From rforno at infowarrior.org Mon Mar 1 12:57:23 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 1 Mar 2010 07:57:23 -0500
Subject: [Infowarrior] - Pew Report: Participatory News
Message-ID: <69800B00-B73A-462D-A89B-8CAD667E767F@infowarrior.org>

While much attention is given to the changing technology of news-getting, I found the info on respondent attitudes more interesting. Found the report via a blog, since the survey is not showing up on the Pew site yet. Either that, or I need more coffee.

-rf

Understanding the participatory news consumer
How internet and cell phone users have turned news into a social experience
http://www.swamppolitics.com/news/politics/blog/2010/02/28/Pew%20News%20Source%20Study.pdf

From rforno at infowarrior.org Mon Mar 1 13:20:49 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 1 Mar 2010 08:20:49 -0500
Subject: [Infowarrior] - Verizon Incident Metrics Framework Released
Message-ID:

(c/o J)

http://securityblog.verizonbusiness.com/2010/02/19/veris-framework-2/

Verizon Incident Metrics Framework Released
Wade Baker
February 19th, 2010

Many of you who read our blog regularly are familiar with our "Data Breach Investigations Report". We hope that you've found past reports informative, useful, and above all, actionable. The production of the DBIR has been driven by our desire to help solve what we see as two of the most significant problems facing our industry:

1. Uncertainty due to the lack of data
2. Equivocality due to the lack of a common framework

Basically, we believe that until we can all be on the same page regarding what terms mean and why those terms are useful, we're going to have a problem creating meaning from any data we *do* get. One of the reasons we feel that the DBIR was so successful is because we are able to translate the incident narrative (the attacker did this, then that, then the other thing) into a data set.
To accomplish this translation task, we used a framework, a sort of taxonomy of incident elements we thought that, when gathered consistently, would help people better interpret data and manage risk. Today we're making a version of that framework, the Verizon Incident Sharing Framework (VerIS), available for you to use. In the document that you can download here, you'll find the first release of the VerIS framework. You can also find a shorter executive summary here.

Our goal for our customers, friends, and anyone responsible for incident response, is to be able to create data sets that can be used and compared because of their commonality. Together, we can work to eliminate both equivocality and uncertainty, and help defend the organizations we serve.

We hope that you'll use and even take an active interest in the VerIS Framework. To that extent, we've set up an online forum for questions and answers, and have put in place an advisory board of independent security experts to work with the community for the better growth and evolution of the framework as it's used outside of Verizon. We truly believe that together, we can begin to make a real difference, and it is our hope that this "common language" will be the first step towards creating an era of shared knowledge and collaboration for our industry.
_______________________________________________

From rforno at infowarrior.org Mon Mar 1 18:35:26 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 1 Mar 2010 13:35:26 -0500
Subject: [Infowarrior] - Feds Commence Huge Data Center Consolidation
Message-ID: <071D868E-25E1-497A-BE1C-923F6B5A01F9@infowarrior.org>

Feds Commence Huge Data Center Consolidation
March 1st, 2010 : Rich Miller
http://www.datacenterknowledge.com/archives/2010/03/01/feds-commence-huge-data-center-consolidation/

The federal government has begun what looms as the largest data center consolidation in history, hoping to dramatically reduce IT operations that are currently distributed among more than 1,100 data centers. On Friday Federal CIO Vivek Kundra outlined details of the ambitious plan in a memo that directs federal agencies to prepare an inventory of the IT assets by April 30 and develop a preliminary data center consolidation plan by June 30. These plans will need to be finalized by Dec. 31, 2010, with implementation beginning in 2011.

Huge Implications for Data Center Sector

The government data center consolidation has huge implications for the fortunes of system integrators, data center service providers (especially in northern Virginia), and cloud computing platforms optimized for hosting government apps. The consolidation effort figures to generate significant business for companies providing energy efficiency tools and consulting, as Kundra signaled that reducing energy costs will be a driving force in the effort. He noted that the number of government data centers soared from 432 in 1999 to the current 1,100 plus.

"This growth in redundant infrastructure investments is costly, inefficient and unsustainable and has a significant impact on energy consumption," said Kundra. "In 2006 Federal servers and data centers consumed 6 billion kWh of electricity, and without a fundamental shift in how we deploy technology it could reach 12 billion kWh by 2012."
First Assessment Due April 30

The immediate challenge: Federal agencies must conduct a "high-level assessment" of all their IT assessments and data centers by April 30, followed by a more detailed accounting by July 30. In announcing the Federal Data Center Consolidation Initiative, Kundra outlined four high-level goals:

- Promote the use of Green IT by reducing the overall energy and real estate footprint of government data centers;
- Reduce the cost of data center hardware, software and operations;
- Increase the overall IT security posture of the government;
- Shift IT investments to more efficient computing platforms and technologies.

That last bullet point is boosting expectations that a meaningful chunk of government IT operations will be shifted to a cloud computing model. Kundra discussed this prospect at an appearance Friday, saying the federal government is looking for "game-changing approaches" to deal with the problematic growth in data centers rather than "brute force consolidation."

"This is a huge opportunity to apply best practices from the private sector," Kundra told Federal Computer Week. "It is a huge problem. The path we are on does not make sense."

Likely to Boost Data Center Demand

But the cloud model won't make sense for all federal applications. If recent consolidations by companies like HP and Intel are any indication, the drive for greater efficiency will render many of the current data center properties obsolete. Many older data facilities do not have the power capacity to support a highly-utilized equipment space. Consolidation also leads to higher densities, which are more difficult to cool in legacy facilities. That means new data center space, most likely in northern Virginia and Maryland. Systems integrators and companies building cloud platforms have been among the players driving demand for data center space in northern Virginia, where demand has been strong and new supply has been limited.
As the federal consolidation moves ahead, that demand is likely to increase as federal agencies identify new requirements. The federal consolidation is also likely to be good news for server vendors, as consolidations usually include hardware refreshes to take advantage of the latest advances in computing power and energy efficiency.

From rforno at infowarrior.org Mon Mar 1 20:22:51 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 1 Mar 2010 15:22:51 -0500
Subject: [Infowarrior] - Major ACTA Leak: Internet and Civil Enforcement Chapters With Country Positions
Message-ID: <4D8C629E-475C-4F11-BBE8-9A0D929390E6@infowarrior.org>

Major ACTA Leak: Internet and Civil Enforcement Chapters With Country Positions
Monday March 01, 2010
http://www.michaelgeist.ca/content/view/4829/125/

On the heels of the leak of various country positions on ACTA transparency, today an even bigger leak has hit the Internet. A new European Union document prepared several weeks ago canvasses the Internet and Civil Enforcement chapters, disclosing in complete detail the proposals from the U.S., the counter-proposals from the EU, Japan, and other ACTA participants. The 44-page document also highlights specific concerns of individual countries on a wide range of issues including ISP liability, anti-circumvention rules, and the scope of the treaty. This is probably the most significant leak to date since it goes even beyond the transparency debate by including specific country positions and proposals.

The document highlights significant disagreement on a range of issues. For example, on the issue of anti-circumvention legislation and access controls, the U.S. wants it included per the DMCA, but many other countries, including the EU, Japan, and New Zealand do not, noting that the WIPO Internet treaties do not require it. A brief summary of the key findings is posted below, but much more study is needed.

Internet Enforcement Chapter
- Canada has expressed concern with the title of the chapter ("Special Measures Related to Technological Enforcement Means and the Internet") and the substance of the chapter
- On the ISP safe harbour chapter, the leak identifies three proposals (consistent with an earlier NZ comment). In addition to the U.S. proposal that was leaked earlier, there is a Japanese proposal and one from the EU. Moreover, many countries have raised specific issues about the U.S. language. For example, New Zealand notes that the safe harbour appears to cover Information Location Tool providers (i.e. search engines), but that it wonders why there is a concern of liability to begin with.
- Japan's alternative proposal calls for ISP liability based on knowledge of infringement. It states that there may be liability if it is technically possible to prevent the infringement and the provider "knows or there is reasonable ground to know" that infringement is occurring. There are additional provisions on the inclusion of a notice system and industry cooperation.
- With respect to the requirement of an ISP policy that could include three strikes as a pre-requisite for qualifying for the safe harbour, New Zealand is opposed to the condition altogether. Meanwhile, Japan notes that its law does not contain a policy requirement and it would have to consider whether it can agree to that requirement.
- On the implementation of notice-and-takedown, Canada has noted that the relationship between third party liability and ISP limitation of liability is unclear.
- On the anti-circumvention rules, which involve a U.S. attempt to implement a global DMCA, the EU would like to exclude access controls from the ambit of the provision. They are not alone - New Zealand opposes their inclusion and Japan also takes the position that access controls are not required by the WIPO Internet treaties and is apparently concerned about the implications for its domestic law.
There is no reference to a Canadian position, despite the fact that this goes beyond current Canadian law.

Civil Enforcement Chapter

- The U.S., Japan, and the European Union want the civil enforcement powers to extend to any intellectual property right. Canada, Singapore, and New Zealand seek a more limited treaty that covers only copyright and trademarks.
- The EU is seeking injunctive relief powers against intermediaries whose services are used by a third party to infringe an IP right. The EU is alone in focusing on intermediary injunctions.
- On statutory damages, the EU seeks to limit damages to actual damages, while the U.S. is proposing statutory damages. There is also dispute on the scope of the IP rights (all vs. just copyright and trademark). Canada and NZ also want to limit or exclude damages in certain special cases.
- On the disclosure of information related to investigations, the U.S. is pushing for very broad language, while the E.U. wants to limit with specific kinds of information (and Canada has proposed further limiting language).

From rforno at infowarrior.org Tue Mar 2 03:35:51 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 1 Mar 2010 22:35:51 -0500
Subject: [Infowarrior] - Cyberwar Hype Intended to Destroy the Open Internet
Message-ID:

Cyberwar Hype Intended to Destroy the Open Internet
By Ryan Singel, March 1, 2010, 6:56 pm
http://www.wired.com/threatlevel/2010/03/cyber-war-hype/

The biggest threat to the open internet is not Chinese government hackers or greedy anti-net-neutrality ISPs, it's Michael McConnell, the former director of national intelligence.

McConnell's not dangerous because he knows anything about SQL injection hacks, but because he knows about social engineering. He's the nice-seeming guy who's willing and able to use fear-mongering to manipulate the federal bureaucracy for his own ends, while coming off like a straight shooter to those who are not in the know.
When he was head of the country's national intelligence, he scared President Bush with visions of e-doom, prompting the president to sign a comprehensive secret order that unleashed tens of billions of dollars into the military's black budget so they could start making firewalls and building malware into military equipment.

And now McConnell is back in civilian life as a vice president at the secretive defense contracting giant Booz Allen Hamilton. He's out in front of Congress and the media, peddling the same Cybaremaggedon! gloom.

And now he says we need to re-engineer the internet.

We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options - and we must be able to do this in milliseconds. More specifically, we need to re-engineer the Internet to make attribution, geo-location, intelligence analysis and impact assessment - who did it, from where, why and what was the result - more manageable. The technologies are already available from public and private sources and can be further developed if we have the will to build them into our systems and to work with our allies and trading partners so they will do the same.

Re-read that sentence.

He's talking about changing the internet to make everything anyone does on the net traceable and geo-located so the National Security Administration can pinpoint users and their computers for retaliation if the U.S. government doesn't like what's written in an e-mail, what search terms were used, what movies were downloaded. Or the tech could be useful if a computer got hijacked without your knowledge and used as part of a botnet.

The Washington Post gave McConnell free space to declare that we are losing some sort of cyberwar. He argues that the country needs to get a Cold War strategy, one complete with the online equivalent of ICBMs and Eisenhower-era, secret-codenamed projects.
Google's allegation that Chinese hackers infiltrated its Gmail servers and targeted Chinese dissidents proves the United States is "losing" the cyberwar, according to McConnell.

But that's not warfare. That's espionage.

McConnell's op-ed then pointed to breathless stories in The Washington Post and The Wall Street Journal about thousands of malware infections from the well-known Zeus virus. He intimated that the nation's citizens and corporations were under unstoppable attack by this so-called new breed of hacker malware.

Despite the masterful PR about the Zeus infections from security company NetWitness (run by former Bush Administration cyberczar Amit Yoran), the world's largest security companies McAfee and Symantec downplayed the story. But the message had already gotten out - the net was under attack.

Brian Krebs, one of the country's most respected cybercrime journalists and occasional Threat Level contributor, described that report: "Sadly, this botnet documented by NetWitness is neither unusual nor new."

Those enamored with the idea of "cyberwar" aren't dissuaded by fact-checking. They like to point to Estonia, where a number of the government's websites were rendered temporarily inaccessible by angry Russian citizens. They used a crude, remediable denial-of-service attack to temporarily keep users from viewing government websites. (This attack is akin to sending an army of robots to board a bus, so regular riders can't get on. A website fixes this the same way a bus company would - by keeping the robots off by identifying the difference between them and humans.)

Some like to say this was an act of cyberwar, but if that was cyberwar, it's pretty clear the net will be just fine.

In fact, none of these examples demonstrate the existence of a cyberwar, let alone that we are losing it.

But this battle isn't about truth. It's about power.
For years, McConnell has wanted the NSA (the ultra-secretive government spy agency responsible for listening in on other countries and for defending classified government computer systems) to take the lead in guarding all government and private networks. Not surprisingly, the contractor he works for has massive, secret contracts with the NSA in that very area. In fact, the company, owned by the shadowy Carlyle Group, is reported to pull in $5 billion a year in government contracts, many of them Top Secret.

Now the problem with developing cyberweapons - say a virus, or a massive botnet for denial-of-service attacks - is that you need to know where to point them. In the Cold War, it wasn't that hard. In theory, you'd use radar to figure out where a nuclear attack was coming from and then you'd shoot your missiles in that general direction. But online, it's extremely difficult to tell if an attack traced to a server in China was launched by someone Chinese, or whether it was actually a teenager in Iowa who used a proxy.

That's why McConnell and others want to change the internet. The military needs targets.

But McConnell isn't the only threat to the open internet. Just last week the National Telecommunications and Information Administration - the portion of the Commerce Department that has long overseen the Internet Corporation for Assigned Names and Numbers - said it was time for it to revoke its hands-off-the-internet policy. That's according to a February 24 speech by Assistant Commerce Secretary Lawrence E. Strickling.

In fact, "leaving the Internet alone" has been the nation's internet policy since the internet was first commercialized in the mid-1990s. The primary government imperative then was just to get out of the way to encourage its growth.
And the policy set forth in the Telecommunications Act of 1996 was: "to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation." This was the right policy for the United States in the early stages of the Internet, and the right message to send to the rest of the world.

But that was then and this is now. Now the NTIA needs to start being active to prevent cyberattacks, privacy intrusions and copyright violations, according to Strickling. And since NTIA serves as one of the top advisers to the president on the internet, that stance should not be underestimated.

Add to that - a bill looming in the Senate would hand the president emergency powers over the internet - and you can see where all this is headed.

And let the past be our guide. Following years of the NSA illegally spying on Americans' e-mails and phone calls as part of a secret anti-terrorism project, Congress voted to legalize the program in July 2008. That vote allowed the NSA to legally turn America's portion of the internet into a giant listening device for the nation's intelligence services. The new law also gave legal immunity to the telecoms like AT&T that helped the government illegally spy on Americans' e-mails and internet use. Then-Senator Barack Obama voted for this legislation, despite earlier campaign promises to oppose it.

As anyone slightly versed in the internet knows, the net has flourished because no government has control over it. But there are creeping signs of danger. Where can this lead? Well, consider England, where a new bill targeting online file sharing will outlaw open internet connections at cafes or at home, in a bid to track piracy.

To be sure, we could see more demands by the government for surveillance capabilities and backdoors in routers and operating systems.
Already, the feds successfully turned the Communications Assistance for Law Enforcement Act (a law mandating surveillance capabilities in telephone switches) into a tool requiring ISPs to build similar government-specified eavesdropping capabilities into their networks.

The NSA dreams of "living in the network," and that's what McConnell is calling for in his editorial/advertisement for his company. The NSA lost any credibility it had when it secretly violated American law and its most central tenet: "We don't spy on Americans."

Unfortunately, the private sector is ignoring that tenet and is helping the NSA and contractors like Booz Allen Hamilton worm their way into the innards of the net. Security companies make no fuss, since a scared populace and fear-induced federal spending means big bucks in bloated contracts. Google is no help either, recently turning to the NSA for help with its rather routine infiltration by hackers.

Make no mistake, the military industrial complex now has its eye on the internet. Generals want to train crack squads of hackers and have wet dreams of cyberwarfare. Never shy of extending its power, the military industrial complex wants to turn the internet into yet another venue for an arms race. And it's waging a psychological warfare campaign on the American people to make that so.

The military industrial complex is backed by sensationalism, and a gullible and pageview-hungry media. Notable examples include the New York Times's John "We Need a New Internet" Markoff, 60 Minutes' "Hackers Took Down Brazilian Power Grid," and the WSJ's Siobhan Gorman, who ominously warned in a piece lacking any verifiable evidence, that Chinese and Russian hackers are already hiding inside the U.S. electrical grid.

Now the question is: Which of these events can be turned into a Gulf of Tonkin-like fakery that can create enough fear to let the military and the government turn the open internet into a controlled, surveillance-friendly net.
What do they dream of? Think of the internet turning into a tightly monitored AOL circa the early '90s, run by CEO Big Brother and COO Dr. Strangelove. That's what McConnell has in mind, and shame on The Washington Post and the Senate Commerce, Science and Transportation Committee for giving McConnell venues to try to make that happen - without highlighting that McConnell has a serious financial stake in the outcome of this debate.

Of course, the net has security problems, and there are pirated movies and spam and botnets trying to steal credit card information. But the online world mimics real life. Just as I know where online to buy a replica of a Coach handbag or watch a new release, I know exactly where I can go to find the same things in the city I live in. There are cons and rip-offs in the real world, just as there are online. I'm more likely to get ripped off by a restaurant server copying down the information on my credit card than I am having my card stolen and used for fraud while shopping online. "Top Secret" information is more likely to end up in the hands of a foreign government through an employee-turned-spy than from a hacker.

But cyber-anything is much scarier than the real world.

The NSA can help private companies and networks tighten up their security systems, as McConnell argues. In fact, they already do, and they should continue passing along advice and creating guides to locking down servers and releasing their own secure version of Linux. But companies like Google and AT&T have no business letting the NSA into their networks or giving the NSA information that they won't share with the American people.

Security companies have long relied on creating fear in internet users by hyping the latest threat, whether that be Conficker or the latest PDF flaw. And now they are reaping billions of dollars in security contracts from the federal government for their PR efforts.
But the industry and its most influential voices need to take a hard look at the consequences of that strategy and start talking truth to power's claims that we are losing some non-existent cyberwar.

The internet is a hack that seems forever on the edge of falling apart. For a while, spam looked like it was going to kill e-mail, the net's first killer app. But smart filters have reduced the problem to a minor nuisance as anyone with a Gmail account can tell you.

That's how the internet survives. The apocalypse looks like it's coming and it never does, but meanwhile, it becomes more and more useful to our everyday lives, spreading innovation, weird culture, news, commerce and healthy dissent.

But one thing it hasn't spread is "cyberwar."

There is no cyberwar and we are not losing it. The only war going on is one for the soul of the internet. But if journalists, bloggers and the security industry continue to let self-interested exaggerators dominate our nation's discourse about online security, we will lose that war - and the open internet will be its biggest casualty.

From rforno at infowarrior.org Tue Mar 2 03:52:57 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 1 Mar 2010 22:52:57 -0500
Subject: [Infowarrior] - Striving to Map the Shape-Shifting Net
Message-ID: <2529ACBE-D1FA-41F3-AD12-F8F7B4227B73@infowarrior.org>

March 2, 2010
Striving to Map the Shape-Shifting Net
By JOHN MARKOFF
http://www.nytimes.com/2010/03/02/science/02topo.html?hpw=&pagewanted=print

SAN FRANCISCO - In a dimly lit chamber festooned with wires and hidden in one of California's largest data centers, Tim Pozar is changing the shape of the Internet. He is using what Internet engineers refer to as a "meet-me room." The room itself is enclosed in a building full of computers and routers. What Mr.
Pozar does there is to informally wire together the networks of different businesses that want to freely share their Internet traffic. The practice is known as peering, and it goes back to the earliest days of the Internet, when organizations would directly connect their networks instead of paying yet another company to route data traffic.

Originally, the companies that owned the backbone of the Internet shared traffic. In recent years, however, the practice has increased to the point where some researchers who study the way global networks are put together believe that peering is changing the fundamental shape of the Internet, with serious consequences for its stability and security. Others see the vast increase in traffic staying within a structure that has remained essentially the same.

What is clear is that today a significant portion of Internet traffic does not flow through the backbone networks of giant Internet companies like AT&T and Level 3. Instead, it has begun to cascade in torrents of data on the edges of the network, as if a river in flood were carving new channels.

Some of this traffic coursing through new channels passes through public peering points like Mr. Pozar's. And some flows through so-called dark networks, private channels created to move information more cheaply and efficiently within a business or any kind of organization. For instance, Google has privately built such a network so that video and search data need not pass through so many points to get to customers.

By its very nature, Internet networking technology is intended to support anarchic growth. Unlike earlier communication networks, the Internet is not controlled from the top down. This stems from an innovation at the heart of the Internet - packet switching. From the start, the information moving around the Internet was broken up into so-called packets that could be sent on different paths to one destination where the original message -
whether it was e-mail, an image or sound file or instructions to another computer - would be put back together in its original form.

This packet-switching technology was conceived in the 1960s in England and the United States. It made delivery of a message through a network possible even if one or many of the nodes of the network failed. Indeed, this resistance to failure or attack was at the very core of the Internet, part of the essential nature of an organic, interconnected communications web with no single control point.

During the 1970s, a method emerged to create a network of networks. The connections depended on a communication protocol, or set of rules, known as TCP/IP, a series of letters familiar to anyone who has tried to set up their own wireless network at home. The global network of networks, the Internet, transformed the world, and continues to grow without central planning, extending itself into every area of life, from Facebook to cyberwar.

Everyone agrees that the shape of the network is changing rapidly, driven by a variety of factors, including content delivery networks that have pushed both data and applications to the edge of the network; the growing popularity of smartphones leading to the emergence of the wireless Internet; and the explosion of streaming video as the Internet's predominant data type.

"When we started releasing data publicly, we measured it in petabytes of traffic," said Doug Webster, a Cisco Systems market executive who is responsible for an annual report by the firm that charts changes in the Internet. "Then a couple of years ago we had to start measuring them in zettabytes, and now we're measuring them in what we call yottabytes."

One petabyte is equivalent to one million gigabytes. A zettabyte is a million petabytes. And a yottabyte is a thousand zettabytes. The company estimates that video will account for 90 percent of all Internet traffic by 2013.
The staggering growth of video is figuring prominently in political and business debates like the one over the principle of network neutrality - that all data types, sites and platforms attached to the network should be treated equally. But networks increasingly treat data types differently. Priority is often given to video or voice traffic.

A study presented last year by Arbor Networks suggesting that traffic flows were moving away from the core of the network touched off a spirited controversy. The study was based on an analysis of two years of Internet traffic data collected by 110 large and geographically diverse cable operators, international transit backbones, regional networks and content providers.

Arbor's Internet Observatory Report concluded that today the majority of Internet traffic by volume flows directly between large content providers like Google and consumer networks like Comcast. It also described what it referred to as the rise of so-called hyper giants - monstrous portals that have become the focal point for much of the network's traffic: "Out of the 40,000 routed end sites in the Internet, 30 large companies - 'hyper giants' like Limelight, Facebook, Google, Microsoft and YouTube - now generate and consume a disproportionate 30 percent of all Internet traffic," the researchers noted.

The changes are not happening just because of the growth of the hyper giants. At the San Francisco data center 365 Main, Mr. Pozar's SFMIX peering location, or fabric, as it is called, now connects just 13 networks and content providers. But elsewhere in the world, huge peering fabrics are beginning to emerge. As a result, the "edge" of the Internet is thickening, and that may be adding resilience to the network.

In Europe in particular, such connection points now route a significant part of the total traffic. AMS-IX is based in Amsterdam, where it is also run as a nonprofit neutral organization composed of 344 members exchanging 775 gigabits of traffic per second.
"The rise of these highly connected data centers around the world is changing our model of the Internet," said Jon M. Kleinberg, a computer scientist and network theorist at Cornell University. However, he added that the rise of giant distributed data centers built by Google, Amazon, Microsoft, IBM and others as part of the development of cloud computing services is increasing the part of the network that constitutes a so-called dark Internet, making it harder for researchers to build a complete model.

All of these changes have sparked a debate about the big picture. What does the Internet look like now? And is it stronger or weaker in terms of its resistance to failure because of random problems or actual attack? Researchers have come up with a dizzying array of models to explain the consequences of the changing shape of the Internet. Some describe the interconnections of the underlying physical wires. Others analyze patterns of data flow. And still others look at abstract connections like Web page links that Google and other search engine companies analyze as part of the search process. Such models are of great interest to social scientists, who can watch how people connect with each other, and entrepreneurs, who can find new ways to profit from the Internet. They are also of increasing interest to government and law enforcement organizations trying to secure the Net and use it as a surveillance tool.

One of the first and most successful attempts to understand the overall shape of the Internet occurred a decade ago, when Albert-László Barabási and colleagues at the University of Notre Dame mapped part of the Internet and discovered what they called a scale-free network: connections were not random; instead, a small number of nodes had far more links than most. They asserted that, in essence, the rich get richer. The more connected a node in a network is, the more likely it is to get new connections.
The consequences of such a model are that although the Internet is resistant to random failure because of its many connections and control points, it could be vulnerable to cyberwarfare or terrorism, because important points -- where the connections are richest -- could be successfully targeted. Dr. Barabási said the evolution of the Internet has only strengthened his original scale-free model. "The Internet as we know it is pretty much vanishing, in the sense that much of the traffic is being routed through lots of new layers and applications, much of it wireless," said Dr. Barabási, a physicist who is now the director of Northeastern University's Center for Network Science. "Much of the traffic is shifting to providers who have large amounts of traffic, and that is exactly the characteristic of a scale-free distribution." In other words, the more the Internet changes, the more it stays the same, in terms of its overall shape, strengths and vulnerabilities.

Other researchers say changes in the Internet have been more fundamental. In 2005, and again last year, Walter Willinger, a mathematician at AT&T Labs, David Alderson, an operations research scientist at the Naval Postgraduate School in Monterey, Calif., and John C. Doyle, an electrical engineer at California Institute of Technology, criticized the scale-free model as an overly narrow interpretation of the nature of modern computer networks. They argued that the mathematical description of a network as a graph of lines and nodes vastly oversimplifies the reality of the Internet. The real-world Internet, they said, is not a simple scale-free model. Instead, they offered an alternate description that they described as an H.O.T. network, or Highly optimized/Organized tolerance/Trade-offs. The Internet is an example of what they called "organized complexity." Their model is meant to represent the trade-offs made by engineers who design networks by connecting computer routers.
In such systems, both economic and technological trade-offs play an important role. The result is a "robust yet fragile" network that they said was far more resilient than the network described by Dr. Barabási and colleagues. For example, they noted that Google has in recent years built its own global cloud of computers that is highly redundant and distributed around the world. This degree of separation means that Google is insulated to some extent from problems of the broader Internet. Dr. Alderson and Dr. Doyle said that another consequence of this private cloud was that even if Google were to fail, it would have little impact on the overall Internet. So, as the data flood has carved many new channels, the Internet has become stronger and more resistant to random failure and attack. The scale-free theorists, Dr. Alderson said, are just not describing the real Internet. "What they're measuring is not the physical network, it's some virtual abstraction that's on top of it," he said. "What does the virtual connectivity tell you about the underlying physical vulnerability? My argument would be that it doesn't tell you anything."
From rforno at infowarrior.org Tue Mar 2 17:41:08 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 2 Mar 2010 12:41:08 -0500 Subject: [Infowarrior] - 60 Percent Of Apps Fail First Security Test Message-ID: <9CBC7B80-539F-437D-A1E2-476D30E3AAB0@infowarrior.org>

State Of Application Security: Nearly 60 Percent Of Apps Fail First Security Test Veracode app-testing data demonstrates that application security still has a ways to go Mar 01, 2010 | 09:00 AM By Kelly Jackson Higgins DarkReading http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml

SAN FRANCISCO -- RSA Conference 2010 -- Even with all of the emphasis on writing software with security in mind, most software applications remain riddled with security holes, according to a new report released today about the actual security quality of all types of software. Around 58 percent of the applications tested by application security testing service provider Veracode in the past year-and-a-half failed to achieve a successful rating in their first round of testing. "The degree of failure to meet acceptable standards on first submission is astounding -- and this is coming from folks who care enough to submit their software to our [application security testing] services," says Roger Oberg, senior vice president of marketing for Veracode. "The implication here is that more than half of all applications are susceptible to the kinds of vulnerabilities we saw at Heartland, Google, DoD, and others -- these were all application-layer attacks." The data for Veracode's State of Software Security Report comes from a combination of static, dynamic, and manual testing of all types of software across multiple programming languages -- everything from non-Web and Web applications to components and shared libraries. Veracode tests commercial, internally developed, open-source, and outsourced applications, all of which were represented in its findings.
And nearly 90 percent of internally developed applications contained vulnerabilities in the SANS Top 25 and OWASP Top 10 lists of most common programming errors and flaws in the first round of tests, Oberg says. So is software getting more or less secure? Hard to say, Veracode says, since this is the first such report, and there's nothing to compare it to. "We don't know if it's getting better or worse, but it's pretty bad," Oberg says. "Despite all of the awareness about breaches ... this awareness doesn't translate into sufficient action. We hope this report is a call to action." Around 60 percent of the software tested by Veracode was internally developed applications; 30 percent, commercial applications; 8 percent, open source; and 2 percent, outsourced. The software was 60 percent Web applications, and 40 percent non-Web, according to Veracode, and came from companies across 15 different industries. Despite the relatively gloomy picture of developers still missing the mark initially on security, there were some bright spots in the report: Open-source software isn't as risky as you'd think, and financial services organizations and government agencies tend to have more secure applications from the get-go; more than half of their apps passed as acceptable in the first submission to testing, according to Veracode's report. "The conventional wisdom is that open source is risky. But open source was no worse than commercial software upon first submission. That's encouraging," Oberg says. And it was the quickest to remediate any flaws: "It took about 30 days to remediate open-source software, and much longer for commercial and internal projects," he says. Meanwhile, financial services firms and government agencies were second-best in terms of remediation: They took anywhere from one to two tries to fix their vulnerabilities. "This is good news. But there's a lot of room for improvement," Oberg says. 
The data showed that third-party software is often a part of internally developed apps -- 30 percent of them were based on third-party apps. The vulnerability with the highest total count was cross-site scripting (XSS), and was the third most prevalent flaw. "There's been intense focus on cross-site scripting, and there are lots of different libraries and utilities available to eliminate it, but it's still extremely prevalent," says Chris Eng, director of security research for Veracode. Eng says it's likely due to a lack of education on how to quell XSS, plus it's not uncommon to find 100 XSS bugs in one application. "Cross-site scripting adds up real quickly," he says. Around 20 percent of the applications carried a SQL injection flaw, and most of those were Web applications. And 44 percent of the apps had one or more cryptographic flaw issue, Eng says. "Crypto issues are not generally well-understood by developers," he says.

From rforno at infowarrior.org Tue Mar 2 17:55:03 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 2 Mar 2010 12:55:03 -0500 Subject: [Infowarrior] - Lessig presentation silenced (again) Message-ID:

Bogus Copyright Claim Silences Yet Another Larry Lessig YouTube Presentation from the not-this-again... dept http://techdirt.com/articles/20100302/0354498358.shtml

Nearly a year ago, we wrote about how a YouTube presentation done by well known law professor (and strong believer in fair use and fixing copyright law), Larry Lessig, had been taken down, because his video, in explaining copyright and fair use and other such things, used a snippet of a Warner Music song to demonstrate a point. There could be no clearer example of fair use -- but the video was still taken down. There was some dispute at the time as to whether or not this was an actual DMCA takedown, or merely YouTube's audio/video fingerprinting technology (which the entertainment industry insists can understand fair use and not block it).
But, in the end, does it really make a difference? A takedown over copyright is a takedown over copyright. Amazingly enough, it appears that almost the exact same thing has happened again. A video of one of Lessig's presentations, that he just posted -- a "chat" he had done for the OpenVideoAlliance a week or so ago, about open culture and fair use, has received notice that it has been silenced. It hasn't been taken down entirely -- but the entire audio track from the 42 minute video is completely gone. All of it. In the comments, some say there's a notification somewhere that the audio has been disabled because of "an audio track that has not been authorized by WMG" (Warner Music Group) -- which would be the same company whose copyright caused the issue a year ago -- but I haven't seen or heard that particular message anywhere. However, Lessig is now required to fill out a counternotice challenging the takedown -- while silencing his video in the meantime: While you can still see the video on YouTube, without the audio, it's pretty much worthless. Thankfully, the actual video is available elsewhere, where you can both hear and see it. But, really, the fact that Lessig has had two separate videos -- both of which clearly are fair use -- neutered due to bogus copyright infringement risks suggests a serious problem. I'm guessing that, once again, this video was likely caught by the fingerprinting, rather than a direct claim by Warner Music. In fact, the issue may be the identical one, as I believe the problem last year was the muppets theme, which very, very briefly appears in this video (again) as an example of fair use in action. But it was Warner Music and others like it that demanded Google put such a fingerprinting tool in place (and such companies are still talking about requiring such tools under the law). And yet, this seems to show just how problematic such rules are. 
Even worse, this highlights just how amazingly problematic things get when you put secondary liability on companies like Google. Under such a regime, Google would of course disable such a video, to avoid its own liability. The idea that Google can easily tell what is infringing and what is not is proven ridiculous when something like this is pulled off-line (or just silenced). When a video about fair use itself is pulled down for a bogus copyright infringement, it proves the point. The unintended consequences of asking tool providers to judge what is and what is not copyright infringement lead to tremendous problems with companies shooting first and asking questions later. They are silencing speech, on the threat that it might infringe on copyright. This is backwards. We live in a country that is supposed to cherish free speech, not stifle it in case it harms the business model of a company. We live in a country that is supposed to encourage the free expression of ideas -- not lock it up and take it down because one company doesn't know how to adapt its business model. We should never be silencing videos because they might infringe on copyright. Situations like this demonstrate the dangerous unintended consequences of secondary liability. At least with Lessig, you have someone who knows what happened, and knows how to file a counternotice -- though, who knows how long it will take for this situation to be corrected. But for many, many, many other people, they are simply silenced. Silenced because of industry efforts to turn copyright law into something it was never intended to be: a tool to silence the wider audience in favor of a few large companies. The system is broken. When even the calls to fix the system are silenced by copyright claims, isn't it time that we fixed the system? 
From rforno at infowarrior.org Tue Mar 2 18:03:24 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 2 Mar 2010 13:03:24 -0500 Subject: [Infowarrior] - Window Snyder joins Apple Message-ID: <4B141D44-2536-42B4-9A9C-ED198CD2BE5F@infowarrior.org>

(there's a great name joke in there somewhere.....lol -rf)

Woman called Window joins Apple By John Leyden http://www.theregister.co.uk/2010/03/02/ex_mozilla_security_chief_joins_apple/ Posted in Security, 2nd March 2010 17:04 GMT

Ex-Mozilla security boss Window Snyder has joined Apple. Snyder, who worked at Mozilla between 2006 and 2008, and is credited with making Firefox's security response more professional, joins Apple after a spell in consulting. Prior to joining Mozilla, Snyder worked at Microsoft where she acted as security lead on Microsoft Windows XP Service Pack 2 and Windows Server 2003 and at security consultancy @stake. Snyder started work with Apple on Monday as senior security product manager, IDG reports. Apple has a reputation, mostly deserved, of not playing well with security researchers who discover flaws in its technology. Snyder has a proven track record of building bridges, so her recruitment has already been welcomed as a positive step towards detente. While at Mozilla, Snyder called on Apple to be more open about how it handles security bugs.

From rforno at infowarrior.org Tue Mar 2 19:37:44 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 2 Mar 2010 14:37:44 -0500 Subject: [Infowarrior] - Video: Woman Calls Tech Show When Her Stolen Wi-Fi Disappears Message-ID: <3B108441-3667-46A4-938B-E0EC3E14A9BC@infowarrior.org>

(Sorry, this is *too* funny not to pass along!! --rick)

Clueless Woman Calls Tech Show When Her Stolen Wi-Fi Disappears http://mashable.com/2010/02/22/stolen-wifi-confusion/

Yeah, everyone has stolen Wi-Fi at one point or another, but not everyone has called into a tech show in order to complain about the fact that someone put the kibosh on said stealing.
Meet Jennifer, she had been unwittingly yoinking Wi-Fi for more than a year and a half when the gravy train ran out, after which she called into Leo Laporte's Tech Guy radio show in a state of utter confusion. After hitting YouTube this weekend -- the show aired on Saturday -- the video depicting Laporte interviewing the confused woman has gone viral, racking up 122,661 views at the time of this post. Maybe it's Jennifer's innocent confusion ("Yeah, well they should bring that cost down"), maybe it's Laporte's gentle/yet amused explanation that she was, in fact, putting her Internet privacy at risk while simultaneously breaking the law ("So you have -- silly question, but I'm gonna ask it anyway -- you have a wireless access point to begin with?"), but something about this vid is striking a chord with Internet denizens. http://mashable.com/2010/02/22/stolen-wifi-confusion/

From rforno at infowarrior.org Tue Mar 2 21:46:36 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 2 Mar 2010 16:46:36 -0500 Subject: [Infowarrior] - WH releases more CNCI information Message-ID: <975D64F1-DED8-4882-A94B-0FB45FA7B234@infowarrior.org>

The Comprehensive National Cybersecurity Initiative http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative PDF @ http://www.whitehouse.gov/sites/default/files/Cybersecurity.pdf

From rforno at infowarrior.org Wed Mar 3 00:38:54 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 2 Mar 2010 19:38:54 -0500 Subject: [Infowarrior] - MS' Charney suggests 'Net tax for AV Message-ID:

(Hey Scott....here's a better idea; rather than tax everyone, including those of us who don't use your company's products, why not figure out how to ensure your bloated, buggy, and insecure products are less susceptible to such things to begin with? Just a thought....but in terms of public safety in cyberspace, for *years* Microsoft has been Public Enemy #2 behind the government.
-rf)

Microsoft's Charney suggests 'Net tax to clean computers The company recently used the U.S. court system to shut down the Waledac botnet by Robert McMillan http://www.itworld.com/software/98522/microsofts-charney-suggests-net-tax-clean-computers March 2, 2010, 02:41 PM -- IDG News Service --

How will we ever get a leg up on hackers who are infecting computers worldwide? Microsoft's security chief laid out several suggestions Tuesday, including a possible Internet usage tax to pay for the inspection and quarantine of machines. Today most hacked PCs run Microsoft's Windows operating system, and the company has invested millions in trying to fight the problem. Microsoft recently used the U.S. court system to shut down the Waledac botnet, introducing a new tactic in the battle against hackers. Speaking at the RSA security conference in San Francisco, Microsoft Corporate Vice President for Trustworthy Computing Scott Charney said that the technology industry needs to think about more "social solutions." That means fighting the bad guys at several levels, he said. "Just like we do defense in depth in IT, we have to do defense in depth in [hacking] response." "I actually think the health care model ... might be an interesting way to think about the problem," Charney said. With medical diseases, there are education programs, but there are also social programs to inspect people and quarantine the sick. This model could work to fight computer viruses too, he said. When a computer user allows malware to run on his computer, "you're not just accepting it for yourself, you're contaminating everyone around you," he said. The idea that Internet service providers might somehow step up in the fight against malware is not new. The problem, however, is cost. Customer calls already eat into service provider profits. Adding quarantine and malware-fixing costs to that would be prohibitive, said Danny McPherson, chief research officer with Arbor Networks, via instant message.
"They have no incentive to do anything today." So who would foot the bill? "Maybe markets will make it work," Charney said. But an Internet usage tax might be the way to go. "You could say it's a public safety issue and do it with general taxation," he said. According to Microsoft, there are 3.8 million infected botnet computers worldwide, 1 million of which are in the U.S. They are used to steal sensitive information and send spam, and were a launching point for 190,000 distributed denial-of-service attacks in 2008. IDG News Service

From rforno at infowarrior.org Wed Mar 3 12:44:00 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 3 Mar 2010 07:44:00 -0500 Subject: [Infowarrior] - DoD Requires Hacker Certification Message-ID: <6D909435-7EAC-4BC5-88F5-B9D9ECD78D17@infowarrior.org>

(I'll withhold comment on requiring a cert as a valid 'baseline' of competency as an infosec professional. -rf)

DoD Requires Hacker Certification http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=223101209 The Department of Defense mandate solidifies the practice of ethical hacking within its ranks of security pros. By Elizabeth Montalbano InformationWeek March 2, 2010 01:31 PM

Official government cyber defenders are now required to have the skills of a hacker according to a mandatory certification approved this week by the Department of Defense. The DoD now requires its computer network defenders (CNDs) to pass the Certified Ethical Hacker certification program from the International Council of E-Commerce Consultants (EC-Council) to fulfill baseline skills. CNDs -- who are part of the DoD's information assurance workforce -- protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks.
Assistant Secretary of Defense John Grimes officially instated the Certified Ethical Hacker requirement in late February under DoD Directive 8570, which provides guidance for how DoD information workers should be trained and managed. The move is significant because it solidifies the practice of ethical hacking -- also known as penetration testing -- in mainstream IT practices, said Jay Bavisi, co-founder and president of EC-Council. The council is a vendor-neutral organization that certifies IT professionals in security-related skills. "Now hacking is no longer a bad word in mainstream IT community," he said, adding that ethical hacking is not exactly what people think of when they hear that word anyway. "What we are doing is not hacking -- we are seeking permission from the owners of the network to beat the hackers at their own game," Bavisi said. In fact, the tag line for the EC-Council's Certified Ethical Hacker educational program is: "To beat a hacker, you must think like one." IBM coined the term "ethical hacking" in the 1960s to define a way for IT security researchers to emulate the work of hackers so they can better defend networks, Bavisi said. Ironically, though ethical hacking was first adopted in covert practices by the U.S. military, in the last decade or so it has become a common practice among Fortune 500 companies to employ ethical hackers to defend networks, he added. The practice seems to have come full circle with the DoD directive, which Bavisi said the department took three years to approve. "We were put through a lot of hoops before the DoD accepted us," he said. "It was a very well-thought, very well-planned, researched movement."
From rforno at infowarrior.org Wed Mar 3 14:03:04 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 3 Mar 2010 09:03:04 -0500 Subject: [Infowarrior] - Pirate Bay Buyer Offered Millions to Mininova Message-ID: <248DD407-42B1-4240-8C9F-604BA3766E3A@infowarrior.org>

Pirate Bay Buyer Offered Millions to Mininova Written by Ernesto on March 03, 2010 http://torrentfreak.com/pirate-bay-buyer-offered-millions-to-mininova-100303/

Global Gaming Factory's planned acquisition of The Pirate Bay last summer surprised BitTorrent's friends and foes alike. But The Pirate Bay was not the only site the company was after. It also put in a massive 20 million euro offer for fellow BitTorrent site Mininova. When GGF announced that it would take over The Pirate Bay, the company bombarded the press with optimistic plans which indicated the site would become the largest online media store. The attention later shifted to the troublesome financial position of its CEO, but all along the company had confidence in its plans for the new and "legal" Pirate Bay. This fall, however, it all turned out too good to be true. After GGF's shareholders agreed to acquire the world's largest BitTorrent tracker, the company had a month to come up with the proposed $7.8m (SEK 60 million). What followed was mostly silence and the deadline passed without an official response from the company. From the moment it was announced the planned Pirate Bay acquisition had been surrounded by controversy. However, behind the scenes GGF CEO Hans Pandeya was drafting an even bigger deal with BitTorrent's number one indexer at the time -- Mininova. "We will try to buy as many torrent sites as possible," Pandeya told TorrentFreak back in August. In common with their plans for The Pirate Bay, GGF hoped to turn these sites into large media stores where users could download content with the full permission of copyright holders. Little information has been made public about the "other"
sites Pandeya was aiming at and how serious this interest was. Unlike all the other plans and deals that leaked out previously, no other torrent site has been publicly connected to GGF, until today where Pandeya's connection to Mininova was exposed. TorrentFreak has learned that GGF and Mininova already finalized a contract last summer to sell the torrent index for no less than 20 million Euros. This deal and the amount have been confirmed by several independent sources close to Mininova and GGF. One of the sources who confirmed the Mininova buyout plans was Hans Pandeya himself. One of our sources further said that the deal had already been signed off by Mininova, and that GGF would wait for the verdict in Mininova's appeal with the Dutch anti-piracy outfit BREIN. This verdict was due one day before the GGF shareholders were set to give the green light on the Pirate Bay deal. A positive outcome for Mininova in that case would have certainly made the site a valuable asset, but as we now know Mininova lost in court and was forced to proactively filter titles and remove a great number of infringing, and indeed non-infringing torrents to ensure absolute compliance. Sources from within Mininova have confirmed the existence of the 20 million euro acquisition offer but denied that the contract was already signed. Instead, Mininova would have liked to see some proof that GGF could pay the proposed sum before signing. Although there seems to be some disagreement on the details, there is no doubt that GGF had set course to get the two major BitTorrent sites in possession. In fact, Mininova was brought in during licensing negotiations with several senior executives at one of the major record labels. During a meeting with the label in London, Pandeya was assisted by his short-lived business partner Wayne Rosso.
In the meeting the executives were asking for some traffic metrics and out of the blue and to the surprise of Rosso, Pandeya picked up his mobile phone and rang a Dutch number, claiming that it was a "company of his" close to Amsterdam that could provide some insight into the traffic question. The person on the other end of the line provided some information to the label execs and plans were made to head over to The Netherlands to do some due diligence. When Rosso later asked Pandeya about this mysterious Dutch company Pandeya revealed that it was in fact Mininova. "It's Mininova. I'm going to buy Mininova too and eliminate all the competition," Pandeya told Rosso explaining the Dutch connection. At the time of this meeting the contract was already drafted but not signed by both parties. If it would have gone through GGF would have had the option to buy out the two largest BitTorrent sites online. Of course we now know that the deal didn't go through. GGF didn't have the money and Mininova might not have been worth it after the negative verdict in their case against BREIN. In the months that followed Mininova removed over a million torrent files making it a less lucrative asset for Pandeya. On the other hand it also shows that a torrent site with only "authorized" content will quickly lose most of its regular visitors. Despite this knowledge and all the failed attempts to pull investors in, Pandeya said a few days ago that we haven't seen the last of him yet. "I have a lot of secret plans I'm working on," he warned.
From rforno at infowarrior.org Wed Mar 3 14:20:36 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 3 Mar 2010 09:20:36 -0500 Subject: [Infowarrior] - Spain busts global "botnet" masterminds Message-ID: <3462070D-F29B-4168-9488-42915D729018@infowarrior.org>

Spain busts global "botnet" masterminds Jim Finkle BOSTON Wed Mar 3, 2010 7:40am EST http://www.reuters.com/article/idUSTRE6214ST20100303

BOSTON (Reuters) - Spanish police have arrested three men accused of masterminding one of the biggest computer crimes to date -- infecting more than 13 million PCs with a virus that stole credit card numbers and other data. The men were suspected of running the Mariposa botnet, named after the Spanish word for butterfly, Spain's Civil Guard said on Tuesday. A press conference to give more details is scheduled for Wednesday. Mariposa had infected machines in 190 countries in homes, government agencies, schools, more than half of the world's 1,000 largest companies and at least 40 big financial institutions, according to two Internet security firms that helped Spanish officials crack the ring. "It was so nasty, we thought 'We have to turn this off. We have to cut off the head,'" said Chris Davis, CEO of Defense Intelligence Inc, which discovered the virus last year. The security firms -- Defense Intelligence Inc. of Canada and Panda Security S.L. of Spain -- did not say how much money the hackers had stolen from their victims before the ring was shut down on December 23. Security experts said the cost of removing the malicious program from 13 million machines could run into tens of millions of dollars. Mariposa was programmed to secretly take control of infected machines, recruiting them as "slaves" in an army known as a "botnet." It would steal login credentials and record every key stroke on an infected computer and send the data to a "command and control center," where the ringleaders stored it.
"Basically they were going after anything that would make them money," Davis said. Mariposa initially spread by exploiting a vulnerability in Microsoft Corp's Internet Explorer Web browser. It also contaminated machines by infecting USB memory sticks and by sending out tainted links using Microsoft's MSN instant messaging software, he said. A Microsoft spokeswoman said the company did not immediately have any comment. The suspected ringleader, nicknamed "Netkairo" and "hamlet1917," was arrested last month, as were two alleged partners, "Ostiator" and "Johnyloleante," according to Panda Security. Panda Security Senior Research Advisor Pedro Bustamante said that one of the three was caught with 800,000 personal credentials when Spanish police arrested him. In addition to collecting data, the three men rented out millions of enslaved machines to other hackers, according to Bustamante. The Mariposa botnet is one of many such networks, the bulk of which are controlled by syndicates that authorities believe are based in eastern Europe, southeast Asia, China and Latin America. While authorities sometimes succeed in shutting them down, they rarely catch the criminals behind the networks. "Mariposa's the biggest ever to be shut down, but this is only the tip of the iceberg. These things come up constantly," said Mark Rasch, former head of the U.S. Department of Justice computer crimes unit. He said he suspects there were more than three people behind Mariposa, and that any ringleaders who were not arrested could soon put the network back online. (Reporting by Jim Finkle, additional reporting by Madrid newsroom. Editing by Robert MacMillan) From rforno at infowarrior.org Wed Mar 3 14:23:56 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 3 Mar 2010 09:23:56 -0500 Subject: [Infowarrior] - JFK: A 5 y/o directed air traffic! Message-ID: <755750EB-6D32-4D92-84FA-18BA0C05B84C@infowarrior.org> Incredible. 
-rf

JFK tower allowed a kid to direct air traffic
FAA opens probe; child, apparently with supervision, made 5 transmissions
http://today.msnbc.msn.com/id/35683779/ns/travel-news/

NEW YORK - Air-traffic control tower employees at New York's Kennedy Airport are under federal investigation for apparently allowing a school-age child to direct pilots.

The FAA said the child was brought to the tower by its parent, a controller, on Feb. 17. The controller and the controller's supervisor at the time have been relieved of their duties.

"Pending the outcome of our investigation the employees involved in this incident are not controlling traffic," the FAA said in a statement. "This behavior is not acceptable and does not demonstrate the kind of professionalism expected from all FAA employees."

The youngster, apparently under adult supervision, makes five transmissions on a tape obtained by Channel 26 in Boston and confirmed as genuine by the FAA. The agency did not give any information as to the age of the child.

In a statement Wednesday, the National Air Traffic Controllers Association condemned the incident.

"We do not condone this type of behavior in any way," ATC's Director of Communication Doug Church said. "It is not indicative of the highest professional standards that controllers set for themselves and exceed each and every day in the advancement of aviation safety."

Directing JetBlue flight

According to reports, the clip indicated the child cleared traffic over the course of five radio transmissions. According to the recordings, one exchange went like this:

JFK TOWER: JetBlue 171 contact departure.

PILOT: Over to departure JetBlue 171, awesome job.

A male voice then laughs.

JFK TOWER: That's what you get, guys, when the kids are out of school.

In another exchange, the kid is playful with a pilot from Aeromexico flight 403, adding "Adios amigos," to his directions for the pilot.
From rforno at infowarrior.org Wed Mar 3 14:51:05 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 3 Mar 2010 09:51:05 -0500
Subject: [Infowarrior] - Why DRM doesn't work
Message-ID: <762E808F-2795-4D3B-8359-B3F0FA4E99B8@infowarrior.org>

This brilliant cartoon pretty much sums it all up.

http://www.bradcolbow.com/archive.php/?p=205

From rforno at infowarrior.org Wed Mar 3 22:28:43 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 3 Mar 2010 17:28:43 -0500
Subject: [Infowarrior] - Use Google as Web Proxy
Message-ID:

Create your own Proxy Server with Google App Engine
http://www.labnol.org/internet/setup-proxy-server/12890/

From rforno at infowarrior.org Wed Mar 3 22:37:21 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 3 Mar 2010 17:37:21 -0500
Subject: [Infowarrior] - EFF: Twelve Years under the DMCA
Message-ID: <9E4F2E2F-E292-4BD7-A0C0-549C4C011DB4@infowarrior.org>

Unintended Consequences: Twelve Years under the DMCA

This document collects reported cases where the anti-circumvention provisions of the DMCA have been invoked not against pirates, but against consumers, scientists, and legitimate competitors. It will be updated from time to time as additional cases come to light. Previous versions remain available.

http://www.eff.org/wp/unintended-consequences-under-dmca

From rforno at infowarrior.org Thu Mar 4 11:59:46 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 4 Mar 2010 06:59:46 -0500
Subject: [Infowarrior] - RSA 'news': here we go again ...
Message-ID: <23014859-7D14-4538-90ED-FF6BDC6C729C@infowarrior.org>

Talk about a blast from the past! This article could be ripped from FCW's archives with only the dates and names changed .... I mean, didn't we hear industry and gov folks say the same thing in 1997, 2000, 2003, 2005, 2007 and 2009 about critical infrastructure protection, Y2K, homeland security, etc?
Heck, the Nation even has a "National Strategy for Information Sharing" issued by the White House. Lot of good that's done, too.

Yet after 15 years or so we're *still* talking about the same problems and obstacles to overcome involved with both information-sharing and infosec in general, in both human and technical terms.

...but that's okay, we can always levy a Charney-charge[1] on everyone to help subsidize the industry instead. This is the decade of bailing folks out, isn't it?

Same stuff, different year. And folks wonder why I am so damn cynical about this industry.

-rf

[1] http://blog.seattlepi.com/microsoft/archives/196494.asp

Nation's cybersecurity suffers from a lack of information sharing
Despite progress, public and private sectors still don't trust each other, panelists say
By William Jackson, Mar 03, 2010
http://fcw.com/articles/2010/03/03/cybersecurity-policy.aspx

SAN FRANCISCO -- The lack of trust between the public and private sectors continues to inhibit the sharing of information needed for the nation to effectively defend against rapidly evolving cyberthreats, a panel of industry experts and former government officials said Tuesday.

"We need to have more transparency in the public-private partnership," said Melissa Hathaway, former White House advisor who conducted last year's comprehensive review of government cybersecurity. "The trust does not exist between the two parties."

Hathaway, who now runs her own cybersecurity consulting firm, said during a panel discussion at the RSA Security Conference that a "safe space" overseen by a trusted third party is needed to facilitate sharing.

William Crowell, former National Security Agency deputy director, said that it should be possible to share information without identifying the source, to make the parties feel more secure about providing it. "We need to be able to abstract the information we are going to share," he said. "That's our best approach in the long run."
The lack of sharing creates a lack of wide visibility into threats, the panelists agreed. While cybercriminals and other evil-doers are collaborative and quick to take advantage of vulnerabilities, cyberdefense is hobbled by a fragmented response that includes too little cooperation.

"In order to respond to the threats we have to change the pace of the game on our side," Crowell said. "The pace of our responses are not operating in Internet time."

In most cases, companies that openly share information about attacks on their systems face the possibility of monetary loss. The private sector has little motivation to contribute to cybersecurity beyond its own immediate interests, said Greg Oslan, chief executive officer of Narus. "We have to look at it as an end-to-end solution," he said.

He proposed a model based on that of the airline industry, which has a global framework of laws and regulations ensuring the safety and security of the industry, brokered by governments, adopted by industry and accepted by the public.

Cisco Chief Security Officer John Stewart faulted his own industry for the poor state of cybersecurity. "We have succeeded in making the security industry so complex that the people who need it the most -- the public -- cannot use it," Stewart said. Exploiting vulnerabilities is simple, he said, but simplifying security is difficult, and industry has not yet succeeded in doing this.

There was general agreement among the panelists that the president's emphasis on cybersecurity as a national security issue is a first step toward improving the situation. "But that's not enough," Crowell said. It has to be followed up with a structure within the White House that can continually drive execution of policies at the technical, legal and international relations levels. Even then the problems never will be completely solved, he said.

"Have we ever solved any criminal problem? No. We're never going to solve the cyber problem, either. But we can limit it."
From rforno at infowarrior.org Thu Mar 4 13:21:38 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 4 Mar 2010 08:21:38 -0500
Subject: [Infowarrior] - Feds weigh expansion of Internet monitoring
Message-ID: <1B8C726A-77BC-44E6-8666-F482A16A5E18@infowarrior.org>

March 4, 2010 4:00 AM PST
Feds weigh expansion of Internet monitoring
by Declan McCullagh
http://news.cnet.com/8301-13578_3-10463665-38.html?part=rss&tag=feed&subj=News-PoliticsandLaw

SAN FRANCISCO--Homeland Security and the National Security Agency may be taking a closer look at Internet communications in the future.

The Department of Homeland Security's top cybersecurity official told CNET on Wednesday that the department may eventually extend its Einstein technology, which is designed to detect and prevent electronic attacks, to networks operated by the private sector. The technology was created for federal networks.

Greg Schaffer, assistant secretary for cybersecurity and communications, said in an interview that the department is evaluating whether Einstein "makes sense for expansion to critical infrastructure spaces" over time.

Not much is known about how Einstein works, and the House Intelligence Committee once charged that descriptions were overly "vague" because of "excessive classification." The White House did confirm this week that the latest version, called Einstein 3, involves attempting to thwart in-progress cyberattacks by sharing information with the National Security Agency.

Greater federal involvement in privately operated networks may spark privacy or surveillance concerns, not least because of the NSA's central involvement in the Bush administration's warrantless wiretapping scandal. Earlier reports have said that Einstein 3 has the ability to read the content of emails and other messages, and that AT&T has been asked to test the system. (The Obama administration says the "contents" of communications are not shared with the NSA.)
"I don't think you have to be Big Brother in order to provide a level of protection either for federal government systems or otherwise," Schaffer said. "As a practical matter, you're looking at data that's relevant to malicious activity, and that's the data that you're focused on. It's not necessary to go into a space where someone will say you're acting like Big Brother. It can be done without crossing over into a space that's problematic from a privacy perspective."

If Einstein 3 does perform as well as Homeland Security hopes, it could help less-prepared companies fend off cyberattacks, including worms sent through e-mail, phishing attempts, and even denial of service attacks.

On the other hand, civil libertarians are sure to raise questions about privacy, access, and how Einstein could be used in the future. If it can perform deep packet inspection to prevent botnets from accessing certain Web pages, for instance, could it also be used to prevent a human from accessing illegal pornography, copyright-infringing music, or offshore gambling sites?

"It's one thing for the government to monitor its own systems for malicious code and intrusions," said Greg Nojeim, senior counsel at the Center for Democracy and Technology. "It's quite another for the government to monitor private networks for those intrusions. We'd be concerned about any notion that a governmental monitoring system like Einstein would be extended to private networks."

AT&T did not respond to a request for comment on Wednesday.

At the RSA Conference here on Wednesday, Homeland Security Secretary Janet Napolitano stressed the need for more cooperation between the government and the private sector on cybersecurity, saying that "we need to have a system that works together."

During a House appropriations hearing on February 26, Napolitano refused to discuss Einstein 3 unless the hearing were closed to the public.
"I don't want to comment publicly on Einstein 3, per se, here in an unclassified setting," she said. "What I would suggest, perhaps, is a classified briefing for members of the subcommittee who are interested."

Some privacy concerns about Einstein have popped up before. An American Bar Association panel said this about Einstein 3 in a September 2009 report: "Because government communications are commingled with the private communications of non-governmental actors who use the same system, great caution will be necessary to insure that privacy and civil liberties concerns are adequately considered."

Jacob Appelbaum, a security researcher and programmer for the Tor anonymity project, said that expanding Einstein 3 to the private sector would amount to a partial outsourcing of security.

"It's clearly a win for people without the security know-how to protect their own networks," Appelbaum said. "It's also a clear loss of control. And anyone with access to that monitoring system, legitimate or otherwise, would be able to monitor amazing amounts of traffic."

Einstein grew out of a still-classified executive order, called National Security Presidential Directive 54, that President Bush signed in 2008. While little information is available, former Homeland Security Secretary Michael Chertoff once likened it to a new "Manhattan Project," and the Washington Post reported that the accompanying cybersecurity initiative represented the "single largest request for funds" in last year's classified intelligence budget. The Electronic Privacy Information Center has filed a lawsuit (PDF) to obtain the text of the order.

Homeland Security has published (PDF) a privacy impact assessment for a less capable system called Einstein 2--which aimed to do intrusion detection and not prevention--but has not done so for Einstein 3. The department did, however, prepare a general set of guidelines (PDF) for privacy and civil liberties in June 2009.
In addition, the Bush Justice Department wrote a memo (PDF) saying Einstein 2 "complies with" the U.S. Constitution and federal wiretap laws.

That justification for Einstein 2 "turned on the consent of employees in the government that are being communicated with, and on the notion that a person who communicates with the government can't then complain that the government read the communication," said CDT's Nojeim. "How does that legal justification work should Einstein be extended to the private sector?"

Declan McCullagh is a contributor to CNET News and a correspondent for CBSNews.com who has covered the intersection of politics and technology for over a decade. Declan writes a regular feature called Taking Liberties, focused on individual and economic rights; you can bookmark his CBS News Taking Liberties site, or subscribe to the RSS feed. You can e-mail Declan at declan at cbsnews.com.

From rforno at infowarrior.org Thu Mar 4 14:18:49 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 4 Mar 2010 09:18:49 -0500
Subject: [Infowarrior] - U.S. will determine who can board some Canadian flights
Message-ID:

http://www.montrealgazette.com/news/gets+which+Canadians/2639893/story.html

U.S. will determine who can board some Canadian flights
By Kevin Dougherty, Montreal Gazette
March 4, 2010

QUEBEC -- Starting in December, some passengers on Canadian airlines flying to, from or even over the United States, without ever landing there, will only be allowed to board the aircraft once the U.S. Department of Homeland Security has determined they are not terrorists.

Secure Flight, the newest weapon in the U.S. war on terrorism, gives the United States unprecedented power over who can board planes that fly over U.S. airspace.

Secure Flight applies to flights to, from or over the United States, from Canada to another country. Flights between two Canadian cities, that travel over U.S.
airspace, are excluded, but about 80 per cent of Canadian flights to the Caribbean and other southern points and to Europe fly over the U.S.

The program, which is set to take effect globally in December 2010, was created as part of the Intelligence Reform and Terrorism Prevention Act, adopted by U.S. Congress in 2004.

Parliament never adopted or even discussed the Secure Flight program -- even though Secure Flight transfers the authority of screening passengers, and their personal information, from domestic airlines to the U.S. Department of Homeland Security.

When asked about the program, Transport Canada, the federal department in charge of Canadian airlines, deferred to Public Safety Canada.

After refusing to comment on Secure Flight or the federal government's position on the U.S. program, David Charbonneau, a Public Safety Canada spokesman, said "Canada works in partnership with the United States, as well as with other allies on aviation safety and security.

"Canada's approach will continue to balance the privacy rights of travellers with the need to keep the public safe from terrorist and other threats to the air transportation system."

Dimitri Soudas, a spokesman for Prime Minister Stephen Harper, referred all questions on the Secure Flight program back to the office of Transport Minister John Baird, who oversees Transport Canada.

The European Parliament, on the other hand, has consistently voiced objections to the Secure Flight plan.

Canadian airlines already check their flight manifests against the U.S. no-fly list, which is compiled by the FBI and distributed to airlines around the world. It contains the names of about 16,000 people the U.S. government says are suspected of terrorism. The names and why they are on the list are not disclosed for reasons of "national security."

The U.S. Transportation Security Administration says Secure Flight will reduce the number of false positives -- people with the same name as someone on the no-fly list --
who now are stopped at airports.

Under Secure Flight, the TSA, a branch of Homeland Security, will have access to all U.S. government databases.

As part of Secure Flight, Canadian airlines will transfer personal information of travellers to Homeland Security, preferably 72 hours before takeoff.

Then, the TSA will use Infoglide, a package of 50 "identity resolution" algorithms and such complex mathematical formulas as search engines to extract and aggregate information from several sources, to check passenger identities.

"If necessary, the TSA analyst will check other classified and unclassified governmental terrorist, law enforcement, and intelligence databases -- including databases maintained by the Department of Homeland Security, Department of Defence, National Counter Terrorism Centre, and Federal Bureau of Investigation," notes Secure Flight Final Rule, the U.S. government document that defines the program.

The General Accounting Office, a U.S. institution similar to Canada's auditor general, is concerned this sweeping check could cause new problems.

"More individuals could be misidentified, law enforcement would be put in the position of detaining more individuals until their identities could be resolved, and administrative costs could increase, without knowing what measurable increase in security is achieved," the GAO said in a January presentation to the U.S. House of Representatives committee on Homeland Security.

Andrea McCauley, a Homeland Security spokeswoman in Washington, D.C., said the TSA is confident there will be fewer false positive results, branding innocent travellers as potential terrorists, than under the current no-fly list system.

"We have designed this program to ask for the minimum amount of personal information necessary," she said.

If the search of U.S.
databases, which will also contain data collected in Canada such as police records, turns up "no match" between a passenger and the watchlist, Homeland Security will inform the airline it can issue a boarding pass.

Personal information will be purged from the system after seven days, McCauley said.

"If you are a potential match, it would be retained for seven years," she said, explaining that "a potential match is someone who has been determined not to be an exact match but has the potential to match some of the data elements."

If the search returns a positive match, personal information will be kept by Secure Flight for 99 years.

Copyright (c) Canwest News Service

From rforno at infowarrior.org Thu Mar 4 18:13:53 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 4 Mar 2010 13:13:53 -0500
Subject: [Infowarrior] - more on...Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley
References: <20100304160739.GA11092@gsp.org>
Message-ID:

Begin forwarded message:

> From: Rich Kulawiec
> Date: March 4, 2010 11:07:39 AM EST
> To: David Farber
> Cc: Richard Forno
>
> This pitch neatly overlooks something very important, I think.
>
> We have a plethora of Internet security problems, and any reader of
> Dave Farber's IP or Richard Forno's Infowarrior list or Bruce Schneier's
> blog or Marcus Ranum's essays &etc. could enumerate many of them.
>
> However, the biggest problem we have, the one that dwarfs all others
> in terms of scale, scope, difficulty, etc. isn't really an Internet
> problem per se: it's a Microsoft Windows problem.
>
> The zombie/bot problem has been epidemic for the better part of a
> decade, and continues to monotonically increase in size.
> It started with malware like Sobig:
>
> Sobig.a and the Spam You Received Today
> http://www.secureworks.com/research/threats/sobig
>
> Sobig.e - Evolution of the Worm
> http://www.secureworks.com/research/threats/sobig-e/
>
> Sobig.f Examined
> http://www.secureworks.com/research/threats/sobig-f
>
> and then escalated as The Bad Guys developed ever-better code that
> (a) took over Windows systems and (b) provided the command-and-control
> necessary to organize them into botnets. They've gotten really good
> at this.
>
> "How many systems?" remains an open question, but it's clearly somewhere
> above 100 million. (Which is the consensus estimate that some of us who
> work in the anti-spam arena came up with several years ago.) Other estimates
> have been tossed out as well: 250M, 140M, etc. Nobody knows for sure because
> the answer is unknowable -- a botnet member isn't visible until it does
> something bot-like to something that's listening for it -- but we can
> come up with reasonable lower bounds based on years of observations.
>
> "How many botnets, and how large?" is another open question whose best
> current answers are probably "many" and "millions to tens of millions".
> For a recent example:
>
> Mariposa Botnet beheaded
> http://hosted.ap.org/dynamic/stories/U/US_TEC_BOTNET_BUSTED?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2010-03-02-14-26-32
>
> This article says "as many as 12.7 million poisoned PCs" but does not
> elaborate how that number was arrived at. (But suppose it's a 400%
> overestimate: that's still a sizable botnet. And suppose it's a 400%
> underestimate: yipes.)
>
> Before anyone celebrates too much at this news: the takeaway from this
> article is that the C&C structure has been taken down...which means that
> there are now putatively 12.7 million pre-compromised systems out there
> waiting for the first person(s) who can conscript them into *their* botnet.
> (Any bets on how long that'll take?
> I've got a dollar that says "it's already history".)
>
> "What are they running?" is one of the few questions that we have a
> decent answer to, and the answer is "Windows". We can use passive
> OS fingerprinting and other techniques to identify the likely OS on
> each zombie/bot that we see, and while we do from time to time see
> some that classify as "unknown" or "indeterminate" or "something
> other than Windows", they're quite rare. The numbers I've got from
> several years of doing this boil down to "a handful per million might
> not be Windows or might be Windows-behind-something-else".
>
> So here's the executive summary: there are something in excess of 100M
> systems out there which no longer belong, in any real sense, to the
> people who think they own them. They are the playthings of the people
> running botnets, who have full access to every scrap of data on them,
> every set of credentials stored or used on them, and can do *anything*
> they want with them. All but a negligible number of them are running
> Windows. All the band-aids -- patching, AV, etc. -- aren't working.
> They're ubiquitous: desktops, laptops, cellphones, and servers across
> commercial, ISP, academic, and government environments.
>
> And there are more every day.
>
> All of this has a tremendous ripple effect on everything else we're
> working on: anti-spam, anti-phishing, DoS attacks, identity theft,
> anti-forgery, data loss, MitM attacks, DNS forgery, etc.
>
> And while we occasionally see Microsoft doing something minor
> about it, e.g.:
>
> Court order helps Microsoft tear down Waledac botnet
> http://www.networkworld.com/news/2010/022510-court-order-helps-microsoft-tear.html
>
> these actions are clearly calculated to generate positive PR for
> Microsoft, not to seriously address the problem. (Note that all this
> did, like the bust above, was attempt to cut out the C&C network. It does
> nothing to remediate the "hundreds of thousands of infected machines".)
>
> This isn't just a security problem, it's THE security problem.
> And Microsoft owns it -- lock, stock and barrel.
>
> Now here's an interesting exercise: go try to find a statement made by
> anyone at Microsoft in which they acknowledge this: that is, in which
> they provide a realistic assessment of the scale of the problem, take
> corporate responsibility for it, and explain what they're going to do
> to clean up their mess.
>
> Scott Charney didn't do that, as far as I can tell. He didn't talk
> about the 100M bots out there or how they're almost all running his
> company's operating system or how much this is costing us in anti-spam,
> anti-bruteforce, anti-DDoS, anti-whatever measures *even if we don't run
> Windows in our operations*. He didn't even come anywhere close to this.
> He just lumped all systems together, as if this was a systemic problem,
> not one almost entirely confined to Windows.
>
> And neither, as far as I can tell, has anyone else at Microsoft. They
> don't even want to be in the same room with this issue because even
> for a company with their enormous financial and personnel resources,
> it's a staggering task (with an equally-staggering cost) to contemplate.
>
> And as long as everyone buys into the Microsoft PR, that we have
> "a generic Internet security problem" and not "a Microsoft Windows
> security problem", they won't have to.
>
> ---Rsk
>

From rforno at infowarrior.org Thu Mar 4 20:54:08 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 4 Mar 2010 15:54:08 -0500
Subject: [Infowarrior] - Ubisoft's Internet-required DRM Already Cracked
Message-ID: <73BD9AD3-B086-422E-A484-641129EE6E5B@infowarrior.org>

Ubisoft's Internet-required DRM Already Cracked
2:50 PM - March 4, 2010 by Marcus Yam
http://www.tomshardware.com/news/ubisoft-drm-internet-crack-hack,9794.html#xtor=RSS-181

Hackers have already found a way around Ubisoft's Internet DRM that's used on Silent Hunter 5 and Assassin's Creed II.
Last month, we found out about a new Ubisoft DRM scheme that requires PC gamers to be constantly connected to the Internet in order to play an authenticated game. With the highly anticipated Assassin's Creed II and Settlers VII being some of those titles protected under the new scheme, gamers voiced their concerns over such restrictive and potentially inconvenient DRM.

Of course, it'd be naive to believe that pirates won't be doing their best in order to circumvent this protection. One of Ubisoft's first titles to use this new scheme, Silent Hunter 5: Battle of the Atlantic, released earlier this week -- and it didn't take much time for pirates to crack the DRM.

In the release notes for the pirated version of Silent Hunter 5, the hackers instruct not to use the Ubisoft launcher or to block any connection to the Internet, and then use some modified files to run the game. At the end of the note, the hackers also urge gamers to support the companies that make the software they enjoy.

We cannot verify whether or not the cracked files effectively bypass Ubisoft's copy protection schemes, but it's clear that the pirates are tinkering with it.

From rforno at infowarrior.org Fri Mar 5 15:50:54 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 5 Mar 2010 10:50:54 -0500
Subject: [Infowarrior] - First web copyright crackdown coming
Message-ID: <0465EF28-93CB-45B6-AFAC-B88F163121DF@infowarrior.org>

First web copyright crackdown coming
http://newsosaur.blogspot.com/2010/03/first-web-copyright-crackdown-coming.html

A coalition of traditional and digital publishers this month will launch the first-ever concerted crackdown on copyright pirates on the web, initially targeting violators who use large numbers of intact articles.
Details of the crackdown were provided by Jim Pitkow, the chief executive of Attributor, a Silicon Valley start-up that has been selected as the agent for several publishers who want to be compensated by websites that are using their content without paying licensing fees.

In a telephone interview yesterday, Pitkow declined to identify the individual publishers in his coalition, but said they include "about a dozen" organizations representing wire services, traditional print publishers and "top-tier blog networks."

The first offending sites to be targeted will be those using 80% or more of copyrighted stories more than 10 times per month.

In the first stage of a multi-step process aimed at encouraging copyright compliance instead of punishing scofflaws, Pitkow said online publishers identified by his company will be sent a letter informing them of the violations and urging them to enter into license agreements with the publishers whose content appears on their sites.

If copyright pirates refuse to pay, Attributor will request the major search engines to remove offending pages from search results and will ask banner services to stop serving ads to pages containing unauthorized content. The search engines and ad services are required to immediately honor such requests by the federal Digital Millennium Copyright Act (DMCA).

If the above efforts fail, Attributor will ask hosting services to take down pirate sites. Because hosting services face legal liability under the DCMA if they do not comply, they will act quickly, said Pitkow.

"We are not going after past damages" from sites running unauthorized content said Pitkow. The emphasis, he said is "to engage with publishers to bring them into compliance" by getting them to agree to pay license fees to copyright holders in the future.
License fees, which are set by each of the individual organizations producing content, may range from token sums for a small publisher to several hundred dollars for yearlong rights to a piece from a major publisher, said Pitkow.

Attributor identifies copyright violators by scraping the web to find copyrighted content on unauthorized sites. A team of investigators will contact violators in an effort to bring them into compliance or, alternatively, begin taking action under DMCA.

Offshore sites will not be immune from the crackdown, said Pitkow, because almost all of them depend on banner ads served by U.S.-based services. Because the DMCA requires the ad service to act against any violator, Attributor says it can interdict the revenue lifeline at any offending site in the world.

Attributor already has been engaged by several major book publishers to get unauthorized eBooks off unauthorized sites. "And we have 99% success rate," he said.

From rforno at infowarrior.org Fri Mar 5 18:44:33 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 5 Mar 2010 13:44:33 -0500
Subject: [Infowarrior] - Researchers find way to zap RSA security scheme
Message-ID:

(c/o AJR)

This story appeared on Network World at
http://www.networkworld.com/news/2010/030410-rsa-security-attack.html

Researchers find way to zap RSA security scheme
University of Michigan security researchers outline voltage-based attack on the RSA authentication scheme
By Network World Staff, Network World
March 04, 2010 09:46 AM ET

Three University of Michigan computer scientists say they have found a way to exploit a weakness in RSA security technology used to protect everything from media players to smartphones and e-commerce servers.

RSA authentication is susceptible, they say, to changes in the voltage supplied to a private key holder. The researchers -- Andrea Pellegrini, Valeria Bertacco and Todd Austin -- outline their findings in a paper titled "Fault-based attack of RSA authentication"
to be presented March 10 at the Design, Automation and Test in Europe conference.

"The RSA algorithm gives security under the assumption that as long as the private key is private, you can't break in unless you guess it. We've shown that that's not true," said Valeria Bertacco, an associate professor in the Department of Electrical Engineering and Computer Science, in a statement.

The RSA algorithm was introduced in a 1978 paper outlining the public-key cryptosystem. The annual RSA security conference is being held this week in San Francisco.

While guessing the 1,000-plus digits of binary code in a private key would take unfathomable hours, the researchers say that by varying electric current to a secured computer using an inexpensive purpose-built device they were able to stress out the computer and figure out the 1,024-bit private key in about 100 hours -- all without leaving a trace. The researchers in their paper outline how they made the attack on a SPARC system running Linux. They also say they have come up with a solution, which involves a cryptographic technique called salting that involves randomly juggling a private key's digits. The research is funded by the National Science Foundation and the Gigascale Systems Research Center.

From rforno at infowarrior.org Fri Mar 5 23:02:28 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 5 Mar 2010 18:02:28 -0500
Subject: [Infowarrior] - RIAA Claims Music Pirates Hurt Haiti Fund Raising
Message-ID:

RIAA Claims Music Pirates Hurt Haiti Fund Raising
Written by Ernesto on March 05, 2010
http://torrentfreak.com/riaa-claims-music-pirates-hurt-haiti-fund-raising-100305/

The RIAA has published a blog post where they accuse music pirates of stealing from Haitians. In a brilliant piece of propaganda they say that those illegally downloading "We Are The World" are undermining fund raising. However, they leave out the fact that the music industry itself profits big from such charity singles.
The original "We Are The World" single released in 1985 to help Africa was the first single to receive multi-platinum certification. It brought in millions of dollars for humanitarian aid and still holds the record for the fastest selling single in the USA. Dozens of contributing artists waived their rights and performed free of charge to maximize the revenue for Africa.

In an attempt to replicate this success, a group of artists recorded "We Are the World 25 for Haiti" following the devastating earthquake in Haiti, hoping to raise money to help those in need. Although most people realize that donating directly to Doctors Without Borders or the Red Cross is a more efficient way to donate, the initiative was obviously started with the best intentions by most of the people involved.

According to the RIAA however, there is also a group of people who deliberately try to "steal" from this fundraising campaign -- music pirates. In a recent blog post the RIAA dramatically claims that "the album is now widely available on illicit BitTorrent sites like The Pirate Bay, Torrentz and more. The posting highlights a truly ugly side of P2P piracy -- the undermining of humanitarian fundraising efforts via online theft of the 'Hope for Haiti Now' compilation."

The RIAA basically says that pirates are purposely stealing money from Haitians. But are they? In a response to the RIAA's writing, Music Ally dug up some numbers and they found out that compared to most other popular singles the number of downloads the song gets is really low. Aside from this, one has to wonder if those who downloaded the song would have paid for it if it was not available on BitTorrent. Perhaps they already donated through a more direct channel? Techdirt further notes that the RIAA blames sites like Torrentz which doesn't even store torrent files, while they leave out Google, the site through which their source actually found the torrents.
What most people missed though, might make the RIAA's post look even more hypocritical. Charity singles such as "We Are The World" actually bring in a lot of cash for the record industry and related businesses. This could be easily framed as "Stealing from Haitians" as well. Columbia Records fared well with the release of the first "We Are The World" single and the performance rights that still come in today continue to benefit the "copyright holders." In addition, charity songs including "Do They Know It's Christmas?" ended up on thousands of compilation albums for which the charities probably never saw a penny.

We were unable to find out exactly how long the profits of the new Haiti single will actually go to Haiti, but we're sure that the music industry will take a cut regardless. Similarly, iTunes will give up their share for a few months but will be profiting from the single later on. These examples show that reality is always a bit more balanced than how the RIAA portrays it. Nonetheless, those who actually like the song should definitely consider buying it or at least donating to one of the other charities that benefit Haiti.

From rforno at infowarrior.org Sat Mar 6 01:04:19 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 5 Mar 2010 20:04:19 -0500
Subject: [Infowarrior] - Why the White House Won't Release a Key Cyber Paper
Message-ID:

Why the White House Won't Release a Key Cyber Paper
Mar 4 2010, 5:58 PM ET
http://www.theatlantic.com/personal/archive/2010/03/why-the-white-house-wont-release-a-key-cyber-paper/36954/

Even as the new government-wide cyber coordinator, Howard Schmidt, pledged to promote transparency as the government moves to protect cyberspace, the administration won't release a legal memorandum that many, including the one-time head of its cyber security review, hoped would be made public.
The memo was drafted as an appendix to the White House Cyberspace Policy Review led by Melissa Hathaway, at the time the acting senior director for cyber issues at the National Security Council. Hathaway has since left the government. She has told colleagues that the White House overruled her decision to release the legal annex. Administration officials dispute the idea that it was her decision to make in the first place.

Speaking at last year's RSA conference, Hathaway praised the review process for its "unprecedented transparency." A footnote in the appendix of the main report notes that the legal analysis was not intended to be of the type that would or could influence policy. And the report itself calls for a new interagency legal review team -- the team that would produce products for internal, executive-branch-only deliberation.

Hathaway, in discussing the review the next week, expressed enthusiasm about the legal review to an audience of intelligence professionals and journalists at a conference in Virginia. Bob Gourley, a former senior intelligence official, blogged after the event that Hathaway bragged about the comprehensiveness of the legal review. Gourley noted that the legal annex "captures some of the opinion of federal legal experts from across the government."

Wednesday, Schmidt announced the declassification of part of the Comprehensive National Cyber Initiative, which has been shrouded in secrecy, even to members of Congress. Even though most of the information has been in the public domain, the declassification marked a step that the previous administration was unwilling to take. A senior administration official said the legal report would not be released because its contents are classified.
The official cited "national security" as the reason why the legal annex has not been released, said that the White House should have been given more credit for declassifying some information about the CNCI, and said that President Obama is committed to as much "transparency as possible." Congress has also asked the White House for a copy of the annex and as of a month ago had not received it. Schmidt told an audience earlier this week that administration lawyers are working on about 40 discrete issues.

But two people who have seen the report say that although it covers sensitive matters like the legal authority the United States has to conduct offensive cyber warfare, a minimally redacted version could be released without compromising any intelligence program or strategy. The document poses many questions, these people said, and does not presuppose that the U.S. government has come to any conclusions. For example, a portion of the document about the laws of war is a straightforward, academic discussion about how they might or might not apply to cyber attacks. According to these people, the report also includes a rigorous discussion about whether offensive cyber capabilities are best described as a traditional military activity (and therefore subject to Title 10 of the U.S. Code) or an intelligence activity, which would impose a different set of legal requirements upon whatever action was being considered. The analysis also ponders whether the U.S. might establish a "first use" doctrine of cyber offense.

The legal annex includes some discussion about the National Security Agency's data collection and retention policies, most of which has already been declassified in other forums by the previous administration. Among the more sensitive political issues that harass elected officials is the degree to which the NSA might have to monitor the dot.com domain in order to fully protect the country from major cyber attacks.
To date, government officials have been reluctant to even acknowledge that the possibility would ever be discussed, which would require Congress to change current law.

From the administration's perspective, because the questions raised in the analysis were brought forward by lawyers working for intelligence agencies, releasing the information would provide enemies with an insight into what capabilities the government might have or might want to develop.

"As vitally important as openness is, every organization also needs to have confidentiality around legal deliberations so that the client can get sound, unvarnished advice from counsel. That concern is particularly acute in matters of national security," the official said in an e-mailed statement. "These deliberations concerned important legal issues facing the cyber review team, and should remain privileged."

The official would not say whether the administration planned to discuss the complex legal issues in public at any point. Aside from offensive cyber warfare, these issues include the legal implications of the government working with the private sector, restrictions imposed by the Fourth Amendment, and whether existing statutes like the Electronic Communications Privacy Act need to be expanded.

In 2006, the Justice Department produced an unclassified white paper on the National Security Agency's surveillance program that was well received, even as it protected sensitive programs and even as many legal experts profoundly disagreed with the analysis. In 2009, it released an unclassified legal memorandum on a sensitive government program known as Einstein II, which was set up to protect servers on the dot-gov domain. In February, at a symposium at the University of Texas at Austin's law school, a CIA consultant gave an unclassified speech, which included CIA-approved PowerPoint slides, about the difficulties inherent in crafting a comprehensive legal approach.
The consultant, Sean Kanuck, included several slides about the current questions the U.S. government is wrestling with, including what type of cyber attack constitutes an act of war, and whether offensive cyber security actions require the government to take into account the potential for human suffering on the other side. (Kanuck said at the time that his presentation was not endorsed by the CIA and that his discussion did not necessarily reflect any specific internal deliberations.) As with the NSA program, the cyber law terrain triggers extreme sensitivities, with journalists and commentators worrying about whether the government is planning in secret to take control of the Internet. They aren't -- but in refusing to open parts of the issue to public discussion, they are feeding the uneducated and impoverished public discourse on the subject. "Why can't we have a debate about nuclear weapons that it's in the open and not have that debate about cyber?" said James A. Lewis of the Center for Strategic and International Studies, who has consulted with the administration in the past about cyber security issues. "The answer they give is that we would give our adversaries notice of our red lines. Well, that assumes the enemies don't know our red lines already." 
From rforno at infowarrior.org Sat Mar 6 23:32:35 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 6 Mar 2010 18:32:35 -0500
Subject: [Infowarrior] - CRS Report on the CNCI (3/2010)
Message-ID:

CYBERSECURITY
Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Initiative
March 2010
http://cryptome.org/gao-10-338.pdf

From rforno at infowarrior.org Sun Mar 7 01:31:20 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 6 Mar 2010 20:31:20 -0500
Subject: [Infowarrior] - Reeling in the hackers
Message-ID:

(c/o ST)

Reeling in the hackers
KARLIN LILLINGTON
http://www.irishtimes.com/newspaper/finance/2010/0219/1224264787078.html

A new study reveals that the popular film portrayal of computer hackers is actually quite accurate, writes KARLIN LILLINGTON

IF YOU don't like the idea of a scholarly paper on the trail of hackers in films, then take it up with Damian Gordon's parents. "I have to blame my parents -- the only films we were ever taken to were science fiction and futuristic kinds of films," says Gordon, a lecturer in computer science at the Dublin Institute of Technology.

Gordon has just published his paper, Forty Years of Movie Hacking: Considering the Potential Implications of the Popular Media Representation of Computer Hackers from 1968 to 2008, in the current issue of the International Journal of Internet Technology and Secured Transactions. A self-confessed film buff, he likes to show students clips from such films as a teaching tool because he feels they bring an abstract subject to life and help initiate lively discussions. "With computer science you're always trying to explain complex ideas in a clear way. Clips from films can be very useful for that. Any time I can, I try to slip in a film clip." In trying to teach his students about security issues, he realised many had misguided notions about what the typical computer hacker is like and where security threats come from.
That set him thinking that perhaps the misperceptions came from the upper trails of hackers in popular culture. So Gordon set out to compile a list of as many films that featured hacking as he could and came up with 50 -- which he realises is not comprehensive and excludes foreign films, but does pick up most Hollywood films since the late 1960s that fit within his criteria outlined in the 29-page paper. He excluded animated films and documentaries, for example. He included films from as early as 1968 through to 2008, across several genres from science fiction to crime films.

His paper observes a curious dearth of films in the 1970s, just as computing was coming into popular visibility. His theory is that a lifting of censorship rules caused films to focus more on violence and sex. "Hacking computers was probably too passive and boring," he laughs.

The aim of his paper "was really to investigate why there is a general public perception that hackers all seem to be teenagers in bedrooms. Lots of books on hacking talk about this, but it is so wrong. Most hackers are around 30 and are computer professionals.

"Being a hacker is really not about sitting alone in a dark bedroom. It has a lot more to do with your interpersonal skills."

His film findings surprised Gordon just as much as they might surprise others. Far from having public perceptions of hackers shaped by films, he found that the celluloid portrayal of hackers was actually quite accurate -- setting aside the unlikelihood of your average female hacker looking like Sandra Bullock or Angelina Jolie. "It's devastating to realise that most movies do portray hackers correctly," he jokes.

First off, he found that the average age of the majority of film hackers was over 25, with only a quarter younger than that. Some 65 per cent were aged between 25 and 50, and only 3 per cent were older than 50, which he thinks is fairly accurate.
As for profession, 32 per cent were portrayed as working in the computer industry, 28 per cent were full-time hackers, 20 per cent were students and 20 per cent worked in other professions. Gordon notes that this actually meshes fairly closely with reality -- one study cited in his paper notes that the average hacker is 27 and either a computer professional or full-time hacker. Gordon also found that, in the films, about 10 per cent of the hackers were women, which also approximates real-world statistics. He notes that for some reason there are far more female hackers portrayed on television compared to film. "I'm presuming that's because men tend to do the action bits on television," he says.

Two areas in which film deviated from real-world hacking are the number of attacks depicted as coming from outside an organisation rather than being instigated from those inside an organisation, and the portrayal of the intentions of hackers. In film, only 20 per cent of the attacks are internal, but industry studies suggest the ratio may be closer to 50-50, Gordon notes in his paper.

Also, the vast majority of hackers in films are actually portrayed as the good guys -- a huge 73 per cent, with 10 per cent being somewhere in between, and 17 per cent portrayed as bad guys. "I was definitely surprised at the number of films showing hackers in a positive light," he says. However, he rather likes this himself, given that the term "hacker" started out as a positive one, referring to people who were highly adept at tinkering with electronics and writing or modifying computer programs. Only much later did the public start to use the term hacker to mean someone with malicious intent. "I'd like to reclaim the title as a positive one," says Gordon.

Damian's top five

Hot Millions (1968): Peter Ustinov as Marcus Pendleton, a con-man just out of prison. "Really a great movie."

Tron (1982): Jeff Bridges as Kevin Flynn, a former employee of fictional computer company ENCOM.
"I adored Tron, and you can never go wrong with Jeff Bridges."

Superman III (1983): Gus Gorman (Richard Pryor) discovers that he has an extraordinary talent for computer programming. "A great salami-slicing attack."

WarGames (1983): David Lightman (Matthew Broderick) as a high school student who is highly unmotivated at school but is an enthusiastic computer hacker at home. "Fixed in people's minds the archetype of the young hacker operating from his bedroom."

Sneakers (1992, Heist): College students Martin Brice (Gary Hershberger) and his friend Cosmo (Jo Marr) use a college computer to hack into banking systems to transfer funds. "Fantastic film"

From rforno at infowarrior.org Mon Mar 8 02:01:49 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 7 Mar 2010 21:01:49 -0500
Subject: [Infowarrior] - Ubisoft servers down: DRM fails
Message-ID: <6444BD09-39B2-46DA-8F92-368FDC7EE5AA@infowarrior.org>

*chuckle* They have nobody to blame but themselves for their customers' well-placed wrath. -rick

Ubisoft DRM authentication server is down, Assassin's Creed 2 unplayable
by Griffin McElroy { Mar 7th 2010 at 4:00PM }
http://www.joystiq.com/2010/03/07/ubisoft-drm-authentification-server-is-down-assassins-creed-2/

Earlier today, our tips inbox and the official Assassin's Creed 2 forum were set ablaze by incensed owners of the PC version of the aforementioned Italian revenge epic. According to numerous reports from prospective players of the game, Ubisoft's DRM authentication servers have crashed, forcing some players to suffer lengthy login periods when booting up Assassin's Creed 2, and locking some folks out of the game entirely. A Ubisoft representative responded to a particularly rage-filled forum thread, stating "clearly the extended downtime and lengthy login issues are unacceptable, particularly as I've been told these servers are constantly monitored."
The representative added "I'll do what I can to get more information on what the issue is here first thing tomorrow and push for a resolution and assurance this won't happen in the future." We've got a really great suggestion for how to make such an assurance: Find a less abominable DRM policy.

From rforno at infowarrior.org Mon Mar 8 12:55:01 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 8 Mar 2010 07:55:01 -0500
Subject: [Infowarrior] - Musing on Cyber "Attack" Metrics
Message-ID:

We're seeing a ton of spooky statements and sound bites about the "number of cyber attacks" being thrown around Washington these days. But absent the context of how such statistics are generated and compiled, it's hard to place much credence in them if you're serious about really understanding the cyber environment and developing an accurate picture of things. To wit:

"In 2008, security events caused by vectors including worms, Trojan horses and spybots averaged 8 million hits per month. That number skyrocketed to 1.6 billion in 2009 and climbed to 1.8 billion this year, according to Senate Sergeant-at-Arms Terrance Gainer. ... The Senate Security Operations Center alone receives 13.9 million of those attempts per day." (http://www.politico.com/news/stories/0310/33987.html)

This leads me to wonder: what is the metric used in defining and quantifying an "attack" for the Senate, DOD, USG, etc.? Does a single malicious email (i.e., phishing) sent to one person at one agency count as one "attack"? But does that same email sent to 20K people at the same agency constitute 20K "attacks"? If 1 person's system does a reply-all to a malicious message, does that raise the number of "attacks" logged by the agency by another 20K? In the case of e-mail, is an "attack" based on the number of messages received or the number of different attack mechanisms encountered? I.e., is it 20K "attacks" coming from 1 identified worm, or is it 20K different worms attacking the agency?
Clearly, how these metrics are defined goes a long way in their believability and usability for security planning. For years we've heard such awesomely-bad statistics about cyber-attacks bandied around in Hill hearings, industry conferences, and industry marketing. Again, knowing the context of these statistics that become oft-echoed media and policy talking points would go a long way in letting us take them more seriously.

-rick

PS: I know DHS was working on some cybersecurity reporting metrics for the USG some years ago but I have no idea if it's gone anywhere or been mandated for gov-wide use yet.

From rforno at infowarrior.org Mon Mar 8 12:58:21 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 8 Mar 2010 07:58:21 -0500
Subject: [Infowarrior] - Energizer Bunny carries backdoor malware
Message-ID: <71A3C077-EA42-425E-9690-ECDA77D263EC@infowarrior.org>

(c/o MC)

Energizer Bunny carries backdoor malware
March 8, 2010 - 6:26am
http://www.federalnewsradio.com/?nid=15&sid=1906611

Researchers at United States Computer Emergency Readiness Team have found that software that accompanies the Energizer DUO USB battery charger contains a Trojan horse which gives hackers total access to a Windows PC, reports ComputerWorld. Energizer has since discontinued the charger and they are working with CERT to find the source of the code. Energizer's DUO was sold in the U.S., Latin America, Europe and Asia starting in 2007.

The Trojan can download and execute files, transmit files stolen from the PC, or tweak the Windows registry, and it automatically executes each time the PC is turned on. It remains active, even if the Energizer charger is not connected to the machine. US-CERT urged users who had installed the Energizer software to uninstall it, which disables the automatic execution of the Trojan.
From rforno at infowarrior.org Mon Mar 8 13:19:27 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 8 Mar 2010 08:19:27 -0500
Subject: [Infowarrior] - Whatever happened to the email app?
Message-ID: <435C559A-8C3A-46FD-8846-8B3435A75683@infowarrior.org>

Original URL: http://www.theregister.co.uk/2010/03/08/the_great_email_client_mystery/

Whatever happened to the email app?
Andrew Orlowski (andrew.orlowski at theregister.co.uk)
Posted in Applications, 8th March 2010 12:33 GMT

Lab Notes Is the email program dead? Did the whole world just migrate away from Hotmail over to Facebook when we weren't looking? Does anyone else care? Weirdly, the answer seems to be yes, yes, and no. Email has never gone away, and its advantages are unique: but the email client seems to be going the way of the Gopher. Which is a bit odd when you consider how useful it still is. Nobody knows your email address unless you tell them, and messages are private by default. These are still the internet's universal protocols for private communication, something Web 2.0 types only grudgingly admit exists.

We have to be honest - managing your own POP3 or IMAP accounts always was a bit of a minority pastime. Notes and Outlook ruled the roost on corporate PCs. Most of the rest of the world - normal people - only ever used a webmail service as a primary email account. Facebook offers them a pretty straightforward upgrade - with the illusion of privacy, no spam, and a pretty easy to use address book. Just don't tell Facebook investors that one day it might be as profitable as Hotmail...

But for me and many of you I suspect, the choice of email client is something in which you make a bit of investment, and a careful decision. And what a sorry landscape we have before us.
< - >

http://www.theregister.co.uk/2010/03/08/the_great_email_client_mystery/print.html

From rforno at infowarrior.org Mon Mar 8 13:31:52 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 8 Mar 2010 08:31:52 -0500
Subject: [Infowarrior] - A Practical Attack to De-Anonymize Social Network Users
Message-ID:

A Practical Attack to De-Anonymize Social Network Users

Abstract. Social networking sites such as Facebook, LinkedIn, and Xing have been reporting exponential growth rates. These sites have millions of registered users, and they are interesting from a security and privacy point of view because they store large amounts of sensitive personal user data. In this paper, we introduce a novel de-anonymization attack that exploits group membership information that is available on social networking sites. More precisely, we show that information about the group memberships of a user (i.e., the groups of a social network to which a user belongs) is often sufficient to uniquely identify this user, or, at least, to significantly reduce the set of possible candidates. To determine the group membership of a user, we leverage well-known web browser history stealing attacks. Thus, whenever a social network user visits a malicious website, this website can launch our de-anonymization attack and learn the identity of its visitors. The implications of our attack are manifold, since it requires a low effort and has the potential to affect millions of social networking users. We perform both a theoretical analysis and empirical measurements to demonstrate the feasibility of our attack against Xing, a medium-sized social network with more than eight million members that is mainly used for business relationships. Our analysis suggests that about 42% of the users that use groups can be uniquely identified, while for 90%, we can reduce the candidate set to less than 2,912 persons.
Furthermore, we explored other, larger social networks and performed experiments that suggest that users of Facebook and LinkedIn are equally vulnerable (although attacks would require more resources on the side of the attacker). An analysis of an additional five social networks indicates that they are also prone to our attack.

Paper @ http://www.iseclab.org/papers/sonda-TR.pdf

From rforno at infowarrior.org Mon Mar 8 19:19:17 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 8 Mar 2010 14:19:17 -0500
Subject: [Infowarrior] - Retired Army general to lead TSA
Message-ID:

Retired Army general to lead TSA
Updated 1:57 p.m. ET
http://voices.washingtonpost.com/federal-eye/2010/03/retired_army_general_tapped_to.html

President Obama on Monday tapped retired Army Major Gen. Robert A. Harding to lead the Transportation Security Administration. Homeland Security Secretary Janet Napolitano is scheduled to make the announcement during a noontime appearance with Harding at DHS headquarters.

"I am confident that Bob's talent and expertise will make him a tremendous asset in our ongoing efforts to bolster security and screening measures at our airports," President Obama said in a statement. "I can think of no one more qualified than Bob to take on this important job, and I look forward to working with him in the months and years ahead."

But Harding is Obama's second choice for the post after Erroll Southers withdrew from consideration in January following reports that he may have misled Congress about an incident in the late 1980s involving a background check of the boyfriend of his ex-wife.

Harding retired from the Army in 2001 after 33 years of military service, according to the White House. He served as deputy to the Army's chief of intelligence and, previously, served as director for operations in the Defense Intelligence Agency.
In 2003, he founded a defense and intelligence contracting firm, Harding Security Associates, which employs more than 400 people, according to the White House. Harding currently serves on the boards of directors of the Wolf Trap Foundation for the Performing Arts and the Association of Former Intelligence Officers.

If confirmed, Harding will likely help settle the issue of whether TSA employees should earn collective bargaining rights, an issue that led Republican lawmakers to place a hold on Southers' nomination. Federal union leaders said they knew little about Harding, but hoped to meet with him soon to discuss labor concerns.

"We haven't had the opportunity to research this candidate as we have some of the other White House nominees," said American Federation of Government Employees President John Gage. "However, if the administration believes him to be the best person to lead TSA, we will trust that decision until given a reason not to."

National Treasury Employee Union President Colleen M. Kelley also said she didn't know Harding, but "it appears his lengthy intelligence background would bring an important and useful perspective to the agency's efforts." Both unions hope to win the right to represent TSA workers and said earning collective bargaining rights remained their top concern.

Harding would join TSA in the aftermath of the thwarted Christmas Day bombing attack and amid Congressional concerns with several recent reports of passenger mistreatment by TSA officers. The agency also continues to deploy 150 new body-scanning machines at major American airports.

Senate Majority Leader Harry Reid (D-Nev.) urged swift confirmation for Harding. "This nomination should not be subject to partisan delay tactics," Reid said in a statement. The leaders of the Senate Commerce and Homeland Security committees, which will hold hearings on the nomination, also pledged to move quickly on Harding.
From rforno at infowarrior.org Tue Mar 9 00:26:11 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 8 Mar 2010 19:26:11 -0500
Subject: [Infowarrior] - OT: What If Everybody in Canada Flushed At Once?
Message-ID: <098FF2F5-FD57-46B4-8050-096328F177DE@infowarrior.org>

What If Everybody in Canada Flushed At Once?

The water utility in Edmonton, EPCOR, published the most incredible graph of water consumption last week. By now you've probably heard that up to 80% of Canadians were watching last Sunday's gold medal Olympic hockey game. So I guess it stands to reason that they'd all go pee between periods. But still, the degree to which the water consumption matches with the key breaks in the hockey game is stunning....

< - >

http://www.patspapers.com/blog/item/what_if_everybody_flushed_at_once_Edmonton_water_gold_medal_hockey_game

From rforno at infowarrior.org Tue Mar 9 03:50:02 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 8 Mar 2010 22:50:02 -0500
Subject: [Infowarrior] - EFF: iPhone Dev License Analysis
Message-ID: <6AB2D1B8-9EBA-4EFC-87B1-849031D20EFF@infowarrior.org>

(the 'non-public' iphone developer agreement is @ http://www.eff.org/files/20100302_iphone_dev_agr.pdf)

All Your Apps Are Belong to Apple: The iPhone Developer Program License Agreement
Legal Analysis by Fred von Lohmann
http://www.eff.org/deeplinks/2010/03/iphone-developer-program-license-agreement-all

The entire family of devices built on the iPhone OS (iPhone, iPod Touch, iPad) have been designed to run only software that is approved by Apple -- a major shift from the norms of the personal computer market. Software developers who want Apple's approval must first agree to the iPhone Developer Program License Agreement. So today we're posting the "iPhone Developer Program License Agreement" -- the contract that every developer who writes software for the iTunes App Store must "sign."
Though more than 100,000 app developers have clicked "I agree," public copies of the agreement are scarce, perhaps thanks to the prohibition on making any "public statements regarding this Agreement, its terms and conditions, or the relationship of the parties without Apple's express prior written approval." But when we saw the NASA App for iPhone, we used the Freedom of Information Act (FOIA) to ask NASA for a copy, so that the general public could see what rules controlled the technology they could use with their phones. NASA responded with the Rev. 3-17-09 version of the agreement (it has reportedly been revised somewhat since - please send us the current version if you are able).

This "license agreement" is particularly relevant right now, given the imminent launch of the iPad and anytime-now issuance of the U.S. Copyright Office's ruling regarding jailbreaking of the iPhone. So what's in the Agreement? Here are a few troubling highlights:

Ban on Public Statements: As mentioned above, Section 10.4 prohibits developers, including government agencies such as NASA, from making any "public statements" about the terms of the Agreement. This is particularly strange, since the Agreement itself is not "Apple Confidential Information" as defined in Section 10.1. So the terms are not confidential, but developers are contractually forbidden from speaking "publicly" about them.

App Store Only: Section 7.2 makes it clear that any applications developed using Apple's SDK may only be publicly distributed through the App Store, and that Apple can reject an app for any reason, even if it meets all the formal requirements disclosed by Apple. So if you use the SDK and your app is rejected by Apple, you're prohibited from distributing it through competing app stores like Cydia or Rock Your Phone.
Ban on Reverse Engineering: Section 2.6 prohibits any reverse engineering (including the kinds of reverse engineering for interoperability that courts have recognized as a fair use under copyright law), as well as anything that would "enable others" to reverse engineer, the SDK or iPhone OS.

No Tinkering with Any Apple Products: Section 3.2(e) is the "ban on jailbreaking" provision that received some attention when it was introduced last year. Surprisingly, however, it appears to prohibit developers from tinkering with any Apple software or technology, not just the iPhone, or "enabling others to do so." For example, this could mean that iPhone app developers are forbidden from making iPods interoperate with open source software.

    You will not, through use of the Apple Software, services or otherwise create any Application or other program that would disable, hack, or otherwise interfere with the Security Solution, or any security, digital signing, digital rights management, verification or authentication mechanisms implemented in or by the iPhone operating system software, iPod Touch operating system software, this Apple Software, any services or other Apple software or technology, or enable others to do so

Kill Your App Any Time: Section 8 makes it clear that Apple can "revoke the digital certificate of any of Your Applications at any time." Steve Jobs has confirmed that Apple can remotely disable apps, even after they have been installed by users. This contract provision would appear to allow that.

We Never Owe You More than Fifty Bucks: Section 14 states that, no matter what, Apple will never be liable to any developer for more than $50 in damages. That's pretty remarkable, considering that Apple holds a developer's reputational and commercial value in its hands - it's not as though the developer can reach its existing customers anywhere else.
So if Apple botches an update, accidentally kills your app, or leaks your entire customer list to a competitor, the Agreement tries to cap you at the cost of a nice dinner for one in Cupertino.

Overall, the Agreement is a very one-sided contract, favoring Apple at every turn. That's not unusual where end-user license agreements are concerned (and not all the terms may ultimately be enforceable), but it's a bit of a surprise as applied to the more than 100,000 developers for the iPhone, including many large public companies.

How can Apple get away with it? Because it is the sole gateway to the more than 40 million iPhones that have been sold. In other words, it's only because Apple still "owns" the customer, long after each iPhone (and soon, iPad) is sold, that it is able to push these contractual terms on the entire universe of software developers for the platform.

In short, no competition among app stores means no competition for the license terms that apply to iPhone developers.

If Apple's mobile devices are the future of computing, you can expect that future to be one with more limits on innovation and competition (or "generativity," in the words of Prof. Jonathan Zittrain) than the PC era that came before.

It's frustrating to see Apple, the original pioneer in generative computing, putting shackles on the market it (for now) leads. If Apple wants to be a real leader, it should be fostering innovation and competition, rather than acting as a jealous and arbitrary feudal lord. Developers should demand better terms and customers who love their iPhones should back them.
From rforno at infowarrior.org Tue Mar 9 12:08:49 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Mar 2010 07:08:49 -0500
Subject: [Infowarrior] - BBC Survey: Internet access 'a human right'
Message-ID:

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/8548190.stm

Internet access 'a human right'

Almost four in five people around the world believe that access to the internet is a fundamental right, a poll for the BBC World Service suggests.

The survey - of more than 27,000 adults across 26 countries - found strong support for net access on both sides of the digital divide.

Countries such as Finland and Estonia have already ruled that access is a human right for their citizens. International bodies such as the UN are also pushing for universal net access.

"The right to communicate cannot be ignored," Dr Hamadoun Toure, secretary-general of the International Telecommunication Union (ITU), told BBC News.

"The internet is the most powerful potential source of enlightenment ever created."

He said that governments must "regard the internet as basic infrastructure - just like roads, waste and water".

"We have entered the knowledge society and everyone must have access to participate."

The survey, conducted by GlobeScan for the BBC, also revealed divisions on the question of government oversight of some aspects of the net.

Web users questioned in South Korea and Nigeria felt strongly that governments should never be involved in regulation of the internet. However, a majority of those in China and many European countries disagreed.

In the UK, for example, 55% believed that there was a case for some government regulation of the internet.

Rural retreat

The finding comes as the UK government tries to push through its controversial Digital Economy Bill.

As well as promising to deliver universal broadband in the UK by 2012, the bill could also see a so-called "three strikes rule" become law.
This rule would give regulators new powers to disconnect or slow down the net connections of persistent illegal file-sharers. Other countries, such as France, are also considering similar laws.

Recently, the EU adopted an internet freedom provision, stating that any measures taken by member states that may affect citizens' access to or use of the internet "must respect the fundamental rights and freedoms of citizens".

In particular, it states that EU citizens are entitled to a "fair and impartial procedure" before any measures can be taken to limit their net access.

The EU is also committed to providing universal access to broadband. However, like many areas around the world the region is grappling with how to deliver high-speed net access to rural areas where the market is reluctant to go.

Analysts say that is a problem many countries will increasingly have to deal with as citizens demand access to the net.

The BBC survey found that 87% of internet users felt internet access should be the "fundamental right of all people". More than 70% of non-users felt that they should have access to the net.

Overall, almost 79% of those questioned said they either strongly agreed or somewhat agreed with the description of the internet as a fundamental right - whether they currently had access or not.

Free speech

Countries such as Mexico, Brazil and Turkey most strongly support the idea of net access as a right, the survey found. More than 90% of those surveyed in Turkey, for example, stated that internet access is a fundamental right - more than those in any other European country.

South Korea - the most wired country on Earth - had the greatest majority of people (96%) who believed that net access was a fundamental right. Nearly all of the country's citizens already enjoy high-speed net access.
The survey also revealed that the internet is rapidly becoming a vital part of many people's lives in a diverse range of nations. In Japan, Mexico and Russia around three-quarters of respondents said they could not cope without it.

Most of those questioned also said that they believed the web had a positive impact, with nearly four in five saying it had brought them greater freedom. However, many web users also expressed concerns.

The dangers of fraud, the ease of access to violent and explicit content and worries over privacy were the most concerning aspects for those questioned.

A majority of users in Japan, South Korea and Germany felt that they could not express their opinions safely online, although in Nigeria, India and Ghana there was much more confidence about speaking out.

Published: 2010/03/08 08:52:59 GMT
© BBC MMX

From rforno at infowarrior.org Tue Mar 9 12:54:50 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Mar 2010 07:54:50 -0500
Subject: [Infowarrior] - Disable Microsoft SpyNet In Windows 7
Message-ID: <2059DFC7-089A-4B69-BE24-82D989E623A6@infowarrior.org>

How To Disable Microsoft SpyNet In Windows 7
http://www.ghacks.net/2010/03/07/how-to-disable-microsoft-spynet-in-windows-7/

From rforno at infowarrior.org Tue Mar 9 14:30:53 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Mar 2010 09:30:53 -0500
Subject: [Infowarrior] - Former NSA tech chief: I don't trust the cloud
Message-ID: <408C5F3F-A5E5-4DB8-BCC3-9B351F7D02B6@infowarrior.org>

(agree 100% -rick)

This story appeared on Network World at http://www.networkworld.com/news/2010/030410-rsa-cloud-security-warning.html

Former NSA tech chief: I don't trust the cloud
RSA Conference hears warnings about trusting cloud services
By Tim Greene, Network World
March 04, 2010 10:20 AM ET

The former National Security Agency technical director told the RSA Conference he doesn't trust cloud
services and bluntly admonished vendors for leaving software vulnerabilities unpatched, sometimes for years.

Speaking for himself and not the agency, Brian Snow says that cloud infrastructure can deliver services that customers can access securely, but the shared nature of the cloud leaves doubts about attack channels through other users in the cloud. "You don't know what else is cuddling up next to it," he says.

Snow was speaking as a member of the annual cryptographers panel at RSA Conference. Another panelist said he doesn't trust clouds either, but his reluctance was based upon worry about what NSA might be up to.

Adi Shamir, a computer science professor at Israel's Weizmann Institute of Science and also the "S" in the RSA encryption algorithm, warned against trusting cloud computing services for the same reason he suspects the confidentiality of transmissions over telecom networks and the Internet.

He says the phone systems are secure, but that major crossroads in their networks are tapped by the NSA. "There's a pipe out of the back of an office at AT&T in San Francisco to NSA," he said. Government access to assets entrusted to public cloud providers will be similar, he says.

He suspects in some cases cloud providers will be companies influenced by government spy agencies, similar to the way Crypto AG security gear gave the NSA backdoor access to encrypted messages sent by foreign governments that had bought the gear. "Please don't use Crypto AG," he said.

On another topic, Snow said many commercial applications and security products contain known flaws or shortcomings that users accept without understanding them or analyzing them thoroughly. That trust is similar to the trust investors had in unsound Wall Street derivative investment products, he said. Just as the country's financial markets melted down last year, he said network security could face a "trust-bubble meltdown". He alluded to a 17-year-old Microsoft vulnerability that went unpatched.
Fixing such problems before they are exploited gives vendors a commercial advantage, so they should do so. "Fix vulnerabilities before you first smell an attack," he said. "End of message."

Also during the panel, Snow acknowledged that cryptographers for the NSA have been losing ground to their counterparts in universities and commercial security vendors for 20 years but still maintain the upper hand in the sophistication of their crypto schemes and in their ability to decrypt.

"I do believe NSA is still ahead, but not by much -- a handful of years," said Snow, the former technical director for the agency. "I think we've got the edge still."

He said that in the 1980s there was a huge gap between what the NSA could do and what commercial encryption technology was capable of. "Now we are very close together and moving very slowly forward in a mature field," Snow said.

The NSA has a deep staff of Ph.D. mathematicians and other cryptographic experts to work on securing traffic and breaking codes, and also has another key advantage. "We cheat. We get to read what [academics] publish. We do not publish what we research," he said.

Whitfield Diffie -- the Diffie in Diffie-Hellman key exchange -- said the NSA lead might have to do with the fact that some cryptography problems are out of bounds for academics, such as nuclear command and control platforms. "It would be illegal, expensive and frustrating to do," said Diffie, who sat on the cryptographers' panel. Any work done privately would immediately be classified and the researchers would be unable to discuss it publicly or claim credit, he said.

Plus the demands of commercial cryptography don't allow for the thoroughness of refinement that is the hallmark of NSA work, he said. There are practical issues -- such as developing products quickly that can be sold to business as valuable assets -- that NSA doesn't face.

Snow's claim of NSA superiority seemed to rankle.
He noted that when the titles of papers in NSA technical journals were declassified up to 1983, there were none that included public key encryption. "That demonstrates that NSA was behind," Shamir said.

But Snow said that perhaps the topic was written about, only under another name. When technologies are developed separately in parallel, the developers don't necessarily use the same terms for them, he said.

From rforno at infowarrior.org Tue Mar 9 15:47:18 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Mar 2010 10:47:18 -0500
Subject: [Infowarrior] - ID Card for all Workers Is at Center of Immigration Plan
Message-ID: <1639DFCE-E486-4BA2-BD84-52BE40075EE4@infowarrior.org>

MARCH 9, 2010
ID Card for Workers Is at Center of Immigration Plan
By LAURA MECKLER
http://online.wsj.com/article/SB10001424052748703954904575110124037066854.html

Lawmakers working to craft a new comprehensive immigration bill have settled on a way to prevent employers from hiring illegal immigrants: a national biometric identification card all American workers would eventually be required to obtain.

Under the potentially controversial plan still taking shape in the Senate, all legal U.S. workers, including citizens and immigrants, would be issued an ID card with embedded information, such as fingerprints, to tie the card to the worker.

The ID card plan is one of several steps advocates of an immigration overhaul are taking to address concerns that have defeated similar bills in the past.

The uphill effort to pass a bill is being led by Sens. Chuck Schumer (D., N.Y.) and Lindsey Graham (R., S.C.), who plan to meet with President Barack Obama as soon as this week to update him on their work. An administration official said the White House had no position on the biometric card.

"It's the nub of solving the immigration dilemma politically speaking," Mr. Schumer said in an interview.
The card, he said, would directly answer concerns that after legislation is signed, another wave of illegal immigrants would arrive. "If you say they can't get a job when they come here, you'll stop it."

The biggest objections to the biometric cards may come from privacy advocates, who fear they would become de facto national ID cards that enable the government to track citizens.

"It is fundamentally a massive invasion of people's privacy," said Chris Calabrese, legislative counsel for the American Civil Liberties Union. "We're not only talking about fingerprinting every American, treating ordinary Americans like criminals in order to work. We're also talking about a card that would quickly spread from work to voting to travel to pretty much every aspect of American life that requires identification."

Mr. Graham says he respects those concerns but disagrees. "We've all got Social Security cards," he said. "They're just easily tampered with. Make them tamper-proof. That's all I'm saying."

U.S. employers now have the option of using an online system called E-Verify to check whether potential employees are in the U.S. legally. Many Republicans have pressed to make the system mandatory. But others, including Mr. Schumer, complain that the existing system is ineffective.

Last year, White House aides said they expected to push immigration legislation in 2010. But with health care and unemployment dominating his attention, the president has given little indication the issue is a priority. Rather, Mr. Obama has said he wanted to see bipartisan support in Congress first. So far, Mr. Graham is the only Republican to voice interest publicly, and he wants at least one other GOP co-sponsor to launch the effort.

An immigration overhaul has long proven a complicated political task. The Latino community is pressing for action and will be angry if it is put off again. But many Americans oppose any measure that resembles amnesty for people who came here illegally.
Under the legislation envisioned by Messrs. Graham and Schumer, the estimated 10.8 million people living illegally in the U.S. would be offered a path to citizenship, though they would have to register, pay taxes, pay a fine and wait in line. A guest-worker program would let a set number of new foreigners come to the U.S. legally to work.

Most European countries require citizens and foreigners to carry ID cards. The U.K. had been a holdout, but in the early 2000s it considered national cards as a way to stop identity fraud, protect against terrorism and help stop illegal foreign workers. Amid worries about the cost and complaints that the cards infringe on personal privacy, the government said it would make them voluntary for British citizens. They are required for foreign workers and students, and so far about 130,000 cards have been issued.

Mr. Schumer first suggested a biometric-based employer-verification system last summer. Since then, the idea has gained currency and is now a centerpiece of the legislation being developed, aides said.

A person familiar with the legislative planning said the biometric data would likely be either fingerprints or a scan of the veins in the top of the hand. It would be required of all workers, including teenagers, but would be phased in, with current workers needing to obtain the card only when they next changed jobs, the person said.

The card requirement also would be phased in among employers, beginning with industries that typically rely on illegal-immigrant labor.

The U.S. Chamber of Commerce doesn't have a position on the proposal, but it is concerned that employers would find it expensive and complicated to properly check the biometrics. Mr. Schumer said employers would be able to buy a scanner to check the IDs for as much as $800. Small employers, he said, could take their applicants to a government office like the Department of Motor Vehicles and have their hands scanned there.
- Alistair MacDonald contributed to this article.

Write to Laura Meckler at laura.meckler at wsj.com

From rforno at infowarrior.org Tue Mar 9 16:56:48 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 9 Mar 2010 11:56:48 -0500
Subject: [Infowarrior] - EU declares war on ACTA
Message-ID:

Joint European Parliament ACTA Transparency Resolution Tabled, Vote on Wednesday
http://www.michaelgeist.ca/content/view/4848/125/
Tuesday March 09, 2010

A joint resolution on Transparency and State of Play of ACTA negotiations from virtually all party groups in the European Parliament was tabled earlier today. It will be debated tonight and faces a vote on Wednesday. If approved, the resolution marks a major development in the fight over ACTA transparency. It calls for public access to negotiation texts and rules out further confidential negotiations. Moreover, the EP wants a ban on imposing a three-strikes model, assurances that ACTA will not result in personal searches at the border, and an ACTA impact assessment on fundamental rights and data protection.

The full resolution:

The European Parliament,

- having regard to Articles 207 and 218 TFEU

- having regard to its Resolution of 9 February 2010 on a "Renewed Framework Agreement between the Parliament and the Commission for the next legislative term" (B7-0091/2010)

- having regard to its Resolution of 11 March 2009 on "Public access to European Parliament, Council and Commission documents (recast)" to be considered as Parliament's position in First Reading (COM(2008)0229 - C6-0184/2008 - 2008/0090(COD))

- having regard to its Resolution of 18 December 2008 on "the impact of counterfeiting on international trade" (2008/2133(INI))

- having regard to the Opinion of the European Data Protection Supervisor of 22 February 2010 on "the current negotiations by the European Union of an Anti-Counterfeiting Trade Agreement (ACTA)"

- having regard to the Charter of Fundamental Rights of the European Union, and in particular its Article 8,

- having regard to Directive 2002/58/EC of European Parliament and Council concerning the processing of personal data and the protection of privacy in the electronic communications sector, as last amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009

- having regard to Directive 2000/31/EC of European Parliament and Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on Electronic Commerce)

- having regard to Rule 110 of its Rules of Procedure,

A. whereas in 2008 the European Union and other OECD countries opened negotiations on a new plurilateral agreement designed to strengthen the enforcement of Intellectual Property Rights (IPRs) and combat counterfeiting and piracy (Anti-Counterfeiting Trade Agreement - ACTA), and jointly agreed on a confidentiality clause,

B. whereas in its report of 11 March 2009 Parliament called on the Commission to "immediately make all documents related to the ongoing international negotiations on the Anti-Counterfeiting Trade Agreement (ACTA) publicly available",

C. whereas the Commission on 27 January 2010 assured its commitment to a reinforced association with Parliament in the terms of its Resolution of 9 February 2010 on a renewed Framework Agreement with the Commission, demanding "immediate and full information at every stage of negotiations on international agreements, in particular on trade matters and other negotiations involving the consent procedure, to give full effect to Article 218 TFEU",

D. whereas Council representatives have attended ACTA negotiation rounds alongside Commission representatives,

E. whereas the Commission as guardian of the Treaties is obliged to uphold the acquis communautaire when negotiating international agreements affecting legislation in the EU,

F. whereas, according to documents leaked, the ACTA negotiations touch, among others, on pending EU legislation regarding the enforcement of IPRs (COD/2005/0127, Criminal measures aimed at assuring the enforcement of intellectual property rights, (IPRED-II)) and the so-called "Telecom Package", and on existing EU legislation regarding E-Commerce and data protection,

G. whereas the ongoing EU efforts to harmonise IPR enforcement measures should not be circumvented by trade negotiations which are outside the scope of the normal EU decision-making processes,

H. whereas it is crucial to ensure that the development of IPR enforcement measures is accomplished in a manner that does not impede innovation or competition, undermine IPR limitations and personal data protection, restrict the free flow of information, or unduly burden legitimate trade,

I. whereas any agreement reached by the European Union on ACTA must comply with the legal obligations imposed on the EU with respect to privacy and data protection law, as notably set forth in Directive 95/46/EC, in Directive 2002/58/EC and in the jurisprudence of the European Court of Human Rights and of the Court of Justice,

J. whereas the Treaty of Lisbon has been in force since 1 December 2009,

K. whereas as a result of the entry into force of the Lisbon Treaty, the Parliament will have to give its consent to the ACTA Treaty text, prior to its entry into force in the EU,

L. whereas the Commission committed itself to provide immediate and full information to the European Parliament at every stage of negotiations on international agreements,

1. Reminds that the Commission has, since 1 December 2009, the legal obligation to immediately and fully inform the European Parliament at all stages of international negotiations;

2. Expresses its concern over the lack of a transparent process in the conduct of the ACTA negotiations which contradicts the letter and the spirit of the TFEU; is deeply concerned that no legal base has been established before the start of the ACTA negotiations and that no parliamentary approval has been asked for the mandate;

3. Calls on the Commission and Council to grant public and parliamentary access to ACTA negotiation texts and summaries in accordance with the Treaty and the Regulation 1049/2001 on Public Access to Documents;

4. Calls on the Commission and Council to pro-actively engage with ACTA partners to rule out any further negotiations of an a priori confidential nature and to timely and entirely inform Parliament about its initiatives in this regard; expects the Commission to make proposals already prior to the next negotiation round in New Zealand in April 2010 and to demand that the issue of transparency is put on the agenda of that meeting, and to refer to Parliament the outcome of this round immediately after its conclusion;

5. Stresses that, unless the Parliament is immediately and fully informed at all stages of the negotiations, Parliament reserves its right to take suitable action, including bringing a case before the Court of Justice in order to safeguard its prerogatives;

6. Calls on the Commission to conduct an impact assessment of ACTA's implementation on fundamental rights and data protection, on the ongoing EU efforts to harmonise IPR enforcement measures, and on E-Commerce, prior to any EU agreement to a consolidated ACTA treaty text, and to timely consult with Parliament about the results of this assessment;

7. Welcomes affirmations by the Commission that any ACTA agreement will be limited to the enforcement of existing IPRs, with no prejudice for the development of substantive IP law in the European Union;

8. Calls on the Commission to continue the negotiations on ACTA in order to improve the effectiveness of the IPR enforcement system against counterfeiting;

9. Urges the Commission to ensure that the enforcement of ACTA provisions - especially its provisions on copyright enforcement procedures in the digital environment - are fully in line with the acquis communautaire; demands that no personal search is undertaken at the EU borders and requests full clarification of any clauses that would allow for warrantless searches and confiscation of information storage devices, such as laptops, cell phones and MP3 players, by border and customs authorities;

10. Considers that in order to respect fundamental rights such as freedom of expression and the right to privacy, with full respect for subsidiarity, the proposed Agreement must refrain from imposing any so-called "three strikes" procedures, in full respect of the decision of Parliament on article 1.1b in the (amending) Directive 2009/140/EC that calls to insert a new para 3 a to article 1 Directive 2002/21/EC on the matter of "three strikes";

11. Emphasizes that privacy and data protection are core values of the European Union, recognised in Article 8 ECHR and Articles 7 and 8 of the EU Charter of Fundamental Rights, which must be respected in all the policies and rules adopted by the EU pursuant to Article 16 of the TFEU;

12.
Instructs its President to forward this resolution to the Commission, the Council and the Governments and Parliaments of ACTA negotiation participants. From rforno at infowarrior.org Tue Mar 9 21:40:47 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 9 Mar 2010 16:40:47 -0500 Subject: [Infowarrior] - OT: Scary 'Pelosism' Message-ID: This following line is from Speaker Pelosi's Remarks at the 2010 Legislative Conference for National Association of Counties (http://www.speaker.gov/newsroom/pressreleases?id=1576 ) Regarding the health care bill --- "...we have to pass the bill so that you can find out what is in it, away from the fog of the controversy." Say ---- what?? The audacity of Congress should not continue to astound me, yet it still does. Both partiies are equally reprehensible, it seems. Just when you think "they" can't become any more idiotic, they strike. It used to be the Republicans; this time it's the Democrats. -rick From rforno at infowarrior.org Tue Mar 9 21:44:32 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 9 Mar 2010 16:44:32 -0500 Subject: [Infowarrior] - Adobe Reader is world's most-exploited app Message-ID: t's official: Adobe Reader is world's most-exploited app The new Microsoft By Dan Goodin in San Francisco ? Get more from this author Posted in Malware, 9th March 2010 20:33 GMT http://www.theregister.co.uk/2010/03/09/adobe_reader_attacks/ Adobe's ubiquitous Reader application has replaced Microsoft Word as the program that's most often targeted in malware campaigns, according to figures compiled by F-Secure. Files based on Reader were exploited in almost 49 percent of the targeted attacks of 2009, compared with about 39 percent that took aim at Microsoft Word. By comparison, in 2008, Acrobat was targeted in almost 29 percent of attacks and Word was exploited by almost 35 percent. "Why has it changed?" F-Secure asks here. 
"Primarily because there has been more vulnerabilities in Adobe Acrobat/Reader than in the Microsoft Office applications." Underscoring the surge of Reader attacks, online thugs recently unleashed a new malware campaign that exploits vulnerabilities patched three weeks ago in the widely used program. The attacks target financial institutions with a PDF file with a name that refers to the so-called Group of 20 most influential economic powers. F-Secure and Microsoft have additional details here and here. When victims click on the file with unpatched versions of Reader, the file installs a backdoor that causes their system to connect to a server at tiantian.ninth.biz. Other applications included in Microsoft Office also experiences sharp declines in exploitation. PowerPoint attacks dropped from almost 17 percent in 2008 to less than 5 percent last year. Excel fell from about 17 percent to less than 8 percent. ? From rforno at infowarrior.org Wed Mar 10 13:07:38 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 Mar 2010 08:07:38 -0500 Subject: [Infowarrior] - OpEd: The MS 'net tax' Message-ID: The Charney-Charge: The Health Care Model is Appropriate Framework Richard Forno First published on 2010-03-10. (c) 2010 by author. Permission granted to reproduce with appropriate credit. Source URL: http://www.infowarrior.org/articles/ms-net-tax.html During remarks at last week's RSA conference, Scott Charney, Microsoft's vice president for Trustworthy Computing, pitched the idea of a "tax" on Internet usage as a public service fee to help defray the costs of providing cybersecurity to the public. (I'll wait for the laughter and howls of disdain to die down. There's serious commentary ahead!) While light on details, Charney's proposal - what I refer to as the 'Charney-Charge' - would send taxpayer money to Internet companies to do things they should be doing already to improve Internet security; specifically, developing secure and securable products. 
"I actually think the health care model ... might be an interesting way to think about the problem," he said.

Charney picked his words carefully. The health care model - specifically, health insurance - charges outrageous monthly premiums yet still retains the right to decide whether or not it will cover a given ailment or treatment. Customers then are forced to purchase additional insurance to better protect themselves -- such as what America's senior citizens do with their prescription drug coverage. The insurance companies also have (for the moment) antitrust protections. As a result, their customers are trapped in a bad situation with limited recourse or ability to improve their position. That's just how the insurance industry likes it, too. (Note: Charney did use other health care analogies more appropriately.)

Similar protections exist for technology industry vendors, resulting in similar situations for their customers. Contained in the End-User License Agreement (EULA) that accompanies software products is a requirement forcing customers to indemnify the product vendor for any damages, losses, or incidents arising from their use of that product. Moreover, since the customer's costs of switching products can be extraordinary, it's akin to the vendor holding a monopoly over its customers. Again, customers are trapped in a bad situation with limited recourse or ability to improve their position. That's just how the product vendors like it, too.

Unfortunately, history shows that 'good enough' is the unofficial standard for technology products and services, and that customer problems, damages, or losses resulting from such standards of quality -- many of which are preventable -- generally are accepted as the 'price of doing business' in cyberspace. Accordingly, there's no economic incentive for vendors to accept responsibility for fixing the products they sell or develop ones that are more resilient and secure.
In the absence of serious product quality, the ability to seek legal recourse against product vendors, or being compensated for damages or losses under the terms and conditions of their EULAs, customers are forced to purchase additional Internet 'insurance' from cybersecurity vendors to better protect themselves. This, in turn, creates an artificial need for the cybersecurity industry; an industry that depends on the continued insecurity of the underlying products and environment they purportedly 'protect.' The cybersecurity industry likes this setup since this situation justifies and sustains its business model. Customers clearly are the losers in this scenario.

As with the health insurance industry, neither product vendors nor the cybersecurity industry want patient conditions to improve because it's less profitable. Sick or sickly people mean revenue; well and healthy ones don't. Instead, these companies prefer making money through prescribed tests, chronic treatments, new therapies, and visits by specialists to diagnose and alleviate the short-term symptoms of their patients' sickness while ignoring the underlying long-term causes. In this regard, Charney is correct: the health care model indeed is an appropriate analogy for use within the cybersecurity community.

Put another way, a product vendor is proposing to extract money from all Internet users to compensate itself for fixing problems it is under no obligation to fix anyway given the insidious nature of EULAs and a constrained marketplace environment for its customers. In essence, this is a proposed (and stealthy) profit windfall for the Internet industry being marketed as something necessary for improving public safety in cyberspace: by taxing everyone, the cybersecurity costs become socialized while the profits are privatized, and the business models of the product vendors and cybersecurity industry remain intact. After all, it works for the health insurance industry!
In fairness, Charney's idea for a net-tax may be a red herring intended to foster discussion on innovative ways of addressing (or even fixing) national cybersecurity problems. However, such a proposal not only is arrogant and irresponsible in its purpose but also shifts the accountability for cybersecurity problems into the abstract and away from the specific. Such an idea coming from Microsoft should come as no surprise given that the company's products are responsible for many of the major cybersecurity problems in recent years. Therein lies another of the absurdities regarding this proposal.

If Microsoft, or any vendor, wants a proposal for a "net tax" to help offset the costs of implementing better public cybersecurity to be taken seriously, the company first must change its EULAs to accept legal and financial responsibility for its product quality. To continue the health care analogy, customers then would be free to file malpractice suits against - and seek compensation from - product vendors who are negligent and endanger their customers' cyber-health and well-being.

Otherwise, there's another word for the Charney-Charge if it ever gets enacted -- extortion.

# # #

Richard Forno is a Washington, DC-based security researcher.

From rforno at infowarrior.org Wed Mar 10 14:14:51 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 10 Mar 2010 09:14:51 -0500
Subject: [Infowarrior] - UK medical records privacy concerns
Message-ID:

Patients' medical records go online without consent
Patients' confidential medical records are being placed on a controversial NHS database without their knowledge, doctors' leaders have warned.
By Kate Devlin, Medical Correspondent
Published: 10:20PM GMT 09 Mar 2010
http://www.telegraph.co.uk/health/healthnews/7408379/Patients-medical-records-go-online-without-consent.html

Those who do not wish to have their details on the £11 billion computer system are supposed to be able to opt out by informing health authorities.
But doctors have accused the Government of rushing the project through, meaning that patients have had their details uploaded to the database before they have had a chance to object.

The scheme, one of the largest of its kind in the world, will eventually hold the private records of more than 50 million patients. But it has been dogged by accusations that the private information held on it will not be safe from hackers.

The British Medical Association claims that records have been placed on the system without patients' knowledge or consent. It follows allegations that the Government wanted to complete the project before the Conservatives had a chance to cancel it.

In a letter to ministers published today, the BMA urges the Government to suspend the scheme. Hamish Meldrum, its chairman, writes: "The breakneck speed with which this programme is being implemented is of huge concern.

"Patients' right to opt out is crucial, and it is extremely alarming that records are apparently being created without them being aware of it.

"If the process continues to be rushed, not only will the rights of patients be damaged, but the limited confidence of the public and the medical profession in NHS IT will be further eroded."

At present 1.29 million people have had their details placed on the system. A further 8.9 million records are due to be added by June. By the end of next year, the NHS hopes to have more than 50 million uploaded.

The "summary" records contain basic medical information including illnesses, vaccination history, and could include medication patients have been given. Ages and addresses are also included.

Patients are supposed to be notified by letter at least 12 weeks before their details go live on the system and given the chance to opt out. The BMA says that letters have gone to the wrong addresses and that many patients have been unsure what they mean.
Doctors point out that there has been no national advertising programme to explain the scheme, as has been the case with other government initiatives.

David Wrigley, from the BMA's GP committee, said: "The concern is that people may not be aware, because they did not receive the letter, they did not read it or they thought it was junk mail and threw it away."

The BMA also criticises the fact that the information packs do not include the form which allows patients to opt out. It can only be obtained via the internet or by calling a helpline.

Katherine Murphy, of the Patients Association, said: "The Health Service should not put in place bureaucratic obstacles to patient choice because they are worried about what patients might choose to do."

Norman Lamb, the Liberal Democrat health spokesman, said: "The Government needs to end its obsession with massive central databases.

"The NHS IT scheme has been a disastrous waste of money and the national programme should be abandoned."

A spokesman for the Department of Health said that ministers "absolutely support" the right of patients to opt out of the scheme, adding that various options were provided to make this straightforward.

From rforno at infowarrior.org Wed Mar 10 18:50:39 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 10 Mar 2010 13:50:39 -0500
Subject: [Infowarrior] - Comcast Funds BitStalker Anti-Piracy Research
Message-ID: <074EDDB9-0A73-4767-9259-19D148ED588C@infowarrior.org>

Comcast Funds BitStalker Anti-Piracy Research
Written by Ernesto on March 10, 2010
http://torrentfreak.com/comcast-funds-bitstalker-anti-piracy-research-100610/

Together with Cox and Warner Cable, Comcast has aided in the development of a new piracy tracking tool. Named BitStalker, researchers claim it can effectively collect evidence on millions of file-sharers with relative ease. Operators of large BitTorrent trackers have their doubts.
For years the RIAA and other copyright holders have been sending copyright infringement notices to ISPs, requesting they forward them to their customers. ISPs including Comcast have always kindly complied with these requests, but remained a neutral party.

It therefore came as a surprise when we found out that three major US ISPs - Comcast, Cox and Warner Cable - have been funding research which aims to help copyright holders track down and gather evidence against BitTorrent pirates more efficiently.

Unlike most of the "passive" BitTorrent tracking tools that are in fashion today, BitStalker uses an "active" method through which they can actually prove that the BitTorrent client associated with an IP-address is sharing files. Where the passive methods wrongfully accuse 1 in 10 downloaders, BitStalker promises to avoid such false positives.

The researchers who developed BitStalker further claim (pdf) that their tool is much more effective than the current competition, as it would allow copyright holders to get information on 20 million BitTorrent users for a bargain price of $12.40.

What remains unclear, however, is why three large ISPs are interested in funding this project. It is no secret that the RIAA has been pushing Comcast, Cox and other ISPs to take stricter measures against copyright infringers, including the ultimate sanction of terminating customers' Internet access. However, thus far the ISPs have largely maintained their neutral position as information carriers.

Whether the funding of BitStalker's research is a signal that this may change is open for speculation. Another argument for ISPs to join could be that they want to protect their customers from receiving copyright infringement notices in error.

Regarding the BitStalker method of tracking BitTorrent users, we can say that it is not as revolutionary as the researchers portray it.
TorrentFreak spoke to several people who are currently operating the largest BitTorrent trackers on the Internet and none of them was impressed by BitStalker's technology.

If BitStalker is indeed implemented, the large scale monitoring will have to be executed from thousands of IP-addresses. Most trackers have rules in place so that one single IP-address will be banned from the tracker if it connects to too many torrents. Similarly, if BitStalker was put on a cloud service like the research suggests, it wouldn't take long before these IP-ranges would appear in block-lists, rendering BitStalker useless.

If we add to this that BitStalker's active BitTorrent tracking method will require users to be "connectible", which a large percentage of users aren't, this means that it will result in many false negatives. The researchers report that they could only connect to less than half of all available peers, which might be caused in the main by the connectability issue.

Whatever the motivations are for Comcast and the other ISPs to fund this project, the good news is that fewer people will be accused of uploading something they haven't. Whether BitStalker will really be that much more efficient depends on one's definition of efficiency. For now, we doubt that it will result in a global BitTorrent crackdown.

From rforno at infowarrior.org Thu Mar 11 00:24:38 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 10 Mar 2010 19:24:38 -0500
Subject: [Infowarrior] - EU Parliament votes 663-13 against ACTA
Message-ID: <86507C6F-F847-44D8-80F5-544E78DC4F93@infowarrior.org>

EU Parliament votes 663-13 against ACTA's enforcement measures
Cory Doctorow at 7:40 AM March 10, 2010
http://www.boingboing.net/2010/03/10/eu-parliament-votes.html

The European Parliament resoundingly voted against the secret Anti-Counterfeiting Trade Agreement (ACTA), in a resounding 663 to 13 tally.
The parliamentarians defied the EU executive and threatened to take the issue to the European Court of Justice if the EU doesn't reject ACTA's provisions on disconnection for infringement and other enforcement provisions.

A strong majority of MEPs (663 against and 13 in favour) today voted against the Anti-Counterfeiting Trade Agreement (ACTA), arguing that it flouts agreed EU laws on counterfeiting and piracy online.

In addition, the Parliament's decision today states that MEPs will go to the Court of Justice if the EU does not reject ACTA rules, including cutting off users from the Internet "gradually" if caught stealing content.

Though MEPs cannot participate in the ACTA talks, without the consent of the European Parliament, EU negotiators will have to go back to the drawing board and come up with a compromise.

From rforno at infowarrior.org Thu Mar 11 12:56:00 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 11 Mar 2010 07:56:00 -0500
Subject: [Infowarrior] - thoughts on net policy
Message-ID:

(c/o a friend discussing a chat he had with one of his friends, but worthy enough to post here)

A fellow security-geek friend of mine has long compared the current US approach towards the Internet to China's innovation of black powder: One nation invents something that is destined to change the world, and the lives of everyone in it forever after - and that nation then disregards its invention, leaving further innovation and refinement (and the POWER associated with the original invention) to anyone else who wants to pick it up and run with it.

The Chinese invented gunpowder, and said "that's good enough. No need to develop it further." Then some genius on another continent said "hmm, this stuff can make a projectile REALLY fly - what a great new weapon!"

We invented the Internet, and now we're doing everything we can to stifle its growth in this country.
The South Koreans are flat-out obliterating us (and the rest of the world) in broadband penetration, and we're... not even in the top 15.

From rforno at infowarrior.org Thu Mar 11 12:57:09 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 11 Mar 2010 07:57:09 -0500
Subject: [Infowarrior] - more on ...OpEd: The MS 'net tax'
References: <20100310223720.GA20370@gsp.org>
Message-ID: <43A22E25-4C2A-45CD-B9AE-D02B3B52A933@infowarrior.org>

Thanks RK....

-rf

Begin forwarded message:

> From: Rich Kulawiec
> Date: March 10, 2010 5:37:20 PM EST
>
> On Wed, Mar 10, 2010 at 08:07:38AM -0500, Richard Forno wrote:
>> The Charney-Charge: The Health Care Model is Appropriate Framework
>> Richard Forno
>
> Oh, well-played! This is a really good analogy, one which I will be shamelessly swiping (with appropriate credit given, of course).
>
> I've got a rebuttal to a couple of the followup comments on my message to the IP list in draft mode; I don't think Dave will choose to run it, although sometimes he surprises me. Here's part of it, in quasi-raw, quasi-edited form:
>
> ----------------------
> Charney wants to quarantine infected systems? That's nice. Except:
>
> 1. Where was he most of a decade ago when we were pointing out this very problem and saying this very thing? Back then it was several orders of magnitude smaller and *possibly* tractable, although I think even then it was probably a longshot. But now? See next several points.
>
> 2. What's the plan for quarantining (to pick a centrist number) 150M infected systems? Who's gonna pay for that? Microsoft?
>
> I'll pause while everyone laughs at that prospect.
>
> 3. Suppose that through some highly unlikely twist of fate, point 2 actually happens. Great. Now...what's the plan for keeping those systems from being re-infected next week? And who's gonna pay for that?
>
> I'll pause again while everyone refers to Marcus Ranum's:
>
> The Six Dumbest Ideas in Computer Security
> http://www.ranum.com/security/computer_security/editorials/dumb/
>
> to make sure that "the plan" for this point isn't based around one of those. We already KNOW those ideas don't work.
>
> 4. Let's suppose through an even more unlikely twist of fate, that point 3 actually happens. Great. Are we done yet?
>
> No. We're not.
>
> Because we're not going to "see" all the infected systems that aren't doing us the favor of making themselves visible. And our adversaries have long since proven to us that they understand concepts like distributed, fault-tolerant command and control, misdirection, failover -- and reserves.
>
> The only way we have to find all the "sleepers" -- and we know they exist in large numbers, we just don't know how many there are -- is to go to each individual system, boot it from known-clean media, and go over it with a fine-toothed comb. Who's going to do that? And who's going to pay for it?
>
> I'm sure some folks will claim that this step can be omitted. It can't. Please see the McNamara Fallacy. [1] And note that our adversaries have already demonstrated baseline competence in using small footholds to create much larger breaches in a rather short time.
>
> What we have here is classic externalization of costs. It's quite clear that Microsoft should pay for *all* of this, yet they're assiduously trying to pay for *none* of it. (Note how carefully Microsoft's shill avoided taking any corporate responsibility for this mess, choosing to frame it as a generic security problem rather than the Microsoft-only security problem it really is.)
>
> This is the same "business model" as industrialists who use the nearest river as a sewer for their effluent and then do everything possible to avoid culpability for the resulting pollution -- because they don't want to pay the cost of cleaning up the mess they've made, the secondary cost of the damage they've done, or the tertiary costs incurred by those trying to keep themselves from being contaminated.
>
> [1] The McNamara Fallacy:
>
> "The first step is to measure whatever can be easily measured. That is okay as far as it goes. The second step is to disregard that which can't be measured or give it an arbitrary quantitative value. This is artificial and misleading. The third step is to presume that what can't be measured easily really isn't very important. This is blindness. The fourth step is to say that what can't be easily measured doesn't exist. This is suicide."
>
> --- social scientist Daniel Yankelovich describes the "McNamara fallacy". Quoted by Jay Harris, former publisher of the San Jose Mercury News, in a speech explaining why he resigned his post. [http://www.poynter.org/centerpiece/harris.htm]
> ----------------------
>
>
> ---Rsk
>

From rforno at infowarrior.org Thu Mar 11 13:59:39 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 11 Mar 2010 08:59:39 -0500
Subject: [Infowarrior] - Securityfocus.Com Changes
Message-ID:

Change in Focus
SecurityFocus Staff, SecurityFocus
2010-03-10
http://www.securityfocus.com/news/11582

Since its inception in 1999, SecurityFocus has been a mainstay in the security community. From original news content to detailed technical papers and guest columnists, we've strived to be the community's source for all things security related. SecurityFocus was formed with the idea that the community needed a place to come together and share its collected wisdom and knowledge.
At the time, the security community was fairly fragmented with mainstream security information in its infancy. If you worked in security, it was difficult and frustrating to find the information you were looking for because it was scattered across a small number of mailing lists, sites and publications. There was no single place where a community of security professionals could go to get the information they needed and there was a unique opportunity to build a community portal that would provide its users with a destination and voice.

At SecurityFocus, the community has always been our primary focus. We knew then as we know now that providing the community with a place to share information, discuss new ideas and share technologies was critical to staying in touch with the constantly evolving threat landscape. With its purchase of SecurityFocus in 2002, Symantec became one of the first vendors to recognize the importance of maintaining a close relationship with the security community to the point where they made a commitment to its founders to continue to operate SecurityFocus as an independent company with the same mandate - "It's all here - and it's all free."

The threat landscape has changed significantly over the past 10 years and so has the community. What was once a dispersed though vocal collection of users, researchers and analysts has become a much larger and more cohesive community of experts who have endeavored to make security more than just an after-thought. Vendors have also changed significantly, to the point where entire divisions are devoted to security research and education. Today, more information is shared openly within the community than ever before through the use of blogs, threat analysis, and whitepapers as vendors increasingly work with the community to solve today's security challenges.
The enormous growth in dedicated portals and alternative news sources such as social networking sites allows us to get our security news and information from a variety of sources and as a result, it makes sense for SecurityFocus to evaluate how best to serve its readers. With this in mind, the time is right for SecurityFocus to focus more on its core components.

Beginning March 15, 2010 SecurityFocus will begin a transition of its content to Symantec Connect. As part of its continued commitment to the community, all of SecurityFocus' mailing lists including Bugtraq and its Vulnerability Database will remain online at www.securityfocus.com. There will not be any changes to any of the list charters or policies and the same teams who have moderated list traffic will continue to do so. The vulnerability database will continue to be updated and made available as it is currently. DeepSight and other security intelligence related offerings will remain unchanged while Infocus articles, whitepapers, and other SecurityFocus content will be available off of the main Symantec website in the coming months.

While the news portal section of SecurityFocus will no longer be offered, we think our readers will be better served by this change as we combine our efforts with Symantec Connect and continue to provide a valuable service to the community. As always, if you have any questions or concerns you can reach us at editor-at-securityfocus-dot-com.

From rforno at infowarrior.org Thu Mar 11 14:08:26 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 11 Mar 2010 09:08:26 -0500
Subject: [Infowarrior] - How obscure security makes school suck
Message-ID:

http://boingboing.net/features/security.html

How obscure security makes school suck
By James Stephenson

I graduated from Virginia's public schooling system two years ago, but my memories of it are fresh. After all, my little sister is still there. Being a kid today sucks.
I couldn't tell you if it sucks more or less than other generations because I wasn't a part of them. But I can tell you that the reasons why it sucks are new -- and about some of the unfair acts perpetrated in the name of education.

Unlike the webcam snoopers of Lower Merion school district, ours doesn't have the money to buy every kid a laptop. That will probably change soon; the cost of laptops is plummeting. If our school district (and most school districts in the US) don't have a laptop for every child within the next five years, it'd be a surprise. And when my school district gives out hardware, I'm certain that the administrators would watch us with them if they could, just like the students at Harriton High School.

The thing to remember about the public schools of today is that students are treated worse than criminals. Everyone is presumed guilty until proven innocent.

I remember the day they installed the cameras in my high school. Everyone was surprised when we walked in and saw them hanging ominously from the ceiling. Everyone except me: I moved to rural Virginia from the wealthier and more heavily populated region of northern Virginia. Cameras have watched me since middle school. So I wasn't surprised, just disappointed. "What have we done?" asked one of my friends. It felt like the faculty was punishing us for something.

A common justification for cameras is that they make students safer, and make them feel more secure. I can tell you from first hand experience that that argument is bullshit. Columbine had cameras, but they didn't make the 15 people who died there any safer. Cameras don't make you feel more secure; they make you feel twitchy and paranoid. Some people say that the only people who don't like school cameras are the people that have something to hide. But having the cameras is a constant reminder that the school does not trust you and that the school is worried your fellow classmates might go on some sort of killing rampage.
Cameras aren't the worst of the privacy violations. Staff perform random searches of cars and lockers. Most of the kids know about locker searches because they see the administration going through their stuff in the hall. But not everyone knows about the car searches, all the way out in the parking lot where administrators aren't likely to be observed. (People don't often bother to lock their cars, either).

My best friend found out about the car searches the hard way during our senior year. They searched his car and found a stage sword in his trunk. It was a harmless fake, the kind of sword that is used as a prop on stage. My friend is a live-action role playing enthusiast, and he had planned on going to a friend's house to fool around after school. But the school has a zero tolerance policy on "weapons." He was expelled.

The school claimed that he had "recourse." He could have appealed his case--to the same administration that had kicked him out. But the injustice of it is that he was kicked out first, and only then offered a hearing. Guilty until proven innocent.

This could have easily have happened to me. One time when I was still in middle school, I went on a camping trip with my scout troop. As usual I packed my camping equipment in the same backpack I used for school. Only when the weekend was over and I went back to school, I realized with horror that my pocket knife was still stuck in the bottom of my backpack. If administrators had searched my bag, not only would I have been expelled, I could have been arrested.

The sad thing is that the school district I've described is one of the better ones. In northern Virginia, the measures are even more Draconian. They have heavily-armed and -armored police officers roaming the halls. Students undergo a mandatory security orientation during their first week of middle school. In it, a police officer goes through the implements they carry at all times.
The policewoman who performed the demo I attended showed us how she always wore a bulletproof vest, and carried handcuffs, cable-tie style restraints, a large knife, a can of mace, and a retractable steel baton. "It's nonlethal, kids," she said. "But you don't want me to have to shatter your kneecaps with it." She also wore a pistol with exactly thirteen rounds: one in the chamber, 12 in the clip. She could have taken out a terrorist or two; which I guess is what they were expecting some of us to be. At the tender age of 12, this made quite an impression on me, and I still remember the event clearly.

But these methods were useless in keeping me or any of my classmates safe. They didn't stop the kid who flashed a gun at me, or the bully who took a swipe at me with a switchblade.

Some people say youngsters are more disrespectful than ever before. But if you were in an environment where you were constantly being treated as a criminal, would you still be respectful?

In high school, one of my favorite English teachers never had trouble with her students. The students in her class were the most well behaved in the school--even if they were horrible in other teachers' classes. We were well-mannered, addressed her as "Ma'am," and stood when she entered the room. Other teachers were astonished that she could manage her students so well, especially since many of them were troublemakers. She accomplished this not through harsh discipline, but by treating us with respect and being genuinely hurt if we did not return it.

Being a kid of my generation isn't all bad. Thanks to the Internet, if we want to study something it's a matter of seconds before the relevant encyclopedia article is before us. It makes doing research papers a heck of a lot easier, even if most teachers won't accept Wikipedia as a source (Pro tip: teachers rarely check sources, so in a pinch, read the sources that are linked from the Wikipedia article and cite them instead).
And even if there are lots of bullying administrators, there are many good teachers, too. Heaven bless the long-suffering school librarians: the library was the one place I enjoyed in school. I could always find a good book to read there, and they even had manga. My librarians were interested and helpful, and always wanted to chat about what you were currently reading. The Library and a few good teachers are what kept me from dropping out. It's a shame that the football team got a bigger budget than the Library.

Petty acts of rebellion--and innocent little covert activities--kept our spirits up. The school's computer network may have been censored, but the sneakernet is alive and well. Just like in times past, high school students don't have much money to buy music, movies or games, but all are avidly traded at every American high school. It used to be tapes; now it's thumbdrives and flash disks. My friends and I once started an underground leaflet campaign that was a lot of fun. I even read about a girl who ran a library of banned books out of her locker. These trivial things are more important than they seem because they make students feel like they have some measure of control over their lives.

Schools today are not training students to be good citizens: they are training students to be obedient.

James is starting a new blog about being a scho

From rforno at infowarrior.org Thu Mar 11 14:12:52 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 11 Mar 2010 09:12:52 -0500
Subject: [Infowarrior] - TSA: Epic Fail (of infosec 101)
Message-ID: <378DED27-0CBC-4598-A7CD-FFB6311DECA3@infowarrior.org>

Epic Fail!!

For years we advise clients that if you're going to fire someone who has access to sensitive systems you cut off their access *before* you fire them, and you escort them from the building.

So what did TSA do? Gave this guy two weeks' notice and did nothing about his access to sensitive national security systems.

Theatrical Security Agency, anyone?
-rick

Former TSA analyst charged with computer tampering
He allegedly tried to tamper with databases that track possible terrorists
Robert McMillan (IDG News Service) 11 March, 2010 08:09
http://www.goodgearguide.com.au/article/339185/former_tsa_analyst_charged_computer_tampering/

A U.S. Transport Security Administration analyst has been indicted for tampering with databases used by the TSA to identify possible terrorists who may be trying to fly in the U.S. Douglas James Duchak, 46, was indicted by a grand jury Wednesday on two counts of damaging protected computers. According to a federal indictment, Duchak tried to compromise computers at the TSA's Colorado Springs Operations Center (CSOC) on Oct. 22, 2009, seven days after he'd been given two weeks' notice that he was being dismissed. He was also charged with tampering with a TSA server that contained data from the U.S. Marshal's Service Warrant Information Network. He "knowingly transmitted code into the CSOC server that contained the Terrorist Screening Database, and thereby attempted intentionally to cause damage to the CSOC computer and database," prosecutors said Wednesday in a press release. Duchak, who had been with the TSA for about five years at the time, was responsible for keeping TSA servers up-to-date with information received from the terrorist screening database and the United States Marshal's Service Warrant Information Network. If convicted, Duchak faces 10 years in prison. He was expected to make his initial appearance in federal court in Denver Wednesday.

From rforno at infowarrior.org Fri Mar 12 02:23:23 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 11 Mar 2010 21:23:23 -0500
Subject: [Infowarrior] - Report Details How Lehman Hid Its Woes as It Collapsed
Message-ID:

(Report files @ http://lehmanreport.jenner.com/)

March 11, 2010
Report Details How Lehman Hid Its Woes as It Collapsed
By MICHAEL J.
de la MERCED and ANDREW ROSS SORKIN
http://www.nytimes.com/2010/03/12/business/12lehman.html?hp=&pagewanted=print

It is the Wall Street equivalent of a coroner's report -- a 2,200-page document that lays out, in new and startling detail, how Lehman Brothers used accounting sleight of hand to conceal the bad investments that led to its undoing. The report, compiled by an examiner for the now-bankrupt bank, hit Wall Street with a thud late Thursday. The 158-year-old company, it concluded, died from multiple causes. Among them were bad mortgage holdings and, less directly, demands by two rivals, JPMorgan Chase and Citigroup, that the foundering bank post collateral against loans it desperately needed. But the examiner, Anton R. Valukas, also for the first time laid out what the report characterized as "materially misleading" accounting gimmicks that Lehman used to mask the perilous state of its finances. The bank's bankruptcy, the largest in American history, shook the financial world. Fears that other banks might topple in a cascade of failures eventually led Washington to arrange a sweeping rescue for the nation's financial system. According to the report, Lehman used what amounted to financial engineering to temporarily shuffle $50 billion off its books in the months before its collapse in September 2008 to conceal its dependence on leverage, or borrowed money. Senior Lehman executives, as well as the bank's accountants at Ernst & Young, were aware of the moves, according to Mr. Valukas, a partner at the law firm Jenner & Block, who filed the report in connection with Lehman's bankruptcy case. Richard S. Fuld Jr., Lehman's former chief executive, certified the misleading accounts, the report said. "Unbeknownst to the investing public, rating agencies, government regulators, and Lehman's board of directors, Lehman reverse engineered the firm's net leverage ratio for public consumption," Mr. Valukas wrote. Mr. Fuld was "at least grossly negligent," the report states.
Henry M. Paulson Jr., who was then the Treasury secretary, warned Mr. Fuld that Lehman might fail unless it stabilized its finances or found a buyer. Lehman executives engaged in what the report characterized as "actionable balance sheet manipulation," in addition to "nonculpable errors of business judgment." The report draws no conclusions as to whether Lehman executives violated securities laws. But it does suggest that enough evidence exists for potential civil claims. Lehman executives are already plaintiffs in civil suits, but have not been charged with criminal wrongdoing. The report comes more than a year and a half after much of Lehman was sold to Barclays, which occupies Lehman's former offices in Midtown Manhattan. A large portion of the nine-volume report centers on the accounting maneuvers, known inside Lehman as "Repo 105." First used in 2001, long before the crisis struck, Repo 105 involved transactions that secretly moved billions of dollars off Lehman's books at a time the bank was under heavy scrutiny. According to Mr. Valukas, Mr. Fuld ordered Lehman executives to reduce the bank's debt levels, and senior officials sought repeatedly to apply Repo 105 to dress up the firm's results. Other executives named in the examiner's report in connection with the use of the accounting tool include three former Lehman chief financial officers: Christopher O'Meara, Erin Callan and Ian Lowitt. Patricia Hynes, a lawyer for Mr. Fuld, said in an e-mailed statement that Mr. Fuld "did not know what those transactions were -- he didn't structure or negotiate them, nor was he aware of their accounting treatment." Charles Perkins, a spokesman for Ernst & Young, said in an e-mailed statement: "Our last audit of the company was for the fiscal year ending Nov. 30, 2007. Our opinion indicated that Lehman's financial statements for that year were fairly presented in accordance with Generally Accepted Accounting Principles (GAAP), and we remain of that view."
Bryan Marsal, Lehman's current chief executive who is unwinding the firm, said in a statement, "We have just received this voluminous report and will carefully evaluate it in the coming weeks to assess how it might help us in our ongoing efforts to advance creditor interests." Repos, short for repurchase agreements, are a standard practice on Wall Street, representing short-term loans that provide sometimes crucial financing. But Lehman used aggressive accounting in its Repo 105 transactions, allowing them to move withering assets off its books to help hit end-of-quarter targets. In a series of e-mail messages cited by the examiner, one Lehman executive writes of Repo 105: "It's basically window-dressing." Another responds: "I see ... so it's legally do-able but doesn't look good when we actually do it? Does the rest of the street do it? Also is that why we have so much BS [balance sheet] to Rates Europe?" The first executive replies: "Yes, No and yes. :)" Mr. Valukas writes in the report that "colorable claims" could be made against some former Lehman executives and Ernst & Young, meaning that enough evidence existed that could lead to the awarding of damages in a trial. He added that Lehman's directors were not aware of the accounting engineering. By his reckoning, Lehman managed to "shed" about $39 billion from its balance sheet at the end of the fourth quarter of 2007, $49 billion in the first quarter of 2008 and $50 billion in the second quarter. At that time, Lehman sought to reassure the public that its finances were fine -- despite pressure from short-sellers. Executives, including Herbert McDade, who was known internally as the firm's "balance sheet czar," seemed aware that repeatedly using Repo 105 was disguising the true health of the investment bank. "I am very aware ... it is another drug we r on," he wrote in an April 2008 e-mail cited by the examiner's report.
By May and June of 2008, a Lehman senior vice president, Matthew Lee, wrote to senior management and the firm's auditors at Ernst & Young flagging "accounting improprieties." Neither Lehman executives nor Ernst & Young alerted the firm's board about Mr. Lee's allegations, according to the report. Mr. Fuld is described in the examiner's report as denying having knowledge of the Repo 105 transactions, though he recalled issuing several directives to reduce the firm's debt levels. Mr. McDade is reported as telling Mr. Fuld about using Repo 105 to achieve that goal.

From rforno at infowarrior.org Fri Mar 12 02:26:53 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 11 Mar 2010 21:26:53 -0500
Subject: [Infowarrior] - The MPAA says the movie business is great. Unless it's lousy.
Message-ID: <6F25835A-779D-4B54-9AE5-D80D314F00DE@infowarrior.org>

The MPAA says the movie business is great. Unless it's lousy.
http://voices.washingtonpost.com/fasterforward/2010/03/mpaa_box_office_bragging.html?hpid=sec-tech

The Motion Picture Association of America issued its annual report on the movie business yesterday -- and to hear the MPAA say it, things have never been better for Hollywood. In a press release (PDF), the District-based trade group touted the findings of its Theatrical Market Statistics Report: ... global box office receipts reached an all time high of $29.9 billion, an increase of 7.6% over 2008 and almost 30% from 2005. The U.S./Canada market reached $10.6 billion, an increase of more than 10%, and International receipts increased 6.3% to $19.3 billion in 2009 .... Ticket sales in the U.S. and Canada rose more than 5.5% from 2008, the first admissions increase in two years. Per capita ticket purchases in the U.S. and Canada also increased 4.6% to 4.3 tickets per person, the first significant increase since 2002.
The release also noted major advances in digital technology -- theaters now have more than 16,000 digital screens worldwide, up 86 percent from last year -- and 3D -- 8,989 screens worldwide, 6 percent of the total. But the number of films produced in the U.S. dropped 12 percent last year. The full report (PDF) offers such added details as the average ticket price ($7.50) and the number of drive-in theaters in the U.S. (we only have 689 left), though the L.A. Times notes that it no longer cites the average cost to make and market a movie. Considering the crummy state of the economy, any industry would be delighted to have a report card like that. The funny thing is, you wouldn't know that the movie business was doing so well from other MPAA announcements. Take, for instance, the December press release (PDF) in which MPAA chairman Dan Glickman suggested that unauthorized copies of movies were running the industry into the ground: Yet our industry faces the relentless challenge of the theft of its creative content, a challenge extracting an increasingly unbearable cost. So is the movie business terrific or terrible? Asked to clarify, MPAA spokesman Howard Gantman said the industry suffers the greatest damage from fraudulent copies (he said "piracy," but I disagree with that usage) in the post-theatrical markets -- video-on-demand, downloads, DVD and Blu-ray. Gantman pointed to a study released at the end of 2009 by Adams Media Research that reported a 13 percent drop in U.S. DVD and Blu-ray movie sales, to $8.73 billion. (Blu-ray sales made up roughly $1.1 billion of that total.) That made 2009 the first year since 2002 that movie disc sales fell below U.S. box-office revenues. But the Adams report, at least as summarized by Reuters, did not cite file-sharing or bootleg copies as reasons for that decline. 
Instead, it pointed to "the rise of low-cost rental options, such as Coinstar Inc's kiosk chain Redbox, which rents DVDs for $1 a day, and online subscription services such as Netflix." I'm not saying that the movie industry doesn't have problems, or that people grabbing movies off the Internet without paying for them isn't one of them (though I will note that the best counterattack against file sharing is a good selection of fairly priced movie downloads). But if the MPAA is going to brag about how great it's doing, it seems reasonable to ask that movie studios go to the end of the line of companies seeking help from Washington.

From rforno at infowarrior.org Fri Mar 12 13:14:43 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 12 Mar 2010 08:14:43 -0500
Subject: [Infowarrior] - Big Media or Big SEO Spammers?
Message-ID: <6B4E3227-737B-4D65-A8FF-6ECFAF4155C3@infowarrior.org>

Big Media or Big SEO Spammers?
By Om Malik Mar. 10, 2010, 8:30pm PST
http://gigaom.com/2010/03/10/big-media-or-big-seo-spammers/

Updated: Faced with declining revenues and increasingly dismal prospects, some mainstream media outlets are adopting questionable tactics, specifically dead-end web pages stuffed with outbound links and pay-per-click ads. A liberally funded LA startup is only too quick to help them. The story starts with San Francisco-based sex writer Violet Blue. She used to be a columnist for the San Francisco Chronicle, the SF daily with ever-declining circulation. Recently, while writing a column, she did a search through the archives of SFGate.com, the online presence of the Chron. She discovered that the web site was "copying" and "distorting" her column archives. (Here's the link -- Warning: Not Safe for Work) Here's how she describes what she saw: The column had been stripped of all links, and divided across several pages. My bio was missing, as were all the comments. Freakishly, all the commas were gone. And the URL had been changed.
The address was comprised of words; to my horror the URL had been keyworded to say "ashamed porn star" -- the exact opposite of the article's content. There is a much bigger story here. It's all in what's going on with archive duplication and the nation's old media newspapers online. I think that the work done to the duped content is done for the purpose of SEO (Search Engine Optimization). The idea here seems to be stripping content, duplicating it, make SEO'd content that is a dead end for readers, and drive up results with cost per click ads. The San Francisco Chronicle, it seems, like the Los Angeles Times, is using the technology of an LA-based startup, Perfect Market, which has raised $20 million from Trinity Ventures, Rustic Canyon Ventures and others. Tim Oren, a venture capitalist at The Pacifica Fund, on his blog, Due Diligence, points out that while there's nothing illegal about what the newspapers are doing, it does border on scraping. Typically, spammers scrape web sites, then set up shadow blogs and fill them with pay-per-click ads. As Oren writes: The keyword and ad-stuffed dead end pages apparently produced by Perfect Markets's technology are isomorphic, from a search company's point of view, to those created by more questionable tactics such as scraping. The intent is the same: to spam the index. This is the behavior that routinely gets questionable sites shoved to Google's back pages, or banished altogether. One has to wonder just how long this type of abuse will be tolerated, simply because it's being practiced by a recognized media outlet.
< - >

http://gigaom.com/2010/03/10/big-media-or-big-seo-spammers/

From rforno at infowarrior.org Fri Mar 12 20:26:46 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 12 Mar 2010 15:26:46 -0500
Subject: [Infowarrior] - Suicide bomb plot suspect 'volunteered as British Airways cabin crew'
References: <4B9AA213.7080802@inetassoc.com>
Message-ID:

Begin forwarded message:

> From: Duane Schell
> Date: March 12, 2010 3:20:35 PM EST
>
> http://www.timesonline.co.uk/tol/news/uk/crime/article7058145.ece?print=yes&randnum=1268425079716
>
> From Times Online
> March 11, 2010
>
> Suicide bomb plot suspect 'volunteered as British Airways cabin crew'
> *By Nico Hines *
>
> A British Airways computer expert charged with terror offences planned to take advantage of a strike by BA staff to become a temporary member of the cabin crew, a court heard today.
>
> Rajib Karim, 30, from Newcastle upon Tyne, faces three charges under counter terrorism legislation. He is accused of two counts of planning suicide bombings and his own martyrdom.
>
> It is alleged that Mr Karim came to Britain, obtained a passport and secured a job at the airline as part of the conspiracy.
>
> Prosecutor Colin Gibbs told City of Westminster Magistrates' Court that the charge sheet alleges he shared information about his work, including security measures, and offered to take advantage of planned strikes by BA staff to join the airline's cabin crew.
>
> Anti-terrorist sources told The Times last night that investigations were continuing into possible contact between Mr Karim and militants in Yemen from where al-Qaeda launched its failed attempt to bring down a US airliner over Detroit at Christmas.
>
> The terror threat level in Britain was raised to "severe" in January after the attempted Detroit attack which was allegedly carried out by Umar Farouk Abdulmutallab, a former student at University College London, who had explosives sewn into his underwear.
> The computer expert also faces a charge alleging that he collected money and transferred it through trusted associates and wire services to terrorist associates overseas. The offences are alleged to have taken place between April 2006 and February this year.
>
> Mr Karim was arrested by officers from Scotland Yard's Counter Terrorism Command, working with colleagues in the north east of England, on February 25.
>
> They raided the office complex where he worked in Newcastle as a computer software developer and searched his home in the city.
>
> Forensic specialists are continuing to sift through hundreds of files held on computers seized from his workplace and home.
>
> Urgent inquiries are also understood to be under way in Bangladesh, Pakistan and Yemen to trace the others allegedly involved.
>
> Mr Karim, a well-built man with a thin beard and close-cropped hair, spoke only to confirm his name and date of birth during the 15-minute hearing. He wore a black fleece.
>
> His solicitor James Nicolls said he did not want his client's address made public over fears of reprisal attacks against his young family. He did not apply for bail.
>
> District Judge Timothy Workman remanded Mr Karim in custody and adjourned the case until March 26 at the Old Bailey.
>
> Scotland Yard also arrested three men in Slough, Berkshire, during the inquiry.
>
> They were released without charge on Tuesday.

From rforno at infowarrior.org Sat Mar 13 03:25:38 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 12 Mar 2010 22:25:38 -0500
Subject: [Infowarrior] - Irony Alert: Rep. Howard Berman
Message-ID: <963A1B5D-0649-4D50-A940-8403DEE109AA@infowarrior.org>

(The irony is, this is the same Congresscritter who in 2002 proposed legislation to allow the entertainment industry to disable the computers of people it believed were infringing on their products.
I wrote about it at http://www.securityfocus.com/columnists/99 -rick)

Irony Alert: Hollywood Howard Berman To Introduce 'Internet Freedom' Bill
from the are-you-serious? dept
http://techdirt.com/articles/20100312/0129208532.shtml

Earlier this year we noted this was likely, but now it appears that Rep. Howard Berman is getting ready to introduce an "Internet Freedom Bill," that would limit how US companies could operate in "internet-restricting countries." Now, we've already pointed out that it's odd to see politicians pushing such bills when the US itself is pushing to restrict the internet in similar ways -- but it's particularly ironic with Berman. In supporting this new legislation, Berman notes: He's trying to figure out "what's the most effective thing we can do to help people in countries where the government is" seeking to restrict Internet freedom. But, here's the thing. Howard Berman, who literally is the Representative for (part of) Hollywood, has been a very, very, very strong proponent of restricting internet freedoms any chance he gets -- as long as those restrictions are part of Hollywood's plan to prop up its business model. Berman famously proposed letting companies hack into file sharing networks to break them a few years back. He's also been a major proponent of turning ISPs into copyright cops, and (of course) was actively involved in the initial planning for ACTA. He's also sought to limit the ability for people to access publicly funded research, claiming that he didn't want the "N" in NIH to "stand for Napster." Perhaps before passing legislation to try to punish other countries for their internet restrictions, Berman should take a long hard look in the mirror, at his own long and detailed history of supporting internet restrictions in the US.
Separately, with the news coming out that New Zealand has just started rolling out its own internet censoring system, it will be interesting to see if Berman's legislation includes "friendly" countries like New Zealand and Australia that push internet censorship.

From rforno at infowarrior.org Sat Mar 13 14:19:44 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 13 Mar 2010 09:19:44 -0500
Subject: [Infowarrior] - Why no one cares about privacy anymore
Message-ID: <934C998B-E66D-4ACA-B9CD-87B5DD71A17D@infowarrior.org>

Why no one cares about privacy anymore
by Declan McCullagh
http://news.cnet.com/8301-13578_3-20000336-38.html

Google co-founder Sergey Brin adores the company's social network called Google Buzz. We know this because an engineer working five feet from Brin used Google Buzz to say so. "I just finished eating dinner with Sergey and four other Buzz engineers in one of Google's cafes," engineer John Costigan wrote a day after the Twitter-and-Facebook-esque service was announced. "He was particularly impressed with the smooth launch and the great media response it generated." You might call Brin's enthusiasm premature, especially since privacy criticisms prompted Google to make a series of quick changes a few days later. Activists have asked the Federal Trade Commission to "compel" Google to reprogram Buzz a third time to adhere to the no doubt well-informed specifications of Beltway lawyers. A class action lawsuit filed on behalf of an aggrieved second-year law student is underway. But a funny thing happened on the way to the courthouse: relatively few Google Buzz users seem to mind. Within four days of its launch, millions of people proved Brin right by using the messaging service to publish 9 million posts.
A backlash to the backlash developed, with more thoughtful commentators pointing out that Google Buzz disclosed your "followers" and who you were "following" only if you had elected to publish that information publicly on your Google profile in the first place. My hunch is that Google Buzz will continue to grow because, after nearly a decade of social-networking experiences (its great-granddaddy, Friendster, started in early 2002), Internet users have grown accustomed to informational exhibitionism. The default setting for a Buzz message is public, and Buzz-ers using mobile phones are prompted to disclose their locations. Norms are changing, with confidentiality giving way to openness. Participating in YouTube, Loopt, FriendFeed, Flickr, and other elements of modern digital society means giving up some privacy, yet millions of people are willing to make that trade-off every day. Of people with an online profile, nearly 40 percent have disabled privacy settings so anyone may view it, according to a Pew Internet survey released a year ago. The percentage is probably higher today. No doubt critics of Google Buzz would reply that accidental disclosure of some correspondents was ample reason to worry. While it's true that privacy options at first were not as obvious as they could have been, they did exist. Even the original version let you edit the "auto-following" list and preview your profile to see how you'd appear to others. (If you're that sensitive about your privacy, especially on a free service, why not take a moment to click that link?)

Different people, different privacy preferences

Much of our modern concept of privacy can be traced to an 1890 law review article by Samuel Warren and future Supreme Court Justice Louis Brandeis. They complained that "the law must afford some remedy for the unauthorized circulation of portraits of private persons" and sympathized with those who were "victims of journalistic enterprise."
If this sounds like Barbra Streisand's famously futile privacy lawsuit against a photographer who dared to take an aerial snapshot of her Malibu beach home, it is. What outraged Warren was a rather tame society article in a Boston newspaper about a lavish breakfast party that he had organized for his daughter's wedding. (Like the censor-happy Streisand, Brandeis and Warren paid scant attention to the First Amendment's guarantee of freedom of the press.) Fortunately, courts have not embraced all of Warren and Brandeis' arguments, and American citizens are not as muzzled today as those two would have wished. A lawsuit that a Pennsylvania couple filed against Google Street View, for the clearly felonious act of publishing a photograph of their house that mirrored what was on the county tax assessor's Web site, recently met with an ignominious end. "As a social good," says Richard Posner, the federal judge and iconoclastic conservative, "I think privacy is greatly overrated because privacy basically means concealment. People conceal things in order to fool other people about them. They want to appear healthier than they are, smarter, more honest and so forth." That isn't a defense of snooping as much as a warning of the flip side of privacy--concealing facts that are discreditable, including those that other people have a legitimate reason for knowing. The truth about privacy is counter-intuitive: less of it can lead to a more virtuous society. Markets function more efficiently when it's cheap to identify and deliver the right product to the right person at the right time. Behavioral targeting allows you to see relevant, interesting Web ads instead of irrelevant, annoying ones. The ability to identify customers unlikely to pay their bills lets stores offer better deals to those people who will. Anyone who's spent a moment reading comments on blogs or news articles knows that encouraging participants to keep their identities private generates vitriol or worse.
Thoughtful discussions tend to arise when identities are public. Without that, as Adam Smith wrote about an anonymous man in a large city in The Wealth of Nations, he is likely to "abandon himself to every low profligacy and vice." Privacy relinquishment is the business model behind exhibitionistic start-ups like Blippy.com, which lets users broadcast what they buy from Amazon, iTunes, and other sites. Other users are invited to submit critiques. After a Blippy user named Joe Greenstein purchased an iPhone app titled "SpeedDate--Dating for Singles of any Sex," it didn't take long for the discussion to turn risque. One fellow wondered: "Are you really 'dating singles of any sex?'" Another asked: "What gives, Joe. Did you break up with your gal?" The original poster replied: "Yes, to breakup. Yes, to dating singles of any sex." Location-disclosing services are proliferating. Twitter now permits users to include geolocation data in messages, and the company has told developers to "encourage" users to enable the feature. Start-ups like Brightkite and Loopt let you select who can monitor your GPS-derived location, moment-by-moment, through your cell phone. Google Latitude is similar; Foursquare and Dopplr let you disclose your whereabouts more selectively. A report this week said that Facebook may do the same. Medical privacy is, in some cases, being selectively discarded. Cancer patients share intimate details on survivor discussion sites. On theKnot.com, theNest.com, and theBump.com, members often tell other community members they're pregnant before they tell their families, and often don't bother to conceal their identities. These discussion areas go beyond support networks; they've become additions to and substitutes for in-person conversations. Commercial data-mining is reaching its apogee at companies like Amazon.com, Last.fm, Apple, and Netflix that use it to do nothing more sinister than suggest relevant books or movies.
Customers applauded when Netflix offered $1 million to anyone who could improve its recommendation engine; a team including three AT&T researchers claimed the prize last September. Netflix's next contest will require entrants to crunch millions of chunks of demographic data, including age, sex, ZIP code, and previously rented movies, and then predict which movies those people will like.

Generation X-hibitionist

If any of this concerns you, then you didn't grow up with the Internet. It's difficult to overstate how thoroughly today's youth--call them Generation X-hibitionist--have adjusted to living in a world of porn spam and Viagra ads that utterly lacks quaint 20th-century conceptions of privacy. (When dealing with the police, privacy is a Fourth Amendment right; when dealing with Blippy, it's a mere preference.) A 2008 Harris Interactive/CTIA survey of more than 2,000 American teens confirms that youth are least worried about privacy. Only 41 percent were concerned; 59 percent were happy to provide personal information to marketers. Compare this to a Harris poll conducted in 1998, the same year Google was founded, that found a remarkable 80 percent of people were hesitant to shop online because of privacy worries. Fast forward 12 years and we're bragging on Blippy about what we bought with our Mastercard.

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people--and that social norm is just something that has evolved over time."
--Mark Zuckerberg, CEO, Facebook

Perhaps this disinterest in traditional concepts of privacy is one reason why Twitter (originally public) is growing so much faster than Facebook (originally private). While Facebook's remarkable share of global Internet eyeballs doubled last year, according to Alexa.com, Twitter's grew tenfold. Because Facebook has such a large audience, it can no longer grow as fast.
But one advantage that Twitter has is that its founders intentionally chose openness and offered simpler choices. With mere followers instead of friends, there's no need to worry about whether someone qualifies as an intimate or not. Much of this change is generational. But it also happens when folks old enough to remember cassette tapes and President George H.W. Bush become more comfortable with disclosure. It was only three years ago that Time magazine wondered if Google Street View was "an invasion of privacy." Now even municipal IT departments, including those of Atlanta and Lynchburg, Va., have found uses for it. Does anyone remember when the Electronic Privacy Information Center claimed in 2004 that Google's Gmail somehow violated wiretap laws? Hundreds of millions of satisfied users later, we know that nobody else cared. At a technology conference in January, Facebook CEO Mark Zuckerberg told his audience that Internet users don't care as much about privacy anymore. The 25-year-old said that, in the seven years since he started the company, "people have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people--and that social norm is just something that has evolved over time." Zuckerberg defended the company's decision in December to push users to reveal more, saying "we decided that these would be the social norms now and we just went for it." That change drew the same wails of protest that greeted Google Buzz. Advocacy groups wrote an alarmist note to federal regulators demanding an injunction on grounds that the changes "harm the public interest"--effectively substituting a small clique's privacy preferences for everyone else's. The ACLU announced a letter-writing campaign. The Federal Trade Commission noted, ominously, that Facebook's changes are "of particular interest to us."
About the only thing missing--no doubt a press release is being drafted this very moment--is a class action lawsuit to enrich plaintiffs' attorneys while resulting in no measurable changes to Facebook.com. But as regulatory enthusiasts in Washington were attempting ritualistic divinations of the public interest, something different was happening on the Web: the actual public didn't care. Instead of abandoning the site en masse, Facebook users clicked through a few menus of options and went on with their lives. A protest group titled "Facebook! Fix the Privacy Settings" drew a mere 3,400 of more than 350 million users, less than one-thousandth of 1 percent. Compare that unconcern with the number of people who turned their attention to such weighty topics as "Chuck Norris Facts" (more than 225,000), "Physics Doesn't Exist, It's All Gnomes" (more than 76,000), and "I Flip My Pillow Over To Get To The Cold Side" group (nearly 1 million). One reason why Zuckerberg's who-needs-privacy argument works is that, through a growing collection of these services with unusual vowel counts, we're choosing what to share. Unlike interactions with government snoops, these are voluntary: Give up a bit of privacy to get a service for free, and everyone benefits (except perhaps rivals that used to charge). Zuckerberg's own approach to privacy mirrors his company's. His public Facebook profile shows him snuggling up to a teddy bear and attempting to walk while tied to what appears to be a co-worker dressed as a banana. Another photographic montage captures Zuckerberg at his sister's wedding in Jamaica, smiling bravely while wearing a fluorescent vest matching the bridesmaids' turquoise gowns. There are photos of Zuck The Party Animal at a 2006 kegger, and others with his girlfriend Priscilla at an honest-to-goodness Silicon Valley bison roast. The most telling informational tidbit may be that the Keds-sporting entrepreneur is, officially and publicly, a "fan" of himself. 
Perhaps the real issue is not technology but psychology. Irwin Altman, a professor emeritus in the University of Utah's psychology department, created one of the more widely cited theories of privacy before Facebook's founder was born. "If one can choose how much or how little to divulge about oneself to another voluntarily, privacy is maintained," Altman wrote, effectively blessing the social media of a generation later. "If another person can influence how much information we divulge about ourselves or how much information input we let in about others, a lower level of privacy exists."

Now those boundaries are so fluid. Fifty years ago Mark Zuckerberg would have been seen as disclosing far too much information. Doesn't that guy need help, or at least therapy? Now it makes him a very normal, by the standards of his generation, Internet billionaire.

Disclosure: The author is married to a Google employee who was not involved with Google Buzz.

From rforno at infowarrior.org Sat Mar 13 17:03:56 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 13 Mar 2010 12:03:56 -0500 Subject: [Infowarrior] - Obama Sides with RIAA, MPAA; Backs ACTA Message-ID: <25CE421C-E613-47D5-9B9E-398062C5056A@infowarrior.org>

(Let's not forget that Ari, the brother of Rahm Emanuel, the WH Chief of Staff, is a bigshot in the entertainment industry. And oh yes -- the DOJ IP shop is staffed with ex- or pro-Hollywood lawyers. Coincidence? -rick)

Obama Sides with RIAA, MPAA; Backs ACTA
posted by Thom Holwerda on Fri 12th Mar 2010 23:18 UTC
http://www.osnews.com/story/23002/Obama_Sides_with_RIAA_MPAA_Backs_ACTA

And thus, our true colours reveal. Since Obama was the young newcomer, technically savvy, many of us were hoping that he might support patent and/or copyright reform. In case our story earlier on this subject didn't already tip you off, this certainly will: Obama has sided squarely with the RIAA/MPAA lobby, and backs ACTA.
No copyright and/or patent reform for you, American citizens! Obama made the remarks in a speech at the Export-Import Bank's annual conference in Washington. "We're going to aggressively protect our intellectual property," Obama said in his speech, "Our single greatest asset is the innovation and the ingenuity and creativity of the American people [...] It is essential to our prosperity and it will only become more so in this century. But it's only a competitive advantage if our companies know that someone else can't just steal that idea and duplicate it with cheaper inputs and labor." "There's nothing wrong with other people using our technologies, we welcome it," Obama continued, "We just want to make sure that it's licensed and that American businesses are getting paid appropriately. That's why the [US Trade Representative] is using the full arsenal of tools available to crack down on practices that blatantly harm our businesses, and that includes negotiating proper protections and enforcing our existing agreements, and moving forward on new agreements, including the proposed Anti-Counterfeiting Trade Agreement." It seems that the RIAA, MPAA, and similar organisations have been successful in lobbying the US administration into supporting their cause. This means that the US government will continue to (financially) support an industry that is simply outdated, and has failed to adapt to the changing market - which seems remarkably anti-capitalistic and anti-free market, even for a Democratic president. Luckily for at least us Europeans, the European Parliament has already shot the ACTA agreement down in an overwhelming 633-to-13 vote, while also forcing total openness - something the US does not want. This means that despite Obama siding with the content providers, ACTA will most likely not come to fruition. 
Sadly, all this also means that American consumers will continue to see their rights eroded, as corporations and content providers further gain influence within the government. This means that devices you buy will not actually be yours, that uploading a video of your daughter dancing to a song on the radio could cost you thousands of dollars in damages, and it will also most likely mean that three strikes laws will be enacted. Good times.

From rforno at infowarrior.org Sat Mar 13 16:53:33 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 13 Mar 2010 11:53:33 -0500 Subject: [Infowarrior] - The dark side of the web Message-ID: <7507CF68-B120-4862-9787-6DD3627F5914@infowarrior.org>

The dark side of the web
Posted on 9 Mar 2010 at 15:47
http://www.pcpro.co.uk/features/356254/the-dark-side-of-the-web

Google sees only a fraction of the content that appears on the internet. Stuart Andrews finds out what's lurking in the deep web

When Google indexes so many billions of web pages that it doesn't even bother listing the number any more, it's hard to imagine that much lies beyond its far-reaching tentacles. Beneath, however, lies an online world that few know exists. It's a realm of huge, untapped reserves of valuable information containing sprawling databases, hidden websites and murky forums. It's a world where academics and researchers might find the data required to solve some of mankind's biggest problems, but also where criminal syndicates operate, and terrorist handbooks and child pornography are freely distributed.

At the same time, the underground web is the best hope for those who want to escape the bonds of totalitarian state censorship, and share their ideas or experiences with the outside world. Interested? You're not alone. The deep web and its "darknets"
are a new battleground for those who want to uphold the right to privacy online, and those who feel that rights need to be sacrificed for the safety of society. The deep web is also the new frontier for those who want to rival Google in the field of search. Take a journey with us to the other side of the internet.

Deep webs, the dark web and darknets

The first thing to grasp is that, while the elements that make up this other web have aspects in common, we're not talking about a single, unified entity. Those in the know will often talk in terms of the deep or invisible web, darknets and the dark web, and you might think these are all the same thing. In fact, they're separate phenomena, albeit linked by common themes, properties or interests.

The deep web isn't half as strange or sinister as it sounds. In computer-science speak, it refers to those portions of the web that, for whatever reason, have been invisible to conventional search engines such as Google. The majority of this deep web is made up of dynamically created pages and database entries that are accessible only through manual completion of an HTML form. A smaller proportion has been accidentally or purposefully made inaccessible to Google's crawlers, while other areas sit behind password-protected or subscription-only sites.

Make no mistake, the deep web is huge. Michael Bergman's pioneering 2001 study, The Deep Web: Surfacing Hidden Value, estimated that it accounted for 7,500TB of data at a time when search engines could index only 19. Even the more conservative estimates in a 2007 paper written by Google's Jayant Madhavan, Alon Halevy and colleagues, suggests that there are more than 25 million different sources of deep web content, many of which are huge repositories.
"There is a prevailing sense in the database community that we missed the boat with the WWW," the Google paper concluded. "The over-arching message of this paper is that a second boat is here, with staggering volumes of structured data, and that boat should be ours."

Treasures of the deep

"There's a lot of legitimate and valuable content in the deep web," said Dr Juliana Freire, the leader of a University of Utah project, DeepPeep, which aims to make deep web content more accessible. "For example, there are several scientific data sets (such as the Sloan Digital Sky Survey and the Center for Coastal Margin Observation & Prediction), documents and databases, and these are useful to society and have many important applications." For Freire, exposing this data and giving researchers the tools to share and analyse it could be a key step for the evolution of science.

DeepPeep is far from alone. Next-generation search engines such as Kosmix and info-driven harvesters such as BrightPlanet are working hard to pull data from the deep, while Google now has its own automated deep web search program in place.

There's nothing necessarily secretive about the majority of this hidden content. When asked if the deep web harbours criminal or illicit activities, Dr Freire explains that "underworld" content is just as likely to be found on the "surface web", and describes the deep web as "a more benign place" than some imagine. There are, however, areas that are more intentionally secretive, and this is where the deep becomes the dark.

Liam O Murchu, a security expert at Symantec's Security Technology and Response team (STAR), believes there are three tiers of criminal operating online. The least serious, and most common, will operate in plain sight, on forums that can be found with a conventional search engine. Beyond this, there are more serious - and paranoid -
cybercriminals who "may only work in environments that they consider secure, for example, invite-only forums or secure private chat channels". These forums will be "harder to find, often by word of mouth in other forums, or by invitation only or via 'vetting' and will not be indexed in search engines". For a higher level of secrecy, however, there's the third option: the darknet.

Exploring the anonymous web

Often associated with small file-sharing networks, the term darknet refers to any closed, private network that operates on top of the more conventional internet protocols. To join these hidden internets, all you need to do is install a program, such as Freenet or I2P, and browse away, secure in the knowledge that you're almost impossible to trace. Freenet is effectively a shadow of the web, with its own sites, forums and email services. A related service, TOR (The Onion Router), provides tools to set up hidden services, including websites, which will be anonymous within TOR and inaccessible from the outside.

Technically, these applications are ingenious. Freenet operates as a network of decentralised nodes, with each system on the network contributing bandwidth. Since Freenet sites don't sit on servers, but on data stores spread throughout the network, they can't be taken down, and because each communication between one computer and another is routed through other nodes, with each one only "knowing" the address of the next node and that of the last, Freenet's users can maintain high levels of anonymity. On Freenet, nobody knows who you are, or what you're looking at. Each system also contributes hard disk space, which is occupied by a data cache containing chunks of heavily encrypted data that the program can reassemble into Freenet forums and sites.

A trip through Freenet can be unsettling.
It isn't hard to find sites offering hard-core porn or such charming tomes as The Terrorist's Handbook, Arson Around with Auntie ALF and the Mujahideen Poisons Handbook, along with copyrighted software, video and music to download. And while we didn't come across any child pornography during our time on Freenet (for obvious reasons, we didn't look), it's widely acknowledged that it can be found.

Freenet was the brainchild of a young Irish computer scientist, Ian Clarke, who came up with the idea during his studies at the University of Edinburgh in the mid-1990s. He wanted to "build a communication tool that would realise the things that a lot of people thought the internet was - a place where you could communicate without being watched, and where people could be anonymous if they wanted to be". Built by a global team of developers, more than two million people have downloaded Freenet, and the network has up to 10,000 concurrent users at peak times. Clarke has evidence that Freenet has been distributed in heavily censored regions such as China, and that it's used as a vehicle for free speech and safe communication.

But does this justify its use as a vehicle for child porn or inflammatory material? "The post is used more widely by paedophiles than Freenet is, yet nobody would talk seriously about shutting down the Royal Mail," Clarke retorts. "While there will be content, such as child pornography, that we wish didn't exist, we feel that the benefits, such as the freedom to communicate, that are provided by Freenet greatly outweigh the risks."

Steven J Murdoch, a security specialist at the University of Cambridge and a member of the TOR project, would doubtless agree. By bouncing communications through a distributed network of relays, TOR both hides the source of your internet traffic - your IP address - and the destination: the site you're visiting.
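The hop-by-hop property the article describes (each relay learns only the previous and next hop, and the innermost layer alone names the destination) is easier to see in a small simulation. The following is an added illustration, not code from the article and not Tor's or Freenet's real protocol: the relay names, the pre-shared hop keys, the destination and the HMAC-keystream XOR "cipher" are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Added teaching example, not code from the article and NOT Tor's or Freenet's
# real protocol: a toy onion-routed circuit in which each relay can only learn
# the previous and next hop. Hop keys are pre-shared at random and each layer
# is "encrypted" with an HMAC-SHA256 keystream XOR, a toy stream cipher chosen
# only so the example runs with the standard library.

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` bytes: HMAC-SHA256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Wrap one layer: fresh random nonce followed by plaintext XOR keystream."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def unseal(key, blob):
    """Peel one layer; XOR is its own inverse, so the same keystream decrypts."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def build_onion(path, keys, destination, payload):
    """Client side: wrap the request once per relay, innermost (exit) layer first.

    Only the exit relay's layer names the real destination; every earlier layer
    names just the next relay and carries the still-encrypted inner layer.
    """
    layer = json.dumps({"next": destination, "data": payload}).encode()
    blob = seal(keys[path[-1]], layer)
    for relay, next_relay in reversed(list(zip(path[:-1], path[1:]))):
        layer = json.dumps({"next": next_relay, "data": blob.hex()}).encode()
        blob = seal(keys[relay], layer)
    return blob


def peel(relay, keys, blob):
    """Relay side: strip one layer with this relay's key -> (next hop, inner data)."""
    layer = json.loads(unseal(keys[relay], blob).decode("utf-8"))
    return layer["next"], layer["data"]


def can_read(relay, keys, blob):
    """True only if `relay` holds the key for the outermost layer of `blob`."""
    try:
        peel(relay, keys, blob)
        return True
    except (ValueError, TypeError, KeyError):  # wrong key yields undecodable bytes
        return False


def route(path, keys, destination, payload):
    """Simulate the circuit; return what each relay observed and the delivered payload."""
    blob = build_onion(path, keys, destination, payload)
    views, previous_hop = [], "client"
    for i, relay in enumerate(path):
        next_hop, data = peel(relay, keys, blob)
        views.append({"relay": relay, "from": previous_hop, "to": next_hop})
        previous_hop = relay
        if i < len(path) - 1:
            blob = bytes.fromhex(data)  # still opaque: encrypted for the next relay
        else:
            delivered = data  # the exit relay holds the plaintext request
    return views, delivered


def demo():
    """Constructed three-hop circuit (guard, middle, exit) with random hop keys."""
    path = ["guard", "middle", "exit"]
    keys = {relay: secrets.token_bytes(32) for relay in path}
    views, delivered = route(path, keys, "example.org", "GET / HTTP/1.1")
    outer = build_onion(path, keys, "example.org", "GET / HTTP/1.1")
    return {
        "views": views,  # the middle relay's entry names neither client nor site
        "delivered": delivered,
        "middle_reads_outer_layer": can_read("middle", keys, outer),
    }


if __name__ == "__main__":
    for view in demo()["views"]:
        print(view)
```

Running it prints one line per relay; the middle relay's view contains only "guard" and "exit", which is the anonymity property the article attributes to both Freenet and TOR.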
Like Freenet, TOR is used by dissidents living under oppressive regimes to counteract IP-based censorship and to preserve their anonymity. It's also used by law-enforcement agencies, journalists and those - such as corporate whistleblowers or abused wives talking to a support group - who need to cover their tracks. The application is easy to download, and can be switched on with nothing more than a browser plugin.

Like Ian Clarke, Murdoch doesn't shirk from the accusation that TOR can be used for illicit purposes. As with any technology, "bad people will use it, and TOR and other anonymous communication networks are really no exception in this regard". For Murdoch, the overall benefit to society is greater, however, "not only because the bad users are a small proportion, but also because the people who are willing to break the law already have the ability to get reasonable anonymous communications".

It's a view echoed by Symantec's Liam O Murchu. "One property that all cybercriminals desire is anonymity online. Then, even if their activity is monitored, their identity still remains hidden." However, he adds that, "this doesn't mean that closed networks should be banned, of course, because there are perfectly legitimate reasons for legal groups to use them".

There's another issue with services such as Freenet, I2P and TOR that might make some users uncomfortable: as the whole technology relies on routing traffic through the various nodes on the network, your system and your internet connection will inevitably be used to transmit content - albeit in an unreadable and encrypted form - that you might find objectionable. Worse still, Freenet will use the cache on your hard disk to store and serve it. "There is potential that, on your computer, there would be a hold of material like that sitting on your hard disk,"
Ian Clarke explains, "but it would be in a form that you couldn't access, even if you wanted to. Certainly, for some people, they view that as a reason not to use Freenet, but a higher percentage realise that they're providing a service to people, and that while, yes, some material like that will be on it, they can't be held responsible."

Policing the darknet

Do these applications and services make things more difficult for those investigating, say, child abuse? "To a degree," a spokesperson for the UK's Child Exploitation and Online Protection Centre (CEOP) told us. "We are aware of darknets, closed networks and closed forums, and how offenders are using them to communicate, but we can and we do use everything within our power to track down these people." It's also worth pointing out that services such as TOR are in active use by law-enforcement and intelligence agencies. After all, it's hard to investigate criminal networks if your IP address marks you as a cop.

Of course, it isn't only ordinary criminals who have adopted the dark web. Terrorist organisations, too, are looking at it as an alternative to more easily monitored forms of internet communication. In 2007, Mark Burgess, director of the World Security Institute in Brussels, warned that "too much focus on closing down websites could also be counter-productive, since it likely forces terrorist websites to go underground to the so-called 'deep' or hidden web". It looks like this warning was justified. In an article written for the Combating Terrorism Center at the US Military Academy, West Point, Dr Manuel R Torres Soriano, professor of political science at the University of Seville, explains how Islamic terrorists have responded to the constant closure of propaganda websites by going underground. They've adopted the practices of internet pirates by using file-hosting websites and forum software to maintain a web presence.
Online terrorists have also been known to use TOR (its use is covered in some Jihadist FAQs), and have even created their own secrecy tools, such as the Mujahideen Secrets encryption tool. However, the same techniques being used to mine the deep web for information can also make life harder for the terrorists. In 2007, a team led by Hsinchun Chen of the University of Arizona unveiled a project, DarkWeb, which now tracks terrorist activity across the surface and deep webs. Where previously various counter-terrorist and law-enforcement agencies worked piecemeal on infiltrating and extracting information from websites and forums, DarkWeb is designed to root out terrorist groups and, in Chen's words, "exhaustively collect their content".

Over the past eight years, DarkWeb has collected close to two million files, documents, videos and messages, logged them and made them accessible to intelligence agencies and research bodies across the world. If these organisations want to investigate a threat or try out new theories, they no longer have to trawl the deep web themselves. Instead, "they can take a look at that collection and study it in a more systematic and data-driven manner," said Chen.

As far as Chen is concerned, however, darknets and closed forums aren't a major concern. "In general, 95 to 99% [of terrorist content], is really in the open area," he explains. For terrorists, moving to "somewhere more secretive, like a darknet, isn't so interesting because they won't be able to recruit or touch or influence a large number of their target audience". The Internet Watch Foundation - the UK industry body charged with removing paedophile content from the web - makes a similar point about child abuse. "The majority of content still comes from big, commercial enterprises," a spokesperson told us, "and they need to be out there on the open web." In fact, Dr Chen argues that terrorists are more likely to make use of familiar forms of communication.
"We've done a lot of work in websites, forums and even on YouTube, and now we're doing a lot of exploration in Second Life, because we need to monitor the more fluid and more dynamic web environments that are more difficult to look at."

In short, there's some dark stuff going on in the deep, dark portions of the web, but don't get too hung up on it. After all, there's plenty of equally dark stuff still floating on the surface.

Author: Stuart Andrews

From rforno at infowarrior.org Sun Mar 14 02:01:35 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 13 Mar 2010 21:01:35 -0500 Subject: [Infowarrior] - BBC Series: The Virtual Revolution Message-ID: <7011E936-581E-4A6E-81E8-1288B5783399@infowarrior.org>

The Virtual Revolution: How and when to listen
http://www.bbc.co.uk/worldservice/programmes/2010/03/100311_virtual_revolution_how_and_when.shtml

Twenty years on from the invention of the World Wide Web, Dr Aleks Krotoski looks at how it is reshaping almost every aspect of our lives. Joined by some of the web's biggest names - including the founders of Facebook, Twitter, Amazon, Apple and Microsoft, and the web's inventor - she explores how far the web has lived up to its early promise.

Part One: The Great Levelling

In the first in this four-part series, Aleks charts the extraordinary rise of blogs, Wikipedia and YouTube. She also traces an ongoing clash between the freedom the technology offers us, and our innate human desire to control and profit. See The Great Levelling on BBC World television on Saturday 6 March 2010 at 0110GMT (repeated 1510GMT and at 0910GMT and 2210GMT on Sunday 7 March 2010)

Part Two: Enemy Of The State

Aleks charts how the Web is forging a new brand of politics, both in democracies and authoritarian regimes.
With contributions from Al Gore, Martha Lane Fox, Stephen Fry and Bill Gates, the programme explores how interactive, unmediated sites like Twitter and YouTube have encouraged direct action and politicised young people in unprecedented numbers. Yet, at the same time, the Web's openness enables hardline states to spy and censor, and extremists to threaten with networks of hate and crippling cyber attacks. See Enemy Of The State on BBC World television on Saturday 13 March 2010 at 0110GMT (repeated 1510GMT and at 0910GMT and 2210GMT on Sunday 14 March 2010) Part Three: The Cost Of Free Aleks gives the lowdown on how, for better and for worse, commerce has colonised the web - and reveals how web users are paying for what appear to be 'free' sites and services in hidden ways. Joined by some of the most influential business leaders of today's web - including Jeff Bezos (CEO of Amazon), Eric Schmidt (CEO of Google), Chad Hurley (CEO of YouTube) and Bill Gates, the programme traces how business - with varying degrees of success - has attempted to make money on the web. She tells the inside story of the gold rush years of the dotcom bubble, and reveals how retailers such as Amazon learned the lessons. The programme also charts how, out of the ashes, Google forged the business model that has come to dominate today's web, offering a plethora of highly attractive, overtly free web services - including search, maps and video - that are in fact funded through a sophisticated and highly lucrative advertising system which trades on what we users look for. See Enemy Of The State on BBC World television on Saturday 20 March 2010 at 0110GMT (repeated 1510GMT and at 0910GMT and 2210GMT on Sunday 21 March 2010) Part Four: Homo Interneticus? Part Four will be available to listen on BBC World Service radio from 15 March 2010 Dr Aleks Krotoski concludes her investigation of how the World Wide Web is transforming almost every aspect of our lives. 
Joined by Facebook founder Mark Zuckerberg, Bill Gates, Al Gore and the neuroscientist Susan Greenfield, the programme examines the popularity of social networks such as Facebook and asks how they are changing our relationships. And, in a ground-breaking test at University College London, Aleks investigates how the Web may be distracting and overloading our brains. See Enemy Of The State on BBC World television on Saturday 27 March 2010 at 0110GMT (repeated 1510GMT and at 0910GMT and 2210GMT on Sunday 28 March 2010)

http://www.bbc.co.uk/worldservice/programmes/2010/03/100311_virtual_revolution_how_and_when.shtml

From rforno at infowarrior.org Sun Mar 14 04:45:33 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 13 Mar 2010 23:45:33 -0500 Subject: [Infowarrior] - IRS visits Sacramento carwash in pursuit of 4 cents Message-ID: <52AE4AF8-01B2-49A3-AF26-8E4E35CD6A49@infowarrior.org>

Talk about a waste of resources!! -rf

Bob Shallit: IRS visits Sacramento carwash in pursuit of 4 cents
http://www.sacbee.com/2010/03/13/2604016/irs-suits-pay-visit-to-car-wash.html
Published: Saturday, Mar. 13, 2010 - 12:00 am | Page 1B
Last Modified: Saturday, Mar. 13, 2010 - 9:58 am

It was every businessperson's nightmare. Arriving at Harv's Metro Car Wash in midtown Wednesday afternoon were two dark-suited IRS agents demanding payment of delinquent taxes. "They were deadly serious, very aggressive, very condescending," says Harv's owner, Aaron Zeff. The really odd part of this: The letter that was hand-delivered to Zeff's on-site manager showed the amount of money owed to the feds was ... 4 cents. Inexplicably, penalties and taxes accruing on the debt - stemming from the 2006 tax year - were listed as $202.31, leaving Harv's with an obligation of $202.35. Zeff, who also owns local parking lots and is the president of the Midtown Business Association, finds the situation a bit comical.
"It's hilarious," he says, "that two people hopped in a car and came down here for just 4 cents. I think (the IRS) may have a problem with priorities." Now he's trying to figure out how penalties and interest could climb so high on such a small debt. He says he's never been told he owes any taxes or that he's ever incurred any late-payment penalties in the four years he's owned Harv's. In fact, he provided us with an Oct. 22, 2009, letter from the IRS that states Harv's "has filed all required returns and addressed any balances due." IRS spokesman Jesse Weller isn't commenting "due to privacy and disclosure laws." Zeff says he's as offended as much as anything else by what he considers rude behavior by the IRS guys. While at Harv's, he sniffs, "they didn't even get a car wash." From rforno at infowarrior.org Sun Mar 14 04:52:55 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 13 Mar 2010 23:52:55 -0500 Subject: [Infowarrior] - Danah Boyd: How Technology Makes A Mess Of Privacy and Publicity Message-ID: Danah Boyd: How Technology Makes A Mess Of Privacy and Publicity by Jason Kincaid on Mar 13, 2010 http://techcrunch.com/2010/03/13/privacy-publicity-sxsw/ Today at SXSWi, keynote speaker Danah Boyd took the stage to talk about privacy and publicity, and how they intertwine online. Boyd is a Social Media Researcher at Microsoft Research New England, and has studied this space extensively for years. It was a compelling talk that challenged the notion that personal information is on a binary spectrum of public or private. To help underscore her points, she recalled and discussed a number of major privacy blunders from Facebook and Google. You can find my notes from the presentation below. Boyd says that privacy is not dead, but that a big part of our notion of privacy relates to maintaining control over our content, and that when we don?t have control, we feel that our privacy has been violated. This has happened a few times recently. 
How The Buzz Launch Failed

As a first example Boyd brought up Google Buzz. She says that nothing with the launch was technologically wrong - you could opt out of Buzz, elect to hide your friend list, and so on. But the service resulted in a PR disaster because Google made non-technical mistakes, doing things that didn't meet user expectations:

- Google integrated a public facing system in one of the most private systems you can imagine. Lots of people thought Google was exposing their email to the world.
- Google assumed people would opt out if users didn't want to participate. "I can't help but notice that more technology companies think it's ok to expose people tremendously and then back pedal when people flip out", she says.
- You want to help users understand the proposition. You need to ease them in, invite them to contribute their content.

Boyd says that years ago, researchers noticed people in a chat room would often ask "A/S/L" (age, sex, location). So some services, looking to streamline things a bit, started building user profiles that had this information. What they failed to understand is that this "A/S/L" was a sort of chatroom icebreaker. Users lost that, and putting that information in a profile - even if they would have shared it to answer that chat message - could creep them out. With Buzz, Google found the social equivalent to the famous "uncanny valley" (where things seem almost natural, but aren't quite close enough, so they're creepy). They collapsed articulated networks (email) and assumed it was a personal network.

Boyd then transitioned to talk a bit about the fuzzy lines between what is public and private. She says that just because people put material in public places doesn't mean it was meant to be aggregated. And just because something is publicly accessible doesn't mean people want it to be publicized.

The Facebook Privacy Fail

Boyd's second case study was Facebook's privacy changes in December, when Facebook changed "everyone"
to the default. We've written extensively on this fiasco, which may take years to really reveal the extent of the damage it has done.

- Facebook said 35% of users had read the new privacy documentation and changed something in the privacy settings. Facebook thinks this is a good thing, but it means 65% of population made their content public. Boyd has asked non-techie users to tell her what they thought their settings were. She has yet to find a single person whose actual privacy settings matched what they thought they were.
- Boyd recounted a story of a young woman who had moved far away from an abusive father. The young woman talked with her mother (who had moved with her) about possibly joining Facebook. They sat down to make the content as private as possible, which worked well. But in December, the young woman clicked through Facebook's privacy dialog (as most people did) and had no idea her content was public. She only found out when someone who should not have seen the content told her.

Boyd then discussed how different groups of people think about privacy. She says that teenagers are much more conscious about what they have to gain by being in public, whereas adults are more concerned about what they have to lose. As an example, Boyd talked about a teenage girl who often put risqué, sometimes illegal content online. When Boyd asked why she'd want to do something, the girl replied, "I want to get a modeling contract just like Tila Tequila". Her calculation wasn't about what she could potentially lose, but rather what she stood to gain.

Boyd says that most techies think about Personally Identifiable Information, but that the vast majority of people are thinking about personally embarrassing information. People often share private information with their friends in part because it allows them to bond, it makes them somewhat vulnerable and establishes trust. But when it's through technology (e.g.
Facebook?s public by default setting) it?s a huge technology fail. Boyd also called out the presence of racism in social media. On the night of the BET awards last year, all of the trending topics were dominated by terms relating to the event and the black community. In response, some Twitter users made very racist comments ? clearly even these open communication platforms are still prone to hate. To conclude the talk, Boyd pointed out some of the challenges we will continue to face with regard to privacy online. She asks whether or not teachers can be expected to maintain a professional, pristine presence online ? something that is very difficult to do while leading a normal life. Ultimately, she says, ?neither privacy nor publicity is dead, but technology will continue to make a mess of both.? We?ve been looking at privacy and publicity as a black-or-white attribute for content, when really it?s defined by context and the implications of what we?ve chosen to share. From rforno at infowarrior.org Mon Mar 15 01:12:33 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 14 Mar 2010 21:12:33 -0400 Subject: [Infowarrior] - Obama Supports DNA Sampling Upon Arrest Message-ID: <5E2190A8-D477-4356-9598-3B21F78E7FB5@infowarrior.org> Obama Supports DNA Sampling Upon Arrest ? By David Kravets ? March 10, 2010 | ? 6:40 pm | ? Categories: Crime, privacy http://www.wired.com/threatlevel/2010/03/obama-supports-dna-sampling-upon-arrest Josh Gerstein over at Politico sent Threat Level his piece underscoring once again President Barack Obama is not the civil-liberties knight in shining armor many were expecting. Gerstein posts a televised interview of Obama and John Walsh of America?s Most Wanted. The nation?s chief executive extols the virtues of mandatory DNA testing of Americans upon arrest, even absent charges or a conviction. Obama said, ?It?s the right thing to do? to ?tighten the grip around folks? who commit crime. 
When it comes to civil liberties, the Obama administration has come under fire for often mirroring his predecessor's practices surrounding state secrets, the Patriot Act and domestic spying. There's also Gitmo, Jay Bybee and John Yoo. Now there's DNA sampling.

Obama told Walsh he supported the federal government, as well as the 18 states that have varying laws requiring compulsory DNA sampling of individuals upon an arrest for crimes ranging from misdemeanors to felonies. The data is lodged in state and federal databases, and has fostered as many as 200 arrests nationwide, Walsh said.

The American Civil Liberties Union claims DNA sampling is different from mandatory, upon-arrest fingerprinting that has been standard practice in the United States for decades. A fingerprint, the group says, reveals nothing more than a person's identity. But much can be learned from a DNA sample, which codes a person's family ties, some health risks, and, according to some, can predict a propensity for violence.

The ACLU is suing California to block its voter-approved measure requiring saliva sampling of people picked up on felony charges. Authorities in the Golden State are allowed to conduct so-called "familial searching" - when a genetic sample does not directly match another, authorities start investigating people with closely matched DNA in hopes of finding leads to the perpetrator.

Do you wonder whether DNA sampling is legal? The courts have already upheld DNA sampling of convicted felons, based on the theory that the convicted have fewer privacy rights. The U.S. Supreme Court has held that when conducting intrusions of the body during an investigation, the police need so-called "exigent circumstances" or a warrant. That alcohol evaporates in the blood stream is the exigent circumstance to draw blood from a suspected drunk driver without a warrant.
From rforno at infowarrior.org Mon Mar 15 11:28:03 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 15 Mar 2010 07:28:03 -0400
Subject: [Infowarrior] - Pew Report: State of the News Media 2010
Message-ID:

http://www.stateofthemedia.org/2010/

The State of the News Media 2010 is the seventh edition of our annual report on the health and status of American journalism. Our goals are to take stock of the revolution occurring in how Americans get information and provide a resource for citizens, journalists and researchers to make their own assessments. To do so we gather in one place as much data as possible about all the major sectors of journalism, identify trends across media, mark key findings, delve deep into each sector and note areas for further inquiry.

This year's report is the most interactive it's ever been, and contains a number of new features. A Year in the News Interactive, for instance, allows users to explore for themselves our content database of some 68,000 stories from 55 different news outlets. Users can look at what they want, answer their own questions and create their own charts. Who Owns the News Media is a new multi-dimensional directory of the more than 120 companies that own news properties in the United States that allows users to explore and compare companies by sector, revenue, and audience.

This year's study also includes a new survey of the economic attitudes of online news consumers. The report also contains a detailed analysis of the online behavior of visitors to news websites and a study of the most highly regarded community journalism websites in the country. There is also, for the first time, a content analysis of blogs and social media, which explores the extent to which their news agenda relates to, differs from, and draws on traditional media. Coming in April is a survey of news executives on the future of their industry.

Also new to the report is a glossary of key terms for each media sector, as well as a central compilation of sidebars and backgrounders, accessible by hyperlink throughout each chapter.

This report is the work of the Pew Research Center's Project for Excellence in Journalism, a nonpolitical, nonpartisan research institute. The study is funded by the Pew Charitable Trusts and was produced with the help of a number of authors and collaborators, including Rick Edmonds of the Poynter Institute and a host of industry readers. The full report is comprehensive, totaling nearly 180,000 words.

Published March 15, 2010
http://www.stateofthemedia.org/2010/

From rforno at infowarrior.org Mon Mar 15 12:23:07 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 15 Mar 2010 08:23:07 -0400
Subject: [Infowarrior] - Tim Bray on the iPhone
Message-ID: <8365D97C-660E-4D2F-8C0E-ED95071AE952@infowarrior.org>

http://www.electronista.com/articles/10/03/15/web.pioneer.joins.google.to.prove.apple.wrong/

XML co-creator Tim Bray on Monday said he has joined Google as a Developer Advocate, primarily for Android. The former Sun worker made the pick both because Android embraces an open-source, web-heavy philosophy but also as a direct opposition to Apple's iPhone policies. Bray praised Apple's hardware but couldn't abide by the at times arbitrary filtering of the App Store, which he likened to censorship.

"The iPhone vision of the mobile Internet's future omits controversy, sex, and freedom, but includes strict limits on who can know what and who can say what," Bray wrote. "It's a sterile Disney-fied walled garden surrounded by sharp-toothed lawyers. The people who create the apps serve at the landlord's pleasure and fear his anger."

He added that Apple is self-contradictory and claims to want the benefits of the Internet but wants to limit access to hardware and software, even limiting what information developers can share.
Android lets developers access most phone components directly and even modify parts of the interface as well as write apps that improve on existing features. Apple has historically banned apps that "duplicate" core functionality but has been accused of trying to prevent competition.

From rforno at infowarrior.org Mon Mar 15 12:44:27 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 15 Mar 2010 08:44:27 -0400
Subject: [Infowarrior] - Dot-Com turns 25
Message-ID: <2FF71C79-87C1-4318-828A-AC87F5DCD849@infowarrior.org>

Dotcom marks silver anniversary
By Maggie Shiels
Technology reporter, BBC News, Silicon Valley
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/8567414.stm

The internet celebrates a landmark event on the 15 March - the 25th birthday of the day the first dotcom name was registered. In March 1985, Symbolics computers of Cambridge, Massachusetts entered the history books with an internet address ending in dotcom. That same year another five companies jumped on a very slow bandwagon. It took until 1997, well into the internet boom, before the one millionth dotcom was registered.

"This birthday is really significant because what we are celebrating here is the internet and dotcom is a good, well known placeholder for the rest of the internet," said Mark Mclaughlin, chief executive officer of Verisign the company that is responsible for looking after the dotcom domain. "Who would have guessed 25 years ago where the internet would be today. This really was a groundbreaking event," he said.

Commercialisation

For most of the late 1980s and early 1990s hardly anyone knew what a dotcom was. Scholars generally agree that a turning point was the introduction of the Mosaic web browser by Netscape that brought mainstream consumers on to the web.
With 668,000 dotcom sites registered every month, they have become part of the fabric of our lives. Today people go to dotcom sites to shop, connect with friends, book holidays, be entertained, learn new things and exchange ideas.

"Dotcoms have touched us in a way we could not have imagined," Robert Atkinson of the Information Technology and Innovation Foundation (ITIF) told BBC News. "It used to be, 10 years ago you could live an okay life if you weren't engaged on a dot com site on a daily basis. You could get what you needed. "But today we see how dotcoms have enriched our lives that if you are not engaged you would be fine but much further behind than the rest of us."

Proof of that Mr Atkinson said can be seen with how dotcoms have commercialised the internet "bringing consumers choice and value and businesses greater customer reach and profits".

DOTCOM GROWTH
- 21m domain names registered between 1985 and 2000
- 57m domain names registered between 2000 and 2010
- Source: OECD

A study by the ITIF claims that "the average profitability of companies using the internet increased by 2.7%". The research also found that the economic benefits equal $1.5 trillion, which it says is "more than the global sales of medicine, investment in renewable energy and government investment in research and development combined". By 2020 the internet should add $3.8 trillion (£2.5 trillion) to the global economy, exceeding the gross domestic product of Germany, it found.

The future

An estimated 1.7 billion people - one quarter of the world's population - now use the internet. Verisign's Mr McLaughlin only sees that figure growing over the next quarter of a century. "I think that the way we access information today, mostly still through PCs and laptops is highly likely to change; that the voice will be more important than text input. "I think the whole fabric of how we access, search, find and get information is going to be radically different."
At the moment Verisign logs 53 billion requests for websites - not just dotcoms - every day, about the same number handled for all of 1995. "We expect that to grow in 2020 to somewhere between three and four quadrillion," Mr McLaughlin told BBC News. One quadrillion is 1,000 billion. It is a phenomenal pace of growth that would have been very difficult to predict 25 years ago when a small computer firm took the first pioneering steps into the connected world.

Story from BBC NEWS: http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/8567414.stm
Published: 2010/03/15 08:49:15 GMT
© BBC MMX

From rforno at infowarrior.org Mon Mar 15 16:36:00 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 15 Mar 2010 12:36:00 -0400
Subject: [Infowarrior] - Seven Firefox Plug-ins That Improve Online Privacy
Message-ID: <6E7409F8-1970-4169-8BA4-21279B167CE5@infowarrior.org>

Seven Firefox Plug-ins That Improve Online Privacy
Worried about preserving your privacy in an online world where privacy is disappearing? Here are seven Firefox add-ons that will help.
http://www.csoonline.com/article/print/574763
Joseph Guarino, CISSP, LPIC, CSO
March 12, 2010

As strange as it might sound, there are times when I wish for the old days of the Internet circa the early 1990's. The days of Mosaic and Lynx, where there was no Flash, no Javascript and no Java. A simpler time where protecting your privacy and security wasn't as essential as it is today. Time travel isn't an option for securing my browser. But Firefox gives me it all and then some.

The number-two browser (with 32 percent market share), Firefox is a cross platform, standards based, open source browser. It is feature rich and has supernumerary add-ons to extend its functionality. In the spirit of Open Source, its community maintains a focus on security and has a strong record of swiftly patching known vulnerabilities, faster in some cases than most others in the market.
Firefox isn't just a killer app; it's also a pillar of the Internet community. When it comes to security and privacy, the Firefox picture is compelling, with over 600 plug-ins related to privacy and security. Acknowledging the current state of privacy and security, these plug-ins are a welcome addition to any browsing experience. My goal in this article is to highlight a few of my favorites with the hopes that you too will take advantage of them.

NoScript

NoScript is a powerful add-on that blocks and blacklists Javascript, Java, Flash, and other plug-ins by default. It features protections against Cross-Site Scripting (XSS), Flash XSS and clickjacking, to name a few. With most websites relying on these plug-in technologies, you effectively have to whitelist the sites for them to function. Using the NoScript status bar icon, you can whitelist on a temporary basis or add sites to your permanent whitelist. This preemptive script blocking tool is a must for any Firefox user.

BetterPrivacy

BetterPrivacy is an add-on that lets you manage LSO-cookies -- or, as they are commonly known, flash cookies. Flash cookies are a newer and more enhanced way of storing information about you and your online activities than traditional cookies. Unlike the traditional Web cookie, flash cookies don't expire and can't be deleted within the browser's interface. Even "delete your recent history" doesn't remove these "super cookies." Adobe currently only provides an online-only website storage panel to manage them, which is hardly user-or-privacy friendly. Thankfully, BetterPrivacy helps us chomp on those pesky cookies, allowing us to manage and remove them.

Adblock Plus

Adblock Plus is a simple add-on that gives granular control over page elements such as ads/banners content in your browser experience. Although it does use a region-specific block list, you can configure filters with great flexibility, blocking or allowing content as you see fit. Adblock is a God-send for those of us who don't want a Web littered with poorly targeted ads.

Foxproxy

Foxproxy is a feature-rich proxy management add-on. It allows ease and customization in managing your proxy settings. For example, you can add multiple proxies and define how and when they are used based on URL patterns, wildcards, expressions, etc. Added support for Tor provides some privacy and anonymity. Foxproxy even supports Tor in conjunction with Privoxy, the non-caching Web privacy enhancing proxy, offering even greater potential for online privacy and anonymity.

Firebug

Although Firebug is technically a Web-development tool, it certainly holds its weight in helping protect our privacy/security. This tool allows us to monitor, debug and edit the content of any website live in any webpage within the browser. We can see all the details regarding HTML, CSS, Javascript and related webpage resources in great detail. It does help the more nerdy among us ascertain what's going on under the hood of a website with nicely detailed, color-coded and organized displays. It's helpful in investigating websites that seem slightly fishy.

Torbutton

Torbutton is a simple add-on that allows you to configure Firefox to use Tor. For those unfamiliar with Tor, it is a distributed, community run network that provides relative anonymity/privacy to those utilizing it. Torbutton allows for a Firefox user to easily and quickly turn on Tor for some basic anonymity in their Internet activities.

FireGPG

FireGPG is an add-on that allows integration with the cross-platform, free software encryption suite GnuPG (GNU Privacy Guard). GnuPG is an OpenPGP standards-based free software encryption tool that allows you to encrypt and sign your communications. FireGPG allows you to encrypt, decrypt, sign, etc. directly within Firefox. FireGPG also supports direct integration with Gmail, with more webmail applications planned for the near future.
Firefox is a great choice for those interested in a feature-rich, stable and secure browser. With the addition of these add-ons it proves to be a powerful tool for protecting your security and privacy. If you're not already a user I encourage you to give it a try. The dedicated nature of the Firefox community promises more innovations to look forward to in the future.

Joseph Guarino is the owner and senior consultant at EvolutionaryIT and is based in Boston.
© CXO Media Inc.

From rforno at infowarrior.org Mon Mar 15 16:41:10 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 15 Mar 2010 12:41:10 -0400
Subject: [Infowarrior] - Foursquare: Telling Friends Where You Are (or Not)
Message-ID: <2FFCE80F-330C-4944-8E0E-B394717ACA71@infowarrior.org>

March 14, 2010
Telling Friends Where You Are (or Not)
By JENNA WORTHAM
http://www.nytimes.com/2010/03/15/technology/15locate.html?8dpc=&pagewanted=print

AUSTIN, Tex. - As Jordan Viator roams the conference rooms, dimly lit bars and restaurants here at the South by Southwest Interactive conference, she often pulls out her cellphone and uses the Foursquare service to broadcast her location.

Such a service might sound creepy to the privacy-minded. But it came in handy for Ms. Viator when she arrived Friday at a party in a bar called Speakeasy and could not find anyone she knew. Her friends who also use Foursquare could see where she was, and some joined her a few minutes later.

"I only share my location with people I am comfortable meeting up with, and when I want to be found," said Ms. Viator, a 26-year-old communications manager at a nonprofit company.

Mobile services like Loopt and Google's Latitude have promoted the notion of constantly beaming your location to a map that is visible to a network of friends - an idea that is not for everybody. But now there is a different approach, one that is being popularized by Foursquare.
After firing up the Foursquare application on their phones, users see a list of nearby bars, restaurants and other places, select their location and "check in," sending an alert to friends using the service.

This model, which may be more attractive than tracking because it gives people more choice in revealing their locations, is gathering speed in the Internet industry. Yelp, the popular site that compiles reviews of restaurants and other businesses, recently added a check-in feature to its cellphone application. And Facebook is expected to take a similar approach when it introduces location features to its 400 million users in coming months.

If checking in goes mainstream, it could give a lift to mobile advertising, which is now just a tiny percentage of overall spending on online ads. If a company was able to pitch offers to people who say they are at a particular spot, it would "allow for the sharpening of mobile advertising," said Anne Lapkin, an analyst at the research firm Gartner.

The check-in idea got its start in 2004, when Foursquare's predecessor, a service called Dodgeball, started to let people tell their friends where they were with a text-message blast. Most cellphones at the time did not have GPS location features, "so using text to check in was a necessity," said Dennis Crowley, who created the service with a classmate in the Interactive Telecommunications Program at New York University.

In 2005, Mr. Crowley sold Dodgeball to Google, which eventually shut it. He decided to expand on the idea with Foursquare. "Each time you check in, you're giving permission to share your location and get pinged with information about interesting things nearby," Mr. Crowley said.

Since it was introduced at South by Southwest a year ago, Foursquare has swelled to more than 500,000 users. It now has 1.6 million check-ins a week.
This year, Foursquare and other location services are the talk of the conference, which has become a launching pad and testing ground for Internet start-up companies.

One of the drawbacks to the check-in model, as opposed to constant tracking, is that people have to remember to use a service, said Josh Williams, co-founder of Gowalla, a location game. Gowalla revolves around finding virtual objects in real-world locations, something like a scavenger hunt. "Just as people had to get into the habit of tweeting, they'll have to learn the habit of checking in," Mr. Williams said.

Many of these services are building in incentives to encourage regular use, often in the form of points and virtual badges. Gowalla, which says about 100,000 people are using its application, is working with several companies to spread the word about its service at South by Southwest. Users who find a virtual drink coaster can redeem it at a participating bar for a free beverage. And the company teamed up with Palm to offer free cellphones to conference attendees who find a phone icon.

Other services are trying the check-in approach. Hot Potato allows users to create instant chat rooms around locations or events, like a concert. Whrrl hopes to lure users by treating check-ins as keys to exclusive virtual "societies." And a service called MyTown lets people buy virtual property around them, in a twist on Monopoly.

For Yelp, check-ins are a way to make its users' reviews more authoritative. Yelp users who check into a restaurant or bar can write a short review from the mobile application and earn points. "If you go to a business often enough, you get a special badge deeming you a regular of a place," said Eric Singley, a product manager at Yelp. "It adds an extra layer of credibility to a review online."
Even Loopt, which since 2006 has relied on a live tracking approach, unveiled a new feature in November called Pulse, which allows users to check into locations to receive tips and suggestions on things to do nearby.

One big hurdle for tracking services like Loopt has been that the iPhone does not allow their applications to keep running in the background for continuous monitoring. Many early-adopter types who might try a new location service are iPhone owners.

But Sam Altman, a co-founder of Loopt, said the check-in model opened up some interesting advertising opportunities. Businesses can offer coupons and specials based on where people check in, he said, as they do with Loopt and Foursquare. "For advertisers, the places you go are much more interesting than the Web sites you click on," he said.

From rforno at infowarrior.org Mon Mar 15 18:54:45 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 15 Mar 2010 14:54:45 -0400
Subject: [Infowarrior] - U.S. Army worried about Wikileaks in secret report
Message-ID: <462AD1E0-127E-4AB0-AFAB-E82C8CDF94A3@infowarrior.org>

March 15, 2010 11:43 AM PDT
U.S. Army worried about Wikileaks in secret report
by Declan Mccullagh
http://news.cnet.com/8301-13578_3-20000469-38.html?part=rss&subj=news&tag=2547-1_3-0-20

A leaked U.S. Army intelligence report, classified as secret, says the Wikileaks Web site poses a significant "operational security and information security" threat to military operations.

Classified U.S. military information appearing on Wikileaks could "influence operations against the U.S. Army by a variety of domestic and foreign actors," says the report, prepared in 2008 by the Army Counterintelligence Center and apparently disclosed in its entirety on Monday.

The embarrassing twist: It was Wikileaks that published the 32-page document, but not before editor Julian Assange prepended a critique saying that some details in the Army report were inaccurate and its recommendations flawed.
One section of the original document says that "criminal prosecution" of anyone leaking sensitive information could "deter others considering similar actions from using the Wikileaks.org Web site." Another speculates that Wikileaks -- which boasts that it is "uncensorable" -- is "knowingly encouraging criminal activities" including violation of national security laws regarding sedition and espionage.

Lt. Col Lee Packnett, a spokesman for the U.S. Army on intelligence topics, said he was not familiar with the Wikileaks disclosure and would not immediately be able to comment. The National Ground Intelligence Center, which provides the Army with information about enemy weapons systems and was mentioned in the report, did not immediately respond to a query from CNET.

Under the federal Espionage Act, it is a crime to disclose "information relating to the national defense which information the possessor has reason to believe could be used to the injury of the United States" (18 USC 793(e)). Another section says that even indirect disclosures of national defense information to foreign citizens can be punished, in certain cases, by death (18 USC 794(a)).

Some First Amendment scholars have argued that those portions of the federal code cannot survive legal scrutiny -- otherwise, as a few conservative commentators have claimed, the New York Times' disclosure of Bush-era warrantless wiretapping would have been a crime. In a since-abandoned prosecution of two former pro-Israel lobbyists charged with disclosing classified U.S. defense information, however, a federal judge had ruled that the balance struck by the Espionage Act "is constitutionally permissible."

Wikileaks has disclosed classified U.S. Defense Department information before. A 2004 report about Fallujah also marked secret was highlighted repeatedly as an example of damaging disclosure in the document released Monday. The document no longer appears to exist on Wikileaks' Web site.
A previous location now returns the error message: "The resource you are looking for has been removed, had its name changed, or is temporarily unavailable." (Wikileaks' Assange did not immediately reply when asked for an explanation.)

Wikileaks previously disclosed thousands of pages of pager logs from September 11, 2001 and won a case in federal court in San Francisco after a Swiss bank attempted to pull the plug on the entire Web site. It shut down briefly last month because of lack of funds.

"While we will not comment on whether this is, in fact, an official document, we do consider the deliberate release of what Wikileaks believes to be a classified document is irresponsible and, if valid, could put U.S. military personnel at risk," Rear Adm. Gregory J. Smith, a spokesman for American military command in Baghdad, told the New York Times after Wikileaks posted a classified 2005 document about rules of engagement in that country.

From rforno at infowarrior.org Tue Mar 16 11:18:41 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 Mar 2010 07:18:41 -0400
Subject: [Infowarrior] - FCC Broadband Plan (PDF)
Message-ID:

FCC Broadband Plan (PDF)
http://download.broadband.gov/plan/national-broadband-plan.pdf

From rforno at infowarrior.org Tue Mar 16 11:31:59 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 Mar 2010 07:31:59 -0400
Subject: [Infowarrior] - C-Span Puts Full Archives on the Web
Message-ID:

March 16, 2010
C-Span Puts Full Archives on the Web
By BRIAN STELTER
http://www.nytimes.com/2010/03/16/arts/television/16cspan.html?pagewanted=print

WASHINGTON - Researchers, political satirists and partisan mudslingers, take note: C-Span has uploaded virtually every minute of its video archives to the Internet. The archives, at C-SpanVideo.org, cover 23 years of history and five presidential administrations and are sure to provide new fodder for pundits and politicians alike.
The network will formally announce the completion of the C-Span Video Library on Wednesday. Having free online access to the more than 160,000 hours of C-Span footage is "like being able to Google political history using the 'I Feel Lucky' button every time," said Rachel Maddow, the liberal MSNBC host. Ed Morrissey, a senior correspondent for the conservative blog Hot Air (hotair.com), said, "The geek in me wants to find an excuse to start digging."

No other cable network is likely to give away its precious archives on the Internet. (Even "Book TV" is available.) But C-Span is one of a kind, a creation of the cable industry that records every Congressional session, every White House press briefing and other acts of official Washington.

The online archives reinforce what some would call the Web's single best quality: its ability to recall seemingly every statement and smear. And it is even more powerful when the viewer can rewind the video.

The C-Span founder, Brian Lamb, said in an interview here last week that the archives were an extension of the network's public service commitment. "That's where the history will be," Mr. Lamb said.

C-Span has been uploading its history for several years, working its way to 1987, when its archives were established at Purdue University, Mr. Lamb's alma mater. The archive staff now operates from an office park in West Lafayette, Ind., where two machines that can turn 16 hours of tapes into digital files each hour have been working around the clock to move C-Span's programs online. They are now finishing the 1987 catalog.

"This is the archive's coming of age, in a way, because it's now so accessible," said Robert Browning, director of the archives.

Historically, the $1 million-a-year operation has paid for itself partly by selling videotapes and DVDs to journalists, campaign strategists and others. Mr. Browning acknowledges that video sales have waned as more people have viewed clips online.
"On the other hand, there are a lot of things people now watch that they never would have bought," he said.

The archives' fans include Ms. Maddow, who called it gold. "It's raw footage of political actors in their native habitat, without media personalities mediating viewers' access," she wrote in an e-mail message.

Similarly, Mr. Morrissey said the archives made "for a really intriguing reference set." He pointed out, however, that the volume of videos "is so vast that finding valuable references may be a bit like looking for a needle in a haystack." C-Span executives said they hoped that its search filters would be up to the task.

Mr. Lamb said, "You can see if politicians are saying one thing today, and 15 years ago were saying another thing." He added, "Journalists can feast on it."

One of the Web site's features, the Congressional Chronicle, shows which members of Congress have spoken on the House and Senate floors the most, and the least. Each senator and representative has a profile page. Using the data already available, some newspapers have written about particularly loquacious local lawmakers.

C-Span was established in 1979, but there are few recordings of its earliest years. Those "sort of went down the drain," Mr. Browning said. But he does have about 10,000 hours of tapes from before 1987, and he will begin reformatting them for the Web soon. Those tapes include Ronald Reagan's presidential campaign speeches and the Iran-Contra hearings.

In a tour of the site last week, Mr. Browning said the various uses of the archives were hard to predict. He found that a newly uploaded 1990 United Nations address by the Romanian president Ion Iliescu was quickly discovered and published by several Romanian bloggers.

While C-Span does not receive Nielsen ratings, a recent poll by Fairleigh Dickinson University found that 52 percent of voters said they watched it at least once in a while. The poll did not distinguish among C-Span's three channels.
The original one, C-Span, shows every House of Representatives session; C-Span2 does the same for the Senate; and C-Span3 shows committee hearings, briefings, conferences and other events. The archives of all three channels have been mostly uploaded, but they can only be streamed. Mr. Browning said video downloads were on his agenda. Users can embed the videos on other Web sites and clip small sound bites for repeat viewing. The clips can help citizens gain access to important information, of course, but they can also be entertaining. Last month one of the top clips on the C-Span site was from President Obama's health care summit meeting, but it wasn't of a comment about proposed legislation, it was of Vice President Joseph R. Biden Jr. caught on a microphone saying, "It's easy being vice president." A spokesman for the vice president told reporters that Mr. Biden was "obviously joking." Regardless, the archives are a reminder that the cameras are always recording. For politicians or anyone else captured by C-Span, Mr. Browning said, "there's no more deniability."

From rforno at infowarrior.org Tue Mar 16 11:33:42 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Mar 2010 07:33:42 -0400 Subject: [Infowarrior] - Hand germs could join fingerprints, DNA in forensics labs Message-ID: <1F0CE37E-C42F-4851-B9EC-B1BA3D0F959B@infowarrior.org>

Hand germs could join fingerprints, DNA in forensics labs
Mar 15 03:13 PM US/Eastern
http://www.google.com/hostednews/afp/article/ALeqM5hNy0acu4hmHKYVDhnGGeA9A56NiA

Forensic scientists could soon use hand germs to help identify criminals and victims, a study said Monday. Researchers led by Noah Fierer of the University of Colorado at Boulder swabbed individual keys on three personal computer keyboards, extracted bacterial DNA from the swabs and compared the results with bacteria on the fingertips of the keyboards' users.
They also lifted germs from an unspecified number of other private and public computer keyboards that the three individuals did not use to see if there was a cross-over between the bacteria on an individual's hands and bacteria on keyboards that had never been touched by that individual. The bacteria on each person's fingers were "personal" and gave a much closer match to the germs on the keyboard they used than to bacteria found on keyboards they had never touched, the researchers said. The researchers also swabbed nine personal computer mice that had not been touched for at least 12 hours and took bacteria samples from the palms of their owners. The bacteria on each mouse were "significantly more similar" to those found on the owner's hand than to bacteria taken from 270 other hands, which were on record from previous studies. "Each one of us leaves a unique trail of bugs behind as we travel through our daily lives," said Fierer, a professor at the University of Colorado's ecology and evolutionary biology department, adding that hand bugs could "become a valuable new item in the toolbox of forensic scientists." Hand germs are abundant, can be lifted from small areas and are remarkably hardy. The researchers found that colonies of hand bacteria remain essentially unchanged after two weeks at room temperature, and recovered within hours of handwashing. Fingerprints, however, can be smudged or impossible to obtain, such as on fabric. And unless there is blood, tissue, semen or saliva on an object, it is often difficult to obtain enough human DNA for forensic identification, said the study published in the Proceedings of the National Academy of Sciences (PNAS). "Given the abundance of bacterial cells on the skin surface... it may be easier to recover bacterial DNA than human DNA from touched surfaces although additional studies are needed to confirm that this is actually true," the study said. 
Copyright AFP 2008

From rforno at infowarrior.org Wed Mar 17 00:58:24 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Mar 2010 20:58:24 -0400 Subject: [Infowarrior] - FAA: Boeing 777s must get new software Message-ID:

FAA: Boeing 777s must get new software
By HARRY R. WEBER, AP Airlines Writer
2 hrs 14 mins ago
http://news.yahoo.com/s/ap/20100316/ap_on_bi_ge/us_boeing777s_autopilot_problems/print

ATLANTA -- The Federal Aviation Administration wants new software installed on Boeing 777s to prevent crews from inadvertently engaging the autopilot before takeoff. The problem can result in a high-speed rejected, or aborted, takeoff and increase the chance of a runway overrun. Boeing says the problem is rare -- just nine reported instances of a rejected takeoff because of inadvertent engagement of the autopilot during the 777's 15-year service history. Two incidents occurred in January. There have been no runway overruns or injuries associated with the issue. The airworthiness directive is to be published in the Federal Register on Wednesday. The rule, which applies to certain model 777-200, 777-200LR, 777-300, 777-300ER and 777F series airplanes, takes effect 15 days later. The 777 is a long-range, wide-body aircraft that seats over 300 passengers. One configuration allows for seating up to 440 passengers. Boeing Co., which is based in Chicago, has delivered 254 777s to U.S. carriers through February. Excluding leasing companies, 147 of the airplanes are operated by U.S. carriers, according to Boeing. Delta Air Lines, the world's biggest carrier, lists on its Web site that as of Sept. 30, 2009, it owned eight Boeing 777-200ERs and eight 777-200LRs. American Airlines says on its Web site that as of May 2009 it had 47 Boeing 777s. United Airlines says on its Web site that it had 52 Boeing 777-200s in its mainline fleet as of the end of 2009. Boeing said it supports the FAA's directive.
The company said the directive essentially mandates the service bulletin it issued to 777 operators on Jan. 22. Boeing shares fell 68 cents, or 1 percent, to close at $68.72 in Tuesday trading.

From rforno at infowarrior.org Wed Mar 17 01:49:43 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Mar 2010 21:49:43 -0400 Subject: [Infowarrior] - Infosec parts of FCC Broadband Plan Message-ID:

(c/o AF)

360 pages on broadband, probably the most important govt document about shaping infrastructure investment in a while, and less than 3 pages on security. Of their 4 sources on the actual problem, two of them refer to a controversial Mike McConnell oped in the Post. On one hand, I'm glad the FCC is not trying to do something important badly, but on the other hand, I don't understand why they are not trying to stake out a bigger chunk of this.

< - >

From FCC's "Connecting America: The National Broadband Plan", March 2010

16.2 Promoting Cybersecurity and Protecting Critical Infrastructure

Improving Cybersecurity

Communications providers have experienced frequent attacks on critical Internet infrastructure. A variety of state and non-state entities has demonstrated the ability to steal, alter or destroy data and to manipulate or control systems designed to ensure the functioning of portions of our critical infrastructure. Additional safeguards may be necessary to protect our nation's commercial communications infrastructure from cyberattack. Such safeguards could promote confidence in the safety and reliability of broadband communications and spur adoption.

Recommendation 16.5: the FCC should issue a cybersecurity roadmap. Admiral Mike McConnell, former Director of National Intelligence, said recently that "the United States is fighting a cyber-war today, and we are losing."[29] He noted that "to the extent that the sprawling U.S.
economy inhabits a common physical space, it is in our communications networks."[30] The country needs a clear strategy for securing the vital communications networks upon which critical infrastructure and public safety communications rely. Within 180 days of the release of this plan, the FCC should issue, in coordination with the Executive Branch, a roadmap to address cybersecurity. The FCC roadmap should identify the five most critical cybersecurity threats to the communications infrastructure and its end users. The roadmap should establish a two-year plan, including milestones, for the FCC to address these threats.

Recommendation 16.6: the FCC should expand its outage reporting requirements to broadband service providers. Today the FCC currently does not regularly collect outage information when broadband service providers experience network outages. This lack of data limits our understanding of network operations and of how to prevent future outages. The FCC should initiate a proceeding to extend FCC Part 4 outage reporting rules to broadband Internet service providers (ISPs) and interconnected VoIP providers. Such reports will allow the FCC, other federal agencies and, as appropriate, service providers to analyze information on outages affecting IP-based networks. The information also will help prevent future outages and ensure a better response to actual outages. The timely and disciplined reporting of network outages will help protect broadband communications networks from cyberattacks, by improving the FCC's understanding of the causes and how to recover. This will help improve cybersecurity and promote confidence in the safety and reliability of broadband communications.[31]

Recommendation 16.7: the FCC should create a voluntary cybersecurity certification program. Many Internet users apparently do not consider cybersecurity a priority.
Nearly half of all businesses in the 2009 Global State of Information Security Study reported that they are cutting budgets for information security initiatives. A 2008 Data Breach Investigations Report concluded that 87% of cyber breaches could have been avoided if reasonable security controls had been in place.[32] The FCC should explore how to encourage voluntary efforts to improve cybersecurity. The FCC should begin a proceeding to establish a voluntary cybersecurity certification system that creates market incentives for communications service providers to upgrade their network cybersecurity. The FCC should examine additional voluntary incentives that could improve cybersecurity as and improve education about cybersecurity issues, and including international aspects of the issues. A voluntary cybersecurity certification program could promote more vigilant network security among market participants, increase the security of the nation's communications infrastructure and offer end-users more complete information about their providers' cybersecurity practices. In this proceeding, the FCC should consider all measures that will promote confidence in the safety and reliability of broadband communications.[33]

Recommendation 16.8: the FCC and the Department of Homeland Security (DHS) should create a cybersecurity information reporting system (CIRS). The FCC, other government partners and ISPs lack "situational awareness" to allow them to respond in a coordinated, decisive fashion to cyber attacks on communications infrastructure. The FCC and DHS's Office of Cybersecurity and Communications together should develop an IP network CIRS to accompany the existing Disaster Information Reporting System. CIRS will be an invaluable tool for monitoring cybersecurity and providing decisive responses to cyberattacks. CIRS should be designed to disseminate information rapidly to participating providers during major cyber events.
CIRS should be crafted as a real-time voluntary monitoring system for cyber events affecting the communications infrastructure. The FCC should act as a trusted facilitator to ensure any sharing is reciprocated and that the system is structured so ISP proprietary information remains confidential.

Recommendation 16.9: the FCC should expand its international participation and outreach. The FCC should increase its participation in domestic and international fora addressing international cybersecurity activities and issues. It should also engage in dialogues and partnerships with regulatory authorities addressing cybersecurity matters in other countries. This should include outreach to foreign communications regulators and international organizations about elements of the National Broadband Plan (see Chapter 4 which discusses international outreach). The FCC should also continue to review other nations' and organizations' cybersecurity activities so it is better aware of those activities as they relate to U.S. domestic policies. And it should continue to participate in domestic initiatives that relate to cybersecurity activities in the international arena.

Critical Infrastructure Survivability

Recommendation 16.10: the FCC should explore network resilience and preparedness. Simultaneous failure of or damage to several IP network facilities or routers could halt traffic between major metropolitan areas or between national security and public safety offices. Because many companies colocate equipment, damage to certain buildings could affect a large amount of broadband traffic, including NG 911 communications. The FCC should begin an inquiry into the resilience of broadband networks under a set of physical failures -- either malicious or non-malicious -- and under severe overload. This will allow the FCC to assess the ability of next-generation public safety communications systems to withstand direct attacks and to determine if any actions should be taken in this regard.
This proceeding should also examine commercial networks' preparedness to withstand overloads that may occur during extraordinary events such as bioterrorism attacks or pandemics. DHS has developed pandemic preparedness best practices for network service providers, but adherence to these voluntary standards is not tracked. For example, a surge in residential broadband network use during a pandemic or other disaster could hinder network performance for critical users and applications by hindering the flow of time-sensitive medical and public health information over public networks. This proceeding will give the FCC insight into pandemic preparedness in commercial broadband networks. In addition, it will yield important information about the susceptibility of such networks to severe overloads and how network congestion on residential-access networks -- particularly in the "last mile" -- may undermine public safety communications and 911 access during a pandemic or other large-scale event.[34]

Recommendation 16.11: the FCC and the National Communications System (NCS) should create priority network access and routing for broadband communications. Broadband users in the public safety community have no system of priority access and routing on broadband networks. Such a system is critical to protect time-sensitive, safety-of-life information from loss or delay due to network congestion. While technical work is under way to allow the creation of such a system, no corresponding set of FCC rules exists to support it. The FCC and the National Communications System (NCS) should leverage their experience with the Government Emergency Telecommunications Service (GETS) and the WPS to jointly develop a system of priority network access and traffic routing for national security/emergency preparedness (NS/EP) users on broadband communications networks.
The Executive Branch should consider clarifying a structure for agency implementation and delineating responsibilities and key milestones; the order should be consistent with national policies already in existing presidential documents. The FCC and NCS should jointly manage this program.

Recommendation 16.12: the FCC should explore standards for broadband communications reliability and resiliency. For years, communications networks were designed and deployed to achieve "carrier-class" reliability. As the communications infrastructure migrates from older technologies to broadband technology, critical communications services will be carried over a communications network that may or may not be built to these high standards. The potential decline in service reliability is a concern for critical sectors, such as energy and public safety, and for consumers in general. The FCC should begin an inquiry proceeding to gain a better understanding of the reliability and resiliency standards being applied to broadband networks. The proceeding should examine the standards and practices applied to broadband infrastructure at all layers, from applications to facilities. Its objective should be to determine what action, if any, the FCC should take to bolster reliability of broadband infrastructure.

29 See Mike McConnell, Op.-Ed., Mike McConnell on How to Win the Cyber-War We're Losing, Wash. Post, Feb. 28, 2010, http://www.washingtonpost.com/wp-dyn/content/article/2010/02/25/AR2010022502493.html (McConnell, How to Win the Cyber-War).
30 McConnell, How to Win the Cyber-War.
31 Steven Chabinsky, Deputy Ass't Director-Cyber Division, Fed. Bureau of Investigation (FBI), Testimony before the U.S. Senate Judiciary Committee, Subcommittee on Terrorism and Homeland Security (Nov. 17, 2009). The FBI considers the cyber threat against the nation to be "one of the greatest concerns of the 21st century." Id.
32 Verizon Business, 2008 Data Breach Investigations Report 2-3 (2008), available at http://www.verizonbusiness.com/resources/security/databreachreport.pdf.
33 The Commission will have to allocate funding to obtain a vendor to develop audit criteria and to accredit third-party certification bodies. Congress should consider public funding for the FCC in its next budget and on an ongoing basis as required.
34 In fact, estimates of residential-access network capacity suggest that current networks can carry between 1/100 and 1/10 of their advertised per-user capacity. See also AT&T Comments in re National Broadband Plan NOI, filed June 8, 2009, at 67-69; Telcordia Comments in re National Broadband Plan NOI, filed June 8, 2009, at 19.

From rforno at infowarrior.org Wed Mar 17 02:22:54 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Mar 2010 22:22:54 -0400 Subject: [Infowarrior] - Measure would force White House, private sector to collaborate in cyber-crisis Message-ID: <26DFD5D2-0B42-4193-9706-88563D2DADB4@infowarrior.org>

Measure would force White House, private sector to collaborate in cyber-crisis
By Ellen Nakashima
Washington Post Staff Writer
Wednesday, March 17, 2010; A04
http://www.washingtonpost.com/wp-dyn/content/article/2010/03/16/AR2010031603811_pf.html

Key members of Congress are pushing legislation that would require the White House to collaborate with the private sector in any response to a crisis affecting the nation's critical computer networks. The Cybersecurity Act, drafted by Senate commerce committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), another committee member, is an attempt to prod the Obama administration and Congress to be more aggressive in crafting a coordinated national strategy for dealing with cyberthreats.
The senators also sponsored the National Cybersecurity Advisor Act, which would create a Senate-confirmed, Cabinet-level position to lead efforts to protect the nation's computer systems, elevating the role of the cyber coordinator's job that President Obama filled late last year. Together, the bills compose the Rockefeller-Snowe cybersecurity legislation. Both senators also are members of the intelligence committee, which might draft legislation of its own, and they are privy to classified briefings on cyberthreats. Despite an effort late in the Bush administration to create a national cyber plan, the Obama administration's effort has been slowed by disputes over what roles the government and the private sector should play in protecting U.S. computer networks. "Too much is at stake for us to pretend that today's cybersecurity policies meet the challenge of protecting us from tomorrow's cyber attacks -- which are waged on our wallets and our power grids and literally threaten to shut down our way of life," Rockefeller said in an e-mail. The Cybersecurity Act was introduced last year to jump-start the debate, but it proved so controversial that it was reworked three times. The new version deletes a provision that would have enabled the president to shut down portions of computer networks in an emergency. The so-called "kill switch" was seen by critics as giving the president authority to shut down the Internet. Instead, the bill would require the White House to work with the private sector in designating which industry networks are considered "critical" and to determine how those networks should be protected. The Department of Homeland Security is creating an emergency response plan, but the legislation would mandate participation of other agencies with a stake in cybersecurity, such as intelligence agencies and the Pentagon. 
The bill would confer no new presidential authority but is an attempt to clarify the government's authority to avoid bureaucratic confusion, a congressional aide said. Phillip J. Bond, president and chief executive of TechAmerica, an industry group that has commented on drafts of the legislation, said the group is taking a "trust but verify" approach. "We'll want to verify that innovation trumps regulation in terms of the bill's approach, that partnership trumps mandates in terms of working with industry," he said. Bond and other industry leaders have said that the lack of a similar measure in the House, and the lateness of the session, would make passage of the legislation difficult this year.

From rforno at infowarrior.org Fri Mar 19 00:47:02 2010 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 Mar 2010 20:47:02 -0400 Subject: [Infowarrior] - "Piracy" sounds too sexy, say rightsholders Message-ID: <7DE82A52-F4BC-427F-B731-311DBD6EC7B9@infowarrior.org>

"Piracy" sounds too sexy, say rightsholders
By Nate Anderson | Last updated about 12 hours ago
http://arstechnica.com/tech-policy/news/2010/03/piracy-sounds-too-sexy-say-rightsholders.ars

For years, we've heard complaints about using the term "piracy" to describe the online copyright infringement -- but most have come from Big Content's critics. As noted copyright scholar William Patry argued in his most recent book, "To say that X is a pirate is a metaphoric heuristic, intended to persuade a policymaker that the in-depth analysis can be skipped and the desired result immediately attained... Claims of piracy are rhetorical nonsense." That may well be true, but copyright holders have long preferred the term, with its suggestions of theft, destruction, and violence. The "pirates" have now co-opted the term, adopting it with gusto and hoisting the Jolly Roger across the Internet (The Pirate Bay being the most famous example).
Some of those concerned about online copyright infringement now realize that they may have created a monster by using the term "piracy." This week, at the unveiling of a new study for the International Chamber of Commerce which argued that 1.2 million jobs could be lost in Europe as a result of copyright infringement by 2015, the head of the International Actors' Federation lamented the term. "We should change the word piracy," she said at a press conference. "To me, piracy is something adventurous, it makes you think about Johnny Depp. We all want to be a bit like Johnny Depp. But we're talking about a criminal act. We're talking about making it impossible to make a living from what you do." Translation: we should have chosen a less-sexy term. Speaking at a very different event in Abu Dhabi last week, Rupert Murdoch's son James did his part to redefine the sexy "pirates" as common thieves and nothing more. "There is no difference with going into a store and stealing Pringles or a handbag and taking this stuff," he said. "It's a basic condition for investment and economic growth and there should be the same level of property rights whether it's a house or a movie. The idea that there's a new consumer class and you have to be consumer-friendly when they're stealing stuff. No. There should be the same level of sanctity as there is around property. Content is no different. They're not crazy kids. No. Punish them." Yikes. "Piracy" has certainly had negative effects on many sectors of the content industry, but some of the sturm und drang coming from people like Murdoch is just ridiculous. As Patry and writers like Steve Knopper point out, the disaggregation of the album has been one of the key drivers of lower music revenues -- and movies are doing pretty well. In fact, theaters are setting box office records. As departing MPAA Chairman Dan Glickman said in a speech to theater owners recently (PDF), "What a year!
As John said, a 10 percent lift for the box office here at home...a 30 percent jump globally since 2005. Reversing a two-year trend, we have more people going to the movies...and more folks going more often...with a hard-core of movie fans -- the 10 percent who go once or more a month -- accounting for half of all ticket sales."

From rforno at infowarrior.org Fri Mar 19 21:54:15 2010 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 19 Mar 2010 17:54:15 -0400 Subject: [Infowarrior] - IRS dogged by information security lapses that make taxpayer records 'vulnerable' Message-ID:

Report: IRS dogged by information security lapses that make taxpayer records 'vulnerable'
By Tony Romm - 03/19/10 03:35 PM ET
http://thehill.com/blogs/hillicon-valley/technology/87931-report-irs-dogged-by-information-security-lapses-that-make-taxpayer-records-vulnerable

The Internal Revenue Service remains dogged by serious information security lapses, many of which federal investigators have asked the agency to correct since 2008, according to a new Government Accountability Office report. Despite multiple warnings, IRS officials still do not "enforce strong password management," limit user access to information and programs appropriately, monitor security events on key computers or "physically protect its computer resources," according to the GAO review, released Friday. Consequently, GAO officials warn the IRS will remain "unnecessarily vulnerable" to insider threats -- including the "disclosure, modification or destruction of financial and taxpayer information" -- for as long as those crucial security holes persist. The lapses represent "a material weakness in internal controls over financial reporting related to information security," the GAO wrote Friday in a letter to Douglas Shulman, the commissioner of the IRS.
In previous audits, the GAO pinpointed 89 "weaknesses and deficiencies" in IRS information security procedures, ranging from poorly crafted passwords to a lack of adequate computer protections. Investigators pointed those security holes out in previous reports, many of which the agency said earlier this year it had corrected, as the GAO prescribed. But the GAO actually found the IRS had addressed far fewer of its original concerns. Consequently, about 69 percent of the IRS's security flaws "remain unresolved or unmitigated," according to the GAO. "A key reason for these weaknesses is that IRS has not yet fully implemented its agency-wide information security program to ensure that controls are appropriately designed and operating effectively," the GAO emphasized. "These weaknesses -- both old and new -- continue to jeopardize the confidentiality, integrity, and availability of IRS's systems and were the basis of our determination that IRS had a material weakness in internal controls over financial reporting related to information security in fiscal year 2009," the GAO report continued. Ultimately, Shulman earlier this month chose not to respond to any of the GAO's specific criticisms. In a letter back to federal investigators, he merely repeated his agency's commitment to ensuring the security of all of its sensitive tax information and financial systems. "The security and privacy of all taxpayer and financial information is of utmost importance to us, and the integrity of our financial systems continues to be sound," he wrote. "We are committed to securing our computer environment as we continually evaluate processes, promote user awareness and apply innovative ideas to increase compliance."

From rforno at infowarrior.org Sat Mar 20 00:51:29 2010 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 19 Mar 2010 20:51:29 -0400 Subject: [Infowarrior] - ACTA: the new institution Message-ID:

ACTA: the new institution
Submitted by James Love on 18.
March 2010 - 11:06
http://keionline.org/node/807

KEI has access to yet undisclosed sections of the negotiating ACTA text. The text is organized in 6 chapters. The longest is Chapter 2 on "legal framework for enforcement of intellectual property rights." The second longest is Chapter 5, on "Institutional Arrangements." In ten pages of text, the ACTA negotiators have set out a plan to create a new institution to administer, implement and modify ACTA. ACTA is seen as playing an important role that will rival in some ways the WIPO or WTO.

The Oversight Committee

The text proposes a governing body referred to as the [CAN: Oversight] [MEX: Steering] Committee. This committee will either include representation from all ACTA countries, like the WIPO General Assembly (GA) or the W.H.O. World Health Assembly (WHA), or it will be organized more like the W.H.O. Executive Board, with representatives from some countries.

The new ACTA Committee shall:
- Supervise the implementation of ACTA
- Consider further "elaboration" or "development" of the agreement
- Address "disputes that may arise regarding the interpretation or application" of ACTA
- Consider any other matter that may affect the operation of this agreement.

The Committee may:
- Establish ad hoc or standing committees, working groups, experts groups, or task forces to carry out various activities.
- Seek the advice of non-government persons or groups
- make recommendations regarding the implementation of ACTA,
- provide guidelines for implementing the agreement
- identify and monitor techniques of piracy and counterfeiting
- assist non-parties in assessing the benefits of accession,
- share information on best practices
- support international organizations
- take other such actions as the parties may decide.

Amendments to ACTA

In Chapter 6 of ACTA, there is a proposal to allow the Oversight Committee to amend the provisions of ACTA.

Secretariat

The Committee is expected to meet regularly, as well as in special sessions.
The EU wants the meetings to be normally held in Geneva. The ACTA Secretariat may be provided by the country serving as the Chair, or be a permanent independent secretariat, possibly existing within another international body (such as UPOV within WIPO, or UNITAID within WHO). Korea wants the secretariat to be provided by the WTO. Morocco wants the secretariat connected to WIPO. The new ACTA institution will provide a mechanism for consultation, "regarding, such representations as may be made [US: to it] by another party with respect to any matter affecting the operation of this agreement."

Observers

The ACTA institution can extend invitations to governments who are candidates to join ACTA, to attend as observers. There may or may not be a process to extend invitations to international organizations active in the field of intellectual property to become observers, and to non-governmental groups of intellectual property stakeholders. [Note: USTR has told members of Congress it is their intention to marginalize the participation by consumer interest organizations in the new forum.]

Capacity Building and Technical Assistance

In Chapter 3 of ACTA, there is text concerning the role of ACTA in "capacity building and technical assistance" to improve the enforcement of intellectual property rights, with a particular focus on developing countries. Parties providing technical assistance may undertake the obligations under this Article in conjunction with relevant private sector or international organizations. The technical assistance activity will include "integration of anti-counterfeiting and anti-hacking actions in national development strategies," and "shall be designed to help developing countries to harmonize their laws, to carry out their obligations and to exercise their rights as Members.
From rforno at infowarrior.org Sun Mar 21 19:11:34 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 21 Mar 2010 15:11:34 -0400
Subject: [Infowarrior] - High-tech copy machines a gold mine for data thieves
References:
Message-ID: <073BB8F0-AC6A-4C0E-95A3-8608DC017F9E@infowarrior.org>

Begin forwarded message:

> From: Simon Taplin
> Date: March 21, 2010 3:09:18 PM EDT
>
> High-tech copy machines a gold mine for data thieves
> Noor Javed
> Staff Reporter
>
> http://www.thestar.com/news/gta/article/781567--high-tech-copy-machines-a-gold-mine-for-data-thieves#article
>
> Want to know what expenses your boss claimed last month? How much your colleague makes? What the co-worker down the hall is really working on? Forget about hacking their computers -- you might want to hit the nearest photocopier instead.
>
> Turns out the newfangled, multi-purpose copy machines in your office keep a wealth of copied data on a hard drive that anyone can hack.
>
> In the age of everything digital, the photocopier is probably the one workplace item you never thought to worry about. It's just making a copy of a document, right? How risky could that be?
>
> Very risky, as it turns out. You might want to press cancel on the copy machine right about now.
>
> Victor Beitner, a security expert who reconfigures photocopy machines destined for resale in Toronto, says businesses are completely unaware of the potential information security breach when the office photocopier is replaced.
>
> They think the copier is just headed for a junkyard but, in most cases, when the machine goes, so does sensitive data that have been stored on the copier's hard drive for years.
>
> "If I was the kind of person looking for certain information, this would be a gold mine," said Beitner, founder of Cyber Security Canada, a security, privacy and threat management company. "People have no clue of what the risks are."
>
> Of the dozens of multi-purpose copiers Beitner has cleaned out in the past two years, he has seen hundreds of scanned documents that would be considered confidential. As a personal policy, he never reads them, but can easily tell where they are by the file names and sizes.
>
> "In almost all the machines I have seen, the files, phone numbers, fax numbers and email addresses are left there as if it was still in the office," said Beitner. "There are files from insurance companies, medical facilities, pharmaceutical and regular office-type documents," he said.
>
> Even though high-volume photocopy machines with hard drives have been around for more than five years -- most large offices today would have them, the kind that photocopy 35 to 60 pages a minute -- people rarely think of them as computers, said University of Toronto computer science professor Graeme Hirst.
>
> "Modern, large, office-type photocopiers are computers. The whole system is controlled by a computer, it has a hard disk. It scans images and they are stored on the disc," said Hirst. "They are also networked computers, and they have all the same security issues that a computer does, so all the same security issues arise," he said.
>
> Such as being targeted by hackers, said Beitner. Any web-savvy, techno-whiz kid could easily access the hard drive, or send all scans to email or, if they have the password, retrieve copies of confidential documents by simply hooking their laptop up to the copier.
>
> And, as a few Google searches will show you, you don't even need to leave the comfort of your home. The activity of photocopiers linked to an unsecure network can be seen and tracked online. With a few clicks of a mouse, and no knowledge of how to hack, we could see the latest activity of a photocopier in Korea, which included copies of invoices and employee expenses.
>
> "I am at the administrator level of the network," said Hirst. "If the password is changed, I can't get in and change any of the settings. But sometimes, all the logins and passwords are easily found online."
>
> In Toronto, most rented photocopiers are picked up when the lease is almost over, usually anywhere from two to five years. If the copiers are in good shape, they are often destined for auction, where they are bought to be resold. Some end up with dealers, who ensure confidential information is erased. Others can be found on Kijiji or Craigslist, and likely still have crucial data on them.
>
> Some companies, like Rite Copy Service, tell their clients to remove the hard drives and purge them before they are picked up for resale. Or they replace the hard drives. But that costs extra time and money.
>
> The cheaper thing to do, says Beitner, is to make the data inaccessible, clear the memory on the machine and change the pass codes through the machine panel. It doesn't completely wipe the hard drive, but renders it unusable to the average person.
>
> "Ninety-nine per cent of the population can't get to it. But it's the one per cent, the guy who is going to come in the middle of the night, take the hard drive out and scrub all the data off it," said Beitner. "There is still that risk."
>
> It's an issue that first came to light five years ago, and larger copy companies also came up with solutions, said Dr. Avner Levin, the director of the Privacy and Cyber Crime Institute at Ryerson University. Companies like Xerox now have enhanced security measures that enable an office to remove the hard drive and do digital shredding.
>
> Levin says this is really part of a larger issue -- the lack of awareness about technology in the everyday work environment.
>
> "People in general aren't very good about storing their data, but here is a case where they don't even know their data is being stored," he said. "I think few people think about the consequences of the technology they are using."

From rforno at infowarrior.org Mon Mar 22 03:56:51 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 21 Mar 2010 23:56:51 -0400
Subject: [Infowarrior] - U-2 Spy Plane Evades the Day of Retirement
Message-ID: <90911C98-5E2D-4AE1-B865-56794D2A7D26@infowarrior.org>

March 21, 2010
U-2 Spy Plane Evades the Day of Retirement
By CHRISTOPHER DREW
http://www.nytimes.com/2010/03/22/business/22plane.html?hp=&pagewanted=print

The U-2 spy plane, the high-flying aircraft that was often at the heart of cold war suspense, is enjoying an encore.

Four years ago, the Pentagon was ready to start retiring the plane, which took its first test flight in 1955. But Congress blocked that, saying the plane was still useful.

And so it is. Because of updates in the use of its powerful sensors, it has become the most sought-after spy craft in a very different war in Afghanistan. As it shifts from hunting for nuclear missiles to detecting roadside bombs, it is outshining even the unmanned drones in gathering a rich array of intelligence used to fight the Taliban.

All this is a remarkable change from the U-2's early days as a player in United States-Soviet espionage. Built to find Soviet missiles, it became famous when Francis Gary Powers was shot down in one while streaking across the Soviet Union in 1960, and again when another U-2 took the photographs that set off the Cuban missile crisis in 1962.

Newer versions of the plane have gathered intelligence in every war since then and still monitor countries like North Korea. Now the U-2 and its pilots, once isolated in their spacesuits at 70,000 feet, are in direct radio contact with the troops in Afghanistan. And instead of following a rote path, they are now shifted frequently in midflight to scout roads for convoys and aid soldiers in firefights.
In some ways, the U-2, which flew its first mission in 1956, is like an updated version of an Etch A Sketch in an era of high-tech computer games.

"It's like after all the years it's flown, the U-2 is in its prime again," said Lt. Col. Jason M. Brown, who commands an intelligence squadron that plans the missions and analyzes much of the data. "It can do things that nothing else can do."

One of those things, improbably enough, is that even from 13 miles up its sensors can detect small disturbances in the dirt, providing a new way to find makeshift mines that kill many soldiers.

In the weeks leading up to the recent offensive in Marja, military officials said, several of the 32 remaining U-2s found nearly 150 possible mines in roads and helicopter landing areas, enabling the Marines to blow them up before approaching the town.

Marine officers say they relied on photographs from the U-2's old film cameras, which take panoramic images at such a high resolution they can see insurgent footpaths, while the U-2's newer digital cameras beamed back frequent updates on 25 spots where the Marines thought they could be vulnerable.

In addition, the U-2's altitude, once a defense against antiaircraft missiles, enables it to scoop up signals from insurgent phone conversations that mountains would otherwise block. As a result, Colonel Brown said, the U-2 is often able to collect information that suggests where to send the Predator and Reaper drones, which take video and also fire missiles. He said the most reliable intelligence comes when the U-2s and the drones are all concentrated over the same area, as is increasingly the case.

The U-2, a black jet with long, narrow wings to help it slip through the thin air, cuts an impressive figure as it rises rapidly into the sky. It flies at twice the height of a commercial jet, affording pilots views of such things as the earth's curvature.

But the plane, nicknamed the Dragon Lady, is difficult to fly, and missions are grueling and dangerous. The U-2s used in Afghanistan and Iraq commute each day from a base near the Persian Gulf, and the trip can last nine to 12 hours. Pilots eat meals squeezed through tubes and wear spacesuits because their blood would literally boil if they had to eject unprotected at such a high altitude.

As the number of flights increases, some of the plane's 60 pilots have suffered from the same disorienting illness, known as the bends, that afflicts deep-sea divers who ascend too quickly.

Relaxing recently in their clubhouse at Beale Air Force Base near Sacramento, Calif., the U-2's home base, several pilots said the most common problems are sharp joint pain or a temporary fogginess. But in 2006, a U-2 pilot almost crashed after drifting in and out of consciousness during a flight over Afghanistan.

The pilot, Kevin Henry, now a retired Air Force lieutenant colonel, said in an interview that he felt as if he were drunk, and he suffered some brain damage. At one point, he said, he came within five feet of smashing into the ground before miraculously finding a runway.

As a safety measure, U-2 pilots start breathing pure oxygen an hour before takeoff to reduce the nitrogen in their bodies and cut the risk of decompression sickness. Mr. Henry, who now instructs pilots on safety, thinks problems with his helmet seal kept him from breathing enough pure oxygen before his flight.

Lt. Col. Kelly N. West, the chief of aerospace medicine at Beale, said one other pilot had also been disqualified from flying the U-2. Since 2002, six pilots have transferred out on their own after suffering decompression illnesses.

Still, most of the pilots remain undeterred, and the Air Force is taking more precautions. Holding an oxygen mask to his nose, one pilot, Maj. Eric M. Shontz, hopped on an elliptical machine for 10 minutes before a practice flight at Beale to help dispel the nitrogen faster. Several assistants then made sure he stayed connected to an oxygen machine as they sealed his spacesuit and drove him to the plane.

Major Shontz and other U-2 pilots say the planes gradually became more integrated in the operations in Iraq and Afghanistan. But since the flights over Afghanistan began to surge in early 2009, the U-2s have become a much more fluid part of the daily battle plan.

Major Shontz said he was on the radio late last year with an officer as a rocket-propelled grenade exploded. "You could hear his voice talking faster and faster, and he's telling me that he needs air support," Major Shontz recalled. He said that a minute after he relayed the message, an A-10 gunship was sent to help.

Brig. Gen. H.D. Polumbo Jr., a top policy official with the Air Force, said recent decisions to give intelligence analysts more flexibility in figuring out how to use the U-2 each day had added to its revival.

Over beers at the clubhouse, decorated with scrolls honoring the heroes of their small fraternity, other U-2 pilots say they know their aircraft's reprieve will last only so long. And the U-2's replacement sits right across the base -- the Global Hawk, a remote-controlled drone that flies almost as high as the U-2 and typically stays aloft for 24 hours or more.

The first few Global Hawks have been taking intelligence photos in Iraq and Afghanistan. But a larger model that could also intercept communications has been delayed, and the Air Force is studying how to add sensors that can detect roadside bombs to other planes. So officials say it will most likely be 2013 at the earliest before the U-2 is phased into retirement.

"We've needed to be nimble to stay relevant," said Doug P. McMahon, a major who has flown the U-2 for three years. "But eventually it's bound to end."
From rforno at infowarrior.org Mon Mar 22 17:32:41 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 22 Mar 2010 13:32:41 -0400
Subject: [Infowarrior] - Google Is Hiring Bond Traders
Message-ID: <76A08892-011A-4734-9CB5-925CEC8CFD0E@infowarrior.org>

Google Is Hiring Bond Traders
http://www.businessinsider.com/google-builds-bond-trading-desk-in-bid-to-make-money-off-of-cash-reserves-2010-3

Google is hiring traders for its new bond trading platform, according to published advertisements on its job site. Currently, roles include trader of foreign government bonds, portfolio analyst for Google's U.S. government bond portfolio, and a portfolio analyst for agency mortgage-backed securities. All of the roles are at Google's Mountain View facility.

A source who interviewed for one of the positions said that this was a means for Google (GOOG) to make use of its large cash reserves. Google has long discussed using its access to massive amounts of data to build a hedge fund.

Here's the full listing:

Trader, Foreign Government Bonds - Mountain View
This position is based in Mountain View, CA

The area: Finance
Google's Tax and Treasury teams consist of strong, creative performers with deep expertise in their respective fields. We contribute to our company's growing global success by dealing with challenging issues and concepts and then applying them to rapidly evolving business models. In Treasury, we provide funding, risk management and mitigation support as well as investment oversight. The Tax group is responsible for global tax planning and compliance, defending the company in tax audits, and ensuring that the company accurately reports its tax matters in public filings.

The role: Trader, Foreign Government Bonds
This position involves executing trades for foreign government bond portfolios and maintaining those portfolios. This role also involves financial model building and the construction of tools to enhance performance and portfolio construction, as well as interaction with the sell-side team, portfolio managers, portfolio management team, trading operations team, other traders, and senior management.

Responsibilities:
- Execute trades for foreign government bond portfolio and construct/maintain multi-country portfolios that are within risk tolerances and constraints
- Interact with sell-side to stay current on market trends and interact with portfolio managers to enhance quantitative models
- Develop performance tools to ensure performance attribution, develop portfolio construction and trading tools, and develop tools to assist in the valuation of the rates products
- Deal with day to day administrative issues in support of trading activities and report monthly to senior management
- Drive valuation-related initiatives and identify investment opportunities, as well as enhance price-testing, reporting, and valuation risk control processes

Requirements:
- BS/BA or equivalent experience in Finance, economics, mathematics, statistics, or engineering; CFA (or on CFA track) preferred
- At least 5 years of relevant experience trading government bond portfolios, willingness to work market trading hours while in Pacific time zone
- Strong analytical, quantitative, and financial modeling skills, strong verbal and written communication skills
- Excellent with Excel and Power Point, as well as skilled at Bloomberg & trading/portfolio systems (e.g. yield book)
- Familiarity with corporate investment accounting a plus
- Has a good sense of humor

From rforno at infowarrior.org Tue Mar 23 03:05:30 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 22 Mar 2010 23:05:30 -0400
Subject: [Infowarrior] - Google Shuts China Site in Dispute Over Censorship
Message-ID: <8B312943-467F-4361-B45C-80E15CA0B411@infowarrior.org>

March 22, 2010
Google Shuts China Site in Dispute Over Censorship
By MIGUEL HELFT and DAVID BARBOZA
http://www.nytimes.com/2010/03/23/technology/23google.html?hp=&pagewanted=print

SAN FRANCISCO -- Just over two months after threatening to leave China because of censorship and intrusions from hackers, Google on Monday closed its Internet search service there and began directing users in that country to its uncensored search engine in Hong Kong.

While the decision to route mainland Chinese users to Hong Kong is an attempt by Google to skirt censorship requirements without running afoul of Chinese laws, it appears to have angered officials in China, setting the stage for a possible escalation of the conflict, which may include blocking the Hong Kong search service in mainland China.

The state-controlled Xinhua news agency quoted an unnamed official with the State Council Information Office describing Google's move as "totally wrong."

"Google has violated its written promise it made when entering the Chinese market by stopping filtering its searching service and blaming China in insinuation for alleged hacker attacks," the official said.

Google declined to comment on its talks with Chinese authorities, but said that it was under the impression that its move would be seen as a viable compromise. "We got reasonable indications that this was O.K.," Sergey Brin, a Google founder and its president of technology, said. "We can't be completely confident."

Google's retreat from China, for now, is only partial. In a blog post, Google said it would retain much of its existing operations in China, including its research and development team and its local sales force.
While the China search engine, google.cn, has stopped working, Google will continue to operate online maps and music services in China.

Google's move represents a powerful rejection of Beijing's censorship but also a risky ploy in which Google, a global technology powerhouse, will essentially turn its back on the world's largest Internet market, with nearly 400 million Web users.

"Figuring out how to make good on our promise to stop censoring search on google.cn has been hard," David Drummond, Google's chief legal officer, wrote in the blog post. "The Chinese government has been crystal clear throughout our discussions that self-censorship is a nonnegotiable legal requirement."

Mr. Drummond said that Google's search engine based in Hong Kong would provide mainland users results in the simplified Chinese characters used on the mainland and that he believed it was "entirely legal."

"We very much hope that the Chinese government respects our decision," Mr. Drummond said, "though we are well aware that it could at any time block access to our services."

Some Western analysts say Chinese regulators could retaliate against Google by blocking its Hong Kong or American search engines entirely, just as it blocks YouTube, Facebook and Twitter.

Google's decision to scale back operations in China ends a nearly four-year bet that Google's search engine in China, even if censored, would help bring more information to Chinese citizens and loosen the government's controls on the Web. Instead, specialists say, Chinese authorities have tightened their grip on the Internet in recent years.

In January, Google said it would no longer cooperate with government censors after hackers based in China stole some of the company's source code and even broke into the Gmail accounts of Chinese human rights advocates.

"It is certainly a historic moment," said Xiao Qiang of the China Internet project at the University of California, Berkeley. "The Internet was seen as a catalyst for China being more integrated into the world. The fact that Google cannot exist in China clearly indicates that China's path as a rising power is going in a direction different from what the world expected and what many Chinese were hoping for."

While other multinational companies are not expected to follow suit, some Western executives say Google's decision is a symbol of a worsening business climate in China for foreign corporations and perhaps an indication that the Chinese government is favoring home-grown companies.

Despite its size and reputation for innovation, Google trails its main Chinese rival, Baidu.com, which was modeled on Google, with 33 percent market share to Baidu's 63 percent.

The decision to shut down google.cn will have a limited financial impact on Google, which is based in Mountain View, Calif. China accounted for a small fraction of Google's $23.6 billion in global revenue last year. Ads that once appeared on google.cn will now appear on Google's Hong Kong site. Still, abandoning a direct presence in the largest Internet search market in the world could have long-term repercussions and thwart Google's global ambitions, analysts say.

Government officials in Beijing have sharpened their attacks on Google in recent weeks. China experts say it may be some time before the confrontation is resolved.

"This has become a war of ideas between the American company moralizing about Internet censorship and the Chinese government having its own views on the matter," said Emily Parker, a senior fellow at the Center on U.S.-China Relations at the Asia Society.

In China, many students and professionals said they feared they were about to lose access to Google's vast resources. In January, when Google first threatened to leave China, many young people placed wreaths at the company headquarters in Beijing as a sign of mourning.

The attacks were aimed at Google and more than 30 other American companies. While Google did not say the attacks were sponsored by the government, the company said it had enough information about the attacks to justify its threat to leave China. People, inside and outside of Google, investigating the attacks have since traced them to two universities in China: Shanghai Jiao Tong University and Lanxiang Vocational School. The schools and the government have denied any involvement.

After serving Chinese users through its search engine based in the United States, Google decided to enter the Chinese market in 2006 with a local search engine under an arrangement with the government that required it to purge search results on banned topics. But since then, Google has struggled to comply with Chinese censorship rules and failed to gain significant market share from Baidu.com.

Google is not the first American Internet company to stumble in China. Nearly every major American brand has arrived with high hopes only to be stymied by government rules or fierce competition from Chinese rivals. After struggling to compete, Yahoo sold its Chinese operations to Alibaba Group, a local company; eBay and Amazon never gained traction; and Microsoft's MSN instant messaging service badly trails that of Tencent.

Google's departure could present an opportunity for Baidu, whose stock has soared since the confrontation between Google and China began. It could also give a chance to Microsoft, a perennial underdog in Internet search, to make inroads in the Chinese market. Microsoft's search engine, Bing, has a very small share of the market.

Miguel Helft reported from San Francisco, and David Barboza from Shanghai. Steve Lohr contributed reporting from New York.
From rforno at infowarrior.org Tue Mar 23 12:52:10 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 23 Mar 2010 08:52:10 -0400
Subject: [Infowarrior] - Fake Game Installer Punishes Pirates Via Epic Privacy Breach
Message-ID: <8269484A-4FB0-4359-807F-329725ABF123@infowarrior.org>

Fake Game Installer Punishes Pirates Via Epic Privacy Breach
Written by enigmax on March 23, 2010
http://torrentfreak.com/fake-game-installer-punishes-pirates-via-epic-privacy-breach-100323

Over the years would-be game pirates have been targeted in a number of ways such as through draconian DRM schemes and even viruses. Now it appears that file-sharers who thought they were going to download a high-profile interactive erotic novel have been instead treated to a security and privacy breach of epic proportions.

Although probably not that popular with your average Western Modern Warfare 2 gamer, visual novels are very popular in Japan. Players watch and listen to a story as it unfolds and are able to influence the outcome of the plot by making decisions which cause the game to branch.

These games often have erotic and downright sexual elements and Cross Days from developer 0verflow is no different. The game suffered several delays before release, apparently so that it could be launched along with a special, ahem, USB "hands-free" device for experiencing "climax scenes" (NSFW: Male and female versions) but it was finally released just a few days ago.

Of course, not everyone would acquire the game through the official channels and many turned to file-sharing networks for their erotic gaming fix. Some, who were not particularly careful about the item they were downloading, were in for a pretty big shock.

Alongside the pirated versions of Cross Days can be found some software which claims to be the installer for the game, but is actually a piece of pretty vicious malware which appears to try to punish would-be pirates.

When run, the installer pretends to be the game but using personal information gathered from the victim's computer (including IP address), it presents a survey which asks for more personal information -- including their email address and password. Once completed, the information is uploaded to a website for all the Internet to see -- accompanied by a screenshot of the victim's desktop.

Samples of the information uploaded by the trojan can be viewed here and although much of it is in Japanese, there's enough pictures and English text to entertain most readers and thoroughly embarrass the unlucky reader of Keily's Plant.

Adding insult to injury, according to a report the installer's terms of service agreement actually states that all these things happen, but as we all know, hardly anyone reads them. Although it is possible to have the would-be pirate's personal information taken down from the website, first the user has to effectively apologize for having tried to illegally download Cross Days.

Adding to the confusion, developer 0verflow are reporting that users of Avast! anti-virus software receive a false-positive warning (Win32: Trojan-gen) when installing the real game.

This isn't the first time Japanese file-sharers have been targeted by malware writers. In 2007 a bizarre virus was released which threatened to kill people who illegally download using P2P.

From rforno at infowarrior.org Tue Mar 23 23:45:02 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 23 Mar 2010 19:45:02 -0400
Subject: [Infowarrior] - Congrats to Katie Spotz
Message-ID:

"Seventy days, five hours and 22 minutes. That's how long it took 22-year-old Katie Spotz to row solo across the Atlantic Ocean in a high-tech rowboat -- part of a fund-raising effort that also set a new record. Fresh off her 2,817-mile trek, Spotz recently talked to the Rundown about her history-making voyage. The Ohioan became the youngest person to row an entire ocean solo.....In January, Spotz departed Dakar, Senegal, on Africa's western coast and came ashore in Georgetown, Guyana, in South America. You can find a map of her journey and read a blog chronicling the adventure here. The grueling trip raised more than $70,000 for the Blue Planet Run Foundation, an organization that finances clean drinking water projects around the world."

(source: http://www.pbs.org/newshour/rundown/2010/03/spotz-solo-row-makes-history-raises-thousands.html)

Katie's rowing blog/tweets/chronicle can be found at:
http://www.mountainx.com/news/2010/katie_spotz_began_her_solo_voyage_across_the_atlantic_today

From rforno at infowarrior.org Wed Mar 24 00:19:03 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 23 Mar 2010 20:19:03 -0400
Subject: [Infowarrior] - ACTA is about more than counterfeits
Message-ID:

ACTA to cover seven categories of intellectual property
http://keionline.org/node/812
Submitted by James Love on 22. March 2010 - 8:49

KEI has access to a recent draft of ACTA. Chapter One, Section B of the agreement provides for "General Definitions." It is interesting that the term "counterfeits" does not have a general definition. The ten defined terms include:

- days
- intellectual property (See below)
- Council (ACTA Oversight Council)
- measure
- person (natural or juridical)
- right owner (includes federation or associations that have legal standing or authority to assert rights)
- territory
- TRIPS Agreement
- WTO
- WTO Agreement

ACTA is about more than counterfeits

While counterfeiting is a serious problem that deserves attention, its use in the name is widely considered a cynical bait and switch. The provisions on counterfeiting are hardly the focus. The agreement is really about the much broader topic of the enforcement of seven categories of intellectual property.
According to the Chapter One general definition, intellectual property is defined as follows: intellectual property refers to all categories of intellectual property that are the subject of section 1 through part 7 of Part II of the Agreement on Trade Related Aspects of Intellectual Property Rights. This is a reference to the TRIPS Agreement. The seven categories are: ? Copyright and Related Rights ? Trademarks ? Geographical Indications ? Industrial Designs ? Patents ? Layout-Designs (Topographies) of Integrated Circuits ? Protection of Undisclosed Information By highlighting the emotive and charged term ?counterfeiting,? a very serious but but fairly narrow type of trademark infringement and fraud, the negotiators expect to deflect scrutiny and criticism over the whole agreement, particularly from political leaders who cannot afford to be seen defending criminals engaged in counterfeiting unsafe products. By extending ACTA to cover the enforcement of seven large categories of intellectual property rights, the impact of the agreement on access to knowledge, innovation, consumer rights, privacy, and other topics is vastly expanded. From rforno at infowarrior.org Wed Mar 24 12:31:50 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 24 Mar 2010 08:31:50 -0400 Subject: [Infowarrior] - Behind the Scenes, Crafting the US No-Fly List Message-ID: <5A40C6EF-C1A4-4331-B0AD-BA9B20121AF0@infowarrior.org> http://abcnews.go.com/print?id=10058645 Behind the Scenes, Crafting the US No-Fly List A Delicate, High-Stakes And Imperfect Effort By EILEEN SULLIVAN The Associated Press WASHINGTON It starts with a tip, a scrap of intelligence, a fingerprint lifted from a suspected terrorist's home. It ends when a person is forbidden to board an airplane ? a decision that's in the hands of about six experts from the Transportation Security Administration. The no-fly list they oversee constantly changes as hundreds of analysts churn through a steady stream of intelligence. 
Managing the list is a high-stakes process. Go too far in one direction and innocent travelers are inconvenienced. Go in the other direction and a terrorist might slip onto an airplane. It could take minutes to put a name on the list. Or it could take hours, days or months. That's because the list is only as good as the nation's intelligence and the experts who analyze it. If an intelligence lead is not shared, or if an analyst is unable to connect one piece of information to another, a terrorist could slip onto an airplane. Officials allege that's just what took place ahead of the attempted Christmas Day attack on a Detroit-bound jet. In the months since the arrest of Nigerian Umar Farouk Abdulmutallab, the no-fly list has nearly doubled, from about 3,400 people to about 6,000 people, according to a senior intelligence official. The list expanded, in part, to add people associated with al-Qaida's Yemen branch and others from Nigeria and Yemen with potential ties to Abdulmutallab, a counterterrorism official said. The no-fly list has been one of the government's most public counterterrorism tools since the Sept. 11, 2001, attacks. Adding more people to the list could make Americans safer when they fly. But it could also mean more cases of mistaken identity. Current and former intelligence, counterterrorism and U.S. government officials provided The Associated Press a behind-the-scenes look at how the no-fly list is created. They spoke on condition of anonymity to discuss sensitive security issues. Despite changes over time, the list remains an imperfect tool, dependent on the work of hundreds of government terrorism analysts who sift through massive flows of information. The list ballooned after 9/11 and has fluctuated in size over the past decade. In 2004, it included about 20,000 people. The standards for getting on the list have been refined over the years, and technology has improved to make the matching process more reliable.
There are four steps to banning a person from flying:
- It begins with law enforcement and intelligence officials collecting the smallest scraps of intelligence, such as a tip from a CIA informant or a wiretapped conversation. The information is then sent to the National Counterterrorism Center, a Northern Virginia nerve center set up after 9/11. There, analysts put names, even partial names, into a huge classified database of known and suspected terrorists. The database, called Terrorist Identities Datamart Enterprise, or TIDE, also includes some suspects' relatives and others in contact with the suspects. About 2 percent of the people in this database are Americans. Analysts scour the database trying to make connections and update files as new intelligence flows in. Abdulmutallab's name was in TIDE before the Christmas Day attempt, thanks to a warning his father gave the U.S. Embassy in Nigeria about the alleged bomber's extremist ties in Yemen. But much of the information coming into the center is incomplete. This is one reason analysts didn't connect Abdulmutallab's father's warning to other fragmented pieces of information. Because of this, analysts did not send his name to the next tier of analysis at the Terrorist Screening Center, another Northern Virginia intelligence center, staffed by analysts from federal law enforcement agencies across the government.
- About 350 names a day are sent to the Terrorist Screening Center for more analysis and consideration to be put on the government-wide terror watch list. This is a list of about 418,000 people, maintained by the FBI. To place a name on that list, analysts must have a reasonable suspicion that the person is connected to terrorism. People on this watch list may be questioned at a U.S. border checkpoint or when applying for a visa. But just being on this list isn't enough to keep a person off an airplane.
Authorities must have a suspect's full name and date of birth as well as adequate information showing the suspect is a threat to aviation or national security.
- Once armed with information for those three categories, about a half-dozen experts from the Transportation Security Administration who work at the screening center have two options. They can add a suspect to the "selectee list," a roster of about 18,000 people who can still fly but must go through extra screening at the airport. Or, if analysts determine a person is too dangerous to board a plane, they can put the suspect on the no-fly list.
The names on each list are constantly under review and updated as the threat changes. In 2007, officials removed people who were no longer considered threats. Some were inactive members of the Irish Republican Army, a former law enforcement official said. And in 2008, the criteria were expanded to include information about young Somali-American men leaving the U.S. to join the international terrorist group al-Shabab, the senior intelligence official said. If a person on the no-fly list dies, his name could stay on the list so that the government can catch anyone trying to assume his identity. At times, officials have allowed passengers to fly even if they are on the no-fly list, the former law enforcement official said. In some cases, this is to let agents shadow suspected terrorists while they're in the U.S. Before this happens, FBI agents and TSA experts consult with each other. If it is decided a suspected terrorist should be allowed on the flight, he and his belongings might then go through extra screening, he might be watched on camera at the airport, and more federal air marshals might be assigned to monitor him during his flight, the former official said. As the government takes on more responsibility for checking names against the lists, officials hope the number of mistaken identity cases will dramatically decrease. And since Dec.
25, national security officials have been looking at ways to change and improve the standards for placing people on it. One thing is for sure: Another incident like the Christmas Day near-miss will cause more re-examinations of a system still far from foolproof. --- Associated Press writer Matt Apuzzo in Washington contributed to this report. --- On the Net: http://www.nctc.gov/docs/Tide?Fact?Sheet.pdf http://www.fbi.gov/terrorinfo/counterrorism/tsc.htm Copyright 2010 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed. Copyright (c) 2010 ABC News Internet Ventures From rforno at infowarrior.org Wed Mar 24 16:16:56 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 24 Mar 2010 12:16:56 -0400 Subject: [Infowarrior] - ACTA Leaked - Full Text (PDF) Message-ID: <5796A3F0-BE07-4565-BF37-2D942BD1D3D7@infowarrior.org> Finally, we can see it for ourselves .... the full text of the 18 January 2010 ACTA draft has leaked and is making its way around the Net. Interesting to see the various country comments sprinkled throughout. Should be interesting reading! (h/t TL for the headsup) Here is a mirrored copy of the scanned document (15MB). http://www.infowarrior.org/users/rforno/mirror/201001_acta.pdf On matters of lawmaking and treaties, sunlight indeed is the best disinfectant!
-rick From rforno at infowarrior.org Wed Mar 24 16:25:28 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 24 Mar 2010 12:25:28 -0400 Subject: [Infowarrior] - DHS to Try Fusion Centers for Sharing Classified Information with Industry Message-ID: DHS to Try Fusion Centers for Sharing Classified Information with Industry Source: http://fcw.com/articles/2010/03/16/web-cyber-threat-fusion-center.aspx The Department of Homeland Security (DHS) plans to start a pilot program that would use state and local intelligence fusion centers to pass secret-level information on cyber threats to critical infrastructure to critical infrastructure industry officials with security clearances, a DHS official said last week. Under the Cybersecurity Partners Local Access Program (CPLAP), officials with the necessary credentials would be able to go to a local fusion center to receive the classified information, according to Jenny Menna, Director of Critical Infrastructure Cyber Protection and Awareness at DHS' National Cyber Security Division. "We've heard from a lot of our private-sector partners that travel budgets are being cut, so this will allow people who are outside the Beltway to go to their local fusion center and get that information, and it will also help build that relationship between the fusion centers and the critical infrastructure and key resource partners within their area," Menna said. In addition to convenience, the CPLAP program would allow industry officials to build relationships with the intelligence and homeland security communities. Five fusion centers have agreed to participate in the planned pilot program, Menna said. If the pilot programs go well, CPLAP could be used to share data related to other hazards. States and municipalities own and run fusion centers that use information technology to share homeland security-related information among officials from different levels of government. 
DHS serves as the lead federal agency for the centers and is also in charge of leading the coordination of infrastructure protection between federal agencies, state and local authorities, and the private sector. A majority of the country's critical infrastructure is privately owned. From rforno at infowarrior.org Wed Mar 24 18:12:13 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 24 Mar 2010 14:12:13 -0400 Subject: [Infowarrior] - GoDaddy to stop China registrations Message-ID: World's top domain name service to stop offering Web addresses in China By Tony Romm - 03/24/10 01:45 PM ET http://thehill.com/blogs/hillicon-valley/technology/88843-worlds-top-domain-name-service-to-stop-offering-web-addresses-in-china U.S.-based GoDaddy.com, the world's largest domain name service, announced Wednesday it will no longer register new Web sites in China. The move arrives in response to China's new website ownership rules, which require holders of .cn domains to provide their personal information -- including photographs of themselves -- to the Chinese government, according to the company. GoDaddy.com plans to announce the new policy late Wednesday, at a hearing on Chinese Internet freedoms before the Congressional-Executive Commission on China. In its testimony, it is expected to describe China's new rules as threats to the "security of individuals" who use GoDaddy.com's domain name services. GoDaddy's decision to cease servicing Chinese Web domains arrives on the heels of another blow to China's Internet economy: the official departure of Google's popular search business from the state. Google announced Wednesday it would begin phasing out its search services, after an attempt to disregard Chinese censors and redirect users to its unfiltered Hong Kong portal invoked the ire of Beijing's top officials.
Google's move -- which the company first threatened in response to a January 12 cyberattack company executives blame on China -- has refocused lawmakers' attention on China's strict Web content restrictions. Many on Capitol Hill are now calling for hearings and bills that would sanction companies that operate in states with limits on Internet expression. One lawmaker who supports such a bill -- Rep. Chris Smith (R-N.J.) -- praised GoDaddy's decision to cease its China domain services on Wednesday. In a statement released before Smith joined the CECC for its China hearing, the congressman said the company, as well as Google, "deserve the U.S. government's support." "We want to see American IT companies doing the right thing, but we don't want to see them forced to leave China for doing so," he said. "Now we see that, however well-intentioned, American IT companies are not powerful enough to stand up to repressive governments." From rforno at infowarrior.org Wed Mar 24 21:05:25 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 24 Mar 2010 17:05:25 -0400 Subject: [Infowarrior] - Governments May Fake SSL Certificates Message-ID: <9C2E9E2A-B6CC-4B6F-BBA1-CCD9202C63E8@infowarrior.org> March 24th, 2010 http://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl New Research Suggests That Governments May Fake SSL Certificates Technical Analysis by Seth Schoen Today two computer security researchers, Christopher Soghoian and Sid Stamm, released a draft of a forthcoming research paper in which they present evidence that certificate authorities (CAs) may be cooperating with government agencies to help them spy undetected on "secure" encrypted communications. (EFF sometimes advises Soghoian on responsible disclosure issues, including for this paper.) More details and reporting are available at Wired today.
The draft paper includes marketing materials from Packet Forensics, an Arizona company, which suggests that government "users have the ability to import a copy of any legitimate keys they obtain (potentially by court order)" into Packet Forensics products in order to impersonate sites and trick users into "a false sense of security afforded by web, e-mail, or VoIP encryption". This would allow those governments to routinely bypass encryption without breaking it. Many modern encryption systems, including the SSL/TLS system used for encrypted HTTPS web browsing, rely on a public-key infrastructure (PKI) in which some number of CAs are trusted to vouch for the identity of sites and services. The CA's role is crucial for detecting and preventing man-in-the-middle attacks where outsiders invisibly impersonate one of the parties to the communication in order to spy on encrypted messages. CAs make a lot of money, and their only job is to make accurate statements about which cryptographic keys are authentic; if they do this job incorrectly (willingly, under compulsion, by accident, or negligently) the security of encrypted communications falls apart, as man-in-the-middle attacks go undetected. These attacks are not technically difficult; surveillance companies like Packet Forensics sell tools to automate the process, while security researchers like Moxie Marlinspike have publicly released tools that do the same. All that's needed to make the attack seamless is a false certificate. Can one be obtained? This risk has been the subject of much speculation, but Soghoian and Stamm's paper is the first time we've seen evidence suggesting that CAs can be induced to sign false certificates.
The question of CAs' trustworthiness has been raised repeatedly in the past; researchers recently showed that some CAs continued to use obsolete cryptographic technology, signed certificates without verifying their content, and signed certificates that browsers parsed incorrectly, putting users at risk of undetectable attacks. What's new today, however, is the indication that some CAs may also knowingly falsify certificates in order to cooperate with government surveillance efforts. Soghoian and Stamm also observe that browsers trust huge numbers of CAs, and all of those organizations are trusted completely, so that the validity of any entity they approve is accepted without question. Every organization on a browser's trusted list has the power to certify sites all around the world. Existing browsers do not consider whether a certificate was signed by a different CA than before; a laptop that has seen Gmail's site certified by a subsidiary of U.S.-based VeriSign thousands of times would raise no alarm if Gmail suddenly appeared to present a different key apparently certified by an authority in Poland, the United Arab Emirates, Turkey, or Brazil. Yet such a change would be an indication that the user's encrypted HTTP traffic was being intercepted. Who are these CAs, and why do we trust them? Most are for-profit companies, though Microsoft Internet Explorer is willing to trust two dozen governments as CAs, from a list of around 100 entities. Soghoian and Stamm identify the governments Internet Explorer currently trusts as Austria, Brazil, Finland, France, Hong Kong, India, Japan, Korea, Latvia, Macao, Mexico, Portugal, Serbia, Slovenia, Spain, Switzerland, Taiwan, The Netherlands, Tunisia, Turkey, the United States and Uruguay.
(Some countries have more than one government entity on the list; Internet Explorer also trusts subnational governments like that of the Autonomous Community of Valencia in Spain, and government-affiliated organizations like the PRC's China Internet Network Information Center.) Although there is no public evidence that this power has been abused or that government-run CAs are less trustworthy than private-sector CAs, each of these states has the power to facilitate attacks on encryption anywhere in the world, not just in its territory or Internet domain. Certificate authorities get on browsers' trusted lists by making a public statement about how they operate and submitting to some sort of external audit. If they do their job properly, they make it easy for users to securely interact with web sites and services automatically, without having to somehow look up and manually verify encryption keys. Yet these organizations' position at the center of the web encryption infrastructure is largely unaccountable, since users will never know if a CA signs off on something untrue. But any CA could choose to do so. Given what we now know about the vulnerability of the trust infrastructure to both technological and legal interference, we urgently need a meaningful way to double-check the CAs. Soghoian and Stamm propose some mechanisms and offer a plug-in to give users' browsers more information about who is certifying sites and where the CAs are located, which could be of particular interest to those concerned about international espionage. Concerned by this and other research on the vulnerabilities introduced by CAs, EFF has also been working on concepts to help Internet users make use of many more sources of information to supplement and double-check the CAs and help detect when they certify things that are not true. We will be publishing a whitepaper to outline some of our proposals in the near future.
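Two of the countermeasures this post describes can be shown concretely: the "did the CA change since last time?" check Soghoian and Stamm's plug-in performs, and the EFF idea of double-checking the certificate a user receives against what independent vantage points see for the same host. The following is an added example written for this archive page; it is not code from the researchers' add-on or from EFF. The certificate records, issuer names, "DER" byte strings and the CertificatePatrol/notary_consensus names are all constructed for illustration (a real client would hash the actual DER certificate it received), and the hypothetical CA in country "XX" stands in for any second-jurisdiction authority.

```python
"""Trust-on-first-use CA-change detection plus a notary double-check for
observed TLS server certificates. Added example; all data is constructed."""
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 4514-style string DN ("C=US, O=Example, CN=x") into a dict.
    Escaped commas inside values are not handled; the sample DNs have none."""
    parts: Dict[str, str] = {}
    for field in dn.split(","):
        key, _, value = field.strip().partition("=")
        if key:
            parts[key.upper()] = value.strip()
    return parts


def fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the (here: constructed) DER certificate bytes."""
    return hashlib.sha256(der).hexdigest()


@dataclass(frozen=True)
class CertObservation:
    host: str
    issuer_dn: str    # issuer distinguished name as the browser would display it
    fingerprint: str  # SHA-256 fingerprint of the leaf certificate

    @property
    def issuer_country(self) -> Optional[str]:
        return parse_dn(self.issuer_dn).get("C")


class CertificatePatrol:
    """Remembers the last certificate accepted for each host and classifies
    the next one. A new fingerprint from the same issuer is ordinary
    renewal; a different issuer is worth a warning; a different issuer
    country is the case the post singles out (VeriSign today, an authority
    in another jurisdiction tomorrow) and is escalated to an alert."""

    def __init__(self) -> None:
        self._last: Dict[str, CertObservation] = {}

    def check(self, obs: CertObservation) -> str:
        prev = self._last.get(obs.host)
        self._last[obs.host] = obs
        if prev is None:
            return "first-seen"
        if prev.fingerprint == obs.fingerprint:
            return "unchanged"
        if prev.issuer_dn == obs.issuer_dn:
            return "renewed-same-issuer"
        if prev.issuer_country != obs.issuer_country:
            return "ALERT:issuer-country-changed"
        return "WARN:issuer-changed"


def notary_consensus(local: CertObservation, notary_views: List[str],
                     quorum: int = 2) -> str:
    """EFF-style double check: compare the fingerprint seen on our path with
    the fingerprints independent notaries saw for the same host. When at
    least `quorum` notaries agree on a fingerprint that differs from ours,
    the interception is on our side of the network, not at the site."""
    if not notary_views:
        return "no-notary-data"
    (common, count), = Counter(notary_views).most_common(1)
    if count < quorum:
        return "no-consensus"
    return "consistent" if common == local.fingerprint else "ALERT:local-mismatch"


# Constructed sample data standing in for real DER certificates and issuers.
HOST = "mail.example.com"
VERISIGN_DN = "C=US, O=VeriSign Inc., CN=VeriSign Class 3 Secure Server CA"
OTHER_US_DN = "C=US, O=Another Example CA, CN=Example Secure Server CA"  # hypothetical
FOREIGN_DN = "C=XX, O=Example National CA, CN=Example Government CA"     # hypothetical
DER_2010 = b"constructed-der:mail.example.com:verisign-2010"
DER_2011 = b"constructed-der:mail.example.com:verisign-2011"
DER_OTHER = b"constructed-der:mail.example.com:other-us-ca"
DER_FORGED = b"constructed-der:mail.example.com:forged-foreign-ca"


def demo() -> Dict[str, str]:
    """Walk one host through renewal, a CA switch and a forged foreign cert,
    then confirm the forgery via notaries that still see the genuine cert."""
    patrol = CertificatePatrol()
    results: Dict[str, str] = {}
    first = CertObservation(HOST, VERISIGN_DN, fingerprint(DER_2010))
    results["first"] = patrol.check(first)
    results["same"] = patrol.check(first)
    renewed = CertObservation(HOST, VERISIGN_DN, fingerprint(DER_2011))
    results["renewed"] = patrol.check(renewed)
    switched = CertObservation(HOST, OTHER_US_DN, fingerprint(DER_OTHER))
    results["switched"] = patrol.check(switched)
    forged = CertObservation(HOST, FOREIGN_DN, fingerprint(DER_FORGED))
    results["forged"] = patrol.check(forged)
    notaries = [fingerprint(DER_OTHER)] * 3  # three vantage points, all unmolested
    results["notary_forged"] = notary_consensus(forged, notaries)
    results["notary_ok"] = notary_consensus(switched, notaries)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The patrol check is only as good as the first observation (a user whose very first connection is already intercepted learns nothing from it), which is why the notary comparison matters: it needs no prior history, only vantage points the interceptor does not control.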
From rforno at infowarrior.org Wed Mar 24 23:16:35 2010 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 24 Mar 2010 19:16:35 -0400 Subject: [Infowarrior] - Law Enforcement Appliance Subverts SSL Message-ID: <129BDF34-2913-45DA-8B25-427B8C6DAC5B@infowarrior.org> Law Enforcement Appliance Subverts SSL http://gizmodo.com/5501346/law-enforcement-appliance-subverts-ssl That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think it means. Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website's certificate to verify its authenticity. At a recent wiretapping convention however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds designed to intercept those communications, without breaking the encryption, by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities. The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there. The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania. "If a company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this," Blaze said.
The company in question is known as Packet Forensics, which advertised its new Man-In-The-Middle capabilities in a brochure handed out at the Intelligent Support Systems (ISS) conference, a Washington DC wiretapping convention that typically bans the press. Soghoian attended the convention, notoriously capturing a Sprint manager bragging about the huge volumes of surveillance requests it processes for the government. According to the flyer: "Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate 'look-alike' keys designed to give the subject a false sense of confidence in its authenticity." The product is recommended to government investigators, saying "IP communication dictates the need to examine encrypted traffic at will" and "Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption." Packet Forensics doesn't advertise the product on its website, and when contacted by Wired.com, asked how we found out about it. Company spokesman Ray Saulino initially denied the product performed as advertised, or that anyone used it. But in a follow-up call the next day, Saulino changed his stance. "The technology we are using in our products has been generally discussed in internet forums and there is nothing special or unique about it," Saulino said. "Our target community is the law enforcement community." Blaze described the vulnerability as an exploitation of the architecture of how SSL is used to encrypt web traffic, rather than an attack on the encryption itself. SSL, which is known to many as HTTPS://, enables browsers to talk to servers using high-grade encryption, so that no one between the browser and a company's server can eavesdrop on the data.
Normal HTTP traffic can be read by anyone in between - your ISP, a wiretap at your ISP, or in the case of an unencrypted WiFi connection, by anyone using a simple packet sniffing tool. In addition to encrypting the traffic, SSL authenticates that your browser is talking to the website you think it is. To that end, browser makers trust a large number of Certificate Authorities - companies that promise to check a website operator's credentials and ownership before issuing a certificate. A basic certificate costs less than $50 today, and it sits on a website's server, guaranteeing that the BankofAmerica.com website is actually owned by Bank of America. Browser makers have accredited more than one hundred Certificate Authorities from around the world, so any certificate issued by any one of those companies is accepted as valid. To use the Packet Forensics box, a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities - using money, blackmail or legal process - to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online. Technologists at the Electronic Frontier Foundation, who are working on a proposal to fix this whole problem, say hackers can use similar techniques to steal your money or your passwords. In that case, attackers are more likely to trick a Certificate Authority into issuing a certificate, a point driven home last year when two security researchers demonstrated how they could get certificates for any domain on the internet simply by using a special character in a domain name. "It is not hard to do these attacks," said Seth Schoen, an EFF staff technologist. "There is software that is being published for free among security enthusiasts and underground that automates this."
China, which is known for spying on dissidents and Tibetan activists, could use such an attack to go after users of supposedly secure services, including some Virtual Private Networks, which are commonly used to tunnel past China's firewall censorship. All they'd need to do is convince a Certificate Authority to issue a fake certificate. When Mozilla added a Chinese company, China Internet Network Information Center, as a trusted Certificate Authority in Firefox this year, it set off a firestorm of debate, sparked by concerns that the Chinese government could convince the company to issue fake certificates to aid government surveillance. In all, Mozilla's Firefox has its own list of 144 root authorities. Other browsers rely on a list supplied by the operating system manufacturers, which comes to 264 for Microsoft and 166 for Apple. Those root authorities can also certify secondary authorities, who can certify still more - all of which are equally trusted by the browser. The list of trusted root authorities includes the United Arab Emirates-based Etisalat, a company which was caught last summer secretly uploading spyware onto 100,000 customers' Blackberrys. Soghoian says fake certificates would be a perfect mechanism for countries hoping to steal intellectual property from visiting business travelers. The researcher published a paper (.pdf) on the risks Wednesday, and promises he will soon release a Firefox add-on to notify users when a site's certificate is issued from an authority in a different country than the last certificate the user's browser accepted from the site. EFF's Schoen, along with fellow staff technologist Peter Eckersley and security expert Chris Palmer, want to take the solution further, using information from around the net so that browsers can eventually tell a user with certainty when they are being attacked by someone using a fake certificate.
Currently browsers warn users when they encounter a certificate that doesn't belong to a site, but many people simply click through the multiple warnings. "The basic point is that in the status quo there is no double check and no accountability," Schoen said. "So if Certificate Authorities are doing things that they shouldn't, no one would know, no one would observe it. We think at the very least there needs to be a double check." EFF suggests a regime that relies on a second level of independent notaries to certify each certificate, or an automated mechanism to use anonymous Tor exit nodes to make sure the same certificate is being served from various locations on the internet - in case a user's local ISP has been compromised, either by a criminal, or a government agency using something like Packet Forensics' appliance. One of the most interesting questions raised by Packet Forensics' product is how often do governments use such technology and do Certificate Authorities comply. Christine Jones, the general counsel for GoDaddy - one of the net's largest issuers of SSL certificates - says her company has never gotten such a request from a government in her 8 years at the company. "I've read studies and heard speeches in academic circles that theorize that concept, but we never would issue a 'fake' SSL certificate," Jones said, arguing that would violate the SSL auditing standards and put them at risk of losing their certification. "Theoretically it would work, but the thing is we get requests from law enforcement every day, and in the entire time we have been doing this, we have never had a single instance where law enforcement asked us to do something inappropriate." VeriSign, the largest Certificate Authority, declined to comment.
Matt Blaze notes that domestic law enforcement can get many records, such as a person's Amazon purchases, with a simple subpoena, while getting a fake SSL certificate would certainly involve a much higher burden of proof and technical hassles for the same data. Intelligence agencies would find fake certificates more useful, he adds. If the NSA got a fake certificate for Gmail - which now uses SSL as the default for e-mail sessions in their entirety (not just their logins) - they could install one of Packet Forensics' boxes surreptitiously at an ISP in, for example, Afghanistan, in order to read all the customers' Gmail messages. Such an attack, though, could be detected with a little digging, and the NSA would never know if they'd been found out. Despite the vulnerabilities, experts are pushing more sites to join Gmail in wrapping their entire sessions in SSL. "I still lock my doors even though I know how to pick the lock," Blaze said. From rforno at infowarrior.org Thu Mar 25 12:57:35 2010 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 25 Mar 2010 08:57:35 -0400 Subject: [Infowarrior] - AT&T's latest cell scam Message-ID: <59BD8E5E-4ADF-4CBC-A92A-9E13219D7BC3@infowarrior.org> AT&T Tries to Trick Customers into Paying More to Use Less By: Nick Mokey, March 24, 2010 http://www.digitaltrends.com/mobile/att-tries-to-trick-customers-into-paying-more-to-use-less/ Cell phone data networks are swamped. Now carriers want you to pay more money, and use your own resources, to help them deal with it. AT&T has made little secret of the fact that iPhone users' voracious appetite for Internet bandwidth has loaded down its 3G network to its breaking point. But rather than upgrading its 3G network like T-Mobile, or going full throttle on 4G deployment like Sprint and Verizon, AT&T plans to fix the problem by... asking consumers to bear the load for them, and charging them money for the privilege.
The company's new 3G MicroCell acts like a miniature cell phone tower, routing calls through your home Internet connection (the one you probably pay at least $30 a month to access) rather than burdening AT&T's 3G network with your traffic, which you will continue to pay at least $30 a month for. How nice of you. In exchange for taking your weight off its creaking, overburdened network, AT&T will happily charge you $150 for the 3G MicroCell, and continue to deduct minutes from your plan when you use it, even though you're paying another company to handle your traffic, and paid out of pocket for the device to do it. If you want to reap any benefits, AT&T will stop deducting minutes from your plan whenever you're in range of the MicroCell, in exchange for slapping another $20 bill in its hand every month. The story of Tom Sawyer tricking another boy into whitewashing a fence for him and collecting an apple in payment comes to mind, but I can do one better. Imagine a bus company that charges you $100 a month for a bus pass, but the buses get so crowded you can barely use them. The bus company's solution: Offer to sell you a bicycle for $150, so you can help free up room on its buses by not using them all the time, even though you'll continue to pay $100 a month as if you did. It almost offends me that AT&T thinks we're dumb enough to fall for this, but I know many consumers will be. By promising better reception around the house with the 3G MicroCell, as the company is bound to do in advertising it, many cell customers will happily shell out $150 for one, unaware of the traffic they're moving to their home Internet connections, or the favor they're doing to AT&T. Just like Tom Sawyer's pal. In AT&T's defense, it's no guiltier than any other carrier in attempting to dupe us with the 3G MicroCell, which is part of a larger class of electronics known as femtocell devices.
Verizon's Wireless Network Extender, launched last year, costs a whopping $250, doesn't provide 3G, and won't even let you stop others (like neighbors with Verizon plans) from leeching off your service for better reception. Sprint's Airave pulls similar shenanigans. I don't mean to vilify femtocell technology. It's actually marvelous stuff that could help uncongest airwaves and speed up mobile Internet access, but AT&T and others have taken a completely backwards approach to implementing it. Ultimately, these devices should be free to anyone who agrees to actually use one, subsidized by carriers in exchange for the lightened load on their networks. And because you cost carriers less, not more, when you use them, unlimited calling with no minute allotment should be a given on any femtocell device as an incentive to use it as much as possible, not an extra you pay monthly for. As long as evil geniuses with big marketing budgets get their way, that won't happen. In the meantime, the best you can do is stay as far away from Tom Sawyer's whitewashing scheme as possible, and wait until he offers a real incentive to pick up the brush. Maybe I'll flick off the Wi-Fi on my iPhone in protest and soak up even more of AT&T's precious 3G while at home. Just kidding. No act of protest is worth voluntarily subjecting myself to that network more than necessary. If you would like to leverage your home Wi-Fi connection to make cheap calls without scratching AT&T's back while you're at it, make sure to check out our list of iPhone VoIP apps that can help you pay for fewer minutes and get more. From rforno at infowarrior.org Thu Mar 25 20:25:14 2010 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 25 Mar 2010 16:25:14 -0400 Subject: [Infowarrior] - Pwn2Own winner tells Apple, Microsoft to find their own bugs Message-ID: <1BFE0F41-CB6E-4908-8B04-28BFCBCA7F31@infowarrior.org> Pwn2Own winner tells Apple, Microsoft to find their own bugs.
Charlie Miller won't hand over 20 flaws he found by fuzzing Mac OS, Office, Adobe Reader By Gregg Keizer March 25, 2010 What really disappointed Miller was how easy it was to find these bugs. "Maybe some will say I'm bragging about finding the bugs, that I can kick ass, but I wasn't that smart. I did the trivial work and I still found bugs." He went into the project figuring that he wouldn't find any vulnerabilities with the dumb fuzzer. "But I found bugs, lots of bugs. That was both surprising and disappointing." And it also made him ask why vendors like Microsoft, Apple and Adobe, which have teams of security engineers and scores of machines running fuzzers looking for flaws, hadn't found these bugs long ago. One researcher with three computers shouldn't be able to beat the efforts of entire teams, Miller argued. "It doesn't mean that they don't do [fuzzing], but that they don't do it very well." http://www.computerworld.com/s/article/9174120/Pwn2Own_winner_tells_Apple_Microsoft_to_find_their_own_bugs? From rforno at infowarrior.org Thu Mar 25 20:44:00 2010 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 25 Mar 2010 16:44:00 -0400 Subject: [Infowarrior] - Fwd: FUD March at FOSE References: <20100325203807.GD11037@lenovox> Message-ID: <2430C783-1485-4EAB-83E4-FC23478A9CA9@infowarrior.org> I would add to the final paragraph that a lot of folks leave USG cybersecurity service when they realize the futility of the system they're working in. On one hand, they are dealing with an unconventional task in an unconventional, dynamic environment. On the other hand ---- they work for the USG, which is a centralized, top-down, stovepiped, conventional organisation that cannot embrace change or adapt easily. Hence, they're in a catch-22. -rick Begin forwarded message: > From: > Date: March 25, 2010 4:38:13 PM EDT > > > In response to: http://www.theregister.co.uk/2010/03/24/us_under_cyber_threat/ > > The very existence of the US is under threat from cyberspace.
You > mean > I can delete the US with a script. Please, someone get this ass > clown a > bit of perspective. > > "Chabinsky was certainly emphatic in his warnings. "I am convinced > that > given enough time, motivation and funding," he said, "a determined > adversary will always - always - be able to penetrate a targeted > system." > > How deep he must be. Real security folks have been stating this for > years. Time is the ultimate killer of any security solution. > Congratulations on passing InfoSec 101. > > "Although cyber-terrorism is his top priority, Chabinsky is also > worried > about cyber-snooping. His concerns include foreign agents and > criminals > who "seek every day to steal our state secrets and private sector > intellectual property, sometimes for the purpose of undermining the > stability of our government by weakening our economic or military > supremacy"." > > I am not worried about foreign agents, the elected criminals in the > Sore > on the Potomac do enough to weaken the economy. As for military > supremacy, I would like Chabinsky to move out of 1940 and let me know > what military conflict the US won. Korea, draw, Vietnam, lost, Iraq, > still there, Afghanistan, still there. I think the Washington > Generals > have the same record against the Harlem Globetrotters. > > "If you're an IT type who has been made redundant during the economic > meltdown, the FBI's Chabinsky wants to talk with you. He told the FOSE > crowd that the FBI is looking for agents who can "talk the talk" to > join > the cyber-wars against cyber-baddies." > > Ever think maybe most of the fired were let go because they were not > good at what they did. Similar to most of the tech "experts" of the > tech bubble, gone once it was determined the only floppy of which > they > were aware was their pcker.
From rforno at infowarrior.org Fri Mar 26 01:22:34 2010 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 25 Mar 2010 21:22:34 -0400 Subject: [Infowarrior] - Lessig: ACTA raises constitutional concerns Message-ID: <4C26EB78-DCD4-495D-BB03-F1136B574E4F@infowarrior.org> Anti-counterfeiting agreement raises constitutional concerns By Jack Goldsmith and Lawrence Lessig Friday, March 26, 2010; A23 http://www.washingtonpost.com/wp-dyn/content/article/2010/03/25/AR2010032502403_pf.html The much-criticized cloak of secrecy that has surrounded the Obama administration's negotiation of the multilateral Anti-Counterfeiting Trade Agreement was broken Wednesday. The leaked draft of ACTA belies the U.S. trade representative's assertions that the agreement would not alter U.S. intellectual property law. And it raises the stakes on the constitutionally dubious method by which the administration proposes to make the agreement binding on the United States. The goal of the trade pact is to tighten enforcement of global intellectual property rules. The leaked draft, though incomplete in many respects, makes clear that negotiators are considering ideas and principles not reflected in U.S. law. ACTA could, for example, pressure Internet service providers -- such as Comcast and Verizon -- to kick users offline when they (or their children) have been accused of repeated copyright infringement because of content uploaded to sites such as YouTube. It also might oblige the United States to impose criminal liability on those who "incite" copyright violation. The draft more generally addresses "IP infringement" and thus could extend some of its rules to trademark and possibly patent law in ways that, after inevitable international compromises, will depart from U.S. law. It also contemplates creating an international "oversight council" to supervise (and possibly amend) aspects of the agreement. These proposals might or might not make sense. 
But they ought at least be subject to public deliberation. Normal constitutional procedures would require the administration to submit the final text of the agreement for Senate approval as a treaty or to Congress as a "congressional-executive" agreement. But the Obama administration has suggested it will adopt the pact as a "sole executive agreement" that requires only the president's approval. Such an assertion of unilateral executive power is usually reserved for insignificant matters. It has sometimes been employed in more important contexts, such as when Jimmy Carter ended the Iran hostage crisis and when Franklin Roosevelt recognized and settled expropriation claims with the Soviet Union. The Supreme Court, however, has never clarified the limits on such agreements. Historical practice and constitutional structure suggest that they must be based on one of the president's express constitutional powers (such as the power to recognize foreign governments) or at least have a long historical pedigree (such as the president's claims settlement power, which dates back over a century). Joining ACTA by sole executive agreement would far exceed these precedents. The president has no independent constitutional authority over intellectual property or communications policy, and there is no long historical practice of making sole executive agreements in this area. To the contrary, the Constitution gives primary authority over these matters to Congress, which is charged with making laws that regulate foreign commerce and intellectual property. The administration has suggested that a sole executive agreement in this instance would not trample Congress's prerogatives because the pact would not affect U.S. domestic law. Binding the United States to international obligations of this sort without congressional approval would raise serious constitutional questions even if domestic law were not affected. 
In any event, an anti-counterfeiting agreement made on the president's own authority could affect domestic law in at least three ways: First, the noncriminal portions of this agreement that contemplate judicial enforcement can override inconsistent state law and possibly federal law. Second, the agreement could invalidate state law that conflicts with its general policies under a doctrine known as obstacle preemption, even if the terms are not otherwise judicially enforceable. Third, a judicial canon requires courts to interpret ambiguous federal laws to avoid violations of international obligations. This means courts will construe the many ambiguities in federal laws on intellectual property, telecom policy and related areas to conform to the agreement. If the president proceeds unilaterally here, ACTA will be challenged in court. But the best route to constitutional fidelity is for Congress or the Senate to protect its constitutional prerogatives. When the George W. Bush administration suggested it might reach a deal with Russia on nuclear arms reduction by sole executive agreement, then-Sen. Joe Biden wrote to Secretary of State Colin Powell insisting that the Constitution required Senate consent and implicitly threatening inter-branch retaliation if it was not given. The Bush administration complied. Congress should follow Biden's lead. If the president succeeds in expanding his power of sole executive agreement here, he will have established a precedent to bypass Congress on other international matters related to trade, intellectual property and communications policy. These mostly secret negotiations have already violated the Obama administration's pledge for greater transparency. Embracing this deal by sole executive agreement would repudiate its pledge to moderate assertions of executive power. Congress should resist this attempt to evade the checks established by our Framers. Jack Goldsmith and Lawrence Lessig are professors at Harvard Law School. 
Goldsmith is co-author of "Who Controls the Internet?" Lessig is the author of "Remix: Making Art and Commerce Thrive in the Hybrid Economy." From rforno at infowarrior.org Fri Mar 26 14:32:29 2010 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 26 Mar 2010 10:32:29 -0400 Subject: [Infowarrior] - OT: TSA Monkey Screening Procedures References: <4BACC4DC.2070808@inetassoc.com> Message-ID: Here's something totally off-topic to amuse you on this Friday morning. -rick Begin forwarded message: > From: Duane > > http://www.tsa.gov/travelers/airtravel/specialneeds/editorial_1056.shtm#2 > > Monkey Helpers > > When a service monkey is being transported in a carrier, the monkey > must be removed from the carrier by the handler prior to screening, > > The service monkey must be controlled by the handler throughout the > screening process. > > The service monkey handler should carry the monkey through the walk > through metal detector while the monkey remains on a leash. > > When the handler and service monkey go through the walk through > metal detector and the detector alarms, both the handler and the > monkey must undergo additional screening. > > Since service monkeys may likely draw attention, the handler will be > escorted to the physical inspection area where a table is available > for the monkey to sit on. Only the handler will touch or interact > with the service monkey. > > Security Officers have been trained to not touch the service monkey > during the screening process. > > Security Officers will conduct a visual inspection on the service > monkey and will coach the handler on how to hold the monkey during > the visual inspection. > > The inspection process may require the handler to take off the > monkey's diaper as part of the visual inspection.
From rforno at infowarrior.org Sat Mar 27 14:56:42 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 27 Mar 2010 10:56:42 -0400 Subject: [Infowarrior] - Broadcast-v-Cable News Message-ID: The Case For Nightly Broadcast News -- And What's Wrong With Cable News http://www.mediaite.com/online/the-case-for-nightly-broadcast-news-and-whats-wrong-with-cable-news/ From rforno at infowarrior.org Sat Mar 27 15:36:27 2010 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 27 Mar 2010 11:36:27 -0400 Subject: [Infowarrior] - Check the Hype -- There's No Such Thing As 'Cyber' Message-ID: <42F94252-68B4-44E5-A8A6-66F9BA74D633@infowarrior.org> For years I cringed at the term 'cyber' for precisely the reasons cited in this article. However, I have warmed to its use (and use it myself nowadays), but do not dispute there remains a huge degree of hype when the term is bandied around inside the DC Beltway. -rick Check the Hype -- There's No Such Thing As 'Cyber' By Ryan Singel, March 26, 2010 | 4:16 pm | Categories: Cybarmageddon!, Cyber Warfare, The Ridiculous http://www.wired.com/threatlevel/2010/03/cyber-hype/ How can you tell the difference between a real report about online vulnerabilities and someone who is trying to scare you about the security of the internet because they have an agenda, such as landing lucrative, secret contracts from the government? Here's a simple test: Count the number of times they use the adjective "cyber." Nobody uses the word "cyber" anymore, except people trying to scare you and trying to make the internet seem scary or foreign. (Think, for instance, of the term "cyberbullying," which is somehow much more crazy and new and in need of legislation than "online bullying.") When was the last time you said, "I saw this really cool video in cyberspace"
or "My cyber connection is really slow today"? Of course, no one speaks like that anymore. The internet is no longer distant or foreign (though it thankfully remains beautifully weird). It's familiar and daily. It's the internet. It's so ordinary, Wired.com stopped capitalizing it more than five years ago. Need an adjective to describe something that is internet-based? Try "online." But when it comes to scaring senators, presidents and the nation's citizens into believing the Chinese, the Russians or Al Qaeda are stealing all our secrets or bringing down the power grid, the internet somehow morphs back into "cyberspace." Here's a good example of the "cyber" test from a pretty interesting story from The Washington Post about the National Security Agency disabling (rather ineptly, it seems) an online forum used by radical Islamic fundamentalists to plan terrorist attacks. The Post uses the adjective 12 times in describing how the NSA and CIA bickered over whether NSA "cyber-warriors" should use hacking techniques to take down a message board that suspected Al Qaeda were using to make plans. In a brilliant stroke of "cyberwar," the NSA "cyber-operators" took down the CIA-sponsored honeypot message board where extremists were being monitored, somehow inflicting collateral damage on some 300 innocent servers in the process. Forbes got into the "cyber" action this week as well. Amit Yoran, a respected security expert who runs a company that sells computer security services to the government, wrote a long post on a Forbes blog this week to defend the concept of "cyberwar," in no small part because this blog ranted about how that term is used to hype militarization of the internet and feed a new and very dangerous arms race.
Yoran says the debate doesn't matter (even as he falls firmly in the cyberwar camp), but what's important is that everyone recognize that the dangers of underestimating online risks are worse than "the impact of misrepresenting or miscalculating risk [...] in the sub-prime market," which led to "cascading global financial meltdown." Gulp. That sounds scary. Bad firewalls will lead to something worse than a global financial meltdown? (That sounds suspiciously like what Michael McConnell told President Bush to scare him into creating a secret government "cybersecurity" plan.) Those looking for a reality check might check how many times Yoran uses "cyber" in the body of his piece? The answer: 42. (Yes, we think that's funny, too.) Yoran defines "cyberwar" as being launched via "cyber attacks" or "cyber exploitation." He defines the latter as "the compromise of these targets without their destruction or disruption, but rather through covert means, for the purposes of accessing information or modifying it or preparing such access for future use in exploitation or attack." That's the very definition of what the NSA does -- wiretapping abroad (and sometimes domestically), finding ways to spy on electronic machines simply by capturing their unintentional electromagnetic radiation, and scooping up radio and satellite communications of allies and adversaries alike. Yoran and Forbes also fail to mention that his company, NetWitness, markets computer security equipment to the government and has a vested interest in the outcome of this debate. Yoran disputes that his company stands to gain if the "cyberwar" terminology wins. "We're not a government 'cyberwar' operation by any stretch and have nothing to gain by the terminology I suggested in my blog," Yoran wrote, saying that his company sells the exact same technology to corporations and governments. "I don't care what it's called. And think, if anything, the war implication is a bad one for many reasons."
But for those who relish the idea of a new front for war, it's way cooler and scarier to say we are in the midst of -- and losing -- a cyberwar, than to factually state that the Chinese want to steal our secrets and we want to steal theirs and we should have better computer security. That kind of rhetoric doesn't launch sensationalist -- and often demonstrably false -- scare stories in opinion-making outlets like 60 Minutes, The New York Times, The Wall Street Journal, The Washington Post and the National Journal. No, when that kind of fear-mongering is needed to loosen the purse strings for computer security, only one word will do. Cyber. And it's even better when repeated ad nauseam in front of Congress and at the country's top security conferences by former and current government officials, even if those people couldn't even enable MAC address filtering on their own wireless routers. Or as the Beastie Boys might have put it a couple of decades later, "Our Backs Are Up Against the Wall/Listen All Y'all, It's Cyberwar." Update: 3:40 PM Pacific -- The story was updated to include comment from Amit Yoran and to correctly note that his company sells technology products, not services. From rforno at infowarrior.org Mon Mar 29 14:13:39 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 29 Mar 2010 10:13:39 -0400 Subject: [Infowarrior] - China's Great Firewall spreads overseas Message-ID: <7541313A-C0D1-4CDF-8323-558E7AFAB00C@infowarrior.org> China's Great Firewall spreads overseas Robert McMillan http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_spreads_overseas March 25, 2010 (IDG News Service) A networking error has caused computers in Chile and the U.S. to come under the control of the Great Firewall of China, redirecting Facebook, Twitter, and YouTube users to Chinese servers.
Security experts are not sure exactly how this happened, but it appears that at least one ISP recently began fetching high-level DNS (domain name server) information from what's known as a root DNS server, based in China. That server, operated out of China by Swedish service provider Netnod, returned DNS information intended for Chinese users, effectively spreading China's network censorship overseas. China tightly controls access to a number of Web sites, using technology known colloquially as the Great Firewall of China. The issue was reported Wednesday by Mauricio Ereche, a DNS admin with NIC Chile, who found that an unnamed local ISP reported that DNS queries for sites such as Facebook.com, Twitter.com and YouTube.com -- all of which have been blocked in China -- were being redirected to bogus addresses. It is unclear how widespread the problem is. Ereche reported getting the bogus information from three network access points in Chile, and one in California, but on Thursday he said that the problem was no longer popping up. "The traces show us that we're not hitting the server in China," he wrote in a discussion group post. This issue occurred because, for some reason, at least one outside ISP directed DNS requests to a root server based in China, networking experts say. This is something that service providers outside of China should not do because it allows China's censored network to "leak" outside of the country. Researchers have long known that China has changed DNS routing information to redirect users of censored services to government-run servers instead of sites such as Facebook and Twitter. But this is the first public disclosure that those routes have leaked outside of China, according to Rodney Joffe, a senior technologist with DNS services company Neustar. "All of a sudden, the consequences are that people outside China may be subverted or redirected to servers inside China," he said. 
By using a China-based root server, ISPs are essentially giving China a way to control all of their users' traffic over the network. That could mean big security problems for people whose network accepted the leaked routes, Joffe said. The ISP that used the bad routes probably misconfigured its BGP (Border Gateway Protocol) system, used to route information on the Internet, according to Danny McPherson, chief security officer with Arbor Networks. "I don't think it was done intentionally," he said. "This is an example of how easy it is for this information to be contaminated or corrupted or leaked out beyond the boundaries of what it was supposed to be." In February 2008, BGP information from Pakistan -- which had just blocked YouTube -- was shared internationally, effectively knocking Google's video site offline for millions of users. In an e-mail message, Netnod CEO Kurt Erik Lindqvist said his company is not hosting the bad routes on its server. They were most likely changed by machines somewhere on the Chinese network, McPherson said. The incident shows that BGP remains a major weak link in the Internet, Joffe said. "It's really disconcerting from a security point of view and from a privacy point of view." This is the first time that this type of behavior has been made public, but it has apparently been going on for some time. In a discussion group post on Wednesday, Nominet Researcher Roy Arends said that he has been studying this issue for a year. Arends has compiled a list of 20 domain names that will trigger the kind of bad results reported by Ereche. Arends is keeping the names of those domains secret, but he did publish some of his data in his discussion post. "I wanted to keep this internal, however, the cat is out of the bag now," Arends wrote. From rforno at infowarrior.org Mon Mar 29 14:35:08 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 29 Mar 2010 10:35:08 -0400 Subject: [Infowarrior] - US Biometrics Agency?
Message-ID: <10B42F87-665E-4A51-9D58-53E2BEDA1889@infowarrior.org> http://www.fas.org/irp/doddir/army/bima.pdf As of last week, there is now a U.S. Government national security agency called the Biometrics Identity Management Agency (BIMA). It supersedes a Biometrics Task Force that was established in 2000. Though nominally a component of the Army, the biometrics agency has Defense Department-wide responsibilities. "The Biometrics Identity Management Agency leads Department of Defense activities to prioritize, integrate, and synchronize biometrics technologies and capabilities and to manage the Department of Defense's authoritative biometrics database to support the National Security Strategy," according to a March 23 Order (pdf) issued by Army Secretary John M. McHugh that redesignated the previous Biometrics Task Force as the BIMA. http://www.fas.org/blog/secrecy/2010/03/biometrics_agency.html From rforno at infowarrior.org Mon Mar 29 14:37:17 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 29 Mar 2010 10:37:17 -0400 Subject: [Infowarrior] - Open Source and Open Standards under Threat in Europe Message-ID: <5C5FC816-A4BE-423B-91A0-CA10A6FF7CBC@infowarrior.org> Open Source and Open Standards under Threat in Europe March 29, 2010 Posted by: Glyn Moody Open source is under attack in Europe. Not openly or obviously, but in the background, behind closed doors. The battleground is the imminent Digital Agenda for Europe, due to be unveiled by the European Commission in a month's time, and which defines the overall framework for Europe's digital policy. According to people with good contacts to the politicians and bureaucrats drawing up the Agenda, Microsoft is lobbying hard to ensure that open standards and open source are excluded from that policy - and is on the brink of succeeding in that aim. We need to get as many people as possible writing to the key Commissioners *now* if we are to stop them. Details of who to write to are given below.
To help you frame things, here's some background on what's at stake. The battle over open source and open stan < - > http://www.computerworlduk.com/community/blogs/index.cfm?entryid=2878&blogid=14 From rforno at infowarrior.org Mon Mar 29 14:43:38 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 29 Mar 2010 10:43:38 -0400 Subject: [Infowarrior] - iPad's horrible roll-out plan Message-ID: Call me crazy but I think there's controlling a roll-out to generate buzz, and controlling a roll-out to generate customer anger. While I'm not getting an iPad, I would be incensed if I was forced to drive all over town because the stores only had such a limited number of products for sale *on purpose.* Way to go, Apple: hype the hell out of a product, and end up annoying customers by making them jump through all sorts of hoops to get them. Imagine if this wasn't an iPad, but Cabbage Patch Dolls (1980s) or Tickle-Me-Elmo (1990s) ... you'd see riots breaking out all over retail America -rick Source: http://www.electronista.com/articles/10/03/28/apple.plans.limited.third.party.ipad.sales/ An escaped playbook from Best Buy has confirmed that the retailer will aggressively promote its Best Buy iPad launch but carry only a low supply. Each shop will have four demo iPads, and Best Buy plans to make the iPad the front cover item for its April 11th flyer nationwide, even for stores where the iPad won't be sold; TUAW hears customers will be steered to any nearby Best Buy that might be carrying stock. Supply, however, will be tightly rationed. Each participating store should have no more than 15 iPads in stock, split equally between the different capacities. Another 15 should arrive on April 11th, but Apple may tell Best Buy before launch day that it doesn't have replacements. Stores may be asked to hold back a portion of their initial supply to prevent disappointments when customers come in after the flyer appears. 
No online sales will be available, at least initially, but each physical store will also be carrying most of the iPad-specific accessories as they become available. More@ http://www.tuaw.com/2010/03/27/exclusive-best-buy-playbook-for-ipad-leaked-quantities-to-be-e/ From rforno at infowarrior.org Mon Mar 29 18:37:47 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 29 Mar 2010 14:37:47 -0400 Subject: [Infowarrior] - Hey students: snitch on pirates, earn $26K a year Message-ID: <3ECF11B5-04FE-4C48-9BA1-9179945E3643@infowarrior.org> Hey students: snitch on pirates, earn $26K a year By Jacqui Cheng | Last updated about an hour ago http://arstechnica.com/tech-policy/news/2010/03/hey-students-snitch-on-pirate-classmates-earn-26k-a-year.ars Movie studios spying on P2P networks is a phenomenon most users suspect occurs, but have never really seen proof of. Until now, that is -- Warner Bros. in the UK has published a job listing for an intern to dig through known piracy mediums in order to "gather information" and report back to the studio. For £17,500 (or US$26,000) per year, this internship sounds like the perfect opportunity for a student to learn about the ins and outs of copyright -- and possibly get ostracized by content-lovin' peers. According to the job listing (PDF) taken from the University of Manchester (first posted by TorrentFreak), the year-long internship would involve combing IRC networks, forums, and other P2P mediums for Warner Bros. and NBCU content. The goal would be to find new networks and private filesharing sites for informational purposes, but that's not all. Warner also wants the intern to be able to develop bots to scan the Internet for links, send infringement notices, perform "trap purchases of pirated product," and collect "intelligence" on pirate activities.
The listing doesn't seem to imply that the company expects interns to turn in specific individuals, but who really knows what Warner expects when it says to "gather information on pirate sites, pirate groups and other pirate activities." It also makes us wonder how Warner plans to protect itself from spies from the outside -- that is, members of the "pirate" community who want to learn more about the company's anti-piracy practices. After all, TorrentFreak is already encouraging its readers to apply for the internship so they can provide updates on Warner's efforts. We reached out to Warner for answers to these questions, but did not hear back by publication time. Warner Bros. has been in the news more and more lately for its assertive moves in the movie rental space. After talking both Netflix and Redbox into delaying the DVD release of Warner's titles for 28 days after they hit the streets, the studio promptly turned around and gave same-day release rights to Blockbuster. It's clear that the company is still trying to keep the dying DVD sales market alive, and its online anti-piracy efforts are intended to bolster this strategy. From rforno at infowarrior.org Mon Mar 29 20:22:59 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 29 Mar 2010 16:22:59 -0400 Subject: [Infowarrior] - The State of the Internet Operating System Message-ID: The State of the Internet Operating System by Tim O'Reilly I've been talking for years about "the internet operating system", but I realized I've never written an extended post to define what I think it is, where it is going, and the choices we face. This is that missing post. Here you will see the underlying beliefs about the future that are guiding my publishing program as well as the rationale behind conferences I organize like the Web 2.0 Summit and Web 2.0 Expo, the Where 2.0 Conference, and even the Gov 2.0 Summit and Gov 2.0 Expo.
< - BIIIIG SNIP - > http://radar.oreilly.com/2010/03/state-of-internet-operating-system.html From rforno at infowarrior.org Mon Mar 29 20:52:39 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 29 Mar 2010 16:52:39 -0400 Subject: [Infowarrior] - How Not To Market Security Products & Services Message-ID: <98570AD7-2759-4C4B-9594-984F75F446D6@infowarrior.org> How Not To Market Security Products & Services Richard Forno First published on 2010-03-28. (c) 2010 by author. Permission granted to reproduce with appropriate credit. Rant time! < - > http://infowarrior.org/articles/security-spam.html From rforno at infowarrior.org Tue Mar 30 00:00:06 2010 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 29 Mar 2010 20:00:06 -0400 Subject: [Infowarrior] - Judge: Gene Patents Are Invalid Message-ID: <81185C2A-514A-4F5A-B947-87DBFA26D54D@infowarrior.org> This could be big..... -rick Myriad Loses Ruling Over Breast Cancer-Gene Patents (Update1) March 29, 2010, 6:38 PM EDT By Susan Decker and Thom Weidlich http://www.businessweek.com/news/2010-03-29/myriad-loses-ruling-over-breast-cancer-gene-patents-update1-.html March 29 (Bloomberg) -- Myriad Genetics Inc. lost a U.S. court ruling over its patents for a way to detect inherited breast cancer in a decision that may lead to other challenges to gene-related patents. U.S. District Judge Robert Sweet in New York ruled the patents invalid today, saying they "are directed to a law of nature and were therefore improperly granted." The judge sided with the American Civil Liberties Union, which sued on behalf of groups including the Association for Molecular Pathology and American College of Medical Genetics. Myriad makes a widely used test for detecting breast cancer. Medical groups say Myriad's tight control over use of the genes has discouraged scientists from exploring other options for breast-cancer screening.
The trade group for biotechnology companies argued that the challenge to the Myriad patents may hinder investment in research.

Patents aren't allowed for rules of nature, natural phenomena or abstract ideas, although the U.S. Patent and Trademark Office has said genes can be patented if they are "isolated from their natural state and purified."

Myriad, based in Salt Lake City, said its patents cover how to sequence the gene to identify its components, and using that sequence to look for mutations to determine if the woman has a higher risk of developing breast cancer. The genes are known as BRCA1 and BRCA2.

'Scientific Achievement'

Sweet said that Myriad simply identified something that occurred in the body, and that the comparisons of DNA sequences are "abstract mental processes" and neither are eligible for patent protection.

"The identification of the BRCA1 and BRCA2 gene sequences is unquestionably a valuable scientific achievement for which Myriad deserves recognition, but that is not the same as concluding that it is something for which they are entitled to a patent," Sweet ruled.

The case hinged on the baseline question of whether certain gene-related inventions were eligible for patent protection and didn't look further into the specifics of whether Myriad's work met other criteria for a patent, such as that it was novel or non-obvious.

"The principle that an isolated gene is the same as a gene is a broad principle and may have an impact on other gene patents," said Christopher Hansen, a lawyer for the ACLU, who said he was "delighted" with the decision. Hansen said about 20 percent of human genes are patented.

Shares Fall

Officials with Myriad didn't immediately return queries seeking comment. Myriad dropped as much as 12 percent after the close of regular trading. The shares were down 23 cents to $24.90 on the Nasdaq Stock Market before Sweet released his opinion.

The patents "consist essentially of looking at genes,"
the groups challenging Myriad said in a filing. The groups contend the patents inhibit testing and limit women's options in medical care.

The case has been closely watched by the biotechnology industry and various medical groups. In granting the patents, the PTO went beyond what was allowed in a 1980 Supreme Court decision credited with opening up the biotechnology industry, ACLU said in court filings. It has the support of the American Medical Association and the American Society for Human Genetics.

Biotechnology Industry Organization, the trade group of biotech companies that supported Myriad in the case, is reviewing the decision, Stephanie Fischer, a spokeswoman for the group, said.

The judge did throw out claims that the patent office acted outside its authority in granting the patents. The judge said that, were an appeals court or the Supreme Court to affirm his decision, the patent office would "conform its examination policies" to the court rulings.

The case is Association for Molecular Pathology v. U.S. Patent and Trademark Office, 09cv4515, U.S. District Court for the District of New York.

--With assistance from Bill McQuillen in Washington. Editors: Glenn Holdcraft, Mary Romano.

To contact the reporters on this story: Susan Decker in Washington at sdecker1 at bloomberg.net; Thom Weidlich in Manhattan federal court at tweidlich at bloomberg.net. To contact the editors responsible for this story: David E. Rovella at drovella at bloomberg.net.

From rforno at infowarrior.org Tue Mar 30 00:01:30 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Mar 2010 20:01:30 -0400
Subject: [Infowarrior] - MS to release emergency IE fix on Tuesday
Message-ID: <4FD668B0-172B-49F2-A3A6-3AC12158D123@infowarrior.org>

MS to release emergency IE fix on Tuesday
Drive-by download risk prompts out-of-sequence patch
By John Leyden
Posted in Enterprise Security, 29th March 2010 19:05 GMT
http://www.theregister.co.uk/2010/03/29/ie_emergency_fix/

Microsoft has announced plans to release an out-of-sequence patch, designed to resolve a zero-day vulnerability in Internet Explorer.

A cumulative update to Internet Explorer (MS10-018) plugs a security hole in IE 6 and IE 7 exploited by hackers over recent weeks. The latest version of Microsoft's browser - IE 8 - is not vulnerable to the flaw, which Microsoft first acknowledged was a problem on 9 March.

The vulnerability involves a flaw in the iepeers.dll library involving the handling of invalid values passed to the "setAttribute()" function. Exploits create a means to drop malware onto the PCs of victims, providing they visit a booby-trapped website using a vulnerable version of IE, as explained in our earlier story here.

In a statement, Microsoft said it had taken the unusual but far from unprecedented step of releasing a patch outside its regular Patch Tuesday update cycle after monitoring the situation and reaching the conclusion that "an out-of-band release is needed to protect customers". The update also includes fixes for nine other vulnerabilities in IE that Redmond had initially planned to release on 13 April.

From rforno at infowarrior.org Tue Mar 30 02:49:01 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Mar 2010 22:49:01 -0400
Subject: [Infowarrior] - Cyberwar Rhetoric Is Scarier Than Threat of Foreign Attack
Message-ID: <0C40CC9E-9AAF-4945-99BB-31555A5C0422@infowarrior.org>

Cyberwar Rhetoric Is Scarier Than Threat of Foreign Attack
Military industry uses fear to grab money; Americans and the Chinese are not stupid
By Marcus Ranum
Posted March 29, 2010
http://www.usnews.com/opinion/articles/2010/03/29/cyberwar-rhetoric-is-scarier-than-threat-of-foreign-attack.html

Marcus Ranum is an expert on security system design and chief security officer for Tenable Network Security.
I've worked on information security for more than 20 years, and during that time, there hasn't been a year that has gone by without news like "hacker breaks into Department of Defense computer networks" or "industrial spies access high-tech plans." Suddenly, the steady drumbeat of computer/network security has been pushed to center stage, and now our government is talking about "cyberwar" and pointing a finger at China. Unless you've been asleep for a decade, you ought to be worried when our government starts using the rhetoric of warfare -- especially vocabulary like "pre-emptive" and "deterrence."

Why the sudden change? Anyone involved in sales knows the "FUD sell" -- based on fear, uncertainty, and doubt. Some of the talking heads who are declaring us to be in danger want to sell billions of dollars of solutions to the problem. They are often the same people who had "ownership" of the problem before they stepped through the revolving door into private-sector executive positions. Now they'll get it right? I'm skeptical.

Let's consider what they're saying. The notion of cyber war is that it would serve as a "force multiplier" for conventional operations. Preparatory to attacking a target, communications networks and command/control systems would be disrupted, power systems might be temporarily crashed, navigation systems confused, etc. Proponents of cyberwar claim that it might save lives; I've even heard them claim it's more effective to recoverably crash a nation's power grid than to bomb it with precision airstrikes.

The misdirection works, however. We're now down into the technical weeds and lose track of the main question: "What war?" When some pundit says that we're losing a cyberwar to China, is he saying that China is preparing to crash our electronic infrastructure so that it can invade? The mind boggles. The last time I asked a cyberwar proponent that question, he quickly explained that, no, we were talking about potential economic warfare.
But isn't there already an ongoing economic war we call "the global economy"? Assuming China would try to deliberately crash our economy presupposes that the Chinese are so stupid that they'd want to devalue the huge chunk of the U.S. economy that they already own, and crater their own economy while they were at it. I keep waiting for a spokesperson of the Chinese government to officially say, "Please stop assuming we're idiots." If China wanted to drop the hammer, it would start trading in euros instead of dollars. But who has the time and energy to invade, disrupt, or destroy? We're business partners, we're competitors, and there's money to be made! Isn't it absurd that the FBI announces that our "smart power grid" systems are massively penetrated by cyberwarriors from "hostile powers" even as U.S. energy companies are bidding on multibillion-dollar contracts with the Chinese to sell them their own smart power grid?

All websites are constantly probed for weaknesses by robotic worms, spammers, hackers, and maybe even a government agent or two. Complaining will not work. Making threats will not work. If cyberwar changes one thing about the military landscape, it's that we can finally put away the hoary old saying, "The best defense is a strong offense." The only defense in cyber war is having a good defense.

Intelligence -- cyberespionage, if you will -- is not cyberwar. It's just business as usual. But the cyberwar pundits lump everything in the same bucket, pointing the finger at another nation-state and saying we're under attack. What's scary is that the accusations are coming from places they shouldn't be. I think we're seeing a bureaucratic attempt at budget and turf enlargement by the FBI. But someone needs to ask why the nation's cops are suddenly involved in international diplomacy. That's the State Department's job. And accusations should be accompanied and supported by publicly accessible facts, not just leaked classified reports.
The reports apparently contain bizarre inaccuracies. According to journalist Gerald Posner, the FBI's classified report indicates that China has developed an army of 180,000 cyberspies. Were the Chinese planning human-wave attacks? Or did the FBI count every student studying computer science in China as a government-sponsored cyberwarrior? That might seem like a facetious question, but recently we learned that, in one of those reports, a computer science graduate student's paper on power-grid security was magically transformed into a road map for cyberattacks on the United States. Elsewhere, fevered claims that cyberwar could have "WMD-like effects" are offered, an insult to any reader's intelligence. The Estonian cyberwar of 2007 is another good example. Initially, wild claims were that it was a Russian-sponsored attack of incredible sophistication, a possible preparation for a real assault. It turned out to be more a case that the Estonian government's defenses were weak, a handful of individuals caused all the trouble, and Russia wasn't involved. Or consider the July 2009 attacks that initially appeared to come from North Korea, leading Republican Rep. Peter Hoekstra of Michigan to call for U.S. retaliation. Researchers determined that the attacks originated with a handful of individuals in the United Kingdom. If you can't be sure who is attacking you, retaliation is not just stupid, it's immoral. As taxpayers, we have a problem: Give more money to someone who built a disaster, and you'll get a bigger, more expensive disaster. The need for a mature, national-level approach to cybersecurity is painfully clear, and it starts with leadership, rational assessment of our problems, cessation of finger-pointing and yellow-peril screeching, and an honest after-action review of how we got to where we are today. 
From rforno at infowarrior.org Tue Mar 30 23:06:07 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 Mar 2010 19:06:07 -0400
Subject: [Infowarrior] - Google leads call to change privacy law in US
Message-ID:

Google leads call to change privacy law in US
By David Gelles in San Francisco
Published: March 30 2010 20:45 | Last updated: March 30 2010 20:45
http://www.ft.com/cms/s/2/d2093266-3c32-11df-b40c-00144feabdc0.html

An unlikely coalition of technology companies and campaign groups is calling for an overhaul of digital privacy laws in the US, a move it says would better safeguard businesses and individuals from the prying eyes of the government.

The group, which includes Google, Microsoft, the American Civil Liberties Union and others, on Tuesday launched a campaign called Digital Due Process, which it described as "an effort to modernise surveillance laws for the internet age".

The coalition is looking to rework the Electronic Communications Privacy Act, which was passed in 1986 and governs what kinds of private digital information the government has access to and how they may obtain it. The act was passed long before the internet became popular. Businesses and individuals are using it to store sensitive data, and it has become outdated, the coalition says.

"Due to dramatic changes in technology, particularly the emergence in location-based services, the transfer of huge amounts of data to the cloud (remote storage), [and the wide use of e-mail], the law has become outdated and needs to be updated," said Jim Dempsey, vice-president for public policy at the Center for Democracy and Technology.

Richard Salgado, Google's senior counsel, said the need for reform was growing more pressing as individuals and businesses embraced cloud-based storage solutions. "We're seeing a tremendous change in the volume of data people are uploading to services, the sensitivity of that data and how that data play a role in the day-to-day lives of people," he said.
Under existing laws, the US government grants a great deal of protection to digital information stored on local personal or business computers. Mike Hintze, associate General Counsel for Microsoft, said the same protections should apply to private data stored in the cloud. "As that technological reality permeates our society and people start moving documents from their file drawers and into the cloud, we just don't believe that the balance between privacy and law enforcement should be fundamentally turned on its head," he said.

The coalition is calling for laws stating that the government must obtain a search warrant before obtaining any private communications stored online, or tracking an individual's location using data from a mobile device. It also wants the government to demonstrate to a court that the data it seeks are relevant to a criminal investigation before monitoring individual communications or obtaining data about a group of people.

Mr Dempsey said the coalition had already had meetings with the White House, the Federal Bureau of Investigation and the justice and commerce departments. But he said law enforcement agencies were not ready to embrace these proposals, as it might impede some of their intelligence-gathering efforts.

Copyright The Financial Times Limited 2010. You may share using our article tools. Please don't cut articles from FT.com and redistribute by email or post to the web.
From rforno at infowarrior.org Tue Mar 30 23:36:34 2010 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 30 Mar 2010 19:36:34 -0400 Subject: [Infowarrior] - New litigation campaign quietly targets tens of thousands of movie downloaders Message-ID: <57FB44C5-10C5-49AF-BEA3-8F1174C9B3A7@infowarrior.org> New litigation campaign quietly targets tens of thousands of movie downloaders By Eriq Gardner http://thresq.hollywoodreporter.com/2010/03/new-litigation-campaign-targets-tens-of-thousands-of-bittorrent-users.html EXCLUSIVE: In what may be a sign of things to come, more than 20,000 individual movie torrent downloaders have been sued in the past few weeks in Washington D.C. federal court for copyright infringement. A handful of cases have already settled, and those that haven't are creating some havoc for major ISPs. The lawsuits were filed by an enterprising D.C.-based venture, the US Copyright Group, on behalf of an ad hoc coalition of independent film producers and with the encouragement of the Independent Film & Television Alliance. So far, five lawsuits have been filed against tens of thousands of alleged infringers of the films "Steam Experiment," "Far Cry," "Uncross the Stars," "Gray Man" and "Call of the Wild 3D." Here's an example of one of the lawsuits -- over Uwe Boll's "Far Cry." Another lawsuit targeting 30,000 more torrent downloaders on five more films is forthcoming, we're told, and all this could be a test run that opens up the floodgates to massive litigation against the millions of individuals who use BitTorrent to download movies. The genesis of this legal campaign occurred in Germany when lawyers from the US Copyright Group were introduced to a new proprietary technology by German-based Guardaley IT that allows for real-time monitoring of movie downloads on torrents. 
According to Thomas Dunlap, a lawyer at the firm, the program captures IP addresses based on the time stamp that a download has occurred and then checks against a spreadsheet to make sure the downloading content is the copyright protected film and not a misnamed film or trailer.

For the past couple of years, using the technology, content producers have been taking to German and UK courts to identify and sue pirates using torrents. Jeffrey Weaver, another lawyer at the firm, claims those efforts have been successful. One example cited is a limited-release German film whose producers recovered $800,000 through litigation.

Guardaley and its German lawyers agreed to let the US Copyright Group try out the system in the United States, where BitTorrent users have gotten a pass up until now. Before doing so, however, Dunlap talked with the IFTA, which wouldn't explicitly endorse the litigation, but which agreed to be generally supportive. Dunlap also talked with the MPAA and other big studios, which expressed interest but wanted to see proof that ISPs would be cooperative. And so, in the past few weeks on behalf of some low-key indie films, the first lawsuits were filed. "We're creating a revenue stream and monetizing the equivalent of an alternative distribution channel," says Weaver.

Right now, there may be three big reasons why the movie industry hasn't been more aggressive against individual pirates. First, there may still be lingering debates about the general wisdom of a strategy that targets individuals rather than the technology companies that make infringement possible. In December 2008, after suing some 35,000 individuals, the RIAA announced it was abandoning mass litigation against individual song pirates. Many believed the campaign to be a PR disaster.

Second, there are tricky issues involving technology and liability. BitTorrent users only receive and host small packets of data at a single time.
In addition, there are questions about IP addresses being an identifier of a pirate since users can steal or borrow another's IP address to commit file infringement. Third, and perhaps most importantly, ISPs present a roadblock as they are less than enthusiastic about turning off customers by handing over sensitive information to copyright holders. To get past ISPs, a copyright holder needs to file a "John Doe" case and get a court to issue a subpoena that orders the ISP to hand over information. This can be costly. According to Dunlap, ISPs are charging $32 to $60 for each IP address account requested. ISPs cite the cost of notifying the account holder and giving them opportunity to file a motion to quash the subpoena. When the U.S. Copyright Group filed its recent lawsuits and approached AT&T and other ISPs for account information, the lawyers say they were stunned at the reaction. "Their subpoena compliance group said, 'We thought we had shut this (approach) down with the MPAA before,'" says Dunlap. The difference between the MPAA's past approach and the new one being offered by the US Copyright Group could come down to numbers. Weaver says the MPAA took a less targeted approach going after a smaller sampling of infringers in a single suit for multiple films, to send a message that would hopefully resonate to a much larger crowd. In contrast, Dunlap and his partners are using the new monitoring technology to go after tens of thousands of infringers at a time on a contingency basis in hopes of coming up with the right cost-benefit incentive to pursue individual pirates. The firm is following in the footsteps of lawyers in the UK who have crafted a business out of being IP cops. So far, the US Copyright Group says that one ISP has cooperated, handing over 71 names and addresses. These individuals will be sent settlement offers. Eight of those cases have already settled. 
The other less cooperative ISPs are in the midst of fighting in court or reaching out to their respective customers. The US Copyright Group plans to issue a press release soon touting the success of this program. The lawyers are also traveling to the Festival de Cannes in May with hopes of convincing other producers -- and perhaps major studios -- to try their luck suing hundreds of thousands of pirates.

From rforno at infowarrior.org Tue Mar 30 23:55:25 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 Mar 2010 19:55:25 -0400
Subject: [Infowarrior] - SCO loses again - Linux safe for now
Message-ID:

More @ Groklaw: http://www.groklaw.net/article.php?story=20100330152829622

SCO loses again: jury says Novell owns UNIX SVRX copyrights
By Ryan Paul | Last updated about 4 hours ago
http://arstechnica.com/open-source/news/2010/03/sco-loses-again-jury-says-novell-owns-unix-svrx-copyrights.ars

The SCO Group was dealt a serious, potentially fatal blow today in its courtroom battle against Linux. The jury in the trial between SCO and Novell has issued a verdict affirming that Novell is the rightful owner of the UNIX SVRX copyrights. This verdict will make it difficult for SCO to continue pursuing its baseless assault on the open source operating system.

The SCO saga began in 2003 when the company claimed that Linux is an unauthorized derivative of UNIX. SCO filed a lawsuit against IBM, alleging that Big Blue misappropriated UNIX code and included it in the Linux kernel. Although SCO repeatedly claimed to have compelling evidence to support its accusations, the company has yet to provide proof in the seven years since. Internal SCO memos that came to light during the discovery process of SCO's conflict with IBM revealed that SCO's own internal code audits did not identify any evidence of infringement.
The dispute over infringement and misappropriation was put on hold when Novell issued a public statement in 2004 asserting that it is the rightful owner of the SVRX copyrights and never sold the IP to SCO. The 1995 sale agreement, says Novell, gave SCO the right to sell SVRX licenses on behalf of Novell, but did not transfer ownership of the copyrights. As such, Novell claims that SCO does not have proper standing to pursue litigation pertaining to alleged copyright infringement.

The matter of ownership was adjudicated in a bench trial that concluded in 2007 when Judge Dale A. Kimball ruled in favor of Novell. SCO's stock value plummeted and the company appeared to be on the brink of annihilation. SCO managed to avoid oblivion by engaging in a series of stalling tactics and pursuing a number of ill-fated reorganization attempts during the bankruptcy proceedings in order to avoid liquidation.

SCO finally got a chance to make its case before a jury when Kimball's ruling was overturned by the US Court of Appeals for the Tenth Circuit last year. The jury heard detailed arguments from the legal representatives of SCO and Novell. SCO argued that the SVRX copyrights, which were not included in the original agreement, were added later in an amendment. They claim that a term sheet associated with the deal shows that the SVRX IP was intended to change hands. Novell argued that the term sheet is irrelevant, as the asset purchase agreement itself did not transfer the SVRX copyrights.

The jury heard the closing arguments on Friday and reconvened this morning to deliberate. The jurors were required to reach a unanimous decision on the matter of ownership. As the burden of proof was on SCO, the jurors were instructed to issue a verdict in SCO's favor only if SCO presented clear and convincing evidence to support its position. SCO failed to prove its case, as the jury declared that Novell is the rightful owner of the SVRX copyrights.
Novell expressed satisfaction with the verdict in a statement today. SCO has not responded to our request for comment. "Novell is very pleased with the jury's decision confirming Novell's ownership of the Unix copyrights, which SCO had asserted to own in its attack on Linux," a Novell spokesperson said. "Novell remains committed to promoting Linux, including by defending Linux on the intellectual property front."

SCO cannot continue pursuing its infringement litigation against IBM or assorted Linux users because it doesn't own the copyrights that it claims are infringed by Linux. Even if the jury had ruled in SCO's favor, the overwhelming lack of evidence of infringement would still likely make it impossible for SCO to achieve victory in its litigation campaign. It's unclear if the company will be able to evade liquidation following this latest failure in court.

From rforno at infowarrior.org Wed Mar 31 03:55:45 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 Mar 2010 23:55:45 -0400
Subject: [Infowarrior] - Yale delays switch to Gmail
Message-ID: <5C6281E6-BD6A-4D7E-88A3-5F99F6B217FA@infowarrior.org>

ITS delays switch to Gmail
By David Tidmarsh
Staff Reporter
Published Tuesday, March 30, 2010
http://www.yaledailynews.com/news/university-news/2010/03/30/its-delays-switch-gmail-community-input/

The changeover to Google as Yale's e-mail provider has been put on hold. Information Technology Services has decided to postpone the University's move from the Horde Webmail service to Google Apps for Education, a suite of communication and collaboration tools for universities, pending a University-wide review process to seek input from faculty and students.

After a series of meetings with faculty and administrators in February, ITS officials decided to put the move on hold, Deputy Provost for Science and Technology Steven Girvin said. "There were enough concerns expressed by faculty that we felt more consultation and input from the community was necessary,"
he said in an e-mail to the News.

The idea to switch to Google Apps for Education -- which includes popular programs such as Gmail, Google Calendar and Google Docs -- arose during an ITS internal meeting around Christmas, computer science professor Michael Fischer said. After ITS notified faculty members and administrators of the plan in February, several expressed reservations about the move, and ITS officials decided to convene a committee to discuss the situation. Chuck Powell, the ITS senior director of academic media and technology, did not respond to multiple requests for comment.

Several members of the committee thought ITS had made the decision to move to Gmail too quickly and without University approval, Fischer said. "People were mainly interested in technical questions like the mechanics of moving, wondering 'Could we do it?'" he said. "But nobody asked the question of 'Should we do it?'"

Fischer said concerns about the switch to Gmail fell into three main categories: problems with "cloud computing" (the transfer of information between virtual servers on the Internet), technological risks and downsides, and ideological issues.

Google stores every piece of data in three centers randomly chosen from the many it operates worldwide in order to guard the company's ability to recover lost information -- but that also makes the data subject to the vagaries of foreign laws and governments, Fischer said. He added that Google was not willing to provide ITS with a list of countries to which the University's data could be sent, but only a list of about 15 countries to which the data would not be sent. "Yale is an international, multicultural community of scholars," he said. "Students deserve to have rights to their information while on campus."

But even if all data were kept on American soil, Google's size and visibility as a company makes it more susceptible to attack from individuals, ranging from hackers to company insiders, Fischer said.
Under the proposed switch, Yale might lose control over its data or could seem to endorse Google corporate policy and the large carbon footprint left by the company's massive data centers. In addition, Fischer said, Google has a "one size fits all" customer service policy for its Google Apps clients, and the creation of a Google "monoculture" among e-mail users would cause severe problems when the company's servers experience downtime or crashes.

Deputy Provost Charles Long said last Wednesday that he did not know about the committee's decision but noted that several faculty members had concerns about communications security under the proposed Google system. "I thought that students were all on it," he said. "But there was some concern about its capacity to maintain confidentiality with respect to regulations."

ITS plans to propose procedures for getting input from the community and making a more informed decision in the coming months, Fischer said. Originally, ITS had planned to make a gradual transition from Horde to Gmail by next spring, moving current freshmen, sophomores and incoming students to the new system but giving upperclassmen the option to remain with Horde. But at this point, Fischer estimated, the earliest move to Google Apps for Education could be made in spring of next year, with the class of 2015 being the first to adopt the new system at the beginning of its freshman year.

Google has been at the center of a number of recent controversies relating to privacy, security and intellectual property issues. The introduction of the Google Buzz social networking service in February, which automatically allowed Gmail users to view the contacts of members in their address books, raised concerns among privacy advocates. The company has also come under fire for its censorship of search results, most notably in cooperation with the Chinese government. Google recently reversed its policy, shutting down its Chinese Web site.
From rforno at infowarrior.org Wed Mar 31 18:17:07 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 31 Mar 2010 14:17:07 -0400
Subject: [Infowarrior] - DOD: Updates to 'cyber' policy references
Message-ID:

Attached is a recent CJCS Instruction regarding updated terminology for "information operations" and related concepts for use by DOD. Apparently this is part of a broader and ongoing process to update JP 1-02, the "DOD Dictionary of Military and Associated Terms" --- which is the Pentagon's "dictionary" of all terms military, if you didn't know.

Much to my surprise, I am shocked that DOD actually makes some *very* good definitions here. I guess after fifteen years, they're finally starting to move past much of the FUD and hype surrounding "cyberwar".... especially the deafening cacophony that's been plaguing DC over the past year or two.

Well done, DOD!

A copy of the CJCS memorandum is mirrored here: http://www.infowarrior.org/users/rforno/CJCSI.6504.01.pdf

Cheers
-rick

From rforno at infowarrior.org Wed Mar 31 18:21:14 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 31 Mar 2010 14:21:14 -0400
Subject: [Infowarrior] - PIR: The Impact of the Internet on Institutions in the Future
Message-ID: <335A9524-A98F-4089-B3E3-C8822527EC16@infowarrior.org>

The Impact of the Internet on Institutions in the Future
by Janna Anderson, Lee Rainie
Mar 31, 2010
http://www.pewinternet.org/Reports/2010/Impact-of-the-Internet-on-Institutions-in-the-Future.aspx

By an overwhelming margin, technology experts and stakeholders participating in a survey fielded by the Pew Research Center's Internet & American Life Project and Elon University's Imagining the Internet Center believe that innovative forms of online cooperation could result in more efficient and responsive for-profit firms, non-profit organizations, and government agencies by the year 2020.
A highly engaged set of respondents that included 895 technology stakeholders and critics participated in the online, opt-in survey. In this canvassing of a diverse number of experts, 72% agreed with the statement: "By 2020, innovative forms of online cooperation will result in significantly more efficient and responsive governments, business, non-profits, and other mainstream institutions." Some 26% agreed with the opposite statement, which posited: "By 2020, governments, businesses, non-profits and other mainstream institutions will primarily retain familiar 20th century models for conduct of relationships with citizens and consumers online and offline."

While their overall assessment anticipates that humans' use of the internet will prompt institutional change, many elaborated with written explanations that expressed significant concerns over organizations' resistance to change. They cited fears that bureaucracies of all stripes, especially government agencies, can resist outside encouragement to evolve. Some wrote that the level of change will affect different kinds of institutions at different times. The consensus among them was that businesses will transform themselves much more quickly than public and non-profit agencies.

About the Survey

The survey results are based on a non-random online sample of 895 internet experts and other internet users, recruited via email invitation, Twitter or Facebook from the Pew Research Center's Internet & American Life Project and Elon University. Since the data are based on a non-random sample, a margin of error cannot be computed, and the results are not projectable to any population other than the experts in this sample.
From rforno at infowarrior.org Wed Mar 31 18:22:51 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 31 Mar 2010 14:22:51 -0400
Subject: [Infowarrior] - US lawmakers ask for FTC investigation of Google Buzz
Message-ID: <43441AD8-074F-429A-97A1-BB8F31DE5B9D@infowarrior.org>

US lawmakers ask for FTC investigation of Google Buzz
Eleven representatives question whether the launch of Buzz breached consumer privacy
Grant Gross (IDG News Service)
30 March, 2010 06:43
http://www.goodgearguide.com.au/article/341341/us_lawmakers_ask_ftc_investigation_google_buzz/

Eleven U.S. lawmakers have asked the U.S. Federal Trade Commission to investigate Google's launch of its Buzz social-networking product for breaches of consumer privacy.

The representatives -- six Democrats and five Republicans from the House Energy and Commerce Committee -- noted in their letter that Google's roll-out of Buzz exposed private information of users of Google's Gmail service to outsiders. In one case, a 9-year-old girl accidentally shared her contact list in Gmail with a person who has a "sexually charged" username, the lawmakers said in the letter, sent to the FTC Friday and released Monday.

"Due to the high number of individuals whose online privacy is affected by tools like this -- either directly or indirectly -- we feel that these claims warrant the commission's review of Google's public disclosure of personal information of consumers through Google Buzz," said the letter, organized by Representative John Barrow, a Georgia Democrat.

In the original public version of Buzz, launched in February, the program compiled a list of the Gmail contacts the users most frequently e-mailed or chatted with and automatically started following those people. Those lists were made public, giving strangers access to the contacts of Buzz users. There was a flurry of complaints from Gmail users, and Google made changes to Buzz within a couple of days.
Asked for a response to the letter, a Google spokeswoman said user transparency and control are important to the company. "When we realized that we'd unintentionally made many of our users unhappy, we moved quickly to make significant product improvements to address their concerns," she said, repeating Google's past statements on Buzz. "Our door is always open to discuss additional ways to improve our products and services moving forward."

The lawmakers asked the FTC to get answers to four questions from Google, including whether the company will revise its Gmail privacy policy to obtain consent from consumers for sharing their information. The lawmakers also want to know if Google was using the personal information collected through Buzz to deliver targeted advertising. The representatives also questioned how Google's planned acquisition of mobile advertising vendor AdMob will affect consumer privacy.

In mid-March, outgoing FTC member Pamela Jones Harbour ripped into Google for its handling of Buzz, calling the product's launch "irresponsible conduct." In February, the Electronic Privacy Information Center (EPIC) filed a complaint with the FTC, saying that Google Buzz engaged in unfair and deceptive practices that violated Google's privacy policy and federal wiretap laws.

From rforno at infowarrior.org Wed Mar 31 20:45:35 2010
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 31 Mar 2010 16:45:35 -0400
Subject: [Infowarrior] - Court Says Bush Illegally Wiretapped Two Americans
Message-ID:

Court Says Bush Illegally Wiretapped Two Americans
By David Kravets
March 31, 2010, 1:26 pm
http://www.wired.com/threatlevel/2010/03/bush-spied/

A federal judge on Wednesday said the George W. Bush administration illegally eavesdropped on the telephone conversations of two American lawyers who represented a now-defunct Saudi charity.
The lawyers alleged some of their 2004 telephone conversations to Saudi Arabia were siphoned to the National Security Agency without warrants. The allegations were initially based on a classified document the government accidentally mailed to the former Al-Haramain Islamic Foundation lawyers. The document was later declared a state secret and removed from the long-running lawsuit weighing whether a sitting U.S. president may create a spying program to eavesdrop on Americans' electronic communications without warrants.

"Plaintiffs must, and have, put forward enough evidence to establish a prima facie case that they were subjected to warrantless electronic surveillance," U.S. District Judge Vaughn Walker ruled, in a landmark decision.

Even without the classified document, the judge said he believed the lawyers "were subjected to unlawful electronic surveillance" (.pdf) in violation of the Foreign Terror Surveillance Act, which requires warrants in terror investigations. It's the first ruling addressing how Bush's once-secret spy program was carried out against American citizens. Other cases considered the program's overall constitutionality, absent any evidence of specific eavesdropping.

The Obama administration's Justice Department staunchly defended against the lawsuit, which challenged the so-called Terror Surveillance Program that Bush adopted in the aftermath of the 2001 terror attacks. The classified document was removed from the case at the behest of both the Bush and Obama administrations, which declared it a state secret. The Justice Department said it was reviewing the decision.

Judge Walker likened the department's legal tactics to "argumentative acrobatics." He said counsel for attorneys Wendell Belew and Asim Gafoor are free to request monetary damages. Their lawyer, Jon Eisenberg, said in a telephone interview that "the case is not about recovering money."
"What this tells the president, or the next president, is, you don't have the power to disregard an act of Congress in the name of national security," Eisenberg said.

Because of the invocation of the state secrets privilege, Walker had ruled the lawyers must make their case without the classified document. So Eisenberg amended the case and cited a bevy of circumstantial evidence (.pdf). Walker ruled that evidence shows that the government illegally wiretapped the two lawyers as they spoke on U.S. soil to Saudi Arabia. Walker said the amended lawsuit pieces together snippets of public statements from government investigations into Al-Haramain, the Islamic charity for which the lawyers were working, including a speech about their case by an FBI official.

Under Bush's so-called Terrorist Surveillance Program, which The New York Times disclosed in December 2005, the NSA was eavesdropping on Americans' telephone calls without warrants if the government believed the person on the other line was overseas and associated with terrorism. Congress, with the vote of Obama, who was an Illinois senator at the time, subsequently authorized such warrantless spying in the summer of 2008. The legislation also provided the nation's telecommunication companies immunity from lawsuits accusing them of being complicit with the Bush administration in illegal wiretapping.

It's uncertain whether the decision will withstand an appeal. In 2006, for example, a Detroit federal judge declared Bush's spy program unconstitutional. But a federal appeals court quickly reversed, ruling that the plaintiffs did not have legal standing to bring a case, because they had no evidence to show that their telephone calls specifically were intercepted. The Supreme Court declined to review that ruling.