people to comprehend this?

The situation isn't going to get any better. Cybercrooks are getting smarter as operating systems become more secure. Windows and OS X are too locked-down to be easily exploited? No problem - there are plenty of individual applications (like QuickTime, Windows Media Player, Firefox and - of course - Internet Explorer) with vulnerabilities. The corporate love affair with outsourcing application development to countries (such as China, Brazil and Russia) that are havens for cyberthieves, combined with the tendency for developers to consider security as less important than bells and whistles, provides fertile ground for a bumper crop of exploits. And, of course, good old-fashioned social engineering, phishing, and other techniques based on the notion that there's a sucker born every nanosecond will continue to be useful to what The Saint referred to as “The Ungodly”.

But don't take my word for it. Take a look at the SANS Institute's Top 20 2007 Security Risks report. According to them, “[t]he number of attempted attacks for some of the large web hosting farms range from hundreds of thousands to even millions every day.” If computer security is an arms race (which it is), the Bad Guys are 'way out in front.

With apologies to The King: You'll be doin' all right with your Christmas of white, but security pros will have a blue, blue Christmas.

Thursday, November 01, 2007

Absolutely Free

Well, it's now official: there will be no free wireless Internet access for the city of St. Louis. Originally conceived as a city-wide service, municipal Wi-Fi (wide-area wireless service) will now be confined to a downtown-only “pilot project”.

In the technology business, “pilot project” is often a euphemism for “consolation prize” - although in this case it might just be a realistic alternative for the near term. Condo developments are sprouting like dandelions in downtown St. Louis right now (see the Urban St. Louis site for some examples), so a municipal Wi-Fi network there might actually be profitable.

There's no need to go into the gory details behind the failure of the original plan as they're available on line, although it is rather surprising that it took so long for somebody to notice that there's no power running to city street lights in the daytime - thereby killing the plan to mount Wi-Fi antennas on them. Anyone who has spent any time in the city after dark has surely noticed that lights go on or off in blocks rather than individually.

St. Louisans need not feel stigmatized by the evaporation of this particular techno-mirage, though. As The Economist magazine noted in an August 30th article, “many municipal Wi-Fi projects have since been hit by mounting costs, poor coverage and weak demand”. Chicago has killed its muni Wi-Fi project, as have Springfield (IL) and even San Francisco. Meanwhile, existing networks, from Tempe (AZ) to Taipei, have failed to fully live up to expectations.

Some of the problems are technological. The outdoor transmitters don't generally have the power to penetrate walls effectively, for example, so indoor coverage is spotty. But the main barriers to the spread of municipal Wi-Fi networks appear to be economic.

Building the basic infrastructure that would provide seamless, wireless Internet access is expensive. A 2005 Jupiter Research paper estimated that price at $150,000 per square mile. An October 27th, 2007, article in the St. Louis Post-Dispatch estimated the cost at closer to $200,000. Even in a relatively small geographic area like the city of St. Louis (62 square miles), that's a lot of money invested up front with no real guarantee of a profitable return.

One solution, as municipal WiFi advocate Esme Vos suggests in a recent interview, might be for cities to provide the basic network access infrastructure - the wireless transmitters and related back-end hardware and software - in much the same way they now provide physical infrastructure such as roads and sewer systems. They could open up these networks to the Internet service providers, who would sell the actual Internet access to subscribers just as they do now over existing telephone lines. Cities could pay for the network investment via a combination of taxes and payments from the Internet carriers.

This might also have the advantage of making the hurdles lower for ISPs who might want to sell to the folks connecting to the municipal network. As Vos points out, this is what has happened in “Nordic countries” where this “socialist” approach has actually resulted in more consumer choice than here in the USA, where our options are usually limited to either the cable monopoly or the telecom monopoly.

That's because free-for-all capitalism tends to devolve into a small group of non-competing monopolies. But that, I suppose, is another blog post.