January 31, 2008
Updated: Ask on Defensive Over AskEraser
Updated: Just two days ago I linked to a Forbes article exploring a squabble among consumer privacy advocates over Ask.com's Ask Eraser service. In a nutshell, while five privacy groups filed a complaint with the FTC that Ask.com was being misleading about the actual efficacy of the service, one group, the Center for Democracy and Technology (CDT) went the other way, telling the FTC it believed the complaint should be dropped as meritless.
The five complainants didn't think much of that because the CDT recently took a $10,000 donation from Ask.com's parent company. The CDT blew off their charges of conflict of interest by saying $10,000 was chicken feed.
Meanwhile, we get a one-sided, credulous piece about Ask Eraser that prominently features a friendly quote from the CDT's deputy director and somehow misses the fact that there have been two complaints to the FTC about the service, along with some independent notice of the service's less than total protection of user privacy:
"Hats off to Ask.com for its new hands-off--or eyes-off--search option. The AskEraser feature will prevent the search company from saving your data in its logs.
"Turning it on is just a click away. Select AskEraser at the top-right of any Ask.com page, and you're prompted to enable the feature, which deletes within hours all of your search data activity, including your search terms, your IP address, and any session identifier. Ask.com cookies disappear from your browser as well, save one that reminds the site that you're using AskEraser.
"'It is certainly a large leap in the right direction,' says Ari Schwartz, deputy director of the Center for Democracy and Technology, a consumer advocacy nonprofit in Washington, D.C."
There's no coverage at all of the complaints filed by groups with as much or more standing than the CDT when it comes to privacy issues. After Schwartz is trotted out to give good quote, it meanders off into warmed-over factoids from last summer.
The story bears all the earmarks of the kind of shilling flacks are great at managing. They contact a reporter, offer to provide a list of sources who can give good quote, then seemingly fade into the background to let the source sound like an independent, disinterested voice. $10,000 gifts aside, the CDT may be independent, but it plainly considers Ask's side of the debate over AskEraser worthy of its favorable public intervention. The only person who doesn't seem to get that is the reporter.
(Link)
Previously:
- Ask Eraser Prompts Privacy Squabble, Second FTC Petition
- Ask Unveils History "Eraser"
- Shorter Microsoft: Our Search Privacy Policy is Still Cop-Friendly
Posted by mhall at 1:46 PM
January 30, 2008
Facebook and MySpace Back New York Sex Offender Law
Facebook and MySpace have announced that they're on board with a new bill in the New York state legislature:
"The initiative behind the bill is called the Electronic Security and Targeting of Online Predators Act or E-Stop. The legislation restricts certain sex offenders' (high risk Level 3 offenders defined as those offenders with a 'high risk to commit another sex crime') use of the Internet, updating Megan's Law 'for the Internet age.'
"E-Stop would require sex offenders to register any and all email accounts and Internet identifiers used in instant messaging, chatting and other forms of Internet communication and social networking with the state's Division of Criminal Justice Services just as they would register their home addresses. If the said offender creates an email address and doesn't tell the authorities within 10 days of its creation, he or she is violating the law, Mr. Cuomo said, and could be hit with a violation of their parole or probation.
"The bill also allows the division of criminal justice services to pass along the email addresses and identifiers of some sex offenders to the networking sites (so far MySpace and Facebook have committed to working with New York) so that they can remove any sex offenders that have registered their emails with the sites. MySpace and Facebook officials support the bill and said that they would notify law enforcement of any sex offenders they catch using their site's services."
As the NYT reporter-blogger notes, one of the assemblymen behind the new bill expressed concern about how familiar parents are with MySpace and "Spacebook."
Indeed.
It looks like e-mail registration is a core provision in the bill, which also takes me back to July, when I noted an internetnews.com story quoting someone close to the issue who "told internetnews.com that this won’t be solved until states pass laws forcing predators to register their e-mail addresses the same way they have to register street addresses."
I have no idea how they think they're going to enforce this, or why they think someone enough in the grip of a sexual compulsion to go out looking for victims on the Internet will be deterred by fear that they'll get violated back into jail if they're somehow caught with an unreported e-mail address.
And more importantly, there's an almost willful blindness present in legislation like this, considering the fact that the vast preponderance of child sexual abuse, somewhere in the neighborhood of 90 percent of known cases, is initiated by people the child knows and trusts.
But a lot of this stuff got rolling last summer, in a drastically different political environment. Back then, I linked to an InformationWeek article that dug up a Texas Republican who was trying to, somehow, turn Internet predation into a wedge issue, trying to accuse Democrats of neglecting the issue. Whenever this kind of thing comes up, politicians can go two ways: They can blow off the demagogues and hope the issue goes away or doesn't really emerge in the public consciousness, or they can decide to just roll with it because, hey, what's the harm?
"Internet predators" are an abstraction that's easy to hate and "fight."
The eventual side effect of laws like this one will be further entrenchment of the surveillance state, because the politicians slapping each other on the back over New York's bill are asking the same question I did: How on Earth are they going to catch sex offenders registering on social networking sites with unreported e-mail addresses? At the moment, they really can't. So next up they'll be asking why AT&T can propose monitoring the Internet to block the unsanctioned transmission of copyrighted material but can't monitor the flow of perv traffic on Gmail.
(Link)
Posted by mhall at 6:03 PM
January 29, 2008
Ask Eraser Prompts Privacy Squabble, Second FTC Petition
Forbes' Andy Greenberg has an interesting report on the repercussions from a complaint filed with the FTC last week in which one policy group, the Center for Democracy and Technology (CDT), broke with EPIC and five other groups who argued that Ask.com's "Ask Eraser" service be shut down for misleading consumers.
The gist of the CDT's issue with EPIC and others is that Ask's service isn't perfect, but is at least incrementally progressive. An EPIC executive says the CDT's defense of Ask.com is dubious, considering the search engine's parent company donated $10,000 to the CDT. $10,000 is a trivial sum for an organization with an annual budget in the millions, but the money was worthwhile enough to take. It makes the CDT's relative isolation from several other major privacy groups on this issue suspect.
Greenberg also reports that EPIC will be filing a second complaint with the FTC over Ask Eraser today.
(Link)
Posted by mhall at 4:40 PM
January 28, 2008
NAC: a nice idea ... err ... collection of ideas ... kind of?
Rich Mogull sums up NAC as it will come to be known in 2008: A bunch of good ideas, wrapped in amorphous and fuzzy language, that turned into a vendor money grab before there was even a "there" there.
"It's a great idea, but like all great ideas a combination of big fish and bottom feeders wanted in. 'NAC' kept getting expanded and integrated with everything from 802.1x for port-based authentication (only letting a computer get a usable IP address after a user is approved, a pretty good idea) to all sorts of real-time monitoring, quarantining, VLAN weirdness, and kitchen sinks. It's a market that Cisco and Microsoft decided they want to control, and early on they started making waves without providing much in terms of functional product. It was a way for Cisco to get their endpoint agents onto desktops and to push clients to upgrade their networking hardware, since parts of their NAC don't work if they aren't built into the switch.
"I like NAC, and if I had more than 6 computers on my network it's the kind of thing I'd look at more closely. But I'd keep myself focused on the basics: protecting my network from malicious guest and mobile systems. I'd want a mix of agent and agentless (for managed and unmanaged systems) and keep focused on pre- and post-connection health checks. I wouldn't wait for the big vendors, knowing that in the long term they'll own it all anyway, even if they have to buy it. Yes, Cisco has stuff now, but I hear it's pretty complex to deploy.
"NAC, like much of network security, will eventually be built into the network fabric. At best, we'll have a separate security control plane for separation of duties. This is a hell of a long way out and not something that should affect your buying decisions today."
Uh huh. And now when you talk to vendors who were trying to stake out NAC turf early last year, you hear about how last year's silver bullet is this year's "piece of the puzzle." And it'll be next year's fifth bullet on page three of some marketing presentation.
(Link)
Posted by mhall at 6:10 PM
Senate Spikes FISA Bill Cloture Vote
A few Democrats defected, but it didn't give Republicans the 60 votes needed to break a Democratic filibuster and quash debate over contested amendments to the FISA overhaul. Glenn Greenwald:
"In one sense, this is an extremely mild victory, to put that generously. All this really means is that they will now proceed to debate and vote on the pending amendments to the bill, almost certainly defeat all of the meaningfully good ones, approve a couple of amendments which improve the bill in the most marginal ways, and then end up ultimately voting for a bill that contains both telecom immunity and warrantless eavesdropping. Moreover, it seems clear that Senate Republicans deliberately provoked this outcome and were hoping for it, by sabotaging what looked to be imminent Democratic capitulation so that Bush could accuse Democrats tonight of failing to pass a new FISA bill, thus helping their friend Osama.
"Still, in another sense, this is significant. Preventing a vote today means that there is more time to work on opposing immunity, including by working on ensuring that the House stays firm behind its relatively decent bill. It also means that the Senate -- for once -- has refused to capitulate to brazen White House pressure tactics, whereby the President demanded that the Senate give the administration everything it wants before the Friday expiration of the PAA. Also, the presidential candidates responded to public pressure by joining in the filibuster, which is encouraging.
"And, perhaps most significantly, this slight stirring of resolve might carry over into the next vote, to extend the PAA by 30 days and thus force Bush's hand either to veto the extension or back down (they will need 60 votes just to vote on that proposal). Again, anything that prevents quick and quiet resolution of telecom immunity and new FISA powers is a real benefit."
(Link)
Posted by mhall at 5:56 PM
January 25, 2008
Facebook Apps Have Access to More Info Than They Need
Chris Soghoian has some interesting thoughts on a recent University of Virginia study on Facebook application security. Nutshell: Facebook apps have access to way more information than they need to do their jobs.
"Some applications may make use of all this data, but as researchers from the University of Virginia have detailed in a recent report, Facebook provides applications with access to far more private user information than they need to function. Adrienne Felt, a student and lead researcher on the project, told me that of the top 150 applications they examined in October 2007, '8.7 percent didn't need any information; 82 percent used public data (name, network, list of friends); and only 9.3 percent needed private information (e.g., birthday). Since all of the applications are given full access to private data, this means that 90.7 percent of applications are being given more privileges than they need.'
"Felt condemned this practice, and said that it violated the idea of least authority, an important security design principle that states that an actor should only be given the privileges needed to perform a job. In other words, she said, an application that doesn't need private information shouldn't be given any.
"'Regardless of the click-through disclaimer that Facebook makes users accept, I don't think people understand what's happening to their data behind the scenes. If applications don't appear to use private data--but then they all have this same standard click-through screen--how can users differentiate between applications that really need access to data and all the rest?'"
And I think, based on this comment from Facebook Chief Privacy Officer Chris Kelly, that it's time to start punishing ill-considered "wisdom of the crowds" invocations:
"Kelly said that users can determine a developer's trustworthiness by looking at their profile page, and that somehow, users can combine to form some kind of intelligent hive mind. 'One of the factors is what applications your friends are installing. Untrusted applications don't get added very often as the collective mind is choosing what is trusted in real time.' He further added that it is 'up to your friends to make that determination in real time. If an application is going to give them some utility, they'll know that the applications have to obey the rules.'"
Soghoian says "I fail to see how thousands of 18-year-olds can collectively assess the data protection practices of some random developer in a foreign land. Remember, these are the same 18-year-olds who post photos of themselves passed out drunk on their public profile pages."
Uh huh.
Hell ... these are the same people, let alone 18-year-olds, who are using Facebook to begin with. The UVa student researcher Soghoian spoke with admitted to installing an app she didn't want to install because she "had a hard time saying no."
Maybe someday, when we have to have the little blue and white "f" logo tattooed to our foreheads to buy groceries or travel in commercial airplanes I'll regret dumping my account. Until then .... eh.
(Link)
Posted by mhall at 5:19 PM
January 24, 2008
Senate Pushes FISA Overhaul to the Wire
"On a strong 60-36 vote, senators rejected an amendment that would have killed the immunity provision and strengthened the powers of a secret court to oversee the surveillance of phone calls and e-mails that involve people inside the United States.
"Further action on the legislation was delayed until Monday, pushing Congress closer to a Feb. 1 deadline for enacting a new law. If a new law is not signed by the president by then, some eavesdropping practices that are now legal would be prohibited.
"The Bush administration is insisting that any new law also protect from potentially crippling civil lawsuits those telecommunications companies that helped the government eavesdrop on Americans after the Sept. 11 terrorist attacks.
"Senate Majority Leader Harry Reid, R-Nev., blamed Republicans for the delay, saying they were trying to block a series of amendments majority Democrats sought to offer."
"'It appears the president and Republicans want failure. They don't want a bill,' Reid said."
(Link)
Other reactions:
Threat Level: "Even if the Senate passes the Intel committee bill on Tuesday, it will need to work out a compromise with the House, before sending the bill to the president for signature. The House version, known as the Restore Act, doesn't include immunity for telecoms and severely constrains when the government can spy in America without warrants -- essentially blocking bulk collection activities allowed in the Protect America Act and the Senate Intel bill."
Glenn Greenwald: "Supposedly, the obstructionism angered Reid and other Democrats and now Reid will not only support Dodd's filibuster but urge his caucus to do so as well."
Posted by mhall at 7:42 PM
January 23, 2008
Ask.com's Eraser in FTC Complaint Crosshairs
EPIC and five other privacy advocacy groups have filed a complaint against Ask.com over its "AskEraser" service. AskEraser, in a nutshell, was supposed to be a toggle switch that would effectively remove an end user's Ask.com search history. Ask.com announced the service in the midst of a Google/Doubleclick-inspired data retention policy frenzy, and got some notice because it seemed to be the most radically pro-privacy policy of any major commercial search engine.
AskEraser launched last month, and it took about a day for people to read the fine print and realize it might not be all that awesome. Ask.com is still keeping information around even with the service enabled, since it can't deprive partners like Google of certain usage data.
There are a number of points under each major element of the complaint, but here are the core issues the group has:
- "The opt-out cookie is a flawed technique for privacy protection," to the extent it requires users to permit cookies on their computers and provides Ask with a tracking mechanism for the very people who don't want their usage to be tracked.
- "The persistent identifier enables permanent tracking of Internet users," because each AskEraser cookie timestamps the user, meaning there's no meaningful anonymization of user data.
- "Ask.com reserves the right to disable the service without notice, even while telling users it's still activated," meaning a user can never be sure if the service is actually working.
- "Third party data protection is non-existent," meaning Ask's assorted partners still get a lot of usage data.
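The complaint's first two points, worked through as an added example (not code from Ask.com or from the EPIC complaint): a timestamped opt-out cookie is itself a per-user identifier that lets logged queries be linked back together, and the opt-out only exists for browsers that accept cookies. The cookie name, value format and request log are constructed.

```python
"""Why a timestamped opt-out cookie is a tracking identifier: an added example,
not code from Ask.com or from the EPIC complaint. Cookie name, value format and
the request log are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

OPT_OUT_NAME = "opt_out"  # constructed cookie name


def issue_timestamped_cookie(enabled_at: datetime) -> str:
    """The design the complaint objects to: the value records the moment the
    user turned the feature on, a millisecond value almost nobody else shares."""
    return f"{OPT_OUT_NAME}=1-{int(enabled_at.timestamp() * 1000)}"


def issue_fixed_cookie() -> str:
    """A constant value says only 'this user opted out'; every opted-out user
    presents the same bytes, so the cookie alone cannot single anyone out
    (IP address and browser headers still can)."""
    return f"{OPT_OUT_NAME}=1"


def is_opted_out(cookie_header: str) -> bool:
    """Server-side check of the Cookie header. A browser that blocks cookies
    never carries the flag and is treated as not opted out, which is the
    complaint's point that opting out requires permitting cookies."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == OPT_OUT_NAME and value.startswith("1"):
            return True
    return False


def link_queries(log):
    """Group logged queries by the opt-out cookie value they carried. With a
    per-user timestamp in the cookie, this rebuilds each user's search history
    even though the identifying data was supposedly erased."""
    by_cookie = defaultdict(list)
    for entry in log:
        by_cookie[entry["cookie"]].append(entry["query"])
    return dict(by_cookie)


def distinct_identifiers(log) -> int:
    """How many separate users the cookie values alone can tell apart."""
    return len(link_queries(log))


def build_log(issue_cookie):
    """Constructed log: three users who each enabled the feature at a different
    moment and then ran two searches. `issue_cookie` receives the enable time."""
    t0 = datetime(2008, 1, 23, 14, 0, tzinfo=timezone.utc)
    users = [
        (t0, ["weather boston", "flights to denver"]),
        (t0 + timedelta(seconds=7), ["used cars", "knee surgery"]),
        (t0 + timedelta(minutes=3), ["bank login", "divorce lawyer"]),
    ]
    log = []
    for enabled_at, queries in users:
        cookie = issue_cookie(enabled_at)
        for q in queries:
            log.append({"cookie": cookie, "query": q})
    return log


def compare_designs():
    """Distinct identifiers seen with the timestamped design and the fixed one."""
    timestamped = build_log(issue_timestamped_cookie)
    fixed = build_log(lambda _t: issue_fixed_cookie())
    return distinct_identifiers(timestamped), distinct_identifiers(fixed)


if __name__ == "__main__":
    ts_ids, fixed_ids = compare_designs()
    print(f"timestamped cookie: {ts_ids} distinguishable users")
    print(f"fixed cookie: {fixed_ids} distinguishable user")
    for cookie, queries in link_queries(build_log(issue_timestamped_cookie)).items():
        print(f"  {cookie} -> {queries}")
```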
The entire complaint is available as a PDF from EPIC.
Threat Level has some protest boilerplate from Ask.com in which a lot of assertions are made without any backing.
Posted by mhall at 2:32 PM
January 22, 2008
EU Privacy Leader: IP Addresses Are Personal Information
"IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union's group of data privacy regulators said Monday.
"Germany's data protection commissioner, Peter Scharr, leads the EU group preparing a report on how well the privacy policies of Internet search engines operated by Google Inc., Yahoo Inc., Microsoft Corp. and others comply with EU privacy law.
"He told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address 'then it has to be regarded as personal data.'
"His view differs from that of Google, which insists an IP address merely identifies the location of a computer, not who the individual user is — something strictly true but which does not recognize that many people regularly use the same computer terminal and IP address."
(Link)
Posted by mhall at 3:51 PM
January 18, 2008
Yahoo + OpenID = The Underpants Gnomes' Missing Step
As internetnews.com reported, Yahoo has decided to implement OpenID for its user accounts. You probably already know about OpenID, but the internetnews nutshell will work if you don't:
"The brainchild of LiveJournal creator Brad Fitzpatrick, who is now with Google, OpenID is designed to provide Web users with a universal identifier so they can sign into social networks, blogs and other Web sites with a single login.
"When Yahoo launches its OpenID service in public beta form on Jan. 30, anyone with an OpenID identifier will be able to log into Yahoo's Web sites.
"On non-Yahoo sites, Yahoo users will be able to type 'www.yahoo.com' into the login prompt of a site that uses OpenID. The company Yahoo said that it is also working with several OpenID partners to include a 'Sign in with Your Yahoo ID' button on their sites to further streamline the process."
Tech Crunch called Yahoo's implementation a massive win for the project, and provided a quote from Yahoo's Director of Membership and Registration:
"'This is just the first step in working with OpenID,' Yahoo Director of Membership and Registration Raj Mata said to me in a phone interview yesterday. But he would not confirm when (or if) Yahoo would also become what is called a 'relying party' (allowing users with third party OpenIDs to log in to Yahoo). He did say that the goal was to move in that direction, but gave no further guidance."
Which makes this kind of a weird "win" for OpenID, which stresses the notion that your OpenID is portable among services:
"You get to choose the OpenID Provider that best meets your needs and most importantly that you trust. At the same time, your OpenID can stay with you, no matter which Provider you move to. And best of all, the OpenID technology is not proprietary and is completely free."
With Yahoo's implementation, your previously existing OpenID isn't any good, which means anyone who already has an OpenID now needs to have a second one to deal with Yahoo's properties.
Leslie Poston goes into quite a bit more detail on that, and Jeremy Zawodny got preemptively defensive:
"Oh, and before anyone jumps on me about this not being 'full' (meaning bi-directional) OpenID support, I'm quite aware of that. Consuming OpenID is a different beast that can't happen overnight. Give it some time. I'm optimistic that we'll get there."
Well, "full" meaning "full," I think.
The main point is, of course, that all Yahoo needs to do is drag its feet for a quarter or so and scoop up everyone who doesn't have an OpenID already, then implement the part I'm sure it could've managed anyhow given a few more weeks to launch. Then we'll all get scolded for ever doubting. Unless we include Jason Snyder, who took the time to write it all out:
"... OpenID's success as a whole hinges on the channel of authentication queries being a two-way street -- unless, of course, identity is to evolve into a service offered by a handful of providers.
"Which, on the face of things, could be what this announcement is ultimately about -- a pitch for users to put Yahoo in their longed-for single sign-on wallet before Google offers a competing alternative to the multitudes already splitting their time between Google and Yahoo log-ins."
Posted by mhall at 4:52 PM
January 17, 2008
Telco Immunity Back in Play as Early as Next Week
The brief respite from the issue of telco immunity is, apparently, just about over. Glenn Greenwald:
"Contrary to the completely erroneous claims by the Wall St. Journal Editorial Page that Senate Democrats intend to enact an 18-month extension of the Protect America Act without telecom immunity (false claims that produced some premature blogospheric declarations of victory last week), Reid has spent the last two weeks making abundantly clear that his intention is to bring to the Senate floor as early as next week the Bush-compliant Senate Intelligence Committee bill, and has further made clear that it's his expectation that that bill -- complete with warrantless eavesdropping powers and telecom immunity -- will pass. Because the Protect America Act is scheduled to expire in early February, it will be necessary to extend it by 30 to 60 days, but that is seen by the Senate Democratic leadership only as a tool to enable them to work out a deal with the House to ensure that a bill acceptable to the President is sent to the White House promptly."
(Link)
Previously:
- Greenwald: FISA Delay Was a Grassroots Success
- Some Coverage on the Telco Spying Immunity Campaign
- Telcos Scrambling for Wiretapping Immunity
- Wiretap Bill is Telco Immunity Without the Words "Telco Immunity."
- Filibuster Is On to Block Telco Immunity
Posted by mhall at 1:28 PM
Study: Online Shopping Sparking Consumer Privacy Concerns
"Privacy concerns stemming from online shopping rose in 2007, a new study finds, as the loss or theft of credit card information and other personal data soared to unprecedented levels.
"Sixty-one percent of adult Americans said they were very or extremely concerned about the privacy of personal information when buying online, an increase from 47 percent in 2006. Before last year, that figure had largely been dropping since 2001.
"People who do not shop online tend to be more worried, as are newer Internet users, regardless of whether they buy things on the Internet, according to the survey from the University of Southern California's Center for the Digital Future.
"The study, to be released Thursday, comes as privacy and security groups report that an increasing number of personal records are being compromised because of data breaches at online retailers, banks, government agencies and corporations."
(Link)
Posted by mhall at 1:26 PM
January 16, 2008
New Yorker: NSA's McConnell Still Sort of Creepy
Wired has some nuggets from a New Yorker interview with Director of National Intelligence Michael McConnell:
"In the piece, McConnell returns, in flamboyant style, to his exaggerating ways, hyping threats and statistics to further his bureaucratic aims. For example, McConnell regurgitates the hoary myth that computer crime costs America $100 billion a year. THREAT LEVEL traced down the source of that fake-factoid in September to a former privacy officer for the state of Colorado.
"Presumably using unsupported stats like that, in May 2007 McConnell convinced President Bush that a massive cyber-attack on a single U.S. bank would be worse for the economy than the deadly terrorist attacks of September 11, the article reports. In response, the NSA developed a mind-boggling, but still incomplete, plan to eavesdrop on the internet in order to protect it.
...
"It says something ominous about McConnell's priorities if he believes a DDOS attack on Bank of America, or even a computer intrusion that wiped out its database (and magically purged its backup tapes), would be worse than an attack that killed 3,000 Americans."
(Link)
Posted by mhall at 3:07 PM
January 15, 2008
US-CERT: Attack Vector Targets UPnP
"US-CERT is aware of an attack vector targeting networking devices that support UPnP (Universal Plug and Play). This specific attack occurs via a maliciously crafted SWF file that is contained in a web site. When the web site is visited, changes may occur to a router's configuration via UPnP. This may allow an attacker to change any parameter on the router or device that can be set by UPnP.
"US-CERT recommends that users consider disabling UPnP. (Note: Disabling UPnP may cause applications that rely on UPnP to fail or operate with reduced functionality.)"
(Link)
GNUCitizen published details on the vector as well as a demonstration: http://www.gnucitizen.org/projects/hacking-the-interwebs/Test.mxml
Posted by mhall at 1:40 PM
Mac Users Celebrate Macworld Keynote With Their Own Scam Security App
F-Secure says it has found "the first Mac rogue application and it's called MacSweeper:"
"It claims to clean your Mac from compromising files and it will always find something to fix/clean but the only way to do so is to buy the program.
"Once installed it will also randomly show a big popup window stating that your privacy is compromised and again prompt you to buy the program.
"Even more telling that it's a scam is the fact that when you visit the MacSweeper website with a PC and click on 'Scan', it will tell you that you have security vulnerabilities in folders that only exist on Mac like system_root/home. ...
"Looking more at their website we found that they have copied the text describing the company directly from Symantec and just changed the name."
(Link)
Posted by mhall at 1:01 PM
January 14, 2008
MySpace Reaches Anti-Predator Accord With States
"MySpace already reviews all images and videos that users post on their pages, mostly through technological filtering. The site also deletes the profiles of registered sex offenders and makes the profiles of 14- and 15-year-olds automatically private.
"Under the agreement announced Monday, MySpace will classify as private all profiles of users under the age of 18, strengthen its response to complaints of inappropriate content on the site, and organize a task force of Internet businesses, nonprofit organizations and technology companies to review and develop online safety tools. The site will also accept independent monitoring. The agreement is not a binding legal document, and users will likely be able to circumvent some of the changes."
(Link)
Posted by mhall at 3:05 PM
January 11, 2008
Congress: Big Brother Might Be Broke, But His Cronies Get Paid
Have you ever been to a government security trade show? I have. There was one running next to Interop a few years ago, and I wandered in to see what I was missing. It was surreal.
My immediate impression was informed by the utter sobriety of the show floor. Interop and its ilk have a whole layer of participants who premise their entire booth's appeal on the widespread networking nerd delusion that booth babes might actually be, you know, available. The ones they can't hook with sex they rope in with a chance to win an iPod. Or a line conditioning UPS.
At that security show? No booth babes. No free stuff. Just unfriendly men with crew cuts and maroon jackets selling stuff like remote controlled submersible harbor cameras and bomb-sniffing dog training. Oh ... and an overwhelming vibe that, spoken or unspoken, every pitch begins with "In the post-9/11 world." The people manning the booths at that show are far too sober in bearing and mien to actually yell "Yahoo! Gold rush time!" but come on ... in the past six years The Security Industry has gotten a whole new lease on life, and the government's homeland security apparatus is its bread and butter.
Wired's Threat Level has some of the details on what appears to be cronyism at the Transportation Security Administration, centered around a Web site the organization developed in 2006:
"Trying to handle the thousands of paper requests from travelers being inconvenienced by the government's bloated watch lists (more than 800,000 names-long at last count) the TSA launched the website in October 2006 with the approval of its chief information security officer, who failed to notice blatant security holes.
"The TSA took the site down in February 2007, after security researcher Christopher Soghoian first noticed problems with the site and THREAT LEVEL detailed the 15 reasons the site looked like a phishing scam.
... "TSA denied there were any vulnerabilities -- saying it was 'just a small glitch.' But House Oversight Committee Chairman Henry Waxman (D-Ca.) decided to look into the matter and requested documents from the TSA."
According to Wired, in the end, they found that nobody at the TSA had any idea the site had numerous vulnerabilities, and that the site was built under a no-bid contract awarded to the former employer of a TSA employee who utterly failed to ensure the job was done right. Nobody was disciplined, the company that botched the work held on to another contract, and it even got another contract for the kind of work it bungled.
In the meantime, researchers who exposed problems with the TSA's security procedures found their homes being raided in the night. Christopher Soghoian was on the receiving end of one of those raids, and he's feeling justifiably vindicated.
Wired and Soghoian both contacted officials involved in this scandal, and the comments they got in return are reflective of the sort of unaccountable mindset you find deep in bureaucracies like the TSA.
Here's the thing: Our collective security depends not on private citizens or the government acting independently of each other, but on both working as genuine partners. You can't create a bureaucracy that'll make everything safe and secure, and you can't turn vigilantes loose. You have to have a competent government initiative that earns trust and cooperation. The TSA has squandered most of the trust people gave it, both with things like this and with the sheer ineptitude required for shenanigans like detaining five-year-old boys because their names are on no-fly lists.
Hopefully Congressional oversight will bring a little accountability to the TSA.
Posted by mhall at 4:20 PM
January 10, 2008
Justice Dept: Don't Sweat FISA: Big Brother's Broke Anyway
Not to get too political about it, but there's something mildly amusing about an administration that panders to the "starve the beast" crowd, yet has a yen for establishing a surveillance state, having to drop wiretaps because it can't pay its phone bills on time:
"Telephone companies have cut off FBI wiretaps used to eavesdrop on suspected criminals because of the bureau's repeated failures to pay phone bills on time.
"A Justice Department audit released Thursday blamed the lost connections on the FBI's lax oversight of money used in undercover investigations. Poor supervision of the program also allowed one agent to steal $25,000, the audit said.
"In at least one case, a wiretap used in a Foreign Intelligence Surveillance Act investigation 'was halted due to untimely payment,' the audit found. FISA wiretaps are used in the government's most sensitive and secretive criminal investigations, and allow eavesdropping on suspected terrorists or spies."
Mildly amusing if you think having to drop wiretaps on terrorists is funny, anyhow.
(Link)
Posted by mhall at 4:50 PM
Bruce Schneier: "Securing my wireless network isn't worth it."
Security dude Bruce Schneier says he doesn't bother enabling encryption on his home wireless network:
"To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous.
"I'm told that uninvited strangers may sit in their cars in front of my house, and use my network to send spam, eavesdrop on my passwords, and upload and download everything from pirated movies to child pornography. As a result, I risk all sorts of bad things happening to me, from seeing my IP address blacklisted to having the police crash through my door.
"While this is technically true, I don't think it's much of a risk. I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house. And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence."
I have a friend here in Portland who runs an open wireless network on the same principles of mutualism and neighborliness. The only thing I'm aware of that she's suffered from is one persistent bandwidth hog somewhere in close proximity.
I'm not very interested in leaving my own network open for a few reasons, the biggest one being a testbed server I've got sitting here on the network. If it's too much trouble for Schneier to configure his network security, it's too much trouble for me to secure that one, continually changing box. How good are the chances someone could come along and find it, exploit it and use it for evil purposes? Astronomically poor. I think I don't care.
He also mentions that evildoers are more likely to use any of the "five open wireless networks in coffee shops within a mile" of his house.
The proliferation of open wireless access also blunts my enthusiasm for leaving the front door of my network open.
Points to him for honesty when he reports the reactions of lawyers to his approach:
"While none thought you could be successfully prosecuted just because someone else used your network to commit a crime, any investigation could be time-consuming and expensive. You might have your computer equipment seized, and if you have any contraband of your own on your machine, it could be a delicate situation. Also, prosecutors aren't always the most technically savvy bunch, and you might end up being charged despite your innocence. The lawyers I spoke with say most defense attorneys will advise you to reach a plea agreement rather than risk going to trial on child-pornography charges."
Finally, he offers this, which is really the root of the problem:
"If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much."
So: there are lots of open access points businesses are happy to provide, and unless you're the type to shrug off stuff like "cops impound all your computer stuff and you end up having to cop a plea for something that'll end up getting you on a registered sex offender list," the consequences of not flipping the encryption switch will be brutal, and besides ... you're Bruce Freaking Schneier, so just ... you know ... secure your computer!
I'm not there yet.
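Schneier's closing point, that the host has to be safe regardless of which network it sits on, turns into a concrete check for a box like that testbed server: what is actually listening on it, and on which interfaces? The script below is an added example written for this post, not code from Schneier or from anything linked here. It parses `ss -tlnpH`-style output (the constructed sample embedded in it is example data, not a real host) and flags every TCP listener that is bound to something other than a loopback address. Anything it reports is reachable by whoever is parked on your wireless, encrypted or not.

```python
import ipaddress
import subprocess

# Constructed sample output in the shape of `ss -tlnpH` (no header, numeric
# addresses, listening TCP sockets with owning process). Example data only.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128   0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:5432   0.0.0.0:* users:(("postgres",pid=901,fd=5))
LISTEN 0 511   0.0.0.0:8080   0.0.0.0:* users:(("python3",pid=1402,fd=4))
LISTEN 0 128      [::]:80        [::]:* users:(("nginx",pid=655,fd=6))
LISTEN 0 128     [::1]:6379      [::]:* users:(("redis-server",pid=777,fd=6))
"""

def parse_listener(line):
    """Return (address, port, process) for one ss line, or None if it is not a listener."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    local = fields[3]
    addr, _, port = local.rpartition(":")   # rpartition: IPv6 addresses contain colons
    addr = addr.strip("[]")
    if addr in ("", "*"):                   # ss prints '*' for a wildcard bind in some setups
        addr = "0.0.0.0"
    process = "?"                           # process column is absent without -p or root
    if len(fields) > 5 and fields[5].startswith("users:"):
        process = fields[5].split('"')[1]   # users:(("sshd",pid=812,fd=3)) -> sshd
    return addr, int(port), process

def is_exposed(addr):
    """A socket is reachable from the network unless it is bound to a loopback address."""
    return not ipaddress.ip_address(addr).is_loopback

def exposed_services(ss_output, allowed_ports=frozenset()):
    """List (port, process) for listeners reachable from the LAN that are not explicitly allowed."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        addr, port, process = parsed
        if is_exposed(addr) and port not in allowed_ports:
            findings.append((port, process))
    return findings

def live_ss_output():
    """Run ss on this host; returns None if ss is unavailable (e.g. a non-Linux box)."""
    try:
        return subprocess.run(["ss", "-tlnpH"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None

if __name__ == "__main__":
    output = live_ss_output() or SAMPLE_SS_OUTPUT
    for port, process in exposed_services(output, allowed_ports={22}):
        print(f"port {port} ({process}) is reachable from the network; bind it to localhost or firewall it")
```

Run against the sample, with SSH allowed, it reports the web server on 8080 and nginx on 80; the Postgres and Redis listeners are bound to loopback and don't count. The allowlist is the only judgment call: a port is either something you meant to serve to the LAN, or it's something to rebind to 127.0.0.1 or put behind a host firewall, and that decision is exactly the one the encryption switch on the router was letting you skip.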
(Link)
Posted by mhall at 4:44 PM
January 9, 2008
Nugache Overhauled, Overtaking Storm Worm?
I recently read "A Fire Upon the Deep," so the notion that we might have multiple enormous botnets roaming the 'net, slowly working toward some transcendent state, tickles me ever so slightly. In this case, it looks like Nugache, which didn't appear to have the legs Storm did, has helped itself to some of Storm's tricks and techniques.
"An upgraded spam-blasting worm could be poised to surpass the durable Storm worm as the nastiest botnet on the Internet. Or not. Therein lies the uncertainty of predicting how malware evolves.
"The worm, called Nugache, has been around since before Storm. However, Nugache never proved particularly powerful or widespread.
"In recent weeks, however, malware researcher Secure Computing noticed that Nugache has been revised and updated, making it as powerful as Storm in many ways.
And there are some market considerations at work, evidently:
"Despite concerted efforts to eradicate it, Storm has hung on. What may be helping Nugache's rise is that the operators of the Storm worm seem to be reducing its size and selling off chunks of it to spammers, thus breaking it up.
"Nugache's operators, meanwhile, are filling the void by massively undercutting Storm's prices, according to Secure Computing."
(Link)
Posted by mhall at 5:34 PM
January 8, 2008
Trust Me, I'm From the Computer Forensics Guild!
There are all sorts of computer "experts" who give me the willies, especially when you get cases where school teachers face jail time because a malware infection spawned some porn on their classroom machine. It points to the need for real expertise in sorting things out, and not the sort that we see running around non-IT organizations, where some blowhard who happens to know a bit more than those around him can ensconce himself as the house guru.
So some states are doing something about the issue of just who gets to be a "computer forensics expert" in court:
"Historically, the definition of what constitutes a "computer forensics expert" has been a loose one. Now, however, a number of states have taken action to tighten the rules and regulations that must be met in order for such an investigator to testify in court. South Carolina is one state considering such changes; a bill is up for consideration there that would only allow computer forensic experts to testify in court if those experts are employed by (or own, presumably) businesses that primarily engage in legal work or divorce cases. In essence, the bill would require digital forensic analysts to obtain a PI (private investigator) license if they wish to testify in court.
...
"... Critics, however, worry that the new South Carolina legislation will put the title of computer forensic expert in the hands of PIs across the state who are utterly unequipped to handle real computer forensics. Such an outcome would lower the quality of digital forensic analysis available to both the state and to defendants; it could potentially affect trial outcome."
Yeah ... that seems like a potential problem. You can sense the desire to keep from creating a whole new licensing agency with all the attendant headaches that would come from hammering out how you validate "expertise," but then again you've still got school teachers who come within inches of jail time because of the testimony of self-styled experts.
Rather than treating computer forensics like some sort of weird contingency concern, maybe licensing should get its own agency and the attendant headaches that come from hammering out how you validate "expertise."
(Link)
Posted by mhall at 5:41 PM
January 7, 2008
Followup: Facebook "Secret Crush" Spyware Report Contested
Zango says the Secret Crush Facebook app, which Fortinet reported was spreading Zango's software, is not affiliated with it:
"Fortinet's so-called 'Advisory,' issued Wednesday with the attention-seeking headline 'Facebook Widget Installing Spyware,' is completely false as it relates to Zango. A thorough investigation by Zango security personnel reveals no silent or surreptitious installation of any software, much less any 'spyware,' by or in connection with the 'Secret Crush' widget. Zango has attempted in multiple ways to communicate with Fortinet, all of which have been substantively unsuccessful. The Secret Crush widget is not affiliated with Zango."
(Link)
Posted by mhall at 7:25 PM
Followup: Sears Sued for Privacy Blunder
Remember just last week, when people said Sears was installing spyware on their computers and Sears said "Nuh uh! And anyhow, everything Sears collects is completely anonymous?"
Well ...
"A class action lawsuit was filed against Sears Roebuck last Friday, alleging that one of the company's Websites was exposing the personal information of the retail giant's warranty customers.
"According to a filing in Cook County court in Illinois, the Sears Website, called Manage My Home, allowed users to enter others' addresses into a database and collect information about their purchasing habits, as well as all of the Sears-warrantied products in the home.
"The lawsuit was filed just days after two researchers alleged that Sears was distributing spyware from its customer community Website. (See Is Sears Sending Spyware to Customers?)
"According to the court filing, the Manage My Home site provided a simple login that could easily be faked, and then offered fields that enabled the user to type in any street address -- and collect all of the information about warrantied products at that address."
I don't know if Sears is still insisting that its privacy safeguards are top notch, but I'm still saying this:
"... the issue with this stuff is almost never 'What is Sears up to?' so much as it is 'Why does Sears need so much information, and what steps has it taken to make sure that information is useless if it's compromised?'"
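What the filing describes is a lookup that checks whether you are logged in and then hands back whatever household you typed into the form. As an added example for this post (not Sears' code; the account names, the warranty records and the function names are all constructed for illustration), here is that flaw next to the fix, with a scraper loop to show why the difference matters:

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for a warranty database keyed by street
# address. None of it is real.
WARRANTIES = {
    "100 Main St, Anytown": ["Kenmore washer, warranty to 2009-03",
                             "Craftsman mower, warranty to 2010-06"],
    "200 Oak Ave, Anytown": ["Kenmore refrigerator, warranty to 2011-01"],
}

@dataclass
class Account:
    name: str
    verified: bool                                # identity checked at sign-up, not just an e-mail
    addresses: set = field(default_factory=set)   # addresses this customer registered

# Constructed accounts: alice owns 100 Main St; mallory is a stranger with a login.
ACCOUNTS = {
    "alice": Account("alice", True, {"100 Main St, Anytown"}),
    "mallory": Account("mallory", True),
    "guest": Account("guest", False),
}

AUDIT_LOG = []  # denied lookups, so the detection side can see the scraping

class LoginRequired(Exception):
    pass

def lookup_vulnerable(user, address):
    """The flaw the filing describes: being logged in is the only gate, and the
    address comes straight from the form. Any user can read any household."""
    if user not in ACCOUNTS:
        raise LoginRequired(user)
    return WARRANTIES.get(address, [])

def lookup_hardened(user, address):
    """Authorize the object, not just the session: a caller may only read
    addresses registered to their own verified account. An address that is
    not theirs gets the same empty answer as an address with no records, so
    the endpoint cannot be used to enumerate which addresses exist."""
    acct = ACCOUNTS.get(user)
    if acct is None or not acct.verified:
        raise LoginRequired(user)
    if address not in acct.addresses:
        AUDIT_LOG.append((user, address))
        return []
    return WARRANTIES.get(address, [])

def harvest(lookup, user, candidate_addresses):
    """What a scraper does with the form: feed it a street list and keep the hits."""
    hits = {}
    for address in candidate_addresses:
        products = lookup(user, address)
        if products:
            hits[address] = products
    return hits

if __name__ == "__main__":
    streets = ["100 Main St, Anytown", "200 Oak Ave, Anytown", "300 Elm Rd, Anytown"]
    print("vulnerable:", harvest(lookup_vulnerable, "mallory", streets))
    print("hardened:  ", harvest(lookup_hardened, "mallory", streets))
    print("audit log: ", AUDIT_LOG)
```

Run it and the vulnerable lookup lets "mallory" walk a street list and come away with every warrantied appliance in two households; the hardened one gives the same stranger nothing and leaves a record of the attempt. Note the fix is not a better login screen. The filing says the login was easy to fake, but even a perfect login wouldn't help a site that answers questions about other people's homes to anyone who has one.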
(Link)