Maybe just because it does work pretty well, you’re seeing it more and more often: public WiFi, usually free as well. I’m not even talking about people sharing their network, but about stores and offices offering some sort of public access. And yes: it does work pretty good; no cables, no dongles or other ‘mobile solutions’ are necessary to use the internet when you’re outdoors, this way. It even works so well that we’re usually forgetting about the security issues that come up when using a Wireless LAN. Time for a more structured and standardized approach for offering this type of access?

Asking the question if it isn’t right about time for some sort of standardized approach to offering WiFi access actually misses one of the biggest problems: it’s not all that easy to secure a public network like that. Even so, it still seems odd that you can offer your visitors free WiFi as a teaser or extra service and do not have to provide even the most basic means of information about possible risks involved. Of course: users should be aware of the risks involved with using any computer service, but often they are not. Having these visitors or customs use a wireless LAN sounds quite nice, but they might be in for an unpleasant surprise later on. Not too long ago I was asking myself if we shouldn’t set up some sort of code of conduct for venues offering WiFi.

Clear information is necessary

Don’t take me wrong: I love free WiFi, but now that the number of venues offering such a service and numbers of people using it are increasing it would be wise to set up a standard set of information that venues can offer. For all you geeks and nerds it might be blasphemy, but the time when users could be expected to make a fair judgement about risks involved with certain services is over. On the other hand the fact that we can’t really protect people from themselves in this case makes it very clear that we will have to choose for providing information, rather than putting up some fences here and there. This is why the Dutch ‘consumers society’ has started it’s ‘Don’t get yourself hacked’ campaign, to point people at the risks that are involved when using a hotspot.

The dangers

Perhaps the easiest thing to set up and therefore perhaps the most dangerous thing: just an access point. Say, I’m going to some store, I turn on my laptop and set up an internet connection. I turn this computer into an access point and call it ‘free WiFi’ or something like that. Maybe I’d like to add the store name as well. Everyone that is consequently use my access point to get internet access can be sure that I will, at least, listen in to the network traffic. Even better would be setting up an access page, like one can see at hotels. I would set up a small web page that you see first and have it display: web access is 1 Euro per hour, payable by credit card. Inexperienced users might easily fall for this and send me their credit card data! The WiFi-alliance is already warning the public for these kind of ‘rogue access points’. This means it’s very important to know if a venue is offering public WiFi in the first place.

A normal public wireless LAN, that has been set up with the best intentions by a store owner, is far from safe as well. Besides rogue access points, the largest risks on a public WLAN that users run are the possibilities for fellow users to listen in to traffic. On Security Focus one can find this old (2006!) article about the use of ‘Coffeeshop WiFi’ that is still relevant. The safest thing to assume is that someone can listen in to anything you send over a public WiFi any time. So be sure to only use safe connections when logging in to a website or other services, especially if you know you’re using the password elsewhere. This means using only web mail services that use https, and be sure to use a firewall. Lifehacker came up with up some basic advice and rules, at the beginning of this year. The safest thing to do is using a VPN (virtual private network), for example by setting up one at home. This being something most people would only use in a work related environment, I don’t think this will be a realistic option, ‘safe surfing’ is a good start though.

A consumer WLAN-label

At the risk of creating an illusion of safety even more, I would propose to set up a ‘consumer WLAN-label’ that a company or organization can use to give better information right at the door. This way people will always know if they can expect some sort of WiFi, and if so: what type. As a start one would have to provide the exact name of the network. In addition, one could come up with extra labels. For now, I’ve come up with the following set of labels:

1. Network Name (SSID)
2. Network Type
   • Open: free, open, public network
   • Closed: network requires a login
   • Monitored: this organization is actively monitoring traffic on the network
   • Restricted: the organization only allows certain internet activities, for example: you can only visit a limited number of websites

This way, one could set up a basic system of labels, where a combination of label 1 with several label 2 options is of course possible. For example, a network can have Name + Open + Restricted. This obviously doesn’t give any security per se, but at least users have a better idea of what they can expect from the network. It sets the parameters that the legitimate network in this area has. Maybe an extension of this system is possible, with the option that using the restricted and monitored labels is limited to an organization that holds up certain standards for its WLAN.

Listening in to network traffic and other attacks like the ‘Man in the middle’ attack are still possible, but at least we can now direct our visitors to the proper network, after which they can take their own extra security measures. Besides the proposed labels and extensions, one could think of many more, and maybe I’m forgetting other security issues or –solutions. What do you thing so far?

This article is a liberal translation of an earlier article (in Dutch) that I’ve written for marketing blog bijgespijkerd.

I can definitely see the advantages of plain text emails. In fact I like these way better than, for example, getting an email written in comic sans. But just as with simply choosing a nice font for your email, or designing a full fledged HTML mailing there might be some things that you want to think about. Just this morning I found an email in my inbox, coming from the good people of ESOMAR. Now, this is nothing about ESOMAR in particular, but it’s a good example of what I’m trying to tell here.

The point is that plain text emails don’t go all that well with links that go beyond just linking to a website. We’ve already seen this with email lists, but as websites want to pass more and more variables in a link for tracking and other uses, they tend to get quite long.

