Kentucky Governor blocks state employee access to critical blogs

Gov. Ernie Fletcher (R-KY), embroiled in scandal, has had the state block access to blogs reporting on the scandal, including the BlueGrassReport. The blocking was apparently put into place the day after the New York Times mentioned the BlueGrassReport blog. The list of blogs known to be blocked:

BlueGrassRoots
http://www.bluegrassroots.org/

The Compassionate eCommunity (Jonathan Miller)
http://compassionatecommunity.blogspot.com/

Kentucky Progress (David Adams)
http://kyprogress.blogspot.com/

Kentucky Republican Voice
http://kyrepublicanvoice.blogspot.com/

The Kentucky Democrat (Daniel Solzman)
http://kydem.blogspot.com/

Fletcher's administration is currently facing 15 indictments, including three misdemeanor charges against Fletcher himself for his role in a patronage scheme, forcing Democrats out of state civil service jobs and giving the jobs to his cronies. In the process he's lost 6 of his 9 cabinet members and is on his sixth press secretary since his 2003 election.

Content providers and ISPs: who really has the stronger hand?

George Ou points out a case where the content provider is already offering content only to the ISPs who enter into agreements with the content provider, rather than an ISP only allowing connectivity to content providers who enter into agreements with the ISP. While there are lots of examples of content providers making arrangements with individual users, it has been relatively rare that the arrangements are made on the part of an entire ISP. This is extremely common, however, in the cable industry, where there have frequently been disputes between content providers and cable companies which have led to content providers denying the use of certain popular channels unless the cable companies agreed to per-user fees or to carry other additional channels. A similar dust-up occurred in March 2004 in the direct broadcast satellite business, when Viacom and EchoStar (Dish Network) could not reach an agreement to carry some additional Viacom channels. So Viacom pulled local CBS channels it owned, MTV, Comedy Central, Nick at Night, BET, and other channels, until EchoStar budged.

In this case ESPN360 only makes its video content available to selected ISPs (including Adelphia and Verizon) but not to others (such as Cox, Comcast, Time Warner, and SBC). ESPN has regularly behaved similarly with respect to cable companies.

Proposed network neutrality regulations have had nothing to say about the inability of users to obtain content because content providers block their ISPs, or surcharges on ISPs by content providers for their users to have access to premium content. And this is even though there are often real monopolies on content (only a single provider owns it, and may completely control who has access to it, at least until it gets out to P2P networks), while there aren't any real monopolies on Internet access (though some network neutrality advocates have endorsed nationalization of "backbone," which would create a government monopoly).

I think that in general, the ISP does have more overall power and influence than the content provider, but there are exceptional cases where content providers like ESPN360 may have a stronger hand against ISPs. Overall, there's a lot more money spent on communications than there is on content (as Andrew Odlyzko's 2001 "Content is Not King" essay explained), and the real drivers of that spending are business and peer-to-peer communications, not content providers.

Digital camera blocking technology

Researchers at Georgia Tech have come up with a technology for preventing video cameras from working. The setup uses sensors to detect cameras from the reflectivity and shape of CCD sensors (or is it actually detecting the lens?), then directs a beam of light (potentially a laser) at the CCDs to prevent it from recording images. The prospective uses they suggest include prevention of piracy in movie theaters and as a countermeasure against espionage. Their small-area technology is apparently close to ready for commercialization, but the large-area version still has a ways to go.

The camera-neutralization technology "may never work against single-lens reflex cameras."

Let's hope it doesn't become a technology used to prevent the documentation of abuses, governmental or otherwise.

More details on apparent NSA interception at AT&T

Salon.com has a new article on a room in an AT&T facility in Bridgeton, MO (a St. Louis suburb) that may be an NSA interception facility. The room is protected by a man trap and biometric security, and the AT&T employees who are permitted to enter it had to get Top Secret security clearances. The work orders for setting up a similar room in a San Francisco AT&T office, reported by former AT&T worker Mark Klein, came from Bridgeton.

The Electronic Frontier Foundation has an ongoing class-action lawsuit against AT&T over its involvement in illegal NSA wiretapping.

Who's been using "pretexting" to get your phone records?

Back on January 8, I wrote a posting titled "Cell phone call records available online." In that post, I wrote about sites on the Internet where you can pay a fee and get the calling records for cell phones and long distance call records for land lines. The companies providing these services are typically private investigators who use "pretexting"--pretending to be the legitimate owner of the phone--in order to con phone companies into turning over the data. Some also used social engineering or exploited server security flaws to gain access to phone provider online web portals.

Subsequent to the publicity around that story, there was a brief attempt to pass a law making "pretexting" illegal for telephone records as it already is for financial records. Frankly, I think unauthorized use of someone's phone provider web portal account should already be illegal under most state computer crime statutes, and obtaining phone records through misrepresentation should constitute theft by deception or violation of identity theft statutes, but I am not a lawyer.

Now, we are learning who some of the major users of these services are: various offices of the Department of Homeland Security and the Department of Justice, including the FBI; police departments in California, Colorado, Florida, Georgia, and Utah, and most likely hundreds of other police departments. These agencies are bypassing legal processes to obtain private phone records without warrants from private companies engaged in highly unethical if not illegal activity.

