Op-Ed: In defense of Tor routers – Ars Technica

Paul Canavan is part of the three-person team behind InvizBox, based in Dublin, Ireland.

A recent Ars Technica Op-Ed post by Nicholas Weaver took a harsh view on Tor routers, calling their basic premise flawed. We acknowledge that Tor routers are not a privacy silver bullet; we’ve been vocal about the need for people to use privacy add-ons with their web browsers. But I feel Weaver's article was one-sided and overstated the case against Tor routers; many of the arguments he made against them could be applied to VPNs as well.

Some of Weaver's points of contention were:

If you want protection from your ISP, you should use a VPN;
A personal VPN hosted on Amazon EC2 is a reasonable choice;
VPN providers offer “better performance and equal privacy”;
Many Tor exit nodes are malicious (implying that some VPN providers aren’t);
Browser fingerprinting can break the anonymity of Tor without the Tor Browser Bundle; and
Tor router makers are money-grabbing scumbags.

I'll address each of these in turn; some of them are good points, others not as much. I may be biased because we make a Tor router, and I think we’ve made a pretty good device. But I’ve tried to be as fair as I can here and acknowledge the limits of Tor routers.

VPNs aren't the answer for everyone. VPNs do provide privacy from your ISP if you need privacy from them, but Tor routers provide that privacy as well, without the ongoing cost of a commercial VPN service. And Weaver fails to mention that many countries actively block VPNs, since the Internet Protocol address ranges of commercial VPNs are well-known, and the signature of VPN traffic can be detected by packet inspection. Even Western countries are not immune from this—Australia is considering a law that would ban VPN traffic right now for the sake of copyright protection.

Tor has a number of advantages over VPNs, including both a pool of bridges and pluggable transports to mask your traffic and allow you to connect to bridges—unpublished relays that allow users to connect even under regimes where Tor is blocked. There are also pluggable transports that help Tor traffic evade signature detection. InvizBox offers support for Tor bridging, and has just added pluggable transport configuration via our web UI.

If I log into my Gmail over Tor, Google knows it’s me. People seem to rail on this a lot, but I’d rather Google knew I was using Tor than my ISP and government knew I was using Google (we have data retention laws).

Rolling your own VPN with Amazon doesn't necessarily guard your privacy. I disagree strongly with the assertion that Amazon is a reasonable choice for privacy. From a cost perspective they’re not too shabby; the micro instances are free for the first year and bandwidth is relatively cheap. I’ve even used them myself—the OpenSSH client can become a SOCKS proxy with a single command-line argument which is very convenient in a pinch.

However, the suggestion that I should hand over the ability to monitor my browsing (and even worse, that of my family) to a company that is actively trying to sell me products, and can easily link the accounts used for AWS and for Amazon, is not a good one. Amazon has a financial imperative to link my browsing with what they advertise to me. And if there’s one thing I have learned about financial imperatives, it’s that they are a powerful motivator for billion dollar corporations.

Lastly, all traffic coming from the Amazon VPN instance you’re paying for is going to be yours and can be tied back to you. At least with a commercial VPN provider it’s slightly harder to identify you.

VPN providers offer “better performance” but not “equal privacy.” People have gone to jail for trusting VPNs not to hand over data on them. VPN providers comply with court orders. VPNs have your source address and access to any browsing you do. With Tor, the exit node has no idea what your IP address is, so they can’t hand over anything. Your VPN provider says it logs nothing? Assume for a second they receive a court order telling them to. Now what?

Furthermore, Weaver's implication is that VPN providers are nice people. Just for a minute I’d like you to pretend that you work for the NSA and that you have billions of dollars at your disposal. In that mindset you would be absolutely insane not to set up cheap, high-quality VPN providers and use them to gather lots and lots of tasty data. If you do, you are a true man in the middle for comparatively little cost. Hell, you could even get people to pay you for the privilege of handing over their data. Certainly the overall cost, both financial and in terms of human effort, would be a lot less than it takes to correlate data going over Tor. Weaver even says that “running an exit node offers the opportunity to play spy.” Running a VPN clearly offers this option too, but that point was surprisingly absent.

Exit nodes are malicious, but VPN providers aren’t? I have already dealt with how it’s a bad idea to assume that your VPN provider isn’t malicious. Let’s look at malicious exit nodes. My assumption is that exit nodes are run by an attacker. When you frame yourself in this way it alters your behavior slightly, without preventing use of the Internet. Add HTTPS Everywhere, Privacy Badger, and assume that anything that comes over HTTP is compromised. I assume HTTP is compromised whether it’s going through a Tor exit node or not. If you want to kick it up a notch, HTTPS Everywhere has the option to block HTTP requests. These are not silver bullets, but they do enhance your privacy.

If these things aren’t enough to bring you into a comfort zone or if you’re after true anonymity, Tor routers are not for you. Please do not use an InvizBox to try and keep yourself out of jail.

There have been instances in the past where exit nodes have altered traffic going through them. It’s also fair to say that HTTP traffic can be man-in-the-middle’d anywhere on the Internet. Malicious exit nodes will remain a problem until all traffic on the Internet is encrypted and in other ways (e.g., timing attacks) will remain so after. There is already significant movement in the direction of “encrypting the Internet” with Mozilla putting forward a plan for deprecating insecure HTTP. Fast forward to the point where that has happened, and you have a situation where VPNs have more information on you (source IP and destination IP) than a Tor exit node (destination IP only).

Even if you assume that all exit nodes are malicious (and I know for sure that some aren’t), Tor changes your circuit regularly (with the exception of established sessions). Now this doesn’t guarantee a new exit node each time, but in practice it results in frequent change. What this means is that unless the person you are trying to protect yourself from is running all exit nodes, they will only get a subset of your total traffic. Hopefully most of this is HTTPS traffic and therefore of relatively little (close to zero) value if you’re using some basic precautions.

Browser fingerprinting is a problem. If you’re not familiar with the concept of browser fingerprinting, it boils down to this: There’s a good chance that the browser you’re using to read this is unique. That uniqueness comes from things like your timezone, installed plugins, installed fonts, operating system etc. Head over to Panopticlick if you’d like to check right now.

Browser fingerprinting is a problem for all Internet users. Neither Tor routers nor VPNs can protect you from this. The Tor browser bundle (TBB) does offer some decent protection here. If you’re trying to avoid browser fingerprinting, I would urge you to consider TBB. To my mind, there isn’t a good solution available for this problem at the moment.

We’re money-grabbing scumbags? I guess Weaver's characterization of Tor routers as being designed "to separate Kickstarters from their money" is mostly leveled at Anonabox, given how disgraceful their product was and is. But they weren’t singled out, so I have to assume the accusation applies to us, too. We worked hard to make a Tor router that people find easy to use and that fits their requirements. We are genuinely concerned with our customers’ privacy. You need only look at the feedback on our Indiegogo page and all over Twitter about our product to know that people are happy with the product.

Tor routers have a place in the world. They have advantages and disadvantages when compared against VPNs. A hardware solution has benefits compared to a software solution, too. Our implementation is good and we continue to improve it for the people we have sold to. We have yet to take a penny out of the business. We have reduced our margins by offering to match donations to the Tor Project (Tor Project, if you’re reading this, we have tried to contact you three times by e-mail and once by Twitter to discuss a way for people to validate our contribution matching, with no reply yet). We are NOT just trying to scam people out of money and strongly resent the accusation that we are. You may not have figured it out yet, but there isn’t huge money in this. We believe in what we’re doing.

Just in case people think I’m hating on VPNs, I’m not. VPNs have their place and for sure not all of them are run by malicious spy agencies. On the other hand, an InvizBox might just suit your needs nicely.


French police arrest student on charges of plotting Paris terror attack – World Socialist Web Site

By Kumaran Ira
24 April 2015

A 24-year-old Franco-Algerian IT student, Sid Ahmed Ghlam, has been in police custody since Sunday on charges of preparing a terrorist attack. Ghlam, who was already known to French intelligence services due to alleged ties with Islamist groups, is charged with plotting a terrorist attack on two churches in the Paris area. He is also being questioned about the killing of a fitness teacher on Sunday.

On Sunday, ambulance staff reportedly notified police that they had received an 8 a.m. call from a man with a gunshot wound to the thigh. Police tracked the trail of blood to a vehicle and said they found an assault rifle, a bulletproof vest, and ammunition there. Ghlam stated that he was the owner of the vehicle, and he was then placed under medical arrest.

Reports of the alleged “imminent” terrorist attack broke only four days after Ghlam’s arrest, however, when they were trumpeted to the mass media. On Wednesday, French interior minister Bernard Cazeneuve told the media, “A terrorist attack was foiled on Sunday morning.”

“Documents were also found and they prove, without any ambiguity, that the individual was preparing an imminent attack, in all probability, against one or two churches,” said Cazeneuve.

Cazeneuve also charged Ghlam with the murder of a 33-year-old fitness teacher, Aurélie Châtelain, who was found dead in the passenger seat of her car in Villejuif, just south of Paris. DNA at the scene links Ghlam with Aurélie’s murder, according to Cazeneuve.

Ghlam’s sister was also arrested in Saint-Dizier; French media claimed that she was a “known radical.” His girlfriend has also been held for questioning.

According to press reports, Ghlam had traveled to Turkey for a week earlier this year and was detained upon his return to France. Le Monde noted, “The technical environment (Internet browsing data, telephone, etc.) of this student had been drawn up and he was the subject of a ‘S file’ for State security, which means he was under police surveillance ‘that does not attract attention.’ ” After studying these details, however, police let him go, according to Cazeneuve, concluding they had nothing “to justify launching an investigation.”

Turkey is a frequent destination for the hundreds of European Muslims who are seeking to join reactionary Al Qaeda-linked Sunni Islamist militias in Syria, fighting in the French- and US-backed proxy war to topple Syrian president Bashar al-Assad. Ghlam was reported to have posted notes on Facebook stating that he wanted to travel to Syria to fight.

On Wednesday, Cazeneuve dismissed concerns over French intelligence’s failure to foresee Ghlam’s plot though he was being watched. He told TF1 television: “The DGSI [General Directorate of Interior Security] did everything it had to do and proceeded to all the investigations that were required.”

People who knew Ghlam in France said he did not appear particularly unusual. He arrived for the first time in France with his mother in 2001 to join his father in Saint-Dizier. He had to return to Algeria in 2003 for lack of papers allowing him to remain in France, however. He received his high school diploma in Algeria in 2010, before returning to France the same year.

He was a student from November 2011 to June 2013 at the SUPINFO school of computer science, in Montparnasse. Students are selected to participate in the school based on good marks.

“He did not attract attention to himself, he was a normal student with decent results. We are very surprised to see his name in the press today,” one school official told Le Figaro. Although the curriculum runs five years, he left at the end of his second year. “He was around much less in his second year. He finally told us that he wanted to switch career tracks and go to another school,” the same official added.

Until his arrest Sunday, he lived in a room of a student hostel in Paris. A spokesman for the students’ representative body (CROUS) told AFP: “It’s the first time we’ve heard about him since he took that apartment, there were no complaints about him, he paid his rent normally, around 200 euros a month.”

Given Ghlam’s history and the peculiar timing of the government’s decision to highlight his arrest, his detention raises more questions than it answers about the political forces behind the affair. As with Mohamed Merah’s shooting spree in Toulouse in 2012 and the Kouachi brothers’ shooting at Charlie Hebdo in January, the suspect was under close police surveillance and apparently had links to Islamist operations in Syria that are supported by sections of the state.

Now, before his case has been publicly investigated, his detention is being seized upon to justify attacks on democratic rights and handing over even greater powers to the intelligence agencies.

The Socialist Party (PS) is seizing on the arrest to push for rapid passage of its controversial surveillance bill, currently being debated in parliament, that legalises mass electronic spying and intelligence-gathering methods under the guise of fighting terrorism.

“We must always improve our intelligence capabilities,” French president François Hollande said in response to Ghlam’s arrest, stressing that this was the purpose of the surveillance bill.

The new spy measures give intelligence agencies sweeping powers to collect phone and Internet data from phone companies and Internet service providers. They allow authorities to spy on the digital and mobile communications of anyone linked to a terrorism investigation, without authorisation from a judge.

Though the bill has attracted criticism from human rights groups and even from sections of the political establishment, according to Les Echos, these are now “winds that the Elysée presidential palace and the Matignon prime minister’s office hope will die down on May 5, during the formal vote.”


Will Australia’s metadata retention scheme track your digital browser … – Sydney Morning Herald

Whether you're downloading national secrets or Game of Thrones, your web browser fingerprint is much harder to hide than your IP address.

There's little point in hiding behind a VPN if your web browser rats you out.

At first glance Australia's metadata retention laws seem easy to bypass when surfing the web. Simply engage your Virtual Private Network and you're protected by a magical cloak which hides your activities from prying eyes. Sounds simple, but the quest for online anonymity is not so straightforward.

We're assured that Australia's metadata retention scheme won't track your web browsing habits; it will only force your internet service provider to keep a record of the IP addresses it allocates to your home – the internet equivalent of a street address. This means law enforcement and intelligence agencies won't be able to trawl through your browsing history – at least not without some kind of warrant.

They will, however, be able to track suspicious online activity back to your IP address and then demand your ISP match it up with your account holder details so they can knock on your door. So rather than track everyone's browser history to see where we went, they'll track suspicious websites to see who's visited and then work backwards to find us. Some people still consider this mass surveillance, others don't.

Most consumer-grade broadband connections issue your home a new IP address every time you reboot your broadband modem, which is why the scheme wants ISPs to retain this data for two years, so they can determine who was using a specific IP address at any given time. Of course identifying the account holder isn't necessarily the same as identifying the perpetrator, but it's obviously a strong lead.

In theory you can bypass the metadata retention scheme by using a VPN, proxy server or proxy chain to mask the IP address allocated by your ISP. The outside world will only trace your activities back to the IP address of the middleman, seemingly keeping your true IP address safe – assuming the middleman isn't forced to dob you in.

This might be enough to protect your privacy in some circumstances, but it's important to realise that your IP address isn't the only digital fingerprint that you leave behind on the internet. Much harder to hide is the fingerprint left by your web browser, which remains intact regardless of how you mask your web traffic.

When you visit a website, it asks your web browser for a user-agent string in order to serve up the best possible page – for example "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" if you're running Chrome on Windows 7 64-bit.

This might not seem too incriminating, but the website can also examine other details of your computer like your browser plugins and system fonts to build up a more distinct profile. For example, according to browser fingerprint research website Panopticlick, my browser fingerprint is unique among the 5.2 million tested so far. That means that if two different websites record that exact browser fingerprint, and you know for sure the first one was me, there's a pretty good chance the second one was also me. This isn't just theoretical: many websites already use browser fingerprinting to identify users, and groups like the Electronic Frontier Foundation see it as a major privacy threat.

Admittedly browser fingerprints alone are circumstantial evidence, but they're a very good starting point. That's before you allow for HTML5 canvas fingerprinting, which can check even more attributes of your computer to narrow it down even further, along with other tricks for tracking people online. Your chances of remaining anonymous online all depend on who you're hiding from and what you're hiding.

All of these web browser characteristics fall under the classic definition of metadata. They're not the contents of your online activities, just data relating to your activities – the information written on the outside of Brandis' metaphorical envelope. Should Australia's metadata retention scheme eventually expand to incorporate a browser fingerprint register, even just for "persons of interest", it could offer the ability to cross-reference fingerprints to help track down people who hide behind a VPN.

The concept is pretty straightforward. Visit Facebook with your VPN disabled, then use the same browser to visit The Pirate Bay with your VPN enabled. The IP addresses logged by the websites won't match, but you've used the same browser fingerprint – it's like wearing a fake moustache when you rob a second bank but leaving the same fingerprints on the counter.

A database search for the browser fingerprint you left at The Pirate Bay would turn up your visit to Facebook – even if your browser fingerprint isn't unique it would narrow the search down to a handful of suspects. From here the Facebook logs could be traced back to your true IP address which your ISP can match to your account details.
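The cross-referencing described above, as an added example that is not part of the original article: a Python sketch that hashes the attributes the article names into a fingerprint, measures how identifying each fingerprint is, and shows how a browser that reports the same values for every user turns a one-to-one match into an ambiguous one. The log records, the documentation-range IP addresses, the plugin and font lists, the Firefox user-agent string and the `standardise` helper are all constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Attributes the article names as fingerprint inputs; the IP address is not one of them.
FIELDS = ("user_agent", "plugins", "fonts", "timezone")


def fingerprint(visit):
    """Hash the browser attributes of one logged visit into a stable identifier."""
    parts = []
    for field in FIELDS:
        value = visit[field]
        if isinstance(value, (list, tuple, set)):
            value = ",".join(sorted(value))  # enumeration order must not change the result
        parts.append(f"{field}={value}")
    return hashlib.sha256("\n".join(parts).encode("utf-8")).hexdigest()


def surprisal_bits(visits):
    """Identifying information per fingerprint: -log2(share of records that carry it)."""
    counts = Counter(fingerprint(v) for v in visits)
    return {fp: -math.log2(n / len(visits)) for fp, n in counts.items()}


def cross_reference(known_log, masked_log):
    """Map each masked visit's IP to the known-log IPs that share its fingerprint."""
    by_fp = defaultdict(set)
    for v in known_log:
        by_fp[fingerprint(v)].add(v["ip"])
    return {v["ip"]: sorted(by_fp.get(fingerprint(v), ())) for v in masked_log}


# Hypothetical uniform profile: every user of such a browser reports these values.
UNIFORM = {"user_agent": "uniform-browser", "plugins": [], "fonts": ["Arial"], "timezone": "UTC"}


def standardise(visit):
    """Return the visit as it would be logged if the browser reported the uniform profile."""
    return {**visit, **UNIFORM}


def visit(ip, user_agent, plugins, fonts, timezone):
    return {"ip": ip, "user_agent": user_agent, "plugins": plugins,
            "fonts": fonts, "timezone": timezone}


UA_CHROME = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36")  # string quoted in the article
UA_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0"  # constructed

# Constructed log of a site visited without a VPN: the IPs are the ISP-allocated ones.
SITE_A_LOG = [
    visit("192.0.2.10", UA_CHROME, ["Flash", "PDF Viewer"], ["Arial", "Verdana"], "UTC+10"),
    visit("192.0.2.11", UA_CHROME, ["PDF Viewer", "Flash"], ["Verdana", "Arial"], "UTC+10"),
    visit("203.0.113.7", UA_FIREFOX, ["Flash"], ["Arial", "DejaVu Sans", "Comic Neue"], "UTC+10"),
    visit("203.0.113.9", UA_FIREFOX, [], ["Arial"], "UTC+8"),
]

# Constructed log of a second site visited through a VPN: the IPs are the VPN's.
SITE_B_LOG = [
    visit("198.51.100.50", UA_FIREFOX, ["Flash"], ["Comic Neue", "Arial", "DejaVu Sans"], "UTC+10"),
    visit("198.51.100.51", UA_CHROME, ["Flash", "PDF Viewer"], ["Arial", "Verdana"], "UTC+10"),
]

if __name__ == "__main__":
    print("raw attributes:")
    for vpn_ip, candidates in cross_reference(SITE_A_LOG, SITE_B_LOG).items():
        print(f"  {vpn_ip} -> {candidates}")
    print("uniform attributes:")
    uniform_a = [standardise(v) for v in SITE_A_LOG]
    uniform_b = [standardise(v) for v in SITE_B_LOG]
    for vpn_ip, candidates in cross_reference(uniform_a, uniform_b).items():
        print(f"  {vpn_ip} -> {candidates}")
```

With the raw attributes the unusual font list ties one VPN address to a single home address, while the common Chrome setup only narrows it to two; with the uniform profile every masked visit matches all four.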

For this trick to work, law enforcement and intelligence agencies would need a way to embed browser fingerprint tracking on third-party websites. If you've been reading the news lately then it's naive to think that they couldn't pull this off. Admittedly they're more likely to use such tools to catch terrorists than file-sharers, but once such a system was in place it would be open to scope creep. Hollywood pirate hunters and others could demand access – something the Trans Pacific Partnership might assist with.

Just because you're paranoid doesn't mean they're not out to get you. How do you protect your privacy online?

Gogo says it’s working to make in-flight Wi-Fi faster, less expensive – Chicago Tribune

If you’ve used Wi-Fi on an airplane, you’ve no doubt found service slow, inconsistent and pricey. Anand Chari, chief technology officer for Itasca-based Gogo, aims to change that. Gogo provides Wi-Fi connections to 9,000 corporate and passenger planes, including U.S. airlines such as American Airlines and Virgin America and global carriers such as Aeroméxico and Japan Airlines. Chari explains how he’s trying to make in-flight Wi-Fi faster and cheaper.

Q. How are you boosting bandwidth?

A. We first launched in 2008 with air-to-ground service (ATG) and we started with three megabits per second. We went to 10 megabits per second with ATG4, another variation of air-to-ground service using cell tower technology. To give more capacity to the aircraft, we’re relying on the second-generation satellite technology called 2Ku, that uses satellite and a proprietary antenna technology that Gogo has exclusive access to use. That gets us to 70 to 100 megabits per second.

Then, the (U.S.) government discussed setting aside vast amounts of (radio frequency) spectrum for the in-flight market. If and when that happens, we’ll be able to provide each aircraft 50- to 100-megabits-per-second speeds at a much-reduced cost. What that means is almost every passenger in an airplane can do pretty much whatever you’re doing on the ground. Right now with the speeds we've got, we have to restrict video streaming.

Q. How long will it take to get the capacity and pricing in the air on par with the ground?

A. We can bring more bandwidth to the sky right now, and by the end of this year we can make it more affordable. In the next three to five years, we would be substantially done with our upgrade program to a point where people can do what they do on the ground. But it is still going to cost more than what it costs on the ground.

Q. How are you addressing cost?

A. This is going to be evolving over time. More bandwidth at a more effective cost structure makes this more affordable. We’re also working on various products that a passenger can choose from, like text only, browsing only, email only and video-on-demand from content stored on the aircraft. It’s not like everyone needs to pay one price to get full Internet access.

Q. In January, news reports said your web portal used fake Google SSL certificates that duped users’ computers into thinking Gogo was Google, helping you block YouTube and giving you or others the ability to spy on customers’ searches and email. How did you address that?

A. That was an inadvertent side effect of one of the bandwidth-management techniques we were exploring. We were trying to restrict video streaming sites, and a lot of them use secure connections to stream video. One of the techniques used to stop that was to first terminate that secure session. The only way to terminate the secure session is to act as a proxy, but we are not collecting any user information. We would have never implemented that type of solution if it made passengers uncomfortable. Once we realized the issue it was causing to passengers, we removed it from the network. We take security and privacy enormously seriously. We do not collect or store any of the passengers’ communications to the Internet or over the Internet. That was never an issue.

Q. What’s your next innovation challenge?

A. The challenge is to bring more bandwidth at a better cost to connect every passenger and every device or system that needs connectivity. It’s a connected aircraft concept to make that a reality. From the engine data to weather data to avionics data, avionic manufacturers would love to know and get access to that data. So the connected aircraft concept takes this air-to-ground communications beyond passenger Wi-Fi. It takes it to a whole new level of enormous value of connecting the aircraft to the ground and a variety of participants in this ecosystem.

Q&As are edited for length and clarity.

MacArthur is a freelance writer for Blue Sky.

Copyright © 2015, Chicago Tribune

Browse with confidence: NPI’s core network now encrypting all visits by default – Northwest Progressive Institute Advocate (blog)

It seems like hardly a week goes by these days when we don’t hear about yet another data breach or newly-discovered exploit in widely used software. Bad neighborhoods have existed on the Internet for a long time, but danger now seems to present itself at every turn. There’s malware lurking all over the place, email accounts are constantly being hijacked to send spam, and websites are being broken into to steal information or cause damage to a firm’s reputation.

Sadly, many of these incidents are happening because people aren’t taking basic steps to stay safe. Technologies like HTTPS and SNI exist to encrypt data and user sessions, but they aren’t as widely used as they ought to be.

NPI has always been a security and privacy conscious organization, and we have repeatedly spoken out here in support of good cybersecurity hygiene.

But we know that speaking out isn’t enough. Real leadership means setting a good example for others to follow. We have to walk our talk.

And today, we’re doing just that.

With so many grim developments on the cybersecurity front lately, it’s our pleasure to be the bearers of some good news for a change.

Over the past year, we’ve invested in some important improvements to our web infrastructure, with the last pieces going into place this week. Thanks to these improvements, which are made possible due to the generosity of our loyal supporters, we are now able to encrypt – by default! – all visits to our core network (nwprogressive.org), which includes the Cascadia Advocate and In Brief.

What does this mean? It means that when you type in nwprogressive.org or navigate here from a link or bookmark, your browser will communicate with our server over an encrypted connection.

How can we guarantee this? Because we’re no longer giving anybody the option of connecting to nwprogressive.org insecurely.

Try typing the address for this blog right now, and our server will redirect you. It’ll require you to connect over a secure port, and you’ll see the prefix change to HTTPS if you didn’t put it in. The idea here is to make sure that data sent by our web server to your computer gets scrambled as it travels across the Internet using Transport Layer Security (TLS). Likewise, if you fill out a form on our site and send us data, the contents will be encrypted while in transit to our server.

We have actually been using HTTPS to manage NPI’s websites for quite a long time, but now HTTPS is the default on the frontend as well as the backend.

You can tell that the connection is secure because a padlock icon will appear in your address bar. Additionally, because we have invested in an extended validation certificate, the padlock icon should be green, and part or all of your address bar may also appear green. If you’re using a desktop browser, you’ll see NPI’s name.

For example, in Mozilla Firefox on a Mac:

Screenshot of address bar in Firefox with Cascadia Advocate loaded

If you click on the green portion of the address bar with NPI’s name in it, a tooltip pops up verifying that you’re accessing NPI’s website over a secure connection, and the certificate is trusted.

Depending on what browser and operating system you have, the address bar will look different. The green background might stretch across the entire width of the bar, or it might only appear behind the text that says Northwest Progressive Institute. Regardless, some part of the bar will turn a shade of green, as you can see from the following compilation of browser address bars:

Examples of address bars with green fields

Not many organizations go to the trouble of investing in extended validation certificates. They can be pretty expensive (though we secured ours at a very good price) and a bit of a bother to set up.

But EV certificates have one critically important advantage over regular secure certificates: they’re immune to spoofing in two of the most widely used browsers in the world. Those are Firefox and Chromium (which Google Chrome is based on).

Coincidentally, Chromium/Chrome and Firefox also happen to be the browsers of choice for the vast majority of people visiting NPI’s network of websites. That much we know from consulting our server logs and site statistics.

So, most of you reading this benefit from our investment in an EV certificate.

Certificate spoofing can certainly be malicious (with an intent to cause harm) but sometimes it is done by institutions we trust – like our employers or our schools – that want to spy on us. Researcher Steve Gibson explains:

Any corporation, educational institution, or other Internet connectivity provider who wishes to monitor every Internet action of its employees, students or users—every private user ID & password of every social networking or banking site they visit, their medical records, all “secure” email… EVERYTHING — simply arranges to add one additional “Pseudo Certificate Authority” to their users’ browsers or computers.

It’s that simple.

By “pseudo certificate authority”, Steve means a fake entity invented by the corporation or institution that wishes to spy on its users, as opposed to a real certificate authority like Symantec’s Thawte, Comodo Group, Trustwave, GeoTrust, or the newly-formed, free software community-backed Let’s Encrypt.

Consider Steve’s hypothetical:

For example, suppose that “Bendover Industries” installs a commercially available “SSL Proxy” (also known as an HTTPS or TLS Proxy). Then, as part of prepping computers for use inside their network, Bendover’s IT department simply adds one additional “trusted” Certificate Authority to each computer. That’s all it takes.

Now, whenever anyone inside Bendover’s network makes a “secure” connection to any remote public web site—their bank, Google Mail, Facebook, anything—that connection is intercepted by Bendover’s SSL Proxy appliance before it leaves the building.

On-the-fly, the SSL Proxy Appliance creates a fraudulent “spoofed” web server certificate in order to impersonate the intended remote web site, and it signs that fraudulent certificate itself using the signature of the also-fraudulent Certificate Authority that was previously planted inside the user’s browser or computer.

If this sounds villainous, well, that’s because it is. Do note that the technique Steve is describing can only be practically and readily implemented on computers that an institution controls. A personally-owned computer that an institution’s IT department doesn’t have access to can’t be tricked out with a pseudo-CA.

The consequences of this spoofing are pretty serious:

Instead of connecting to the remote web server, the browser is “securely” connected only to the local Proxy Appliance which is decrypting, inspecting, and logging all of the material sent from the browser. It inspects all content to determine whether it abides by whatever arbitrary policies the local network is enforcing. Its users have NO privacy and NO security. Or perhaps it just silently logs & records everything for possible future need. Either way, it has obtained full access to everything the user enters into their web browser.

While SSL/TLS interception cannot be prevented when a user doesn’t have control over the computer he or she is using, it can almost always be detected, because certificate spoofing results in a fingerprinting mismatch between the public key and the private key (which the institution running the pseudo-CA doesn’t know).

In the course of his research into certificate spoofing, Steve discovered, as I mentioned earlier, that EV certificates cannot be spoofed in Firefox or Chromium/Chrome, owing to the way that those browsers are made:

Since both Mozilla’s Firefox and Google’s Chrome/Chromium browser projects are fully open source, we were able to inspect the way EV certificates are validated.

They maintain their own private internal lists of trusted EV certificate authorities and will ONLY display the green EV coloration when the server’s certificate has been signed by a chain of certificates terminating in one of those known root authorities. This means that they cannot fall prey to EV spoofing the way Internet Explorer was designed to.

The EV handling within Opera and Safari are unknown. They are closed source browsers, and they do not appear to publish any formal statements about their handling of EV certificates. (If anyone does have any definitive information about Opera or Safari, please drop us a line.)

If the above is Greek to you, don’t fret.

Here’s the takeaway that you need to know: If you’re connecting to NPI’s website in an open source browser like Firefox or Chromium and your browser address bar doesn’t partially turn green, it means the connection is not fully secure.

The absence of the green field might occasionally be due to the presence of mixed content. That’s when a page you’re accessing over HTTPS loads embedded content like images or scripts over a regular ol’ HTTP connection that isn’t secure.

We haven’t scoured every single page and post on nwprogressive.org yet to remove all of the hardcoded HTTP prefixes that may exist. But we’ve corrected enough that you should see the green field most of the time.

If you never see it, it’s quite possible that your secure browsing is being intercepted. To know for sure, you’d want to compare certificate fingerprints (if you know how; if you don’t, you could ask a tech-savvy friend or contact us for assistance).
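One way to do the fingerprint comparison mentioned above, as an added example rather than NPI's own tooling: note the certificate's SHA-256 fingerprint on a network you trust, then compare it with the certificate presented on the network you suspect, since an intercepting proxy has to present a certificate of its own. The two byte strings are constructed stand-ins, not real certificates, and every function name here is this example's own.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (NOT real certificates).
GENUINE_DER = b"constructed stand-in: certificate the real site presents"
PROXY_DER = b"constructed stand-in: certificate minted by an SSL proxy"


def normalize_fingerprint(text):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return 64 lowercase hex chars."""
    cleaned = text.strip().replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return cleaned


def fingerprint(der_bytes):
    """SHA-256 over the whole DER-encoded certificate, as browsers display it."""
    return hashlib.sha256(der_bytes).hexdigest()


def display_form(hex_fp):
    """Format a fingerprint the way certificate viewers show it: AB:CD:EF:..."""
    fp = normalize_fingerprint(hex_fp)
    return ":".join(fp[i:i + 2] for i in range(0, 64, 2)).upper()


def fetch_presented_cert(host, port=443, timeout=5.0):
    """Return the DER certificate the network actually hands us for `host`.

    Chain validation is switched off on purpose: a certificate signed by a
    locally installed pseudo-CA would validate anyway, and an untrusted one
    would abort the handshake before we could read it. No application data
    is sent over this connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_connection(observed_der, reference_fp):
    """Compare the presented certificate with a fingerprint obtained out of band."""
    observed = fingerprint(observed_der)
    expected = normalize_fingerprint(reference_fp)
    return {
        "observed": display_form(observed),
        "expected": display_form(expected),
        "match": hmac.compare_digest(observed, expected),
    }


if __name__ == "__main__":
    # Reference taken earlier on a trusted network (constructed sample).
    reference = display_form(fingerprint(GENUINE_DER))
    for label, der in (("direct", GENUINE_DER), ("via proxy", PROXY_DER)):
        result = check_connection(der, reference)
        verdict = "same certificate" if result["match"] else "DIFFERENT certificate"
        print("%-9s %s" % (label, verdict))
    # Live use: check_connection(fetch_presented_cert("example.org"), reference)
```

A mismatch also occurs when a site renews its certificate or serves different certificates from different servers, so take the reference reading close in time to the comparison.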

When an institution lacks the power to sniff or intercept Internet traffic, it sometimes blocks use of HTTPS altogether, which is really unfortunate.

The Bellevue School District does this, for example. I know they do it because I’ve logged onto their guest Wi-Fi network before and discovered that it’s not possible to securely connect to any website. It doesn’t matter what it is.

Because this domain now only accepts traffic over HTTPS, it’s not going to load at all on a public Wi-Fi network where HTTPS is blocked. That’s a consequence we are willing to live with. None of us should be using an Internet service provider or Wi-Fi network where HTTPS has been blocked anyway.

Projects not hosted at nwprogressive.org are not yet set to require visitors to use HTTPS, but will be soon. Permanent Defense will be next – it already has its CA-issued certificate. After that, we’ll move on to Pacific NW Portal.

Making websites secure is hard work, so it may be a few months before we’re done. But the effort has been and will be well worth it.

If you have any questions or comments about the security upgrades we’ve made here, please don’t hesitate to get in touch or leave a comment here. In either case, your message to us will be transmitted over an encrypted connection!

‘Personalisation’ has the wrong name – and we’re not even close to getting it … – The Drum

In the agency world, we all like to keep up with technology and the latest buzzwords. We need to stay one step ahead and we need to keep innovating. I’m no exception. The three big things keeping me up at night at the moment are personalisation, the Internet of Things, and artificial intelligence.

What I have realised recently is that all these topics are intertwined. What I’ve also realised, is that ‘personalisation’ is the wrong word for personalisation.

We talk about personalisation as modifying the content, functionality or design of a campaign based on user behaviour, and other factors, to create a better, more relevant experience for customers when using a website, an app, or other digital touch-point. This is all very modern – most brands aren’t personalising their users’ digital experience at all and, of those that are, many aren’t doing it brilliantly. If you get it right though, it can be hugely effective.

One major problem is that, while all the platforms offering personalisation are super-smart, most still require lots of human input to work out what the intelligence behind the digital experience for each user should be. They can learn a bit, but not much. In reality, personalisation as we talk about it today just isn’t personal enough.

Even though a single user may have a unique experience, it’s probably more accurate to call personalisation (as it currently stands) ‘categorisation’ or maybe even ‘pseudo-personalisation’?

Brands have amazing platforms to deliver content. They also have a stream of engaging content coming from the thought-leaders inside their organisation, from their agencies, influencers, industry, and from their customers. But, in actual fact, they often know very little about their customers – no matter how much data they have painstakingly gathered.

This means that brands aren’t in any real position to work out which specific customer, let alone which group of customers, should be shown what content, how often, and at what point during the ‘digital transaction’ – which, these days, may be between 10-20 touch points across 5-10 channels.

You can have a very good shot at this working with personas and other methods, but really you are categorising with an aim to personalise rather than the other way around.

True personalisation

We need to look to the world of artificial intelligence before we can really see true personalisation in action. We need algorithms that can decide on the fly what people might want to see based on way more variables than the simple stuff we currently factor in, such as previous browsing behaviour, referral data, and social profiles.

What’s more, everything needs to be connected, and that’s where the Internet of Things comes in.

I want my Papa John’s pizza app to fire up and ping me an offer of my favourite pizza, because my fridge has told it that I couldn’t be arsed to buy food two days ago.  Oh, and order me a Pepsi too, as the scrap that’s left in the 2-litre bottle must be flat because it’s been there two weeks.

I want Facebook to spring up a dialogue: “Are you sure you want to go to this event? Your TV told us that you like watching The Walking Dead on Monday nights.” Oh, good point TV.

I want the BBC News website to know that I’m not in the country, but it’s still me, and no, I do not want to hear about political issues in Africa more than Jeremy Clarkson’s demise just because I’m there. I want it to promote an article to the home page about a major manufacturer safety update on my new car because it knows what car I drive and what model it is and that I have a family that I don’t want to kill in a fire. Isn’t that really personalised, important and relevant news?

When we start to factor in basic artificial intelligence, not just ‘programmed responses for categorisations of users’, and data from the connected ‘things’, we start to move into true personalisation.

But the big question is will the brands control the artificial intelligence? Will we give them that much access to our data? Or will we all have our own little bunch of artificial neurons working on our behalf, acting as our proxy to the big wide world? You’ll definitely learn to trust your own bot more to go and gather relevant content or to make those decisions for you rather than a brand.

Maybe brands will just become nothing more than sources of content, products and services which bots can choose to consume and promote to you as they see fit?

Maybe artificial intelligence will be the final nail in the service economy’s coffin, commoditisation gone too far, and all we’ll have left after that is the ‘experience economy’. True personalisation; connected; an experience.

But we’re not there yet.

Jonny Tooze is founder and managing director of Lab.

NAB 2015 Tech: Vizrt Editing & Workflows – TV News Check

Vizrt | Booth SL2417 | Website: www.vizrt.com

At the NAB conference Vizrt will demonstrate a smarter integration enabling efficient video editing and production workflows in the latest Adobe software.

Vizrt will demonstrate the latest integrations between Viz One media asset management (MAM) system, Viz Artist 3D design software, and Adobe After Effects CC, Adobe Premiere Pro CC — both part of Adobe Creative Cloud — and Adobe Anywhere.

HTML video and remote access

The latest version of Adobe Premiere Pro CC features a new Viz One HTML video panel that speeds the recall and playback of video content while editing. The Viz One panel displays video with HTML and gives editors in Adobe Premiere Pro complete access to all of their Viz One media assets including search, browsing, and proxy editing.

Adobe Anywhere extends remote access to Viz One media asset capabilities. Full resolution files are accessed on Viz One and Adobe Anywhere provides a viewing stream based on the available bandwidth to the nonlinear editor (NLE). Video and graphics rendering takes place on the Adobe Anywhere server, which fosters realtime collaboration and media file sharing between creative team members from any location with high-speed LAN or WAN connectivity.

New design integrations

Designers now get more out of the integration between Adobe After Effects CC and Viz Artist, Vizrt’s 3D modeling and animation software. Adobe After Effects CC compositions are easily imported into Viz Artist with a multi-layer composition import tool. The import creates sub-scenes using nested graphics channels that have 2D and 3D layers. Text paragraphics elements are now imported with editable elements when using Adobe After Effects CC. Additionally, control text and control image plugins are automatically assigned creating a fast transition from Adobe After Effects composition to a template ready for on-air use in Viz Artist.

Graphics for editing systems

At NAB 2015, Vizrt and Adobe will also demonstrate an Adobe Premiere Pro CC content panel that enables tighter integration between Vizrt’s graphics plugin for NLEs — part of the Viz Trio and Viz Pilot live graphics systems. Rather than burning graphics into video and rendering a final version of the clip within the graphics plugin, this Adobe Premiere Pro CC plugin lets editors just save the graphics metadata with the newly edited video. The assets are then saved to Viz One. The video and graphics elements are moved into the playlist or rundown for playout to air.

As a result, people in the control room can make last minute changes to the graphics right up until they’re needed for the live show. The video and graphics elements can now be composited and rendered as finished clips when they are played out to air by Viz Trio or Viz Pilot.

How to stop pop-up ads on Android – PC Advisor

How to block pop-ups on Android phone. Stop pop-up adverts on Android browser and Chrome for Android. Make your Android phone surf faster, and save money, by blocking pop-up ads on your Android smartphone- or tablet's web browser. See all Android tips.

Pop-up ads are the most intrusive kind of adverts. Annoying on a desktop PC or laptop, potentially ruinously expensive on a mobile device. Downloading heavy web-pages takes enough data: you don't need the additional cost of paying to load up an ad man's marketing message.

Fortunately for Android users, there is no reason to suffer from pop-ups on your mobile. And here we suggest three straightforward ways to stop pop-ups appearing on your Android phone. These tips will all work for Android tablets, too.

We suggest you tackle each of these in order. We suspect that simply enabling the pop-up blocker on your chosen browser will make things work better. But if you need to you can take a real belt-and-braces approach, and block ads at the proxy server level. And if your problem is speed when browsing on Android, check out our article: How to speed up Android browsing.

How to stop pop-up ads on Android: block pop-ups on Android browser and on Chrome

This is pretty straightforward. Open up the Android browser. Click the three dots menu icon you can see in the top righthand corner. Choose 'Settings' from the list.

Now select 'Advanced' from the menu that appears.

Ensure that 'Block pop-ups' is enabled. You shouldn't ever see a pop-up ad on your Android smartphone when you use the Android browser.

Block Pop Ups on Android Browser

You can achieve a similar result with the Chrome browser. Open up Chrome, and then hit the three dots menu icon in the top righthand corner. Scroll down to 'Settings' and select it.

Scroll down to, and select, 'Site Settings', and then 'Pop-ups'. Click that option. By default pop-ups will be blocked and the option will read 'Pop-ups Block (recommended)'. But if pop-ups are allowed, move the slider to change this option. (See also: How to remove a virus from Android phone or tablet.)

Block Pop Ups on Chrome Browser

How to stop pop-up ads on Android: use Chrome and enable Data Saver

Actually using Chrome - with pop-ups blocked - rather than the Android browser will in and of itself help to block some data-hogging advertising nasties. And we would recommend that everyone enable the Data Saver option. Data Saver compresses aspects of web pages that aren't required on mobile devices. It offers a smoother web browsing experience, and savings on your data bill as your phone no longer struggles to pull down unnecessary ads and animations. It can lead to a somewhat flatter browsing experience, and it is possible that some web pages will look wonky. But you can always disable Data Saver. It is a two-second job.

Open up Chrome, and then hit the three dots menu icon in the top righthand corner. Scroll down to 'Settings' and select it.

Under Settings, scroll down and select 'Data Saver'. Push the slider in the top righthand corner from 'Off' to 'On'. To disable Data Saver at any time, you simply need to reverse this action. (See also: How to get more storage in Android: Not enough storage? Here's a fix.)

Data Saver on Chrome browser

How to stop pop-up ads on Android: install an ad-blocker on Chrome

If after both blocking pop-ups on the Android browser, and enabling Data Saver on Chrome, you are still being troubled by pop-up ads on your Android, there is another step you can take.

If you have a rooted Android, you can simply install one of a number of ad blockers. We recommend you install Ad-block Plus from here.

Most people's Androids aren't rooted, however, so things are a little more tricky. Certainly not impossible, but more involved. And you will have to do the following for all of the Wi-Fi networks you use regularly.

You still need to install Ad-block Plus. To do so, you will first need to go to Settings, Security, and enable 'Unknown sources'.

Now use Chrome to browse to the Ad-block Plus download link, and download Ad-block Plus. Once it is downloaded, head to File Manager, find the download and click it to install.

Unfortunately, on a non-rooted handset Ad-block Plus cannot configure your network settings, so you have to do this manually. First, open up Ad-block Plus and click 'Configure' in the top righthand corner. Take a note of the proxy configuration displayed. Then from your home screen go to Settings, and then Wi-Fi. Long press the network to which you are connected, and select 'Modify network'.

Ad block plus proxy settings

Enable 'Show advanced options'.

Go to 'Proxy settings', and change the drop-down from 'None' to 'Manual'.

Now input the settings Ad-block Plus gave you. In our case the Proxy was given as 'localhost' and the Port '2020'. You will now see no ads on websites you browse from that network. See also: How to speed up Android browsing.

Manual proxy settings

Want fancy Firefox features? Secure your website – CNET

Mozilla has a new idea to use its Firefox browser to protect the Web from problems like eavesdropping and website tampering.

The nonprofit organization, along with allies such as Google and the Electronic Frontier Foundation, wants website communications to be encrypted so eavesdroppers can't snoop on what you're saying or alter websites to inject malware or ads.

On Monday, Mozilla Security team leader Richard Barnes proposed an incentive to push this move toward encryption: make the latest browser features work only if it's enabled.

The move toward better encryption -- that is, conversion into unreadable code that can be deciphered only by authorized parties -- represents an arms race between browser makers and increasingly sophisticated malware developers. Only 45 percent of the Web's top million sites offer encryption, according to a 2014 analysis, but browser makers hold a lot of power to change that. It's hard to get the average person to embrace security measures like dual-factor authentication and passwords that are unique and complicated, but making the Web more secure by default helps people without them having to do anything different.

And that would make it safer for all of us when shopping online, using chat apps or reading friends' posts on social networks.

"If you want to use new things, you need to provide security," Barnes said in a mailing list posting. The proposal "makes a clear statement to the Web community that the time for plaintext is over," he said, referring to unencrypted data that's more easily snooped and modified. A second phase of the plan would gradually modify existing Web features so they, too, would require the secure connections that new features demand.

Google floated a similar idea in February, suggesting that encryption be required for delivering copy-protected video to a browser or letting a Web app use a PC or phone's camera.

But by raising a similar idea for another major browser, the Mozilla proposal adds significant new muscle to the movement to encrypt Internet communications by default.

Leverage for encryption

Mozilla's idea has power because programmers are embracing new technologies that transform the Web from a place to publish static documents into a foundation for interactive apps for communication, work and entertainment. The Web is steadily advancing in sophistication with new features like accelerated 3D graphics for games, built-in technology for video and audio chat, and standards to let Web-based applications work even when there's no network connection.

But the Firefox maker hasn't yet decided to implement the security change. "The goal of this thread is to determine whether there is support in the Mozilla community for a plan of this general form," Barnes said. A precise plan will require work with website operators, other browser makers, and likely the World Wide Web Consortium, which marshals involvement from dozens of companies and organizations to develop Web standards.

Technology standards groups that collectively chart a lot of the Internet's future have begun pushing for encryption, too. That includes the Internet Engineering Task Force (IETF), Internet Architecture Board (IAB) and World Wide Web Consortium (W3C).

"The Web's trustworthiness has become critical to its success," the W3C's Technical Architecture Group concluded in January. "If a person cannot trust that they are communicating with the party they intend, they can't use the Web to shop safely; if they cannot be assured that Web-delivered news isn't modified in transit, they won't trust it as much. If someone cannot be assured that they're talking only to the intended recipients, they might avoid social networking."

Adding encryption

Websites are delivered to browsers using two options: unencrypted HTTP (Hypertext Transfer Protocol) and the secure, encrypted HTTPS variation. (You'll see those designations at the start of a Web address, such as https://www.facebook.com/.) Encryption on the Web scrambles data sent over the network using a technology called Transport Layer Security (TLS), a successor to the earlier Secure Socket Layer (SSL).

Several tech companies and organizations have been pushing for broader HTTPS use, but the movement picked up a new sense of urgency after leaks from former NSA contractor Edward Snowden revealed details of active government surveillance efforts.

Major Internet sites like Google, Yahoo, Twitter, Facebook and Microsoft have been shifting toward HTTPS by default, but much of the Web has yet to make the jump. It can be more expensive to deliver HTTPS Web pages, in particular for Web site operators that contract with content delivery network (CDN) companies to help disseminate Web data across the whole world.

In January, Google revealed a different option to discourage HTTP: add a warning to the Chrome browser that labels HTTP sites as "insecure." The company lets people test the feature but hasn't enabled it by default.

The US government -- at least the parts outside the National Security Agency -- is on board, too. One goal of the federal government's chief information officer: "All publicly accessible Federal websites and Web services only provide service over a secure connection." The White House Web site is encrypted, but the US Senate and House of Representatives sites are not.

Politicians are mixed, too. Among declared presidential candidates, Hillary Clinton uses HTTPS but Rand Paul and Ted Cruz do not.

Outdated Otsuka Kagu business model is at the root of family feud – The Japan Times

Retailers know that image maintenance is important for their bottom lines, as proven by Otsuka Kagu Ltd.’s 37.8 percent drop in sales last month compared to March 2014.

Otsuka is one of Japan’s best-known furniture stores, and since last year it has been roiled by a dispute within the family that owns and runs it. Chairman and founder Katsuhisa Otsuka objected to changes that his daughter, Kumiko Otsuka, the company’s president, intended to carry out, thus setting the stage for a proxy fight among shareholders. Kumiko came out on top, but the damage was done: Consumers, it seems, don’t like to watch family businesses implode in public.

However, the dispute and its financial effects have drawn attention away from what it was all about — namely, a change in service policy. Kumiko believed that the membership sales model the company had always used was no longer relevant in today’s economic environment.

When customers come to an Otsuka showroom for the first time, they are asked to fill out a form and become members, who are then entitled to guided tours around the store. Kumiko wants to discontinue this practice and make Otsuka showrooms open to the general public for browsing, with no memberships and no sales staff tagging along unless the customer specifically asks for help. Katsuhisa, however, believed this system is what made Otsuka different and — more significantly — appealing to affluent consumers. Otherwise, the company would just be another furniture store.

Katsuhisa’s idea is based on the belief that buying furniture is a once-in-a-lifetime event. Traditionally, when two people in Japan marry, the family of the bride buys all their furniture, and in this context a place like Otsuka makes sense, since it could help couples coordinate their purchases. But newlyweds today are different — more casual and idiosyncratic about interior decorating decisions.

Such a trend is characterized by the rise of three other retailers who have done more to challenge Otsuka’s sales model than Kumiko: Mujirushi Ryohin (aka Muji), Nitori and IKEA. These stores offer not only cheaper furniture than Otsuka, but also a unified aesthetic, since all their respective merchandise is designed and made expressly for them in accordance with an integrated in-house style. Coordination is built-in; Otsuka, on the other hand, buys furniture from various wholesalers and manufacturers.

According to the wedding industry magazine Zexy, the nationwide interior retail market declined from ¥4.5 trillion in 2001 to ¥3 trillion in 2011. One of the main reasons for the shrinking revenue is that newer houses often come with features that obviate the need for some types of furniture. Older Japanese houses did not have closets and pantries, so families had to buy huge wardrobes (tansu) and standalone cabinets. Now, many new homes have walk-in closets and built-in storage features.

The burgeoning success of the Swedish do-it-yourself interior retailer IKEA is probably what worries Kumiko the most. The company first tried to enter the Japanese market in the ’70s and couldn’t make a go of it. Several decades later, it tried again and younger people with less disposable income and a greater desire for self-expression became dedicated customers.

IKEA now has eight stores in Japan and plans to open six more by 2020. The company’s trademark showrooms, structured like theme parks with lots of illustrative displays, are the opposite of Otsuka’s, which contain merchandise arranged in an almost random fashion, thus requiring a salesperson to navigate.

Nitori is presently the biggest interior retailer in Japan, owing mainly to its low prices but also to its highly developed services, such as a wide range of custom-made curtains and blinds. The company recorded more than ¥340 billion in sales in 2012, with Muji coming in second with ¥220 billion. That year, Otsuka made ¥54.5 billion.

Another reason Otsuka fell out of favor is that consumers no longer think — or maybe they still do but don’t care — that Japanese cabinetmakers and carpenters are necessarily the best in the world. Japanese craftsmen traditionally preferred hardwood from broad-leaf trees, most of which were wiped out during World War II and replaced with fast-growing Japanese cedar (sugi), which produces a soft wood considered ill-suited for furniture. Because Japan doesn’t take care of its forests anymore, all the good hardwood has to be imported, which has had a negative impact on the domestic manufacture of furniture.

In the past, Otsuka and smaller mom-and-pop furniture stores were able to exploit this preference for Japanese craftsmanship to maintain high profit margins, which is why they didn’t need to sell a lot of merchandise to stay in business. Recently, however, Japanese consumers have become more savvy about their tastes and more confident in their demand for living spaces that match those tastes. To them, Otsuka seemed to represent a retail model where the seller, not the customer, is king.

Yen For Living covers issues related to making, spending and saving money in Japan on the second and fourth Sundays of the month. For related online content, see blog.japantimes.co.jp/yen-for-living.