This mailing here even seems to obfuscate the information in the links a bit. (as I didn’t feel like figuring out what they are passing there I just blurred it all, but this is the actual extend of the links) Now, I do think that ESOMAR is giving quite decent information in the actual text of this email, the links make it almost unreadable. So yes, I think in the end the “If you cannot read this message” is applicable to me here.

What do you think: are links like these OK in plain text emails, or should we focus on the text and minimize the length of the links in such cases?

Even though you can find some nice sharing options for ‘social media’ sites on the bottom of each post here already I’ve decided to experiment with a new one: the new facebook ‘like’ button. (To the right of this post) Clicking on this button will immediately post the article to your facebook profile as a ‘like’, if you’re logged in, and it displays a nice overview of how many people liked the article. In addition, I’ve ‘liked’ my own online persona, the fan page that Levi Boitelle made for me earlier, and put the accompanying Facebook ‘like box’ on the home page of my website.

If you’re wondering how you could add a similar thing to your own website; here is a very quick walk-through. As most of it is lined out very neatly on the FB pages, I will refer to those for most part, in fact, Facebook provides you with a nice how-to here on their Like Button page.

First you will need to decide where to place the button, so open your CMS/Wordpress and find the place where you want to include code for the like button. (Usually you’d want it per post so in wordpress you have to add it per single post.)

Then you can fill in the variables on the ‘Like Button’ page Facebook has (see above) and fill in some preferences, hit ‘get code’ and you immediately get some code that you can enter at the spot that you’ve chose. (Depending on your site’s setup you will need almost no to a bit more html or php knowledge to do this in a good way.)

As you may notice you get the option of directly usable code or a single line of code that uses Facebook’s own markup language ‘XFBML’, which basically uses a Javascript library to generate the appropriate code for you.

As this latter option looks much neater I’ve chosen this one. For this you do need the code that includes the Javascript SDK, which you can find here. You will probably want to include this in your header file. After you’ve used this in your site you can easly add like buttons, boxes and more for integration with facebook by just adding single lines of code, adding a simple ‘like button’ will be as easy as adding ‘<fb:like width=”200″></fb:like>’ to your code somewhere. If you’re planning on including more FB integration, like the box on my home page, I would recommend adding this Javascript SDK in your header file, or a similar place, so you can just do the rest with simple lines of code.

Additional thoughts

Is Facebook the future? Well, this depends on how far you want to look into the future. It seems like Facebook will definitely dominate the near future, so in that sense it may be a good idea to add FB integration like this on your blog/website. However, just like me you may have nice ‘social media’ integration buttons with your posts already. I’ve already got an extra retweet button, and now these like buttons to add to it?! You should be aware that it makes your page even more ‘full’ than it already is, and always be careful not to make your site the visual equivalent of a pinball game! Facebook seems like a good thing to be a bit more present than other sites, but you may want to rethink adding yet another button if you think your audience is not on Facebook to begin with.

Maybe you are familiar with the fact that a webserver can see which browser version you’re using and for example also how big the window is you’re using to view that website. In itself that is interesting enough for some statistics on the visitors of your website.

But there is more, way more and that is where thoughts of privacy, but also of marketing and research potential come in to play. The Electronic Frontier Foundation (EFF) has made a website to show a bit of what is possible. (Go support them here, by the way.)

Panopticlick is of course a very clever name in itself, but what does it do? It tests your browser to see how unique it is based on the information it will share with sites it visits. as it turns out, that is often very unique! So someone with access to multiple, if not a lot, websites could, at the cost of quite some server load, potentially track you on your merry way across the internet. This might be heaven for marketeers in some way, but even in this industry tracking to this extend seems to be frowned upon. Cross site tracking cookies have been the topic of much debate, even amongst not so ‘privacy focused’ people, although their existence might prove there is still quite some demand.

Installing a lot of fonts of my system might not have helped for me; when testing it turned out I am very unique. (That is bad if you dislike being traced or tracked, good if you like targeted ads.)

Your browser fingerprint appears to be unique among the 222,512 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 17.76 bits of identifying information.

This is one of those things that you know about, somewhere in the back of your mind, but may have never really considered as an option. You know about browsers being able to detect if you have a certain font on your computer etc. but how could that all fit together with other statistics? That is one of those things you might not always think about.

Thus the topic might well be; are people aware of the (theoretical) possibilities and are they going to be used? Of course the question still remains; how effective can this type of tracking be? This is exactly one of the reasons for starting this project. The EFF wants to try to get your information and add it to their database. That sounds evil enough, though fortunately we might want to believe the EFF about that “anonymous” thing and them not tracking us, of course. Hopefully, this will help evaluate the capabilities of Internet tracking and advertising companies, a goal which in the end can be beneficial regardless of which side you’re on.

It’s that time again; once every for years geeks from all over the globe come down to the Netherlands for a Hackercon. This year it’s HAR; “Hacking at Random“. I will be there as well to watch, learn, do and have fun! I’ve written a bit about this event on Dutch blog Retecool (so yes it’s in Dutch), as it came up a bit earlier this year as well. They will try to provide you all with streams of the talks (Dutch article), so you can all enjoy the latest news on tech and security related issues. You can find the program here. I will try to follow some cool stuff myself, of course and will write a bit about it later on, hopefully as soon as next week. I will try to be at “My BREIN hurts! ” and “Panel discussion with Brein and HAR” so you will definately hear from this and possibly some GSM network related stuff that I will try to cover with a blogpost…