
April 30, 2008

Mass Disappointment as Microsoft Fails to Let Big Brother in Through the USB Port

The Seattle Times reports on the sort of thing your favorite paranoiac is sure to go completely ape over:

“Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.

“The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

“The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.

“It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

Well, crud … I was all set to go into total hysterics about a Top Secret Federal Windows Backdoor Program when Threat Level went and busted my bubble:

“In reality, COFEE doesn’t need a backdoor to operate. And it’s not a USB memory stick, although agents use a memory stick to run the tool on targeted machines.

“COFEE, according to forensic folk who have used it, is simply a suite of 150 bundled off-the-shelf forensic tools that run from a script. None of the tools are new or were created by Microsoft. Microsoft simply combined existing programs into a portable tool that can be used in the field before agents bring a computer back to their forensic lab.

“Microsoft wouldn’t disclose which tools are in the suite other than that they’re all publicly available, but a forensic expert told me that when he tested the product last year it included standard forensic products like Windows Forensic Toolchest (WFT) and RootkitRevealer.”

It’s maybe a little entertaining that Microsoft won’t tell people what’s in the suite, but then again, if you’re serious enough to care you can probably figure it out for yourself.

Posted by mhall at 4:21 PM

April 29, 2008

Your Chatty, Treasonous iPhone & Notes from Interop

Rich Mogull on his iPhone deciding it liked a stray network:

“Turns out I was connected to ‘tsunami’ which is a common default name on Cisco wireless gear. Like the Cisco gear in our community center, which just a week or so before I was playing with. And that got me thinking.

“Many of you probably connect to wireless networks with common names, like Linksys, 2WIRExx, tsunami, or whatever. In other words, either default networks, or names (like those used at conferences and airports) that are in common use or easy to find. But when you remember those on your iPhone (or computer for that sake), it only remembers the network ID (SSID), not the actual network!

“Your iPhone doesn’t know the difference between ‘tsunami’ in your community center, ‘tsunami’ in an office building, and ‘tsunami’ running on some bad guy’s laptop to see what naive fools will connect to it. When you trust a network you’re just trusting a name anyone can use, not something really unique to that network. Your iPhone will then connect to any network using that name.”

Seeing as how I’m sitting here in the press room at Interop and can count 10 wireless networks, several of which invoke the “interop” brand without any indication of whether they’re “official” or just the preserve of some smirking ponytail, wireless security is on my mind. The air is abuzz back at my hotel, too, where there are two networks named for the hotel and where the one for guests isn’t really labeled as such. The instructions the hotel gives don’t anticipate that condition, which strikes me as a glaring gap in the documentation for any publicly available network in 2008.

Elsewhere at Interop

I had a lot of chats with security companies today. Smaller players are happy with yesterday’s announcement that Cisco is cooperating with the Interface for Metadata Access Point (IF-MAP) specification because they sense the opportunity to operate in a standards-driven market. If the rotting corpse of NAC-the-marketing-initiative will fertilize the ground and make way for NAC-the-thing-everyone-just-does-same-as-any-other-basic-function, then I guess I’m glad the corpse has spent the last year stinking up the place.

I also had a briefing with a company that specializes in identifying which users on a network are the most egregious bandwidth hogs/goof-offs. They were pretty clear about their core users: HR departments who want to put together a list of abuses quickly and easily, and supervisors who want to gather enough evidence of misuse/overuse of the Internet in whatever form so they can go complain to HR in the first place.

Their approach differed from other companies I’ve talked to about user behavior modification. Some take an instructive approach, offering admins the chance to pop up windows telling an abusive user his or her behavior is in violation of some policy or another. This company just throttles targeted services and sites to the point they’re unusable, and lets users draw their own conclusions. Whatever conclusions they haven’t drawn by seeing HR people swooping down from their mountain caves waving sheaves of bandwidth consumption reports, anyhow.

My gut reaction to employee monitoring software is almost invariably negative. I’ve been put in the position of using that kind of software, and I didn’t like it. But a moment’s reflection usually causes me to reconsider. I don’t care about the software that much. I’m just bothered by certain management mentalities. How many HR departments are using this sort of thing to counsel employees, and how many are using it as simple ammo?

My own experience with a manager eager to deploy surveillance software was a poor one: She wanted a cudgel, and she didn’t want anyone knowing the software was in use so her cudgel would be that much more shocking when it was applied. I don’t think much of that kind of gotcha management.

Posted by mhall at 7:00 PM

April 28, 2008

Jobs.com Says Profiles Are Permanent

The Consumerist on an unfortunate situation between Jobs.com and someone who has found his information being used elsewhere:

"Dan is pissed because Jobs.com won't remove his name, email address, phone number, and home address from their servers. For reasons unknown, someone else set up a profile with his personal info on Jobs.com. When Dan contacted Jobs.com, they said that because they 'must account for all transactions and account histories' they couldn't delete the info. They also assured him that since he didn't have a resume posted, recruiters can't search or view his information. Dan feels Jobs.com internal 'requirements' shouldn't have any bearing on his right to privacy. What do you think?"

This summary isn't quite in sync with the transcript provided in the entry. It reads a little more clearly if you replace the second sentence with:

"For reasons unknown, someone else set up a profile with his personal info from Jobs.com."

Dan apparently set up a Jobs.com profile at some point, then found that the information he provided there was being put to use elsewhere. Whether by one of Jobs.com's "partners," a ubiquitous escape clause in a lot of privacy policies, or by someone who just came along and scraped the information, is unclear.

Now, Dan's unhappy that his profile is being scraped/reused/whatever, and he wants Jobs.com to take it down. Jobs.com is acting about like Facebook was acting a few months ago, before the New York Times came along and took up the cause.

If Jobs.com truly does have to keep information around in perpetuity, it seems to me that its engineers should figure out how to keep a record in the database while making it unavailable for public consumption. That's the very least Jobs.com can do, and it's still inadequate. "Adequate" would involve a records log that sits independent of the active user database.

The answer for "Dan," however, is one Consumerist readers have already suggested: He needs to overwrite his profile with information that effectively decouples his profile from his personal identity. Even if he can't completely zero out the profile, he can make it less harmful to his privacy.

(Link)
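One way to do what the post asks for, as an added example and not anything Jobs.com actually runs: keep the accounting record in a log table that sits apart from the searchable profile table, and make "deletion" scrub the profile while the log keeps only a keyed hash of the identity. It uses Python's built-in sqlite3; the table layout, the log key and the sample profile are all constructed for this example.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE profiles (
    id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT, address TEXT,
    status TEXT NOT NULL DEFAULT 'active'
);
-- Independent record of what happened. It holds a keyed hash of the identity,
-- never the personal data itself, so it can satisfy "account for all transactions"
-- without being a second copy of the profile.
CREATE TABLE transaction_log (
    id INTEGER PRIMARY KEY, profile_id INTEGER NOT NULL, event TEXT NOT NULL,
    subject_hash TEXT NOT NULL, at TEXT NOT NULL
);
"""
LOG_KEY = b"constructed-secret-for-example"   # assumption: kept outside the active database


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _subject_hash(email):
    """Keyed hash: the log can be matched against a known email on demand, but the
    log alone does not reveal whose record it is."""
    return hashlib.blake2b(email.lower().encode(), key=LOG_KEY, digest_size=16).hexdigest()


def _log(conn, profile_id, event, email):
    conn.execute("INSERT INTO transaction_log (profile_id, event, subject_hash, at) VALUES (?,?,?,?)",
                 (profile_id, event, _subject_hash(email), datetime.now(timezone.utc).isoformat()))


def create_profile(conn, name, email, phone, address):
    cur = conn.execute("INSERT INTO profiles (name, email, phone, address) VALUES (?,?,?,?)",
                       (name, email, phone, address))
    _log(conn, cur.lastrowid, "created", email)
    return cur.lastrowid


def retire_profile(conn, profile_id):
    """Remove personal data from the active table; the ledger entry survives."""
    row = conn.execute("SELECT email FROM profiles WHERE id = ?", (profile_id,)).fetchone()
    if row is None or row[0] is None:          # unknown id, or already retired
        return False
    _log(conn, profile_id, "retired", row[0])
    conn.execute("UPDATE profiles SET name = NULL, email = NULL, phone = NULL, address = NULL, "
                 "status = 'retired' WHERE id = ?", (profile_id,))
    return True


def search_profiles(conn, email):
    """What recruiters (or scrapers) can see: active rows only."""
    return conn.execute("SELECT id, name FROM profiles WHERE status = 'active' AND email = ?",
                        (email,)).fetchall()


def history_for(conn, email):
    """Accounting view: events tied to the identity, found through the keyed hash."""
    return [r[0] for r in conn.execute(
        "SELECT event FROM transaction_log WHERE subject_hash = ? ORDER BY id",
        (_subject_hash(email),))]


if __name__ == "__main__":
    db = open_db()
    pid = create_profile(db, "Dan", "dan@example.net", "555-0100", "1 Main St")  # constructed
    print(search_profiles(db, "dan@example.net"))   # [(1, 'Dan')]
    retire_profile(db, pid)
    print(search_profiles(db, "dan@example.net"))   # []
    print(history_for(db, "dan@example.net"))       # ['created', 'retired']
```

The point of the split is that the "we must keep account histories" requirement is met by transaction_log, so nothing in it forces the personal fields to stay in profiles.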

Posted by mhall at 2:52 PM

April 24, 2008

.arpa, .org and .uk Soon to Go DNSSEC

Huh:

“ICANN officials said the organization plans to add DNSSEC to its .arpa Internet domain servers, and that the .org domain servers (run by PIR) as well as the .uk servers also will go DNSSEC soon. Country domains .swe (Sweden), .br (Brazil), and .bg (Bulgaria ) already run the secure version of DNS for their domain servers.

“DNSSEC, which stands for DNS Security Extensions, digitally signs DNS records so that DNS responses are validated as legitimate and not hacked or tampered with. That ensures users don’t get sent to phishing sites, for example, when requesting a legitimate Website. DNS security increasingly has become a concern, with DNS prone to these so-called cache poisoning attacks, as well as distributed denial-of-service (DDOS) attacks like the one last year that temporarily crippled two of the Internet’s 13 DNS root servers. (See DNS Attack: Only a Warning Shot?, DNS Attack: Possible Botnet Sales Pitch , and DNS Servers in Harm’s Way.)

“But DNSSEC adoption has been slow in coming, mainly due to the complexity of managing the keys. Converting .arpa — a domain mostly relegated to Internet research sites — to DNSSEC isn’t quite the same as securing .com, but it could signal that DNSSEC is finally ready for prime time, experts say. Still, DNSSEC isn’t completely useful unless all domains have deployed it.

“ICANN says its latest DNSSEC move doesn’t signal an all-out move to DNSSEC, but it’s a start. ‘Every time another top-level domain signs on, that’s progress,’ says Richard Lamb, an engineer with ICANN who helped build its DNSSEC testbed. ‘Whether it means the DNS root servers [will go DNSSEC] in the near future, I don’t know.’”

Charlie’s also worth reading on DNSSEC in general:

(Link)
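To make the “digitally signs DNS records” sentence concrete, here is an added example (not from the quoted article, ICANN or any resolver) that signs an RRset the way DNSSEC conceptually does and rejects a substituted answer of the cache-poisoning kind. It uses a toy textbook-RSA signature over a canonical text serialization of the RRset; real DNSSEC uses properly sized RSA or ECDSA keys, wire-format canonical ordering and RRSIG/DNSKEY records, all of which are simplified here. The key, the zone data and the names are this example's own assumptions.

```python
import hashlib

# Toy RSA key built from two Mersenne primes so the example runs offline with no
# crypto library. Far too small for real use; it only illustrates the sign/verify
# step DNSSEC adds to a DNS answer (assumption of this example).
_P = (1 << 31) - 1
_Q = (1 << 61) - 1
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python 3.8+)


def canonical_rrset(owner, rrtype, ttl, rdatas):
    """Serialize an RRset in a form signer and validator must both agree on:
    lower-cased owner name with trailing dot, fixed TTL, rdata sorted so that
    record order cannot change the hash."""
    owner = owner.lower().rstrip(".") + "."
    lines = [f"{owner} {ttl} IN {rrtype} {rd}" for rd in sorted(rdatas)]
    return "\n".join(lines).encode()


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % RSA_N


def sign_rrset(owner, rrtype, ttl, rdatas, d=RSA_D):
    """Zone owner side: produce the value that would travel in an RRSIG record."""
    return pow(_digest(canonical_rrset(owner, rrtype, ttl, rdatas)), d, RSA_N)


def verify_rrset(owner, rrtype, ttl, rdatas, signature, e=RSA_E):
    """Validating resolver side: recompute the digest and compare it with the
    signature raised to the public exponent. Any change to owner, TTL or rdata
    makes the comparison fail."""
    return pow(signature, e, RSA_N) == _digest(canonical_rrset(owner, rrtype, ttl, rdatas))


def resolver_accepts(response, signature):
    """Mimic a validating resolver deciding whether to use (and cache) an answer."""
    return verify_rrset(response["owner"], response["type"], response["ttl"],
                        response["rdata"], signature)


# Constructed sample zone data for a name under .org.
GENUINE = {"owner": "www.example.org.", "type": "A", "ttl": 3600,
           "rdata": ["192.0.2.10", "192.0.2.11"]}
SIGNATURE = sign_rrset(GENUINE["owner"], GENUINE["type"], GENUINE["ttl"], GENUINE["rdata"])

# A poisoned answer: same name, different address. The signature does not cover it.
FORGED = dict(GENUINE, rdata=["198.51.100.66"])

if __name__ == "__main__":
    print("genuine answer validates:", resolver_accepts(GENUINE, SIGNATURE))  # True
    print("forged answer validates: ", resolver_accepts(FORGED, SIGNATURE))   # False
```

The validator never needs to trust the server that handed it the answer, only the public key of the zone; that is also why the article's caveat holds: a resolver can only check signatures for zones whose keys it can chain back to something it trusts.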

Posted by mhall at 8:40 PM

April 22, 2008

XSS Watch, PA Primary Special Edition

“XSS Watch - Inaugural and Probably Last Edition,” more likely, but it’s primary day and I’m all out of red, white and blue bunting clip art.

Anyhow, a hacker found an exploit in the Obama campaign’s Web site and used it to send visitors to Hillary Clinton’s.

Netcraft’s Paul Mutton has some information on what appears to have been a prank.

Someone claiming to be the hacker posted a community blog entry on the Obama site claiming that he or she used a common cross-site scripting exploit to pull off the redirects.

CNET’s Elinor Mills says an e-mail sent to CNET late last night from someone claiming to be the hacker read: “this exploit was not at all politically motivated, and it was simply an immature prank meant purely for fun. Senator Clinton had no hand whatsoever.”

Hack the planet!

Except we all know that Senator Clinton is totally elite!

Xssed has more details on the exploit itself.

If that’s not enough political stuff for you, go play with Google’s election map, which is explained in a little detail over at the Official Google Blog.

Posted by mhall at 6:50 PM

April 21, 2008

URL Typo Correction Services Kill

ISPs eager to monetize their users’ mistyped URLs are setting them up for trouble as the servers that handle the typo correction prove vulnerable to assorted attacks.

Being an OpenDNS user, I haven’t noticed whether my particular ISP does this or not. I’d guess it doesn’t, just because it’s pretty hands-off. If yours is, maybe OpenDNS is an alternative to consider.

“That fat-fingered URL could result in more than just a page error: Major broadband ISPs such as Earthlink, Comcast, and Verizon are running advertising servers that capture such error traffic, but these servers are also putting major Websites as well as their visitors at risk of cross-site scripting (XSS) and other attacks, according to researchers.

“Dan Kaminsky, director of penetration testing for IOActive, at ToorCon in Seattle this weekend demonstrated what he calls a ‘Provider-in-the Middle Attack’ or PITMA, an attack that steals cookies and injects content into legitimate Web pages via an ad server — in the demo, an Earthlink ad server — that contained a cross-site scripting flaw. He showed the attack to illustrate how these ad servers, which redirect a user that types in an incorrect URL, can be abused by the bad guys to compromise the Associated Press, Facebook, MySpace, and other Websites.

“Kaminsky said in an interview prior to his demo at ToorCon that the ad servers, which are run by the advertisers on behalf of the ISPs, impersonate some trademarked domains via DNS. But ISPs aren’t intentionally putting legitimate sites at risk, and the problem is more a side effect of this ad server model. ‘They are trying to monetize the vast number of eyeballs that go through them but don’t stop along the way… I don’t think the [security problem] is intentional. No one set out to make the Web less secure,’ Kaminsky says.

“But that’s just what this arrangement has done, he says. ISPs are working with error-resolution services, such as Barefruit, that help squeeze ad revenue out of URL typos so that when a user mistypes www.facebook.com, for example, his ISP sends him to a URL that’s an available subdomain of Facebook that contains ads for alternative sites to Facebook on the page, for instance. ‘They say [to the ISP]: “You deploy this box, and we’ll dynamically register and create these records when a user mistypes something,”’ Kaminsky says.”

(Link)
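An added illustration of why a reflected XSS on a catch-all “did you mean” host is worse than it looks, written for this post rather than taken from Kaminsky's demo or from any ISP's ad server. The ad host answers for an unregistered name under the real domain, so a script running there runs in a sibling of the real site; the two standard mitigations shown are to HTML-escape anything reflected into the page and to keep session cookies host-only so a sibling subdomain never receives them. The host names, the cookie records and the page template are constructed.

```python
import html

# Constructed scenario: the ISP's error-resolution box answers DNS for any
# unregistered name under example.com (say a mistyped "wwww.example.com") and
# reflects the typed host into a "did you mean" page.


def render_suggestion_page(typed_host, escape=True):
    """Build the ad server's page. With escape=False this is the reflected pattern
    the article describes; with escape=True the typed host is inert text."""
    shown = html.escape(typed_host, quote=True) if escape else typed_host
    return (f"<html><body><h1>No site at {shown}</h1>"
            f"<p>Did you mean <a href='https://www.example.com/'>www.example.com</a>?</p>"
            f"</body></html>")


def contains_verbatim(page, fragment):
    """Did the fragment reach the page unchanged (i.e. as markup, not text)?"""
    return fragment in page


def _domain_matches(cookie_domain, request_host):
    """RFC 6265 section 5.1.3 domain matching: exact match, or the request host
    ends with '.' + the cookie domain."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_sent_to(cookie, request_host):
    """Would a browser attach `cookie` to a request for `request_host`?
    No Domain attribute -> host-only: only the exact host gets it.
    Domain=example.com -> also sent to every subdomain, including one the ISP's
    ad server happens to answer for."""
    if cookie.get("domain") is None:
        return request_host.lower() == cookie["host"].lower()
    return _domain_matches(cookie["domain"], request_host)


# Constructed cookies as a site might set them from www.example.com.
SLOPPY_SESSION = {"name": "session", "host": "www.example.com", "domain": "example.com"}
HOST_ONLY_SESSION = {"name": "session", "host": "www.example.com", "domain": None}

if __name__ == "__main__":
    probe = "<b>typo</b>.example.com"          # markup where a hostname should be
    print(contains_verbatim(render_suggestion_page(probe, escape=False), probe))  # True
    print(contains_verbatim(render_suggestion_page(probe, escape=True), probe))   # False
    print(cookie_sent_to(SLOPPY_SESSION, "wwww.example.com"))     # True: reaches the ad host
    print(cookie_sent_to(HOST_ONLY_SESSION, "wwww.example.com"))  # False
```

The cookie half is the part site owners control even when they have no say over what their users' ISPs bolt onto DNS: a host-only, HttpOnly session cookie is simply not delivered to the typo host, whatever runs there.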

Previously:

Posted by mhall at 6:29 PM

April 20, 2008

The Problem With EV SSL

PayPal’s “get tough on insecure browsers” stance sounds good, but a SANS blogger argues that a browser’s support of EV SSL certificates is hardly the criterion by which PayPal should be judging browser security:

“The question remains, is a user able to discern an EV Signed site from other SSL signed sites to know the difference? Academic research indicates that, no, EV certificates make no impact on users spotting fraudulent sites or not.

“The purpose of an EV SSL certificate is to authenticate a website to a user, period. PayPal, however, is wanting to use EV SSL support as a way of authenticating a user to PayPal. That makes no sense. PayPal has an interest in authenticating people who want to use their service are valid. The presence or absence of EV SSL support in their browser is irrelevant. Does anyone really think that say, the Russian Mob, won’t be able to use IE to process PayPal transactions with stolen credentials?

“This stance won’t, for instance, prevent users from getting keyloggers on their machines to steal the information, being infected with a trojan that will silently process transactions while the user is logged-in, money mules from doing the heavy lifting for malicious individuals, cross-site scripting, or from a user giving up their credentials in a phishing attack to another website. In short, an EV SSL enabled browser proves nothing.”

(Link)

Previously:

Posted by mhall at 3:53 PM

April 18, 2008

Safari in PayPal's Crosshairs?

Some followup from PayPal’s February rumblings about Safari:

“‘In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts,’ said PayPal Chief Information Security Officer Michael Barrett.

“In a white paper that outlines a five-pronged action plan aimed at slowing the phishing epidemic, Barrett said there’s a ‘significant set of [PayPal customers] who use very old and vulnerable browsers’ and made it clear that any browser that falls into the ‘unsafe’ category will be banned.

“‘At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe—usually the oldest—browsers,’ he declared.

“Barrett only mentioned old, out-of-support versions of Microsoft’s Internet Explorer among this group of ‘unsafe browsers,’ but it’s clear his warning extends to Apple’s Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates.”

(Link)

Larry Dignan says PayPal will lose this confrontation:

“So what are the motives here? PayPal–a huge phishing target–obviously wants more protection. It obviously wants EV SSLs, but Apple won’t budge. The solution: Go public.

“But is Apple really going to be pressured this way? Highly unlikely. PayPal seems to be hung-up on EV SSL certificates, but couldn’t Apple meet anti-phishing requirements another way? Why wouldn’t Apple just create lists of offending sites or warn users if a page is sketchy? Does Apple really have to buy into EV SSL?

“Meanwhile, it’s unclear whether PayPal would actually follow through on a Safari ban. PayPal isn’t going to annoy Apple users. And it isn’t going to turn off transactions on the iPhone either. In this stand-off I’d say the advantage is all Apple.”

Posted by mhall at 4:17 PM

April 17, 2008

Do We Need More Studies on Reused Passwords?

“Using the same password for multiple Web pages is the Internet-era equivalent of having the same key for your home, car and bank safe-deposit box.

“Even though a universal password is like gold for cyber crooks because they can use it to steal all of a person’s sensitive data at once, nearly half the Internet users queried in a new survey said they use just one password for all their online accounts.

“At the same time, 88 percent of the 800 people interviewed in the U.S. and the U.K. for the survey by the Accenture consultancy, which is to be released Thursday, said personal irresponsibility is the key cause of identity theft and fraud.

“Researchers say the findings suggest that many users underestimate the growing threat from organized cyber criminals who can reap big profits from selling stolen identities.”

Blogger says the findings suggest that we all have too many passwords to deal with and adapt accordingly.

And there’s always Password Composer.

(Link)
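The Password Composer idea mentioned above, as an added example (not the tool's own code): derive a different password for each site from one memorized secret, so a database breach at one site yields nothing that works at another and the user still has only one thing to remember. The function names, the PBKDF2 round count, the site normalization rule and the sample master secret are this example's own assumptions.

```python
import base64
import hashlib
import re

PBKDF2_ROUNDS = 100_000      # assumption: slow enough to blunt offline guessing of the master
SITE_PASSWORD_LENGTH = 20


def normalize_site(site):
    """Reduce a URL or host to a stable label so 'https://Mail.Example.com/login' and
    'example.com' derive the same password. Keeps only the last two labels, which is
    a simplification (no public-suffix list) and an assumption of this example."""
    host = re.sub(r"^[a-z]+://", "", site.strip().lower()).split("/")[0].split(":")[0]
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def derive_site_password(master, site, length=SITE_PASSWORD_LENGTH):
    """Derive a site-specific password: PBKDF2-HMAC-SHA256 over the master secret
    with the normalized site name as the salt. Same master + same site -> same
    password; different site -> unrelated password; and the master cannot be
    recovered from any of them."""
    salt = b"site-password-v1:" + normalize_site(site).encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, PBKDF2_ROUNDS, 32)
    return base64.b64encode(key).decode("ascii")[:length]


def reuse_report(master, sites):
    """Derive a password per site and report whether any two collide."""
    derived = {site: derive_site_password(master, site) for site in sites}
    return len(set(derived.values())) == len(sites), derived


if __name__ == "__main__":
    master = "correct horse battery staple"    # constructed sample secret
    ok, table = reuse_report(master, ["https://mail.example.com/", "shop.example.org",
                                      "bank.example.net"])
    for site, pw in table.items():
        print(f"{site:28} -> {pw}")
    print("all distinct:", ok)
```

The weak point of this scheme is the one the survey quote already names: if the master secret itself is guessable, every derived password falls with it, and the round count only slows that down.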

Posted by mhall at 6:55 PM

April 16, 2008

FTC Asked for "Do Not Track" List

“Two consumer groups asked the Federal Trade Commission (FTC) on Tuesday to create a ‘do not track list’ that would allow computer users to bar advertisers from collecting information about them.

“The Consumer Federation of America and the Consumers Union also urged the FTC to bar collection of health information and other sensitive data by companies that do business on the Internet unless a consumer consents.

“The call echoed those of other privacy advocates who filed statements with the FTC on Internet companies’ use of behavioral advertising, which is the practice of tracking a computer user’s activities online, including Web searches and sites visited, to target advertisements to the individual consumer.”

(Link)

You can read the letter in PDF format (121 KB). It has some proposed implementation details, which the Reuters article avoids altogether:

“Any advertising entity that sets a persistent identifier on a user device would be required to provide to the FTC the domain names of the servers or other devices used to place the identifier. Companies providing Web, video, and other forms of browser applications would provide functionality (i.e., a browser feature, plug-in, or extension) that allows users to import or otherwise use the ‘Do Not Track’ registry of domain names, keep the registry up-to-date, and block domains on the registry from tracking their Internet activity.

“Advertisements from servers or other technologies that do not employ persistent identifiers would still be displayed on consumers’ computers. Thus, consumers who sign up for the ‘Do Not Track’ registry would still receive advertising.

“The ‘Do Not Track’ registry would be available on the FTC Web site for download by consumers who wish to use the list to limit tracking. We would expect the FTC to undertake broad educational efforts aimed at both consumers and industry members about the ‘Do Not Track’ registry and how to use it. It would also be important for the FTC to actively encourage all creators of browsing and other relevant technology to incorporate facilities that would enable consumers to use the registry.”

At that point, it seems fair to me for Google et al to also use the plugin/feature/extension as a “do not provide services” flag. Somehow, I don’t imagine them getting away with that.
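An added sketch, not from the consumer groups' letter or from any browser, of the client-side piece the proposal describes: load the registry of advertising domains, then let requests to listed domains (and their subdomains) go through so the ad still displays, but strip the cookies that would carry a persistent identifier in either direction. The registry contents and request hosts are constructed.

```python
class DoNotTrackRegistry:
    """Client-side registry of advertising domains, as the proposal sketches it.
    Applied at request time: ads from a listed domain still load, but the request
    goes out without cookies and any Set-Cookie it returns is dropped."""

    def __init__(self, domains=()):
        self.domains = set()
        for d in domains:
            self.add(d)

    @staticmethod
    def _normalize(host):
        return host.strip().lower().rstrip(".").lstrip(".")

    def add(self, domain):
        self.domains.add(self._normalize(domain))

    @classmethod
    def from_text(cls, text):
        """Parse a downloaded registry: one domain per line, '#' comments allowed."""
        reg = cls()
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                reg.add(line)
        return reg

    def is_listed(self, host):
        """Match on label boundaries: 'cdn.ads.example' is covered by 'ads.example',
        'nottracker.example' is not covered by 'tracker.example'."""
        labels = self._normalize(host).split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def outgoing(self, host, cookie_header):
        """Cookie header to send for a request to host: unchanged for unlisted hosts,
        removed for listed ones. The request itself is still allowed."""
        return None if self.is_listed(host) else cookie_header

    def incoming(self, host, set_cookie_headers):
        """Drop Set-Cookie headers from listed hosts so no identifier lands."""
        return [] if self.is_listed(host) else list(set_cookie_headers)


REGISTRY_TEXT = """\
# constructed sample registry, not a real list
ads.example
tracker.example   # trailing comment
"""

if __name__ == "__main__":
    reg = DoNotTrackRegistry.from_text(REGISTRY_TEXT)
    print(reg.is_listed("cdn.ads.example"))            # True
    print(reg.is_listed("nottracker.example"))         # False
    print(reg.outgoing("tracker.example", "uid=123"))  # None
    print(reg.incoming("news.example", ["a=b"]))       # ['a=b']
```

This only addresses cookie-style identifiers, which is also all the letter's "persistent identifier" language covers; it does nothing about fingerprinting or server-side logging of the request itself.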

Posted by mhall at 5:52 PM

April 15, 2008

Microsoft Argues for More Consumer Information Control

Microsoft is arguing in favor of privacy controls that would give customers a little more control over how their information is used:

“Companies that keep records of page views or collect other information about consumers for the purpose of delivering ads should post a privacy policy on the home page, implement reasonable security procedures, and retain data only as long as necessary to fulfill a legitimate business need.

“Companies that deliver ads or services to unrelated third-party sites should ensure that consumers receive notice of the privacy practices of those sites.

“Companies that develop profiles of consumer activity to deliver advertising across unrelated third-party sites should also offer consumers a choice about the use of that information.

“Third parties should be required to obtain consent from consumers before using sensitive, personally identifiable information, such as health conditions, sexual behavior or religious belief, for behavioral advertising.”

Sounds good, and perhaps slightly more expansive than what Google and others would prefer. But it also sounds like the sort of thing that could devolve into a single checkbox on a Web form, just like all the other checkboxes people click to get at something that interests them.

(Link)

Posted by mhall at 3:36 PM

April 14, 2008

If You Heart Your Privacy, Thank a Librarian

The librarian at my high school reportedly locked herself in the library to keep a group of parents from getting in and confiscating “Slaughterhouse 5.” I have no idea how true that story was. The book hadn’t been taught for some time, we could see stacks of it sitting in the English office, and when those of us who read it independently asked why it wasn’t taught, we were told the school board had ordered it off the curriculum thanks to the protests of some parents.

Either way, I took the story as true at the time and it gave me the beginnings of an appreciation for how librarians can end up out front on civil liberties issues. Here’s a brief piece on how they’re involved in privacy issues in the age of PATRIOT:

“Librarians will go a long way to defend the privacy of their patrons’ reading habits. How far will you go to defend the privacy of your customers’ information and your employees’ personal data?

“In 2003, the chief librarian of the city of Santa Cruz, Calif., was able to warn her patrons about whether the FBI had served a National Security Letter (NSL) demanding information about who was reading what books. She managed that task despite specific provisions in the USA Patriot Act at the time that prohibited librarians or booksellers from revealing to anyone that they’d been issued an NSL.

“So, how did the librarian get the word out? By regularly reporting to the library board that no NSL had been issued to any of the city’s 10 branches, which was perfectly legal. Everyone knew that if the chief librarian failed to report that nothing had happened, then indeed an NSL had been served.”

(Link)

Posted by mhall at 8:46 PM

April 11, 2008

So Long, Attrition

Attrition.org is calling it quits:

“Much like Attrition.org’s past defacement mirror, the time has come for us to say ‘no mas’. In the past few weeks, it has come to our attention that too many people are more concerned with making a profit off of our work without any offer of acknowledgement or compensation. For those who aren’t familiar with Attrition, we’re a non-profit hobby site that takes on ‘projects’ as we see fit, when we want to, and when we have time. For those who are familiar with Attrition, you probably know that we don’t take kindly to being dealt with unfairly. Commercial entities, including ‘identity-theft prevention’ upstarts and book authors, will gladly contact us, ask for information and advice, and then not even offer us the equivalent of a reach-around when selling their materials. We don’t pimp our resources to others; they come to us. Unfortunately, more often than not, they won’t even send us a ‘thank you’. We’ve mentioned it in the past, but we’re not going to mention it in the future. This is the last mention.”

Too bad. Time to update the blogroll.

(Link) (via)

Update: Or not.

At least I don’t have to update the blogroll.

Posted by mhall at 6:09 PM

April 10, 2008

Don't Blame the Sub-Prime Meltdown for the NAC Market's Underperformance

"RSA 2008 Conference -- Roiled in equal parts by a troubled economy and a market sector in retrenchment, network access control vendors are regrouping with cheaper options to entice IT users to buy.

"NAC 'appliances' are now the order of the day, essentially smaller scale boxes for authentication and access priced under $10,000 apiece, and a far cry from the grander schemes of health checks via multi-vendor end points that comprised a security management framework.

"The once high-flying NAC sector has fallen on harder times of late. NAC vendor Lockdown Networks shut its doors late last month; Caymas Systems went out of business last year. Vernier Networks is reportedly going to relaunch itself outside the NAC market. (See Lockdown Networks Shuts Down.)

"'Lockdown had strong technology, but I guess the market for NAC didn't take off as fast as people expected to,' says Amith Krishnan, Microsoft's senior product manager for network access protection (NAP), Redmond's flavor of NAC. 'But I think the market has started to mature and people understand it's not just enforcement that's going to drive NAC.'"

NAC as a "market" or "industry" was a terrible idea to begin with. It was a marketing excuse to consolidate customers on one platform, and it flew out of control. If some of these companies had targeted the Web economy 10 years ago, they would have been trying to sell browser back buttons.

(Link)

Previously:

Posted by mhall at 2:02 PM

Tech Company 101: When In Doubt, Form a "Coalition."

What do AOL, Comcast, eBay, EDS, Facebook, Google, Internet Alliance, Monster, NAi, NetChoice, Reed Elsevier and Yahoo! all have in common?

They’re members of the State Privacy and Security Coalition, which is deeply, deeply concerned about proposed privacy legislation in New York.

I think I read somewhere that they originally called themselves the “Pesky Gubmint Butt Out of Our Bidness Coz We’re Tryin’ ta Make a Buck Here Coalition,” but it didn’t test well, so they opted for preemptive brand dilution instead.

(Link)

Posted by mhall at 1:32 PM

April 8, 2008

Symantec Threat Report: Web Threats Outnumber Traditional Malware

There aren't a lot of surprises to be found in the semi-annual Internet Security Threat Report from Symantec.  The trend is still with Web-based vulnerabilities:

"In the past, traditional attack activity primarily used widespread, broadcast attacks aimed at computers deployed on networks. However, as administrators and vendors fortified perimeter defenses with tools such as firewalls and intrusion detection/prevention systems (IDS/IPS), attackers responded by adopting new tactics. Instead of trying to penetrate networks with high-volume broadcast attacks, attackers have adopted stealthier, more focused techniques that target individual computers through the World Wide Web. This may be driven, in part, by the fact that compromises that affect computers on enterprise networks are increasingly likely to be discovered and shut down. On the other hand, activity that takes place on end users’ computers and/or Web sites is less likely to be detected. As a result of these considerations, Symantec has observed that the majority of effective malicious activity has become Web-based: the Web is now the primary conduit for attack activity.

"Site-specific vulnerabilities are perhaps the most telling indication of this trend. These are vulnerabilities that affect custom or proprietary code for a specific Web site. During the last six months of 2007, 11,253 site-specific cross-site scripting vulnerabilities were documented. This is considerably higher than the 2,134 traditional vulnerabilities documented by Symantec during this period."

[Link]

Posted by mhall at 4:59 PM

April 7, 2008

Technorati Trying Tough Love With Broken Blogs

WordPress might be one of the most drop-dead simple upgrades going, but there are still a lot of aging WordPress installs out there showing symptoms of a vulnerability that allows malicious types to hide spam links on blogs such that they can't be seen through casual observation.

Spam links aren't there to be read, of course. Not by humans, anyhow. They're there to be crawled by search engine spiders, lending the credibility of an inbound link to some shady enterprise.  So I think I'm in favor of Technorati cutting negligent bloggers off at the knees:

"Because of this ongoing problem, we're discontinuing processing crawls of blogs that exhibit common symptoms of being compromised. We strongly recommend upgrading your WordPress installation. Even if you haven't been afflicted by a compromise, by the time you are aware that you have been a number of negative consequences may have already occurred (for instance, flagged spam by Technorati, Google or Yahoo!) -- this has been reported by many WordPress users."

Maybe they should extend the ban to cut off anyone with an outdated version, regardless of whether their site seems to be compromised or not. It's not like Technorati juice is some kind of entitlement.
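An added example of the kind of symptom check Technorati describes, written for this post and not taken from Technorati's crawler: walk a page's HTML and flag anchors that sit inside elements hidden from a human reader by inline style, which is the shape of the injected spam links the post talks about. The sample post HTML and the threshold are constructed.

```python
from html.parser import HTMLParser
import re

# Inline-style patterns that hide content from a visitor while leaving it in the
# source for crawlers. Heuristic and deliberately narrow; external stylesheets and
# scripts are out of scope for this example.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt|em)?(?![\w.])|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)

# Elements that never have children; they must not leave entries on the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col",
             "embed", "source", "track", "wbr"}


class HiddenLinkScanner(HTMLParser):
    """Collect links a human visitor would not see but a search-engine crawler would."""

    def __init__(self):
        super().__init__()
        self.stack = []            # one entry per open element: True if it hides content
        self.hidden_links = []
        self.visible_links = []
        self._current_href = None
        self._current_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in VOID_TAGS:
            return
        self.stack.append(bool(HIDDEN_STYLE.search(attrs.get("style") or "")))
        if tag == "a" and attrs.get("href"):
            self._current_href = attrs["href"]
            self._current_text = []

    def handle_startendtag(self, tag, attrs):
        pass                       # a self-closing element cannot contain a link

    def handle_data(self, data):
        if self._current_href is not None:
            self._current_text.append(data)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag == "a" and self._current_href is not None:
            link = (self._current_href, "".join(self._current_text).strip())
            (self.hidden_links if any(self.stack) else self.visible_links).append(link)
            self._current_href = None
        if self.stack:
            self.stack.pop()


def find_hidden_links(html_text):
    """Return (hidden_links, visible_links), each a list of (href, anchor text)."""
    scanner = HiddenLinkScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.hidden_links, scanner.visible_links


def looks_compromised(html_text, threshold=3):
    """A handful of hidden outbound links is the spam-injection signature."""
    hidden, _ = find_hidden_links(html_text)
    return len(hidden) >= threshold


# Constructed sample: one real link, three concealed ones.
SAMPLE_POST = """<div class="entry">
<p>Read my <a href="/about">about page</a>.</p>
<div style="display:none">
  <a href="http://pills.example">cheap pills</a>
  <a href="http://casino.example">casino</a>
</div>
<span style="position:absolute; left:-9999px"><a href="http://loans.example">loans</a></span>
</div>"""

if __name__ == "__main__":
    hidden, visible = find_hidden_links(SAMPLE_POST)
    print("hidden:", hidden)
    print("visible:", visible)
    print("looks compromised:", looks_compromised(SAMPLE_POST))   # True
```

Run against a blog's own rendered pages, this is also a cheap self-check for an owner who is not sure whether an old install has already been hit.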

Posted by mhall at 11:39 PM

April 4, 2008

Our Privacy Policy Is Posted Behind the Door That Says "Beware the Tiger."

"The online behavior of a small but growing number of computer users in the United States is monitored by their Internet service providers, who have access to every click and keystroke that comes down the line.

"The companies harvest the stream of data for clues to a person's interests, making money from advertisers who use the information to target their online pitches.

"The practice represents a significant expansion in the ability to track a household's Web use because it taps into Internet connections, and critics liken it to a phone company listening in on conversations. But the companies involved say customers' privacy is protected because no personally identifying details are released.

"The extent of the practice is difficult to gauge because some service providers involved have declined to discuss their practices. Many Web surfers, moreover, probably have little idea they are being monitored."

So, to review:

  • They're gathering information, in at least some of these cases, without any useful consent from the trackees (read further into the article and the reporter notes that there's little mention of the practice in a 27-page document).
  • They won't talk about it with anyone.
  • They say it's o.k. because no information is being "released."

We already know they've got a taste for surveillance, so I think it's the dumb arrogance involved in saying "well, if we don't give any information away, then there are no privacy implications" that most irritates.

[Link]

Oh ... I had this one sitting in another tab:

BT admits spying on 36,000 internet users

"BT tested secret 'spyware' on tens of thousands of its broadband customers without their knowledge, it admitted yesterday.

"It carried out covert trials of a system which monitors every internet page a user visits."

The best part of that story: Its support techs told users who thought something strange was going on that they probably had a virus.

Stay classy, BT.


Posted by mhall at 11:06 AM

April 2, 2008

Is Wanting Privacy an Evolutionary Throwback?

“But maybe it’s a cheap shot to talk about reality television and Paris Hilton. Because what we’re discussing is something more radical if only because it is more ordinary: the fact that we are in the sticky center of a vast psychological experiment, one that’s only just begun to show results. More young people are putting more personal information out in public than any older person ever would—and yet they seem mysteriously healthy and normal, save for an entirely different definition of privacy. From their perspective, it’s the extreme caution of the earlier generation that’s the narcissistic thing. Or, as Kitty put it to me, ‘Why not? What’s the worst that’s going to happen? Twenty years down the road, someone’s gonna find your picture? Just make sure it’s a great picture.’

“And after all, there is another way to look at this shift. Younger people, one could point out, are the only ones for whom it seems to have sunk in that the idea of a truly private life is already an illusion. Every street in New York has a surveillance camera. Each time you swipe your debit card at Duane Reade or use your MetroCard, that transaction is tracked. Your employer owns your e-mails. The NSA owns your phone calls. Your life is being lived in public whether you choose to acknowledge it or not.

“So it may be time to consider the possibility that young people who behave as if privacy doesn’t exist are actually the sane people, not the insane ones. For someone like me, who grew up sealing my diary with a literal lock, this may be tough to accept. But under current circumstances, a defiant belief in holding things close to your chest might not be high-minded. It might be an artifact—quaint and naive, like a determined faith that virginity keeps ladies pure. Or at least that might be true for someone who has grown up ‘putting themselves out there’ and found that the benefits of being transparent make the risks worth it.”

(Link) (ht: nerdmeyr &k )


Posted by mhall at 6:15 PM

April 1, 2008

Curiosity Wouldn't Be Such a Bad Trait for a Legislator

“You rise to become the top Democrat on the House Intelligence committee. When you get this position you become part of the elite ‘Gang of Eight,’ and as part of your intel briefings, you are told that under orders from the president, the National Security Agency set up ‘unique access points inside the U.S. telecommunications infrastructure.’ You are assured that this is legal. You are a trained lawyer.

“What do you do?

“Well, if you are one particular Congresswoman, you don’t think that it’s highly suspicious that the NSA is operating inside the United States. You don’t find a way to research the legality of the program, by getting hypothetical answers from constitutional and intelligence experts. You don’t read the Foreign Intelligence Surveillance Act to see if the program sounds legal.

“Instead, you wait until 2004 when a reporter comes sniffing around and then you warn him not to run a story.”

(Link)


Posted by mhall at 4:45 PM