• Was Flame virus written by cyberwarriors or gamers?

    AFP - Getty Images

    This undated screen grab released by the Kaspersky Lab site shows code from the computer virus known as Flame.

    Why would super-secret spy software be written in a video game language?  As security researchers continue to unpack the digital mystery that is the Flame virus, that's just one question looming over perhaps the world's most intriguing digital whodunit.

    With all the talk about Flame being the most powerful, ingenious and stealthy computer virus ever written, some properties of the mysterious malicious software are causing confusion.


    For one thing, the program takes up 20 megabytes of space on infected machines. That's not stealthy; large files usually indicate sloppy programming. Also, unlike Stuxnet, Flame didn't come with precision targeting, and hasn't yet been credited with doing anything as impressive as hacking nuclear power plant computers. But perhaps most mysterious of all: Part of Flame’s code was written in the Lua programming language, a simple language used almost exclusively by video game programmers.  Why would a nation-state trying to commit secret espionage toy with video game software?

    "This is not a stealth operation," said Marcus Carey, who worked as a security analyst at the National Security Agency for eight years before joining the security firm Rapid7 in Boston.

    News of the Flame virus hit Monday, as multiple computer security firms claimed the program represented a huge escalation in cyberwarfare. Moscow-based Kaspersky Lab, among the first to analyze the virus, called it the most powerful malicious program ever.

    “The complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date,” it said.

    Flame reportedly comes loaded with lots of capabilities, such as remotely turning on victims' PC microphones, but it's hardly the first virus to accomplish that. And unlike Stuxnet, it's not yet clear that Flame used a series of so-called 0-day exploits -- vulnerabilities in software that are undiscovered by the security industry and for which there are no antidotes. While initial reports immediately linked Stuxnet to Flame, primarily because they both seem to target Iran, skepticism is beginning to build that the two are directly linked.

    That's partly because the two programs were written in very different ways. Flame’s authors used Lua, something that confuses observers.

    "Lua in a spy tool is just ... weird," said one Israeli programmer who uses Lua and requested anonymity. "The little snippet I've seen of the code seems so ... ordinary ... really like the work of your average programmer. Stuxnet sounded genius."

    Said another: "Lua is considered a kids language.... All I see around that is built with Lua are games. I mean, the syntax is very simple."

    Not exactly the stuff of high-tech international espionage. Or is it?

    Lua has been around since the 1980s, developed at the Pontifical Catholic University of Rio de Janeiro in Brazil. It was created out of necessity; at the time, trade barriers made importing software development tools too expensive.  Development of Lua as a programming language remains centered in Brazil, where a small group of programmers make infrequent updates to the language.  But it's become a favorite platform for a few thousand devotees around the world, who are attracted to its simplicity, its ability to play well with other software and its tiny footprint, which makes it ideal for use on embedded devices or games, where memory and space are at a premium.

    Unlike other programming languages that grow in size out of necessity over time, Lua has actually shrunk in recent years, as developers have revised and refined its architecture.

    Its name – Portuguese for “moon” – hints at Lua’s use as a subordinate language to attach satellite projects to larger pieces of software.

    At the Lua-L discussion list, Flame talk was all the rage on Monday, as its users’ small corner of the technology world was suddenly thrust into the limelight. One even called the virus "in some morbid way...an endorsement for Lua."

    "I'm a bit perplexed about the alleged high sophistication of that malware, when I see unobfuscated Lua with self-descriptive names," added a poster identified as Enrico Colombini.

    But longtime Lua programmer Erik Hougaard, based in Denmark, said such opinions show a fundamental misunderstanding of Lua's simple elegance as a programming tool.

    "It's a well-kept secret, but it's everywhere. It's hard to pick up an Xbox game without it," said Hougaard, who now uses Lua to program robots but has also used it to create from-scratch accounting software and other financial tools at EFoqus Danmark A/S.  "It's not sexy, but it's unique. It's so small you can fit it onto a single chip."

    That's essential, because Lua includes both program and programming language in one tidy package -- meaning programs written in Lua will run reliably on machines as diverse as PCs and iPhones. 

    "Lua is quite common in the mobile application space. If someone has Angry Birds installed on their iPhone, they are using Lua," said Carey, the security analyst. In fact, thousands of iPhone apps are written with Lua, he said.

    Hackers have taken notice. While security firms have said they can't think of another computer virus before Flame that used Lua, it is a fundamental part of a favorite hacker tool called "NMAP." NMAP is used to scan the Internet for computers with potentially exploitable vulnerabilities; it’s the first tool used by hackers looking for trouble, and by security professionals looking to plug holes. NMAP permits use of a scripting language that runs under Lua so hackers can adjust the tool as needed.

    "People have been using Lua to hack networks for a while, so this shouldn't surprise anyone," Carey said.  "Attackers are just using what works."

    Lua first came to hackers' attention about two or three years ago, roughly when some analysts believe Flame was written, Carey said.

    As with most information about Flame, Lua's appearance in the virus can be interpreted in two ways:

    • Flame's writers may have been ahead of their time, using a unique programming language to create their cybermonster, and further confuse computer security professionals.
    • Or, Flame's writers may have been video gamers and relative amateurs who didn't bother to do much to cover their tracks.

    Symantec Corp. believes the use of Lua supports the former theory. It’s one of many security firms calling Flame one of the most powerful and complex viruses ever written.

    "Lua is scriptable, easy to understand, and easy to update. That said, it’s not used often," said Vikram Thakur, principal security manager at Symantec Security Response. "Anecdotally, we can’t think of another threat that is written in Lua. ... The usage of the programming language is what makes the program, independent of the language, interesting."

    But is it the work of genius, and a sign that cyberwar has escalated to a new and dangerous level? Carey is not so sure.

    "Saying this is the work of a nation-state is premature," he said. "This is not a particularly clever piece of malware or uber-elite." And despite the fact that it apparently operated in stealth for at least two years, many experts say it is too big to have been conceived as a spy tool.

    "What's with the size?" said the anonymous Israeli Lua programmer. "It's like the trick they do in the movies of making a scene on the train/plane" to create a diversion while committing a crime.

    Colombini was even more direct in his assessment.

    "I find it difficult to believe this to be the work of an intelligence service, at least of a decent one," he said. "Obfuscating … the Lua code would have made analysis more difficult and above all slower. In the spying business gaining time has a very high value. … No self-respecting intelligence service (would have neglected to do that)."

    So far, most of the roughly 300 confirmed Flame infections have been in Middle Eastern countries that are natural enemies of Israel, including 189 in Iran, according to Kaspersky Lab.  