Hat tip: Ed Brayton at Dispatches from the Culture Wars.

Update on Cox blocking of Craigslist

The original claim of a Cox "blacklist" originated from a statement by Tom Foremski at Silicon Valley Watcher. Foremski originally wrote:

Back on February 23rd Authentium acknowledged that their software is blocking Craigslist but it still hasn't fixed the problem, more than three months later. That's a heck of long time to delete some text from their blacklist.

Now, he says (quoted by George Ou at ZDNet):

I assumed there was a blacklist - I have no idea how Craigslist is being blocked

In fact, we know now that it's a combination of a bug in a firewall driver produced by Authentium software and unusual (but not incorrect) behavior by the Craigslist webserver setting the initial TCP window size to 0. The facts of the problem came out (at least between Craigslist, Cox, and Authentium) at the time the problem was first reported, was fixed in a beta release within weeks, and has only affected Cox customers who use Authentium's security suite.

BTW, I disagree with Richard Bennett and George Ou's remarks which attribute the problem entirely or largely to Craigslist--the behavior of the server is not contrary to the RFC. The initial SYN packet from the client to Craigslist is responded to by Craigslist with a SYN-ACK packet with window size of zero, which means don't send me any data, only an ACK. The client then sends an ACK (completing the three-way TCP handshake), at which point Craigslist sends an ACK packet with a larger window size which the pre-fix version of the Authentium software fails to process. The initial response of the Authentium software to slow down is a reasonable and apparently desired response by Craigslist--they want new clients to hold off transmitting data (an HTTP request) until they give the OK. Authentium took full responsibility for the problem, and they were right to do so.

The story from Foremski was uncritically repeated by Matt Stoller at MyDD, Timothy Karr at Save the Internet (and a couple of other blogs), and now in a Wall Street Journal op-ed piece by Sen. Ron Wyden (D-OR), in a lapse from his normally good judgment about Internet-related matters (e.g., the Cox/Wyden Internet Freedom Act of 1995 and the Cox/Wyden Internet Tax Freedom Act of 1998).

Stoller and Karr went on to repeat the "blacklist" claim even after having the full story, and I don't believe either of them has retracted the claim that this issue is relevant to the network neutrality debate.

Craig Newmark complains that he didn't get good responsiveness from Authentium, which Authentium disputes, but he has indicated satisfaction with Cox.

The story has been picked up by George Ou at ZDNet (here and here) and by Glenn Harlan Reynolds at Instapundit (here, here, and here).

This issue was a user software application issue that had no more to do with network neutrality than a browser incompatibility issue, a webserver disk failure, or a fiber cut. Each of these things can prevent a user from reaching some specific content, but none is imposed by the network provider or remedied by act of Congress or the FCC. Those who continue to treat it otherwise even after knowing the details are demonstrating questionable judgment and integrity.

UPDATE: Craig Newmark has now stated that there was no deliberate blocking here and the Authentium explanation is correct. I've exchanged a few emails with him asking whether the behavior of the Craigslist.org webserver is specifically intended to regulate the rate of new HTTP connections (and whether the behavior is coming from something like an application-layer switch negotiating the TCP handshake); he said he's passed that on to his technical team and I'll report here if I get confirmation or refutation on that point.

One puzzling paragraph of his latest blog post is this one:

One good outcome of this is that we flushed out a swiftboater (in the generic sense), and this helps me understand the way disinformation gangs operate. Unfortunately, in some blogs, a good guy has been linked with the swiftboater, which isn't fair, and hopefully, we can do something about that.

I'm not sure who he's calling a swiftboater, who he's calling a good guy, and who he's calling a disinformation gang. So far as I can see, the disinformation gang in this incident has been the "Save the Internet" crowd, who still have yet to admit the clear facts of the matter. I asked for clarification, but Craig declined to identify who he's referring to (except that he's not referring to Matt Stoller or Timothy Karr).

UPDATE: July 12, 2006: The Craigslist.org webserver has changed its behavior and no longer sends a SYN-ACK packet with a window size of 0; it now gives a window size of 4380. This change by Craigslist.org works as a fix to the Authentium issue. I wonder why they only made the change now.

China's mobile death vans

BLDGBLOG has some photos and information about China's mobile execution chambers, used to bring state lethal injection capability to poor localities that can't afford to build their own execution facilities. Amnesty International says they have evidence that Chinese police, courts, and hospitals are engaged in the organ trade, and suggest that the mobile death vans may be involved.

BLDBLOG cites USA Today reporting that there are 68 different crimes punishable by death in China, more than half of which are non-violent offenses such as tax evasion and drug smuggling. All executions are recorded on audio and video, and shown live to the local law enforcement authorities.

The only other country which had mobile death vans that I'm aware of was Germany under Adolf Hitler. The Einsatzgruppen's mobile killing units were known as "death vans," which used carbon monoxide gas for execution.

