Internet News - Mozilla Flaw Springs Privacy Leak.
Researchers have found a flaw in Mozilla-based browsers that springs data on the Web surfing movements of users.
Sven Neuhaus, head researcher at Neopoly, said the bug, first discovered in May, is a serious privacy issue.
In a demonstration of the flaw, Neuhaus showed that it exposes the URL of the page a user is viewing to the Web server of the site visited last, allowing a Web site to track where a viewer goes next regardless of whether the next URL is typed in manually or chosen from a bookmark.
"This bug is still present in the Mozilla 1.1 release... It's been three months," Neuhaus said in a plea for a fix on Bugzilla, Mozilla's bug-tracking system.
It affects Mozilla browser versions 0.9x, 1.0, 1.0.1, 1.1 and 1.2 alpha; Netscape 6.x and 7; Galeon 1.2.x and Chimera 0.5.
Mozilla users are urged to disable JavaScript as a temporary workaround until a fix is issued. The flaw lies in HTTP requests (such as an image fetch) launched from a page's "onunload" handler: such a request goes to the server of the page being left and discloses the URL of the page the user is moving to.
Computerworld - Privacy leak reported in Mozilla-based browsers.
A "serious" privacy leak in Mozilla and other browsers based on the open-source technology, such as Netscape and Galeon, discloses users' Web surfing information, according to a recent report.
The Mozilla bug was reported on the Bugtraq mailing list last week by researcher Sven Neuhaus, who said the vulnerability reveals the URL of the page a Web surfer is visiting to the Web server of the last page the user visited. The bug affects Mozilla 1.0, 1.0.1 and 1.1 as well as Mozilla-based browsers such as Netscape 7 and Galeon, Neuhaus said. Older versions of Mozilla could also contain the bug, the researcher added.
According to the report, the vulnerability not only occurs for links followed on the page, but also for manually entered URLs and bookmarks. The problem originates in the HTTP requests that are launched from a page's "onunload" handler, he said.
Although the bug is a couple of months old, Neuhaus said he was disclosing it now to prompt a fix.
b2bQ - The e-Commerce Challenge: Protecting Online Privacy.
Have you ever considered what you're losing in online business by not managing security better? It's estimated that electronic commerce would double if people had greater confidence that their privacy was protected on the Web. In fact, the lack of confidence in privacy outpaces all other concerns--including price and ease of use--in inhibiting people from buying on the Web.
Harris Interactive says 70 percent of consumers worry that their online transactions aren't secure, and 75 percent are concerned that companies will share their personal information with others. Those fears reduced U.S. online purchasing by $15 billion last year, according to the latest consumer research.
That's a huge wasted opportunity--and a very clear message that we have some serious work to do to turn these percentages around.
[ ... ]
The good news is that new technologies coming to market give individuals the power to prohibit or limit others from tracking their movements on the Web. For example, some companies make software that will enable businesses to automate the enforcement of company privacy policies. New standards-based technologies are emerging that allow companies to protect privacy while continuing to offer the personalized e-business services that consumers have come to expect from businesses.
These new enterprise-class privacy management tools allow companies to translate written privacy policies into an electronic description of who can access personally identifiable information and for what purpose. CPOs--chief privacy officers--or other IT managers will be able to monitor access to privacy-sensitive resources, enforce the governing privacy policies on those resources, and produce audit trails and compliance reports. In addition, IT staff will be able to deploy policies written by the company and defined by the end user into the IT systems that store privacy-sensitive information.
[ ... ]
In the end, technology is not the only solution. The answer lies in companies instituting strict practices and behavioral standards--and following them. Privacy is, above all, a question of behavior as much as technology. It's a question of finding the best set of motivators and inducements to meet a simple challenge made more complicated by the networked world, but simple nonetheless. And this is the challenge: consumers want businesses to do more than just pay lip service to privacy policy; they want to see it in practice. The ball is in our court.
BW Online | Is Your Web Site Available in China?
Two Harvard researchers have figured out a way to find out just how extensive Beijing's Internet blacklist is
Can Chinese Net surfers see George W. Bush's home page? Jonathan Zittrain wanted to know. The Harvard Law School professor, working with a first-year student, 22-year-old Ben Edelman, recently started researching policies that governments take to censor the Net, and the pair devised a program that allows them to sit in their Cambridge (Mass.) office and see what China's Web cops are up to.
"Law.com" (requires acceptance of a cookie to see the article, unless you are real quick) - The New New Evidence.