    “If it weren't for the peculiar geographical distribution, (which is) the only thing that makes one think of politically charged malware, I'd think of a sort of malware construction kit,” designed to simply collect a large series of attack tools in one place, Colombini said.   

    Given that the subject is covert cyberwar, confusion, half-truths and disinformation are the rule rather than the exception. Already, an unnamed U.S. official has told NBC News that the U.S. government is probably responsible for it; while Israeli officials have hinted that their side developed it.

    Something else concerns Carey about the way that the Flame narrative has progressed so far.  Much of what we know about Flame has come directly from Iran's Computer Emergency Response Team Coordination Center.

     "Generally, we don't believe anything Iran says. Here, we seem to be believing everything they say," he said. "But this incident reinforces a storyline for Iran playing the victim."

    Symantec, and many other security organizations, have said the sheer size of Flame is making thorough analysis of the virus a slog. Early reports on the malicious program all came with warnings that findings were preliminary.  Symantec expects to issue a follow-up later this week.

  • Judge rules text message sender not liable in distracted driving crash case

    A New Jersey judge ruled Friday that the sender of a text message cannot be held liable for an accident caused by a driver who read that message, dismissing a case that attracted national attention.

    Morris County Superior Court Judge David Rand said the sender of the text, Shannon Colonna, had no way to know when driver Kyle Best would read the text, and therefore had no responsibility for a horrific 2009 accident in which Best was found at fault. Both David and Linda Kubert, who were in a vehicle struck by Best, suffered devastating injuries in the crash, including leg amputations.


    The Kuberts' lawyer, Skippy Weinstein, advanced a novel legal theory which would have placed part of the liability for the crash on Colonna, arguing that she knew Best would be driving as she engaged him in a text message conversation. His theory rested on a claim that Colonna "aided and abetted" the responsible party, and last week, several legal experts told msnbc.com the argument might have merit, and could be convincing to a jury.

    But Rand didn't see it that way. He dismissed the case on summary judgment.

    “Were I to extend this duty to this case, in my judgment, any form of distraction could potentially serve as the basis of a liability case,” Rand said, according to the Associated Press. He noted that drivers are tempted by all manner of distractions now, such as GPS devices and smartphones, and senders can assume that recipients who happen to be driving can be expected to behave responsibly.

    "We expect more of our drivers. We expect more of the people who are given the license and privilege to operate vehicles on our highways," Rand said, according to the AP. "I find that there was no aiding, abetting here in the legal sense. I find it is unreasonable to impose a duty upon the defendant in this case under these facts."

    Weinstein said the Kuberts hope they've generated attention to the important issue of texting while driving.

    "Even though the case against Shannon Colonna has been dismissed, they are comforted by the thought that by bringing the case, it has accomplished the goal of making people think before they text, whether while driving or to someone who is driving. Perhaps it may prevent another tragic accident from occurring," he said in a statement.

    He said the Kuberts plan to appeal the decision, probably after the remaining case against Best is decided. 


  • 'Fair and square' pricing? That'll never work, JC Penney. We like being shafted

    You might have seen recently that iconic retailer JC Penney is slumping badly. You almost certainly have seen the reason why: A massive, creative and aggressive new advertising and pricing campaign that promises simplified prices.

    No more coupons or confusing multiple markdowns. No more 600 sales a year. No more deceptive circulars full of sneaky fine print. Heck, the store even did away with the 99 cents on the end of most price tags.  Just honest, clear prices.

    Sounds like a sales pitch aimed at consumer advocates and collectors of fine print frustration, like me. As it turned out, it was a sales pitch that only a consumer advocate could love.

    Shoppers hated it.


    The campaign, which launched on Feb. 1, appears to be a disaster. Revenue dropped 20 percent for the first quarter compared to last year. Customer traffic fell 10 percent. Last year, the company made $64 million in the first quarter; this year, it lost $163 million.

    Could we have a moment of silence please for what might be the last heartbeat of honest price tags?

    Not only did Penney’s plain pricing structure fail to attract fair-minded shoppers –  business reporters wrote with seeming glee during the past few days that it “repelled” them.

    Don't blame Ellen DeGeneres, the spokeswoman for the Penney’s plain pricing campaign. If only executives at the firm were familiar with the work of behavioral economist Xavier Gabaix and the concept of "shrouding," all of this could have been avoided.

    Seven years ago, Gabaix and co-author David Laibson wrote a brilliant (if depressing) paper on shrouding and "information suppression" that should be required reading for all consumers and executives considering a harebrained new pricing strategy. The principle is simple, and shows why cheating is rampant in our markets and why honesty is rarely the best policy.

    First, a definition of shrouding:

    In days gone by, price tags were simple. An apple cost 10 cents.  A cup of coffee cost $1. But today, the consumer marketplace is far more complicated, giving sellers the opportunity to create confusion. Many items have follow-up costs that make the original price tag meaningless. 

    Computer printers are the classic example. You might get a great deal on a printer, but if the ink is expensive, you lose in the end. In fact, Gabaix argues that it's impossible for consumers to intelligently shop for printers. No consumer knows how much ink costs -- the cartridges don't come in standard sizes, the amount of ink used to print varies and ink costs are unpredictable. That makes the true price of a printer "shrouded," in Gabaix's terminology. Not quite hidden, but not quite clear, either.  Advantage seller. It's easy for printer companies to lowball printer price tags and overcharge for ink, enabling them to print money.

    If you think about it, shrouded price tags are everywhere. The hotel website might say "$99 a night" but you know the bill will be more like $120 or $130. Pay TV companies promise $30-a-month service, which ends up costing more like $50. And what happens when you buy a TV with a store credit card that offers an upfront discount but a complex interest charge? And so it goes.

    Consumers complain about this constantly. That's the basis of the Red Tape Chronicles in fact. At its best, the maddening mixture of coupons, rebates, sales and fine print fees can feel like a game. At worst, it's being cheated. You'd think shoppers would love a chance to buy from a store that doesn't play these games, the way car buyers (allegedly) like shopping at no-haggle auto dealerships.

    They don’t, says Gabaix, and Penney should have known better.

    “I think it was an ill-advised move,” he said. 

    All this price manipulation is really an information war, he says. Shoppers hunt for the tricks that let them save money. Stores hide booby traps that let them take money. It's a bad system, one I've labeled "Gotcha Capitalism." But it is the system we have now.

    And it's simply impossible, Gabaix argues, to be the one company that attempts to bridge this information gap.  If a firm tries to educate consumers on tricks and traps, and tries to offer an honest product, a funny thing happens: Consumers say, "Thank you for the tips," and go back to the tricky companies, where they exploit the new knowledge to get cheaper prices, leaving the "honest" firm in the dust.

