An Introduction to Net Neutrality: What It Is, What It Means for You, and What You Can Do About It

Net Neutrality.

You may have heard about it on the news. You may not entirely understand what it’s all about. Here’s a primer on what net neutrality is, how it might affect you, and what you can do about it.

What is Net Neutrality?

As its name indicates, net neutrality is about creating a neutral internet. The basic principle driving net neutrality is that the internet should be a free and open platform, almost like any other utility we use in our home (like electricity). Users should be able to use their bandwidth however they want (as long as it’s legal), and internet service providers should not be able to provide priority service to any corner of the internet. Every web site (whether it’s Google, Netflix, Amazon, or UnknownStartup.com) should be treated the same when it comes to giving users the bandwidth to reach the internet-connected services they prefer. Your electric company has no say over how you use your electricity—they only get to charge you for providing the electricity. Net neutrality aims to do something similar with your internet pipes.

Those against net neutrality—commonly including internet service providers (ISPs), like Comcast or AT&T—believe that, as providers of internet access, they should be able to distribute bandwidth differently depending on the service. They’d prefer, for example, to create tiers of internet service that are more about paying for priority access than for bandwidth speeds. As such, in theory, they could charge high-bandwidth services—like Netflix, for example—extra money, since their service costs more for Comcast to provide to its customers—or they could charge users, like you and me, extra to access Netflix. They can also provide certain services to you at different speeds. For example, perhaps your ISP might give preferential treatment to Hulu, so it streams Hulu videos quickly and for free, while Netflix is stuck running slowly (or we have to pay extra to access it).

What are the Arguments For Net Neutrality?

Proponents of net neutrality don’t want to give the ISPs too much power because it could easily be abused. Imagine that Verizon or AT&T don’t like the idea of Google Voice, because it allows you to send text messages for free using your data connection. Your cellphone carrier could block access to Google Voice from your smartphone so you’re forced to pay for a texting plan from them. Or, they see that a lot of people are using Facebook on their smartphone, so even if they have the bandwidth to carry that traffic, they decide to charge you extra to access Facebook, just because they know it’s in high demand and that they can make a profit.

Similarly, Comcast recently got in a tiff with Netflix over its streaming video offerings, essentially telling Netflix’s partners that they’d need to pay if they wanted their content delivered on their network. Comcast argued that streaming Netflix is a huge traffic burden, and if they’re going to provide that service they’ll need to update their infrastructure. Netflix’s argument was that Comcast provides the internet, and it’s Comcast’s users who have requested that extra bandwidth for the services they want.

Another way to look at it: Comcast also has their own On Demand service which directly competes with Netflix—and if Comcast is allowed to divide up their service as they please, the option to give preferential treatment to their own service isn’t exactly fair just because they’re the internet provider. And, with Comcast and NBC looking to merge, the waters can get even murkier. The resulting superpower could give preference to all of NBC’s content too, thus leaving other content providers out in the cold.

Another problem here is that while big services like Netflix could, in theory, afford to pay Comcast for using extra bandwidth, the small, lesser-known services—that could be big one day but aren’t yet—can’t. Really great web sites or internet services might never gain popularity merely because ISPs would have control over what kind of access users like you and me have to that service. That could greatly stifle innovation, and we’d likely miss out on a lot of cool new services.

What are the Arguments Against Net Neutrality?

Anti-net neutrality activists argue that internet service providers have a right to distribute their network differently among services, and that in fact, it’s the ISPs that are innovating. They argue that giving preferential treatment to different services isn’t a bad thing; in fact, sometimes it’s necessary. In the recent Comcast/Netflix debate, they point out that if Netflix is sucking up all their bandwidth, they should be the ones to pay for the necessary updates that Comcast’s systems will require because of it.

Many free market proponents are also against the idea of net neutrality, noting that Comcast and AT&T are companies like any other that should be able to compete freely, without government regulation. They themselves aren’t "the internet"—they’re merely a gateway to the internet, and if they’re each allowed to manage their networks differently, you’re more likely to have competition between service providers which ultimately, they claim, is better for the users. If you don’t like the fact that Netflix is slower on Comcast than it is on AT&T, you can switch to AT&T.

The problem, however, is still that ISPs could always favor their own services over others, leaving services with no connection to the ISP out in the cold. Furthermore, most people don’t have much choice in who their ISP is, since in any given location there may be only one or two ISPs providing internet.

What are the Current Laws?

The Federal Communications Commission (FCC) released a new set of net neutrality rules on December 21, 2010 for internet service providers. Here’s the state of net neutrality regulation as of right now:

Transparency

First and foremost, the FCC requires that ISPs publicly disclose all their network management practices, so that users can make informed decisions when purchasing internet service. That means they’d have to say what speeds it offers, what types of applications would work over that speed, how it inspects traffic, and so on. It does not necessarily mean that those disclosures will be understandable by non-tech savvy individuals—in fact, we’ve already seen how ISPs try to spin their "what you’ll get" charts to get you to purchase the most expensive internet (see the misleading image above)—so this rule doesn’t necessarily mean a lot to the average consumer.

No Blocking or Unreasonable Discrimination for Wired Internet

Wired ISPs—that is, providers of the internet in your home—are not allowed to outright block any legal web content, applications, or services. The FCC also notes that they aren’t allowed to slow down traffic either, as this often renders a service unusable and thus is no different from outright blocking. For example, Comcast has always throttled BitTorrent downloads, but it didn’t block them completely—it just slowed them down to a crawl. Under these new rules, that wouldn’t be allowed either.

The new rules also do not allow wired ISPs to discriminate against legal network traffic. This means that Comcast cannot, in fact, discriminate against competitive services like Netflix or stifle free speech (by, say, discriminating against political outlets that have views different from the ISP or its parent company).

Your Smartphone Doesn’t Count

Mobile ISPs, on the other hand, are not subject to the same rules. The FCC believes mobile broadband—that is, the data plan you have on your cellphone—is still young enough that it may need heavier network management than wired broadband. As such, they haven’t made any broad net neutrality rules as of yet. Mobile ISPs are still prohibited from blocking services on the web that compete directly with their own, but they can continue to discriminate—which means that at any given point, you could find an internet service blocked or deliberately slowed down when accessing it from your smartphone. Furthermore, if the ISPs so choose, they could charge you extra to access certain services, like Facebook or Netflix. App stores are exempt from these rules, so the App Store and Android Market can be as closed as they want to be. So, if Apple decided that they no longer wanted Google Voice to be available in the App Store, they could remove it—even though it’s a service that directly competes with AT&T.

The other groups exempt from the rules are managed services—services that companies pay extra for, and thus require a higher level of service. A good example is AT&T’s IPTV service—they provide television and on demand services through the internet instead of over cable or radio frequencies, and they dedicate a certain amount of their bandwidth for just those services, leaving less bandwidth for everything else. Again, this isn’t intrinsically bad, but giving ISPs unlimited power to do this can lead to dangerous territory.

So Why the Fuss?

The rules as we’ve laid them out above offer a pretty condensed summary of the main points in the FCC’s latest release, and while they seem like a big step forward (namely the neutrality rules in place for wired connections), a lot of net neutrality proponents are still unhappy. The exception for mobile broadband is a pretty big complaint, as are the exceptions for managed services. A lot of folks also argue that loopholes abound in the new rules, like the fact that all the rules are subject to "reasonable network management", which isn’t very well defined. To be fair, neither—this is to be expected in such a heavily debated issue. Proponents think the rules aren’t strict enough and that the ISPs have gotten "exactly what they wanted", while the anti-net neutrality camp think that the internet companies are being too heavily regulated.

In the end, it’s all about the control you, as a user, have over how you use the internet. While net neutrality’s opponents argue that tiered service creates more control for the user, most of us don’t see it that way—we’d like to be able to access all internet services equally, instead of having certain services given preferential treatment. After the passing of these rules, the wired internet in our homes is a bit safer, but the internet we access from our smartphones isn’t. ISPs could still block, discriminate against, or charge extra for web sites and services we get on-the-go, taking control out of your hands.

If you really want to argue about the finer points, you’ll want to dig into the actual FCC release, as this or any other summary isn’t going to provide the nuances and specifics nearly well enough. But in general, this should give you a good idea of where we are now.

What Can I Do to Get Involved?

If you’re reading this and foaming at the mouth in anger, there are a few things you can do. The FCC has a complaint system set up for citizens to voice their issues on communications-related topics.

Submit an Informal Complaint

Submitting an informal complaint is easy, as it’s all done online, and anyone can do it. Right now, the form isn’t exactly friendly—there don’t seem to be any specific sections about the new net neutrality rules—but the FCC says they’ll be making resources available for net neutrality-specific complaints. For now, Ars Technica recommends hitting "Internet Service and VoIP", then heading to "Billing, Service, Availability" and going to the online form from there.

Submit a Formal Complaint

End users can’t submit formal complaints, but if you’re a company or public interest group that’s very concerned about the new rules (and you’ve got $200 to spend on the filing fee), you can file a formal complaint, which is often like a court hearing. You’ll probably need a lawyer, and for most of us, the informal route is the best bet. But Ars has more information on formal complaints if you’re interested.

Spread the Word

Net neutrality’s a complicated issue, and a lot of people still aren’t informed about what’s going on. Explain the issue to your friends and family—the more people know about it, the more people that might be affected and might speak out. You can also check out each side’s respective organization, SavetheInternet.com for pro-net neutrality voices and HandsOff.org for anti-net neutrality voices. They’ve each got a ton of links to other ways you can talk to your congresspeople, write letters and sign petitions to make your voice heard.

The Heartbleed SSL Bug

Just days ago one of the largest Internet security flaws in recent history was discovered: the Heartbleed bug.

While you’ve probably heard on the news about this bug, this cartoon is probably the simplest explanation yet.

The Heartbleed bug tricks a server into spilling out extra information from its memory. A server’s memory often includes sensitive personal information, such as your passwords, credit card numbers, and other data you wouldn’t want anyone else to see.

This information is usually encrypted, which means it’s translated to an indecipherable code when it’s transferred between servers, but Heartbleed can decode this encryption and store the codes used to protect your data. That’s because Heartbleed takes advantage of a vulnerability in OpenSSL, a popular encryption standard used to power a giant chunk of the Web.

Popular web comic XKCD has broken down how Heartbleed works through this cartoon.

Heartbleed attacks a vulnerability in OpenSSL called Heartbeat, which is a means of calling out to a server to make sure the connection is secure. The Heartbeat message usually contains arbitrary data and a length field denoting how many bytes of data are in the message. The server would then spit that exact message back to the original sender to prove that the connection is secure. The Heartbleed bug involves an issue with the server reading the length field incorrectly, which in turn tricks your server into spitting out more data than it should without realizing it.
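The length-field mistake described above can be reproduced safely in a few lines. This is an added example, not code from OpenSSL or from the original post: it simulates server memory with a Python byte string, and the function names and the `ADJACENT` data are constructed for illustration. The checked version applies the rule from RFC 6520 that a heartbeat whose claimed payload length is too large must be discarded silently.

```python
import struct

HEARTBEAT_REQUEST = 1
HEADER_LEN = 3      # 1-byte type + 2-byte big-endian payload length
MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for server memory: the received record is followed
# by unrelated data that must never leave the process.
ADJACENT = b"user=alice&password=CONSTRUCTED-SECRET"


def make_request(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat request whose length field may not match the payload."""
    header = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len)
    return header + payload + bytes(MIN_PADDING)


def echo_unchecked(record: bytes) -> bytes:
    """Pre-fix behaviour: trust the length field and copy that many bytes."""
    memory = record + ADJACENT              # the record sits next to other data
    _msg_type, claimed = struct.unpack_from("!BH", memory)
    return memory[HEADER_LEN:HEADER_LEN + claimed]


def echo_checked(record: bytes):
    """Fixed behaviour: drop any request whose claimed length exceeds the record."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None                         # too short to be a valid message
    msg_type, claimed = struct.unpack_from("!BH", record)
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + claimed + MIN_PADDING > len(record):
        return None                         # length field lies: discard silently
    return record[HEADER_LEN:HEADER_LEN + claimed]


if __name__ == "__main__":
    lying = make_request(b"bird", 64)       # 4 bytes sent, 64 bytes claimed
    print("unchecked:", echo_unchecked(lying))
    print("checked:  ", echo_checked(lying))
```

With an honest request both functions return the same four bytes; only a request that overstates its length separates them.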

Most websites have now patched the offending version of OpenSSL which contained the bug. Although not required, it is recommended to change your passwords.

In cartoon form, it looks like this:

Are you still there, server? It's me, Margaret

Cryptolocker: How to avoid getting infected and what to do if you are

There’s a big threat whirling around on the Internet right now: A particularly nasty piece of ransomware called Cryptolocker. Many, many organizations are being infected with this malware, but fortunately, there are surefire ways to avoid it and also ways to mitigate the damage without letting the lowlifes win.

What is Cryptolocker?

Cryptolocker comes in the door through social engineering. Usually the virus payload hides in an attachment to a phishing message, one purporting to be from a business copier like Xerox that is delivering a PDF of a scanned image, from a major delivery service like UPS or FedEx offering tracking information or from a bank letter confirming a wire or money transfer.

Cryptolocker’s ransom note to infected users.

The virus is, of course, an executable attachment, but interestingly the icon representing the executable is a PDF file. With Windows’ hidden extensions feature, the sender simply adds “.pdf” to the end of the file (Windows hides the .exe) and the unwitting user is fooled into thinking the attachment is a harmless PDF file from a trusted sender. It is, of course, anything but harmless.

Once Cryptolocker is in the door, it targets files with the following extensions:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

When it finds a file matching that extension, it encrypts the file using a public key and then makes a record of the file in the Windows registry under HKEY_CURRENT_USER\Software\CryptoLocker\Files. It then prompts the user that his or her files have been encrypted and that he or she must use prepaid cards or Bitcoin to send hundreds of dollars to the author of the malware.

Once the payment has been made, the decryption usually begins. There is typically a four-day time limit on the payment option; the malware’s author claims the private key required to decrypt files will be deleted if the ransom is not received in time. If the private key is deleted, your files will essentially never be able to be decrypted — you could attempt to brute force the key, but as a practical matter, that would take on the order of thousands of years. Effectively, your files are gone.

Currently, the only versions of Cryptolocker in existence target files and folders on local drives and mapped drives. The malware does not currently attempt to perform its malfeasance over network-based universal naming convention paths, although one would surmise this would be a relatively simple change for the author of the ransomware to make.

Antivirus and anti-malware programs, either running on endpoints or performing inbound email message hygiene, have a particularly difficult time stopping this infection. Unless you have a blanket email filtering rule stripping out executable attachments, and that tool is intelligent enough to do so without allowing the user to request the item’s return from quarantine, you will see your users getting these phishing messages attempting to introduce Cryptolocker. It is only a matter of time.
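A mail-hygiene check for the disguised attachment and the blanket executable-stripping rule described above could look like the following. This is an added example, not part of the original article or of any product it mentions; the extension lists are illustrative assumptions, and the sample message and its attachments are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: short illustrative lists, not a complete policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg"}


def _exts(filename):
    """Return the lower-cased extensions of a filename, in order."""
    parts = filename.lower().strip().rstrip(".").split(".")
    return ["." + p.strip() for p in parts[1:]]


def inspect_attachment(filename, data):
    """Return the reasons an attachment should be stripped (empty list = pass)."""
    reasons = []
    exts = _exts(filename or "")
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension " + exts[-1])
        if len(exts) > 1 and exts[-2] in DECOY_EXTS:
            reasons.append("decoy extension " + exts[-2] + " before " + exts[-1])
    if data[:2] == b"MZ":          # DOS/PE header, whatever the name claims
        reasons.append("content starts with MZ (Windows executable)")
    return reasons


def scan_message(raw):
    """Map each attachment filename in a raw message to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings[name] = inspect_attachment(name, data)
    return findings


def build_sample():
    """Constructed sample: one disguised executable stub and one plain PDF."""
    msg = EmailMessage()
    msg["Subject"] = "Scanned image from copier"   # constructed
    msg.set_content("Please see the attached scan.")
    msg.add_attachment(b"MZ\x90\x00constructed-stub", maintype="application",
                       subtype="octet-stream", filename="scan_0042.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n%constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name, "->", reasons or "pass")
```

Checking the first bytes as well as the name catches an executable that has simply been renamed to `.pdf`, which the extension test alone would pass.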

Prevention: Software Restriction Policies and AppLocker

As of now, the best tool to use to prevent a Cryptolocker infection in the first place — since your options for remediating the infection involve time, money, data loss or all three — is a software restriction policy. There are two kinds: Regular software restriction policies, and then enhanced AppLocker policies. I’ll cover how to use both to prevent Cryptolocker infections.

There is a new tool available from FoolishIT called CryptoPrevent that adjusts the settings on your computer to help prevent the current version of the Cryptolocker ransomware. But that is just it, the current version. Please make sure you have current backups and they are disconnected from the system, so they are not infected as well.
This is serious, folks. If you get this, you will probably lose your data, or be out $300. Be careful.

From Computer World Article
Additional information can be found:
Reddit Thread in /r/sysadmin
Full Bleeping Computer Information
Wikipedia article