In the year 2000, office workers in the United States exchanged approximately 7 trillion e-mail messages, reports Wired magazine. Just about everyone uses e-mail now, and we are all slowly waking up to the realization that nothing we say in e-mail is private, anything is potentially admissible as evidence, and deleting e-mail doesn't necessarily destroy it.
The smoking gun of the future consists not of fingerprints and gunpowder residue on metal, but of ones and zeroes.
As corporations and law firms rely increasingly on computerized communication and information management, electronic records and files play a greater role -- sometimes a central role -- in litigation. And it's not just e-mail: Key documents can include correspondence, memos, reports and other plain text files; databases and spreadsheets; digital art and photos; medical records, tax returns, Internet browsing patterns, inventory, proprietary mailing lists and any other data that is created or stored on a computer or network of computers.
eWeek - Microsoft to Expand DRM Push With Server.
Microsoft Corp. is pushing further into digital rights management with a plan for a DRM server due to go into beta testing later this year.
[ ... ]
Microsoft's goal is to find a way to incorporate a set of interfaces around DRM and its real-time communications server--code-named Greenwich--into the platform while still being able to develop and charge for solutions or services built on top of that.
[ ... ]
"But, of course, any technology can be twisted and misdirected. Anyone proclaiming to protect assets for others is scary. We typically feel safer guarding our own chicken coop," DeBona said. "We will evaluate Microsoft's DRM offering, with extra attention paid to security. A healthy dose of skepticism never hurts."
John Persinger, an internal network administrator for Source4 Inc., in Roanoke, Va., said Microsoft will likely try to "crush any DRM competition." If successful, that would leave some 80 percent of those "digital assets" in its control, Persinger said. "While I won't use the word 'monopoly,' you can see the dangers of that type of widespread control," he said.
Slashdot | Microsoft Planning Digital Restrictions Server.
Jon James writes "Microsoft is pushing further into digital rights management with a plan for a DRM server due to go into beta testing later this year, eWeek is reporting. Microsoft has already applied for a patent for a DRM operating system but would not say if the DRM server would be based on this. In an interview last week with eWeek, Jim Allchin, Microsoft's group vice president for platforms, said a DRM server is but one of three server infrastructure applications coming next year."
InfoWorld - Headed in reverse.
Suppose you're a software developer with the good habit of keeping an eye on what the competition is doing. And suppose you find a new feature in your competitor's latest release that your customers would probably like. Can you implement a similar feature, or would that make you guilty of violating the "no reverse engineering" clause in your competitor's shrink-wrap license?
Outlandish as it may seem, a recent federal appellate court ruling appears to be saying that you indeed would be guilty of violating a contractual obligation in such circumstances. On Aug. 20, the Federal Circuit Court of Appeals issued a decision in the Massachusetts case of Bowers vs. Baystate Technologies, upholding the enforceability of a standard no-reverse-engineering clause in Bowers' shrink-wrap agreement. Quite simply, if the court's decision truly becomes the law of the land, it has the potential to destroy the software industry in this country.
[ ... ]
What's really important here is not whether Bowers or Baystate/CadKey wins, but the precedent the court is setting with the facts as it presents them. This decision flies in the face of some well-known Federal Circuit Court decisions that have basically said that, in a case like this, the reverse engineering clause would apply only to aspects of Baystate's product that infringed Bowers' intellectual property rights. Instead, this court held federal copyright law would not "preempt or narrow the scope of Mr. Bowers' contract claim. Courts respect freedom of contract and do not lightly set aside freely entered agreements."
The implications of this interpretation of a shrink-wrap license being a real contract are pretty staggering. As Bowers' law firm, Banner & Witcoff, Ltd. of Washington, D.C., put it in a press release after the decision was issued, "This decision is important for software companies that routinely analyze the features of competitors' products when making an improved version of their own product ... a company, which analyzes a competitor's product in violation of a shrink-wrap license agreement, may be liable for substantial damages."
[ ... ]
Still, it's a step in a very dangerous direction. It's somewhat ironic that the court chose to take such a UCITA-like approach to treating a shrink-wrap license as an example of "freedom of contract." I suspect even some of UCITA's biggest supporters will be less than overjoyed with this decision. Under the criteria this court applied, wouldn't Microsoft be as guilty of reverse engineering Netscape to create Internet Explorer as Baystate was of reverse engineering Bowers' product?
Slashdot | Court Addresses Legality of Shrinkwrap Licenses.
NullProg writes "This article here comments on a legal case where a shrink-wrap license may be binding. This is a scary precedent for any developer who has added a feature to their software that is already present in a competitor's version."