    “Once you educate consumers on the right way to shop, they will seek out the lowest cost store, and that will be the one with the shrouded prices,” he said. “Once they are savvier consumers, you make less money from them.”

    Gabaix calls this the "curse of debiasing." And it leads to this depressing conclusion: "Shrouding is the more profitable strategy."

    To oversimplify for a moment, here's Penney's problem. They told the world that retailers only offer their best prices during crazy sales, and Penney stores would no longer host them. Sensible consumers apparently took that information to heart and decided to simply wait for such sales at other stores. As an added benefit, Penney lowered consumers' search costs, because they now knew they didn't need to bother driving to a Penney’s store anymore.

    That's probably not what new Penney CEO Ron Johnson had in mind when he decided to spend his marketing budget on those witty DeGeneres ads. A former Apple Inc. executive who took the Penney’s job in November, he thought he was lifting the store out of the brutal commodity clothing market. He may ultimately succeed at that. But he won't do it by telling customers the firm's pricing is fairer than at other stores, Gabaix believes.

    "It will be a very, very uphill battle," Gabaix said. "So, sorry for them."

    There have been a few other celebrated efforts by companies to educate consumers that their higher prices are really lower prices after hidden fees. During the last decade, Intercontinental Hotels experimented with up-front pricing that included all fees on its website. Executives at the firm told the New York Times that customers left in droves, choosing competitors with lowball prices. 

    More recently, Southwest Airlines has undertaken the most aggressive anti-shrouding campaign to date, picking on other airlines' baggage fees. The profitable carrier is holding its own with its "Bags Fly Free" campaign, but there are indications that the firm won't be able to resist all that free money forever. In what may be a sign of things to come, Southwest elected to leave AirTran's baggage fee structure in place after it acquired the competitor last year. 

    Shrouding isn't the only reason Penney's pricing plan is flawed. The firm is also leaving a lot of money on the table by rejecting a phenomenon known as "price discrimination." Some people have more money than time, and some have more time than money.  Some shoppers don't mind spending hours to save $20; others would gladly give a store $20 to escape quickly. Smart retailers get money from both. By killing couponing, Penney has eliminated its ability to satisfy price discriminators.

    And as others have pointed out, markdowns serve the age-old retailing trick of "anchoring." For some reason, even very smart consumers feel better paying $60 for something if you initially tell them it costs $100, and then reduce the price.

    But the real problem is Penney's ill-fated attempt to cast itself as the only fair poker player in a game of cheats. Shoppers just aren't buying it. However unsophisticated consumers are, very few of them believe a pair of shoes bought at Penney's everyday low price will be cheaper than a pair of shoes bought at Macy's on clearance with a 25 percent off coupon.

    Like it or not, hidden fees – and secret discounts – are here to stay.


  • Could you be sued for texting with a driver? Experts say, 'maybe'

    Could you be blamed for a car crash because you sent a text message? 

    A New Jersey judge will decide later this week if the sender of a text message might be partially liable for a horrific auto accident that occurred because the driver was reading that message on his cell phone and drifted into oncoming traffic.

    With nearly half a million U.S. drivers injured in distracted driving-related accidents every year, according to the National Highway Traffic Safety Administration, the judge’s decision could have wide-ranging impact in both the legal and digital realms.

    While it might seem absurd to blame someone who isn't even in the car -- or anywhere near it -- for causing an accident, some legal experts say the plaintiff is on firmer ground than you might think.


    Skippy Weinstein, a Morristown-based lawyer, is using similar logic to press the case he filed on behalf of David and Linda Kubert. Both Kuberts lost their legs during a 2009 crash in Mine Hill, N.J., after 19-year-old Kyle Best sideswiped their car when driving while texting. Weinstein said Shannon Colonna, who was texting with Best, should also be held responsible for the Kuberts’ injuries.

    "She was not physically in the vehicle but she was electronically present," Weinstein told msnbc.com. "She and he were assisting each other in a violation of the law."

    That word "assisting" is at the crux of Weinstein's novel legal argument. 

    Most readers will be familiar with the notion of "aiding and abetting" a criminal act and the guilt it brings: the man who knowingly holds the door for the gang is just as likely to be convicted of bank robbery as the safe cracker.

    More recently, this notion of aiding and abetting has been extended to civil liability cases, too, creating a basis for what's sometimes called "secondary" or "vicarious" liability. For the past two decades, most civil aiding and abetting cases have been limited to investment and securities fraud: An aggrieved investor might not only sue Bernie Madoff for stealing his money, for example, but also go after a third-party broker who repeatedly executed trades for Madoff. Even if the trader wasn't profiting from the scheme or part of a "joint enterprise," a court might find the trader provided assistance to Madoff, and should have known that someone was likely to be injured by his actions.

    The aiding and abetting argument in injuries that give rise to lawsuits, known as "torts," is only beginning to find its way into other kinds of civil cases.

    There's a simple three-pronged test to prove someone is partly to blame for causing an injury by aiding and abetting someone else. It is set out in the Restatement of Torts published by the American Law Institute, which guides most civil courtrooms:

    1) The party the defendant assists must do a wrongful act;

    2) The party must be generally aware of his or her role in the illegal or "tortious" act;

    3) The party must "substantially assist" in the principal violation.

    Weinstein thinks his argument is easy to make. The driver violated the law by texting while driving. Colonna, the text sender, should have known that Best was driving home from work and had to know texting while driving was a violation, he said. Therefore, it's hard to argue that a text sender isn't substantially assisting in the creation of a text message conversation that violates New Jersey's driving laws.

    "That very comfortably satisfies the third prong of the legal test," he said.

    Colonna’s lawyer, Joseph McGlone, doesn't think the argument has any merit, and has asked Morris County Superior Court Judge David Rand to dismiss the case. Rand is scheduled to rule this week on McGlone’s motion to dismiss the case.

    The sender of a text message has no way to control or predict when the recipient will read it, McGlone argues.

    "The sender of the text has the right to assume the recipient will read it at a safe time," McGlone told the local Daily Record newspaper. "It’s not fair. It’s not reasonable. Shannon Colonna has no way to control when Kyle Best is going to read that message."

    He added that there is no precedent for heaping liability on a person on the other side of a text message conversation that causes injury.

    Of course, there's no precedent for a lot of legal areas in the Digital Age. In situations like this, judges usually turn to analogies. In driving injury cases, the judge has a bushel full to choose from.

    For starters, it's hard to tag liability on anyone who isn't holding the steering wheel of the car while an accident occurs. Lawyers around the nation have repeatedly tried and failed to make passengers partly responsible for accidents caused by drunken drivers when passengers knowingly get into a car with an intoxicated driver.

