
June 30, 2008

Is That a Broad Sword in Your Pocket or ... er ... a Spiffy Authentication Token?

Robert Graham of Errata Security on Blizzard’s announcement from last week that it has adopted two-factor authentication tokens for World of Warcraft:

“Blizzard is charging $6 for the tokens. This sounds like they are providing these ‘at cost’. There are other costs to Blizzard, too. They need to maintain software on the backend that works with the keys. They also need to deal with support costs, as users break the keys and lose them. The users themselves will also experience costs. They have to learn how to use their keys, and it makes logging onto their account more annoying. That last item is an important cost - WoW makes money when their games are fun, annoyances caused by security make games less fun.

“The benefits would be big. Users who use the same username/password on multiple accounts would no longer be in danger. Phishing attacks would similarly be broken. Keyloggers in malware would no longer be a threat. Hackers could update their malware from simple keyloggers to hacks that would allow them to hijack WoW sessions, but that would be very costly. Keyloggers hack a wide range of applications, not just WoW - custom software for each application may not be worth it. Moreover, if hackers do come up with techniques to hijack sessions, Blizzard could quickly counter them with their famous ‘Warden’ program.

“Blizzard’s experiment is an interest for all of us. Bank’s [sic] are trying out jury-rigged authentication schemes to avoid the difficulties of hardware devices like Blizzard’s. In our experience as pentesters and system evaluators, these schemes suck. It is our belief that no system can be successful that relies upon people being smart about their authentication credentials. If Blizzard can show success with this system in the gaming community, it’ll be a huge boost for the approach in other areas as well.”

(Link)

Blizzard has a FAQ about the new tokens, and it so happens that Paul Rubens handed in an assignment about just this sort of thing late last week. It went up today at ENP:

Enterprise Networking Planet: User Authentication Beyond the Password

Posted by mhall at 5:50 PM

June 27, 2008

When Journalists Attack

This morning I read about ICANN relaxing rules on TLDs, which will allow for a number of new dot-somethings like “.ebay” or “.some-other-brand.”

ICANN has, evidently, also approved an extension to IPv4 that will allow letters AND numbers to appear in dotted quads. Or something. You tell me:

“With the stock of available web addresses under the current IPv4 protocol set to run out by 2011, ICANN has been under pressure to find a solution for burgeoning demand.

“In theory, an infinite number of new domain names could be born, which would prove a boon for ICANN because it would receive payment for each one.”

Er … ?

(Link)

Oh … speaking of journalists, be sure to read the self-pitying flameout of the week. Maybe he’ll be able to spend his newfound free time helping AFP reporters understand the difference between a dotted quad and a domain name.

Posted by mhall at 6:49 PM

Facebook: If You Build It, They Will Come and Screw It Up

Facebook places an awful lot of trust in third party app developers:

“Until Facebook suspended the Top Friends app, created by Slide, anyone could browse partial profiles of anyone else on Facebook who had added Top Friends to their page. CNET News.com confirmed that the security hole exposed the birthdays, gender, and relationship status of strangers, including Facebook executives, the wife of Google co-founder Larry Page, and one profile that seemed to belong to Paris Hilton that used her middle name ‘Whitney.’

“Basically, the app was not obeying the privacy settings specified by the user, enabling anyone with the know-how to bypass the security once they obtained someone’s Facebook ID number.

“‘We expect third-party apps to follow the rules the users set,’ Ben Ling, director of platform product management at Facebook, said in a phone interview Wednesday. ‘With Top Friends, the privacy settings of the user were not being respected according to the privacy policy terms of use.’”

Well, if we’re going to talk about expectations as an expression of what we most fondly wish, I guess I expect a platform that takes steps to keep this sort of thing from happening at the API level, not at the “we told the darned developer, what else can we do?” level.

If we want to talk about expectations as an expression of what we think we’re going to get regardless of our fondest wishes, I don’t know whether Ling or I should be wearing the dunce cap. Because I pretty much expect this sort of thing is going to be the norm until the Conjoiners take over and we no longer need Facebook since we’ll be able to SuperPoke each other with brain waves. That doesn’t make me a dunce. What makes me a dunce is that I fully expect that sort of thing and I’m still using Facebook.

(Link)

Posted by mhall at 3:28 PM

June 26, 2008

What Was I Saying About Charter and NebuAd?

“NebuAd suffered another splash of bad press when the U.K. tech tabloid The Register scoured the professional networking sites LinkedIn and LinkSV and found that five executives at the company used to work at Claria (formerly Gator Corp.), a company that has been widely criticized as a distributor of advertising spyware.

“The controversy around NebuAd may come as a blow to ISPs hoping to cash in on the online advertising market.

“Increasingly, cable companies are looking to harness their users’ data to serve more targeted ads and create a lucrative business line. Several of the nation’s largest cable providers, including Charter (NASDAQ: CHTR), are working together to sell targeted ads across their networks under the aegis of a group called Canoe Ventures.

“A Charter spokeswoman told InternetNews.com that the company still plans to go forward with the NebuAd trial once the privacy issues have been resolved.”

Like I was saying two days ago, when Charter was using much more obfuscatory flack-speak to say about the same thing, we can read “once the privacy issues have been resolved” to mean “once we’re sure J. Random Congressguy won’t come sniffing around again.”

NebuAd isn’t some new kid on the block. Just go searching for the company in the news and you’ll see it has been around for a little while now and has taken in millions in VC. It won’t go away particularly easily, and it operates in the context of an industry that’s already overwhelmingly hostile to your privacy. Look for a few incremental changes in the overall approach that result in the same thing: Yet another entity following you around the ‘net, warehousing your browsing habits, and insisting that you trust its patent-pending technology to keep that information safe.

Claria/Gator ring a bell? Read up.

(Link)

Posted by mhall at 6:10 PM

June 25, 2008

FISA Reform in a Nutshell

Slate explains why the new wiretapping legislation “is a lot worse than you think.”:

“Here, then, is the bitter joke of the new legislation: From 2001 to 2007, the NSA engaged in a secret program that was a straightforward violation of America’s wiretapping laws. Since the program was revealed, the administration has succeeded in preventing the judiciary from making a definitive declaration that the wiretapping was a crime. Suits against the government get dismissed on state-secrets grounds, because while the program may have been illegal, it was also so highly classified that its legality can never be litigated in open court. And now suits against the telecoms will be dismissed en masse as well. Meanwhile, the new law moves the goal posts, taking illegal things the administration was doing and making them legal.

“Whatever Hoyer and Pelosi—and even Obama—say, this amounts to a retroactive blessing of the illegal program, and historically it means that the country will probably be deprived of any rigorous assessment of what precisely the administration did between 2001 and 2007. No judge will have an opportunity to call the president’s willful violation of a federal statute a crime, and no landmark ruling by the courts can serve as a warning for future generations about government excesses in dangerous times. What’s more, because the proposal so completely plays into the Bush conception of executive power, it renders meaningless any of its own provisions.”

Regardless of how I might feel about the law itself, or the NSA’s program, it’s the second graf of the text above that bothers me the worst. There will never be any real accounting and there will never be any resolution of the legal issues, except to the extent they’re “resolved” by pretending they never arose in the name of their sensitive nature.

Christopher Dodd’s speech on the matter is also good reading.

Posted by mhall at 5:24 PM

June 24, 2008

Charter Halts NebuAd Trial

Congressional involvement seems to have helped Charter along in its decision to drop a controversial user profiling service. You may remember NebuAd from a string of entries here last month (see “Previously,” below). The company makes its money by pushing ads based on behavioral data it skims from Internet users via little black boxes installed at partner ISPs.

“NebuAd pays the ISP to be able to eavesdrop on customers’ surfing in order to build profiles that can be used to serve targeted advertising on third-party websites.

“But citing customer feedback from the notifications sent to the trial areas, Charter decided not to test the technology right now, the company announced Tuesday.

“But a spokeswoman emphasized that Charter wasn’t finished with the idea of tapping into the online advertising market, something that cable companies have traditionally done with television.

“We are not moving forward with the pilots at this time. We will continue to take a thoughtful, deliberate approach with the goal to ultimately structure an advertising service that enhances the internet experience for our customers and addresses questions and concerns they’ve raised.”

NebuAd has gone to Washington to make the case that its user surveillance technology isn’t particularly dangerous or unusual for the ad industry, so I’d take Charter’s statement to mean “once NebuAd can assure us that it won’t be attracting any more unwanted attention from people besides our outraged customers, we’ll get right back down to business.”

(Link)

Previously

Posted by mhall at 7:52 PM

June 20, 2008

Would Companies Stand for Actual Electronic Privacy?

Reacting to an appeals court decision that limited employer access to some forms of employee communications, Mike Elgan of Datamation says it’s time to take things a step further by adding a layer to all communications inside a company.

Personally, the whole issue is somewhat alien to me. I cringe on behalf of friends of mine who use work addresses for personal mail because it just seems like a bad idea. At the very least, if something were to happen as in the case that was ruled on this week, I’d be faced with having to argue for a right to privacy I could have just as effectively kept by taking some common sense steps.

Anyhow, here’s Mike Elgan’s solution:

“The software industry could create stand-alone memo software, or build in memo functionality into e-mail software, that very clearly brands or labels e-mails as official company memoranda. (In fact this already exists to some degree.) The sender — and the receiver — would understand the status of these electronic documents because they would be clearly marked as such. These would be backed up and retained in perpetuity, available to management and others in the company and admissible in court as evidence. Further, they would be encrypted and unavailable, including to IT staff (a recent survey revealed that one third of IT staff routinely use their admin privileges to read employee e-mail and other sensitive documents).

“Then, the courts should go further than the 9th U.S. Circuit Court of Appeals did this week and rule that all regular e-mail and all text, including e-mail provided directly by employers, is protected, private speech. Only sender and receiver could legally read it. In other words, it would be treated exactly as many people assume it’s already treated, which is like casual spoken conversation.

“This system would remove the current, unacceptable state of affairs where people believe their communication is private, then later someone comes along and says ‘gotcha! — we recorded everything!’”

One problem with that is the way companies and organizations word their acceptable use policies. Theoretically, under the terms of a lot of them, there’s no need for a special “official” bit to be flipped on each communication, because it’s against the AUP for any communications over the company network to be anything but official in the first place.

And most AUPs, even the one involved in the case the court just ruled on, effectively remove any expectation of privacy. The police department that just lost the appeal had a problem partially because its own supervisors ignored the AUP they were supposed to be enforcing for a very long time before suddenly reversing themselves.

Elgan points out that most people don’t really understand how compromised their workplace privacy is, and I agree with that assertion. At the same time, I don’t think the onus lies on employers to subsidize a software layer to help employees out in that regard, and I don’t understand how any company in an industry with strict records retention requirements or with a need to ensure trade secrets or other sensitive information could live with a solution like this.

(Link)

Posted by mhall at 7:58 PM

June 19, 2008

Federal Appeals Court Ruling Limits Employer Access to Some Communications

Privacy groups are pleased with an appeals court ruling that limits the access employers have to employees’ electronic communications:

“Under Wednesday’s ruling by the 9th U.S. Circuit Court of Appeals, employers that contract an outside business to transmit text messages can’t read them unless the worker agrees.

“Users of text-messaging services ‘have a reasonable expectation of privacy’ regarding messages stored on the service provider’s network, Judge Kim Wardlaw wrote in the three-judge panel’s unanimous opinion.

“The ruling limits employers’ access to employee e-mail on internal servers.

“The text-message part of the ruling will affect more employers than the e-mail portion because most U.S. companies pay outside parties for text-messaging but keep e-mail on internal servers, analysts said.” — (Link) (via)

The thing is, once you read the decision (136KB PDF), it becomes clear there were more than a few extenuating circumstances.

The police department involved in the ruling, for instance, had supervisors who assured employees that their communications wouldn’t be audited. Consequently, the court reasoned, the department’s subsequent decision to read the text messages in question constituted an unreasonable search.

Past cases the ruling cites also indicate some sense of its underlying logic, including one that read “We conclude that [the employee] would enjoy a reasonable expectation of privacy in areas given over to his exclusive use, unless he was on notice from his employer that searches of the type to which he was subjected might occur from time to time for work-related purposes.”

On the other hand, the EFF’s Jennifer Granick thinks the ruling is about as expansive as the AP describes. Here are the grafs from her entry that answer any qualifications I thought I sensed:

“This ruling has two privacy friendly results. First, the police need a warrant to get your email and text messages if stored for less than 180 days. Second, even if your employer pays for your use of third party text or email services, your boss can’t get copies of your messages from that provider without your permission. Wow.

“The next issue the Ninth Circuit decides is that text messages are protected by the Fourth Amendment. The DOJ and others have argued that because email and text messages are stored by third parties that have the practical ability to read them, senders and recipients have no expectation of privacy in those messages and thus they receive no constitutional protection from unreasonable searches and seizures. The Ninth Circuit rejects this view, as a panel of the Sixth Circuit did in a landmark ruling last year, Warshak v. US. It holds that text messages, and presumably emails, are like letters or packages, and are protected even though the shipper could open them.

“One of the more complicated Fourth Amendment issues is the effect of acceptable use policies, monitoring policies or other terms of service that say that the service provider or employer reserves the right to monitor or audit the messages. While those policies may give employers or service providers the right to read messages, the question was whether law enforcement therefore could do so as well. Here, the Ninth Circuit followed its prior ruling in United States v. Heckenkamp which held that a student did not lose his reasonable expectation of privacy in information stored on his computer, despite a university policy that it could access his computer in limited circumstances while connected to the university’s network. (Full disclosure: Granick represented Heckenkamp in the first round of motions to suppress in the case.) The Court thus rejected a binary view of privacy, that user consent to access for some purposes destroyed the expectation of privacy for every purpose, including warrantless or unreasonable government searches. Unless there is regular monitoring and access, people retain a legitimate expectation of privacy in their messages.”

She also links to Orin Kerr, who notes that there are some potential points of confusion in the ruling.

Posted by mhall at 5:21 PM

Telco Immunity Flies, With an Extra Helping of Secrecy

Glenn Greenwald on the compromise FISA legislation that Congress is, apparently, set to approve:

“Perhaps the most repellent part of this bill (though that’s obviously a close competition) is 802(c) of the telecom amnesty section. That says that the Attorney General can declare that the documents he submits to the court in order to get these lawsuits dismissed are secret, and once he declares that, then: (a) the plaintiffs and their lawyers won’t ever see the documents and (b) the court is barred from referencing them in any way when it dismisses the lawsuit. All the court can do is issue an order saying that the lawsuits are dismissed, but it is barred from saying why they’re being dismissed or what the basis is for the dismissal.

“So basically, one day in the near future, we’re all going to learn that one of our federal courts dismissed all of the lawsuits against the telecoms. But we’re never going to be able to know why the lawsuits were dismissed or what documents were given by the Government to force the court to dismiss the lawsuits. Not only won’t we, the public, know that, neither will the plaintiffs’ lawyers. Nobody will know except the Judge and the Government because it will all be shrouded in compelled secrecy, and the Judge will be barred by this law from describing or even referencing the grounds for dismissal in any way. Freedom is on the march.”

(Link)

Posted by mhall at 4:18 PM

June 18, 2008

Strange Bedfellows Fight FISA Deal

A “compromise” on warrantless wiretapping is about to emerge from Congress. Indications are it will let telecommunications companies that participated in illegal surveillance avoid any legal responsibility for what they did by granting amnesty for their activities. A group calling itself “Strange Bedfellows” is organizing a fundraising campaign designed to fight the compromise:

“The ACLU is joining with activists from the Ron Paul campaign, represented by Break the Matrix, Rick Williams and Trevor Lyman, and civil liberties writer Glenn Greenwald of Salon, and leading liberal bloggers including, Jane Hamsher of firedoglake, Matt Stoller of Open Left, John Amato of Crooks and Liars, Howie Klein of Down with Tyranny, Digby, Josh Nelson of The Seminal and activist Josh Koster to tell Congress that we will not let them ignore the Constitution or give immunity to telecoms which deliberately broke our laws for years.

“This group of Strange Bedfellows is mobilizing a broad-based left-right coalition of office holders and candidates, public interest groups and individuals who are devoted to preserving basic constitutional liberties to join in the fight. The goal is to work together to impede the corrupt FISA/telecom amnesty deal.”

(Link)

I got that link from Glenn Greenwald, who wrote up a detailed summary of the campaign’s goals, which include electoral punishment of pro-amnesty Democrats.

Nutshell:

“So Phase I, to begin immediately, will focus on ad campaigns against two Democratic pro-amnesty incumbents with no primary challenger (Hoyer and Carney), and one pro-amnesty Democratic incumbent with a credible primary challenge very shortly. Phase II will involve a massive money bomb, to be planned by the same people who were behind the money bombs that raised millions and millions of dollars for the Ron Paul presidential campaign. The dates and other details for that will be announced shortly.

“The plan there is to raise an extraordinary amount of money — dwarfing the $90,000 raised in the last 24 hours — by going to all of the various constituents of each member of this coalition in order to fuel a real campaign in defense of civil liberties, constitutional protections and the rule of law. The money raised will be used to oppose and punish those vulnerable members of Congress who continue to support the evisceration of our constitutional framework and core civil liberties, while supporting candidates and office-holders who meaningfully oppose that assault.

“The Beltway establishment needs to be trained to understand that there is a real constituency for defending our constitutional framework. Thus far, that constituency has been dormant and fragmented, and thus ignored. That, more than anything, is what needs to change, and this coalition and the initial two-phase strategy is intended to be merely a start towards changing that, and will continue regardless of the outcome of this FISA/amnesty vote.”

The entire entry is worth a read. Greenwald notes that Barack Obama has been mailing this response to people inquiring about his stance on telco immunity:

“Giving retroactive immunity to telecom companies is simply wrong. Thankfully, the most recent effort to pass this legislation at the end of the legislative year failed. I unequivocally oppose this grant of immunity and support the filibuster of it. I have cosponsored Senator Dodd’s proposal that would remove it from the current FISA bill and continue to follow this debate closely. In order to prevail, the proponents of retroactive immunity still have to convince 60 or more senators to vote to end a filibuster of this bill. I will not be one of them.”

The New York Times has called on Obama to consider expending some effort on the issue.

Posted by mhall at 7:19 PM

June 17, 2008

More on the Malware/Child Porn Case

The Boston Herald covered yesterday’s news that a Massachusetts state employee had child porn charges against him dropped after a forensic analyst found his laptop had been infected with malware.

Best quote:

“Nationally recognized computer forensic analyst Tami Loehrs told the Herald Michael Fiola’s ordeal was ‘one of the most horrific cases I’ve seen.’

“‘As soon as you mention child pornography, everybody’s senses go out the window,’ she said.”

(Link)

If you’re the type to enjoy this sort of thing, Robert McMillan posted a link to the 30-page-long forensic report. It’s chock full of log entries like “Pornographic images appear with no origin and continue for approximately one hour; sites include lolitas, urinelove and scat sites.”

It gets really good around page 25, when investigator Loehrs begins to bring the hammer down on the IT department responsible for the incident. Or rather, the IT department that should be held responsible for the incident, having utterly failed one of its users. Here’s a sample:

“On June 26, 2007, John Glennon testified at an administrative hearing regarding the investigation of the Laptop. He stated that he is responsible for all information technology resources for the company and he is in charge of tracking the computers and he was involved in the investigation of the misuse of the Laptop. Mr. Glennon testified that there is no evidence that anyone else other than the Administrator had ever accessed the Laptop. However, a review of the computer revealed several other accounts that had been created on the Laptop prior to Michael Fiola including diauser, user, test and test2. Unfortunately, all previous accounts had been deleted, thereby eliminating potentially relevant evidence. A review of the SMS and Symantec logs also revealed that the computer was previously setup for BOLLE04 and was actively used prior to the Laptop being issued to Michael Fiola.

“Mr. Glennon went on to testify that it is highly unlikely for Internet files to be on the computer without activity by the user and that there is no way for files to be in the Internet folder without browsing the Internet. A review of the Symantec logs by Mr. Glennon would have revealed the viruses and Trojans that were attacking the Laptop for four and a half months. A review of those viruses and Trojans by Mr. Glennon would have provided an explanation regarding how temporary Internet files can be created on the computer without the user’s knowledge. A review of the temporary Internet files themselves would have revealed suspicious patterns such as pornography appearing with no preceding event; pornography appearing immediately after viruses and Trojans appearing; and 40 website files all created at the same time, a scenario likely impossible for a user to create by browsing the Internet. If Mr. Glennon had discovered the suspicious JavaScript files on the Laptop, he would have learned of additional methods in which files can appear in one’s temporary Internet files folder without their action or knowledge. At the very minimum, Mr. Glennon, as the head of the IT department, must be aware of spam and Internet pop-ups that cause files to be placed in the temporary Internet files folder without any action or knowledge by the user.

“Mr. Glennon also testified that ‘our networks are very secure and they’re monitored’ so it is highly unlikely that the system was hacked. A review of the SMS logs by Mr. Glennon would have revealed that the SMS software was not functioning and as a result, there was no communication with the Laptop while it was in the field for four and a half months leaving the Laptop unmonitored. If, in fact, the networks are monitored, why were the SMS logs riddled with errors - highlighted in yellow and red by the software for easy detection – and unresolved for four and a half months? If the networks are monitored, why did the virus attacks on the Laptop recorded by Symantec go unnoticed and unresolved for four and a half months?”

“At the very minimum, Mr. Glennon, as the head of the IT department, must be aware of spam and Internet pop-ups that cause files to be placed in the temporary Internet files folder without any action or knowledge by the user.”

It doesn’t sound like Mr. Glennon is aware of much. If, by the way, that John Glennon of the Mass. Dept. of Industrial Accidents is the same as this John Glennon, formerly of the Mass. Dept. of Industrial Accidents, it appears he’s enjoying a recent promotion, having left behind a department that “stands by its handling” of the case. And Michael Fiola, the person who was wrongfully accused and fired, is still out of a job.

Shameful.

Posted by mhall at 6:48 PM
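The forensic report's reasoning above (cache files with no preceding navigation, cache files appearing right after antivirus detections, dozens of files written in the same second) can be turned into a timeline check. The script below is an added example, not code from this blog or from the report; the record format, the sample log lines and the thresholds are all constructed assumptions for illustration.

```python
"""Timeline heuristics for browser-cache forensics (added example).

Input records are constructed: 'timestamp | kind | detail', where kind is
  nav   - a user-initiated navigation (typed URL, clicked link)
  cache - a temporary Internet file being written
  av    - an antivirus detection/quarantine event
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one constructed 'timestamp | kind | detail' record."""
    ts, kind, detail = (part.strip() for part in line.split("|", 2))
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind, detail)


def load(lines):
    """Parse and sort records so later checks can assume time order."""
    return sorted((parse_line(line) for line in lines), key=lambda e: e.ts)


def find_bursts(events, threshold=10):
    """Cache writes sharing one second; the report treats 40 files at a
    single instant as something a person browsing cannot produce."""
    by_second = defaultdict(list)
    for e in events:
        if e.kind == "cache":
            by_second[e.ts].append(e)
    return {ts: evs for ts, evs in by_second.items() if len(evs) >= threshold}


def orphan_cache_writes(events, window=timedelta(seconds=5)):
    """Cache writes with no user navigation in the preceding window
    ('pornography appearing with no preceding event')."""
    navs = [e.ts for e in events if e.kind == "nav"]
    return [e for e in events
            if e.kind == "cache"
            and not any(e.ts - window <= n <= e.ts for n in navs)]


def cache_after_av(events, window=timedelta(minutes=2)):
    """Cache writes that closely follow an antivirus detection
    ('appearing immediately after viruses and Trojans appearing')."""
    detections = [e.ts for e in events if e.kind == "av"]
    return [e for e in events
            if e.kind == "cache"
            and any(d <= e.ts <= d + window for d in detections)]


def summarize(lines):
    """Run all three checks and return counts an analyst would report."""
    events = load(lines)
    bursts = find_bursts(events)
    return {
        "bursts": sorted((ts.isoformat(sep=" "), len(evs))
                         for ts, evs in bursts.items()),
        "orphans": len(orphan_cache_writes(events)),
        "after_av": len(cache_after_av(events)),
    }


# Constructed sample timeline: a normal morning session, then an AV hit
# followed 35 seconds later by 40 cache files written in the same second,
# and an isolated evening cache write with no navigation at all.
SAMPLE = [
    "2007-01-10 09:00:00 | nav   | user opened http://intranet.example/home",
    "2007-01-10 09:00:01 | cache | intranet.example/home.html",
    "2007-01-10 09:00:02 | cache | intranet.example/logo.gif",
    "2007-01-10 13:15:30 | av    | Trojan.Downloader quarantined C:\\Temp\\x.exe",
    "2007-01-10 18:00:00 | cache | another.invalid/img.jpg",
]
SAMPLE += [f"2007-01-10 13:16:05 | cache | popup-site-{i:02d}.invalid/index.htm"
           for i in range(40)]


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Real cache and antivirus logs would need their own parsers in place of parse_line, but the three checks apply unchanged to any (timestamp, kind) timeline.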

June 16, 2008

Mass. Man Avoids Malware-Induced Child Porn Trial

"What if you unknowingly harbored child pornography on your work laptop? A child pornography possession charge against a former Massachusetts state government employee has been dropped after forensic evidence showed that his machine was infected with various forms of malware that silently drove his browser to the unsavory sites and files.

"The case of Massachusetts Department of Industrial Accidents investigator Michael Fiola has some chilling ramifications for unwitting, innocent users whose machines may be hiding incriminating evidence that could be used against them.

"Fiola lost his job and friends, and suffered a major blow to his reputation during the investigation that began after he was fired in March 2007 after IT found traces of child pornography on his laptop. IT got suspicious after noting that his wireless usage was four times more than that of his co-workers. His case was dropped before making it to court, after forensic experts found that the child porn traffic and files were driven by malware on his agency-issued laptop."

The good part is that the charges were dropped. The bad part is that thus far that hasn't swayed Massachusetts to give him his job back.

Then there's this:

"Fiola, 53, who family and others say was no technophile, was in the worst-possible situation: His IT department issued him the machine in November 2006 after his previous laptop was stolen, but apparently it wasn't properly configured for the agency's server-based software and security maintenance. Plus, the Symantec Corporate Edition antivirus software on the laptop was never operating correctly while Fiola used the machine."

I wonder if the IT workers who "got suspicious" still have their jobs?

(Link)

Posted by mhall at 7:34 PM

June 12, 2008

A Contrarian Take on LifeLock

Bruce Schneier has an interesting and contrarian take on LifeLock, the identity theft protection service, which was recently the source of much schadenfreude when its CEO was reported to have had his identity stolen:

"In December 2003, as part of the Fair and Accurate Credit Transactions Act, or Facta (.pdf), credit bureaus were forced to allow you to put a fraud alert on their credit reports, requiring lenders to verify your identity before issuing a credit card in your name. This alert is temporary, and expires after 90 days. Several companies have sprung up -- LifeLock, Debix, LoudSiren, TrustedID -- that automatically renew these alerts and effectively make them permanent.

"This service pisses off the credit bureaus and their financial customers. The reason lenders don't routinely verify your identity before issuing you credit is that it takes time, costs money and is one more hurdle between you and another credit card. (Buy, buy, buy -- it's the American way.) So in the eyes of credit bureaus, LifeLock's customers are inferior goods; selling their data isn't as valuable. LifeLock also opts its customers out of pre-approved credit card offers, further making them less valuable in the eyes of credit bureaus.

"And, so began a smear campaign on the part of the credit bureaus. You can read their points of view in this New York Times article, written by a reporter who didn't do much more than regurgitate their talking points. And the class action lawsuits have piled on, accusing LifeLock of deceptive business practices, fraudulent advertising and so on. The biggest smear is that LifeLock didn't even protect Todd Davis, and that his identity was allegedly stolen.

"It wasn't."

(Link)

Posted by mhall at 8:05 PM

June 11, 2008

Speaking of Gnus ...

It's good to know "spook" is still banging around in Emacs:

M-x spook:

Exon Shell SAPO Cocaine corporate security Leuken-Baden Dick Cheney
Merlin Kosovo Panama Uzbekistan EuroFed event security warfare Saudi
Arabia colonel

From 1995: "Coat-trailing the cyberspooks"

Now that all the mystery about ECHELON is cleared up, how do geek parents scare their children?

Posted by mhall at 7:22 PM

We Had to Destroy alt.* to Save It

CNET's Declan McCullagh says an anti-child-porn deal between ISPs and the New York Attorney General will involve a curtailment of Usenet access, with Time Warner Cable eliminating all access and Sprint going after the entire alt hierarchy:

"Time Warner Cable said it will cease to offer customers access to any Usenet newsgroups, a decision that will affect customers nationwide. Sprint said it would no longer offer any of the tens of thousands of alt.* Usenet newsgroups. Verizon's plan is to eliminate some 'fairly broad newsgroup areas.'

"It's not quite the death of Usenet (which has been predicted, incorrectly, countless times). But if a politician can pressure three of the largest Internet providers into censorial acquiescence, it may only be a matter of time before smaller ones like Supernews, Giganews, and Usenet.com feel the squeeze.

"Cuomo's office said it had 'reviewed millions of pictures over several months' and found only '88 different newsgroups' containing child pornography."

So naturally it's best to just eliminate Usenet.

I recently started using Gnus again and that meant it was as easy as not to subscribe to a few newsgroups (I tried to love Unison, but it just wasn't happening). Usenet does not feel to me like it did when I was first reading groups in 1991, but it's a nice thing to have around. news.answers alone provides plenty of entertainment.

The thought of alt.folklore.urban being tossed along with a handful of bad actors has me hoping my own ISP keeps its head on this.

Posted by mhall at 6:59 PM

June 10, 2008

Google Supports "Comprehensive Federal Privacy Law." Should You?

Google responded to a letter from Texas Rep. Joe Barton, the senior Republican on the House Energy and Commerce Committee, asking for details about the company’s privacy practices:

“Google told Barton in a letter dated June 6 that it would support creation of a federal Internet privacy law. A copy of the letter was obtained by Reuters on Tuesday.

“‘Google supports the adoption of a comprehensive federal privacy law that would accomplish several goals such as building consumer trust and protections; creating a uniform framework for privacy, which would create consistent levels of privacy from one jurisdiction to another; and putting penalties in place to punish and dissuade bad actors,’ the letter said. It was signed by Alan Davidson, Google’s chief lobbyist.

[…]

“Marc Rotenberg, executive director of the Electronic Privacy Information Center, was skeptical of Google’s endorsement of a federal privacy law. Rotenberg said that when companies push for a ‘comprehensive’ law, they often want something that would preempt more stringent state laws.

“‘We do not want the states to have their hands tied,’ said Rotenberg, citing California and New York as examples of states with tough privacy laws.”

(Link)

Posted by mhall at 7:56 PM

June 9, 2008

IM Survey: Half of Major Providers Encrypt Entire Session

A CNET survey found that half of the instant messaging services covered provide encryption from the first login to signout:

“We found that only half of the services provide complete encryption: AOL Instant Messenger, Google Talk, IBM’s Lotus Sametime, and Skype do. To their credit, not one service says it keeps logs of the content of users’ communications (a certain lure for federal investigators or snoopy divorce attorneys). For connection logs, Microsoft alone said it keeps none at all—though Google and Skype said their logs were deleted after a short time.”

Not to pick too many nits, but …

Though Google may not store something called “joesmithschats.log” on its servers, if you don’t take care to toggle a conversation held over Talk as “off the record,” a copy is kept in both participants’ Gmail accounts, accessible under “Chats” within Gmail. Google says as much in its response to this survey, as well as its help page on the subject.

As a general rule, whether a chat service keeps a log around or not is hardly a deterrent to the hypothetical federale or divorce attorney: Most IM software keeps some sort of conversation log, as Congressman Foley learned (and as I got to explain to the nation on the Kojo Nnamdi show at the time.) Therein lies the value of OTR:

“OTR is designed to make past communications unencryptable (even if a key is eventually compromised) as well as provide the ability to authenticate that a message is coming from the right person without being able to prove such in the future. OTR’s authors liken the privacy it offers to a conversation held between two people in a secure room: Free from prying outsiders, authenticated in a way only face-to-face communications can offer, and without any proof other than the other participant’s word about the specifics of the conversation.”

(Link)
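The two properties the quoted passage attributes to OTR, past messages staying unreadable after the session ends and authentication that proves nothing to a third party later, are easy to lose sight of in prose. The following is an added toy illustration, not OTR's actual protocol and not code from this post or the linked article. It stubs the ephemeral key agreement with random bytes (OTR uses an ephemeral Diffie-Hellman exchange), uses a SHA-256 counter-mode keystream in place of AES-CTR, and lets one `Session` object stand for the keys both parties share, so that the key-lifetime rules, wipe the encryption key and publish the MAC key at session end, are the only thing on display:

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Added toy example, not OTR itself. The shared secret is random bytes standing
# in for an ephemeral DH result; SHA-256 counter mode stands in for AES-CTR.


def derive_session_keys(shared_secret: bytes) -> tuple[bytes, bytes]:
    """Split one ephemeral shared secret into an encryption key and a MAC key."""
    enc_key = hashlib.sha256(b"enc|" + shared_secret).digest()
    mac_key = hashlib.sha256(b"mac|" + shared_secret).digest()
    return enc_key, mac_key


def keystream_xor(key: bytes, counter: int, data: bytes) -> bytes:
    """XOR data with a SHA-256 keystream bound to the message counter."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(
            key + counter.to_bytes(8, "big") + block.to_bytes(8, "big")
        ).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def mac_tag(mac_key: bytes, counter: int, ciphertext: bytes) -> bytes:
    """HMAC over counter||ciphertext; checking it needs only the MAC key."""
    return hmac.new(mac_key, counter.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()


def tag_valid(mac_key: bytes, counter: int, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(mac_key, counter, ciphertext), tag)


class Session:
    """Keys exist only while the session is live. One object stands for the
    keys both parties share in this toy; close() wipes the encryption key and
    hands out the MAC key, which is what makes the transcript deniable."""

    def __init__(self) -> None:
        shared = secrets.token_bytes(32)  # stand-in for the ephemeral DH result
        self.enc_key, self.mac_key = derive_session_keys(shared)
        self.counter = 0

    def send(self, plaintext: bytes) -> tuple[int, bytes, bytes]:
        self.counter += 1
        ct = keystream_xor(self.enc_key, self.counter, plaintext)
        return self.counter, ct, mac_tag(self.mac_key, self.counter, ct)

    def receive(self, counter: int, ct: bytes, tag: bytes) -> bytes | None:
        """Reject anything whose tag does not verify; otherwise decrypt."""
        if not tag_valid(self.mac_key, counter, ct, tag):
            return None
        return keystream_xor(self.enc_key, counter, ct)

    def close(self) -> bytes:
        """Forward secrecy: the encryption key is discarded, and a long-term
        identity key (not modelled here) never entered its derivation, so a
        later compromise of that key recovers nothing. Deniability: the MAC
        key is published, so a valid tag proves nothing about authorship."""
        revealed = self.mac_key
        self.enc_key = None
        self.mac_key = None
        return revealed


def demo() -> dict:
    """Walk both properties through one session and report the outcomes."""
    s = Session()
    n, ct, tag = s.send(b"meet at noon")  # constructed sample message
    decrypted_live = s.receive(n, ct, tag)
    tampered = bytes([ct[0] ^ 1]) + ct[1:]  # flip one ciphertext bit
    tamper_rejected = s.receive(n, tampered, tag) is None
    recorded = (n, ct, tag)  # what an eavesdropper keeps
    revealed_mac_key = s.close()
    # Anyone holding the recorded transcript and the revealed MAC key can tag
    # bytes that were never sent, so the original tag is no longer evidence.
    forged_ct = secrets.token_bytes(len(ct))
    forged_tag = mac_tag(revealed_mac_key, n + 1, forged_ct)
    return {
        "decrypts_while_live": decrypted_live == b"meet at noon",
        "tamper_rejected": tamper_rejected,
        "original_tag_still_valid": tag_valid(revealed_mac_key, *recorded),
        "forged_tag_equally_valid": tag_valid(revealed_mac_key, n + 1, forged_ct, forged_tag),
        "enc_key_gone_after_close": s.enc_key is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last two results are the point: once the session is closed, the original tag and a forged tag are equally valid under the published MAC key, so a logged transcript cannot establish who said what, and the key that would decrypt the logged ciphertext no longer exists anywhere.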

Posted by mhall at 8:03 PM

June 5, 2008

ACLU Keeps FISA Story Alive

“As news continues to trickle down from Capitol Hill regarding a deal on surveillance legislation, the American Civil Liberties Union once again voiced its fervent opposition to any attempt to undercut the Fourth Amendment or allow the telecommunications companies to gain blanket immunity for illegal spying. Before the Memorial Day recess the ranking member of the Senate Select Committee on Intelligence, Senator Christopher Bond (R-MO) floated what he claims is a compromise on surveillance legislation that will allow for sham court proceedings, virtually guaranteeing immunity to telecommunications companies. The ACLU strongly opposes this unconstitutional proposal.

“‘Congress should remember that the majority of Americans are against unwarranted and warrantless surveillance,’ said Caroline Fredrickson, director of the ACLU Washington Legislative Office. ‘They are against slamming the courthouse doors and letting the phone companies off the hook for selling out their privacy. If that’s where most Americans stand, who exactly is Congress representing?’

“In a troubling recent report, House Intelligence Committee Chairman Silvestre Reyes (D-TX) was quoted as saying he was ‘fine’ with Senator Bond’s surveillance proposal and immunity provision, and wanted to ‘get on with’ FISA legislation. If true, it is a disappointing turn from someone who once said, ‘As someone who has been briefed on our most sensitive intelligence programs, I can see no argument why the future security of our country depends on whether past actions of telecommunications companies are immunized.’

“‘Bond’s immunity provision, at its heart, is saying it’s okay to break the law if the president tells you it’s okay,’ said Michelle Richardson, ACLU Legislative Counsel. ‘It would allow telecom companies to walk into a secret court, present a piece of paper – legally binding or not – and walk out without consequences. What kind of justice takes place entirely behind closed doors, is hinged entirely on a note from the president and revolves around the interpretation of the law and not the law itself? Where is our system of checks and balances in this scenario?’”

(Link)

Posted by mhall at 7:33 PM

June 4, 2008

Hey, Good News, Tokelau!

“In its report, Mapping the Mal Web Revisited, the company found that the top-level domains with the largest proportion of malicious sites belonged to Hong Kong (.hk) and China (.cn) with the Philippines (.ph) and Romania (.ro) tied for fourth. The company surveyed nearly 10 million heavily-trafficked Web sites around the world and found that 19.2 percent of all Web sites ending in the .hk posed a danger to visitors. Approximately 11 percent of Web sites in mainland China’s top-level domain were rated as risky by SiteAdvisor.

“In 2007, the domain for the tiny South-Pacific island of Tokelau accounted for the greatest proportion of risky Web sites, McAfee stated.

“‘For administrators of top-level domains this study should act as a wake-up call,’ Jeff Green, senior vice president of product development at McAfee, said in a statement. ‘Last year’s report spurred Tokelau’s domain manager to reexamine its policies. Not all domain managers are as accommodating so our mission is to educate consumers of the dangers and protect them in every way they enjoy the Web whether through their PC, the Web itself, or mobile phone.’”

(Link)

Not exactly related, but interesting enough to mention: “The Billion-Dollar Shack,” or its radiofied version from “This American Life”:

“Nauru is a tiny island, population 12,000, a third of the size of Manhattan and far from anywhere: yet at the center of several of the decade’s biggest global events. Contributing editor Jack Hitt tells the untold story of this dot in the middle of the Pacific and its involvement in the bankrupting of the Russian economy, global terrorism, North Korean defectors, the end of the world, and the late 1980s theatrical flop of a London musical based on the life of Leonardo da Vinci called Leonardo, A Portrait of Love.”

That’s an older episode, but it was rerun late last year.

Posted by mhall at 7:08 PM

June 3, 2008

Apple Releases Leopard Security Guide

“The Security Configuration Guides provide an overview of features in Mac OS X that can be used to enhance security, known as hardening your computer.

“The guides are designed to give instructions and recommendations for securing Mac OS X and for maintaining a secure computer.

“To use these guides, you should be an experienced Mac OS X user, be familiar with the Mac OS X user interface, and have at least some experience using the Terminal application’s command-line interface. You should also be familiar with basic networking concepts.

“Certain instructions in the guides are complex, and deviation could result in serious adverse effects on the computer and its security. The guides should only be used by experienced Mac OS X users, and any changes made to your settings should be thoroughly tested.”

They left out “Do Not Taunt Happy Fun Mac.”

There are six pages (124-130) devoted just to explaining POSIX permissions, ACLs and umask.

All in all it’s an interesting guide.

Not to be a total nanny, but it would be nice if this information were refactored for users who are not particularly experienced and don’t have “at least some experience using the Terminal application’s command-line interface.” Those people are told to get bent before they even bother to download the guide, but it’s got a lot of useful information.

The problem is, some of that useful information would probably scare less security-aware users away, and some of it is the kind of t-crossing and i-dotting that rapidly induces fatigue:

“One method to secure appearance preferences is to change the number of recent items displayed in the Apple menu to None.”

“If intruders gain access to your computer, they can use recent items to quickly view your most recently accessed files. Additionally, intruders can use recent items to access authentication mechanisms for servers if the corresponding keychains are unlocked. Removing recent items provides a minimal increase in security, but it can deter unsophisticated intruders.”

x 240 pages.

(Link)

Posted by mhall at 6:49 PM