October 31, 2008

Does the Global Network Initiative Have Any Teeth?

The Global Network Initiative is a broad coalition of tech companies and assorted human rights stakeholders designed to “provide high-level guidance to the ICT industry on how to respect, protect and advance user rights to freedom of expression and privacy, including when faced with government demands for censorship and disclosure of users’ personal information.”

It launched on Wednesday. Here’s Rebecca MacKinnon’s take:

“Organizations like Human Rights Watch, Human Rights in China, Human Rights First, and the Committee to Protect Journalists would not be putting their reputations behind this thing if they didn’t think it was meaningful.

“That said, the initiative must prove its value in the next couple of years by implementing a meaningful and sufficiently tough process by which companies’ adherence to the principles will be evaluated and benchmarked. If there is a rigorous process that rates the companies’ behavior, then investors who care about social responsibility, and users who want to know how trustworthy a given company is compared to others, can make more informed choices.

“The initiative is based on the reality that there is pretty much no country on earth - including the United States - where governments aren’t pressuring telecoms and Internet companies to do things that potentially violate users’ rights to privacy and free expression. Companies must consider the right to free expression and privacy of users in all markets to be part and parcel of what it means to be socially responsible. Part of the problem is that many telecoms and Internet companies just have not been thinking through these issues as they roll out products and services around the globe, resulting in all kinds of unintended consequences - the TOM-Skype fiasco in which Skype’s Chinese business partner was found to have allowed a huge security breach being the latest example. The Initiative is about getting companies to think ahead and incorporate human rights assessments into new product plans or plans to enter new markets. It’s also about being more transparent and honest with your users about what’s being censored, why and how, and informing them about how and with whom their personal data is being stored and shared. That way, users can make informed choices about how and when it is safe or reliable to use these services - or not.”

(Link)

Posted by mhall at 8:05 PM

October 29, 2008

More Home Wi-Fi Users Encrypting

Encouraging news on Wi-Fi security:

“The RSA study also found that 97 percent of New York City’s corporate access points featured some level of encryption — an increase of 21 percent over last year and the greatest growth spike in the seven years of the study. In Paris, 94 percent of business’ Wi-Fi access points had some form of security, while only 80 percent of London’s business access points were secured.

“In many cases, home networks appear to be more security-savvy. According to the report, 97 percent of New York City’s at-home Wi-Fi access points use encryption, with 61 percent of those networks using advanced encryption.

“In Paris, 98 percent of the City of Lights’ at-home Wi-Fi installations were protected by encryption standards, while in London, more than 90 percent of consumers had set up security for their in-home Wi-Fi access points.

“‘This is good news for businesses and consumers alike,’ the study said.

“Another positive security trend is that enterprises and consumers are moving away from basic Wired Equivalent Privacy (WEP) encryption standard, adopting more secure technologies instead, the survey found. As a result, a growing number of businesses and consumers are dropping WEP in favor of Wi-Fi Protected Access (WPA) or a more advanced edition of the protocol, WPA2.

“The report said that New York City-based WPA use reached 49 percent during the year, with 50 percent of all businesses having adopted WPA or stronger security.”

(Link)

Posted by mhall at 3:11 PM

October 27, 2008

Tweeting for Terror

When experts warned that Second Life and World of Warcraft were potential hotbeds of terrorist recruitment and planning, I shrugged them off. But Twitter?

That fun tool can also be put to nefarious uses, according to an addendum to the 304th Military Intelligence Battalion periodic newsletter, available on the Federation of American Scientists’ (FAS) Web site.

“The paper tracked some of the latest tactics terrorist groups use to organize and described some techniques that are emerging.

“‘The ‘Twitter’ member can send Tweets (messages) near real time to Twitter cell phone groups and to their online Twitter social networking page,’ the author said, adding that ‘there are multiple pro- and anti-Hezbollah Tweets.’

“Twitter members ‘can also mashup their Tweets with a variety of other tools including geo-coordinates and Google Maps or other electronic files/artifacts. Members can direct and re-direct audience members to other Web sites and locations from ‘Tweets’ and can engage in rapid-fire group social interaction,’ the writer said.

“The author outlined three scenarios where Twitter could be used by terrorists, and pointed out that terrorists have also talked about using other technologies, including cell phones, Skype and other internet telephony services.”

If I were a member of a crack terrorist team, I think Twitter is the last thing I’d use to carry out an operation. Who needs the x-eyed Fail-Whale just as they’re about to find out where the Stingers are cached?

(Link)

Posted by mhall at 7:37 PM

October 24, 2008

Yesterday's Windows Vulnerability Is Today's Worm

Well, that didn’t take long to produce something unpleasant:

“One day after Microsoft issued a rare emergency Windows security patch, the bad guys have a few new ways to take advantage of the bug.

“By Friday, security researchers had identified a new worm, called Gimmiv, which exploited the vulnerability, and a hacker had posted an early sample of code that could be used to exploit the flaw on the Web.

“Microsoft issued the patch more than two weeks ahead of its next security updates because the bug could be used to create an Internet worm attack and Microsoft had already seen a small number of attacks that exploited the flaw.”

(Link)

Posted by mhall at 7:58 PM

October 23, 2008

Microsoft Conducting a Webcast for an "Out-of-Band," Critical Security Release

Windows XP and below are affected by a “critical” vulnerability Microsoft patched earlier today. Vista and newer are affected too, but the same bug is rated “important” on those platforms.

Christopher Budd on the update:

“Because the vulnerability is potentially wormable on those older versions of Windows, we’re encouraging customers to test and deploy the update as soon as possible. To help you better understand the details around the vulnerability, my colleagues over at the Security Vulnerability Research & Defense blog have provided some more information here. Also, Michael Howard has provided some background on the vulnerability from the Security Development Lifecycle perspective here.”

There’s a webcast scheduled for 1pm PDT to take questions.

(Webcast Link)

Posted by mhall at 3:47 PM

October 21, 2008

Shimo Rocks

I just posted Charlie Schluting’s review of Shimo over on ENP. It’s a VPN client for Macs, and I’ve been using it for a while, primarily as a replacement for Cisco’s execrable software.

With Shimo you get a handy menubar app, you can save your passwords in your Mac keychain (horrors!), and it does post-connection scripting. I have to post a few links to a page on a server behind a VPN every day, which entails firing up Transmit and opening a bookmarked directory. For Shimo’s post-connect script, I wrote a simple one:


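-- Shimo post-connect script: open the VPN-only bookmark in Transmit
tell application "Transmit"
    -- Open a new Transmit window
    set theDoc to (make new document at end)
    tell current session of theDoc
        -- Connect using the saved favorite (bookmark) by name
        connect to favorite with name "PracNet News"
    end tell
end tell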

Once Shimo connects, it runs that script, which opens a new window in Transmit that opens my bookmark. Once that’s done, I can just highlight the two files I have to update in Transmit and ⌘↓ to load them into TextMate for a quick edit. Yep … it’s pretty simple and it doesn’t save a ton of time, but it’s a few clicks I don’t have to bother with.

If you’re wondering why I didn’t go the second step and just tell it to open the files in TextMate, too, well, it’s complicated. The time I would have spent writing a workaround for a peculiarity in this particular workflow wouldn’t have saved me much time and it would have made my life harder about five days out of each month. I don’t think Transmit exposes editing in its scripting dictionary, either.

While I’m on the subject:

The other pain-point in VPN access is a mandatory 45-day password reset. AppleScript helped with that, too: When In Doubt … Script!.

Posted by mhall at 9:23 PM

October 16, 2008

Anti-Predator Law: Feel Better? No? Well, We "Tried."

First off, my apologies for being away this week. Despite being in one of the most bicycle-friendly cities in the world, Portland has its share of thoughtless citizens, one of whom decided to throw an apple at me from his or her car while I was biking to pick up my son at preschool. I spent eight hours in the emergency room for a lacerated eyelid, and I win a trip to a plastics specialist tomorrow to see if they’ll have to cut my eyelid back open and sew it back up. The whole thing put a crimp in my blog output.

Faced with a stack of piled up security and privacy news, I can only be mildly regretful that this is several days old:

“Registered sex offenders will have to start providing their e-mail addresses to a national database available to social networking sites, under the misleadingly titled ‘Keeping the Internet Devoid of Sexual Predators Act of 2008’ - a bill authored by Senator John McCain and signed by President Bush on Monday.”

O.k. Quick pause before getting to the rest of the excerpt:

That’s the “Keeping the Internet Devoid of Sexual Predators Act” … KIDS! Gettit!?

Some day when I’m able to see out of both eyes I’ll take some time to research whether insipid law-naming came before or after asinine military operation names. Anyhow …

The law requires registered sex offenders to register their e-mail addresses in a national registry so the likes of MySpace can programmatically vet new users and weed out “predators.” This came up in January, and the idea has apparently survived ten months of opportunity for someone to scratch their head and say “but what if they, like, just go out and get another address and go on predatin’?”

Senator McCain’s interest resonates with one of the more odious distortions his campaign trotted out this season. Reports Wired:

“In television ads he ran last month, McCain slammed a 2003 Illinois measure once supported by presidential rival Barack Obama that would have taught children how to recognize, and avoid, sexual predators. McCain called the plan ‘comprehensive sex education’ for kindergartners.

“In other words, to McCain, teaching children to avoid predators is as bad as teaching sexually active teenagers about contraception. But setting up an e-mail database that relies on pedophiles being honest and respectful of the law — well, we can all live with that.”

Indeed.

Posted by mhall at 9:31 PM

October 13, 2008

Consultant: Graphics Cards May Not Be Quite as Menacing as Claimed ... Idiots.

More on that “GPUs as cracker tools” item from last week from Rich Mogull, who says “Your WPA-PSK wireless network is at risk … if you are an idiot”:

“These guys are forgetting two things- first, this method doesn’t work AT ALL against an enterprise installation (RADIUS) of WPA. George Ou has more on this.

“Second, as the original article added as an update, this attack only speeds up brute forcing. Use a long, strong passphrase for your WPA key and you’re fine. Rob Graham also has more on this.

“WPA-PSK still sucks to manage, and keys go stale, but use a good one and you’re fine. GCC should go back to playing Team Fortress or something with those video cards, because they were either misquoted, or clueless.”

(Link)

Posted by mhall at 1:02 PM

October 10, 2008

The Street Finds Its Own Uses for ... Graphics Cards

If NVIDIA ever needs to diversify, it can get into cracking:

“The latest graphics cards have been used to break Wi-Fi encryption far quicker than was previously possible. Some security consultants are already suggesting the development blows Wi-Fi security out of the water and that corporations ought to apply tighter VPN controls, or abandon wireless networks altogether, in response.

“Russian firm ElcomSoft has applied GPU acceleration technology to its password recovery tool to allow PCs or servers running supported NVIDIA video cards to break Wi-Fi encryption up to 100 times faster than is possible by using conventional microprocessors. Recovery times for Wi-Fi keys are increased by a factor between 10 to 15 in the use of Elcomsoft Distributed Password Recovery in combination with a regular laptop featuring NVIDIA GeForce 8800M or 9800M series GPUs.

“By running the same software on a desktop with two or more NVIDIA GTX 280 boards installed, this figure increases to a factor of 100.”

(Link)

Posted by mhall at 6:43 PM
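An added example (not from these posts or the articles they quote) that puts the two Wi-Fi items above in numbers: the WPA-PSK key derivation defined in IEEE 802.11i, and how much passphrase length it takes to cancel the 100x GPU speedup ElcomSoft cites. The baseline guess rate and the three passphrase policies are constructed assumptions.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumption (constructed for illustration, not a figure from the page):
# passphrase guesses per second on one conventional CPU.
ASSUMED_CPU_RATE = 500.0


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK key: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def years_to_exhaust(alphabet: int, length: int, speedup: float = 1.0,
                     base_rate: float = ASSUMED_CPU_RATE) -> float:
    """Years to try every passphrase of this alphabet size and length.

    Only meaningful for randomly chosen passphrases; a dictionary word
    falls far sooner than its length suggests.
    """
    return alphabet ** length / (base_rate * speedup) / SECONDS_PER_YEAR


def extra_chars_to_cancel(speedup: float, alphabet: int) -> int:
    """Random characters to add so the search costs at least as much as before the speedup."""
    return math.ceil(math.log(speedup) / math.log(alphabet))


def report():
    """(policy, entropy bits, years on CPU, years with 100x GPU) for sample policies."""
    policies = [("8 lowercase letters", 26, 8),
                ("12 letters and digits", 62, 12),
                ("20 printable ASCII", 95, 20)]
    rows = []
    for name, alphabet, length in policies:
        rows.append((name,
                     round(length * math.log2(alphabet), 1),
                     years_to_exhaust(alphabet, length),
                     years_to_exhaust(alphabet, length, speedup=100)))
    return rows


if __name__ == "__main__":
    # Test vector from IEEE 802.11i: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    for name, bits, cpu_years, gpu_years in report():
        print(f"{name:24} {bits:6.1f} bits  CPU {cpu_years:.3g} y  100x GPU {gpu_years:.3g} y")
    print("extra characters to cancel 100x:", extra_chars_to_cancel(100, 95))
```

A 100x speedup removes under 7 bits of work, so two more random characters restore the original margin; only passphrases that were already short or guessable move into practical range.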

October 8, 2008

Student Indicted in Palin E-Mail Hack, Can't Own a Computer

The 20-year-old accused of illegally accessing Gov. Palin’s Yahoo mail account faces up to five years in prison and a $250,000 fine. He’s also been forbidden to own a computer or use any computer for more than classwork or checking his e-mail:

“Kernell pleaded not guilty, officials involved in the case said, and he was released without posting bond. However, the court imposed restrictions on his computer usage. He is not allowed to own a computer and can use the Internet only for checking e-mail and doing class work. A copy of his indictment can be found here.

“If convicted, Kernell faces up to five years in prison and a fine of $250,000.

“Kernell became the target almost immediately after the contents of Palin’s Yahoo Mail account were posted on 4chan, an image sharing site. When the hacker posted information about his accomplishments on 4chan, he did so under a nickname, ‘rubico.’ There was a hotlink to the ‘rubico’ name to the e-mail address ‘rubico10@yahoo.com,’ which in turn was traced back to Kernell.

“If that didn’t get him, another slip up would have. The hacker who broke into Palin’s account posted full screen shots of his accomplishment, including the address bar of his browser without the address obfuscated.

“There in the address bar for all to see was proof he had used CTunnel, an anonymous Web surfing site that hides one’s IP address. However, CTunnel logs the addresses of all who use the service, and its owner cooperated with the FBI to track down who was responsible. Within days the IP address was traced to an Internet Service Provider that serves the Knoxville apartment complex where Kernell lives.”

(Link)

Posted by mhall at 5:59 PM

October 6, 2008

When to Pay for a Mac Firewall App?

MacWorld makes the case for third-party firewall apps on the Mac:

“So why would you want to buy and install a third-party firewall when OS X’s seem to cover the bases pretty well? The primary reasons are more flexibility and better protection.

“For example, Intego’s $50 NetBarrier X5 lets you set rules based on where connections are coming from. You can get similar firewall control from free tools such as WaterRoof, but they don’t offer those extra privacy features.

“Another limitation of Leopard’s built-in socket filter is that it can’t change rules when you change locations. For example, you might want to leave your laptop’s iTunes sharing turned on at home but shut it off when you use your laptop on the road. Open Door Networks’ $80 DoorStop X Security Suite lets you define locations and quickly set the firewall to preset rules for where you are. NetBarrier also allows you to create different rules for local network addresses and for addresses on the Internet—a remarkably simple and useful distinction.”

(Link)

Posted by mhall at 9:50 PM

October 2, 2008

Fresh Air On "the Numerati"

Monday’s Fresh Air has a great interview with the author of “The Numerati,” a book about demographic profiling and the mathematical modeling of consumer information.

There are a lot of pieces to the privacy puzzle, and they don’t always seem to be that closely related. We tend to compartmentalize a lot of privacy issues:

“Do I care if Fred Meyer knows my preferences in breakfast cereal?”

“Do I want AT&T engineering datamining into its network?”

“Is it o.k. if a company I do business with sells my address to a partner?”

“How happy am I that even if I avoid things like Facebook, a marketing profile can be built about me merely by assessing the people who don’t avoid Facebook but fed it their address books, which include me?”

You can find people adamantly opposed to any of those things, including the first. But we tend to look at each of those issues as somewhat discrete from the others.

In the interview, Stephen Baker starts with the supermarket loyalty card, explaining how RFID will be combined with those cards to make them more effective for both keeping desirable customers and discouraging undesirable ones. From there he moves on to the way the statistical science applied to things like loyalty cards can work for political marketing, helping campaigns micro-target voter types who’d otherwise be overlooked because their districts are broadly understood to “belong” to the other party. And then he takes all of that and rolls it into the way demographic profiling and mathematical modeling are finding their way into the national security apparatus.

The interviewer (Dave Davies in this case) asks, during the political marketing segment of the conversation, what the point is of finding a handful of voters of one persuasion in a district dominated by voters of the other persuasion, and whether it’s worth the expense to find them at all, to which Baker replies “How much would Al Gore have paid for 300 of those voters in Florida in 2000?”

I’m reserving a copy of the book. The author sounds reasonable, and his presentation didn’t involve the sort of flustered, paranoid fulminating that makes talking about these issues so frustrating sometimes.

(Link)

Posted by mhall at 2:31 PM