    There are exceptions, however. A South Carolina court has said a passenger could be judged a "proximate cause" of an injury if the driver and passenger were in some kind of "joint enterprise," such as the passenger steering the car while the driver presses the gas pedal.

    Passengers who have directly encouraged drivers to break the law -- by urging them to speed excessively or to drive in the oncoming lane as part of a game, for example -- have also been found liable, Weinstein says.

    But to find a passenger liable, the South Carolina court said, "The passenger must have an equal right to control the direction and management of the vehicle." It seems hard to argue that a text message sender has equal ability to control the vehicle as the driver does.

    But there are plenty of other situations where someone other than the driver has to pay after an injury accident, an extension of liability called “imputed negligence.” The most common is when the driver is "an agent" of someone else -- when a pizza delivery man driving for work causes an accident, his employer is liable. Parents are often liable for accidents their children cause if the kids are directly under their care.

    There's also a concept called "negligent entrustment": if you knowingly let an unlicensed driver take your auto out for a spin, you will probably be liable for an accident he or she causes.

    Neither of those cases fit this situation well, however. So Weinstein has settled on a simpler analogy.

    "If she was in the vehicle and put her hands over his eyes so he couldn't see, she would be liable," he said. "(Texting with him) is as if she put her hands over his eyes."

    Is texting the digital equivalent of willfully rendering someone blind? To even make that argument, and to press on with the aiding and abetting claim, Weinstein has to persuade the judge that Colonna knew that Best was texting while driving. Colonna's lawyers are contesting that point, but Weinstein says the pattern of texts between boyfriend and girlfriend make clear that she must have known he was on his way home from work.

    But even if he fails on that argument, it's easy to imagine other lawsuits where evidence of knowledge by the sender could be hard to deny. A driver might directly text, "Hey, I'm driving home," for example.

    That would make a big difference in a case like this, said Robert Mitchell, a Utah-based lawyer and author of a recent article on aiding and abetting claims.

    "If there is conclusive evidence that the person sending the text messages to the driver knew the driver was texting while driving, we see no reason why a claim for aiding and abetting the driver’s negligent or reckless conduct could not be made. The case is probably weaker if there is no evidence of actual knowledge, but only evidence of ‘constructive knowledge,’" said Mitchell, referring to a concept that the sender "should have known" the recipient was driving. "Courts disagree over whether constructive knowledge is sufficient to give rise to aiding and abetting liability."

    Courts have found that the contribution by this third party in aiding and abetting cases can't be slight – it must be “significant.” For example, giving directions to the bank robber probably wouldn’t be substantial enough to get you prosecuted, but telling him what time security guard shifts change could be. And, as with most civil liability cases, the harm caused by the action doesn't have to be intentional.

    Mitchell said this is the critical phrase in the American Law Institute's guidelines.

    "If the encouragement or assistance is a substantial factor in causing the resulting tort, the one giving it is himself a tortfeasor and is responsible for the consequences of the other’s act. This is true both when the act done is (intentional) and when it is merely (negligent)," Mitchell wrote in his review, quoting the guidelines with added parentheses. In fact, liability exists even if the third party has no idea he or she is doing something illegal or negligent.

    So in Mitchell’s view, it's relatively easy to argue that the texter "substantially assisted" the driver in causing the accident.

    "The third prong, substantial assistance, would be an easier hurdle to clear (than knowledge) since sending somebody a text message while driving distracts the driver and that distraction may ultimately cause the accident," he said.  "Of course defenses may include superseding or intervening causes to the underlying tort (the first prong), like bad weather, poor road conditions or visibility, avoiding someone or something on the road."

    Not all experts agree, however. Maryland-based lawyer Bradley Shear, an expert in digital law, openly fretted about how far liability might extend if Weinstein is successful in his novel legal argument.

    "What if someone is hopping on a boat, and they look down at a text, slip and drown? What if a doctor gets a text before a surgery that upsets him and he makes a mistake? Is the sender responsible?" he said. "If you start going down that route where are you going to draw the line?"

    Mark Rasch, former head of the Justice Department’s Computer Crimes Unit, said he thinks the case will boil down simply into this question: Can anyone really prove that the sender of the text, Colonna, knew that Best would read it while driving? Absent such proof, there is no case, he says.

    But he was concerned with the larger issue of extending liability through digital means.

    “The real question here is, do we as a society want to impose a duty on the non-driving texter for accidents that happen when a recipient is driving?” he said. “For now, it seems a reasonable place to draw the line at this: The person driving has a duty not to text. And the person on other end of line has no duty unless there are special circumstances.”

    One special circumstance he envisioned: A boss or other person in a position of power who received a message from an employee saying, “I can’t text, I’m driving,” but continued to send demanding texts with an implied threat if they weren’t answered quickly.

    “The person in the position of authority might have liability then,” said Rasch, now a cybersecurity consultant with Virginia-based CSC Inc.

    Complicating matters, juries can apportion liability, and theoretically could find a driver 90 percent responsible and the sender of a text 10 percent responsible. Damages can be similarly apportioned, although the realities of collections mean the party with the deepest pockets usually pays the most in damages.

    It’s also possible that Congress or state legislatures might create a chain of liability, as states have done with dram shop laws, which make bars liable for injuries and damages caused by patrons who are served after they’re drunk.

    For his part, Weinstein demurs when asked if he's trying to set an important legal precedent or make law. He's just trying to win a case for his client, he said.

    "The defense ... wants to make this into a cause celebre, but this is not complicated," he said. "A jury may find I'm wrong and throw me out on my duff. ... All I'm saying is don't (text) while driving, and don't assist someone else in texting while driving."


  • Social media and privacy: A panel discussion

    On the heels of Facebook's IPO, msnbc.com's Bob Sullivan joins consumer advocate Jeff Fox and social media commentator Steve Rubel for a Web chat about the state of privacy in a social media-obsessed world.

    Welcome to the hangout on social media and privacy, powered by Google+, conducted on May 18. 

    Our panelists are: Bob Sullivan, author of msnbc.com's Red Tape Chronicles; Jeff Fox of Consumers Union; and Steve Rubel of the public relations firm Edelman. You can read a bit more about them below:

    Questions were submitted at msnbc.com's Google Hangout or by tweeting using the hashtag #talkprivacy.


  • School officials' Facebook rummaging prompts mom's privacy crusade

    Pam Broviak

    A mother who says her middle-school daughter was forced to let school officials browse the 13-year-old girl’s private Facebook page is speaking out against the practice because, she says, "other parents are scared to talk about it."