San Jose Mercury News By Dan Gillmor- Issues that will shape the Internet.
It took a series of smart decisions to create the Internet as an open network where innovation could thrive, as I noted in this space a week ago. Now let's look at some upcoming decisions that will shape communications for the next 50 years -- and ponder the consequences for openness and innovation if we make the wrong choices this time.
Computerworld New Zealand - Erosion of privacy causes concern.
The Auckland Council for Civil Liberties has "grave concerns" over the atmosphere of increased tolerance to privacy invasion that has developed in the year since September 11.
The most severe consequences are naturally in the US, with, for example, a resurgence of government interest in the FBI's Carnivore email surveillance technology.
New Zealand's environment is rather less aggressive on that front, says ACCL lawyer Graeme Minchin, but the Crimes Amendment No 6 Bill, with its provisions for police and the Security Intelligence Service to intercept digital communications, still gives cause for worry, he says. Pressure to adopt such measures was strengthened in the wake of September 11.
Minchin questions whether new procedures and laws are needed, suggesting there is strong evidence that September 11 happened because of the practical failure of existing security and not the lack of any regulatory or legal measures.
[ ... ]
Civil liberty concerns are also being raised in Europe. Digital rights advocates say European citizens are having their civil liberties stripped away to a far greater extent than people in the US, but that the general public hasn't awakened to the legal changes being pushed through the European Parliament.
The September 11 attacks have been used as an excuse to push through legislation that European, and particularly UK, politicians have been looking at for some time, says Maurice Wessling, spokesman for EDRi (European Digital Rights), a rights group set up to draw attention to the laws being passed in the European Union. Wessling also runs Bits of Freedom, a Netherlands-based group that is part of EDRi.
"A lot of the issues, like data retention, aren't new since September 11, they were planned before. But all the plans now have higher priority and we've seen all kinds of proposals meet less resistance than they would have otherwise," Wessling says.
The Advertiser: Phone tap rate high.
Australian police are tapping telephones at twice the rate of their US counterparts, prompting calls for an agency to oversee the use of listening devices.
CNET NEWS.COM By Declan McCullagh - Microsoft's new deal with Uncle Sam.
Why does the White House refuse to tell Microsoft to get tough on security?
On Wednesday, the Bush administration is scheduled to publish its proposal to increase the security of the Internet. Properly titled the "National Strategy to Secure Cyberspace," it's said to talk with great earnestness about helping home users safeguard their computers, about thwarting online intrusions into business systems, and about providing better training to federal network administrators.
But, according to people familiar with the draft report, it pays scant attention to Microsoft, which has been responsible for more online security woes than any other company in history.
Such an omission would be glaring. Intentional design choices and unintentional bugs in Microsoft Windows, Outlook, Word and Explorer have created vulnerabilities so numerous they've become legendary. Shoddy default settings have practically begged intruders to plunder Windows-equipped PCs. Any serious look at Internet security has to start with the world's largest software company.
But the Bush administration appears to have punted. During an invitation-only briefing last Thursday, a National Security Council official told about two dozen attendees from civil liberties groups and trade associations that the White House had no problem with the Internet's "monoculture" environment. Biologists warn against plant monoculture, which permits pathogens to spread like wildfire. The same principle applies to malicious code and our largely-Microsoft Internet environment.
Computer Economics, a research firm, estimated early this year that the cost for four Windows-based infections--Nimda, Code Red, SirCam and Love Bug--was perhaps $13 billion. And Microsoft IIS servers are typically defaced at perhaps four times the rate of servers running open-source Apache software.
Culture News from Wired News - A Call to Jail the Spammers.
It's a torrent, a flood, an avalanche. It clogs servers and makes gigabit fibers perform like dialup modems. It's a cross between the postal service and Darth Vader.
Studies routinely show spam accounting for as much as 50 percent of all e-mail traffic on the Internet. Sadly, spam is everywhere.
If the trend continues, spam may soon disrupt the usability of the Internet more effectively than any al-Qaida cyberterrorist. The Internet is too important to permit it to be ruined by spam and the trash who generate it.
[ ... ]
Voluntary control attempts, like the milquetoast offerings of the Direct Marketing Association (DMA), are comparatively useless. At best they only impact those legitimate firms that choose to associate themselves with these organizations -- just a drop in the massive spam bucket.
But even as the spam problem has escalated, getting effective laws on the books to prosecute spammers has been an exercise in futility.
