
October 31, 2007

China's Great Firewall Is Doomed

Wired — The Great Firewall: China’s Misguided - and Futile - Attempt to Control What Happens Online:

“The Golden Shield - the latest addition to what is widely referred to as the Great Firewall of China - was supposed to monitor, filter, and block sensitive online content. But only a year after completion, it already looks doomed to fail. True, surveillance remains widespread, and outspoken dissidents are punished harshly. But my experience as a correspondent in China for seven years suggests that the country’s stranglehold on the communications of its citizens is slipping: Bloggers and other Web sources are rapidly supplanting Communist-controlled news outlets. Cyberprotests have managed to bring about an important constitutional change. And ordinary Chinese citizens can circumvent the Great Firewall and evade other forms of police observation with surprising ease. If they know how.

“Like its namesake, the Great Firewall consists of hundreds of individual fortifications spread out along a vulnerable frontier. At its core is a giant bank of computers and servers. Traffic generated by China’s 162 million Internet users is routed through the shield, which checks all requested URLs against a blacklist of tens of thousands of Internet addresses. The list includes pages offering political information deemed dangerous by the government, like BBC News and Voice of America. Access to these sites is blocked (at least in theory), and when users attempt to view one of them, they are punished with an involuntary time-out lasting anywhere from 30 seconds to 30 minutes. Search engines are similarly restricted. If you enter the characters for “democracy” or “Tiananmen Square massacre” into Google.cn you will generally get zero results. This is a technological breakthrough for the Chinese government. Until recently, it could not interfere with the inner workings of search engines and instead blocked entire sites, not just individual pages of a site.

“The Golden Shield hardware - supplied by Cisco and other US companies - is supplemented by human censors who are paid about $170 a month. They sit at screens in warehouse-like buildings run by the Public Security Bureau. These foot soldiers in China’s information war monitor domestic news sites, erasing and editing politically sensitive stories. Some sites provide the censors with access so the authorities can alter content directly. Others get an email or a call when changes are required. Similar methods are applied to blogs. Sensitive entries are erased, and in the most egregious cases blogs are shut down altogether.”

As always with these stories, I end up focusing on the part about American companies and their usual willingness to abet practices abroad that we’d find abhorrent here. I think we’re supposed to buy some line about how their involvement in that market “promotes engagement,” which is a marginally debatable point when we’re talking about search companies. It falls apart when the company in question is building and selling hardware designed to prohibit engagement.

Posted by mhall at 6:46 PM

Consumer Advocates Seek a "Do-Not-Track" List

Today’s New York Times reports on a number of consumer groups who are asking for an online analog to the Do-Not-Call list:

“While advertisers often say that consumers like receiving ads that are relevant to them rather than generic, privacy advocates say that most people do not realize the amount of personal information they are sharing with marketers.

“‘I think this is about consumer knowledge and choice,’ said Leslie Harris, president and chief executive of the Center for Democracy and Technology, in an interview.

“‘A consumer can choose to say, “I don’t care that they have all this information about me. These ads are valuable to me,” but a consumer should also be able to say, “I don’t want them to have all that information,”’ said Ms. Harris, whose organization is among the nine groups asking for the do-not-track list.

A do-not-track list would not reduce the number of ads people see on Web sites. Instead, people who signed up for the service would simply see ads that are not specialized for them, since advertisers would not be using the consumers’ recent history on the Web to surmise their interests.

The consumer groups also want the government to redefine what information is considered to be personally identifiable to include behavior online, in instances when Web searches can be traced to an individual person.

The groups are asking for quite a bit more than that, as well, including consumer access to collated tracking information and a disclosure system for online ads that use behavioral tracking.

With Google moving very quickly to seal the deal on dubious privacy policy frameworks, it’s good to see the consumer and privacy groups getting in there and participating in the conversation. Better yet, even if it seems like they’re asking for the moon, they’re putting online ad outfits in the position of explaining why they would or wouldn’t want to supply the sort of disclosure these groups are asking for.

You can read the entire proposal at the World Privacy Forum’s site. Hit the link to the “consensus document,” which is a PDF.

AOL’s already trying something in this area, too.

Reuters — AOL to let users block targeted Web ads:

“AOL’s program will point consumers to the right place to block such ads. Choosing to opt out sends a cookie to a user’s computer that blocks the ads from appearing. AOL’s system prevents the deletion of the opt-out cookie.

“The program will also send ‘millions’ of public service banner ads explaining the policy across the company’s own Web sites and on those in which it sells ads.

“‘Our goal with this program is to engender greater trust for targeted advertising by communicating with consumers in a more visible way, and by providing them more information about their choices,’ AOL Executive Vice President Curt Viebranz said in a statement.”

Steve Bellovin has some interesting notes on the problems an undertaking like this faces.

Posted by mhall at 6:34 PM

October 30, 2007

Some Places, Word Is More Deadly Than Metasploit

Worse Than Failure -- Security by Letterhead:

John O'Rourke wrote in to tell us that as a part of his job, he often has to help clients transfer domain names. He's had to jump through all kinds of crazy hoops to transfer domain names in the past; including just about everything except literally jumping through hoops. After faxing in a transfer request and receiving a rejection fax an hour later, he knew he was in for a fight.

John called the number on the rejection letter to sort things out.

John: Yes, I'm calling to find out why request number 48931258 to transfer somedomain.com was rejected.

ISP: Oh, it was rejected because the request wasn't submitted on company letterhead.

Comedy ensues.

Posted by mhall at 8:03 PM

October 29, 2007

ICANN Set to Destroy WHOIS to Save It?

The Associated Press — Whois May Be Scrapped to Break Deadlock:

“It will have a tough time winning approval — and could create chaos. But the fact that abandoning Whois is on the table before that committee underscores frustrations among privacy advocates that ICANN appears on the verge of launching new studies and deferring a decision yet again after some six years of debate.

“Ross Rader, a member of ICANN’s generic names council and the sunset proposal’s chief sponsor, said many negotiators are stalling because they prefer the status quo, which gives them the access to Whois that they desire.

An executive with domain registration company Tucows Inc., Rader said he is just trying to break the deadlock and doesn’t necessarily want the databases to disappear.

“‘What removing the status quo will do is force all of the actors to come together without the benefit of a status quo to fall back on and say, ‘We are now all screwed. What will we do?” Rader said. ‘It will lead to better good-faith negotiations.’”

Posted by mhall at 7:36 PM

Is Your Privacy on Facebook a Perk?

Valleywag — Facebook employees know what profiles you look at:

“‘My friend got a call from her friend at Facebook, asking why she kept looking at his profile,’ says a privacy-conscious source at a major tech company. Turns out Facebook employees can (and do) check out anyone’s profile. Not only that, but they also see which profiles a user has viewed — a major privacy violation. If you’ve been obsessed with a workmate or classmate, Facebook employees know. If Barack Obama’s intern has been using the campaign account to troll for hotties, Facebook employees know. Within the company, it’s considered a job perk, and employees check this data for fun.”

It might be fun to indulge in some sort of high dudgeon over this, but whom would I be kidding? How much privacy from employees themselves have you ever assumed on a system you were using? I’ve never assumed any. If there’s someone running a server I’ve got an account on, that person has total access — otherwise that person is not really “running” anything.

If I found out an admin was poking through my stuff or reading my mail, I’d demand an explanation beyond “cuz I want to and I can,” and if I didn’t like what I heard I’d complain bitterly, then get my stuff off that server immediately. But that’s probably because when I’ve been in the position to poke around I simply haven’t: that would be creepy.

An anonymous Facebook employee and another anonymous ex-Facebook employee have both written in to dampen some of Valleywag’s initial upset, the current employee writing:

“Most FB employees have the same access to your profiles as everyone else and cannot see anything more than that. Only the select few have full access including those on the security staff and the higher ups.”

Which leaves me wondering whether the employee who triggered the anecdote Valleywag shared is a particularly stupid nerd who thinks it’s cool to play the role of “omniscient dude” with acquaintances, or a sign of bigger cultural problems within the company vis-à-vis its professionalism where user privacy is concerned.

And it’s too bad everyone involved in this story is anonymous. Facebook doesn’t get the opportunity to collect that employee’s scalp brutally and publicly.

Posted by mhall at 7:00 PM

October 26, 2007

Library Randomization & Other Leopard Security Enhancements

TidBITS Safe Computing: How Leopard Will Improve Your Security:

"The most significant security update in Leopard is one that you'll never notice, but that will cause the bad guys no end of frustration. It's an anti-exploitation technology Apple calls Library Randomization (also known generically as Memory Randomization and as Address Space Layout Randomization in Windows Vista). To understand Library Randomization we need to talk about vulnerabilities, exploits, and buffer overflows.

"Buffer overflows are the class of vulnerability that is responsible for most of the successful attacks on computers today. Most malicious programs (worms and viruses) rely on buffer overflows to take control of your system. In security, we define a vulnerability as a flaw or defect that could allow someone to violate confidentiality, integrity, or availability. Think of it as a weak lock or a broken window the bad guy can use to get in. Buffer overflows are a vulnerability where an attacker enters more data into an input than expected; if the programmer who wrote the software forgot to limit that input field, the data can flow past the expected limit and overwrite other parts of memory. Since memory on most of our computers is just a big stack of commands mixed with data, if you know exactly how much extra data to put in, you can trick the computer into running an arbitrary command by overwriting a spot where it expects a legitimate instruction with your new instruction."

Also on the list:

  • download tagging (so you can tell an app came from the 'net)
  • application signing (so you can tell an app hasn't been tampered with)
  • sandboxing: limits the reach of certain applications to keep them from being leveraged for privilege escalation attacks

And several other "oh, also" sorts of things, including SMB packet signing, firewall enhancements, keychain improvements and VPN improvements.

There's also a bit more on input managers and whether they'll be permitted or not. Reports vary. Personally, I count on Pith Helmet and would hate to lose it. It also points to a link worth singling out: "Are Input Managers the Work of the Devil?"

Anyhow, Ed is twittering from his local Apple store, where he's standing in line to get his copy of Leopard. Mine's on pre-order from Amazon and I'm hoping to see it Monday or Tuesday. I have a lot of backups to do before then.

Posted by mhall at 5:25 PM

White House Relents on Warrantless Surveillance Documents ... A Little

Congressional Quarterly: Senators Get to See NSA Documents in an Attempt to Break FISA Logjam:

"The White House has offered leaders of the Senate Judiciary Committee access to legal documents related to the National Security Agency's warrantless surveillance program, senators said Thursday.

"But Judiciary Chairman Patrick J. Leahy, D-Vt., said that although the White House had offered the files to both him and the panel's ranking Republican, Arlen Specter of Pennsylvania, he is pushing for the entire committee to have access to the documents."

Posted by mhall at 4:41 PM

October 25, 2007

Storm: p2p and Constantly Mutating

The 'Storm' That Keeps Blowing:

"Part of what makes the Storm worm so hard to eradicate is the fact that it constantly mutates, around every 30 minutes or so. This makes signature-based detection that antivirus software products use fairly useless because it pulls down new code much faster than antivirus vendors can push out signatures to detect it.

"Also, Storm doesn't use the hub-and-spoke method of command and control like most worms. Taking out a few command and control servers is a simple way to take down a standard botnet, but Storm is immune to this tactic.

"Instead, it's a peer-to-peer method of taking a payload and instructions and passing it on to other computers it knows to be infected. They communicate using a modified peer-to-peer file sharing network protocol from eDonkey, the communication between peers is encrypted, and they change the encryption keys constantly, too."

Posted by mhall at 3:46 PM

Device Driver Updates Deactivate Vista

APC -- WARNING: device driver updates causing Vista to deactivate:

"After weeks of gruelling troubleshooting, I've finally had it confirmed by Microsoft Australia and USA -- something as small as swapping the video card or updating a device driver can trigger a total Vista deactivation.

"Put simply, your copy of Windows will stop working with very little notice (three days) and your PC will go into 'reduced functionality' mode, where you can't do anything but use the web browser for half an hour.

"You'll then need to reapply to Microsoft to get a new activation code."

Back in August my Networking Notes column dealt with what happens when a Vista install deactivates itself:

"'The experience of a system that failed validation in this instance was that some features intended for use only on genuine systems were temporarily unavailable. Those features were Windows Aero, ReadyBoost, Windows Defender (which still scanned and identified all threats, but cleaned only the severe ones), and Windows Update (only optional updates were unavailable; security and other critical updates remained available).'

"In other words, Vista took away the eye candy (which is a striking comment on what really matters about Vista, especially when it tops the list), slowed itself down, then refused to remove some kinds of malware and wouldn't let invalidated systems get security patches, though, apparently, Internet Explorer 7 downloads were just fine."

To distill it even further: Your security, optional. Microsoft's ongoing attempt to dominate the browser market: essential. The Internet at large? Whatever.

Here's how I wrapped up in August:

"While I empathize with Microsoft's apparent frustration over widespread copyright infringement — as a writer, I would not like people to assume control over the distribution of my work without my say-so — the company has annual revenues that exceed the GDPs of several oil-producing countries. In other words, it's making money. Plenty of it. But in its obsessive quest to protect its intellectual property, it's ignoring the reason we have intellectual property: To promote a collective good.

"If unpatched Windows machines are anything, they are a menace to the collective good. When compromised they become the tools of criminal enterprises. The annual cost of identity theft alone, elements of which involve a large role for compromised Windows systems, exceeds Microsoft's annual revenue.

"We would be better off, collectively, if an invalidated copy of Vista stopped working at all rather than the current situation, where it continues to work but slowly accretes an increasingly poor security profile the longer it remains unpatched. Impeding automatic security updates is the last thing Microsoft should be doing.

"Should Microsoft simply give up on its attempts to stop illegal copying of its software? No. But it does need to adopt an anti-piracy policy that acknowledges its copyrights are as much, maybe more, for the common good as they are its own enrichment.

"Smart people work there, they should get to work on a better approach to their problem."

I don't think the sentiment warrants any qualification now, except to point out that the APC link gets a detail I didn't even think about at the time:

"'Additionally, it [Windows activation] has been completely bypassed by pirates, so the one group it's aimed at is sailing blissfully past in a wonderful world where activation doesn't exist.'"

Posted by mhall at 1:37 PM

October 24, 2007

Security Company Announces Four Vonage Vulnerabilities

Sipera says it has found a number of vulnerabilities in pieces of Vonage’s VoIP implementation:

“Sipera VIPER Lab determined the Vonage VoIP Motorola Phone Adapter (VT 2142-VD) and Vonage service implementations leave users vulnerable to a form of VoIP identity theft, allowing hackers to take over a user’s phone service with a ‘registration replay attack,’ then make and receive calls while impersonating the victim. Incomplete security practices, such as not encrypting traffic, open Vonage users to eavesdropping on private voice and video communications. Hackers can also send multiple SIP INVITE messages to a user, an Internet version of ‘ringing the phone off the hook’ which creates a DoS attack. Leveraging these vulnerabilities, remote attackers can also send malicious messages directly to Vonage users, subjecting them to spam, social engineering and VoIP scams.”

  • Vonage VoIP phone adapter vulnerable to server impersonation
  • Vonage SIP servers vulnerable to registration replay attack
  • Vonage voice conversation may be vulnerable to eavesdropping
  • Vonage VoIP phone adapter vulnerable to flood Denial of Service attack

(via Reuters, which says Vonage has no comment.)

Posted by mhall at 6:50 PM

INTEROP: NAC Frustration is Mounting

Dark Reading — Is NAC Dying?:

“‘NAC is still a part of enterprises’ strategies, it’s still important,’ says Josh Corman, host protection architect for IBM’s Internet Security Systems unit. ‘But there are some issues with it that are hard to get around.’

“Those issues, in a nutshell, are cost, complexity, and vulnerabilities, experts say. While enterprises are intrigued by the notion of vetting users and devices before allowing them onto the network, they are still struggling with a wide array of products and functionality, time-consuming implementations — and researchers who keep finding ways to beat NAC defenses.

“TheInfoPro (TIP), an independent research organization based here, tomorrow will release a new study, which reports that the number of enterprises using NAC has actually declined over the past 18 months, from 35 percent in early 2006 to 26 percent today. During this same period, the number of organizations that do not plan to implement NAC has risen from 21 percent to 24 percent, the research organization says.”

Posted by mhall at 6:42 PM

INTEROP: Is the Storm Worm Intimidating Security Researchers?

Storm worm strikes back at security pros:

“The Storm worm is fighting back against security researchers that seek to destroy it and has them running scared, Interop New York show attendees heard Tuesday.

“The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says Josh Korman, host-protection architect for IBM/ISS, who led a session on network threats.

“‘As you try to investigate [Storm], it knows, and it punishes,’ he says. ‘It fights back.’

“As a result, researchers who have managed to glean facts about the worm are reluctant to publish their findings. ‘They’re afraid. I’ve never seen this before,’ Korman says. ‘They find these things but never say anything about them.’

“And not without good reason, he says. Some who have managed to reverse engineer Storm in an effort to figure out how to thwart it have suffered DDoS attacks that have knocked them off the Internet for days, he says.”

Posted by mhall at 6:40 PM

Updated: Obama & Clinton Come Down Against Telecom Immunity

Barack Obama and Hillary Clinton have both issued statements regarding telecom immunity. Talking Points Memo has bits on each:

MoveOn and a dozen top liberal bloggers were preparing to wage an aggressive campaign today to pressure Obama and Hillary to say that they’ll support Chris Dodd’s vow to filibuster any Senate FISA bill containing telecom immunity. And late yesterday both Obama and Hillary put out statements saying that they’d back Dodd’s threatened filibuster of the current legislation that’s just come out of the Senate intel committee.

Obama Camp Says It: He’ll Support Filibuster Of Any Bill Containing Telecom Immunity:

To be clear: Barack will support a filibuster of any bill that includes retroactive immunity for telecommunications companies.

Hillary Says She Would Support Filibuster Of Intel Committee’s Telecom Immunity Bill:

Q: Can you discuss your position on the reauthorization of the FISA bill?

HRC: I am troubled by the concerns that have been raised by the recent legislation reported out of the Intelligence Committee. I haven’t seen it so I can’t express an opinion about it. But I don’t trust the Bush Administration with our civil rights and liberties. So I’m going to study it very hard. As matters stand now, I could not support it and I would support a filibuster absent additional information coming forward that would convince me differently.

Update: So has Bill Richardson. Glenn Greenwald is, as usual, excellent.

Posted by mhall at 6:12 PM

October 23, 2007

Bill Would Sanction 'Net Companies Who Consort With Dictators

CNET: Politicos OK limits for U.S. firms in Net-censoring countries:

“Sponsored by Rep. Chris Smith (R-N.J.), it’s a broad effort to hold American firms accountable for their practices in countries deemed by the U.S. government to be ‘Internet-restricting’—that is, locales where it’s determined that the government is ‘directly or indirectly responsible for a systematic pattern of substantial restrictions on Internet freedom.’

“‘Dictatorships need two pillars to survive—propaganda and secret police,’ Smith said in a statement. ‘The Internet—if misused—gives them both in spades.’

“U.S. firms would face a host of new restrictions and obligations under the bill. For instance, they wouldn’t be allowed to store any e-mails or other electronic communications containing ‘personally identifiable information’ about their users on servers in any of the designated countries. And they’d be obligated to give the State Department a detailed breakdown of how their products’ search results have been filtered and all URLs that have been removed or blocked at the request of foreign governments known to be restrictive.

“If approached by local authorities with requests for users’ personal information, American companies wouldn’t be allowed to turn it over except for ‘legitimate law enforcement purposes,’ as determined by the U.S. Department of Justice. That provision, which enjoys support from human rights groups like Reporters Without Borders, appears to be a response to allegations that Yahoo divulged information to Chinese authorities about pro-democratic online writings by a couple of its citizens, leading to their convictions and imprisonment.

“Failure to comply with any of those rules could result in fines of up to $2 million.”

All of which raises an interesting question: Will Yahoo! sue the government because it has a First Amendment right to hoard information that helps make political torture more likely?

Rebecca MacKinnon doesn’t think much of the bill:

"I think many of the people who support it certainly have honorable intentions. I know and respect many of them, despite having had some pretty heated arguments with some members of the human rights groups who say they support it for strategic reasons. But from where I sit in Hong Kong, this proposed legislation comes off as something that my Chinese friends who hate censorship and surveillance would find arrogant, patronizing, and interventionist, with the likely result that it would kill U.S. tech companies’ ability to do business in China in the first place - a result which by the way they don’t think would enhance their freedom."

Posted by mhall at 5:22 PM

October 22, 2007

IM Figures in "Greynets" Report

FaceTime just released its third annual "Greynets" report.

I put "greynets" in quotes because it's a bit of a neologism and I'm not sure it's in wide use outside of FaceTime reports and articles that cover them. However common the term, the thrust of the report is predictable coming from a security company: Employees like to run software like instant messaging and other non-approved stuff, and there's a security risk inherent in their activity.

Meanwhile, Chris Soghoian chats up OTR, which allows users to encrypt IM traffic:

While the popular Trillian multinetwork client does offer encryption, its design is flawed, and is subject to a number of attacks. The tool of choice for privacy-conscious geeks everywhere is a protocol known as Off The Record (OTR). This scheme, designed by a team of security researchers including professors Ian Goldberg and Nikita Borisov, provides a number of really cool features. The benefits of OTR include:

  • Encryption: No one else can read your instant messages.
  • Authentication: You are assured the correspondent is who you think it is.
  • Deniability: The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
  • Perfect forward secrecy: If you lose control of your private keys (such as if your computer is hacked, for example), no previous conversation is compromised.

I don't know which would drive a security-conscious company batty more quickly: All those "greynet" apps or tools that make their traffic impenetrable to hard-working corporate network snoops. Maybe some snoops can comment.
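Here is an added toy protocol, written for this page rather than taken from Soghoian's post or the OTR project, that shows the four properties in the list above end to end. It is not OTR's real wire format or algorithm set: it assumes the two initial DH public keys are exchanged authentically (OTR does that with DSA signatures in its authenticated key exchange), uses an RFC 3526 group 14 modulus transcribed here, and substitutes SHA-256 in counter mode for AES-CTR because the Python standard library has no AES. The `Session`, `pair`, `forge`, `tag_valid` and `demo` names are mine.

```python
"""Added toy protocol (not OTR's real format): the four OTR properties in one ratchet.
Encryption      -> per-message key from a DH share, counter-mode keystream.
Authentication  -> HMAC keyed from the same share, checked by the receiver.
Deniability     -> used MAC keys are revealed in the next message, so anyone can
                   forge past tags and a transcript proves nothing to a third party.
Forward secrecy -> each message carries a fresh DH key; old exponents and keys are
                   dropped, so a later compromise cannot unlock old traffic.
Assumed: initial public keys are authenticated out of band (OTR: DSA in its AKE);
SHA-256 in counter mode stands in for AES-CTR (no AES in the standard library).
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP) modulus, transcribed here; any safe prime would do.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G, PUB_LEN, NONCE_LEN = 2, 256, 16     # generator, serialized public value, nonce size


def dh_keypair():
    priv = secrets.randbits(256)        # 256-bit exponent is ample for a 2048-bit group
    return priv, pow(G, priv, P)


def derive_keys(shared):
    """Split one DH share into independent encryption and MAC keys."""
    s = shared.to_bytes(PUB_LEN, "big")
    return hashlib.sha256(b"enc|" + s).digest(), hashlib.sha256(b"mac|" + s).digest()


def keystream_xor(key, nonce, data):
    """Counter-mode keystream (SHA-256 blocks) XORed over data; the same call decrypts."""
    blocks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, blocks))


def tag(mac_key, body):
    return hmac.new(mac_key, body, hashlib.sha256).digest()


def tag_valid(mac_key, msg):
    return hmac.compare_digest(msg["tag"], tag(mac_key, msg["body"]))


class Session:
    """One endpoint; keeps only current ratchet state plus MAC keys awaiting reveal."""

    def __init__(self):
        self.priv, self.pub = dh_keypair()
        self.peer_pub = None            # set by pair(): assumed authenticated out of band
        self.to_reveal = []             # MAC keys of messages already sent
        self.last_mac_key = None        # MAC key that verified the last received message

    def send(self, plaintext):
        self.priv, self.pub = dh_keypair()          # fresh key: the old exponent is gone
        enc_key, mac_key = derive_keys(pow(self.peer_pub, self.priv, P))
        nonce = secrets.token_bytes(NONCE_LEN)
        body = (self.pub.to_bytes(PUB_LEN, "big") + nonce
                + keystream_xor(enc_key, nonce, plaintext))
        msg = {"body": body, "tag": tag(mac_key, body), "revealed": self.to_reveal}
        self.to_reveal = [mac_key]                  # published with the *next* message
        return msg

    def receive(self, msg):
        body = msg["body"]
        sender_pub = int.from_bytes(body[:PUB_LEN], "big")
        enc_key, mac_key = derive_keys(pow(sender_pub, self.priv, P))
        if not tag_valid(mac_key, msg):             # authentication, checked before use
            raise ValueError("MAC check failed")
        self.peer_pub, self.last_mac_key = sender_pub, mac_key
        nonce, ct = body[PUB_LEN:PUB_LEN + NONCE_LEN], body[PUB_LEN + NONCE_LEN:]
        return keystream_xor(enc_key, nonce, ct)


def pair():
    a, b = Session(), Session()
    a.peer_pub, b.peer_pub = b.pub, a.pub       # the out-of-band, assumed-authentic step
    return a, b


def forge(revealed_mac_key, body):
    """What any third party can do once a MAC key is public: mint a valid tag."""
    return {"body": body, "tag": tag(revealed_mac_key, body), "revealed": []}


def demo():
    alice, bob = pair()
    first = b"meet at the usual place"
    m1 = alice.send(first)
    bob.receive(m1)
    key_bob_trusted_for_m1 = bob.last_mac_key
    m2 = alice.send(b"bring the documents")
    bob.receive(m2)
    # Deniability: the key that authenticated m1 to Bob now rides in m2 for all to see.
    fake = forge(m2["revealed"][0], b"forged: never said this")
    # Forward secrecy: Alice's *current* exponent reproduces m2's key, not m1's.
    leaked_enc_key, _ = derive_keys(pow(bob.pub, alice.priv, P))
    nonce, ct = m1["body"][PUB_LEN:PUB_LEN + NONCE_LEN], m1["body"][PUB_LEN + NONCE_LEN:]
    return {"deniable": m2["revealed"] == [key_bob_trusted_for_m1],
            "forgery_verifies": tag_valid(key_bob_trusted_for_m1, fake),
            "old_traffic_recovered": keystream_xor(leaked_enc_key, nonce, ct) == first}
```

`demo()` returns three flags: `deniable` is True because the MAC key Bob relied on for the first message is published in the second; `forgery_verifies` is True because anyone holding that published key can mint a tag that checks out exactly as the genuine one did; `old_traffic_recovered` is False because Alice's current exponent no longer yields the first message's key. One caveat to keep in mind: a receiver's DH key only rotates when it sends, so until Bob replies, his current exponent combined with Alice's old public value would still reconstruct the first key. OTR has the same property, which is why both sides keep ratcheting as the conversation goes on.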

Posted by mhall at 8:13 PM

October 19, 2007

Firefox for Good and Evil

Two interesting roundups of Firefox add-ons:

First is “Five must-have security/privacy extensions for Firefox.” I use a couple of these myself, and intend to look in on some of the others.

Second is the less benignly titled “How to Turn Your Browser Into a Weapon,” which offers a number of add-ons one might consider for penetration testing (or plain old penetrating).

Posted by mhall at 12:32 PM

October 18, 2007

Your Privacy: Opt Out of Just About Anything

The World Privacy Forum has a handy list of privacy-enhancing opt-outs.

  1. National Do Not Call Registry
  2. Prescreened offers of credit and insurance
  3. DMA opt outs
  4. Financial institution opt outs
  5. CAN SPAM
  6. Credit freeze
  7. FERPA
  8. Data broker opt outs
  9. Internet portal opt outs
  10. NAI opt out

I’ve done a few of these. The rest are on my to-do list now.

One word of caution, though. The entry on CAN SPAM mentions how to tell if someone who sends you e-mail is legitimately in compliance with CAN SPAM, then says:

“If all three elements are present in the email, then there is at least a chance that the opt out is offered in good faith. You have to use your own judgment about each email.”

I don’t think that I’d bother even then. None of the criteria listed changes the basic reason it’s a bad idea to follow opt-out links: you’re just validating an e-mail address for the spammer.

Posted by mhall at 7:23 PM

October 17, 2007

Lawyers Love Social Networking Sites

Law.com - MySpace Is a Treasure Chest for Cases:

“‘It’s an everyday occasion,’ said Joan Malbrough, a partner at the three-attorney firm, which handles family law, personal injury and corporate law matters. ‘Every new client we do a MySpace and Facebook search on to see if they or their spouse have any useful information.’

“In one case, Malbrough said she helped secure shared custody for the father after finding his wife had posted sexually explicit comments on her boyfriend’s MySpace page. In another case, a husband’s credibility was questioned because, on his MySpace page, he said he was single and looking.

“Lawyers in civil and criminal cases are increasingly finding that social networking sites can contain treasure chests of information for their cases. Armed with printouts from sites such as Facebook and MySpace, attorneys have used pictures, comments and connections from these sites as powerful evidence in the courtroom.”

Posted by mhall at 7:31 PM

Security and Privacy Links (10/17/07): Did Yahoo! Lie to Congress? Will the GOP Derail FISA Reform?

  • Yahoo summoned to Washington over Chinese arrests — "Chairman Tom Lantos has asked Yang and Yahoo General Counsel Michael Callahan to appear at a hearing on November 6. 'Our committee has established that Yahoo provided false information to Congress in early 2006,' Lantos said in the statement."
  • House GOPers Make Bid To Derail FISA Legislation — "Today the House of Representatives is scheduled to vote on its FISA legislation. Members have been speaking on the floor throughout the day, and the vote was supposed to happen around now."
  • Facebook settles New York child safety probe — "Under the terms of the settlement, Facebook has agreed to begin addressing any complaint within 24 hours of being told of inappropriate content -- involving such things as nudity, profanity or harassment -- by a user or e-mail correspondent."
  • Crackdowns On Bloggers Increasing, Survey Finds — "Government repression in some countries has shifted from journalists to bloggers, with the vitality of the Internet triggering a more focused crackdown as blogs increasingly take the place of mainstream news media, according to Lucie Morillon, Washington director of the advocacy group Reporters Without Borders."
  • Wiretapping Lies Continue, This Time in the NY Post — "Does the law really require probable cause to listen in to an Al Qaeda operative's cell phone?"

Posted by mhall at 7:26 PM

October 16, 2007

Verizon Says It Handed Over Customer Data Hundreds of Times

Spencer Ackerman writes:

“Just in time for this week’s Senate intelligence committee’s fight over telecom immunity: Verizon disclosed to three Democratic lawmakers that it turned over subscriber information, such as IP addresses or phone records, to the FBI in emergency situations more than 720 times. In making such warrant-free demands of Verizon — and surely other telecommunications companies — the FBI wanted not just information on whom the target of its investigation contacted, but also the people whom the contacts contacted.

“That’s called ‘community of interest’ information. Last month, The New York Times reported that the FBI has suspended seeking such data pending an inspector general’s investigation into the use of national security letters. Verizon did not comply with the community-of-interest request, but only because it doesn’t store such information. Presumably other telecom providers — who did not respond to Congressional requests for details about their compliance with the FBI — do. (Verizon would only discuss what it disclosed to the FBI, not anything having to do with warrantless NSA surveillance. And the relationship between those agencies’ surveillance programs is still a big unknown.) Quick, has anyone you know emailed anyone who’s called Pakistan lately?”

I’m beginning to think we can add “national security” to that list that ends with sausage and politics. I don’t want to know what’s going on, but if we don’t collectively look we’ll be a lot more unhappy with the results.


Posted by mhall at 10:47 PM

October 15, 2007

AT&T: Just Following Orders

Wired—Telcos Respond to Spying Questions; AT&T Says Blame the Government:

[I]t’s unfair to hold carriers responsible for decisions and judgments made by government officials, and inimical to the public interest to discourage companies from providing prompt cooperation to law enforcement and intelligence agencies that require assistance.

It’s inimical to the public interest for companies to go along with illegal requests. As is becoming clearer, though, a nascent law-n-order streak was hardly the motivator, as Glenn Greenwald notes:

There is no governmental oversight or regulation of these companies. Quite the contrary, they work in secret and in tandem — as one consortium — with no oversight at all.

And contrary to the indescribably moronic claim by Fred Hiatt yesterday that telecoms were acting as “patriotic corporate citizens” when they turned over to the Bush administration full access to their customers’ calls and other data, the Nacchio documents leave no doubt that these telecoms were viciously competing with one another for the right to cooperate with the Federal Government — long before 9/11 — because they were hungry for the multi-billion dollar contracts for this work.

There is obviously nothing inherently wrong with corporations competing for lucrative government contracts. But the work they were to perform here — in providing unfettered data and other information regarding the communications of Americans — was illegal under multiple federal laws enacted precisely to prohibit telecoms from providing access without warrants to the data and content of their customers’ calls.


Posted by mhall at 7:58 PM