    Pam Broviak, who lives in the Chicago suburb of Geneva, Ill., says her daughter was traumatized when the principal of Geneva Middle School South forced the child to log in to her Facebook account, then rummaged through the girl's private information.

    "What a violation of my daughter's privacy this whole episode was," Broviak said. The incident took "a huge toll on my daughter, who ended up crying through most of the rest of the day and therefore missed most of her classes. She was embarrassed and very upset."

    There have been several descriptions lately of Facebook prying by schools – and one lawsuit was filed recently by the American Civil Liberties Union on behalf of an anonymous plaintiff against a school district that allegedly demanded a student’s social media passwords. But Broviak may be the first parent to go public with concerns about what she sees as serious violations of student privacy.


    In a conversation with msnbc.com, Broviak said she confronted school officials about the incident involving her daughter soon after it occurred last fall and was told that they routinely investigate student issues by asking kids to log into their social networking pages -- or cellphones -- in the presence of administrators. And she said her daughter and other students told her they are frequently called into the principal’s office and told that they can’t leave until they surrender their passwords or unlock their phones and allow school officials to browse their personal information.

    "(Students) let them see the accounts because otherwise, they are not allowed to leave the room. And that is just wrong," she said.

    Kent Mutchler, superintendent of Geneva schools, said in an interview with msnbc.com that he couldn't comment on Broviak’s daughter because privacy rules prevent him from publicly discussing an individual student’s situation. But he said Broviak's description of district policy is inaccurate.

    "We would never demand someone's password. When you have someone's password, you open yourself up to other issues," Mutchler said. "But if we have a disruptive situation, a school (official) will ask to see the page, and if the student refuses, we call the parents."

    But principals only request access to students' social media pages under extreme circumstances, Mutchler said.

    "There are different levels of concern. If there is a drug trafficking suspicion, we'll get the police involved. If it's something like cyberbullying, we'll say, 'This has been reported to us,' and ask to see the page," he said.

    Often, students volunteer before they are even asked, he said.

    "We ask, 'Is there something you want to show us?' that sort of thing. And they volunteer," he said. 

    Such incidents are very rare among district middle schools, he said, contradicting Broviak's assertion that the inspections are commonplace. 

    "It happens a half-dozen to a dozen times per year," he said.

    Broviak's public complaint comes at a time when schools, employers and lawmakers around the country are wrestling with sticky privacy issues surrounding social networks. The state Legislature in Illinois is considering legislation that would make it illegal for employers to demand access to workers’ or applicants’ private social media information. That law is silent on the issue of schools and social media snooping, but federal legislation introduced last month by Rep. Eliot Engel, D-N.Y., would extend the protections to students, too.

    Broviak said she didn't think school officials should ever look at a child's personal social media page or cellphone without first contacting parents.

    "It's just wrong for them to do this, but parents are afraid to talk about it, because they are worried, 'Are they going to target my kid?'" she said.

    Additionally, she said, looking at a kid's social media page violates an entire family's privacy, even if school officials don’t intend to look at posts involving other family members.

    "The whole family is exposed in this," she said. "Some families communicate through Facebook. What if her aunt was going through a divorce or had an illness? And now there's these anonymous people reading through this information."

    When the first incident occurred in the fall, Broviak said she didn't know what to do -- and initially chose to let it drop for fear that complaining might make things worse for her daughter. But she said reports from her daughter that other kids have been treated the same way and a recent spate of news stories surrounding the issue pushed her to speak up. Three weeks ago she published a detailed accounting of events on her personal blog, and this week agreed to be interviewed by msnbc.com.

    "It's really important for people to talk about this and know what's going on," she said. "And I'm really glad that the state Legislature and Congress are considering laws to deal with this."

    Her daughter, meanwhile, has learned an important but sad lesson through this experience, Broviak said.

    "It's taught her to use better judgment with adults," she said. "Basically, what (they) showed her was you can’t trust anyone. Her trust in and the respect of the adults at her school has been shattered to the point that she is struggling to look beyond this abuse and allow for the education process to occur."


  • Facebook: Friend or foe? A Google+ Hangout discussion May 18, 4 p.m. ET

    Steve Rubel

    Bob Sullivan

    Jeff Fox

    As Wall Street renders its opinion of the social media behemoth’s  initial public offering, msnbc.com will host a discussion about Facebook’s key product – your privacy. Can sharing coexist with privacy? How should consumers balance the desire to connect with the need to protect precious details about their personal lives? Should government regulators do more? Are privacy advocates crying wolf? A recent survey suggests most Facebook users don’t trust the company. Do you? What questions do you have?

    The Red Tape Chronicles’s Bob Sullivan will moderate a discussion about social media -- including Facebook and other services, like Google Plus -- and privacy issues with:

    • Steve Rubel, executive vice president for global strategy and insights at Edelman, the world’s largest independent public relations firm. He’s also a frequent social media commentator.
    • Jeff Fox, technology editor at Consumers Union. He was responsible for this month’s Consumer Reports cover story on Facebook and privacy.

    You can log into the Google+ Hangout on Friday at 4 p.m. ET/1 p.m. PT at http://redtape.msnbc.com/privacy. Post questions/comments there or via Twitter using hashtag #talkprivacy.

    Or visit msnbc.com's Google Hangout

  • The FBI took -- and mysteriously returned -- their server. Here's their story

    Presumed FBI agents reinstall a server seized from MayFirst/PeopleLink. The bureau won't say why it took it or why it returned it in such an unusual manner. Msnbc.com's Dara Brown reports.

    Ever wonder what it's like to have FBI agents knock on your door? Or to have them walk into your business unannounced and walk away with your computer?  Jamie McClelland and Alfredo Lopez can tell you.

    Their recent run-in with the men in black – the result of a spate of email bomb threats to the University of Pittsburgh -- offers a rare glimpse into the collision between free speech rights and the benefits of anonymity on one side with the needs of law enforcement to act quickly in the face of real threats on the other.

    Their tale ends with an odd twist: FBI agents, caught on video, returning the server only four days after it was seized from a co-location facility in New York City. At the moment, no one knows why the FBI would take that unusual step. FBI Special Agent Bill Crowley said the agency wouldn't comment on either the seizure or the return of the server.

    Federal investigators and local officials in Pittsburgh were scrambling last month as bomb threats targeting the University of Pittsburgh piled up. Within days, 46 such threats were logged, causing massive disruption as students and teachers were continually evacuated from building after building.  Parents and school officials pressured law enforcement to solve the case. For some reason, the FBI thought a server in a small facility in New York City might contain a crucial clue.


