Privacy Digest
Your daily source for news that can impact people's privacy.


 Thursday, August 1, 2002
 
New York Law Journal via Law.com - U.S. Ordered to Justify Detention of 'Dirty Bomber'.

The federal government will have to justify its detention of the so-called "Dirty Bomber" as an enemy combatant in the war on terrorism.

Over the objection of the U.S. Department of Justice, Chief U.S. District Judge Michael B. Mukasey of the Southern District of New York said Wednesday that he wanted briefs from both sides on the legality of holding accused bomber Jose Padilla, who was arrested at Chicago's O'Hare International Airport as a material witness in May and brought to New York. Once in Manhattan, Padilla, who is accused by prosecutors of planning a bomb that would disperse radioactive materials, was then transferred into the custody of the U.S. military and shipped to a Navy brig in Charleston, S.C.

[ ... ]

Newman said she learned on Monday, June 10, that President Bush had signed an order the day before designating Padilla an enemy combatant, and that Padilla was immediately transferred from the Metropolitan Detention Center in Brooklyn into the hands of the U.S. Department of Defense. She said he had been held "incommunicado" since that time, unable to meet with family members or Newman, who had been appointed as his lawyer by Judge Mukasey.

Newman contends that Padilla's detention is illegal and, as a U.S. citizen, his case is far different from those of the al-Qaida and Taliban soldiers seized in Afghanistan and Pakistan and now held at a special facility for detainees at Guantanamo Bay, Cuba.

But the government has argued from the beginning that the authority to seize and detain enemy combatants is "well settled," and that Padilla's designation as a combatant makes him ineligible for habeas relief.

They also contend that Newman no longer has the right to petition the court for his release because of Padilla's new status.

[ ... ]

Newman and Patel said in court Wednesday that the ban on access to Padilla is so complete that they even have been denied access to the order issued by the president. And they insisted that the habeas petition should be heard on its merits in New York.

Slashdot | Defcon X - Live in Las Vegas.

Navisto writes: "DEFCON X gathering has begun in Las Vegas already as everyone begins to prepare for the start of Friday's event at the Alexis Park. The hacking convention is in its 10th year and this is said to be the largest yet. This year there are dozens of speeches happening ranging from wireless, .Net security all the way to Mac OS X AppleScript security issues and hacks. Gathering in Las Vegas brings all the hackers together. This year the official events of Defcon include DC Shoot, Capture the Flag, Hacker Jeopardy, Scavenger Hunt, and this year's first WarDriving Contest. When Live Streams are activated the information will be posted on defcon.org and on the Defcon Forums... PS - E-Mail the Alexis Park letting them know their site isn't cross-browser compatible. Not everyone uses IE and NS ;)"

CNET NEWS.COM - Car-tracking system: Promises, potholes.

General Motors plans to begin installing new sensors and communications systems into vehicles next year in a move that could save lives but that also raises privacy concerns.

At a news conference Wednesday, emergency medical doctors and highway safety advocates praised GM's Advanced Automatic Crash Notification (AACN) as a life-saving system. AACN is one of the auto industry's most high-profile attempts to use telematics--the emerging field of dashboard-embedded communication devices--to help emergency dispatchers better understand the nature of an accident and determine what equipment or procedures medics might need to administer.

[ ... ]

But privacy advocates and attorneys question whether the powerful system could become an agent for continual surveillance. Although drivers must agree to have the hardware installed and must pay $16.95 per month for service, privacy advocates worry that the data GM collects could fall into the hands of third parties that range from police or government agents to research firms trying to track consumer habits.

Lee Tien, a senior staff attorney for the San Francisco-based Electronic Frontier Foundation, applauded GM for its effort to reduce automobile-related casualties. But he also said the technology could fall victim to "function creep"--eventually morphing into a 24-hour surveillance system for authorities.

"This represents a very significant opportunity to track people in their cars," Tien said. "I'd be concerned not only that GM could have to turn in historical data it has collected under a court order or subpoena, but also whether eventually cops could use this technology to tap into a car's signal in real time."

GM executives insist that lawyers have carefully vetted AACN, and they're betting that safety advantages will trump privacy issues for most consumers. Although the luster has worn off the telematics concept since it was introduced in the late 1990s, the giant automaker has more than 2 million customers of its OnStar communication services, and the auto industry still perceives the niche as a source of new revenue.

[ ... ]

Although few people doubt GM's intentions to help save lives, privacy advocates say the technology could have negative consequences. Lawyers say AACN could spark a number of interesting legal debates.

For instance, could a crash victim get the data to prove that he or she was driving within the speed limit--but that the person who struck the car was driving too fast? If the data showed that a person frequently parked the car outside bars or liquor stores, then drove away at extreme speeds or swerved erratically, could that person be accused of drunk-driving--even if that person wasn't stopped by the police at the time?

