LAS VEGAS--Security researchers and black-hat hackers could face legal troubles if they publish detailed information about vulnerabilities and exploits, according to a presentation at a conference here.

Jennifer Granick, director of Stanford University's Center for Internet and Society, warned the audience at the Black Hat security conference late Thursday that they could run afoul of recent laws like the Digital Millennium Copyright Act, as well as centuries-old common law restrictions.

One possible way for researchers to escape liability is to be careful not just of what they say, but how they say it. "How you market what you publish could be just as important as what you're publishing," said Granick, a criminal defense lawyer. "The law may treat that circumstance differently if you're sending this information out to help people."

The federal government says there is new evidence that an attack is being planned on computers using Microsoft's Windows.

The Department of Homeland Security issued an updated advisory this week about possible hacker attacks on computers running Microsoft operating systems. The advisory warns that several working exploits are now in widespread distribution on the Internet.

"These exploits provide full remote system level access to vulnerable computers," the advisory states.

[ ... ]

No worm code has been reported so far. But the Homeland Security Department said there is evidence to show an increase in searches for vulnerable computers on the Internet over the past week. This reinforces the urgency to install patches on computers that use Windows operating systems as soon as possible, the advisory said.

A new mass-mailing virus, which disguises itself as a file sent by a computer user's network administrator, began infecting systems Friday.

The worm, which is being dubbed "mimail," attempts to exploit a vulnerability in Internet Explorer that allows a script to be executed by an infected computer. The worm then tries to use that script to mass e-mail itself, potentially clogging mail servers or slowing down networks, according to antivirus company Symantec.

The arrival of Mimail comes amid heightened fears that a large-scale attack on the Internet could be looming. The federal government warned this week that a widespread flaw in Windows could be used to generate an attack.

NEW YORK, July 31 (UPI) -- Even if the only evidence forensic analysts can pull from a crime scene is a fingerprint smudged beyond recognition, a new technique developed by Canadian scientists soon could harvest enough DNA from the print to produce a genetic identity.

The novel system can extract DNA in only 15 minutes, even if a print has been stored for a year. Scientists expect the invention to help crime-fighters solve mysteries, and already are in talks with the Royal Canadian Mounted Police. In addition, researchers predict the technology could be at least twice as cheap as existing DNA collection methods.

"If you wanted to use blood as a source of DNA, you have fear of contamination, people who don't want to give it, storage issues, and you have to sign a lot of paperwork to get it," research scientist Maria Viaznikova of the Ottawa University Heart Institute in Canada told United Press International. "We can now have DNA reliably and simply with our method."

[ ... ]

Because the method is so simple and cheap, with far less overhead required than needle-based DNA sampling, experts say this could help make DNA gathering a commonplace activity -- thereby also raising privacy issues.

"DNA is unique, extremely revealing about you and your family members," privacy specialist Jay Stanley of the American Civil Liberties Union in Washington, D.C., told UPI. "This advance really highlights the need for laws to protect the privacy in the face of these kinds of technologies."

Stanley said because genetics experts have told him it inevitably will become easier to test DNA, "we need legal frameworks to figure out how to protect privacy in the face of this." For example, silicone chips from biophysicist Stephen Quake's lab at the California Institute of Technology, in Pasadena, could in the next 10 years sequence an entire person's genetic code cheaply and in a few days, he noted.

"I don't think anybody objects to samples from crime scenes. I think using DNA to catch murderers is a fine thing," Stanley said. "But we need to be cognizant of greater implications. We're going to be facing issues about how to keep DNA private from lawyers, governments, insurance companies, even nosy neighbors. It raises issues of employment discrimination, because employers have a natural incentive to hire healthy workers, and always have an incentive to discriminate against you by DNA, as long as health insurance is provided by the workplace."

[ ... ]

Electronic Frontier Foundation staff technologist Dan Moniz said he thinks the technique could be helpful to nab crooks, but he wonders about further implications in law.

"People already have fingerprints taken of them. Will it just become part of the standard booking procedure? Will you be notified that they're taking DNA? Can you refuse to give fingerprints if you don't want DNA taken?" he asked.

Moniz told UPI there are four directions he would like to see the question of DNA collection from prints go. "First, I want to know who's using this technology. I want to be notified right up front, at the police department, hospital, HMO, anything. No surreptitious extraction," he said.

"I should have a right of refusal and I should receive no special treatment if I do refuse it," he continued. "Finally, I should have a clear statement of who has full control of it, to make sure it does not get (contracted) out."

Myriad writes "A Canadian scientist has developed a new way of gathering DNA evidence for analysis using fingerprints. The new test can extract DNA in 15 minutes - even from a print stored for many years and in varying conditions. The patented extraction technique consistently produces ~10 nanograms of DNA. Analysis generally requires 5-10 nanograms, although it is possible with as little as 0.1 nanogram."

W33dz writes "WIRED magazine has released an article detailing the Transportation Safety Administration's latest guidelines for the second-generation Computer Assisted Passenger Prescreening System, or CAPPS II. As outlined in a notice to be published Friday in the Federal Register, CAPPS II will rate every passenger by checking dates of birth, home addresses and phone numbers against commercial databases and the government's terrorist watch lists. This is a pullback from the original plan which called for wide dissemination of data including financial and medical history."