
And Now, A Little Trabant Joke

The Trabant (1949 to 1989) was the GDR’s answer to the Volkswagen. Intended to be economical, convenient and ubiquitous, it succeeded in being only the latter.

Despite production times from hell (the average Trabant owner waited nine years to get their lemon), the Trabi, as it was affectionately dubbed, is still one of the most common cars on the road in Eastern Germany.

Each Trabi took so long to build because its plastic pieces (most of the vehicle’s parts, aside from the frame, hood and other necessarily strong sections, were plastic) were molded by workers running hand-operated molding systems.

A plastic car, you say, with a two-stroke engine that you had to wait two years to own?

That reminds us of a little joke.

A Texas oil man heard that there were cars in East Germany so popular that buyers had to wait years to take delivery of one. He immediately sent a check to the Trabi factory.

The directors, sensing a propaganda coup in the making, arranged to send him the very next car off the line.

Two weeks later the oil man was in a bar, speaking with some friends.

“Ah ordered me one o’ them Trabis them folks over there in East Germany wait 12 years to get,” he drawled.

“And you know what? Them East Germans are so efficient. Wah, just last week they sent me over a little plastic model so I can know what to expect!”


____________________________

This (minus the graphic) appears on page 250 of Lonely Planet’s Germany travel survival kit.

And free hotspots for all

Because many cities and towns around the world have begun providing publicly accessible wireless APs, how is a reasonable computer user supposed to know that an unprotected network is not there specifically to allow him to access the Internet? All stores in the Panera Bread chain offer Wi-Fi Internet access that’s as free as the air. A visitor to downtown Albany will find himself in a brightly “lit” environment with so many free wireless access points that it’s hard to find an area in which you cannot connect.

So imagine the surprise in early July, 2005 when police in St Petersburg, FL, picked up a man for accessing an AP on a residential street, connecting to the Internet and checking his email. Benjamin Smith III was arrested and charged with unauthorized access to a computer network.

He might well get off. After all, if all he did was access the Internet to check his email, who’s to say it’s unreasonable for Smith to assume this was kosher? The AP was wide open. If Smith didn’t attack any of the other machines on the local network, he may have been perfectly reasonable to assume that the network was meant for him to use.

We don’t endorse the unauthorized use of someone else’s wireless signal, but in this day and age it can be hard to tell when you’re not supposed to log on and surf the web.

We believe that anyone who sets up a Wireless Access Point and does not follow the installation wizard’s advice to change the ESSID and password and set up encryption should be presumed to be providing publicly accessible wireless at no cost.

There is, however, a vast difference between hopping on an open access point and intruding into someone else’s network for nefarious purposes.




An Autobahn Experience

With the dollar so far down against the Euro, it feels as if the only favorable exchange rate left to Americans is one of distance: you still get 1.6 kilometers for every mile.

When the crowds of the Oktoberfest have taken their toll, and you’ve just about overdosed on museums and local sights, it’s time to head out on your own.

The famous autobahns, the freeways that make up Germany’s wonderful highway system, and the country’s compact size mean that within a half-hour of Munich’s center you can be driving through rolling green hills with the Alps practically at your feet.

And when you consider that Chiemsee, Salzburg, Vienna, Baden-Baden and Strasbourg are all within day-trip reach, the proposition gets even more attractive.

But while Americans are among the world’s most dynamic drivers, covering incredible distances each year by car, many here find themselves facing a whole new set of baffling rules and practices that amount to an entirely different driving culture.

Passed At 110
“I was going about 110 mph – fast enough to be dragged away in handcuffs at home,” said Mark Walsh, a Chicago native living in Munich, “and I got passed by a guy on a motorcycle with a passenger!”

An American driving on the autobahn is very likely to have just that sort of disconcerting experience 10 or even 15 times during an hour’s drive. On U.S. highways, getting from Point A to Point B may be the primary objective, but in Germany, it’s not just getting there, but how fast you can possibly do it.

Here’s How It Can Be
A black Mercedes appears in my rear-view mirror. It wasn’t there when I looked a second ago, and now it’s bearing down on me with great vigor. An angry flash of headlights – it’s almost on my rear bumper! I swerve frantically into the right lane and the black beast accelerates past me as if I were standing still, leaving swirling exhaust fumes and a turbo whine in the air. I glance at my speedometer: It reads 180 km/h – 113 miles per hour.

“Every German driver is convinced of two things,” says Munich native Oliver Bengl. “First, that they are an excellent driver, and second, that everyone else on the road is an execrable one.”

Bengl is exceptionally qualified to comment – he’s been a professional driver on Germany’s roads and autobahns for 10 years, in everything from Munich taxis to long-distance freight trucks, from film company vans to one of Bavaria’s most beloved vehicles, beer delivery trucks.

Wind in the Hair
Bengl suspects that Germans, who behave extremely conservatively in everyday life and business, simply need the release of high speed and feeling the wind in their hair – even if that wind is just the light puff of their car’s air conditioner.

“The average German,” he says, “spends his day in close contact with very conservative people. When he gets into his big car at the end of the day, he reverts to a Stone Age hunter mentality – he’s King of the Road.”

This assertive on-road demeanor has resulted in gesticulation (at best) and sometimes even physical fights at the roadside. It is for that reason that it is now a misdemeanor in Germany to “gesture obscenely or shout insults” at other drivers, punishable by a large fine.

Speed aside, driving on the autobahn is a very enjoyable mode of transport that can even be cheaper than public transportation if you’re traveling with someone. And contrary to public belief, there are speed limits on about 85 percent of the autobahns.

Speed limit signs are red-ringed circles containing a number. On autobahns it will usually be 110 or 120 kilometers an hour (70-75 mph). Speed traps occur rarely, but they do happen. If you don’t see a sign, there’s probably no speed limit.

All other road signs are international symbols and almost always instantly understandable.

One key exception is the puzzling circle containing a striped black slash over a blank white background.

This means, basically, “Any sign telling you not to do something before you saw this one is now overruled.” For example, the “slash” sign can end a no-passing zone.

The Kreuz
The Kreuz – the German version of a cloverleaf interchange – can be very confusing, too, even to veteran German drivers.

Modeled after, it would seem, Los Angeles’ most confusing transfer points, a Kreuz connects several highways. Signs are not what they could be, and it’s best to slow down and pay attention: Exits come up fast, and if you miss yours, it’s usually a long drive to get to where you can turn around and try again. The best strategy is to stay in the middle lane until you can figure out which way is off, then get there fast.

And Bengl adds one warning: “No matter how fast you go, someone’s going to be faster; no matter how clear your rear-view mirror is, check again… There’ll be someone there.”

While traffic is outwardly more orderly than in the States, there’s vicious competition for passing lanes, usually from taxis.

The best bet for inexperienced drivers is to stick to defensive tactics, staying slow and safe and letting the taxis do what they wish.

There will be a far higher number of bicyclists on the streets than you may be used to, and while they usually have a separate lane, be on alert. Motorcycles and scooters are also more popular than in the States, and it’s considered very bad form indeed to sideswipe any of them.

Finally, remember that there is no right on red law in Germany.

An American Pilot In Europe

Flying over the verdant rolling hills of the Italian countryside, circling the ancient hilltop village of Urbino (birthplace of the painter Raphael), I looked at my wife, Corinna, and remembered just what it was that made me want to get that license in the first place.

Every year, while thousands of licensed American pilots vacation abroad, few think of exploring the European skies. But in much of Europe, US pilots can easily rent a plane and make daytime VFR flights as Pilot In Command.

The linguistically challenged will be able to communicate: ATC, rental companies, instructors and even ATIS and AWAS all communicate in English.

A walletful of greenbacks doesn’t hurt. Anyone who’s ever filled up in a European gas station knows fuel prices over here are out of Mad Max: avgas runs about US$5.25 (you read that right, over five bucks a gallon). Hourly prices for plane rental can be almost double what they are in the States.

But what’s the price tag on an aerial trip up the Rhine, over Stonehenge, or around a castle? It’s the trip of a lifetime.

GETTING THE BASICS
The ICAO Chicago Convention says licensees from contracting states (including all European nations and the USA) are permitted to fly in other contracting states. The issue of national sovereignty is touchy in Europe, but if you have a valid FAA PPL and current medical certificate, you’re generally permitted to make daytime VFR flights.

In the UK and Holland, you can walk in to any flight school or Aero Club (as they’re called here) and after a checkout, rent a plane and zoom off into the sunset (though one zooms slightly differently over here. See Tips, below).

More rigidly legislated countries (like Germany, France and Spain) have red tape worthy of a Maastricht Treaty, but some advance work on your part can clear the way, at a minimum of fuss and expense, to recognition of your American PPL.

And good news: a certificate of recognition from any European Union member state is honored in all others.

So if you’re visiting, say, Germany, Spain and Italy, a certificate from one will be honored in any other. And best of all, the renter – usually a flight school or aero club that’s dealt with this situation before – will often assist with the paperwork as part of the rental fee. They will guide you through the process of getting a locally recognized “holiday license”.

You’ll usually need to send notarized copies of your PPL, medical, recent pages from your logbook, and your passport. Some countries, like Spain, also require a passport photo, so check whether you’ll need to send those.

Bring all of those items on your trip, too. And while we’re on what to bring, remember this: most planes here come equipped with just two headphones, so bring extra headphones if you’ll need them.

If you’re headed to the UK, Holland or Germany you can start checking into rentals and making reservations as little as a week before you arrive, but if you’re off to other countries start about six weeks in advance.

RENTALS
Renting a plane is almost as easy as it is in the USA, but there are differences. The best bet is to research using the search engines at flying websites, or by picking up flying magazines from the UK, such as Flyer (http://www.flyer.co.uk) or Pilot (http://www.hiway.co.uk). The backs of these mags are packed with ads for flying schools, which almost always rent their airplanes.

Shop around! On a recent check of airports around Europe, I found major differences in rental prices, even in the same country. For example, I called Wycombe Air Centre (tel 011-44-149-444-3737), about 20 miles from Central London, and was quoted a price of 126 pounds (US$196) for a C-152 with an instructor, and 97 pounds (US$155) an hour for just the plane, wet, timing from brakes off to brakes on, including VAT (the notorious Value Added Tax). It was about US$10 extra for a C-172 with or without an instructor.

But a call to Andrewsfield Aviation Ltd (tel 011-44-137-185-6744), about 10 miles from London’s Stansted Airport, got quotes of 89.50 pounds (US$143) with an instructor and 75 pounds (US$120) without for a C-152, and 102 pounds (US$163) with and 93 pounds (US$149) without for a C-172, on the same terms.

The Pesaro Aero Club in Fano, Italy (tel 011-3907-2180-3941), demanded the most I’ve ever laid out: US$210 for an hour and 40 minutes of flying, including 40 minutes with the instructor for the checkout, in a C-152.

The Aerodrome Chateauroux Villers, in Saint Maur, France, (tel and fax 011-33-2-5436-6813) wanted 900 francs (US$138) with a (French language) instructor, and 744 francs (US$114) without one for a C-172.

But it can be cheaper (just a bit more than in the USA): Munich Flyers at Augsburg Airport, 45 minutes outside Munich (tel 011-49-89-6427-0761), gets DM240 (US$126) for a C-172 with an instructor, and DM 177 (US$95) without, including fuel, from wheels up to wheels down.

THE CHECKOUT
On that trip I took to Italy, I literally followed the low-flying planes I saw from the coastal road to the Pesaro Aero Club, on a grass strip just south of the city of Rimini. Showing my PPL and Medical at the flight school office, a teacher and I set off on a 40-minute checkout (really more of a brush-up on soft field landings and a lengthy description of the local airspace) and then I was off on my own, for a one-hour tour of the whole area.

A German instructor named Tom told me that he checks out people all the same way, even if it’s obvious they’ve been flying for years or are newly licensed.

“We do two traffic patterns,” he said, “to check their radio skills and landings, and then head for our practice area, where we do power-off and power-on stalls and steep turns. If they handle all that right, they’re on their own – and if not, they do an hour or two of brush-up lessons.”

I enjoy the rental checkride as much for the local air tour I get as I do for learning the different ways people teach flying in different countries (for example, in Germany, Tom wanted to see just the barest hint of an impending power-on stall, while my Italian instructor demanded – and demonstrated – something out of Snoopy and the Red Baron!).

The rental checkride is so important here because local regulations are dictated by many more idiosyncrasies and customs than in the USA. In the UK for example, noise abatement is so strict that procedures like, “On takeoff, make a right turn at 300 feet and head for the treeline before ascending,” and, “On downwind, approach from south of the village and then scoot round the village to the right and turn left again when you see the pub,” are more common than not.

And in Germany, where takeoffs and landings even on privately owned farms require clearance, strictly – even Germanly – regimented exits and entrances to the airport vicinity are required, using map points with names like Whiskey One and Echo One, as well as local conventions that aren’t even marked on the maps (see the box)!

The rental checkride’s good for learning all these, but even better is a visit to the tower. If you plan ahead, you can make the visit when you arrive – get off the commercial flight and head upstairs for a half-hour chat with the controllers. They’ll fill you in on restrictions, give you local flying tips, telephone numbers for weather forecasts, useful web addresses and tell you where you can buy charts of the area locally.

LANDING FEES
Most Americans are horrified to learn that practically every single airfield in Europe charges some sort of landing fee. In most airports it’s waived if you’re taking a local flight, but if you take a day trip to somewhere, be prepared to fork over anywhere from US$10 to US$25 in landing fees at the destination airport.

SOME TIPS
“The airspace is fairly restricted here compared to the USA,” said Carol Cooper, Chief Flying instructor at Andrewsfield Aviation.

“For your own sake, study the map, and the airspace where you can and can’t go – which is much different around here.

“Experience obviously matters, and radio navaids can help, but England’s a small place, and you’ve got to watch your proximity to Stansted, Heathrow and Gatwick,” she continued, referring to the fact that all those airports’ airspace is completely off-limits to VFR pilots in single-engine planes without a special VFR clearance.

Which you almost certainly won’t get!

Noise abatement rules dictate that you avoid town centers and other populated areas.

Radio work is also different, and Europeans seem to think the American practice of repeating the last three registration numbers as acknowledgment of an ATC directive just a bit too, well…American! You’re expected to repeat all the instructions given you by ATC, each and every time.

And finally, if you’ll be travelling outside larger cities, brush up on your soft-field landings and takeoffs: many airports have grass strips.

MORE INFORMATION
Note that anywhere in Europe your American license gives you the same rights as you have at home if you are flying in an N-registered (US-owned and registered) aircraft. Regardless of registration, you need no holiday license or any additional paperwork other than your valid PPL, valid medical and pilot’s logbook to fly as PIC from the UK or the Netherlands (Holland) – even if you land in another country.

For other countries you will often need a holiday license, recognizing your American license. The most straightforward agency to deal with in Europe is Germany’s Regierung Oberbayern Luftamt Suedbayern, Maximillianstrasse 39, 80538 Munich (tel 011-4989-2176-2523). Send them a letter, telling them the dates of your travel in Europe, a request for a Holiday License and photocopies of your PPL, Medical Certificate and the most recent page of your logbook, along with a copy of the data pages of your passport. The holiday license they will send you (Bescheinigung ueber die Allgemeine Anerkennung eines auslaendischen Luftfahrerscheins; allow four weeks for processing) is good for six months and costs about US$30. It is valid everywhere in Western Europe, allowing you to rent nationally registered planes.

In France, contact Direction Generale de l’Aviation Civile (tel 011-331-5809-4321, fax 011-331-5809-3636), License Office, 50 rue Henri Farman, 75015 Paris.

Andrewsfield Aviation Ltd (tel 011-44-137-185-6744), Saling Airfield, Stebbing, Dunmow, Essex CM6 3TH England

Munich Flyers Flugschule, GmbH, (tel 011-49-89-6427-0761) Hochederstrasse 2, 81545 Muenchen, Germany

Pesaro Aero Club (tel 011-3907-2180-3941) Via Dela Colonna 130, Fano, Italy 61032

Aerodrome Chateauroux Villers (tel and fax 011-33-2-5436-6813), 36250 Saint Maur, France

All I Want Is A Combo WiFi/GSM/CDMA Device. In Black.

Despite a predilection for triple-shot lattes, it wasn’t just caffeine that had me spending hours a day in coffee bars across America recently, shouting into my mobile phone above the din of the grinders. Mostly, it was the Wi-Fi connection.

For three months I’ve lived a salesman’s life away from my Munich home. I travel by single-engine airplane across America, pitching my company’s services to airport businesses. Contact with the office (and my wife and son) is through e-mail and mobile phone calls.

Every day I find the nearest Starbucks or Borders books, where a T-Mobile HotSpot provides a high-speed 802.11b, or Wi-Fi, Internet connection. I download dozens of e-mails and swap sales presentations with co-workers.

There are niftier alternatives to Wi-Fi, some argue, but I hate reading e-mail on my mobile phone’s tiny screen, and I refuse to click four times for an “s” or quibble with the phone’s dictionary over whether mañana is an English word. Nor will I spend $400 for a Blackberry device that does little more than e-mail.

Full-blown personal digital assistants permit me to open simple presentations and, with an added folding keyboard, type documents. But at their best, mobile data services in the United States merely double the dial-up speed. The average presentation is well over a megabyte; that can be a battery-sucking 20-minute download.

PDAs like Hewlett-Packard’s iPAQ h5500 have integrated Wi-Fi but don’t connect to mobile networks without more than $300 in add-ons.

Most PDA-phone hybrid devices offered by U.S. mobile providers, like the Kyocera 7135, Samsung SPH-i330 and T-Mobile’s Pocket PC Phone, let you do e-mails and limited Web surfing, but they have few or no expansion capabilities.

Geeky friends say, “Just set your PDA’s Bluetooth to use your mobile phone as a modem.” Oh, good: a new device, dependent on an existing one, to provide a mediocre connection. With all this on my belt, I’ll look like Batman. Why is this all so clunky? Where is the single handheld device that lets me connect to e-mail and voice via mobile and high-speed Internet via Wi-Fi – for under $1,000?

While I’m at it, my device should, when connected to a Wi-Fi hotspot, let me make calls using voice over Internet protocol, or VOIP. Apart from the Wi-Fi fee and perhaps a service charge to the VOIP provider, the calls would basically be free.

Wi-Fi is here today, typically offering connection speeds faster than even the best 3G network will offer – when 3G gets here.

It’s not just me. Mobile professionals – sales people, journalists, investment bankers and other early-adopter types – all want this $1,000 dream device. We are a clear market segment, and we’re willing to pay.

Don’t tell me the technology isn’t here: Miami-based Calypso Wireless developed the C1250i Wi-Fi-enabled cellular phone and announced a deal for $500 million with China Telecom to begin delivering phones this year. If tiny Calypso can do it with a phone, can’t somebody do it with a PDA?

“We know that’s the right solution,” said Brant Jones, a marketing manager for the iPAQ pocket PC at Hewlett-Packard, “but we just can’t do it yet for the technically intolerant.”

Wi-Fi, with spotty coverage and no widely available way to roam between networks, is far from perfect. But Wi-Fi use is rising. Most new notebook PCs and many new PDAs have integrated Wi-Fi.

Increased demand for hotspots has already initiated a fundamental shift in how operators intend to provide Wi-Fi services. Big players like AT&T, British Telecom, Virgin, IBM, Vodafone and Intel are realizing that sharing infrastructure makes more sense than having each company build its own.

For example, T-Mobile HotSpots provides wireless Internet connections at more than 2,000 Starbucks locations. But their business model is a classic “walled garden.” To use it, you need a U.S. T-Mobile HotSpot account. A British T-Mobile account won’t work. That’s silly.

A better way of getting more people to use more hotspots is more democratic. “Neutral hosts” let multiple providers share the same hotspots. They install hotspots in retail stores, airports and train stations. They then go to operators and say: “We’ve got 5,000 hotspots in retail stores around the country. We’ll let you use them to give your customers access; they pay you, and you pay us a percentage of the take.”

So as an end user, you log in with your existing credentials rather than opening a new account. If you use BT Openworld for Internet access at home, you’ll use BT Openworld when you’re in Paddington Station in London.

It’s self-propagating, too: Once a neutral host has cut deals with several operators, it can walk into a supermarket chain and say, “We’ve got 4.5 million customers who want Internet access; we can bring them into your stores if you give us permission to set up a wireless network in each one.”

It’s an elegant solution to a big problem. “People don’t want different bills,” said Magnus Mcewen-King, chief executive of Broadreach Networks, a neutral host operating Wi-Fi hotspots for Virgin and BT Openworld. “They want one account spanning access methods – cellular, Internet and voice.”

“Neutral hosting shows greater promise than roaming to succeed in offering end users easy access to public Wi-Fi,” said Bjorn Thorngren in a report for the wireless investment firm BrainHeart Capital. Thorngren forecast that providers that used the walled-garden approach to Wi-Fi billing will not survive: “They will have to change strategy or vanish.”

Cometa Networks, a neutral host backed by Intel, IBM and AT&T, plans more than 20,000 hotspots across the United States by 2004. The company’s plan is to “sublet” to brand-name Internet service providers like AT&T and IBM. This approach should bring Wi-Fi coverage up to mainstream levels – within a five-minute walk or drive for most people.

A Warm Welcome In The Russian Far North

Though it’s been open to foreigners for a while, getting travel information on Russia’s Arctic Kola Peninsula remains a little tricky.

Bureaucrats walk an unfamiliar line. Trained by Soviets, they’re unwilling to divulge information, but a desperation for foreign visitors and their cash requires openness. The results are often amusing.

“Camping,” booms Vladimir Loginov, chairman of the Murmansk Regional Sports Committee, “is legal anywhere on the Kola Peninsula. Except in the places in which it is not.”

The Kola Peninsula is an enormous knob of tundra, forest and low mountains between the White and Barents seas. It is one of the most ruggedly beautiful, unspoiled and desolate areas on the planet – an adventurer’s destination that’s accessible to everyone.

Travel to St. Petersburg and Moscow has become commonplace, but the Russian wilderness, the stuff out of Dr. Zhivago, remains mysterious and alluring. Such is the attraction of the Kola Peninsula with its herds of wild reindeer, dramatic mountain formations and fishing villages.

Its first tourists were Lapp herders, but the discovery of a northern sea route in the 16th century turned the tiny settlement of Kola into an arctic trading post.

Thanks to an eddy from the Gulf Stream, the Kola Inlet from the Barents is ice-free year-round, making it the ideal site for the port of Murmansk, and now, at nearby Severomorsk, for the Russian Northern Fleet’s home base.

I arrived in Murmansk with feelings of both elation and dread: elation that I would be among the first post-Soviet Western travel writers to explore the peninsula and some of its tiny towns, and dread because, though the temperature had dipped below freezing (this was in August), the famous arctic mosquitoes were huge and dive-bombing.

Location, Location
Perhaps the most novel thing about Murmansk is its location – halfway between Moscow and the North Pole, and 125 miles north of the Arctic Circle. Because of the Gulf Stream, temperatures are more moderate than you’d think, ranging from 8 to 17 degrees in January; 46 to 57 degrees in July.

Despite the isolation, Murmansk and many other cities in the region are remarkably bustling and modern. Because of its military importance, Murmansk was always a privileged city in terms of supplies and consumer goods. But today the entire area is swimming in Western-made foods and goods.

Murmansk’s suburbs tower above the city. No suburban sprawl here. Instead, large, colorful and clean apartment buildings are built on the mountainsides. The city center, where Prospekt (Avenue) Lenina meets with Five Corners (Pyat Ugla), teems with bundled shoppers. Stores have names like Northern Lights, 69th Parallel, Penguin and Polar Star.

The winter cold isn’t as bad as the darkness – “polar night” means non-stop dusk through December and most of January, though locals say they feel the impending gloom by the end of October. Outside the city there is just tundra; little wonder that the population turnover is 20 percent a year. People leave because of the darkness and cold, and new ones arrive seeking the higher wages that those conditions bring.

Sightseeing
What’s a tourist to do in Murmansk? See the harbor, St. Nicholas Church (Svyato-Nikolskaya Tserkov, named for the patron saint of sailors) and the new Fine Arts Museum, and go for a swim in the municipal pool.

The best harbor tour, weather and sea permitting, is on the Kola Inlet. You’ll go south toward Kola (you won’t see the Northern Fleet but you will see the city). Mostly you see shipyards and tundra. Go to the Passenger Ferry Terminal and hop a ferry to Mishukovo. Ferries leave six times daily, and the 30-minute journey is about 75 cents each way.

St. Nicholas Church would be impressive enough, even if it didn’t have such a colorful history. In 1984, the congregation from the little wooden church that was on the site decided to build a cathedral, and began doing so in secret. It’s hard to hide a cathedral, and when the government found out about it in 1985, miners were sent in with orders to blow it up. This raised a holy stink, and demonstrators sat around the site, blocking the miners; simultaneous protests were held in front of the Moscow city executive committee.

The government capitulated to some extent, letting the part of the church that had been built stand but forbidding any further work on it. After perestroika greased the country’s religious wheels, construction resumed in 1987 and continued over the next five summers.

Today St. Nicholas Church is the Kola Peninsula’s religious administrative center. To get there from the railway station, take trolleybus No. 4 for four stops, walk past the pond and up the stairs, then along a dirt trail to the main road. The cathedral is on the right. Services are held Monday, Saturday and Sunday at 8 a.m. and 6 p.m.

The new Fine Arts Museum at ulitsa Kominterna 13 finally got a permanent collection two years ago. The small but interesting collection includes graphic arts, paintings, decorative applied arts and bone carvings, all on an “image-of-the-north” theme. Admission is about 50 cents for foreigners, 25 cents for Russians and students. Hours are 11 a.m. to 6 p.m. Closed Monday.

It’s hit or miss, but in the summer there’s a chance to see one of the Murmansk Shipping Co.’s four atomic-powered ice-breakers at the dock (they’re enormous and very orange).

Photography, except in the port itself, is legal now, and you can photograph anything you see from the railway and passenger sea terminals or on board the ferries.

Murmansk’s municipal swimming pool, at Ulitsa Chelyuskintsev behind the central stadium, is just amazing: 50 meters (55 yards) long, with three-, five-, seven- and 10-meter diving boards. There are two kiddie pools downstairs plus a banya or two (steam baths, see accompanying story). It’s open June to October from 7 a.m. to 10 p.m. Admission is about $1.

Lapland Nature Preserve
Buses and trains from Murmansk to towns along the peninsula’s western corridor are cheap and frequent. Heading south, our first stop was the Lapland Nature Preserve near the ecologically devastated city of Monchegorsk.

This UNESCO-protected preserve consists of 1,860 square miles of almost pristine wilderness. About half of it is virgin tundra; the rest, alpine grasslands, marshes, rivers and lakes. It was founded in 1932 to protect the area’s reindeer herds, still among Europe’s largest.

The park can be visited by individuals or small groups (fewer than 12 people) under limited conditions by advance arrangement. You can trek through the wilderness or traverse it on cross-country skis or snowshoes. Costs vary but are generally very low. The preserve is run by a non-profit organization.

Apatity
We continued south to Apatity because some Swedes living there had offered to show us the area. When we arrived, we found them running the godsend-to-tourism Scandinavian Study Center, which acts as liaison to Western groups and individuals who want to explore the area.

“This is one of the most beautiful areas in the north,” says Peder Axenstein, who has lived in the area on and off for four years. “We just hope that people will come and see what’s here, and not be afraid to explore the wilderness outside the cities.”

Indeed, Apatity, the Kola Peninsula’s second-largest city, founded as a geological studies center in 1966 on the site of a former gulag, isn’t very attractive to those outside scientific circles.

But it’s an excellent jump-off point for hiking, climbing and skiing expeditions in the nearby Khibiny mountains, and for hunting trips. Who knows, you may even get a chance to see Yeti, the Bigfoot-like creature who locals say pops into the region now and again (16 1/2-inch footprints have been found).

Apatity is also a cultural center for arts and crafts. The wonderful Salma Art Salon, at Ulitsa Dzerzhinskogo 1, is a true cooperative venture: It’s privately owned by, and shows and sells the work of, more than 200 Kola Peninsula artists. Prices are low, and the management can arrange for customs papers to get the merchandise out. And musicians and music lovers from all over the region gather for the free bi-weekly concerts and recitals held here.

Kirovsk
There’s not much to do in Kirovsk, 17 miles east, except ski, but the skiing is the finest in northwest Russia. The city hosts the annual All-Europe Downhill Freestyle Competition.

Kirovsk and its suburb, known not by its Russian name but simply by the moniker “Kirovsk-25” (signifying its distance in kilometers from Apatity) are nestled in the Khibiny mountains, separated by a winding mountain road. The center is tiny and easy to navigate, and all the skiing takes place near Kirovsk-25.

The slopes may look easy but those mountains sure are steep. The 17 lifts are mainly tow ropes, and lift tickets are 50 cents per ride, or $4.50 for a day pass. There are eight trails, as well as a children’s trail and lift.

The Kazanskaya Church, just outside Kirovsk-25, was built on the site of another church that had been moved from Kirovsk. The inside is lovely, with an impressive iconostasis and the reputedly miraculous Icon of St. Nicholas. On the night of May 21, 1994, the icon incredibly restored itself, and now works its miracles Monday to Friday from 9 a.m. to 6 p.m. with a break between 2 and 3 p.m.

Take bus No. 1, 12 or 105 from Kirovsk center toward Kirovsk-25, and ask for the church. From the bus stop, walk west (back toward Kirovsk), turn south (left), then turn east (left again) and the church is 600 feet on the right side of the road.

The best sight here, at the northern end of Kirovsk-25, is the surrounding mountains, or rather the lack of half of them. (They look like those models you used to see in school of a cutaway section of a volcano).

Local scientists insist this was accomplished by the use of earth movers and heavy equipment (though some say it would have taken a nuclear blast).

Portions of this piece were extracted from Lonely Planet’s Russia, Belarus & Ukraine guide, with permission from the publisher.

A Stock Index Primer

With stock markets merging and European Monetary Union a reality, European indexes – especially the sector-specific ones like our Tornado European Technology Index – will play a role more important than ever before.

Indexes help you decide whether or not a given stock is performing well. When you are deciding whether or not to buy a particular stock, you might want to compare it to other stocks of its kind. Indexes allow you to do this, because they provide an average of how, for example, a telecommunications company is performing compared with a group of telecommunications stocks on a specialized index.

Since 1998, Europe has seen the creation of dozens of new indexes, from market leaders such as Dow Jones, FTSE and MSCI (the world’s leader in institutional benchmarks), to newcomers such as TORNADO-INVESTOR.COM. And more are on the way.

“Fabulous,” says the investor, “but would someone mind telling me what all that means, why I should care, and more important, should I buy T-online?”

T-online? Maybe – check its performance against other telecoms on the Tornado New E300 to find out.

“I think Europeans will no longer look at investment as being national, but rather as regional or global,” said Mark Makepeace, Managing Director of FTSE. “You can no longer pigeonhole a company and call it, say, `British’ – look at Vodafone’s structure and you’ll see it’s truly a multinational corporation, so saying it’s a UK company just no longer makes any sense.”

As national indexes like the FTSE 100 and the CAC 40 become increasingly irrelevant, what is needed are indexes that allow the investor to gauge performance of entire sectors, in addition to indexes that track shares on a regional level.

To quickly ascertain the performance of high-tech companies across Europe, the investor can glance at the broad Tornado European Technology Index and see whether it’s up or down. But she can also then look at specific sub-sectors, such as computer hardware or mobile telephony, and examine the performance of companies engaged solely in those activities.

For the investor seeking an indication of stocks trading on a regional level, for example “all of EMU Europe”, an index like the DJEuroStoxx 50 gives a quick indication of the performance of Europe’s 50 largest publicly traded companies.

Who Uses Indexes?

Organizationally speaking, the DJ Stoxx, MSCI and Tornado European Technology indexes work broadly in the same way: they start on a humongous scale (“Most of what’s in Europe”, “Everything in the World”, “All Pan-European Technology Stocks”) and then break out individual sectors and regions as need be.

It’s a handy capability – want to see the average performance of shares from Belgian, Luxembourgish and Hawaiian companies involved in manufacturing for the bio-medical industry? Or the top pan-European companies in data networking? Poof! It’s as easy as asking.

There are literally hundreds if not thousands of indexes, and a fair question at this point is, “Why so many?” The answer is, for the most part, to serve as a benchmark for index-tracking mutual funds.

Among other things, index-tracking funds have tremendous appeal to retail investors not yet comfortable with investing all their money in individual stocks, which results in high transaction costs and requires rather subtle timing.

“For the retail investor, an index-tracking fund allows you to buy a basket of stocks in a sector or a region all at once,” said Carsten Hilck, Fund Manager at Union Investment Bank in charge of the €4.3 billion UniEuroStoxx50, an index-tracking fund benchmarked to the DJ EuroStoxx 50.

“Stocks in Europe are primarily retail money,” said a senior Merrill Lynch official, “when you see all these funds out there, the end user is most often the retail guy, and at this stage in Europe, the retail guy’s concerned about some pretty basic things: knowing the names of the companies on the index, and of course how this index performs against other indexes.”

How the fund managers select specialized indexes on which to base their funds comes down to investment trends and fashion. For example, when Japanese automobiles were all the rage, marketing departments of banks and brokerages had a look and said, “Hey, let’s create a Japanese Auto Mutual Fund.”

They then went looking for an index that covered automobiles and had a sub-sector of Japanese auto makers, and use that index as the fund’s benchmark, buying stocks in precisely the same proportions as the index itself – index goes up, fund goes up. And, er, vice-versa.

“What’s especially appealing,” said Hilck, “is that all these funds allow individuals to diversify and invest in companies throughout a sector, with tremendous economies of scale. There are very low transaction fees because the fund gets special conditions with brokers, and because we’re always 100% invested we have a fund that’s very close to the index itself – almost exactly a 1:1 ratio.”

The index authors reap licensing fees from the use of their indexes as fund benchmarks, so the more funds there are based around an index, the better the indexing company does. And the more funds and money invested in an index, the greater the accuracy of the index as a window on the conditions of the market must be.

The EMU Factor

Before European Monetary Union, European investors and funds were generally limited to stocks within their national markets, and the indexes that followed them – such as the German DAX 30, the French Cac 40, the UK’s FTSE 100 and Spain’s IBEX 35.

EMU’s single currency, the merger of national stock exchanges and the possibility of the UK and even Switzerland joining EMU, brings up the specter of rendering irrelevant such revered benchmarks as the FTSE 100 and the DAX.

That trend, combined with technology that makes trading more efficient, means the intermediaries are being squeezed, and that is precisely what is driving not just the stock exchanges but also the investment banks to merge as quickly as they can.

In the US, the benchmark index to the average retail investor is the Dow Jones Industrial Average. In Europe, though, investment cultures change and stock exchanges pop up everywhere you turn, and the attempt to find a clear “Pan-European benchmark” is difficult even a year and a half into monetary union.

“When you look at who will be ‘the’ pan-European benchmark,” said the Merrill Lynch official, “you’ve got to discriminate between the institutional side, which tends to favor MSCI, and the retail side, which is rapidly emerging to be the EMU-based EuroStoxx 50, which has seen tremendous growth.”

The DJ EuroStoxx 50 is a part of the Dow Jones Stoxx family of indexes, which also include Stoxx, a broad, pan-European selection of 600 companies as well as smaller sector indexes. Because of its relative simplicity and the fact that it follows only blue chips, the DJ EuroStoxx 50 has become hugely popular with retail investors, and is gaining some ground with European institutional investors.

Union Investment Bank’s Hilck says that they chose the EuroStoxx because his company felt that the EuroStoxx 50 achieved better performance recently than did the MSCI Europe – “Last year the DJ EuroStoxx 50 was the index to beat, so we’re sure that the investor really gets the highest benchmark out there,” he said.

Currently Dow Jones estimates that index tracking funds, which are particularly attractive to both retail investors and fund managers, have invested Euro15 to 20 billion in funds that track DJ Stoxx indexes in Europe.

But in the institutional arena, where the money really moves, DJ Stoxx has got competition aplenty from Morgan Stanley Capital International’s family of indexes, the belles of the ball when it comes to global indexes: about US$1.5 trillion is benchmarked to MSCI indexes around the world.

For its part, FTSE, under pressure from the UK and abroad to emerge dominant in the London and Frankfurt Exchange merger, denies that its beloved FTSE will soon be irrelevant. “Clearly some new index is needed, but it’s just too early to tell what shape that will take,” said FTSE’s Makepeace, who added, “We’ll be introducing a series of technology indexes soon.”

TORNADO-INVESTOR.COM’s index is the first index to specifically address the pan-European high tech market. American investors have enjoyed the convenience of the Nasdaq, an index which lists high-tech, high-growth stocks in the USA, but until the Tornado European Technology Index, no truly Pan-European index solely devoted to technology existed.

The Tornado European Technology Index follows the 300 most important high-tech companies in Europe, and then subdivides them into 15 sub-sector indexes so that investors can see the movement of software, computer, mobile telephony companies and so on. Taken together, these companies have a more even momentum than individual share prices.

Weighting

Indexes proffer a benchmark for a “basket” of stocks which have something in common with one another. Weighting, or balancing the impact that companies within the list may have on the index as a whole, is the key to building an index that is useful as a benchmark.

In its purest form an index tracks the share prices of a group of companies chosen for the size of their market capitalization. Weighting ensures that companies with large market values move the index more than those with small ones. Without it, a 10% move in a tiny company whose shares trade at €200 would count for more than a 10% move in a giant whose shares trade at €10, even though the giant’s move says far more about market conditions. Weighting by market capitalization corrects for this.

Put another way, a small move up or down by a listed giant such as Nokia would affect an index more than a large move up or down by a smaller company like Vaisala.

Of the major pan-European indexes, at least in Euroland (EMU Europe), the winner of the title of “pan-European benchmark index for the retail investor” has not yet emerged, but if you had to make a bet, the smart money would be on Dow Jones’ EuroStoxx50, which follows 50 Euroland “Blue Chips” – the largest companies by market capitalization.

A sample network access policy

In order to protect our network, computers and the confidential data of our clients, [Firm Name] (the “Firm”) has instituted this Network And Computer Access Policy. We’re protecting against not just the damages and liability created when unauthorized access occurs, but also against viruses and physical damage to our systems.

Introduction
This document sets forth standards which must be adhered to by all employees, contractors and any user granted access to any machine on the Local Area Network (LAN) at any time, whether physically present at the Firm or via remote access.

Failure to comply with the policies set forth in this document will result in disciplinary action, and may result in termination of employment.

Definitions
For the purposes of this document, an “Employee” is any employee, contractor, agent, temporary worker, vendor or any other person in a position to know or obtain information about computers or devices on the LAN.

The firewall is a hardware or software device which protects the ports of computers on the LAN. For the purposes of this document, “Remote Access” shall mean access to the Local Area Network from any location outside the firewall by any method, including but not limited to Virtual Private Network (VPN), dial-in modem, frame-relay, SSH, cable-modem and any other method of accessing the LAN from outside the firewall.

Policy Scope
The Policy applies to any person granted authorization to access any computer or device on the Firm’s LAN (an “Authorized User”). This includes but is not limited to contractors, temporary workers, vendors, sub-contractors, employees, attorneys and partners authorized to access any of the Firm’s computers, locally or via Remote Access, for any reason, including email and Internet or intranet web browsing.

Physical Security
All computers and devices on the LAN must be physically secured when leaving them unattended. All servers must be additionally secured with locking devices such as keyboard locks.

Any notebook or laptop computer, Personal Digital Assistant (PDA), Internet-capable cellular device, Wi-Fi-enabled device or other device capable of connecting via Remote Access to the LAN (a “Mobile Device”) must be secured with a BIOS password and user authentication. Any Mobile Device must run up-to-date anti-virus protection and a properly configured software firewall (see __ below).

Any Authorized User must take reasonable steps to ensure that any Remote Access to the LAN is treated with the same security approach as a connection made within the Firm.

Information Security
It is essential that each Employee be instructed never to tell even the most seemingly innocuous detail about the Firm’s Information Technology (“Sensitive Information”) to a third party. While it may seem inconvenient or rude, all Employees – from temporary receptionist to senior Partner – must treat as suspicious any request from any third party not personally known to that Employee. Private detectives and others who specialize in information retrieval may call several people in a firm, asking each for a seemingly innocuous detail, which combined can result in a breach of the Firm’s security. Employees must jealously protect any information about the Firm’s Information Technology, including but not limited to:

  • Never telling a caller any details including but not limited to server names, Internet Service Providers, telephone provider, email server information (including email server name), printer type, computer brand, router type or brand;
  • Never telling a caller the name of your Information Technology specialist, whether that Information Technology person is in-house or contracted;
  • Never telling a caller the name of any Wireless Access Point (WAP) SSID; never confirming the presence of a Wi-Fi WAP;

Any caller not personally known to the Employee who requests Sensitive Information must be referred to the appropriate department head or Partner, without giving such person the name of such appropriate department head or Partner. If such referral is not possible or practical, then the Employee must request from the caller a callback number, to be given to the appropriate department head or Partner, without giving such person the name of such appropriate department head or Partner.

Password Security
All Authorized Users must use strong passwords. Unacceptable passwords include but are by no means limited to,

  • first or last names, or combinations thereof;
  • names of an Authorized User’s children or pets;
  • words found in a dictionary, or combinations of dictionary words with a sound-alike digit (second2, etc.);
  • use of the words or variants on the word password, admin, update, access, login, computer, terminal, workstation, work, home, etc.

Strong passwords are at least eight characters long and mix upper-case letters, lower-case letters and numbers; treat eight characters as a floor, not a target.

Authorized Users should change their password regularly.

No Employee may leave a password written down in proximity to the computer or device which the password accesses.

No Employee may ever provide their login or email password to anyone, including family members.
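The rules above are easy to state and easy to misapply by hand, so here is the password section expressed as an automated check. This is an added example, not part of the sample policy: the word list is a constructed handful of entries standing in for a real dictionary (cracklib or /usr/share/dict/words), and the sound-alike substitutions and the name-combination logic are one reading of the bullets, not something the policy spells out.

```python
import re
from itertools import permutations

# Constructed stand-in for a real word list; load cracklib or
# /usr/share/dict/words in production instead of this handful.
DICTIONARY = {"second", "summer", "welcome", "dragon", "monkey", "letmein",
              "qwerty", "baseball", "sunshine", "network"}

# The words the policy names outright; "variants" are caught by substring
# matching after the normalisation below.
BANNED_STEMS = {"password", "passwd", "admin", "update", "access", "login",
                "computer", "terminal", "workstation", "work", "home"}

# Sound-alike / look-alike substitutions a cracking tool undoes first
# (second2, Passw0rd, p@ss). Assumed mapping, not from the policy.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidates(password):
    """Normalised forms of the password as a cracker would try them: lower-cased,
    leet-decoded, with leading/trailing digits and then all non-letters stripped."""
    low = password.lower()
    forms = {low, low.translate(LEET)}
    for form in list(forms):
        forms.add(form.strip("0123456789"))
        forms.add(re.sub(r"[^a-z]", "", form))
    return {f for f in forms if f}


def name_combinations(names):
    """'first or last names, or combinations thereof': each name alone plus every
    ordering of two or more of them concatenated."""
    names = [n.lower() for n in names if n]
    combos = set(names)
    for r in range(2, len(names) + 1):
        for perm in permutations(names, r):
            combos.add("".join(perm))
    return combos


def check_password(password, user_names=()):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")

    forms = candidates(password)
    if forms & name_combinations(user_names):
        problems.append("built from the user's names")
    if forms & DICTIONARY:
        problems.append("dictionary word, possibly with a sound-alike digit")
    if any(stem in form for form in forms for stem in BANNED_STEMS):
        problems.append("contains a banned word such as 'password' or 'admin'")
    return problems


if __name__ == "__main__":
    for pw, names in [("second2", ()), ("Passw0rd!", ()),
                      ("JohnSmith99", ("John", "Smith")), ("xK7#qLm2pA", ())]:
        print(pw, "->", check_password(pw, names) or "ok")
```

Returning the full list of violations rather than a yes/no lets the help desk tell the user what to fix. The eight-character minimum is the policy's own figure; raising it is a one-line change.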

Acceptable Use
Authorized Users may access the Internet for Firm business or personal information provided that they:

  • do not jeopardize the security of any Firm or confidential client information which may be present on the computer being used to access the Internet;
  • do not violate any of the Firm’s policies;
  • do not engage in illegal or prurient activities;
  • do not engage in outside business interests;

Wi-Fi Security
Any Wi-Fi Access Point (WAP) must be configured to comply with the four-step Proposed Standard of Reasonable Wireless Network Security in Law Firms available at http://www.delmaropensource.com/standard.htm. The proposed standard’s four steps are:

  • Changing the WAP defaults (administration password, router name, router IP address, SSID name, etc);
  • Encrypting the signal using the best available encryption method, in order from most to least desirable, WPA2, WPA, 128-bit WEP;
  • Requiring VPN access into the LAN from anywhere outside the Firewall;
  • Implementing a written access policy, such as this one

Wireless (Wi-Fi) Access
Any access to any computer or device on the LAN behind the firewall must be via VPN. Any Authorized User accessing the LAN via VPN from their home or other WAP (a “Remote WAP”) must apply all four steps above to the Remote WAP.
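To make the four steps checkable rather than aspirational, here is an audit of an access point’s settings against steps 1 to 3. This is an added example, not part of the policy or the proposed standard: the key=value settings export, the `lan_access` key standing in for step 3, and the lists of factory defaults are all assumptions, and the WPA passphrase length check is a property of WPA-PSK rather than a requirement of the policy. 128-bit WEP is accepted, as the policy allows, but flagged, because its key has been recoverable from captured traffic for years.

```python
# Factory defaults a reviewer would recognise. Constructed short lists for this
# example; a real audit loads the vendor's documented defaults.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless", "belkin54g"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}
DEFAULT_LAN_IPS = {"192.168.0.1", "192.168.1.1"}

# Step 2 ranking from the policy, best first; anything else (open, 64-bit WEP) fails.
ENCRYPTION_RANK = {"wpa2": 0, "wpa": 1, "wep128": 2}


def parse_settings(text):
    """Parse a key=value settings export (hypothetical format); blank lines and
    '#' comments are ignored, keys are lower-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_wap(settings):
    """Check one access point against steps 1 to 3. Returns a list of
    (severity, message); severity is 'fail' or 'warn'."""
    findings = []

    def fail(msg):
        findings.append(("fail", msg))

    def warn(msg):
        findings.append(("warn", msg))

    # Step 1: change the defaults
    if settings.get("ssid", "").lower() in DEFAULT_SSIDS:
        fail("step 1: SSID is a factory default")
    if settings.get("admin_password", "") in DEFAULT_ADMIN_PASSWORDS:
        fail("step 1: administration password is a factory default")
    if settings.get("lan_ip", "") in DEFAULT_LAN_IPS:
        fail("step 1: router IP address is a factory default")

    # Step 2: best available encryption
    enc = settings.get("encryption", "none").lower()
    if enc not in ENCRYPTION_RANK:
        fail("step 2: encryption '%s' is not WPA2, WPA or 128-bit WEP" % enc)
    elif enc == "wep128":
        warn("step 2: 128-bit WEP is the policy's last resort and its key is "
             "recoverable from captured traffic; move to WPA2")
    else:
        # WPA/WPA2-PSK passphrases are 8 to 63 ASCII characters by specification;
        # short ones can be guessed offline once a handshake has been captured.
        passphrase = settings.get("passphrase", "")
        if not 8 <= len(passphrase) <= 63:
            fail("step 2: WPA passphrase must be 8 to 63 characters")
        elif len(passphrase) < 20:
            warn("step 2: WPA passphrase is short enough to guess offline")

    # Step 3: the LAN is reachable only through the VPN (lan_access is an assumed key)
    if settings.get("lan_access", "direct").lower() != "vpn":
        fail("step 3: wireless clients can reach the LAN without a VPN")

    return findings


def passes(findings):
    """True when no finding is a hard failure (warnings alone still pass)."""
    return not any(severity == "fail" for severity, _ in findings)


# Constructed settings exports: out of the box, after the four steps, and a legacy AP.
FACTORY_DEFAULT = """
# as shipped
ssid=linksys
admin_password=admin
lan_ip=192.168.1.1
encryption=none
lan_access=direct
"""

HARDENED = """
# the same AP after steps 1 to 3
ssid=conf-room-west
admin_password=Q7m!vR2pLx9s
lan_ip=10.47.12.1
encryption=wpa2
passphrase=correct-battery-staple-9981-kola
lan_access=vpn
"""

LEGACY = """
ssid=firm-legacy-ap
admin_password=Q7m!vR2pLx9s
lan_ip=10.47.12.2
encryption=wep128
lan_access=vpn
"""

if __name__ == "__main__":
    for label, text in [("factory", FACTORY_DEFAULT), ("hardened", HARDENED), ("legacy", LEGACY)]:
        findings = audit_wap(parse_settings(text))
        print(label, "PASS" if passes(findings) else "FAIL")
        for severity, msg in findings:
            print("  ", severity.upper(), msg)
```

Step 4, the written policy, is not a property of the device and is left to the reviewer. Separating warnings from failures keeps the check honest about what the policy mandates while still surfacing the settings a practitioner would change next.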

Remote Devices
Any Employee using any Remote Device must ensure that such device is updated with the most recent security patches for their Operating System.

All machines on the LAN and any Remote Device must run current versions of anti-virus software with regularly updated virus definitions. New viruses appear every hour; “regularly updated virus definitions” means at a minimum once each week, and updating every 24 hours is reasonable.

Any Remote Device must be running a properly-configured firewall program such as Zone Alarm or Computer Associates eTrust. Users at public Hotspots must be aware that, if such Remote Device is not running a firewall, a malicious user on the same network can gain access to the Remote Device and install software or remove files from the Remote Device’s hard drive.

Any Authorized User using a Remote Device outside the firewall must use the VPN to send and receive Firm email. No Firm email may be sent using third-party email services (including but not limited to gmail, hotmail, etc).

Any Authorized User accessing any computer or device on the LAN for remote management or administration must use SSH or VPN. For remote file transfer, SCP, SFTP or VPN must be used. Under no circumstances shall Telnet, FTP or any other unencrypted access method be used.
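One way to verify that the rule above is followed is to look at what actually crosses the firewall from remote users. This added example (not part of the policy) scans constructed iptables-style LOG lines for connections to cleartext services and reports who is using them; the log format, the address plan (VPN users in 10.48.0.0/24, LAN in 10.47.0.0/16) and the set of flagged ports are assumptions.

```python
import re

# Services that carry credentials or files in the clear. Telnet and FTP are the
# ones the policy names; TFTP, rlogin and rsh are added as "other unencrypted
# access methods". Keyed on (protocol, port) so that UDP/514 syslog is not
# confused with TCP/514 rsh.
CLEARTEXT_SERVICES = {
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("udp", 69): "tftp",
    ("tcp", 513): "rlogin",
    ("tcp", 514): "rsh",
}

# Assumed format: iptables LOG lines from a forwarding firewall.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dport>\d+)"
)


def parse_flow(line):
    """Return (src, dst, proto, dport) for a LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto").lower(), int(m.group("dport"))


def find_cleartext_access(lines):
    """Return (src, dst, service) for every flow to a cleartext service."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, proto, dport = flow
        service = CLEARTEXT_SERVICES.get((proto, dport))
        if service:
            hits.append((src, dst, service))
    return hits


def offenders(hits):
    """Group hits by source host so each remote user can be followed up once."""
    by_src = {}
    for src, dst, service in hits:
        by_src.setdefault(src, set()).add("%s to %s" % (service, dst))
    return by_src


# Constructed sample: one SSH session, two cleartext logins, one SMB share,
# one TFTP fetch and one syslog datagram that must not be flagged.
SAMPLE_LOG = """\
Jul 12 08:31:02 fw kernel: FWD IN=tun0 OUT=eth1 SRC=10.48.0.7 DST=10.47.10.5 PROTO=TCP SPT=51022 DPT=22
Jul 12 08:31:40 fw kernel: FWD IN=tun0 OUT=eth1 SRC=10.48.0.7 DST=10.47.10.5 PROTO=TCP SPT=51030 DPT=23
Jul 12 08:32:15 fw kernel: FWD IN=tun0 OUT=eth1 SRC=10.48.0.9 DST=10.47.10.8 PROTO=TCP SPT=49211 DPT=21
Jul 12 08:33:01 fw kernel: FWD IN=tun0 OUT=eth1 SRC=10.48.0.9 DST=10.47.10.8 PROTO=TCP SPT=49300 DPT=445
Jul 12 08:34:44 fw kernel: FWD IN=tun0 OUT=eth1 SRC=10.48.0.11 DST=10.47.10.5 PROTO=UDP SPT=40000 DPT=69
Jul 12 08:35:10 fw kernel: FWD IN=tun0 OUT=eth1 SRC=10.48.0.11 DST=10.47.0.20 PROTO=UDP SPT=40100 DPT=514
"""

if __name__ == "__main__":
    for src, uses in offenders(find_cleartext_access(SAMPLE_LOG.splitlines())).items():
        print(src, "->", ", ".join(sorted(uses)))
```

Flagging on the destination port is a heuristic: a service moved to a non-standard port is missed, and a non-standard service on port 23 is a false positive. The firewall rule that denies these ports outright is the control; this scan tells you who would have hit it.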

No Employee using any Remote Device shall access the LAN while connected to any other network, except a personal network over which such Employee has complete control.


Also in this series…
A proposal for Reasonable Wireless Security for law firms

A sample network access policy

Wifi encryption standards

“There’s nothing on my desk worth stealing”

…and free hotspots for all


A proposal for Reasonable Wireless Security for law firms

It’s just past 8.30 am on a busy Tuesday. A five-person legal team has just arrived to work with your firm on that big case. For the next four days, these five lawyers will be camped in your conference room. And their first question is, “How do we get Internet access?”

[Ian Sacklow co-wrote this white paper]

At many small and mid-sized firms in the US, the answer is increasingly, “We’ve got Wi-Fi.”[1] A Wi-Fi Access Point (WAP) allows your computer or personal digital assistant (PDA) to connect to the Internet, or a computer network, at high speed, without wires (see sidebar).

Wi-Fi lets your clients use the Internet or access their corporate network. It allows your partners, associates and interns access to the web and your Local Area Network (LAN) from the library or lunchroom – or the coffee shop across the street.

In the immediate future, lack of a Wi-Fi connection to the Internet will be as disruptive to a law firm as the lack of an Internet connection, or a mobile phone.

As we adopt new technologies, no matter how revolutionary or wonderful they may be, we must not be reluctant to address their vulnerabilities. An improperly or incompletely configured WAP has vulnerabilities. Fortunately, there are inexpensive and easy-to-employ safeguards against many of them.

Executive Summary
This article is intended to provide attorneys and support staff with an overview of Wi-Fi, and the challenges they face as they maintain the confidentiality of client documents and information in a wireless network setting. This article proposes a standard comprising the steps which law firms should take to reasonably prevent intrusion into their LAN via their WAP, and thereby protect the confidentiality of their clients’ information.

The article is geared towards those in the many law firms which don’t have full-time Information Technology (IT) departments, or formal computer training. The steps suggested do not provide a guarantee against unauthorized intrusion. They do provide a reasonable amount of security at reasonable expense.[2]

When it comes to a lawyer’s duties to maintain confidentiality, I’ve been told there has been no landmark ruling about what are reasonable measures to protect client data across a WAP. A poorly configured WAP can expose your clients’ confidential information. Unless you wish to be the test case to establish that standard, you should establish and maintain reasonable levels of security when deploying a WAP.

It is submitted that the steps I propose are reasonable, and it is hoped that they would therefore be adopted as a standard to be followed and provide a safe harbor for law firms seeking to protect the confidentiality of client information in a wireless network setting.

The proposed standard includes four steps to protect and encrypt the traffic on the WAP. Any WAP not so protected shall be considered to be an “Open WAP.”

The proposed standard also includes a written security policy covering:

  • WAPs in the office
  • WAPs at the homes of those with remote-access authorization to the firm’s local area network
  • Computers which contain client data and access publicly-accessible WAPs (at coffee bars, airports, Bar Association libraries, etc.)

Wi-Fi: An Indispensable Tool

  • Wi-Fi is everywhere, and it’s no fad.

There were more than 10 million WAPs in US homes by the end of 2004, with an expected 14 million by the end of 2005.

At coffee bars, restaurants and offices throughout the world, you’ll see people working on Wi-Fi-enabled devices like notebook computers. Publicly-accessible WAPs, known as Hotspots, are provided in scores of cities to encourage Internet use. Many Hotspots provide the Internet access at no cost, to encourage foot traffic.

Other Hotspots, such as those at most Starbucks, Barnes and Noble, Borders and Kinkos locations, charge access fees for Wi-Fi – about $1.30 a day for a monthly subscription.

WAP Overview

  • The difference between connecting via Wi-Fi to the Internet and connecting via Wi-Fi to your LAN is an important distinction.

Components comprising a Wi-Fi network work in much the same way as walkie-talkies and a base station. When you set up a WAP (sometimes also referred to as a “Wireless Router”), you are broadcasting a radio signal to the area within a radius of up to 300[3] feet from the WAP. By default, anyone with a mobile device equipped with a Wi-Fi transceiver (“Wi-Fi Adapter”) can detect this signal and request a connection. When the WAP recognizes the request, by default it assigns to the requesting device a unique identifier (an “IP Address”, normally handed out by DHCP) which permits the WAP and mobile device to communicate. Once this connection has been made, the mobile device is granted access to the network to which the WAP is connected.

Most people connect the WAP to a high-speed Internet connection. Once a mobile device is connected to such a WAP that device can access the Internet.

Some people also connect the WAP to their Local Area Network (LAN). Your LAN is the network of computers which contain your data and client information. LAN access must be protected by a firewall, which prevents unauthorized communications originating outside the LAN from getting in.

For reasons which will be made clear below, I highly recommend that anyone accessing your LAN from anywhere outside the firewall – be it through your WAP, their home computer or network (wired or wireless) or a public Hotspot – do so through a Virtual Private Network (VPN). A VPN creates a “tunnel” through which your data is transported, encrypted, through the firewall and on to the LAN.

VPNs are the number one thing people should be doing. A VPN lets trusted[4] users be as productive as possible. Even if an unauthorized user gets on to your WAP, you can keep him locked out of your LAN.

The proposed standard therefore requires you to place the WAP outside your firm’s firewall. By creating a “demilitarized zone” (DMZ), the network segment behind the WAP but outside the firewall, you grant wireless Internet access via your WAP, while only Trusted users may access the LAN, through the VPN.

Unless you intend to offer public Internet access (which you might, see below), then you must also protect your WAP with encryption and an authentication scheme, which requires user name and password, to help keep unauthorized users out. While less important than protecting your LAN, protecting your WAP from just anyone getting Internet access can be important as well (see sidebar).
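The DMZ arrangement just described comes down to a short list of firewall rules, and the order of those rules is where it goes wrong in practice. This added example (not from the white paper) models the proposed standard as a first-match rule set and compares it with a WAP plugged straight into the LAN; the address ranges, the VPN concentrator’s address and the OpenVPN port are assumptions.

```python
import ipaddress
from collections import namedtuple

# Address plan assumed for this example (the white paper names no addresses):
LAN      = ipaddress.ip_network("10.47.0.0/16")     # workstations and file servers
WIFI_DMZ = ipaddress.ip_network("192.168.50.0/24")  # what the WAP hands to wireless clients
VPN_POOL = ipaddress.ip_network("10.48.0.0/24")     # addresses given to authenticated VPN users
VPN_GW   = ipaddress.ip_address("10.47.0.2")        # the VPN concentrator: the one LAN host the DMZ may reach
RFC1918  = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# src/dst is an IPv4Network, an IPv4Address, "any" or "internet";
# proto is "any" or a transport name; dport 0 means any port.
Rule = namedtuple("Rule", "name action src dst proto dport")


def in_scope(scope, addr):
    if scope == "any":
        return True
    if scope == "internet":  # anything that is not private address space
        return not any(addr in net for net in RFC1918)
    if isinstance(scope, ipaddress.IPv4Address):
        return addr == scope
    return addr in scope


def evaluate(rules, src, dst, proto="tcp", dport=0):
    """First matching rule wins; traffic matching no rule is denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (in_scope(rule.src, src) and in_scope(rule.dst, dst)
                and rule.proto in ("any", proto) and rule.dport in (0, dport)):
            return rule.action, rule.name
    return "deny", "default"


# The proposed standard: WAP outside the firewall, LAN reachable only through the VPN.
# Order matters: the VPN gateway sits inside the LAN range, so its allow must come
# before the blanket deny into the LAN, and the Internet allow must come after it so
# that "internet" can never be read as "everything".
PROPOSED_STANDARD = [
    Rule("dmz-to-vpn-gateway", "allow", WIFI_DMZ, VPN_GW,     "udp", 1194),  # OpenVPN, assumed
    Rule("dmz-to-lan",         "deny",  WIFI_DMZ, LAN,        "any", 0),
    Rule("dmz-to-internet",    "allow", WIFI_DMZ, "internet", "any", 0),
    Rule("vpn-users-to-lan",   "allow", VPN_POOL, LAN,        "any", 0),
]

# The arrangement the paper warns against: an Open WAP on the LAN, nothing in between.
WAP_ON_LAN = [Rule("flat-network", "allow", "any", "any", "any", 0)]

if __name__ == "__main__":
    # Constructed flows: an SMB share, the VPN handshake, SSH aimed straight at the
    # gateway, a public web site, and an authenticated VPN user reaching the share.
    flows = [
        ("192.168.50.23", "10.47.10.5",    "tcp", 445),
        ("192.168.50.23", "10.47.0.2",     "udp", 1194),
        ("192.168.50.23", "10.47.0.2",     "tcp", 22),
        ("192.168.50.23", "93.184.216.34", "tcp", 443),
        ("10.48.0.7",     "10.47.10.5",    "tcp", 445),
    ]
    for flow in flows:
        print(flow, "standard:", evaluate(PROPOSED_STANDARD, *flow),
              "open WAP on LAN:", evaluate(WAP_ON_LAN, *flow))
```

The file-share flow is the one to watch: it is denied under the standard and allowed under the flat network, which is the whole difference between the two designs. Swapping the first two rules would silently block the VPN handshake, so a rule set like this deserves a test of exactly that kind.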

What’s Your Responsibility?

  • Connecting an Open WAP to your firm’s LAN is literally as unsafe as placing your client files in an unlocked file cabinet in the center of a city street.

Lawyers in New York State mustn’t knowingly “… reveal a confidence or secret of a client”, and “…shall exercise reasonable care to prevent … employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidences or secrets of a client.”[5]

An Open WAP is a Hotspot – a publicly shared computer network open to anyone, anywhere within 300 feet. In 2001, the DC Legal Ethics Committee stated it is “…impermissible for unaffiliated attorneys to have unrestricted access to each other’s electronic files (including e-mails and word processing documents) and other client records. If separate computer systems are not utilized, each attorney’s confidential client information should be protected in a way that guards against unauthorized access and preserves client confidences and secrets.”[6]

The Delaware Bar opined that client confidentiality is broken when a lawyer “should reasonably anticipate the possibility that his or her communication could be intercepted and confidences disclosed.”[7]

An irate client whose opponent became aware of embarrassing information via such an interception might well make the argument that maintaining an Open WAP doesn’t protect his data in a way that guards against unauthorized access and preserves client confidences and secrets.

Protecting the confidentiality of client information on an Open WAP is impossible. Cheap and simple steps can solve this problem.

Criminal Liability of Accessing a ‘Public’ Hotspot

  • You cannot rely on existing laws to prosecute “unauthorized” WAP access. It is difficult to determine how a user becomes authorized to access a WAP, and there’s no common mechanism by which to post a notice that he is not.

In early July, 2005, police in St Petersburg, FL, arrested Benjamin Smith III for accessing a residential WAP and connecting to the Internet – from his car. Smith was charged with unauthorized access to a computer network.

He might get off. Who’s to say it was unreasonable for Smith to assume what he did was Kosher? The WAP he used was wide open. With the proliferation of Hotspots, who can say whether a person can reasonably infer an Open WAP is intended for public use?

Under current New York law, it is illegal to intentionally access someone else’s computer, computer network or equipment without authorization to do so where such computer or equipment “…is equipped or programmed with any device or coding system, a function of which is to prevent the unauthorized use of said computer or computer system.”[8]

The New York Penal Law also attempts to define “authorization” by providing that, to establish authorization, one must either

(i) give actual notice in writing or orally to the user;

(ii) prominently post written notice adjacent to the computer being utilized; or

(iii) provide a notice that is displayed on, printed out on or announced by the computer being utilized by the user.[9]

Significantly, the Penal Law also provides for a presumption that notice of such authorization is given where “the computer is programmed to automatically display, print or announce such notice ….”[10]

Scott R. Almas, who was instrumental in developing the business and technology model to implement many of the Hotspots throughout downtown Albany, New York, is a technology attorney at the law firm of Lemery Greisler LLC. While Almas does not endorse the unauthorized use of open WAPs, he points out significant problems with New York’s law when viewed against the practical reality of the proliferation of Open WAPs.

“I am particularly troubled,” Almas said, “by how a user is supposed to know whether or not the owner of the Open WAP is authorizing use of the access point where the owner broadcasts to the world the presence of the access point and takes no steps to secure it. By the very nature of WAPs, there is no reasonable way to post or provide oral notice, and it can be difficult to interpret from the broadcasted name of the access point whether authorization is intended.”

“In light of the fact that protecting the WAP is free, simple to do, and strongly recommended by the access point manufacturers during the set up process,” Almas said, “I believe anyone who sets up a WAP and does not follow the advice to install even the most basic, minimal safeguards should be presumed to be providing authorization to access the Open AP for otherwise lawful Internet use.”

“The presumption should not,” adds Almas, “extend to authority to access information on the WAP owner’s LAN, or other illegal or harmful activities.”

Oops. Was That Your WAP?

  • If a mobile device automatically seeks and connects to a WAP, then accessing an Open WAP needn’t even be intentional.

Most new notebook computers ship with Microsoft Windows XP or Macintosh OS X, and are equipped with internal wireless adapters (see sidebar). If the wireless adapter is switched on, the notebook will seek, and attempt to connect with, WAPs, even before the screen comes to life.

People set their notebooks to connect to any available network, so the onus is on the owner of the WAP. I would think that if your WAP hands any device that asks everything it needs to get online (a DHCP lease with an IP address, gateway and DNS server), a user might reasonably conclude that he has been granted access to your WAP.

New York Penal Law Section 156.50 provides a defense for persons who had reasonable grounds to believe that they had authorization to use the computer. Unfortunately, therefore, the issue will likely be left for the Courts to decide whether such a presumption exists and is applicable in any given case.

Attorneys and the public must properly frame these issues and arguments, so that the Courts can properly interpret and apply the law.

Determine Your Needs

  • You can protect your LAN while providing public access to your WAP and the Internet, so long as you configure your WAP properly.

Lemery Greisler, Almas’ Albany, New York law firm, provides a Hotspot to afford anyone in the area free access to the Internet. By giving pedestrians a good reason to mill about, this is a fine goodwill gesture towards local businesses at low cost.

That is a perfectly reasonable thing to do, so long as you reasonably ensure (as did Lemery Greisler) that it is difficult for strangers to access your LAN from the Hotspot. They placed the Hotspot outside their firm’s firewall, thereby providing a public service at little risk to their own network: as far as the firewall is concerned, Hotspot users are simply more strangers on the Internet, and they get exactly the access any other outsider gets.

It is important that you, too, determine what you want your WAP to do, and deploy it properly.

Don’t Panic … But Set A Policy

  • A clearly communicated and strongly enforced written policy governing remote network access is essential.

A written wireless data security policy is vital in any environment; in a law firm, the lack of one could be expensive, embarrassing and time-consuming. It could create civil liability – and even criminal liability (see sidebar) – for the firm.

All people in the firm must be made aware of the policy, no matter their position: it does you no good to take steps to increase security if your receptionist or even a junior associate tells a caller information about your WAP and network. This happens far more often than you’d think. Specifics on what the policy should cover are listed below, within the proposed standard.

Everybody’s Not Doing It

  • If you haven’t locked down your firm’s WAP, you’re not alone. This problem is widespread and international.

In March, 2005, data protection company RSA Security reported that a survey it commissioned from netSurity found more than one third of wireless business networks in four major cities were unsecured – 38% of businesses in New York, 35% in San Francisco, 36% in London and 34% in Frankfurt.

Those numbers are about right – a safe, if not conservative, figure. It’s analogous to a car, which comes with locks built right into the doors, but it’s up to you to press the lock button.

From Elite Geeks to An Unruly Mob

  • One no longer needs to be a gifted programmer to be a successful intruder.

Cracking WEP, the weakest form of Wi-Fi encryption, is increasingly trivial (see sidebar), and attorneys must never rely on WEP, no matter how large the key size, as the sole means of protecting a LAN. The weakness is in the design, not in the key length, so a longer key does not fix it.
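To show why key length does not rescue WEP, here is an added example (mine, not part of the white paper and not anything Linksys ships) that reimplements WEP’s per-frame encryption in a few lines of Python and recovers one frame’s contents from another frame that happened to reuse the same 24-bit IV. The RC4 routine, the 104-bit key and both frame contents are constructed for the demonstration; the fixed header bytes stand in for the predictable LLC/SNAP header that every real frame begins with, which is where attackers get their known plaintext.

```python
"""WEP keystream reuse: an added example, not from the original white paper."""
import math
import os
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (key scheduling + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt one frame body the WEP way: IV || RC4(IV || key) XOR (data || CRC-32 ICV).

    The IV travels in the clear; for a given key it is the only thing that changes per frame.
    """
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    keystream = rc4(iv + key, len(body))
    return iv + bytes(c ^ k for c, k in zip(body, keystream))


def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes, known_a: bytes) -> bytes:
    """Recover frame_b's contents from two frames sharing an IV, given frame_a's plaintext.

    Same IV and key means the same keystream K, so C_a XOR C_b = P_a XOR P_b and
    P_b = C_a XOR C_b XOR P_a. The key is never touched, so its length is irrelevant.
    Only as many bytes as are known of P_a come back.
    """
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs: keystreams differ, nothing cancels")
    ca, cb = frame_a[3:], frame_b[3:]
    n = min(len(known_a), len(ca), len(cb))
    return bytes(ca[i] ^ cb[i] ^ known_a[i] for i in range(n))


def frames_until_iv_collision(prob: float = 0.5, iv_bits: int = 24) -> int:
    """Frames after which some IV has repeated with probability `prob` (birthday bound)."""
    return math.ceil(math.sqrt(-2 * (2 ** iv_bits) * math.log(1 - prob)))


def demo() -> dict:
    """Constructed scenario: two frames from one AP that reuse IV 00:00:01."""
    key = os.urandom(13)        # 104-bit secret ("128-bit WEP"); the attacker never needs it
    iv = b"\x00\x00\x01"        # repeats are common: 2^24 values, and many early cards counted up from 0
    header = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"   # LLC/SNAP header for IP: identical in every frame
    p_a = header + b" a frame whose contents the attacker already knows"
    p_b = header + b" USER alice PASS hunter2"     # the frame the attacker wants
    c_a = wep_encrypt(key, iv, p_a)
    c_b = wep_encrypt(key, iv, p_b)
    recovered = recover_with_known_plaintext(c_a, c_b, p_a)
    data_len = len(c_b) - 3 - 4     # frame length says where the data ends and the ICV begins
    data, icv = recovered[:data_len], recovered[data_len:data_len + 4]
    return {
        "recovered": data,
        # A matching CRC-32 confirms the recovery without ever learning the key.
        "icv_matches": icv == zlib.crc32(data).to_bytes(4, "little"),
        "frames_to_50pct_collision": frames_until_iv_collision(),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the second frame’s payload comes back intact, with the recovered CRC-32 confirming the result. The birthday figure shows that an IV repeat is more likely than not after roughly 4,800 frames on one AP, which on a busy network is a matter of minutes; the real attacks in the tools mentioned in this section go further and recover the key itself, but this is the structural reason they can.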

The popular image of a “Hacker,” as a young, pale-skinned male perched behind a complex computer using arcane tools to penetrate computer systems, is dated.

Hacking, password- and encryption-breaking tools have become ubiquitous, sophisticated, simple to use and are totally free to download from the Internet.

PROPOSED STANDARD

A determined intruder with the right tools will get in no matter what you do; nothing offers 100% security or guarantees, but you should employ the best security you can install and maintain without unreasonably disrupting productivity. Take all reasonable steps to secure client information on your LAN with a well-configured firewall.

If you merely wish to allow Trusted users wireless Internet access, securing your WAP can likely be done by Dan, that geeky intern who likes Star Trek. It can take as little as 15 minutes, and can cost nothing: if you’ve got a WAP, you’ve almost certainly got the hardware needed (and if you don’t, you can spend as little as $40 to get it).

If you wish to allow the WAP to also grant LAN access, and you don’t have an IT person in-house, you might buy a combination VPN/WAP for as little as $149 (see sidebar). Otherwise, you may need to hire an outside consultant or installation specialist for a few hours’ consultation or work to set up the VPN.

Four Main Steps

Because Linksys is the most popular WAP maker, the examples below refer to Linksys products; your WAP’s instruction manual contains specific How-Tos and instructions for all of the following. Other brands provide similar steps and menus and use much the same terminology.

STEP ONE: CHANGE THE DEFAULTS

The simplest solution for a range of common problems raised by WAPs is to change the default settings on the WAP itself. This is accomplished by opening a web browser and surfing to the IP address of the WAP device (on a factory-fresh Linksys, 192.168.1.1).

First go to the Setup Page:

  • Change the Router Name.11
  • Change the last two fields of the WAP’s Local IP address to something other than the factory default. Reasonable entries include 192.168.11.1 or 192.168.0.25. This does not hide the WAP from anyone already on the network (it hands out its own address as the default gateway), but it defeats the casual attempt to reach the administration page at the well-known default address.

Next, go to the Wireless Basic Settings Page. The Service Set Identifier (SSID) is the name of the wireless network your users will connect to. By default it is set to “linksys.”

  • Change the SSID to something non-descriptive, not your firm’s name. Security through obscurity is never to be relied upon by itself, but there is no reason to announce whose network it is; choose something obscure, like B3QXR25.
  • Then disable the SSID broadcast, so the network won’t be listed for users who don’t know that the WAP is there. Understand what this does and doesn’t buy you: the name is removed from the WAP’s beacons, but it is still sent in the clear every time one of your own clients connects, so “war-drivers” (people who drive around looking for Open WAPs; yes, there is a war-driving subculture) with a passive sniffer will see it anyway.
                

STEP TWO: CHANGE THE ADMINISTRATIVE PASSWORD

A hacker, using the default username of (nothing) and the default password of “admin”, can take over your WAP and lock you out. In the Administration page:

  • Set a new, hard-to-guess administration password: at least eight characters, not a word found in a dictionary, mixing upper and lower case letters and numbers.
  • While you are there, make sure Remote Management (administration from the Internet side) is turned off, so the administration page can be reached only from inside.
                  

STEP THREE: ENCRYPT THE SIGNAL

Use the best encryption method you possibly can, preferably WPA2 (see sidebar). If WPA2 is not available, then deploy, in descending order of preferability, either WPA or WEP. If you absolutely must use WEP, use 128-bit encryption, which takes somewhat longer to crack than weaker versions of WEP; understand that this buys a delay, not a defense. With WPA or WPA2 in pre-shared-key mode the protection is only as good as the passphrase: an attacker who records a client joining the network can try guesses against that recording offline, so use a long, random passphrase rather than a word or a memorable phrase.

STEP FOUR: VPN INTO THE LAN

You absolutely, positively may not allow access to your LAN through the WAP except with the use of a VPN.

Because the VPN’s authentication is vastly more secure than Wi-Fi’s, and it encrypts all data between the client (that’s your notebook computer or PDA) and the LAN, it helps ensure that anyone gaining access to the LAN is authorized. Treat the wireless segment as untrusted even after Steps One to Three: the WAP sits on the outside of the VPN gateway, just as a Hotspot sits outside the firewall, and only traffic that has authenticated through the tunnel reaches the LAN.
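Steps One through Three leave traces that can be checked from the parking lot; Step Four, the VPN, is invisible from outside. The following added example (mine, not from the white paper) parses the text that the Linux `iwlist <interface> scan` command prints and flags each network against the standard. The survey text below is constructed, not a real scan; the OUI-to-manufacturer table is illustrative and any real prefix should be checked against the IEEE registry; and the list of factory SSIDs is an assumption based on common default names.

```python
"""Audit a site survey against Steps One to Three: an added example, not from the white paper.
Parses the output format of the Linux `iwlist <iface> scan` command."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed survey in iwlist format (not a real capture): an untouched Linksys,
# a WEP network named after its owner, and a hidden WPA2 network set up per the standard.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:14:BF:11:22:33
                    ESSID:"linksys"
                    Mode:Master
                    Frequency:2.437 GHz (Channel 6)
                    Encryption key:off
                    Quality=60/70  Signal level=-50 dBm
          Cell 02 - Address: 00:09:5B:44:55:66
                    ESSID:"SmithJonesLaw"
                    Mode:Master
                    Frequency:2.462 GHz (Channel 11)
                    Encryption key:on
                    Quality=55/70  Signal level=-55 dBm
          Cell 03 - Address: 00:0F:66:77:88:99
                    ESSID:""
                    Mode:Master
                    Frequency:2.412 GHz (Channel 1)
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
                    Quality=40/70  Signal level=-70 dBm
"""

# Assumed list of factory SSIDs; a default SSID usually means nothing else was changed either.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "belkin54g", "wireless", "wlan"}
# First three octets of the BSSID identify the maker (see footnote 11). Illustrative entries only;
# verify any real prefix against the IEEE OUI registry.
OUI_VENDOR = {"00:14:BF": "Linksys", "00:0F:66": "Linksys", "00:09:5B": "Netgear"}


@dataclass
class Cell:
    bssid: str
    ssid: str                 # "" when SSID broadcast is disabled
    security: str             # "open", "WEP", "WPA" or "WPA2"
    vendor: Optional[str]
    findings: list = field(default_factory=list)


def parse_iwlist(text: str) -> list:
    """Split iwlist output into cells and classify each one's security."""
    cells = []
    for block in re.split(r"\n\s*Cell \d+ - ", "\n" + text)[1:]:
        bssid = re.search(r"Address: ([0-9A-Fa-f:]{17})", block).group(1).upper()
        ssid = re.search(r'ESSID:"(.*)"', block).group(1)
        encrypted = re.search(r"Encryption key:(on|off)", block).group(1) == "on"
        if not encrypted:
            security = "open"
        elif re.search(r"IE:.*WPA2", block):
            security = "WPA2"
        elif re.search(r"IE:.*WPA", block):
            security = "WPA"
        else:
            security = "WEP"      # encryption on, but no WPA information element: WEP
        cells.append(Cell(bssid, ssid, security, OUI_VENDOR.get(bssid[:8])))
    return cells


def audit(cell: Cell, owner_words=("law", "llc", "llp", "esq")) -> Cell:
    """Append a finding for each step of the standard the network visibly fails."""
    name = cell.ssid.lower()
    if name in DEFAULT_SSIDS:
        who = cell.vendor or "the manufacturer"
        cell.findings.append(f"step 1: factory SSID; {who} default settings and admin password "
                             f"are public, so step 2 is probably undone as well")
    elif any(w in name for w in owner_words):
        cell.findings.append("step 1: SSID identifies the owner")
    if cell.security == "open":
        cell.findings.append("step 3: no encryption; every frame is readable in range")
    elif cell.security == "WEP":
        cell.findings.append("step 3: WEP; crackable regardless of key length")
    elif cell.security == "WPA":
        cell.findings.append("step 3: WPA; move to WPA2 if the hardware allows")
    return cell


def audit_scan(text: str) -> dict:
    """Map BSSID -> audited Cell for every network in an iwlist scan."""
    return {c.bssid: audit(c) for c in parse_iwlist(text)}


if __name__ == "__main__":
    for bssid, cell in audit_scan(SAMPLE_SCAN).items():
        label = cell.ssid or "<hidden>"
        print(f"{bssid} {label!r:18} {cell.security:5} {cell.findings or ['ok from the air']}")
```

A clean result from the air is necessary, not sufficient: the hidden WPA2 network above may still have “admin” as its administration password and may still bridge straight onto the LAN, which is exactly what Steps Two and Four exist to prevent.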

Written Policy

Anyone who has been granted remote access to your LAN must abide by the written remote access policy. This policy must cover the remote users’ notebook computers, PDAs and other mobile data devices; their home LAN and any home computers; and any other machines which they may use to access the company LAN.

The policy must be clearly posted in the firm, and discussed with all remote users and staff. It must explicitly set forth rules governing what employees may tell outsiders about your computers, your network, your WAP and your security policies. It must be regularly reviewed.

For a sample written policy, see http://www.nickselby.com/wifi

Protect Home WAPs

Anyone granted permission to access the LAN via VPN must apply all four steps above to their home or other remote WAP. This not only protects your LAN, it protects personal data they store on their home machines.

Current OS Patches, Anti-Virus, Firewall & Spyware Blockers

Anyone accessing the LAN must ensure that their device is updated with the most recent security patches for their Operating System.

All machines on the LAN must run current versions of anti-virus software with regularly updated virus definitions. Note that new viruses are introduced every hour; “regularly updated virus definitions” means at a minimum once each week, and it could be argued that updating every 24 hours is the reasonable standard.

Any device accessing from outside the LAN must be running a properly-configured firewall program such as Zone Alarm or Computer Associates eTrust. The Basic Service Set (BSS) is shared by all users of an AP. Unless the hotspot blocks client-to-client traffic within the BSS (and you should assume it does not), a malicious user on the same AP can connect directly to your machine; if you are not running a firewall, he can gain access to it and install software or remove files from your hard drive. Likewise, if you are not encrypting your e-mail, it (along with your username and password) can be very, very easily captured and viewed in plain text by others on the Hotspot, unless you carry your e-mail through a VPN or protect it with an encryption program such as PGP. Note that PGP protects the contents of a message, not your mailbox login: only a VPN, or an SSL/TLS connection to the mail server, keeps the username and password off the air.

Always assume that others can see you on a Hotspot. Make sure you have a firewall running, and that anything you care about, such as e-mail or confidential files, is encrypted across a tunnel.
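What the neighbour two tables over sees when mail is fetched and sent without a tunnel, as an added example that is not part of the original white paper. The two sessions are constructed transcripts in the shape a sniffer’s stream view gives, with `C:` and `S:` marking client and server lines; the mailbox name, server name and password are invented. POP3 sends the username and password as bare commands, and SMTP’s AUTH LOGIN and AUTH PLAIN merely base64-encode them, which is an encoding, not encryption. The constructed SMTP server also offers STARTTLS and the client ignores it; the code reports that too.

```python
"""Credentials a neighbour on the same hotspot reads out of unencrypted mail traffic.
Added example, not from the original white paper; transcripts are constructed, not captured."""
import base64
import re

POP3_SESSION = """\
S: +OK POP3 server ready
C: USER alice@example-firm.test
S: +OK
C: PASS Winter2005!
S: +OK Logged in.
C: STAT
S: +OK 12 48210
"""

# The server advertises STARTTLS; the client never asks for it and authenticates with AUTH LOGIN.
SMTP_LOGIN_SESSION = """\
S: 220 mail.example-firm.test ESMTP
C: EHLO notebook
S: 250-mail.example-firm.test
S: 250-STARTTLS
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: YWxpY2VAZXhhbXBsZS1maXJtLnRlc3Q=
S: 334 UGFzc3dvcmQ6
C: V2ludGVyMjAwNSE=
S: 235 2.7.0 Authentication successful
"""

# Same credentials via AUTH PLAIN (one blob: authzid NUL user NUL password), encoded here
# with b64encode so the constructed transcript is exact.
SMTP_PLAIN_SESSION = (
    "S: 220 mail.example-firm.test ESMTP\nC: EHLO notebook\nS: 250 AUTH LOGIN PLAIN\n"
    "C: AUTH PLAIN " + base64.b64encode(b"\0alice@example-firm.test\0Winter2005!").decode()
    + "\nS: 235 2.7.0 Authentication successful\n"
)


def _lines(session: str, who: str) -> list:
    """Return the payload lines sent by 'C' (client) or 'S' (server)."""
    return [ln[3:].strip() for ln in session.splitlines() if ln.startswith(who + ": ")]


def sniff_pop3(session: str) -> dict:
    """POP3 USER/PASS cross the wire verbatim (RFC 1939); there is nothing to decode."""
    creds = {}
    for line in _lines(session, "C"):
        m = re.match(r"(USER|PASS) (.+)$", line, re.IGNORECASE)
        if m:
            creds[m.group(1).lower()] = m.group(2)
    return creds


def sniff_smtp(session: str) -> dict:
    """Recover credentials from SMTP AUTH LOGIN / AUTH PLAIN (RFC 4954) and note TLS use."""
    client, server = _lines(session, "C"), _lines(session, "S")
    result = {
        "starttls_offered": any(s.upper().endswith("STARTTLS") for s in server),
        "starttls_used": False,
    }
    i = 0
    while i < len(client):
        parts = client[i].split()
        cmd = " ".join(parts[:2]).upper()
        if cmd == "STARTTLS":
            result["starttls_used"] = True
            break                     # TLS handshake follows; the rest is opaque to a sniffer
        if cmd == "AUTH LOGIN":
            # The username may ride on the command line (initial response) or on the next line.
            if len(parts) == 3:
                user_b64, pass_b64, i = parts[2], client[i + 1], i + 1
            else:
                user_b64, pass_b64, i = client[i + 1], client[i + 2], i + 2
            result["user"] = base64.b64decode(user_b64).decode()
            result["pass"] = base64.b64decode(pass_b64).decode()
        elif cmd == "AUTH PLAIN":
            blob = parts[2] if len(parts) == 3 else client[i + 1]
            if len(parts) != 3:
                i += 1
            _authzid, user, password = base64.b64decode(blob).split(b"\0")
            result["user"], result["pass"] = user.decode(), password.decode()
        i += 1
    return result


if __name__ == "__main__":
    print(sniff_pop3(POP3_SESSION))
    print(sniff_smtp(SMTP_LOGIN_SESSION))
    print(sniff_smtp(SMTP_PLAIN_SESSION))
```

The same password usually opens the webmail, the VPN and often the desktop, which is why the standard insists that anything you care about goes through a tunnel: inside a VPN, or with SSL/TLS to the mail server, the sniffer sees only the handshake and ciphertext.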

Call For Discussion

As when you access a Hotspot, you’re always looking for the balance between ease of access and loss of security. The best we can do is educate people about the upsides and downsides of using WAPs, and discuss ways to protect yourself so that your information remains reasonably secure.

As I mentioned earlier, this is all very new. The proposed standard is a first step towards reducing the likelihood that your LAN will be compromised, or your Internet connection abused. In order to further this recommendation and develop a final specification, I welcome your comments.

Ian Sacklow, the founder of the Capital District Linux Users Group and Information Systems Manager for Dodge Chamberlain Luzine Weber Associates, an architectural firm with offices in East Greenbush, Plattsburgh and Jericho, New York, co-authored this white paper.

Members of the Capital District Linux Users Group contributed technical information and fact checking for this article.

1 Wi-Fi is commonly said to be short for “Wireless Fidelity,” the nickname for a wireless local area network (WLAN) complying with IEEE 802.11 specifications. Wi-Fi® is a Registered Trademark of the Wi-Fi Alliance.

2 Of course, as the state of the art changes, so must any standard be updated.

3 One can extend this range in a variety of ways, all fairly technical. 300 feet is the default, stock range without modification, and therefore the range I discuss here.

4 On a network, a “Trusted” user is given access to sensitive files. An “Untrusted” user may be granted access to certain parts of the network, but not to areas containing sensitive data.

5 New York Lawyer’s Code of Professional Responsibility, DR 4-101 [1200.19]

6 District of Columbia Ethics Opinion 303, February 2, 2001

7 Delaware State Bar Association Opinion 2001-02

8 New York Penal Law Section 156.05

9 New York Penal Law Section 156.00

10 Id.

11 You change the Router Name to slow down would-be intruders. The factory Router Name is typically the model number, and the first half of the WAP’s MAC address, which every beacon announces, identifies the manufacturer; together they give an attacker everything needed to look up that model’s default settings. http://coffer.com/mac_find/ is one Website which looks up a MAC address and returns the manufacturer, whose website lists that model’s default settings and password.
                  


                  Also in this series…
                  A proposal for Reasonable Wireless Security for law firms

                  A sample network access policy

                  Wifi encryption standards

                  “There’s nothing on my desk worth stealing”

                  …and free hotspots for all


A Pornographer Plumbs the Depths of What is ‘Reasonable’

A decision in the US Court of Appeals, Ninth Circuit, in the case of United States v Borowy1, addresses the issue of the expectation of privacy in communications. I’m so not a lawyer, but as a security consultant I am someone with a vested interest in understanding privacy, so I find some of the language the court used to be very interesting. And when I consulted a good friend (who IS a lawyer), he said, “If it comes from the Ninth Circuit, it’s solid.”

Background
Mr Charles Borowy is a child pornographer who installed the file-sharing program LimeWire on his computer. As a feature, LimeWire made files on his hard drive available to anyone else running LimeWire. On May 3, 2007, one such person was FBI Special Agent Byron Mitchell, who logged onto LimeWire to monitor trafficking in child pornography. According to the opinion, Agent Mitchell searched LimeWire for the term “Lolitaguy,” a term known to be associated with child pornography. After getting hits on that phrase from Borowy’s computer, and using LimeWire’s “View-files-on-this-host” feature, Agent Mitchell saw about 240 files that his FBI software identified as known child pornography.

Using that as probable cause, Agent Mitchell, still using LimeWire’s out-of-the-box functions, downloaded copies of files from Borowy’s computer, confirmed that they were child pornography and Borowy was arrested. Later it was discovered that Borowy had more than 600 images and 75 videos of child pornography.

Privacy
Did the FBI violate Borowy’s privacy? Do people have a reasonable expectation of privacy on their computer when they connect it to the Internet?

I say that not only didn’t the FBI violate Borowy’s privacy, but also that Borowy was a) literally and figuratively publishing his files for the world to see and b) an idiot2.

In a passage of the decision upholding the actions of the FBI and affirming that it acted properly and not in violation of Borowy’s fourth amendment rights, the court says that the earlier decision in US v Ganoe was spot on:

“Under Katz v. United States, 389 U.S. 347 (1967), government conduct qualifies as a search only if it violates a reasonable expectation of privacy. Whether Agent Mitchell engaged in an unconstitutional search and seizure is largely controlled by United States v. Ganoe, 538 F.3d 1117, 1127 (9th Cir. 2008), cert. denied, 129 S.Ct. 2037 (2009), which held that the defendant’s expectation of privacy in his personal computer could not “survive [his] decision to install and use file-sharing software, thereby opening his computer to anyone else with the same freely available program.” (US Court of Appeals, 2010)

Analysis
The last sentence of that passage is absolutely crucial in inferring the attitude of the court towards privacy in the Internet era. It says that the moment I install software that opens my computer to anyone else with the same freely available program, I give up my expectation of privacy. Later the Borowy ruling raises “Cf. California v. Ciraolo, 476 U.S. 207, 213-14 (1986) (finding the use of an aircraft to observe marijuana plants was not a Fourth Amendment search as it only revealed information accessible to any member of the public flying in the airspace).”

I would say that unencrypted Internet email will, in the next five years, be found to be analogous to the marijuana nursery, and outside the scope of fourth amendment protection or indeed any reasonable expectation of privacy. When users sign up for Gmail or Hotmail they understand (or should) that Google and Microsoft are mining the contents of their messages for a range of things, including what they say (for the purpose of placing ads within the messages, etc) and with whom they communicate (for the purpose of determining networks of people to whom they will eventually target ads, etc) and myriad other reasons. Users expect no privacy from Google or Microsoft, but they somehow cling to the concept that, once they hit “send”, the message is protectively wrapped on the way to the intended recipient. Without getting into too many technical details, this is to say the least a charmingly naive concept. Email sent in plain text can be monitored, viewed, copied and is stored all along its multitudinous pathways from sender to recipient.

I’ll make a statement as a published and widely quoted information security person: it is a trivial matter to intercept and read unencrypted email using freely available programs. If I did so, I would expect that a court would find, as did the Ninth Circuit, that someone who sued me for doing so had given up their expectation of privacy when they decided to use software that opened their communications to anyone using freely available tools to intercept it.

Should this understanding signal a change of attitude? Bruce Schneier seems to think so – last March he wrote on his blog:

Between the NSA’s massive internet eavesdropping program and Gmail’s content-dependent advertising, does anyone actually expect their e-mail to be private? Between calls for ISPs to retain user data and companies serving content-dependent web ads, does anyone expect their web browsing to be private? Between the various computer-infecting malware, and world governments increasingly demanding to see laptop data at borders, hard drives are barely private. I certainly don’t believe that my SMSes, any of my telephone data, or anything I say on LiveJournal or Facebook – regardless of the privacy settings – is private.

I would say that with this opinion, the court is further clarifying the judicial attitude towards what is reasonable of a contemporary person to expect in the way of privacy when he lives a life enriched by Internet-based communication between computers. I don’t think that this means that the US system of government as we know it is at risk of collapse – but I do think that it further strengthens the argument that an unencrypted communication across the public Internet is analogous to a conversation on a crowded street corner. And as such, there should be no expectation of privacy.

[1] (United States. Court of Appeals, Ninth Circuit. 2010. [Online] United States v Charles A Borowy. [Available: here])

[2] Within the case, see below, Borowy claims to have tried and failed to make private his hard drive in a number of dumb ways. He tried to claim that because he tried to make it private it should have remained private. The court found that as funny as I did.