
December 31, 2007

Blogger Used to Push Fake Codecs

Sunbelt Blog: Fake codecs on Blogger:

"Fake codec trojans (so-called 'required' components to watch a video, but in fact are malicious trojans) are a plague on the Internet. We've written about them extensively.

"Often, they are seen in porn sites. However, by doing a few simple searches today, we can see that they're available to those simply doing American football pools, checking bank hours or searching for New Year's eve clipart. All of these are taking advantage of the free Blogger service."

You may remember this sort of attack from last month's "OMG First Mac-targeting Malwarez!!11!!" hullabaloo (about which Sunbelt also had something to say).

Posted by mhall at 2:39 PM

December 28, 2007

Mobile Privacy: Nobody Has Any, Nobody Cares

Interesting overview from internetnews about location-based mobile service and how the courts balance it against individual privacy:

"Last month, the Washington Post reported that law enforcement officials routinely get court orders requiring mobile network operators to help track suspects. They used to do this by regularly pinging suspects' cell phones; the job has been made even easier with the arrival of GPS in phones.

"While this practice could save a life -- for example, helping to locate a kidnapping victim -- some judges don't require law enforcement to show probable cause that a crime is being committed.

"According to the Post, one judge reasoned that since a suspect was voluntarily carrying a tracking device, no warrant was necessary.

"In August, a New York City employee was fired from his job after the GPS on his city-provided phone showed that he'd been at home before his shift ended on 83 occasions, according to the New York Post.

"The judge in that case, according to the report, said an employer 'is not expected to notify its employees of all the methods it may possibly use to uncover their misconduct.'"

To judge from those two cases, the mood in the courts is dismissive of any notion that our social behavior and expectations haven't had a reasonable amount of time to catch up to the technology we're all using.

In a former job I was told to turn on monitoring software for users and turn off anything that would indicate to them that they were being monitored. I didn't tell the users, but a lot of them noticed my pointed interest in hypothetical employer surveillance scenarios while we were hanging around at the watercooler.

My reasoning at the time for being less than discreet about the quiet introduction of workplace surveillance was that there was no formal code of conduct for the management at that job when it came to using surveillance, and I had reason to believe the monitoring would be used for petty snooping instead of legitimate management concerns. The request to turn on the surveillance software came as the result of no particular concern, and was made because I was stupid enough to mention the capability in passing.

As one of the few hired nerds working in that building, I was pretty inured to the idea that my boss could probably get a pretty good sense of all the activity on my computer; so that incident reminded me that most people don't have that expectation. A lot of people don't understand the technology, they don't understand the capabilities their employers have, and they don't, accordingly, modulate their behavior to reflect how likely it is they're being spied on.

So if you're introducing boss-approved spyware into the environment and disciplining employees for their behavior without giving them a chance to respond to your spying, you're essentially pursuing a moralistic policy, catching "bad" people for the sake of punishment instead of offering maybe bad (but probably just indiscreet or ignorant) people a chance to clean up their act. Considering how reactionary and poorly written a lot of AUPs are, that seems like a bad basis to work from.

Posted by mhall at 1:28 PM

Google Retooling How Sharing Works

Well, I thought it'd take 'em until next week, but the Google Reader team is already addressing issues with the unfortunate decision to make RSS items users marked as "shared," er ... shared for reals:

Official Google Reader Blog: Managing your shared items:

"If you've already shared some items, you can click 'Manage friends' in the upper-left box and then 'move or clear your shared items'; from there you can select a tag to which you can transfer your list of shared items, or you can clear the list completely and start sharing anew. If you haven't logged into Reader in a while you'll be greeted by a pop-up window titled 'Share with Friends', and you'll have the option to move or clear your shared items from there - your items will not be shared with your friends until you've clicked 'Continue' from this window."

That same blog entry says Reader's developers are "looking at ways to make sharing more granular and flexible."

Posted by mhall at 1:28 AM

December 27, 2007

Flush Out Rogue WAPs and Weak Passwords with Aircrack-ng and Linux

Paul Rubens is plowing ahead with his series on building a portable network security tool with the eeePC and Ubuntu Linux. This week he hits Aircrack-ng and shows how to use it to ferret out rogue APs, weak WAP passwords and more:

"Rogue access points and weak passwords are the bane of any network administrator's life: all it takes is one user setting up a consumer-grade wireless router somewhere in the cubefarm so he or she can use a PDA or whatever, and you've got yourself a potentially serious security risk. It’s quite possible that the wireless signal is leaking out into the street, and anyone passing by could get access to your network – even if they are using WEP, WPA or WPA2 encryption.

"But it’s not just rogue APs that are a worry. If you're not using WPA-Enterprise or WPA-Enterprise (both of which use a RADIUS server) in your organization, then any wireless networks you are running using WEP, WPA or WPA2 are also at risk.

"That's where Aircrack-ng can be useful. This open source suite of applications can help you locate all the access points in your offices, check that the networks are protected by encryption, and test the strength of the keys or passphrases that are in use. If any network uses WEP encryption, it will usually find the relevant WEP key in under a couple of minutes, demonstrating that WEP is totally ineffective."

Posted by mhall at 5:10 PM

December 26, 2007

Google Reader Shares Stuff Its Users Shared, Outrage Ensues

A journal entry on Slashdot details how Google Reader's newish 'share' feature actually shares stuff:

"It all started on Friday, December 14. Towards the end of the day Google announced a new feature of their feed reader product: They were going to show all your 'shared' items to all your Gmail contacts, starting now. No need to opt-in, no way to opt-out. If you didn't react fast all the info you previously shared with your chosen parties could be viewable by everyone you had exchanged e-mails (using Gmail data)."

I remember noticing that my Google Reader account had a new bit of flair:

[image: reader_friends.png]

... and I clicked the "Manage friends" link right away to see who, exactly, my "friends" were. The only person I saw listed was my wife, for reasons I'm still not clear on, but it seems that my actual "friends" in the Googleverse are everybody in my address book, including people there solely because I received mail from them or I've chatted with them over Google Talk.

The personal impact of this whole thing was blunted a little by the fact that I'd been using shared items in Reader to act as a linklog in the sidebar of my personal blog. I'd "shared" nothing I didn't mean to be seen in public. Others, evidently, were "sharing" stuff because the URL Google gave the shared items feed was obfuscated enough to protect their privacy.

Several thoughts spring immediately to mind:

  1. I didn't think much of the obfuscated URL as a security measure. Having no idea how it was generated, I had no idea whether it could be easily divined. That wouldn't have been enough security for me if I'd gone into use of shared items expecting them to be genuinely private.

  2. The "shared" nomenclature should have been enough of a warning, anyhow.

  3. People are still right to be peeved, because Google of all companies should have a sense that its users don't always pay attention to the nomenclature of an option or feature ... they look at what it does. So changing the behavior of the feature without much notice or an easy way to re-catalog large bodies of shared stuff was crummy.

  4. Self-hosted is best with anything like this exactly because of cases like this. There are plenty of ways to share links with a select group of people vs. everybody in the whole wide world that don't depend on the whims of a third party.

  5. I wish Google would drop any ambitions it has to use social networking as the axis upon which its services rotate. I don't want it to use my address book to figure out who my "friends" are, I don't want it to create public profile pages, and I don't want it to create the same sort of creepy, cloying "everyone's up in my business" sociability of Facebook or similar. That's what Facebook is there for, and I cleansed my account there of any meaningful information because I personally don't even want Facebook to handle social networking for me.

Google's clean, spare aesthetic rubbed off on me at some point. I like using its services because they don't imply any larger framework I'll have to contend with. It's enough for me that the information I entrust to Google is related and combined for my personal consumption, not anybody else's.

Hopefully the company's off its responsiveness game because of the holidays, and we'll see a more useful response than what's been forthcoming so far once everybody's back to business next week.

Posted by mhall at 3:39 PM

December 21, 2007

More on Google/Doubleclick

internetnews.com -- With Google/DoubleClick Approved, is Privacy Dead?:

"So, short of legislation or a legal challenge to the FTC approval of the merger, there's likely only one way to avoid Google knowing even more about you: by turning off cookies on your browser and searching the Web through a proxy to hide your IP address. But what's not to like about giving information to a company whose slogan is 'Don't be evil?'"

That's just the punchline. The rest of the column is a good-if-broad overview of the privacy issues raised by yesterday's FTC approval of Google's DoubleClick acquisition. Nutshell: Both companies were already tracking a lot, combined they're going to track even more, and when the FTC says none of the privacy issues raised by this particular acquisition are unique to the industry, one has to assume Google and the rest of the advertising industry are going to get their fondest wish: deference to "self regulation," regardless of what that means to our collective privacy.

Posted by mhall at 6:44 PM

December 20, 2007

FTC Approves Google/DoubleClick Merger

internetnews.com -- FTC Approves Google/DoubleClick Merger:

"The approving commissioners also stated that the privacy issues raised by merging the two companies' immense repositories of consumer data are 'not unique to Google and DoubleClick'; moreover, they determined that questions not directly related to antitrust issues are beyond the legal scope of an FTC merger review.

"Still, consumer privacy remains a serious concern in the development of online advertising, the commissioners said. As a companion piece to the majority statement, today they also proposed a set of principles for privacy and behavioral marketing.

"Pamela Jones Harbour, the lone dissenting commissioner, wrote in her statement that an unconditional approval of the merger would fail to adequately address both the anticompetitive and privacy concerns."

Posted by mhall at 6:53 PM

About That Google Ad Trojan ...

I first caught yesterday's story about the Google ad trojan from the Reuters writeup, but was left so thoroughly confused by the eight skimpy grafs of coverage that I went straight to the original press release from BitDefender.

The trojan in question uses the not-unheard-of technique of modifying the victim's hosts file to point requests for "page2.googlesyndication.com" to a different address belonging to a malicious server. In fact, if we think back to last month's omg Apple malwarez!1!! drama, it's the same sort of attack.

The point of the trojan, though, isn't that it's doing anything to Google servers at all. It's redirecting requests for name lookups on Google servers to malicious servers. And that's what made Reuters' coverage so confusing:

"Google said on Wednesday: 'We have cancelled customer accounts that display ads redirecting users to malicious sites or that advertise a product violating our software principles.'

'We actively work to detect and remove sites that serve malware in both our ad network and in our search results. We have manual and automated processes in place to detect and enforce these policies.'"

It sounds like the Reuters reporter called up Google, expressed the same muddled conceptual issues that spawned the nugget "the trojan, named after the mythic Trojan Horse because of its ability to enter computer systems undetected ..." and got some boilerplate about malicious AdSense buys, which are a different matter altogether.

And now the headline is mutating into confusing things like "Trojan virus takes down Google's AdSense program," and "Google Ads hacked by Trojan software." There's even "Trojan Found in Google Text Ads."

I guess this is part of the price Google pays for its popularity. The idea that Google itself is somehow a menace is too good a hook to resist.

Posted by mhall at 1:06 PM

December 19, 2007

Trojan Targets Google Ads via Hosts File

Ad-hijacking Trojan Cuts into Google Revenues:

"BitDefender antivirus analysts detected a new trojan, which hijacks Google text advertisements, replacing them with ads from a different provider. The threat, which is identified by BitDefender as Trojan.Qhost.WU, modifies the infected computers' Hosts file (a local storage for domain name / IP address mappings, which is consulted before domain name servers and is considered authoritative).

"The modified file contains a line redirecting the host 'page2.googlesyndication.com' which should point to an IP of the form 6x.xxx.xxx.xxx to a different address, of the form 9x.xxx.xxx.xxx, so that the infected machines' browsers read ads from server at the replacement address rather than from Google."
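The hosts-file override described in this post and in the "About That Google Ad Trojan ..." entry above can be checked for from the defender's side. The following is an added example, not code from BitDefender or from this blog: it parses a hosts file (address, then one or more names, '#' comments) and flags any public hostname that is steered to an address outside loopback and the private ranges. The sample hosts file contents and the replacement address are constructed placeholders, not the real values from the report.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file: a normal loopback block, a legitimate internal
# name, and an entry of the kind the quoted report describes.  203.0.113.15 is
# a documentation-range placeholder, not the trojan's actual address.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost   # IPv6 loopback
192.168.1.10    intranet intranet.corp.example   # legitimate internal name

# the line below redirects Google's ad host to a third-party server
203.0.113.15    page2.googlesyndication.com
"""

# Names that are always expected in a hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Address ranges an internal name may legitimately map to (RFC 1918, ULA,
# link-local).  Listed explicitly rather than via is_private so that the
# documentation ranges used for examples are not silently accepted.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]


def parse_hosts(text: str) -> List[Tuple[int, object, str]]:
    """Return (line_number, address, hostname) for every mapping in the file.

    A hosts line is an address followed by one or more hostnames; '#' starts a
    comment anywhere on the line.  Lines whose address does not parse are
    skipped so a corrupted line cannot abort the whole scan.
    """
    mappings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            mappings.append((lineno, addr, name.lower()))
    return mappings


def suspicious_entries(text: str, private_ok: bool = True) -> List[dict]:
    """Flag hosts entries that override a name the machine should resolve via DNS.

    Loopback and unspecified addresses are normal (ad-blocking lists use them).
    With private_ok, names mapped into INTERNAL_NETS are accepted as well.
    Anything left is a public name being steered to a public address, which is
    the pattern the quoted report attributes to Trojan.Qhost.WU.
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name in LOCAL_NAMES or addr.is_loopback or addr.is_unspecified:
            continue
        if private_ok and any(addr in net for net in INTERNAL_NETS):
            continue
        findings.append({"line": lineno, "host": name, "address": str(addr)})
    return findings


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['address']}")
```

Run it against /etc/hosts (or %SystemRoot%\System32\drivers\etc\hosts on Windows) by passing the file's contents to suspicious_entries; any hit for a name you did not add yourself deserves a look.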

Posted by mhall at 5:08 PM

December 18, 2007

Apple Issues OS X, Safari Security Updates

internetnews.com -- Apple Patches Tiger and Leopard:

"Apple Mac users: It's time to patch your systems. Yes, again, after a whole lot of patches this year.

"Security Update 2007-009 from Apple provides updates for both OS 10.4 Tiger as well as the new OS 10.5 Leopard. In total there are 31 fixes for issues ranging in severity from information disclosure to arbitrary code execution. As an added bonus, if you're running Apple's Safari browser for Windows XP or Vista, you also need to update."

"Among the issues fixed are three that deal with Apple's use of CUPS (Common UNIX Printing System). For both Tiger and Leopard users, a memory corruption issue that could enable an attacker to crash a system or execute arbitrary code."

Posted by mhall at 6:05 PM

Greenwald: FISA Delay Was a Grassroots Success

Salon's Glenn Greenwald provides a good summary of what happened yesterday as the Senate considered a FISA overhaul that would have granted telecommunications companies immunity for participating in warrantless wiretapping.

Here's his recap of events on October 18:

"On October 18, it was announced that Dick Cheney and Jay Rockefeller had reached an agreement on a new FISA bill that would dramatically expand the President's warrantless surveillance powers beyond what the original FISA law provided. It also would provide full-scale retroactive immunity for all telecoms which participated in the President's illegal spying efforts, a gift that would effectively end all efforts to investigate the administration's illegal spying programs and hold the lawbreakers accountable."

[...]

"Earlier that morning, Big Tent Democrat had noted that Chris Dodd had issued a strongly worded statement against Jay Rockefeller's bill, and he urged Dodd to announce he would lead a filibuster against the bill. Based on all of that, it was quickly recognized, both in comments and in that email group, that the obvious choice to target for a "hold" was Dodd, who had made constitutional and oversight issues the centerpiece of his presidential campaign.

"Within literally a matter of minutes, numerous blogs began urging their readers to contact the Dodd campaign to ask Dodd to place a "hold" on any bill containing immunity. MoveOn sent out an email to its membership list urging the same. Blog readers and others then deluged the Dodd campaign by the thousands, tying up their telephones and overflowing their email boxes.

"It was exclusively in response to that blog-based outpouring of citizen passion that Dodd -- within a matter of a few hours -- emphatically vowed that he would do something he has almost never done during his 24-year Senate career: place a "hold" on this bill and, if necessary, lead a filibuster against it on the floor of the Senate. Dodd's responsiveness, and the all-too-rare leadership he displayed, prompted an outpouring of support for his campaign from citizens hungry for any sort of Democratic leadership, as he raised $200,000 in small donations over the next 24 hours alone, exceeding the total he had raised for the preceding many months."

The other key takeaway is that while anti-telco-immunity advocates may be chalking this up as a win, it's a temporary one: Everything's back up for consideration in January. It'll be interesting to see if the grassroots opposition can continue to make an impression on Democrats who are aware of the importance of the issue to some of their base but resentful that they can't just let the telcos off the hook and get on with riding out the Bush presidency.

Posted by mhall at 5:35 PM

December 17, 2007

Filibuster Is On to Block Telco Immunity

Glenn Greenwald on the filibuster:

"Chris Dodd left Iowa in order to lead a real filibuster on the floor of the Senate today in an attempt to stop Dick Cheney and Jay Rockefeller's telecom amnesty gift -- a move necessitated by Harry Reid's refusal to honor Dodd's hold (even while he reverently honors pro-torture holds from Lindsay Graham and countless similar holds from Tom Coburn). Reid's procedural conniving was supported by numerous Democratic Senators, including Pat Leahy, Dick Durbin and others (though against the wishes of 14 Democrats, including all presidential candidates in the Senate). In sum, Senate Democrats -- yet again -- are taking affirmative steps to ensure that Bush's demands are met in full, that he is vested with vast new surveillance powers, and that the rule of law in the United States is further eviscerated."

Update: Make that "filibuster was on," since all but 10 Democrats voted to advance the bill. On the other hand:

"But not all of the 76 senators who voted to advance the bill necessarily agree entirely with the administration. Some do, but others voted to advance the bill so they can criticize it or offer amendments."

Update 2: It looks like Dodd won after all, to the extent the Senate's now doing nothing until next year.

Posted by mhall at 4:43 PM

Four Ways to Keep LAMP Secure

Enterprise Networking Planet -- Four Ways to Keep LAMP Secure:

"There are untold thousands of sites still running on PHP3 and PHP4, and untold thousands more that never apply so much as a bugfix or security patch. PHP5 was released in 2004, and PHP3 way back in 1998. Yes, this is foolish and unsafe, but updating to newer PHP releases almost always requires significant code rewrites. Adding to the fun is that Apache, PHP, and MySQL are always at war; you have to have the correct, compatible versions all at the same time or they don't work together. There are many options for easy fresh installations, such as XAMPP and Ubuntu's LAMP packages. But the real fun comes later, when you try to update your system and they're out of sync.

"In my occasionally-humble opinion, you're better off using Perl, Python or Ruby. A little more work up front for a lot less work and worry over the long haul. Hosting services are notorious for clinging to antique, unsafe LAMP installations, so check out WebHosting Talk to help find a Web hosting service that doesn't suck."

Posted by mhall at 4:35 PM

PGP Keys Safe Under Fifth Amendment?

A little late on this one, but it's interesting:

The Volokh Conspiracy -- Magistrate Judge Finds Fifth Amendment Right Not to Enter Encryption Passphrase:

"Imagine the government seizes a suspect's hard drive and finds encrypted files inside. Can the government force the suspect to enter in his encryption passphrase so the government can view the decrypted files? Or does the Fifth Amendment privilege give the suspect a legal right not to enter in the passphrase? On November 29, Magistrate Judge Jerome Niedermeier in Vermont handed down the first opinion to squarely address the issue: In re Boucher. Judge Niedermeier ruled that the defendant did have a Fifth Amendment privilege in such circumstances."

This is one of those "better legal minds than mine" sorts of stories, because my "legal mind" is largely relegated to whatever I got out of a semester on law for editors, the AP manual and a few books on copyright law.

It's also a flawed story in terms of the setup: The owner of the laptop is, to judge from reports, something of an idiot. He admitted to having child pornography on his computer, let police see it, then got some religion about his rights.

No one is acting like PGP specifically has ever been put to the legal test in this way, though, and the current climate around child pornography is such (see today's Washington Post on the topic) that you have to wonder how long we have before PGP-specific laws are enacted to handle instances like this, or much less ungainly stories where the police have their suspicions but are confronted with a PGP-protected drive or folder.

Posted by mhall at 3:00 PM

December 14, 2007

Warrantless Wiretaps Up for Debate on Monday

Warrantless Spying Showdown Postponed to Monday | Threat Level from Wired.com:

"Senate Majority leader Harry Reid announced Friday that he will start debate Monday on bills that will let the nation's spies use American telecom facilities and services for warrantless wiretapping, choosing to start with the most expansive bill and then letting a second version be considered as an amendment. Congress is moving quickly on the legislation, since the Democrats are seeking to reverse some of the extensive surveillance powers it handed to the Administration this summer in rush legislation known as the Protect America Act.

"Action could have started as soon as today, forcing a promised filibuster to happen over the weekend, but today Reid indicated on the Senate floor that he would wait until Monday..."

Posted by mhall at 5:50 PM

December 13, 2007

Master Port Scanning with Nmap

Master Port Scanning with Nmap:

What's on your network and how vulnerable is it to a hacker attack? Having a clear picture of this is a vital part of effective network administration, and one way to build up such a picture is by network mapping using a port scanner.

Port scanning is the art of sending packets onto the network and analyzing what comes back – and what doesn't. By sending packets to specific ports and IP addresses it's possible to build up a picture of the IP addresses of devices that are connected, what OSes they are running, what ports they have open, and the services running on those ports. (Of course there are other ways of doing this, but since port mapping is one of the first types of reconnaissance a hacker is likely to perform, doing your own port mapping will give you a clear idea of what hackers may find out.)

There are many open source port mappers, the best known one of which is called Nmap (short for network mapper). Nmap is available for Linux, Windows, Solaris and other platforms, from http://insecure.org/nmap/ . It's a very flexible scanner with stealth scan options designed to evade intrusion detection systems (IDS), and by using these you can get practice in spotting the signs of intrusion attempts in your logs.

In this article we'll be looking at some of the more straightforward uses of Nmap. The examples used are based on Nmap 4.20 running on Linux, but the same commands should work on any other platform. If you read our article about building a portable security tool with the ASUS Eee PC and Ubuntu, Nmap is an excellent candidate for immediate installation.

This is the next installment in Paul's series explaining how some of the more common open source network security tools work. Good practical examples to get the budding pen tester started.

Posted by mhall at 7:01 PM

December 12, 2007

Ask's Unseen Partners Aren't Losing Anything with AskEraser

This is a nice nutshell of just what it is search engines are after, where they're heading, and why Ask's AskEraser is novel but not entirely meaningful:

NYT -- As Ask Erases Little, Google and Others Keep Writing About You:

"... Google is a lightning rod for debate about privacy because it is extending so quickly into so many areas. But there are so many other companies that are far nosier about what you do online and are unafraid to exploit that information. (I wrote about this last year, and activity in targeting has gotten more intense since then.)

"From the start, Yahoo has seen itself as a company that uses data about users for the benefit of advertisers. And Yahoo already uses what you search for to pick which ads to show you on other parts of its site.

"What's more, there are advertising networks most people have never heard of (including Tacoda and Advertising.com, both owned by AOL, and BlueLithium, recently bought by Yahoo) that are in the business of collecting data about Internet users for advertising. Even creepier, Internet service providers are starting to monitor everything their users do to funnel ads to them.

"All this is not to say that there is anything wrong with what Ask is doing. Some people may well want to search on a site that says it won't remember anything about what they do. But the issues of what data is collected and how it is used are far more relevant for Google, Yahoo, and a bunch of firms that are hidden from view."

Posted by mhall at 5:57 PM

December 11, 2007

Patch Tuesday Rollup

The December black tuesday overview from SANS lists seven patches.

Four are 'critical,' with one of those, a patch for IE, marked 'PATCH NOW' in big, bold letters on a red background with the words 'Actively exploited' next to it. Macrovision's copyright enforcement components are also being actively exploited.

Posted by mhall at 4:18 PM

Ask Unveils History "Eraser"

[image: askeraser.png]

Ask.com's 'AskEraser' went live earlier this evening. It's a setting that will allow Ask.com search users to cover any footprints they leave on the site pretty quickly. From the AskEraser FAQ:

"When enabled, AskEraser will completely delete your search queries and data from Ask.com servers, including: your IP address, User ID and Session ID cookies, as well as the complete text of your search query--all within a matter of hours."

There's a good writeup at the NYT that gets down to the nut of AskEraser's value to Ask.com:

"Some privacy experts doubt that concerns about privacy are significant enough to turn a feature like AskEraser into a major selling point for Ask.com. The search engine accounted for 4.7 percent of all searches conducted in the United States in October, according to comScore, which ranks Internet traffic. By comparison, Google accounted for 58.5 percent, Yahoo for 22.9 percent and Microsoft for 9.7 percent.

"'My gut tells me that basically it is not going to be a competitive advantage,' said Larry Ponemon, chairman and founder of the Ponemon Institute, an independent research company. 'I think people will look at it and see it as a cool thing, and they may use it. But I don't think it will be a market differentiator.'

"Mr. Ponemon said many surveys showed that while about three in four Americans said they were concerned about privacy, their concern was not sufficient to make them change their behavior toward sharing personal information. About 8 percent of Americans were concerned enough about privacy to routinely take steps to protect it, the surveys showed.

"'Privacy only becomes important to the average consumer when something blows up,' Mr. Ponemon said."

Of course, there are also some caveats. From the FAQ:

Is there any reason Ask.com will stop deleting my search activity?
Formal legal request -- Ask.com must abide by the laws and regulations of local, state and federal authorities. Even when Ask Eraser is enabled, we may store your search activity data if so requested by law enforcement or legal authority pursuant to due process. In such case, we will retain your search data even if AskEraser appears to be turned on.

Hoping to use AskEraser to escape the clutches of the Google Empire? lawlz:

"But underscoring how difficult it is to completely erase one's digital footprints, the information typed by users of AskEraser into Ask.com will not disappear completely. Ask.com relies on Google to deliver many of the ads that appear next to its search results. Under an agreement between the two companies, Ask.com will continue to pass query information on to Google. Mr. Leeds acknowledged that AskEraser cannot promise complete anonymity, but said it would greatly increase privacy protections for users who want them, as Google is contractually constrained in what it can do with that information. A Google spokesman said the company uses the information to place relevant ads and to fight certain online scams."

In other words, your search information is still going to end up in a big silo somewhere.

Posted by mhall at 1:57 AM

December 10, 2007

CAPTCHA Still Rocks, When It Doesn't Suck

Coding Horror: Has CAPTCHA Been "Broken"?:

"Ticketmaster's problem is that their CAPTCHA is not good enough. Programmers don't seem to understand what makes a CAPTCHA difficult to 'break'. But it's not difficult to find out. Heck, the hackers themselves will tell you how to do CAPTCHA correctly if you just know where to look."

Nice chart demonstrating security economics right underneath: A Chinese hacker charges anywhere from $500 to $6,000 for software that cracks assorted CAPTCHA methods. Google, Yahoo and MSN are listed as "unbreakable," and he claims a 50 percent success rate with Ticketmaster.

Posted by mhall at 5:37 PM

December 7, 2007

Will SAFE Force You to Packet Sniff Your Open WAP? Well ...

Declan McCullagh:

"The U.S. House of Representatives on Wednesday overwhelmingly approved a bill saying that anyone offering an open Wi-Fi connection to the public must report illegal images including 'obscene' cartoons and drawings--or face fines of up to $300,000.

"That broad definition would cover individuals, coffee shops, libraries, hotels, and even some government agencies that provide Wi-Fi. It also sweeps in social-networking sites, domain name registrars, Internet service providers, and e-mail service providers such as Hotmail and Gmail, and it may require that the complete contents of the user's account be retained for subsequent police inspection."

The representative behind the bill responded, saying McCullagh's "broad definition" was overbroad, seeing as it hinges on the idea that by having a WAP in my office, I've become an ISP.

McCullagh does raise a good point, though:

"The definition of which images qualify as illegal is expansive. It includes obvious child pornography, meaning photographs and videos of children being molested. It also includes photographs of fully clothed minors in unlawfully 'lascivious' poses, and certain obscene visual depictions including a 'drawing, cartoon, sculpture, or painting.'"

...

"Most reasonable adults, including home Wi-Fi providers or the Web sites affected by this legislation, can figure out what actual child pornography is. But when it comes to photographs of fully clothed minors in 'lascivious' poses, and overly risque cartoon anime that might be 'obscene' in one area of the country and permissible in another, it becomes trickier--especially when, legally, only a jury can determine whether an image violates local community standards."

Ars Technica says "don't start searching the skies for the black helicopters yet."

SAFE Act won't turn mom-and-pop shops into WiFi cops:

"WiFi isn't mentioned in the bill. Neither are coffee shops, libraries, or individuals running access points in their basements. The bill's provisions apply to anyone 'engaged in providing an electronic communication service or a remote computing service to the public through a facility or means of interstate or foreign commerce.' Parse that as you will."

"I contacted the office of Rep. Nick Lampson (D-TX), who introduced the bill, to see whether he understood it to cover hundreds of thousands of Americans and small businesses who offer WiFi. A spokesperson told me that, in his view, that broad interpretation was incorrect, but he had to check in with policy staffers before confirming it. We did not hear back by press time."

"Whatever the bill applies to, though, the law is quite clear that those who offer Internet access don't have to do any additional monitoring. There are no 'restrictions' on their services. The bill updates an already-existing notification requirement and stiffens the penalties, but only for those presented with clear evidence of child porn who make a 'knowing and willful failure' to report it."

Posted by mhall at 4:44 PM

December 6, 2007

Howto: Turn Off Beacon

Valleywag: How to turn off Facebook's Grinch

As commenters there seem to discern, "not sending stories to your profile" means the information is still floating around to be deleted by Facebook at some unspecified time.

Posted by mhall at 5:02 PM

Botnets As an Ecosystem

Last night I posted "The Botnet Ecosystem: What's a Botnet?" over at Enterprise Networking Planet.

It's the first in a series on all the components of the average botnet, including the compromised clients that compose them, the malicious servers (intentional and otherwise) that help feed them, and the people who control them.

It got its start from a column Charlie wrote in August on the responsibility ISPs bear to fight botnets. His take at the time:

"The real cause of botnet infestations, where the responsibility should lie, is Microsoft. Some people actually argue that this is not true, but Microsoft does not. At great expense to its bottom line, Microsoft offers free technical support to all Windows users who have virus issues. Really! Give them a call at 1-866-PC-SAFETY. Some companies will charge up to $300 for cleaning up viruses, and when Dell sells $400 computers that are quite usable for most people, $300 in maintenance is difficult to justify.

"The blame isn't 100 percent attributable to Microsoft, but it's close. Nobody is denying that poorly secured Web sites, usually PHP applications, play a role. But Microsoft's poor security model, coupled with its overwhelming market dominance, created the foundations on which botnet spam is built."

He was right, but when he said "the blame isn't 100 percent attributable to Microsoft," he inadvertently suggested the new series on the botnet ecosystem:

Did you know the average human brain represents about two percent of the average human's mass? Me neither. I had to go look it up just now so I could make the point that if the average botnet is 98 percent compromised Windows clients and two percent compromised or malicious servers and controllers, then blaming Microsoft is kind of like yelling at someone's navel when they wrong you. There has to be a brain somewhere in that botnet, and just like a human brain it's probably more complex and interesting than any other part.

And beyond that, there's the fact that botnets represent an interesting development in the bigger question of malware. They aren't about ransacking your hard drive and deleting your stuff then mocking you to your face. They're stealthier now because their owners have bigger fish to fry than screwing over people who don't make regular backups.

In other words, the entire point of botnets is living somewhere in that other one or two percent.

So Charlie and I batted the idea back and forth, coming up with the idea of botnets as an ecosystem along the way, and we're underway now.

The first article is an introduction. Charlie's going to dig deeper in coming installments.

Posted by mhall at 12:41 PM

December 5, 2007

Wiretap Bill is Telco Immunity Without the Words "Telco Immunity."

Threat Level: Senator Proposes Substituting Feds for Spying Telcos in Wiretapping Cases:

"On Monday, Senator Arlen Specter (R-Pennsylvania) announced a bill (.pdf) that would substitute the government for the companies in the suit so long as all of the wiretapping help done by the telcos happened after a written request from the government. The government would still get to play its state secrets card under Specter's proposal, which has successfully squashed almost every lawsuit filed directly against the government for its warrantless wiretapping program.

"The Electronic Frontier Foundation issued a statement Wednesday, proposing that immunity be handled separately from the larger bill expanding the government's traditional surveillance powers.

"'While EFF appreciates the attempt by Senator Specter to craft a compromise to save the litigation, the bill contains serious flaws that undermine the goal of allowing the courts to decide whether the carriers and the president broke the law when they engaged in over five years of warrantless surveillance of millions of ordinary Americans,' said EFF Legal Director Cindy Cohn. 'Given the gravity and unprecedented complexities of the issues raised by the carriers' demand for amnesty, Congress should not be rushed into action by an arbitrary deadline and should instead take the time to carefully consider Senator Specter's proposal as well as others.'"