David Sobel, general counsel for the Washington-based Electronic Privacy Information Center, also had concerns about the nature of AACN registration. The feature is one of many services offered by OnStar, including automated stock quotes, driving directions and concierge services for ticket buying and restaurant reservations. Sobel said many people might opt for AACN because of safety perks but not be aware of the tracking function.

"Many people are likely to give consent in case of an accident, but the point is to make sure that the driver understands what data is being collected, what triggers the data collection and where it's reported," Sobel said.

GM executives said Wednesday they have no intention of selling the data collected by OnStar, or using it for nonemergency purposes. But Lange acknowledged that the data could leave GM if the company were subpoenaed.

Privacy News from Wired News - BN.com: Insecure About Security?.

BarnesandNoble.com is not unlike many e-commerce sites: Holes exist because bulletproof security is almost impossible to maintain. Why, then, do they not own up to some pretty big holes?

[ ... ]

Half a dozen security holes that could allow a malicious hacker easy access to sensitive customer data riddled the bookseller's e-commerce site as of early this week. Some of the holes have been quietly closed over the past two days, but others remain wide open.

The site's security problems don't surprise experts who believe that no website's security is ever completely bulletproof. What disturbs and frustrates them the most, however, is the company's reaction to security researcher Steve Manzuik's repeated attempts to warn the company of the problems.

Manzuik discovered the holes and said he first attempted to contact Barnes & Noble two weeks ago. He said he has received no response to three e-mails he sent to a dozen different contacts at the company. His offers to fix the site's problems for free were also met with silence.

"I have always said that the true test of a company's security posture isn't if they manage to not ever be compromised but how they deal with a compromise after it happens," Manzuik said. "Barnes & Noble has dropped the ball."

[ ... ]

A source close to the company, who requested anonymity, said Barnes & Noble began dealing with the security problem only after being contacted for comment by Wired News last Friday. Manzuik first reported the problems to Barnes & Noble on July 15.

According to internal memos supplied by the source, company management has been aware of most of the security issues Manzuik reported for at least three months. The security breaches were to be rectified in a new website interface due to be released in December.

[ ... ]

Following a previous story on another hole that was discovered in BN.com, Wired News was contacted by several BN.com customers who reported odd little glitches in the site that allowed them to occasionally access other customers' purchase records. According to the customers, their e-mails to Barnes & Noble on the problems also went unanswered.

Little, a security activist, said he was confounded by the company's apparent lack of concern for their customers' privacy.

Ummm I guess this is where I should let you know that the book offers that you see in the left hand column are done via Barnes & Noble. I would be more concerned but according to the reports no one has actually bought any of the books mentioned. At least not via the link on my site. I guess you are going the brick and mortar route. That's one of the problems with trying to recover costs via advertising on a privacy site. We're all too nervous to release our information. :-)

Culture News from Wired News - Vegas Braces for the Hackers.

It's time once again for Defcon, the infamous hacking convention where mysterious incidents -- like smoking swimming pools and FBI arrests of Russian programmers -- are more commonplace than not.

New York Times (free registration required) - Cybercafe Crackdown May Trip Up Leering Boys.

In this sense cybercafes in Pakistan are not too different from those in the rest of the world. But in this strict Islamic society of segregation between the sexes and strict bans on sexual content in the media, privacy on the Internet is highly prized. So there is more than a little worry about new government rules, set down in the name of fighting terrorism, that would keep track of cybercafe users.

Under the rules, Pakistan's thousands of unregulated cybercafes -- often no more than a hot hallway with a few computers and no refreshments -- will be required to register with the government. Then, starting a month from now, the cafes will have to ask every customer for proof of identity.

Slashdot | OpenSSH Package Trojaned.

cperciva writes "The original story is here. And more details are available from the guy's weblog here." --- Here's a mirror of that email message. Another reader writes, --- "Not really a trojan because all it does is make a connection to 203.62.158.32:6667." --- Still another writes --- "The tarball of the portable OpenSSH on ftp.openbsd.org is trojaned. The backdoor is only used during build - generated binaries are fine." --- There isn't much authoritative information available, but this appears legitimate - please be careful if you're updating any of your machines with code from ftp.openbsd.org, and we'll update this story with more links as information is available.

SecurityFocus News: When Dreamcasts Attack. White hat hackers use game consoles, handheld PCs to crack networks from the inside out.

LAS VEGAS--Cyberpunks will be toting cheap game consoles on their utility belts this fall if they follow the lead of a pair of white hat hackers who demonstrated Wednesday how to turn the defunct Sega Dreamcast into a disposable attack box designed to be dropped like a bug on corporate networks during covert black bag jobs.

