Wednesday, October 27, 2010

Making Easy Money


Even after last year's service cuts and a 17 percent fare increase on 30-day MetroCards, the nation's largest mass transit system is still imperiled by chronic budget problems. A $500 million deficit is projected for next year, and within four years annual deficits will grow to $1.5 billion.



It's everyday New Yorkers who usually bear the burden of these budget gaps. Naturally, voters want to know: which candidate for governor will finally bring the MTA's finances under control?



Unfortunately, all they've heard from the Democratic and Republican candidates is outdated rhetoric. Cuomo has said he would roll back the mobility tax, a source of $1.5 billion in annual transit revenue, while Paladino has pledged to "take apart" the transit authority "piece by piece." But does anyone have a plan to put the MTA back together again?



Both Cuomo and Paladino have made reform of Albany the central message of their campaigns. When it comes to transit, Albany certainly needs reform, but it shouldn't come via baseball bat. And threatening to end the mobility tax tells voters that racking up political points matters more than making the tough choices necessary to save mass transit.



The last thing New York needs is a continuation of the policies that have led to the MTA's grim situation: starving the transit system of vital revenue and then blaming MTA executives and MTA employees for service cuts. The fact is, the governor and state legislature are most responsible for the MTA's finances.



Recently the state legislature has gone so far as to take $160 million in dedicated revenue from transit, a decision that led to last year's service cuts. For the sake of New York's economy, and for the 2.3 million New Yorkers that rely on mass transit every day to get to work, Albany's neglect of mass transit must end.



Real reform means making smart investments in the transit system that will drive economic growth, create good jobs, boost the state's competitiveness, and save taxpayers money in the long term. Albany's mismanagement of MTA finances has saddled the authority with a $31 billion debt burden. This excessive borrowing comes at a cost. This year the MTA will pay $1.8 billion just for past borrowing, and this figure will grow to $2.7 billion a year by 2017.



Earlier this month, the Drum Major Institute for Public Policy and Transportation Alternatives released a five-step plan to help the next governor put the MTA on sound financial footing. One recommended step in the plan is fully embracing congestion pricing or bridge tolls to fund mass transit. After all, drivers greatly benefit from the congestion reduction that transit provides. Without transit, there would be 8.5 million more car trips on the region's roads every day.



Another recommended step for the next governor is to partner with New York's congressional delegation to secure more federal funding for transit. Transit is a top priority for the Obama administration and an important new transportation bill will be introduced next year. After vigorous campaigning by Mayor Antonio Villaraigosa, Los Angeles will receive a $540 million federal loan for transit. The next governor of New York should make a case in Washington for more federal funds for state transit projects. After all, the New York City metro region produces $1.2 trillion in economic activity every year. But there is no indication yet that the candidates would expend as much energy on transit as other national leaders.



Instead, there is a knee-jerk fixation on cost-cutting to solve the MTA's budget mess. It won't work. MTA chief Jay Walder has already found $700 million in annual savings through cost-cutting and other efficiencies and has plans to find more. But no amount of cost cutting will fill the $9 billion hole in the MTA's capital budget, or pay down the $31 billion in debt.



There will be no easy answers. But one thing is clear: The state's greatest revenue generator, New York City, depends on transit. And communities upstate will look for new transit options as gasoline gets more expensive. Other cities across the globe are ambitiously building transit systems with the intent of supplanting New York's dominance. The next governor cannot create a competitive twenty-first century transit system via cuts and quick fixes. Reinvestment is crucial.



John Petro is an urban policy analyst at the Drum Major Institute for Public Policy. Noah Budnick is deputy director at Transportation Alternatives.







Liar, Liar, Sheep on Fire


Glenn Fleishman is a Seattle journalist who started one of the first Web-hosting companies in 1994, worked for Amazon in 96-97, and then decided he wanted a life. He writes for The Seattle Times, The Economist, and TidBITS, among other publications.






Photo: Prasad Kholkute



Firesheep should freak you out, at least for a moment. It's a Firefox extension that lets any normal human being--I'm not talking about you, BoingBoing readers--install the add-on and then steal the active sessions of people using unencrypted browsing sessions with popular online services on the same Wi-Fi network. This involves no Wi-Fi trickery: on an open hotspot, every device's frames are broadcast in the clear to every other device in range, so the add-on simply listens for the session cookies that ride along on plain HTTP requests.



Walk into any busy coffeeshop, fire up the 'sheep, and a list of potential identities to assume at any of two dozen popular sites appears. Double-click, and you snarf their identifying token, and log in to the site in question as that person.



Firesheep is a business-model tour de force, not a zero-day technical one. It's a proof of concept that repackages and expands on earlier security research to expose a failure in the risk profile adopted by Web sites on behalf of their unsuspecting users. There's no money to be made by a Web site in fixing this problem for its customers or readers. Thus, only a security-conscious CIO might be able to push through the budget item necessary to bump the back-end systems up to the level needed.



Firesheep is a public relations exploit, too; it's so easy to use and to demonstrate that it shot round the world. Previous demonstrations spread the word in the tech community, and a little beyond. Firesheep is telegenic.



The add-on is the latest effort to lay bare a well-known problem in how major (and minor) Web sites identify users after login. Even if you log in over a secure SSL/TLS connection, which encrypts everything between your browser and the site's server, many sites then hand you back to plain old HTTP. In the process, the site brands you with a token, usually a cookie, that stands in for the login you completed, and your browser dutifully attaches that cookie to every later request to the site, including the unencrypted ones, unless the site marked the cookie with the Secure attribute. This is a separate issue from involuntary ad tracking or the undeletable evercookie. (BoingBoing itself uses such tokens for both commenting and the Submitterator, which arguably means that someone could post nonsense under your name from a coffeeshop, but don't people do that already?)



Because the open Web is stateless, a sequence of pages viewed by the same browser might as well be pages viewed by entirely different browsers. A login token placed in a cookie glues those pages together into a session. The token doesn't let a third party sniff your user name or password, but whoever holds it can lay claim to your identity until it expires or the site revokes it, and nothing in the token itself ties it to your browser or your machine. (HTTP does have its own built-in authentication, Basic and Digest auth, but Basic repeats the credentials on every request, Digest rests on weak cryptographic elements, and browsers present both through fixed dialog boxes that a site cannot adapt for failed logins, lost passwords, or add-ons like a CAPTCHA.)
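To make that concrete, here is an added example (mine, not Firesheep's code) that does on a constructed capture what the add-on does on a live one: it parses plaintext HTTP requests, looks up which cookie names identify a session for each host, and reassembles the Cookie header a browser would send to assume that session. The hosts, cookie names and requests are all constructed for the example; a real tool would read the requests from libpcap rather than from a list.

```python
"""Added example, not Firesheep's code: what a sidejacker on a shared
link actually needs, shown on constructed plaintext HTTP requests."""
from http.cookies import SimpleCookie

# Hypothetical per-site "handlers": each site has one or two cookie names
# that alone identify a logged-in session. Hosts and names are constructed.
SESSION_COOKIES = {
    "social.example": {"sid", "user"},
    "shortener.example": {"_session"},
}

# Constructed capture: three requests as they appear on the wire over plain
# HTTP. Only the first two hosts have a handler; the third is skipped.
CAPTURED_REQUESTS = [
    b"GET /home HTTP/1.1\r\nHost: social.example\r\n"
    b"Cookie: sid=9f3a2c; user=alice; theme=dark\r\n\r\n",
    b"GET /i/abc HTTP/1.1\r\nHost: shortener.example\r\n"
    b"Cookie: _session=7d1e; locale=en\r\n\r\n",
    b"GET /news HTTP/1.1\r\nHost: paper.example\r\n"
    b"Cookie: visitor=42\r\n\r\n",
]


def parse_request(raw):
    """Split one HTTP/1.x request into (method, path, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def harvest_sessions(requests):
    """Return {host: {cookie_name: value}} for every request that carries
    a cookie named in SESSION_COOKIES. Hosts without a handler are ignored,
    which is why the "millions" of smaller sites escape a stock Firesheep."""
    found = {}
    for raw in requests:
        _method, _path, headers = parse_request(raw)
        host = headers.get("host", "")
        wanted = SESSION_COOKIES.get(host)
        if not wanted or "cookie" not in headers:
            continue
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        stolen = {k: m.value for k, m in jar.items() if k in wanted}
        if stolen:
            found[host] = stolen
    return found


def replay_cookie_header(stolen):
    """Reassemble the Cookie header a browser would send to assume the
    session. No password appears anywhere in this flow."""
    return "; ".join(f"{k}={v}" for k, v in stolen.items())


if __name__ == "__main__":
    for host, jar in harvest_sessions(CAPTURED_REQUESTS).items():
        print(host, "->", replay_cookie_header(jar))
```

The point to notice is what is absent: no password, no Wi-Fi key, no exploit against the browser. The host the harvester skips (paper.example) stands for the smaller sites discussed below, sidejackable in exactly the same way but not worth a handler.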



The developer of Firesheep, Eric Butler, traces the understanding back to 2004, but 2007 is when knowledge went over the top. Robert Graham of Errata Security coined the term "sidejacking" in a 2007 Black Hat presentation, and released a proof of concept not much different in intent or function from Firesheep, but without the click-to-install simplicity, the long list of sites to snarf, and the browser integration.



Of the large firms with this flaw, I'd argue that Google took this most seriously. In the intervening three years, Google has been layering SSL/TLS on ever more of its services. Gmail even added an option to kill other sessions. (Scroll to the bottom of the Gmail screen, and click Details at the end of the "last account activity" line to view the option.)



Many other sites have let the problem remain, though, beefing up security only through the sop of a secure login page, as noted above. It's now quite rare to find a major site that allows an unencrypted login, which is a big improvement over a few years ago, but that protects the password, not the session that follows it. Firesheep ships with 26 prefabricated sidejacking handlers for sites like Facebook, Amazon, and bit.ly. Amazon and other sites that mix plain HTTP and SSL/TLS-protected pages require re-authentication over SSL/TLS when you move into making a purchase, canceling an order, or other account-based activities. But you can place a 1-Click order without logging in again.



Less-visited sites in the millions have this sheepish problem, and some use identical software (and thus token names in the browser) making a mass-exploit via a Firesheep update the work of minutes. But it's far less likely a random coffeeshop ne'er-do-well would sidejack such a session, or get anything out of it.
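From the site's side, the fix is not mysterious, and the check for it can be automated. The following added example (not any site's actual headers or code) audits a response the way a site operator, or a curious user with the browser's network panel open, would: is the page on https://, does the site send Strict-Transport-Security so the browser never drops back to http://, and do the session cookies carry the Secure attribute so they are never sent in the clear? The two header sets are constructed.

```python
"""Added example, not any site's real headers: audit one HTTP response for
the conditions that make its session sidejackable from a shared network."""


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_response(scheme, headers):
    """Return a list of findings. scheme is the URL scheme the browser used
    to fetch the page; headers is the raw (name, value) list as sent."""
    findings = []
    has_hsts = any(k.lower() == "strict-transport-security"
                   for k, _ in headers)
    if scheme == "http":
        findings.append("page served over plain HTTP: any cookie the browser "
                        "sent with this request crossed the network in the clear")
    elif not has_hsts:
        findings.append("HTTPS without Strict-Transport-Security: the next "
                        "http:// link to this site will carry any cookie "
                        "that lacks Secure")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: the browser will "
                            "send it over http:// too")
    return findings


# Constructed header sets: the pattern the article describes, and its fix.
SHEEPISH = ("http", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=9f3a2c; Path=/"),
])
HARDENED = ("https", [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=9f3a2c; Path=/; Secure"),
])

if __name__ == "__main__":
    for label, (scheme, headers) in (("sheepish", SHEEPISH),
                                     ("hardened", HARDENED)):
        print(label, audit_response(scheme, headers) or ["no findings"])
```

Secure alone is necessary but not sufficient: a cookie marked Secure simply disappears on the site's http:// pages, so the logged-in experience has to be served over SSL/TLS throughout. That is the back-end cost the article is talking about.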



The remaining question is, of course, what can you do to prevent your credentials from making you go baaaaaaaaaa? Lots.



* Firefox users should install HTTPS Everywhere, a joint effort of The Tor Project and the Electronic Frontier Foundation. This forces SSL/TLS connections for sites that offer, but don't require, continuous secured browsing, including content sites like the New York Times and Wikipedia. You can use the Tools > Add-ons option to disable specific sites if you have trouble.



* Engage in no unsecured Web logins when working on an untrusted network, public or otherwise. This is my primary approach after HTTPS Everywhere. It's easier than it sounds. If I can't use SSL/TLS through a session, I don't do it unless I use a VPN (see below).



* Secure all the services you use. Most email hosts offer SSL/TLS-protected POP, IMAP, and SMTP sessions. FTP is absolutely in the clear; use SFTP (an SSH-based variant) or FTPS (FTP with SSL/TLS encryption). Check the box for SSL/TLS anywhere it's available. Twitter's API for third-party clients defaults to unprotected transactions; Echofon, at least, has a "use SSL" box I check.



* Use a VPN. A virtual private network connection creates an encrypted tunnel for all your data between your computer or mobile and a server somewhere else on the Internet. That's typically more than enough to protect you from sniffing on the local link. I've used WiTopia for years, which is a fee-based service offering PPTP and SSL VPN connections. (Of the two, use the SSL VPN: PPTP's MS-CHAP authentication has known cryptographic weaknesses.) AnchorFree offers Hotspot Shield at no cost.



* Instead of a VPN, set up an SSL/TLS Web proxy through which all your browsing is rerouted. That also protects the local link, and can be easier if you have a server elsewhere on which you can set one up, or if you use a paid service.
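HTTPS Everywhere works by rewriting URLs against per-site rulesets before the request leaves the browser, and its rulesets can also flag a site's cookies Secure so they stop riding along on any plain-HTTP request. The added example below (mine, modelled on the shape of those rulesets, not the EFF's code or its real rules) implements both mechanisms in Python over constructed rules for two made-up sites: a wildcard target with a simple scheme swap and a securecookie rule, and a site with an exclusion for a path that does not work over HTTPS, the kind of case the "disable specific sites if you have trouble" advice is about.

```python
"""Added example: HTTPS Everywhere-style URL rewriting and cookie securing
over constructed rulesets. Not the EFF's code and not its real rules."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed rulesets in the shape of HTTPS Everywhere's XML: <target> picks
# hosts, <rule> rewrites matching URLs, <exclusion> protects paths that break
# over HTTPS, <securecookie> marks matching cookies Secure.
RULESETS_XML = r"""
<rulesets>
  <ruleset name="Encyclopedia (constructed)">
    <target host="*.encyclopedia.example" />
    <rule from="^http://" to="https://" />
    <securecookie host=".*\.encyclopedia\.example$" name=".+" />
  </ruleset>
  <ruleset name="Newspaper (constructed)">
    <target host="newspaper.example" />
    <target host="www.newspaper.example" />
    <exclusion pattern="^http://www\.newspaper\.example/video/" />
    <rule from="^http://(www\.)?newspaper\.example/"
          to="https://www.newspaper.example/" />
  </ruleset>
</rulesets>
"""


class Ruleset:
    def __init__(self, elem):
        self.name = elem.get("name")
        self.targets = [t.get("host") for t in elem.findall("target")]
        self.exclusions = [re.compile(e.get("pattern"))
                           for e in elem.findall("exclusion")]
        # Rule targets use $1-style backreferences; Python's re wants \1.
        self.rules = [(re.compile(r.get("from")),
                       re.sub(r"\$(\d+)", r"\\\1", r.get("to")))
                      for r in elem.findall("rule")]
        self.securecookies = [(re.compile(s.get("host")),
                               re.compile(s.get("name")))
                              for s in elem.findall("securecookie")]

    def matches_host(self, host):
        """Exact host match, or any subdomain for a leading '*.' target."""
        for target in self.targets:
            if target.startswith("*."):
                if host.endswith(target[1:]):
                    return True
            elif host == target:
                return True
        return False

    def rewrite(self, url):
        """Rewritten URL, or None if an exclusion or no rule applies."""
        if any(x.search(url) for x in self.exclusions):
            return None
        for pattern, to in self.rules:
            if pattern.search(url):
                return pattern.sub(to, url, count=1)
        return None


def load_rulesets(xml_text):
    root = ET.fromstring(xml_text.strip())
    return [Ruleset(e) for e in root.findall("ruleset")]


def secure_url(url, rulesets):
    """Upgrade an http:// URL via the first ruleset that claims its host.
    https:// URLs, excluded paths and unknown hosts come back unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    for rs in rulesets:
        if rs.matches_host(parts.hostname or ""):
            rewritten = rs.rewrite(url)
            if rewritten is not None:
                return rewritten
    return url


def should_secure_cookie(host, cookie_name, rulesets):
    """True if some ruleset says this cookie must carry the Secure flag."""
    return any(h.search(host) and n.search(cookie_name)
               for rs in rulesets for h, n in rs.securecookies)


if __name__ == "__main__":
    rules = load_rulesets(RULESETS_XML)
    for u in ("http://en.encyclopedia.example/wiki/Firesheep",
              "http://newspaper.example/2010/10/27/story",
              "http://www.newspaper.example/video/clip"):
        print(u, "->", secure_url(u, rules))
```

The exclusion is the important edge case: a URL the ruleset refuses to rewrite is fetched over plain HTTP, and any cookie not already flagged Secure goes with it, which is why the securecookie rule matters as much as the rewrite.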



Eric Butler has complementary advice in a post on his site, written the day after releasing Firesheep with co-presenter Ian Gallagher. Read that for more on what does not work, too.



Firesheep is named after the famous Wall of Sheep at Defcon, which displays selected details of unencrypted logins and other sessions over the event's Wi-Fi network from people who, by attending Defcon, should know better than to ever send anything unencrypted over a public Wi-Fi network. If Firesheep succeeds, the whole world becomes a Wall of Shame, with the shame reflecting on the sites that haven't updated their costs and systems to reflect the current reality of basic security when their users surf in public.



Glenn Fleishman contributes continuously to the Economist's Babbage blog, and is a senior editor at the Mac journal TidBITS.