[ ... ]
This is not to suggest we throw spammers in jail. As appealing as the thought might be, we need to save space in our institutional cages for corrupt politicians and corporate executives.
Political News from Wired News - Private Info Becoming Plane Truth.
Soon, when travelers pass through an airport's security system, a powerful database will scan their records and rank their terrorist potential. Not surprisingly, some worry the system's not foolproof.
[ ... ]
Initial rollout of what may eventually become the world's largest silicon repository of personal data could be less than 90 days away. As expected, civil liberties groups aren't happy about it.
The Computer Assisted Passenger Prescreening System II (CAPPS II) is designed to scan multiple public and private databases for information on individuals traveling into and out of the United States. The system will feed the results to an analysis application that mathematically ranks travelers' potential as security threats.
A brainchild of the Transportation Department's Transportation Security Administration (TSA), CAPPS II is a quantum expansion of the current system used to identify potential terrorists attempting to board airplanes. In addition to accessing FBI, National Crime Information Center (NCIC) and State Department databases, CAPPS II is expected to spider IRS, Social Security Administration, state motor vehicle and corrections department, credit bureau and bank records.
Scheduled to go into limited service by the year's end, its deployment could be delayed if Congress decides to uproot the TSA and replant it in the Homeland Security Department.
Though the TSA has stated that people whose records are pockmarked with unpaid parking tickets, unfiled tax returns and overdue child-support payments have nothing to fear from CAPPS II when trying to fly from point A to point B, civil liberties advocates aren't so sure.
"A basic issue in privacy is 'function creep,'" said Lee Tien, senior staff attorney for the Electronic Frontier Foundation. "Once a surveillance system is put in place for a particular function, for example, aviation security ... it can be used for many other functions as well. We've seen this with Social Security numbers on the government side and, of course, with customer databases on the private side."
[ ... ]
Tien notes that CAPPS II also raises backend issues such as an individual's right to view and correct errors in files and securing the database against hacking by outsiders and misuse by insiders.
Technology News from Wired News - Video-Conferencing Hole Exposed.
Several popular video-conferencing systems are found to have a hole that could allow malicious hackers to snoop and distribute private broadcasts.
The Australian: We're bugged more than US.
Police are being given authority to tap telephone conversations at such an unprecedented rate that Australians are 20 times more likely to be bugged than Americans.
But despite the rate of tapping increasing ninefold over the past decade, the ability of Australian authorities to secure convictions as a result of listening to telephone calls is lower than in the US.
In the past four years alone, the number of phone-tap warrants approved by the courts and the Administrative Appeals Tribunal has tripled from 675 to 2157 - one-third more than all state and federal taps approved in the US.
Sydney Morning Herald - Rampant phone tapping puts US in the shade.
Australian authorities use telephone taps at 20 times the rate of their counterparts in the United States, figures that the Opposition says raise concerns about privacy and oversight of call tapping.
With legislation before Parliament to give ASIO greater policing powers, Labor says the phone-tap figures call into question whether law enforcement agencies need their powers bolstered.
Figures released by the Federal Opposition, and taken from annual reports of the United States and Australian governments, show that in the financial year ending in June 2001, more than 2150 warrants were issued for phone taps in Australia, but only 1490 in the US. Taking into account the population difference - 284 million compared to just over 19 million - Australia's rate of phone interception was 20 times that of the US.
The data also reveals that the number of phone taps used in Australia has increased threefold in four years, and ninefold in just over a decade.
Slashdot | Your Rights Online - Australia Taps More Phones Than Entire U.S..
An anonymous reader writes "Last year Australian authorities tapped more phones than all United States authorities combined. Australian phones were tapped at 20 times the rate of phones in the US according to this article in the Sydney Morning Herald. The fact was revealed during a debate in the Australian parliament. The government is attempting to pass new legislation to make it even easier for the country's domestic spy agency ASIO to tap phones." --- Update: 09/16 14:07 GMT by T: Julian Assange writes --- "The Australian is also running the story and has better stats." --- Thanks for the link.
Slashdot | Cryptogram: AES Broken?
bcrowell writes "The latest CryptoGram reports that AES (Rijndael) and Serpent may have been broken. The good news is that when cryptographers say 'broken' they don't necessarily mean broken in a way that is practical to exploit right now. Still, maybe we need to assume that any given type of crypto is only temporary. All of cryptography depends on a small number of problems that are believed to be hard. And all bets are definitely off when quantum computers arrive on the scene. Maybe someday we'll look back fondly on the golden age of privacy."