The "phone home" technique presented by Aaron Higbee of Foundstone and Chris Davis from RedSiren Technologies at the Black Hat Briefings here takes advantage of the fact that firewalls effective in blocking entry into a private network, are generally permissive in allowing connections the other way around.

[ ... ]

They chose the Dreamcast for its small size, availability of an Ethernet adapter, and affordability -- the console was discontinued last year, and now sells used for under $100 on eBay. Loaded with custom Linux-based software and covertly plugged into a spare network port under a desk or above a ceiling, the harmless-looking toy becomes the enemy within, probing the company firewall for a way out to the Internet.

The box cycles through the ports used for common services like SSH, Web surfing, and e-mail, which tend to be permitted by firewall configurations. Failing that, it tries getting "ping" packets out to the Internet, and finally looks for proxy servers bridging the network to the outside world.

Whatever it finds, it uses to establish a tunnel through the firewall to the intruder's home machine. "Most organizations focus on the perimeter," said Davis. "Once you get through the outside, there's a soft chewy center."

Slashdot | Attack Of The Dreamcasts.

kevin_conaway writes "A pair of coders are now suggesting that it is possible, with a modified Dreamcast system running Linux, to sneak into an office building and stick it on a network drop and leave. The Dreamcast will then probe for ways to connect to the outside world. They say they have created similar software for iPAQs and special bootable cdroms for print servers and similar boxes. Just a reminder that our networks need to be as secure on the inside as they should be on the outside. Get the story here."

itweb.co.za - Industry gets an ECT Act breather.

President Thabo Mbeki yesterday signed the controversial Electronic Communications and Transactions (ECT) Bill into law, putting an end to last-ditch attempts by various interest groups to persuade him not to do so.

[ ... ]

The presidential legal advisors had examined the law and "did not find anything they think unconstitutional or problematic" in it, she said to questions on possible legal challenges to it. "We see ourselves working together with those with differences in future."

Although the new Act officially comes into effect with its publication in the Government Gazette, its more controversial sections will not immediately be implemented, says Andile Ngcaba, director-general of the Department of Communications.

"We will publish a schedule in about one week and there will be a window for registration," he said, referring to a requirement that all cryptography service providers register with his department. Other provisions will equally have to wait on relevant structures and organisations to be established.

Slashdot | Your Rights Online - South African Gov And ECT Bill.

GothicManSlut writes "South Africa's ITWeb (http://www.itweb.co.za) has released this article (http://www.itweb.co.za/sections/internet/2002/0208011154.asp?O=FPT) in regards to the controversial ECT Bill being passed now as law. This is sure to provoke the industry in South Africa as it expects the public to hand over all cryptography keys the SA public has, just to name a few of the problems with it. I wonder who will actually abide by these laws."

Yahoo News - Bush Adviser Encourages Hacking.

LAS VEGAS (AP) - A presidential advisor encouraged the nation's top computer security professionals and hackers Wednesday to try to break computer programs, but said they might need protection from the legal wrath of software makers.

Richard Clarke, President Bush's computer security advisor, told hackers at the Black Hat conference that most security holes in software are not found by the software maker.

"Some of us, here in this room, have an obligation to find the vulnerabilities," Clarke said.

Clarke said the hackers should be responsible about reporting the programming mistakes. A hacker should contact the software maker first, he said, then go to the government if the software maker doesn't respond soon.

Hackers commonly share their findings with others in their community through e-mail lists or Web sites. But how much they should disclose is an ongoing debate among computer security professionals. Some argue that full disclosure is best, while others say a hacker should only warn that a problem exists without showing how to take advantage of it.

Slashdot | Your Rights Online - U.S. Computer Security Advisor Encourages Hackers.

DarklordSatin writes: "According to this Associated Press article, which I was pointed to by the nice guys over at Ars Technica, Richard Clarke, Dubya's Computer Security Advisor, wants to encourage hackers to find security holes in software. Although he feels that the system only works when the hackers show 'good faith' and disclose the holes to the company before the public, he wants to start offering more legal protection to hackers and that is a very good step in the right direction." --- As the folks at Ars point out, though, --- "Naturally, Mr. Clark was using the original, more generalized, definition of "hacker", but I guess saying 'Bush Adviser Encourages Discovery of Software Bugs' just didn't have enough zing."

© copyright 1997-2003 by Paul Hardwick. All rights reserved.
All trademarks are the property of their respective owners.
Modified: 11/15/02; 7:17:50 PM
Built: 3/2/03; 12:28:57 AM
URL for current page: http://www.PrivacyDigest.com/2002/08/01