August 31, 2007
Mobile Workers: Less Secure Because of Crappy Tools?
With a little thought, it seems like an obvious finding: Trend Micro says the more mobile an end user is, the more likely he is to send confidential information via instant messaging or Web mail.
Having suffered with truly atrocious remote tools, I can see why someone might consider forwarding all his work mail to Gmail while on the go. I haven't ever been offered anything from a company or organization that was nicer to use, and most of it has been far worse. And I have yet to work for anyone where IM was anything other than an ad hoc proposition ... employees just get accounts on public networks and find each other.
This particular article goes in a few directions. It reads like desktop-based workers are less generally aware of security issues than their mobile counterparts -- and in some cases behave in a riskier fashion -- but the security company that wrote the report singled mobile workers out for their use of non-company-provided tools to do company business.
An analyst in the article says "There are still many companies that only deploy AV to all machines. I spend much of my time talking to organizations about the multi-layered protections they need on their laptops, not just their network."
They should also be thinking about the quality of tools they provide.
Posted by mhall at 5:49 PM
August 30, 2007
Storm Worm Compromising Blogger Pages
The BBC reports that the Storm Worm is serving up malware from infected Blogger pages.
Security researcher Alex Eckelberry from Sunbelt Software first noticed the booby-trapped links turning up on Blogger on 27 August.
Now many hundreds of blogs on the site have been updated with a short entry containing the link.
Mr Eckelberry said it was not yet clear how the links were posted to blogs. The bogus entries could have exploited a Blogger feature that lets users e-mail entries to their journal.
The blogs themselves could also be fake and set up solely to act as hosts for spam.
Google's still mum on how it's happening.
Posted by mhall at 5:35 PM
August 29, 2007
EFF FOIA Requests Unveil Workings of FBI Surveillance System
Wired News documents the workings of DCSNet, the FBI's nationwide Eavesdropping Network:
Using information gleaned from documents the EFF obtained using FOIA requests, the report says DCSNet is "far more intricately woven into the nation's telecom infrastructure than observers suspected."
How intricately woven?
The network allows an FBI agent in New York, for example, to remotely set up a wiretap on a cell phone based in Sacramento, California, and immediately learn the phone's location, then begin receiving conversations, text messages and voicemail pass codes in New York. With a few keystrokes, the agent can route the recordings to language specialists for translation.
The numbers dialed are automatically sent to FBI analysts trained to interpret phone-call patterns, and are transferred nightly, by external storage devices, to the bureau's Telephone Application Database, where they're subjected to a type of data mining called link analysis.
FBI endpoints on DCSNet have swelled over the years, from 20 "central monitoring plants" at the program's inception, to 57 in 2005, according to undated pages in the released documents. By 2002, those endpoints connected to more than 350 switches.
Today, most carriers maintain their own central hub, called a "mediation switch," that's networked to all the individual switches owned by that carrier, according to the FBI. The FBI's DCS software links to those mediation switches over the internet, likely using an encrypted VPN. Some carriers run the mediation switch themselves, while others pay companies like VeriSign to handle the whole wiretapping process for them.
(via the EFF's link to the article)
Also via the EFF: Comments from Steve Bellovin on what's so worrying about this particular point-and-click surveillance network:
My biggest concern, though, lies in the words of one of the FBI's own security evaluations: the biggest threat is from insiders. The network is properly encrypted for protection against outside attackers. The defenses against insiders -- yes, rogue FBI agents or employees -- are far too weak.
To sum up: we have a system that accesses very sensitive data, with few technical protections against inside attacks, and generic defenses that don't seem to fit the threat model.
Posted by mhall at 3:00 PM
August 28, 2007
More Yahoo Legal Theory: Some Countries' Laws Are Optional
From Wired's Threat Level, which also noted Yahoo!'s curious invocation of the First Amendment:
Yet two years ago, while citing the First Amendment, Yahoo went to the U.S. courts in a bid to prevent it from having to pay millions in fines levied by a French court for allowing French citizens to barter Nazi paraphernalia on its auction site - a practice against French law.
"This is extremely ironic. They're saying free speech protections apply to Yahoo, but they don't apply to the Yahoo users of the Internet," said Morton Sklar, a lawyer for the World Organization for Human Rights USA who is one of the dissidents' attorneys.
A Yahoo spokeswoman said the company was not immediately prepared to comment.
I'll bet not. I'd be too embarrassed to comment, too.
Posted by mhall at 8:46 PM
Yahoo! Says Giving Dissidents Up to Torturers Is Its First Amendment Right
The Washington Post writes that Yahoo! is asking the court to "dismiss a lawsuit accusing the Internet giant of abetting torture and abuse of pro-democracy writers in China."
The company's rationale:
"The real issue here is the plaintiffs' outrage at the behavior and laws of the Chinese government," she said. "The U.S. court system is not the forum for addressing these political concerns."
No.
The real issue is that the Chinese government behaves in violation of international law when it tortures its citizens. By handing over personal information that helps get people tortured, Yahoo! is complying with a law that's, by international standards, illegal. It's not that hard a concept to grasp, and it's appalling that Yahoo! is seeking shelter under the umbrella of institutionalized torture and repression.
Rebecca MacKinnon at RConversation has a number of links to court documents and past reporting on the story, including the original complaint and Yahoo!'s motions to dismiss.
If you're in for a sick laugh, check out the one entitled "SPECIAL MOTION TO STRIKE PLAINTIFFS’ STATE LAW CAUSES OF ACTION PURSUANT TO THE CALIFORNIA ANTI-SLAPP STATUTE." Among other things, it says Yahoo! shouldn't be sued for telling the Chinese government what it needs to know to arrest people practicing their right to free speech because that's a violation of Yahoo!'s right to practice free speech by snitching to whomever it pleases.
Posted by mhall at 3:31 PM
August 27, 2007
Microsoft White Hats Launch a New Blog
hackers @ microsoft is a new security blog featuring some of Redmond's house white hats. From its inaugural entry:
Microsoft employs some of the best hackers in the world and actively recruits them and develops them. They work on all kinds of projects, whether it be in development, research, testing, management and of course security.
and
We employ "white hat hackers" who spend their time pentesting and code reviewing applications and software looking for weaknesses and vulnerabilities so that others don't once we've released that code into the wild. We employ many many smart testers who know more about some of our software than perhaps the architects who designed it. We also employ some of the top researchers in their industry, dedicated people working on the bleeding edge of what's going to be commonplace in the next 5 or 10 years of computing. So yes, Microsoft does have hackers, and it's time to introduce you to some of them and show you what it is, exactly, that they do.
(via)
Posted by mhall at 1:55 PM
August 26, 2007
Microsoft's WGA Service Croaks
Ars Technica: Windows Genuine Advantage suffers worldwide outage, problems galore:
If you use Windows, do your best to avoid anything that requires a ping to WGA. That means you should stay away from patches and add-ons until the coast is clear. WGA will not reach out across the Internet and deactivate your copy of Windows, but you should avoid talking to a WGA server for any reason.
Stay away from patches and add-ons? On a Windows machine? Just pull whatever cable your 'net connection arrives through out of the wall while you're at it.
After an initial repair estimate of Tuesday, the issue is now fixed. I'll be until Tuesday wrapping my head around the wisdom of offering any disincentive at all to patching a Windows box. I don't think there's any to be found. Keeping "pirates" from getting patches is just closing the barn door after the horse is out, then burning the barn down around all the innocent horses when those unpatched machines roll over that much more easily when confronted with malware.
(via)
Posted by mhall at 3:25 AM
August 25, 2007
Yahoo! Will Respond to Chinese Journalist's Lawsuit on Monday
Boing Boing: Yahoo to respond to lawsuit over jailed Chinese 'net dissidents:
Yahoo! acknowledged that it provided Chinese officials with identifying information of its Yahoo! service users that made these arbitrary arrests and long-term imprisonments possible, but the company claims that it had to provide the information in compliance with Chinese law. Sklar noted that “the language of China’s requests to Yahoo! make it clear that these individuals were being targeted for their exercise of free speech and free press rights, and not for any legitimate law enforcement reasons.” During Congressional hearings held in February 2006, Yahoo! also defended its actions by claiming that it was not aware of the purpose for which the information was requested. Recent information has surfaced, however, indicating that Yahoo! was, in fact, aware of the repressive purposes of the requests. On August 3, Tom Lantos (D-CA), Chairman of the House Foreign Affairs Committee, announced that Congress would investigate Yahoo!’s conflicting statements to determine whether the internet company lied under oath about what it knew during last year’s Congressional hearings.
Several preliminary procedural motions led up to Monday’s filing. One of these motions was an effort by Yahoo! to divide the case into multiple parts, which would have caused significant delays in reaching the merits of the case. The court denied Yahoo!’s motion, but did agree to seek the U.S. State Department’s views on potential foreign policy impacts of the case. Yahoo! also asked the court to grant a protective order of evidence to allow Yahoo! to keep major portions of its submissions secret.
Posted by mhall at 2:11 AM
August 24, 2007
Money, Bureaucracy Kill WHOIS Privacy Reform
Ars Technica reports that WHOIS privacy reforms have reached a dead end, thanks in part to attempts by intellectual property lawyers, law enforcement and bankers to ensure registrant information could be exposed on demand to "pursue bad actors" which I'll take to mean "find copyright infringers."
Compounding the issue: Registrars make good money selling registrants back their own privacy in the form of proxy services. "[A]s long as the registrars have a commercial interest in the outcome, reform to the current system will be very slow," concludes the writeup.
Posted by mhall at 4:24 PM
August 23, 2007
Monster Cops to a Breach, But Not Before Being Idiots About It
PC World - Monster Shuts Down Rogue Server:
Monster Worldwide Inc., whose job-hunting sites suffered a massive data breach caused by hackers, has shut down a rogue server that had been used to gather personal details of job seekers.
The server contained the stolen names, addresses, phone numbers and e-mail addresses of people who used Monster's service. The company was still determining the number of people affected by the breach on Wednesday. It did not disclose the location of the server.
via Valleywag, which points out Monster's initial response was tone-deaf and blindingly stupid: "In fact, the information that is gathered from Monster is no different than that displayed in a phone book."
Right ... except the part about e-mail addresses, which are useful things to have when you're sending someone an e-mail with site-specific information that puts the user at ease enough to maybe launch the malware you thoughtfully attached because it looks like a legitimate tool.
Just this morning I got a promotional mail from a company offering a free trial download of some new software. Because I use plussed addresses, my first thought on receiving the mail was "well ... it came from their address list, so it's not a random spam." Which was true enough. But as the Monster case points out, that didn't mean it was any safer.
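Here is what that plussed-address reasoning looks like when you automate it. This is an added example, not anything from the post or from Monster: the tag registry, the mailbox and the address domains are all constructed, hypothetical data. The tag tells you which list an address was handed to; it cannot tell you whether that list was later stolen, so a matching sender domain is recorded as inconclusive rather than safe.

```python
import re
from email.utils import parseaddr

# Constructed registry of which plus-tag was given to which sender
# (hypothetical data, not from the post). The tag records where the
# address was handed out, nothing more.
TAG_REGISTRY = {
    "monster": "monster.com",
    "acmesoft": "acmesoft.example",
}

# user+tag@domain; neither local part nor tag may contain '+' or '@'
PLUS_RE = re.compile(r"^([^+@]+)\+([^+@]+)@([^@]+)$")


def split_plus_address(addr):
    """Return (local_part, tag, domain) for user+tag@domain, else None."""
    _, bare = parseaddr(addr)
    m = PLUS_RE.match(bare.strip().lower())
    return m.groups() if m else None


def sender_domain(from_header):
    """Domain of the From: header, lower-cased ('' if unparsable)."""
    _, bare = parseaddr(from_header)
    return bare.rsplit("@", 1)[1].lower() if "@" in bare else ""


def classify(msg):
    """Triage one message (dict with 'from' and 'to') by its plus-tag.

    Returns one of:
      'untagged'        - no plus-tag, so nothing to correlate
      'unknown-tag'     - tag we never issued: guessed, mangled or forged
      'tag-leaked'      - tag issued to one sender, mail arrives from another:
                          the list was shared, sold or stolen
      'from-list-owner' - sender domain matches the registry; NOT proof of
                          safety, since From: is attacker-chosen and the
                          list itself may have been stolen (the Monster case)
    """
    parts = split_plus_address(msg["to"])
    if parts is None:
        return "untagged"
    _, tag, _ = parts
    expected = TAG_REGISTRY.get(tag)
    if expected is None:
        return "unknown-tag"
    got = sender_domain(msg["from"])
    if got == expected or got.endswith("." + expected):
        return "from-list-owner"
    return "tag-leaked"


def triage(messages):
    """Map each message id to its verdict."""
    return {m["id"]: classify(m) for m in messages}


# Constructed sample mailbox (hypothetical addresses).
SAMPLE = [
    {"id": 1, "from": "Jobs <alerts@mail.monster.com>",
     "to": "me+monster@example.org"},
    {"id": 2, "from": "promo@freetrial.example.net",
     "to": "me+acmesoft@example.org"},
    {"id": 3, "from": "friend@example.com", "to": "me@example.org"},
    {"id": 4, "from": "x@y.example", "to": "me+bogus@example.org"},
]

if __name__ == "__main__":
    for mid, verdict in triage(SAMPLE).items():
        print(mid, verdict)
```

The useful verdict is "tag-leaked": a tag you gave to one company arriving from somewhere else is hard evidence the list moved. "from-list-owner" is only triage metadata, for exactly the reason the Monster breach illustrates.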
Posted by mhall at 3:09 PM
August 22, 2007
Bob Barr: "Congress Trashes Your Privacy"
Bob Barr, former Republican lawmaker turned Libertarian and ACLU member, nutshellizes the FISA revisions:
Thanks to the fact that a majority of members of Congress apparently cared more for starting their August recess on time than for protecting the Fourth Amendment-based privacy rights of the citizens they represent, this administration now is able to intercept any telephone or e-mail communication by anyone in this country, based on nothing more than an assertion that it believes one of the parties is overseas. No evidence or belief that one party to such conversations is a known or suspected terrorist -- the rationale for the legislation that the administration declared publicly -- is needed.
Despite such bipartisan clarity in the preamendment FISA law, we now know that this president decided in late 2001 to ignore this requirement of the law. He did not seek at the time to change it if he believed it to improperly limit his power as "commander in chief," but simply ignored it. Now, the Congress has given its blessing -- at least temporarily -- to Bush's violations of the old law. In so doing, it has subjected virtually every international call a person makes or e-mail anyone sends overseas to potential surveillance. The Congress did this by removing from the entire FISA mechanism -- and from any court oversight -- all calls, regardless of who makes them, if the government has reason to suspect that one of the parties is overseas. In other words, all international communications. The sweep of such power is indeed breathtaking. However, the Congress did get to leave for its August recess on time.
He goes on to note hopefully that there is, at least, a six-month sunset provision in the new law.
I don't know if anyone who has a problem with the way FISA was rewritten should expect the six-month do-over to make things any better. Barr chose to frame Congress's actions as motivated by sloth -- eagerness to start August recess -- which sounds funny, but isn't quite right. It seems a lot more likely that many Democrats acted out of timidity, not wanting the inevitable attack ad talking points to read "Then, in 2007, he voted against laws to keep us safe from terrorists!"
Fear of attack ads isn't going to lessen between now and next February. Moreover, there's a disturbing unspoken premise in debate around all privacy-eroding legislation, which is that it's o.k. to build a massive surveillance apparatus as long as the people building it have good intentions and as long as people who aren't "the bad guys" aren't waking up in internment camps.
That's a pretty complacent view of state power that says quite a bit about the trajectory of American thinking.
Posted by mhall at 12:43 PM
August 21, 2007
Storm Worm Continues to Wring Fanboy Terminator References from Us
Security Focus reports that the Storm Worm has changed up its game a little, sending e-mail masquerading as legitimate membership notifications:
The e-mail messages use a fairly regular format, including a brief greeting, a supposed temporary login name and password, and a link to a malicious Web site, according to antivirus firms. The destination site will tell the user that, to log on, they need to download a secure login applet. Victims that do install the software will become infected with the Storm Worm bot software.
So, on Friday it was sort of Skynet-esque. Today it’s more like a T1000. Doesn’t that mean it’s gonna be teh hawt in its next incarnation?
Posted by mhall at 11:40 PM
Ginned Up Facebook "Security Backlash" Is a Marketing Coup
"Most trendspotting articles–especially those appearing in newsless August–are bunk." — Jack Shafer, Slate
Last week Sophos announced that a study it conducted on Facebook users found that 41 percent would "divulge personal information - such as email address, date of birth and phone number - to a complete stranger."
"Divulging" in this case meant "accepting a stranger's friend request" with the attendant possibility that the new "friend" might gather up profile information the user has provided on his or her profile.
In other words, less than half of Facebook users accepted friend requests from total strangers, though Sophos preferred the headline "Sophos Facebook ID probe shows 41% of users happy to reveal all to potential identity thieves."
It's not even worth complaining about a security company's flacks getting a little imaginative. That's what they do, and Sophos is hardly alone in the scare story industry.
What's more, the fear-mongering headline gave way to a press release that was much milder than its own headline, with the company's "senior technology consultant" offering up this summary of what, exactly, Sophos' study really meant:
"While accepting friend requests is unlikely to result directly in theft, it is an enabler, giving cybercriminals many of the building blocks they need to spoof identities, to gain access to online user accounts, or potentially, to infiltrate their employers' computer networks."
and
"It's important to remember that Facebook's privacy features go far beyond those of many competing social networking sites." (Translation: You came here in a panic over Facebook, but that's not even the beginning!)
The tech press' response was a bit more disheartening, though not new either: Reporters promptly went to work churning out single-source regurgitations of the Sophos press release under headlines like "Study: Facebook users are easy targets for identity theft" with writeups that weren't interested, with some exceptions, in even mentioning Sophos' own qualifications.
In an odd show of scruples, one reporter bypassed the canned quotes from the press release in favor of calling someone else at Sophos to provide a few "spontaneous" ones calling the findings "extremely alarming," but otherwise matching the press release's language almost word for word.
It's not surprising that Sophos, buoyed by its successful mini-scare, decided to go back to the same well, so this week the company has results from a new survey:
In a Sophos poll of 600 workers, 43 percent revealed that their company was blocking access to Facebook, while an additional seven percent reported that usage of the social networking website was restricted and only those with a specific business requirement were allowed to access it.
In contrast, 50 percent of respondents said that their company did not block access to Facebook, with eight percent specifying that the reason was fear of employee backlash.
And reporters once again oblige, with headlines like "Worried companies block Facebook" appearing over stories that refer to "the security backlash against Facebook" and dutifully link back to last week's regurgitations of Sophos' press releases, referring to them as "publicity" about "the information theft peril presented by Facebook."
Somewhere a Sophos flack is toasting the health of reporters everywhere.
Posted by mhall at 6:42 PM
Google Phishing Scam Offers Storage Upgrades
Nothing beats a topical phish.
CopiaTech has an example of a Gmail phishing scam that offers free storage upgrades and domain registrations. The link leads to a convincing facsimile of the Gmail site under the domain "gmailupgrades.com."
Google is, of course, selling storage upgrades.
OpenDNS has already got the domain in the phishtank.
Posted by mhall at 2:40 PM
August 20, 2007
Data Breach Chronology Is a Privacy Bodycount
“A Chronology of Data Breaches” from the Privacy Rights Clearinghouse records incidents that “have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver’s license numbers” along with some that haven’t.
Total number of records that have involved information useful to identity thieves? 159,105,898.
And that’s what makes calling people who are parsimonious with their personal information “paranoid” or “zealous” so galling. You don’t have to believe the NSA has microphones in the walls of your apartment to realize that asking why someone needs some information is a simple act of self defense. The more you spread your personal information around, the more likely it is to end up in the wrong hands.
Posted by mhall at 5:58 PM
August 17, 2007
Storm Botnet Decides Vulnerability Scans Are a Threat, Goes Terminator
Dark Reading says the botnet the Storm worm has been building "is set up to launch a distributed denial-of-service (DDoS) attack against any computer that is scanning a network for vulnerabilities or malware," just like Skynet probably did when it became self aware at 2:14 a.m. Eastern time, August 29th, 1997.
Ren-Isac, which is supported largely through Indiana University, recently issued a warning to about 200 member educational institutions and then put out a much broader alert, warning colleges and universities that their networks could come under heavy attack.
The warning noted that researchers have seen "numerous" Storm-related DDoS attacks recently. As the new school year is about to get underway, Ren-Isac is advising security professionals that the new attack "represents a significant risk" for the educational sector. With students returning to campus in the next few weeks, schools are expected to scan the servers on their network to find vulnerabilities and malware that the students are bringing back with them. When the scanner hits an infected computer that is part of the Storm botnet, the rest of the botnet directs a DDoS attack back against the computer running the scan, explained [Ren-Isac Technical Director Doug] Pearson in an interview with InformationWeek. The attacks can last more than a day, and can involve "very significant" traffic.
"It's a new behavior for a botnet," said Pearson. "It's acting in a defensive manner. It is a little [scary], isn't it?"
A little, if you're the type to get all worked up over computers rising up to throw off the oppressive chains of malware scans so they can make us their slaves. Or inundate us with "Paris Hilton bra-less" spam.
But I got something cool to go with my fear, too:
Ren-Isac also has a page that monitors port traffic on the Abilene backbone and draws graphs that map which CERT-tracked advisories might be attracting malicious traffic over that port. Hit the "best practices" link for one of the entries like, say, port 135, and you get a rundown of what that port does and how best to secure it.
Posted by mhall at 7:59 PM
August 16, 2007
Talking Points Memo: Followup on Yesterday's 9th Circuit Hearings
TPM Muckraker summarizes yesterday’s 9th Circuit Court hearings on warrantless wiretaps.
“If yesterday’s grilling session was any indication, those secrets might actually be aired. Since the Bush administration is resisting subpoenas from the Senate Judiciary Committee over internal documentation establishing the legal basis for surveillance efforts, that would make San Francisco the only public forum for insight into one of the controversial national-security programs of the post-9/11 era.”
But there’s this qualification:
“The 9th Circuit is known as one of the most liberal appellate courts. Hearing the cases were three judges appointed by Presidents Bill Clinton and Jimmy Carter. Should it lose, the Justice Department will surely appeal, in the not-unreasonable expectation that a higher court will be more solicitous of the government’s predicament.”
Posted by mhall at 12:56 PM
August 15, 2007
Liveblogging of NSA/AT&T Court Hearing
Wired bloggers are liveblogging a Ninth Circuit Court of Appeals hearing on AT&T's alleged datamining on behalf of the government, and a warrantless wiretapping program.
Says Jennifer Granick, executive director of the Stanford Law School Center for Internet and Society on this hearing:
Supporters of the Bush administration's position on warrantless surveillance are often heard arguing that we must use any means necessary to fight terrorism. But "any means necessary" is not the guiding principle of a civilized, democratic nation, especially when the tools we are implementing are often more distracting than effective -- never mind "necessary." When the 9th Circuit rules in these two cases, we will find out if we are a nation at risk of losing its soul, or one that will be governed by the rule of law, and will seek to protect people from arbitrary and harmful government monitoring.
Posted by mhall at 6:27 PM
August 14, 2007
Cryptome's Spooky Anti-Spook
My first visit to Cryptome was sort of like the first time I ever heard a numbers station. I realized there was a conversation going on out there that was a little spooky.
Radar has an interview with Cryptome founder John Young, who is also a little spooky.
When cypherpunks, many of whom were engineers and mathematicians working as government contractors, needed a way to leak classified technical documents about encryption, Young volunteered as a conduit, first using the small hosting space that his ISP provided and later launching Cryptome as a stand-alone site. "My defense is, I don't know what these documents are," he says. "It was pretty arcane stuff. We said, 'We'll put up anything that no one else wants to put up.' That was our motto."
Within months, he started to see daily visits from NSA computers. He'd gotten their attention. The site quickly shed its focus on cryptography, becoming a catch basin for random bits of information—data—about national security and government secrecy. Young and his wife, Deborah Natsios, who helps him run Cryptome, assembled it all in one permanent archive, where readers can fall through the rabbit hole for hours, scanning presidential motorcade security procedures, reading declassified CIA case files, and viewing enhanced photos of that mysterious bulge in the back of President Bush's suit jacket caught on camera during the 2004 debates. Young has posted 41,000 files so far and averages roughly 50,000 visitors per day.
"There's a massive organization of hundreds of thousands of people around the world totally counting on secrecy," he says of the intelligence agencies he covers. "They are the most unreliable people in the world. And it's corrupted our culture. There's nothing that should be secret. Period."
Then it starts getting weird.
Posted by mhall at 6:19 PM
Who's Been Editing Wikipedia?
This is cool:
Wikipedia Scanner -- the brainchild of Cal Tech computation and neural-systems graduate student Virgil Griffith -- offers users a searchable database that ties millions of anonymous Wikipedia edits to organizations where those edits apparently originated, by cross-referencing the edits with data on who owns the associated block of internet IP addresses.
Some highlight-reel edits are recounted at Wired.
It's interesting to see which organizations will just go through and eradicate information they don't like (Diebold) and which will modify the entry to bring what they no doubt imagine to be a more balanced view (Wal-Mart).
And someone at the CIA is a "Buffy the Vampire Slayer" fan.
Wired is also tracking the best (where best is "most shameful") edits. Like this one:
Microsoft's MSN Search is now "a major competitor to Google". Take it from this anonymous contributor, whose IP address belongs to Waggener Edstrom, Microsoft's PR firm.
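The trick behind Wikipedia Scanner is plain longest-prefix matching of an edit's source IP against who owns the netblock. Here it is as an added example, not Griffith's code: the allocation table uses documentation ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32) with made-up organization names, and the edit log is constructed, so nothing here corresponds to a real edit or a real allocation.

```python
import ipaddress

# Constructed, hypothetical allocation table: netblock -> owning organization.
# Real lookups would come from RIR whois data; these are documentation ranges.
NETBLOCKS = [
    ("192.0.2.0/24", "Example Corp PR"),
    ("198.51.100.0/25", "Example University"),
    ("198.51.100.128/25", "Example Agency"),
    ("2001:db8::/32", "Example ISP v6"),
]

# Constructed edit log: (article, editor IP literal or username, summary).
# Registered accounts show a username instead of an IP and are skipped.
EDITS = [
    ("Example Corp", "192.0.2.17", "removed criticism section"),
    ("Example Corp", "192.0.2.200", "neutral wording"),
    ("Some Show", "198.51.100.130", "added episode list"),
    ("Unrelated", "203.0.113.9", "fixed typo"),
    ("Unrelated", "EditorBob", "fixed typo"),
    ("Example ISP", "2001:db8:1::5", "updated prices"),
]


def build_index(netblocks):
    """Parse CIDR strings once; most specific prefix must be checked first."""
    nets = [(ipaddress.ip_network(cidr, strict=True), org) for cidr, org in netblocks]
    return sorted(nets, key=lambda n: n[0].prefixlen, reverse=True)


def lookup_org(index, addr):
    """Owning org for an IP literal, or None for usernames and unallocated IPs."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # a registered account, not an anonymous IP edit
    for net, org in index:
        if ip.version == net.version and ip in net:
            return org
    return None


def attribute_edits(edits, netblocks):
    """Group anonymous edits by the organization owning the editor's netblock."""
    index = build_index(netblocks)
    by_org = {}
    for article, editor, summary in edits:
        org = lookup_org(index, editor)
        if org is None:
            continue
        by_org.setdefault(org, []).append((article, editor, summary))
    return by_org


def self_edits(edits, netblocks):
    """Edits where the article title and the org name overlap: the ones worth reading.

    Crude string containment is enough for a first pass; the scanner's real
    value is the attribution, and a human reads the diffs.
    """
    return [
        (org, e)
        for org, es in attribute_edits(edits, netblocks).items()
        for e in es
        if e[0].lower() in org.lower() or org.lower() in e[0].lower()
    ]


if __name__ == "__main__":
    for org, (article, editor, summary) in self_edits(EDITS, NETBLOCKS):
        print(f"{org:20} edited '{article}' from {editor}: {summary}")
```

Two points a practitioner would care about: sort by prefix length so a /25 carved out of a /24 attributes to the right owner, and never treat a netblock owner as the editor. The IP says which organization's network the edit left, not which employee, contractor or guest made it.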
Posted by mhall at 6:03 PM
August 13, 2007
Talking Points Memo: Newsweek Gets "Shrill" Over FISA
Talking Points memo has a short list of reactions to the FISA update, including a quote from Newsweek’s Jonathan Alter:
I hate to sound melodramatic about it, but while everyone was at the beach or “The Simpsons Movie” on the first weekend in August, the U.S. government shredded the Fourth Amendment to the Constitution, the one requiring court-approved “probable cause” before Americans can be searched or spied upon. This is not the feverish imagination of left-wing bloggers and the ACLU. It’s the plain truth of where we’ve come as a country, at the behest of a president who has betrayed his oath to defend the Constitution and with the acquiescence of Democratic congressional leaders who know better. Historians will likely see this episode as a classic case of fear — both physical and political — trumping principle amid the ancient tension between personal freedom and national security. […]
Democrats obtained a sunset clause that requires the whole thing to be reauthorized in six months. But real damage has been done. At a minimum, we have suspended the Fourth Amendment for the time being.
Previously:
- What Did We Get With the Protect America Act?
- NYTimes: Telecoms Had Their Own Reasons for Pushing Back Against Illegal Wiretaps
- Senate Intel Committee Member Knows More About FISA from Newspapers Than His Job
Posted by mhall at 2:58 PM
August 10, 2007
UK: ISPs Might Need to Be Prodded Into Endpoint Remediation
So, Charlie says ISPs have no responsibility for endpoint remediation, and the British House of Lords waits a day or two before issuing a 120-page report (PDF, 2.9MB) begging to differ:
"ISPs, on the other hand, are well placed to monitor and, if necessary, filter outgoing traffic from customers. If unusual amounts of email traffic are observed this could indicate that a customer's machine is being controlled by a botnet sending out spam. At the moment, although ISPs could easily disconnect infected machines from their networks, there is no incentive for them to do so. Indeed, there is a disincentive, since customers, once disconnected, are likely to call help-lines and take up the time of call-centre staff, imposing additional costs on the ISP.
"[...] Doug Cavit, at Microsoft, told us that while most (though not all) ISPs isolated infected machines, they generally found it too expensive actually to contact customers to fix the problem. Nor is this service well advertised—indeed, any ISP which advertised a policy of disconnecting infected machines would risk losing rather than gaining customers.
Which is a point Charlie made, without perhaps anticipating what a government bureaucrat might propose as a fix to that lack of economic incentive:
"[W]e see no reason why the sort of good practice described by Mr Henton should not, by means of regulation if necessary, be made the industry norm."
Ouch!
But Charlie was a step ahead on this one: Even if ISPs were to be given or assume the responsibility of quarantining and helping to remediate infected customer endpoints, the machine will probably have to be patched. And Microsoft isn't interested in letting ISPs redistribute its patches. So we're left with an ISP that can either let the customer out of quarantine and wait around for him to call back in a week after he's gone off and gotten reinfected, or simply tell him he's a menace and he's staying in the shallow end of the pool until he can get his patches from somewhere besides over the ISPs network.
If a governmental body wants to spread around the responsibility (and the costs) of mandating ISP remediation, it seems only fair to tell Redmond to cough up the patches, even if it means pirated Windows installations can get at them, too.
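The check the House of Lords quote sketches (unusual amounts of outgoing mail as a sign of a spam bot) as a small worked example in Python. It is added here and is not from the report or from Charlie's column; the flow records, the thresholds and the registered-mail-server allowlist are all constructed for illustration.

```python
from collections import defaultdict

# Constructed outbound flow summaries for one window: (customer_ip, dst_ip, dst_port, flows).
# Not real data; stands in for what an ISP's flow collector would produce.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 25, 3),     # ordinary user: a few SMTP flows to the ISP relay
    ("10.0.0.5", "198.51.100.7", 443, 40),
    ("10.0.0.9", "192.0.2.1", 25, 900),      # suspicious: hundreds of SMTP flows...
    ("10.0.0.9", "192.0.2.2", 25, 850),      # ...fanning out to many distinct mail exchangers
    ("10.0.0.9", "192.0.2.3", 25, 770),
    ("10.0.0.9", "192.0.2.4", 25, 610),
    ("10.0.0.42", "192.0.2.50", 25, 2000),   # registered mail server: same shape, but legitimate
    ("10.0.0.42", "192.0.2.51", 25, 1800),
    ("10.0.0.42", "192.0.2.52", 25, 1500),
    ("10.0.0.42", "192.0.2.53", 25, 1200),
]

# Constructed allowlist: customers who declared they run a mail server (handled by policy, not heuristics).
KNOWN_MAIL_SERVERS = {"10.0.0.42"}

def summarize_smtp(flows):
    """Per customer: (total outbound port-25 flows, number of distinct SMTP destinations)."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for src, dst, dport, count in flows:
        if dport == 25:
            totals[src] += count
            dests[src].add(dst)
    return {src: (totals[src], len(dests[src])) for src in totals}

def flag_spam_bots(flows, max_flows=200, max_dests=3, allowlist=KNOWN_MAIL_SERVERS):
    """Return customers whose SMTP volume AND fan-out both exceed the thresholds.

    Requiring both conditions keeps one busy session to the ISP's own relay from
    tripping the rule; the allowlist keeps declared mail servers out of quarantine.
    """
    flagged = []
    for src, (total, ndests) in sorted(summarize_smtp(flows).items()):
        if src in allowlist:
            continue
        if total > max_flows and ndests > max_dests:
            flagged.append(src)
    return flagged

if __name__ == "__main__":
    print(flag_spam_bots(SAMPLE_FLOWS))  # ['10.0.0.9']
```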
Posted by mhall at 7:01 PM | Add Comment
August 9, 2007
Search Privacy Report Says "Bring in the Feds."
The Center for Democracy and Technology has issued a new report on search privacy (267kb PDF).
It's short at six pages. Page two provides a useful table of privacy policies from all the major search engines, including how long each keeps IP addresses, cookies and query data, and what methods each uses to anonymize records after the expiration date.
The report's entitled "Search Privacy Practices: A Work in Progress," so you can guess the CDT would like things to improve more than they already have. Its bottom line:
"No amount of self-regulation in the search privacy space can replace the need for a comprehensive federal privacy law to protect consumers from bad actors. With consumers sharing more data than ever before online, the time has come to harmonize our nation's privacy laws into a simple, flexible framework."
I agree, but I think I'd prefer to let the market work on this one for a bit longer. Not because the market is magical in all things, but because once this sort of thing tumbles into the sausage factory that is our nation's legislature, what comes out will need to be seasoned by a much more freewheeling, open and competitive debate.
Forcing the search engine companies to stay on the PR defensive for a while will do a better job of setting some sense of the public's standards than a collection of tech lobbyists and their lawyers deciding what's best for the search industry.
Posted by mhall at 5:12 PM | Add Comment
August 8, 2007
Botnets on the Brain
I've had botnets on my mind the past couple of days.
Charlie wrote a column about botnets for Enterprise Networking Planet that went live just today. His big issue is the quickness with which people argue ISPs are the obvious point of quarantine and remediation for infected computers:
An ISP sells a vehicle to the Internet. What a customer does while using these services is at the discretion of the customer. A few exceptions to the rule exist, such as a customer interrupting service for others. At times, an ISP will have to intervene, but for the most part an ISP should simply be a channel. Many frustrations people feel when using Internet services are a direct result of ISPs trying to protect themselves, and even their users. Blocked ports are the best example of a standard practice that results in high frustration levels for users.
More interesting stuff in the column. He points to a Microsoft policy I wasn't aware of, or at least not as it applies to this situation:
Microsoft will not allow ISPs to distribute Windows patches the way that universities can. If an ISP wants to allow access to only certain trusted Web sites from their quarantine, such as their own, and perhaps Windows Update, they're still stuck. Microsoft uses content providers to serve up Windows patches, and it's impossible to tell where a user will be downloading a patch from. Therefore, ISPs who wish to help their users are really stuck, all because Microsoft doesn't want to provide patches for pirated versions of Windows.
That doesn't seem like a sensible policy to me.
Because Charlie and I spent some time talking about that column, when it came time for me to do my weekly item for Practically Networked yesterday, I was primed.
Charlie's focus was on what ISPs should or shouldn't be doing, and on Microsoft's culpability when it comes to dealing with the botnet mess. On PracNet we're supposed to be thinking about the SOHO and enthusiast users, so my focus went to that level and the ways in which the tech press has bungled its overall approach to malware coverage.
By concentrating on virus outbreaks that involve deleted or ransomed files, or simple credit card scams, we're missing the bigger picture. Online threats are shifting from the mindlessly destructive "eat all your files" viruses of a decade or even five years ago to attacks that work better when the user has no idea that his PC is infected.
We, and by "we" I mean people in the press and plain old people who get this stuff, should be doing a better job explaining how the consequences of a compromised machine extend beyond losing a file or having to reinstall Windows.
Posted by mhall at 6:39 PM | Add Comment
August 7, 2007
What Did We Get With the Protect America Act?
Wired has some analysis on what we got with the Protect America Act:
Prior to the law's passage, the nation's spy agencies, such as the National Security Agency and the Defense Intelligence Agency, didn't need any court approval to spy on foreigners so long as the wiretaps were outside the United States.
Now, those agencies are free to order services like Skype, cell phone companies and arguably even search engines to comply with secret spy orders to create back doors in domestic communication networks for the nation's spooks. While it's unclear whether the wiretapping can be used for domestic purposes, the law only requires that the programs that give rise to such orders have a "significant purpose" of foreign intelligence gathering.
Read the whole article. Regarding yesterday's post on telecom compliance, there's this provision:
"Forces Communication Service providers to comply secretly ... Individuals or companies given such orders will be paid for their cooperation and can not be sued for complying."
Protection from lawsuits and they get to wet their beaks. Nice.
And The Onion's folks on the street remind us of the real setback:
"The privacy issues are troubling, but what really bothers me is that the government is going to be getting my phone sex for free."
Posted by mhall at 11:33 AM | Add Comment