    McClelland and Lopez run a progressive Internet organization called MayFirst/PeopleLink, which helps democracy-seeking groups around the world use the Web to organize. Together with sister organization RiseUp, MayFirst/PeopleLink offers email services, mailing list support and other Web tools. But their services make a promise that's critical to people fighting oppressive regimes: All data is encrypted, guaranteeing total anonymity to those who need it.

     

     

     

    McClelland was on a conference call in MayFirst/PeopleLink's Brooklyn office -- which is in the same building where Lopez and his wife live -- on April 11 when he saw two men in suits standing at the door.

    "I thought they were Jehovah’s Witnesses, but I joked with people on the call that it was the FBI," he said.  Moments later, it was no joke.

    The agents flashed their badges and asked if they could come in; McClelland refused.  They asked if they could step into the vestibule. He refused again.

    "I had had some rudimentary training,” he said. “It certainly had occurred to us that we might some day get a visit from the FBI given the nature of what we do. But this wasn't what I expected. I was surprised at how easy it was to say ‘no’ to them...There was no intimidation, none of that. The agent appeared more nervous than me, and I was pretty nervous."

    Standing outside, the agents then showed printouts of a few emails with full headers to him, saying they were related to the Pittsburgh bomb threats. At that point, McClelland hadn’t  heard about the threats, so he said he didn't know anything about them. They asked if he knew anything about ECN.org, a server which appeared in the e-mail headers. Again, he said “no,” truthfully.

    "I asked if I could have copies of the emails. The agents said “no.” But I then asked if I could get pen and paper and write down details of what we were looking at. They let me do that," McClelland said. "I then asked them if they thought our server was compromised. But they couldn’t tell me anything. So I asked for their business card and told them we would research it."

    The agents left, but McClelland’s day had only just begun. What was ECN.org? Why did the agents show up unannounced? And most important, what would happen next? He was sure that wasn't the end of it.

    "When you are visited by the FBI, even when it goes relatively easy like it did, your entire life gets put on hold as you deal with all the implications," he said. McClelland called Lopez and other leadership team members, and then called the Electronic Frontier Foundation for legal help.

    “There were three hours of calls to run through things and make sure we had everything covered," he said.

    Initially, Lopez and McClelland assumed that one of their members had been hacked, and the account used for illegal purposes. Simply patching whatever security hole existed could end the problem. But a visit to ECN.org indicated there was a much more complex issue.

    ECN stands for the European Counter Network, an independent Internet service provider in Europe. It shares much the same mission as MayFirst/PeopleLink. On ECN.org, the provider offers anonymous email services through a service called "Mixmaster." Using Mixmaster, email users can achieve nearly undefeatable anonymity -- multiple servers pass messages from one to the other, each time stripping out header information and replacing it with false data, making it nearly impossible for investigators to "trace" the message to the original sender. 

    ECN had subcontracted space on RiseUp's New York City server; RiseUp had in turn subcontracted that space from MayFirst/PeopleLink.  It now appeared that the FBI believed someone connected to the Pittsburgh bomb threats had used ECN's anonymous email capabilities, which led to FBI agents knocking on the door at Alfredo Lopez's home office.

    "If you had asked me before this happened if one of our members ran an anonymous remailer, I would have said, 'probably,' " said McClelland. "That's exactly the kind of thing we want to support and we want to protect."

    When correctly configured, anonymous remailers leave no trace at all. There are no log files to check, no other server "fingerprints." After making sure the server was running properly, McClelland called the FBI agent on the business card and told him all he knew about ECN, which essentially was nothing.

    "We told him we suspected there was an anonymous remailer, there's nothing else we can tell you," he said. "We decided that was our best strategy ... to minimize disruption to our members. We didn't want to risk going to the next level of escalation."

    The strategy failed. The next day, MayFirst/PeopleLink received a subpoena demanding that the organization answer a series of questions about its server. With help from the EFF lawyer, they sent the responses on Monday, April 16.

    "At that point, we thought everything was OK, that we were done, and ready to move on," he said. 

    Then on Wednesday, April 18, at around 6 p.m., things took a turn for the worse.

    "I got a call from a tech who said, 'Jamie, the server isn't responding.' So he went to look for it in the rack and found that it was gone," McClelland said.

    Later, Lopez and McClelland would learn that the FBI had produced a search warrant when it showed up at the XO Communications Manhattan server farm, where the MayFirst/PeopleLink server was housed, which gave agents the right to take the box. But at the time, they could only guess what happened.

    "We filled out a help ticket that said, 'Our server is missing.'  We've never done that before," McClelland said.  "I can't emphasize enough that we received no communication from the FBI. From a human point of view, that is atrocious. But from a legal point of view, they don't have to do any more."

    The impact was immediate, and devastating, for both MayFirst/PeopleLink and RiseUp. Hundreds of mailing lists, websites and email accounts were immediately knocked offline.

    “The FBI is using a sledgehammer approach, shutting down service to hundreds of users due to the actions of one anonymous person,” Devin Theriot-Orr, a spokesperson for RiseUp, said  in a statement at the time. “This is particularly misguided because there is unlikely to be any information on the server regarding the source of the threatening emails.”

    While Lopez was scrambling to find a way to get the organizations back online, a camera with motion detection capabilities was installed at the server facility by an assistant.

    "We thought it was a little like shutting the barn door after the horse ran out, but we did it anyway," McClelland said.

    Generally, when FBI agents seize computers as part of an investigation, they're not returned for months, or even years. But within a week, a worker in the server room noticed that the motion detector camera had been activated on April 23. When he looked at the video, the tale took an even more unusual turn.

    The video shows two men in suits -- apparently FBI agents -- placing the server back in its rack.  But the box isn't merely dropped off. The two appear to be plugging it in, and then watching the machine for a few minutes, perhaps looking to see if it is operating correctly.

    Why would they do that? The FBI refused to answer a question about that.

    But Lopez has a theory. There's only one way to defeat most anonymous email services: to compromise the computer that processes the emails with special software -- a virus -- that could defeat the anonymizing software.

    "There was not even a scintilla of expectation that this server would return to our rack. It's the most amazing thing," Lopez said. "It's possible they put a device on it or a virus or Trojan of some kind."

    MayFirst/PeopleLink later posted the FBI agent video online. The agency hasn't commented on it.

    The server has not been returned to service; the organization is currently auditing the machine to see if it has been tampered with.

    "I can tell you that's the burning question in my mind. We are planning on doing a full diagnostic on the server to see if we detect anything on the server," McClelland said.