Ann Coulter on no evidence for evolution, refuted

P.Z. Myers at Pharyngula has put together an excellent starting point for anyone who would like to see the overwhelming evidence that supports evolution, contrary to Ann Coulter's claim in her new book, Godless, that there is no evidence to support it. 20 science journal articles published per day, a new book published every other day, statements from scientific societies, online tutorials, blogs by scientists, and more.

He also requests that if you can find a single paragraph anywhere in chapters 8-11 of her book that is at all competent or accurate in its description of science, to send it to him.

Matt Stoller lies about site blocking

Matt Stoller has a post up at MyDD dated June 14 titled (with ironic accuracy) "Please lie to me about Net Neutrality" in which he gives the following as an example of unwarranted site blocking that shows the need for net neutrality regulations:

There's a pervasive myth that there has been no discrimination on the internet against content companies. That is simply untrue. For one, Craigslist has been blocked for three months from Cox customers because of security software malfunctions.

Back on February 23rd Authentium acknowledged that their software is blocking Craigslist but it still hasn't fixed the problem, more than three months later. That's a heck of long time to delete some text from their blacklist. And this company also supplies security software to other large ISPs.

Without net neutrality protections, cable and telecom companies will have no incentive to fix these kinds of problems. Already, it's quite difficult to even know that this is happening because they are quite easy to disguise.

However, Ray Dickenson, the VP of Product Management at Authentium, the company which makes Cox's software firewall, had already explained this problem in a post on MyDD back on June 9 when Stoller first brought this up, and it has nothing to do with a software "blacklist":

I'm SVP Product Management at Authentium, Inc. We make the branded security suites that many Internet Service Providers, including Cox Communications, offer to their subscribers. I'd like to take this opportunity to set the story straight on the Craigslist issue that some Cox subscribers have experienced.

In February, we started receiving support calls from users of our branded ESP security suite at ISPs like Cox Communications and Patriot Media. These users had problems accessing the Craigslist.org web site.
Our engineers investigated the issue and found a glitch in our firewall driver that made the Craigslist site very slow to load, or not load at all. (Technical details below)

We contacted Craigslist to learn why only the Craigslist web site was affected and also had our engineers fix the firewall driver. The fixed driver is in QA and will be part of a new release this summer. Our support team has been offering the beta firewall driver to customers who call in and are willing to try it. The support team also assists users uninstalling the software if necessary.

Authentium is dedicated to providing the best possible Internet experience for all users of our security suite, which appears under many brand names. We applaud the efforts of ISPs that go the extra mile to provide free security software to their subscribers and will continue our efforts to make the Internet experience safer and easier.

Technical details:
We found that the Craigslist.org web site sends a TCP packet with a zero-length window. A zero-length window indicates the server is experiencing congestion and cannot handle more data. Our firewall driver responds by sending data only one byte at a time, even after the server increases the TCP window size. This is the glitch we have fixed and are QA testing. Any changes to network drivers must be made carefully, tested thoroughly, and certified before general release.

Authentium's initial response to the Craigslist.org webserver is exactly as specified by RFC 793 (which describes TCP) about the proper behavior when a host to which you initiate a TCP connection specifies a window size of 0, as others have pointed out at the Save the Internet blog:

Flow Control: TCP provides a means for the receiver to govern the amount of data sent by the sender. This is achieved by returning a “window” with every ACK indicating a range of acceptable sequence numbers beyond the last segment successfully received. The window indicates an allowed number of octets that the sender may transmit before receiving further permission.

The bug here is that when the Craigslist.org host later attempts to increase the window size, the Authentium software fails to do so.

It's a bug in Authentium, but it's also arguably a bug in Craigslist.org, which also had the capability of offering a fix but has failed to do so. To characterize this as an example of discriminatory website blocking by Cox is dishonest, and to repeat the claim that this was caused by "text" in their "blacklist" after being informed otherwise is a lie.

Coming on the heel's of Stoller's YearlyKos admission of not understanding the issues and calling for personal vilification of his opponents, this makes a solid case that he's in way over his head and should not be relied upon as a source of information in the net neutrality debate.

UPDATE: Timothy Karr of Save the Internet has jumped on this bogus bandwagon on his Media Citizen blog as well as on the Save the Internet blog (already linked above with the "others have pointed out" text) and at the Free Press Action HQ blog. At the last source, Karr was clearly already informed of the cause of the issue, as he links to this fairly clear explanation from Authentium, in which the Authentium CEO, John Sharp, says that they immediately contacted Craigslist.org and made a beta fix available to their customers (including Cox customers) within a couple of weeks. For no reason I can see, Karr describes this by saying that "The CEO at the 'security software' company in question is equally opaque about the Craigslist blocking." What's opaque about the explanation, and why does he put "security software" in quotes--to suggest that this is malicious blocking?

Graph of Phoenix Housing Inventory

I plugged all the previous data into Excel and generated this graph:


I wonder what happened in December and early January. The trend is amazingly linear, otherwise.

When do we start considering Phoenix a buyer's market? Now? When inventory hits 6oK? When the trend shows clear signs it has reversed? As I said in the comments to the previous housing inventory post, I think I want to start making lowball offers when I get back there!