    But even if it hasn't been tampered with, Lopez said he's outraged that U.S. federal agents would compromise Internet access for global groups fighting for democratic rights while hunting for evidence that doesn’t exist.

    "Look at the atrocity of them going in and taking a computer ... and disrupting all this information, and potentially getting all this information from hundreds of people not even accused of a crime," Lopez said. "This is serious … for people all over the world who depend on this stuff for their day to day work. To have it taken away by some other government, it's really unfair to them in every conceivable way."

    The Mixmaster service was uninterrupted by the server seizure; anonymous messages were simply routed through other servers.

    MayFirst/PeopleLink and RiseUp both told their members that no identities were compromised during the FBI seizure -- all data on the server is encrypted and there's no reason to believe the encryption was compromised. Still, U.S. government action against anonymous Web services could have a dangerous chilling effect, fretted Lopez.

    "In some parts of the world, privacy and anonymity are a matter of life or death," he said. "These services are used for important work, and in many countries, they are the only way to communicate without putting yourself in serious danger."

    The Electronic Frontier Foundation issued a statement last week accusing the FBI of "overreaching."

    "The fact that the FBI's investigation led them to an anonymous remailer should have been the end of the story. It should have been obvious that digging deeper wouldn't lead to helpful information because anonymous remailers don't always leave paper trails," wrote Hanni Fakhoury. "So enough is enough. The government's ability to search a person and their property -- and in this case, shut down speech -- is an extraordinary power that can easily be abused. Law enforcement needs to do its research before resorting to an extremely intrusive search warrant that intrudes on innocent people's privacy, causes significant disruption to harmless activity, and silences speech. And as we've argued before, search warrants for electronic devices shouldn't be limitless."  

    Lopez, who has two children in their 30s, said he understands why parents in Pittsburgh were concerned for their children's safety during the repeated bomb scares.  But he warned that repression often begins with "people who mean well."

    "These people making the threats, these are jerks, nobody wants to protect them," he said. "But what do you give up when you give up freedom in exchange for the illusory feeling of security?  You can't trample people's rights because when you do, the terrorists have won."

    The Pittsburgh bomb threats stopped on April 21. No bombs were found. There have been arrests in connection with the incidents, but authorities are still investigating.


  • Bill would make Facebook snooping, digital spying by employers illegal

    Legislation that would give workers broad protection from the prying eyes of employers was introduced in both houses of the U.S. Congress on Wednesday. Both bills would make it illegal for employers to force workers or candidates to divulge social media passwords, similar to legislation nicknamed SNOPA, which was introduced last month. But the new Password Protection Act, sponsored by Sen. Richard Blumenthal, D-Conn., goes even further, extending such limitations to smart phones, private email accounts, photo sharing sites and any personal information that resides on computers owned by the workers.

    But Blumenthal's proposal -- and its companion in the House, introduced by Rep. Ed Perlmutter, D-Colo. -- is narrower in some ways than the Social Networking Online Protection Act (SNOPA) introduced April 27 by Rep. Eliot Engel, D-N.Y. SNOPA extended similar protections to elementary, high school and college students. Under the Password Protection Act, students would not be protected.


    Still, Blumenthal's legislation is "a good start," said Chris Calabrese, a lawyer for the American Civil Liberties Union. "We feel like it's a very flexible standard. It extends to your iPhone, to information you have on Google and anything else that may come up in the future that we haven't thought of yet."

    Still, Calabrese said his organization will work to include students before any proposal reaches a vote in Congress.

    "Students are clearly the target of a lot of social media monitoring," he said. "We think students should have the same rights as everyone else. We'd like to see the best of both of these pieces of legislation combined."

    Blumenthal, who has been publicly critical of firms that have requested employee Facebook passwords, said legislation is needed to protect workers.

    “Employers seeking access to passwords or confidential information on social networks, email accounts or other protected Internet services is an unreasonable and intolerable invasion of privacy,” Blumenthal said in a statement. “With few exceptions, employers do not have the need or the right to demand access to applicants’ private, password-protected information. This legislation, which I am proud to introduce, ensures that employees and job seekers are free from these invasive and intrusive practices.”

    Bradley Shear, a Maryland lawyer and activist who has helped draw attention to the issue, said he "applauded" the efforts of legislators who introduced the Password Protection Act, but was also concerned that students not be left behind as the legislation works its way through committee.

    "Hopefully all the different interested parties will come together to find a solution that covers everyone," he said. "This is something that won't go away unless it's handled now."

    The Facebook password issue has been bubbling up for years — in 2009, a Maryland state employee complained that he was required to provide his Facebook password during a job interview. But the subject has gained much more attention in recent weeks, after several news reports, including an msnbc.com investigation.


  • Discount cellphone sites come with double dose of termination fees, hassles

    Buying a smart phone from a third-party, discount online retailer might seem like a shrewd move, but a $50 discount could cost you $400 later if something goes wrong, in addition to any early termination fees charged by the carrier. That means consumers who buy from big-name third-party retailers like Target or Radio Shack could end up facing up to $750 if they prematurely cancel service. It also means consumers might be hit with a big bill from an unexpected place.

    Ohio consumer Chris Eash found this out the hard way when an innocent mistake involving a handset return to a RadioShack retail store led to weeks of pestering by a company named Simplexity, which powers online cellphone sales at some of the nation's largest retailers, including RadioShack.com and Target.com.

    Simplexity's proposition might sound simple: Consumers accept a discount in exchange for promising to pay a hefty fine if they cancel or change service within the first 181 days. But a glance online shows many complaints from consumers who are confused when hit by the fee.  

    Simplexity does disclose the fee prior to purchase, but it takes some work to find it. On RadioShack's mobile sales Website, for example, the fee is revealed via a link labeled "instant savings terms and terms of purchase," on the final page of the cellphone checkout procedure. Users must click on that link and read through a pop-up window to learn that their credit cards will be charged $400 if the carrier indicates service is changed within 181 days.


    Essentially, Simplexity is forcing consumers to cover the commission that would have been paid by carriers had the consumer maintained service. And it might be a fair deal for cellphone buyers to take a discount now and risk a fee later. For example, visitors to RadioShack.com on Monday were offered a chance to buy a 16 GB Droid Bionic with a Verizon contract for $49 -- $50 less than the $99 price advertised at VerizonWireless.com.

     

    But as Eash learned, Simplexity can be very aggressive about getting its bounty from consumers when anything goes wrong. He visited RadioShack.com in March and decided to buy a 4G Motorola phone, then went to his local store to actually make the purchase. When he got home, he realized that the salesman had given him the wrong handset -- the 3G version -- and he went back to the store the next day to return it. At the store, he was told the 4G phone was only available at the Radio Shack Website. He was also told by Verizon that if he returned the 3G phone before buying the 4G phone online, he would lose his phone number.  So within about 48 hours, he ordered the 4G online, ported his number to it, then returned the 3G at the store.

    Within days, Simplexity -- the retailer behind RadioShack.com -- contacted Eash and said he owed $400 because he'd changed the number associated with the 4G phone when it was sold. He hadn’t done anything wrong; he only had one phone handset, and he was honoring his contract. But no amount of pleading could deter the collectors, he said. The saga dragged on, with each firm blaming the other.

    "I got a notice from Simplexity ... (saying) that since I haven't paid the $400, they are going to charge the debit card I used for my purchase," he said. He canceled his debit card to avoid the charge, but Simplexity then threatened his credit report. "I have spent hours on the phone with both Verizon and Simplexity trying to get them to work it out with no luck. Both say the resolution is up to the other company.  It's come down to ‘Give us $400 or we crap on your credit record.'"

    Operators told him that, essentially, if Verizon didn't pay Simplexity its bounty for getting him to sign up as a new customer, he'd have to pay it.

    At the end of his rope, he contacted msnbc.com. We contacted Verizon, which escalated his problem with Simplexity. Eash was then contacted by a Simplexity official who apologized and promised to fix the mix-up. The official indicated there was honest confusion because the number associated with the phone purchased from Simplexity had been changed, and that resulted in a “charge-back” from VerizonWireless.

    The e-mail also explained that Simplexity must charge a hefty fee when phones are deactivated to avoid consumers simply purchasing their discounted phones and then canceling service and using a different provider.

    Eash was satisfied, but the experience left him with serious reservations about using online discount cellphone retailers.

    "Without some serious string pulling, I would have never talked to (the final Simplexity official) and would still be fighting with Simplexity,” he said. “I told him he had a company that with the exception of one person ... shows very little regard for their customers. I would strongly urge anyone considering buying a cellphone online to make sure this company is not the one behind the curtain pulling the levers.  They operate many store brand cellphone web sites that have absolutely no connection to the store on the page."

    Simplexity did not respond to questions about Eash’s complaint or about its business model, which also involves selling phones directly to consumers through its WireFly.com Website.

    Tom Pica, a spokesman for Verizon, said he couldn't comment on an individual consumer's account, but added that the firm has not received many complaints from consumers who purchased their devices from Simplexity.

    "We have high standards for our authorized agents and the service they provide to our customers," he said.

    Neither Target nor Radio Shack responded to requests for comment by press time.

    If you’ve never shopped at a third-party online cell phone retailer, dual fees for prematurely ending a cell phone contract may be new to you. But they are common.  Amazon, for example, offers deep phone discounts but charges $250 if the service is disconnected or canceled before 181 days have passed, in addition to any carrier fees. Letstalk.com, which operates Walmart’s online cellphone sales, also charges $250, describing the charge as an “equipment subsidy recovery fee.” Such fees first caught the attention of the public – and regulators – in 2010, when Google added a hefty early termination fee to initial buyers of its pricey Nexus One phone.  After inquiries from the FCC, the fee was reduced from $350 to $150.

    (ShopNBC.com also uses Simplexity to fulfill cell phone orders. Msnbc.com is a joint venture of Microsoft and NBC News)

    Still, some consumers are apparently confused by Simplexity’s charges, and have lodged numerous complaints on Websites. Nearly all of them are accompanied by a note from a Simplexity official offering to clear up the matter.

    One writer on ComplaintsBoard.com sounded desperate in a post titled, "I want my $600 back."  That consumer said he or she had purchased two Droid phones and returned them, only to be hit with a $600 charge. A writer named "WireflyKSCorpHQ" wrote back and offered to help and later posted a note saying the matter was resolved.  Another writer added, " I just received a text message (Alert) stating a withdrawal of 600.00 from Simplexity. I don't even know who they are or how they have my account number! Were you able to solve this issue? Is there any way I can receive my money back?" WireflyKSCorpHQ again offered to help.

    Simplexity acknowledges questions about its discounts at a page on the Wirefly Website titled "How can Wirefly offer such great deals? Is it a scam? What's the catch?"

    On the page, Simplexity explains that it passes commissions it receives from cellphone network operators on to consumers and why it must recover the commissions if consumers cancel service. It also brags about the price clarity it offers consumers.

    "Cellphone rebates can be confusing and most people don’t like them. That’s why Wirefly has not offered rebates on any products since 2007," the page says.

    The page doesn't mention that in 2006, Wirefly.com, under previous ownership while named InPhonic Inc., was sued by the Washington, D.C., attorney general's office after more than 2,000 complaints about unpaid rebates were received by the local Better Business Bureau office. The complaints were also the focus of an msnbc.com story. At the time, the firm was accused of creating near-impossible rebate terms, such as requiring consumers to file for rebates 180 days after service started, but no later than 210 days.

    InPhonic, which at the time claimed to be the largest independent online cell phone retailer, settled that case in late 2006, agreeing to pay the rebates. The following year, the firm filed for bankruptcy. WireFly.com and other assets of the company were purchased by the Philadelphia-based private equity firm Versa Capital Management, which created a new firm named Simplexity. A spokesperson at the time told the Washington Post that the new company would not engage in any rebate programs in a story titled, "Rebates for customers of InPhonic in peril, again." Also at that time, InPhonic CEO David Steinberg said he would step aside.

    But several members of the current Simplexity "Leadership Team" also worked at InPhonic, according to the Simplexity website. On that page, InPhonic is described only as "a publicly traded Internet retailer."

    Simplexity maintains an A rating at the Better Business Bureau, though that agency's site says there have been 662 complaints filed against the firm in the past three years -- all of them "closed." That generally means the firm has responded, though it does not guarantee that consumers are satisfied with that response.

    The only direct connection between Simplexity's current business model and InPhonic's troubled rebate model is the magic 180-day mark at which authorized resellers get to keep their bounty from mobile providers for signing up new customers.  What Simplexity is doing now is in some ways the reverse of a rebate program – rather than making consumers wait 180 days to receive a $100 or $200 check, the firm is crediting the consumer immediately and grabbing back that money in the event that the deal goes sour before 180 days. As long as consumers understand the risk they are taking by accepting Simplexity/Wirefly's discount, bargains can be had. Things do happen, however, and it’s worth considering if $50 today is worth a possible $400 bill tomorrow.

    Eash was so scarred by his experience, and the hidden traps he landed in, that he says he would never do it again.

    "My advice: Buy directly from the service provider and NEVER from a third party. In the long run it may be a LOT less expensive," he said.
