Monday, August 25, 2003
Slashdot | "Ask Slashdot" - Is Linux as Secure as We'd Like to Think?
man_of_mr_e asks: "With all the recent brouhaha about Blaster and Sobig, there's been a lot of talk about how poor Windows security is, especially compared to the Linux we all know and love. But is this really true? The website defacement archive at Zone-h shows that Linux accounts for 61% of the defacements in the last 24 hours (note, this figure changes, so it might be different when you view it). An analysis of the last few weeks of their archive shows a similar percentage of exploited Linux systems. Note also that the 'Unknown' category is rather high, and certainly contains at least some Linux systems, further increasing the percentage. Why is this? Are we just deluding ourselves about our own security? Could there be a Linux 'Blaster' just waiting to happen?" --- While "defacements" don't necessarily mean "root level break-in", sometimes getting your foot in the door is enough. If this happens, wouldn't Linux then be just as exploitable as Windows? Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?
Business Travel News - NBTA Attendees Sweat Out The Stagnant Economy At Dallas Show.
On the operations front, Anderson said airport security "really is top notch in the United States today" and advocated both a trusted traveler program and the second-generation Computer Assisted Passenger Prescreening System, known as CAPPS II. He added that the federal Transportation Security Administration's security process at airport checkpoints "needs to be done in 10 minutes consistently around the United States."
Buyers and suppliers continued to seek the real value of negotiated airline contracts. "We look at discounts as a form of investment," said Steve Praven, United Airlines director of global accounts, during the NBTA aviation committee presentation. "We look for a return, for share shift. Everything we have been through in the past two years shows our programs work and provide value." Even so, "we have been our own worst enemy," said Delta Air Lines general manager of corporate national sales Bob Somers, referring to airlines' ability, or inability, to manage account performance. "If accounts are not performing, they will be terminated or adjusted." Though travel managers have heard that threat for 18 months or more, Somers said, "You will see a lot more of that in the future."
DontSpyOnUs :: Papers, Please! - CAPPS II Back From the Dead.
Galileo Will Be Opening Up A Dossier On You
To the Department of Homeland Security, you are no longer an American, you are a potential terrorist. Soon, anyone who books a flight through the Galileo Computerized Reservation System will have a nice fat file opened up on them. In another test of a new Orwellian airline security program by the Department of Homeland Security's Transportation Security Administration, Galileo will be facilitating background checks on anyone using its system.
dc.internet.com August 18, 2003 - CAPPS II Critic Launches New Campaign.
Bill Scannell, a former journalist turned political activist who helped put a serious dent in the government's first efforts at implementing the controversial Computer Assisted Passenger Prescreening System (CAPPS II), is launching a new website aimed at further derailing the program.
In late July, the Department of Homeland Security issued new guidelines for the program aimed at defusing the firestorm of criticism that followed the March disclosures that the Transportation Security Administration (TSA) planned to scan government and commercial databases for potential terrorist threats when a passenger makes flight reservations.
Working Knowledge, MA - HBS Working Knowledge: Marketing: Should You Sell Your Privacy?
Regulation won't stop privacy invasion, says HBS professor John Deighton. What will? What if companies paid us to use our identity? A market approach to privacy problems.
It's a startling idea: Instead of relying on regulators to protect our privacy against telemarketers, data miners, and consumer companies, we should capitalize on the value of our personal information and get something of value in return.
That is the idea put forward by HBS professor John Deighton in a recent working paper, Market Solutions to Privacy Problems? And what would consumers get in return for their personal information? Money perhaps, or price discounts, better customer service, maybe products tailored specifically to their needs.
His point: The information that is gathered about you by stores, researchers, and credit agencies belongs to those companies, not to you. They in turn resell that information to others. So if our personal information is such an asset, shouldn't we benefit from our asset as well? Why shouldn't intelligent consumers sell their identities to stores they trust? And wouldn't those trusted stores in return be motivated to use that information wisely?
"The challenge is to give people a claim on their identities while protecting them from mistreatment," says Deighton. "The solution is to create institutions that allow consumers to build and claim the value of their marketplace identities, and that give producers the incentive to respect them."
We asked Deighton to elaborate on his ideas.
An Unpatriotic Act.
Attorney General John Ashcroft has embarked on a charm offensive on behalf of the USA Patriot Act. He is traveling the country to rally support for the law, which many people, both liberals and conservatives, consider a dangerous assault on civil liberties. Mr. Ashcroft's efforts to promote the law are misguided. He should abandon the roadshow and spend more time in Washington working with those who want to reform the law.
When the Patriot Act raced through Congress after Sept. 11, critics warned that it was an unprecedented expansion of the government's right to spy on ordinary Americans. The more people have learned about the law, the greater the calls have been for overhauling it. One section that has produced particular outrage is the authorization of "sneak and peek" searches, in which the government secretly searches people's homes and delays telling them about the search. The House last month voted 309 to 118 for a Republican-sponsored measure to block the use of federal funds for such searches.
Congressional opponents of the act, on both sides of the aisle, are pushing for other changes. A Senate bill, sponsored by Lisa Murkowski, an Alaska Republican, and Ron Wyden, an Oregon Democrat, addresses many of the law's most troubling aspects. One provision would make it harder for the government to gain access to sensitive data, including medical and library records, and records concerning the purchase or rental of books, music or videos.
[ ... ]
One member of Congress, Representative John Conyers Jr., a Michigan Democrat, has charged that Mr. Ashcroft's lobbying campaign, in which United States attorneys have been asked to participate, may violate the law prohibiting members of the executive branch from engaging in grass-roots lobbying for or against Congressional legislation. Legal or not, the campaign seeks to shore up a deeply flawed piece of legislation. The Patriot Act is the Bush administration's attempt to make the country safe on the cheap. Rather than do the hard work of coming up with effective port security and air cargo checks, and other programs targeted at actual threats, the administration has taken aim at civil liberties.
C-SPAN Passenger Screening and Privacy Concerns.
Broadcast was live at 10 AM (1.5 hours long). Keep an eye out for a repeat broadcast.
Forum - American Civil Liberties Union - Washington, District of Columbia (United States)
ID: 177894 - 08/25/2003 - 1:30 - No Sale
Participants:
Keene, David, Chairman, American Conservative Union
Norquist, Grover, President, Americans for Tax Reform
Barr, Bob, U.S. Representative, R-GA
Murphy, Laura, Director, American Civil Liberties Union, Washington, DC
Shelton, Hilary, Director, NAACP, Washington Office
Dempsey, Jim, Executive Director, Center for Democracy and Technology
O'Reilly Network: Postfix: A Secure and Easy-to-Use MTA.
Postfix was developed as a replacement for Sendmail and is known to compile on almost every flavor of Unix, including Mac OS X. Wietse Venema, the program's founder and a security specialist, spent several years developing the application while working as a researcher at IBM's T.J. Watson Research Center. Postfix was first released by IBM in December 1998 under the name Secure Mailer and was dubbed IBM's Christmas present to the Internet. It became especially popular during the Linux revolution among enthusiasts who were looking for open source code that would compile on a free operating system.
Postfix attempts to be fast, easy to administer, and secure, while at the same time being compatible enough with Sendmail so as not to upset existing users. Thus, the outside has a Sendmailish flavor, but the inside is completely different. With this in mind, let's take a closer look at Postfix.
Postfix has a distinctive internal structure: instead of one large privileged program, it is a set of small cooperating daemons with separate jobs, most of which run without root privileges. It supports SASL v1/v2, SSL/TLS, Berkeley DB 3, MySQL and LDAP. Its daemons can also run chrooted into the mail queue directory, but this is configured per service in the chroot column of master.cf rather than being unconditional, so check that file instead of assuming every daemon is jailed. First-time users will benefit from a single, easy-to-understand configuration file (main.cf) written in plain English, unlike the archaic, cryptic Sendmail counterpart. Most defaults are set to sensible values, so you typically need to set only two or three parameters (such as myhostname, mydomain and mydestination) before first use. Advanced users will benefit from hundreds of additional options and a wide range of add-on software.
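As an added example (not code from the O'Reilly article or from Postfix itself), the following Python script parses a master.cf and reports which network-facing services are not running chrooted, and which services are marked chrooted even though Postfix documents them as unable to run that way. The master.cf text is constructed for the example. Because a '-' in the chroot column means "use the default", and that default changed from 'y' to 'n' in Postfix 3.0, the parser takes the default as a parameter; pass the one that matches your installation.

```python
"""Audit which Postfix services in master.cf run chrooted.

Added example for this page; not code from Postfix or from the article above.
master.cf has one entry per service with eight whitespace-separated columns:
service, type, private, unpriv, chroot, wakeup, maxproc, command + args.
A '-' means "use the default"; the chroot default is 'y' before Postfix 3.0 and
'n' from 3.0 on. Lines that start with whitespace continue the previous entry.
"""

# Constructed sample, not copied from any real installation. Its header comment
# shows the pre-3.0 defaults, so '-' in the chroot column means chrooted here.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
smtp      unix  -       -       -       -       -       smtp
local     unix  -       n       y       -       -       local
proxymap  unix  -       -       n       -       -       proxymap
"""

# Daemons that the stock master.cf comments say must not be chrooted: they need
# the real filesystem and user database (local delivery, pipes to commands, ...).
CANNOT_CHROOT = {"local", "pipe", "virtual", "proxymap"}


def parse_master_cf(text, chroot_default="y"):
    """Return one dict per service entry, with the chroot column resolved to a bool."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # continuation of the previous entry
        else:
            logical.append(raw.strip())

    entries = []
    for line in logical:
        fields = line.split(None, 7)          # the command keeps its arguments
        if len(fields) < 8:
            raise ValueError("malformed master.cf entry: %r" % line)
        name, typ, _private, _unpriv, chroot, _wakeup, _maxproc, command = fields
        if chroot == "-":
            chroot = chroot_default
        entries.append({
            "name": name,
            "type": typ,                       # inet = listens on the network
            "chrooted": chroot.lower().startswith("y"),
            "program": command.split()[0],
        })
    return entries


def unchrooted_network_services(entries):
    """Network-facing (inet) services that run outside the chroot jail."""
    return [e["name"] for e in entries if e["type"] == "inet" and not e["chrooted"]]


def impossible_chroots(entries):
    """Services marked chrooted that Postfix documents as unable to run chrooted."""
    return [e["name"] for e in entries if e["chrooted"] and e["program"] in CANNOT_CHROOT]


if __name__ == "__main__":
    for default in ("y", "n"):
        entries = parse_master_cf(SAMPLE_MASTER_CF, chroot_default=default)
        print("chroot default %s: unchrooted inet services %s, impossible chroots %s"
              % (default, unchrooted_network_services(entries), impossible_chroots(entries)))
```

On a real server, feed it the contents of /etc/postfix/master.cf. In the sample, the public smtp listener is explicitly not chrooted, while the local delivery agent is marked chrooted and would fail to deliver; both are the kind of thing `postfix check` will not catch for you.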
Slashdot | Postfix: A Secure and Easy-to-Use MTA.
BSD Forums writes "On March 3rd, 2003, Internet Security Systems, in cooperation with the Department of Homeland Security, issued a warning regarding a hole found in Sendmail. The warning, echoed by CERT, warned system admins that any version lower than 8.12.8 was vulnerable to a serious root exploit. Sendmail has a long history of security holes, most of which have been thoroughly documented on security sites. While Sendmail runs half the mail servers in the world, there are smaller and easier-to-use mail transfer agents (MTAs). Network administrator Glenn Graham demonstrates how Postfix gives you most of the power with a fraction of the pain."
San Diego Union Tribune, CA - Aug 19, 2003 - Financial privacy bill breezes, Davis will sign.
SACRAMENTO - Landmark legislation that would give Californians greater control over their personal financial information sped through the Legislature in a dizzying 24 hours and is on its way to the governor.
With Gov. Gray Davis' signature a lock, privacy rights advocates are prepared to carry the fight to Congress where the financial services industry is waging a ferocious campaign to preempt regulations imposed by states independently.
"We need to look to the California congressional delegation to take the torch," said Shelley Curran, a lobbyist for Consumers Union.
Banks and insurers had used their considerable clout to beat back curbs on how they share customers' financial data for four years, but were recently boxed in by a one-two punch thrown by a federal court judge and a Silicon Valley entrepreneur who was on the verge of taking the issue directly to voters.
In self-defense mode, banks and insurers unleashed their legislative allies to vote for a compromise carried by Sen. Jackie Speier, D-Daly City.
Always On - Free Certificates! Doesn't everyone have a right to privacy?
If you've ever built a website that collects credit card or personal information, then you understand the importance of securing that communication with a digital certificate. If you work for a large corporation that sells its catalog items online, no problem: just fork over $500, $800 or $1,000 of its money to a company like Verisign and, voilà, you have your own digital certificate. But let's say you are a small business that wants to give your customers access to sensitive information on your website. Can you afford the cost of a digital certificate? Probably not. Which raises the question: should only large corporations have a right to privacy? CAcert Inc (cacert.org) doesn't think so.
San Francisco Chronicle, CA - Editorial Op-Ed - Part II of a privacy plan.
The California Assembly, having just approved the nation's strongest financial-privacy protections, now has a chance to take another vital step in consumer protection.
SB27, by state Sen. Liz Figueroa, D-Fremont, would require businesses to disclose -- upon customer request -- where they have shared confidential information for direct-marketing purposes.
The financial-services industry is reportedly working behind the scenes for an amendment to exempt banks from the Figueroa bill. Their argument is that the passage of SB1, state Sen. Jackie Speier's bill to give consumers a right to block such information sharing, makes the Figueroa bill unnecessary.
We disagree. The two bills are complementary. Californians have made it plain that they are fed up with the unauthorized sharing of their personal information. They should have a right to know about it and they should have a right to stop it.
Business News from Wired News - BlackBerry Reveals Bank's Secrets.
When a computer consultant buys a used wireless pager -- once the property of a former Morgan Stanley executive -- on eBay, he ends up with an unexpected bonus: a trove of sensitive corporate data.
[ ... ]
After popping a battery into the BlackBerry's back panel, Sacks discovered a few things the previous owner wouldn't have wanted him to see -- more than 200 internal company e-mails from financial services firm Morgan Stanley and a database of more than 1,000 names, job titles (from vice presidents to managing directors), e-mail addresses and phone numbers (some of them home numbers) for Morgan Stanley executives worldwide.
It was all there to read, Sacks said, the minute he turned on the device.
[ ... ]
The incident serves as a cautionary tale about the ways companies fail to manage sensitive data despite public assurances to the contrary. It also shows how employees who are entrusted with confidential information are often insufficiently trained about the simple yet sophisticated technologies they use.
In addition to personal e-mails that reveal the VP's own Charles Schwab IRA account numbers, the name and phone number of his mother and the amounts he paid for his monthly mortgage, car and Visa bills, the e-mails discuss confidential information about loan terms for Morgan Stanley clients, debt-restructuring strategies for specific companies, preliminary talks for potential merger deals and even some creative ways of interpreting contracts.
TechNews.com part of the Washington Post - Microsoft Windows: Insecure by Design.
Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics.
This is not a coincidence.
The usual theory has been that Windows gets all the attacks because almost everybody uses it. But millions of people do use Mac OS X and Linux, a sufficiently big market for plenty of legitimate software developers -- so why do the authors of viruses and worms rarely take aim at either system?
Even if that changed, Windows would still be an easier target. In its default setup, Windows XP on the Internet amounts to a car parked in a bad part of town, with the doors unlocked, the key in the ignition and a Post-It note on the dashboard saying, "Please don't steal this."
Not opening strange e-mail attachments helps to keep Windows secure (not to mention it's plain common sense), but it isn't enough.
The vulnerabilities built in: Security starts with closing doors that don't need to be open. On a PC, these doors are called "ports" -- channels to the Internet reserved for specific tasks, such as publishing a Web page.
These ports are what network worms like Blaster crawl in through, exploiting bugs in an operating system to implant themselves. (Viruses can't move on their own and need other mechanisms, such as e-mail or floppy disks, to spread.) It's canonical among security experts that unneeded ports should be closed.
Windows XP Home Edition, however, ships with five ports open, behind which run "services" that serve no purpose except on a computer network.
"Messenger Service," for instance, is designed to listen for alerts sent out by a network's owner, but on a home computer all it does is receive ads broadcast by spammers. The "Remote Procedure Call" feature exploited by Blaster is, to quote a Microsoft advisory, "not intended to be used in hostile environments such as the Internet."
Jeff Jones, Microsoft's senior director for "trustworthy computing," said the company was heeding user requests when XP was designed: "What customers were demanding was network compatibility, application compatibility."
But they weren't asking for easily cracked PCs either. Now, Jones said, Microsoft believes it's better to leave ports shut until users open the ones they need. But any change to this dangerous default configuration will only come in some future update.
In comparison, Mac OS X ships with zero ports open to the Internet.
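The article's advice reduces to a check anyone can run: list the sockets the machine is listening on and ask which of them need to be reachable from the network. As an added example (not code from the article), the Python below parses `netstat -an` output into open sockets, drops the loopback-only ones, and flags whatever is not on an allowlist. The sample output is constructed in the Windows XP netstat format, and the port descriptions and the allowlist are assumptions for a stand-alone home PC.

```python
"""Find the sockets a PC is listening on, from `netstat -an` output, and flag
the ones reachable from the network that are not on an allowlist.

Added example for this page, not code from the article above. The sample
output is constructed in the Windows XP netstat format; the port names and the
allowlist are assumptions for a stand-alone home PC.
"""
import re

# Constructed sample of what `netstat -an` prints on Windows. TCP lines carry a
# state column; UDP lines have no state, so every bound UDP socket counts as open.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3347      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1900           *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# Well-known assignments for the ports in the sample, used only for the report.
PORT_NAMES = {
    ("TCP", 135): "RPC endpoint mapper (the interface Blaster attacked)",
    ("TCP", 139): "NetBIOS session / file sharing",
    ("TCP", 445): "SMB over TCP / file sharing",
    ("TCP", 5000): "UPnP device host",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("UDP", 445): "SMB over UDP",
    ("UDP", 1900): "SSDP (UPnP discovery)",
}

# proto, local address, local port, foreign address, optional state
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_sockets(netstat_output):
    """Parse netstat -an text into (proto, port, local_addr) for every open socket."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue                        # header, blank, or an unexpected line
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                        # established/closing connections are not listeners
        found.append((proto, int(port), addr))
    return found


def network_reachable(sockets):
    """Drop loopback-only sockets; 0.0.0.0 and interface addresses accept outside traffic."""
    return [s for s in sockets if not s[2].startswith("127.")]


def unexpected_listeners(sockets, allowlist=frozenset()):
    """Reachable sockets whose (proto, port) is not explicitly allowed, sorted for the report."""
    return sorted((proto, port, addr) for proto, port, addr in network_reachable(sockets)
                  if (proto, port) not in allowlist)


def report(netstat_output, allowlist=frozenset()):
    """One human-readable line per unexpected listener."""
    lines = []
    for proto, port, addr in unexpected_listeners(listening_sockets(netstat_output), allowlist):
        name = PORT_NAMES.get((proto, port), "unknown service")
        lines.append("%s %-5d on %-14s %s" % (proto, port, addr, name))
    return lines


if __name__ == "__main__":
    # Assumed policy: a home PC on the Internet needs none of these; on a trusted
    # LAN you might allow the NetBIOS file-sharing ports and nothing else.
    lan_file_sharing = {("TCP", 139), ("UDP", 137), ("UDP", 138)}
    for line in report(SAMPLE_NETSTAT, lan_file_sharing):
        print(line)
```

Run it against the output of `netstat -an` on the machine in question (on XP, `netstat -ano` also shows the owning process ID, which tells you which service to disable or firewall). Anything the script flags is a door the article is talking about: reachable from outside and not there because you asked for it.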
[ ... ]
Windows XP, by default, provides unrestricted, "administrator" access to a computer. This sounds like a good thing but is not, because any program, worms and viruses included, also has unrestricted access.
Yet administrator mode is the only realistic choice: XP Home's "limited account," the only other option, doesn't even let you adjust a PC's clock.
Mac OS X and Linux get this right: Users get broad rights, but critical system tasks require entering a password. If, for instance, a virus wants to install a "backdoor" for further intrusions, you'll have to authorize it. This fail-safe isn't immune to user gullibility and still allows the total loss or theft of your data, but it beats Windows' anything-goes approach.
Slashdot | Windows Is 'Insecure By Design,' Says Washington Post.
Circuit Breaker writes "A Washington Post article says Microsoft Windows is insecure by design. Quote: 'Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics. This is not a coincidence.'"
Slashdot | Your Rights Online - NZ Spammer Shutdown Makes Big Difference.
lump writes "A notorious spammer, based in New Zealand, who had his name and other personal info released first in a national newspaper, and then on the web, has shut down his operation, citing harassment. What interests me about this case is that, in the 5 or 6 days since he has supposedly stopped operating, I personally have had one (1) spam email, to an address which had previously averaged around fifty per day. Colleagues report a similar reduction in spam. All I can say is 'excellent.' Hate to say it, but in this case, vigilante type action seems to have had the desired result. This needs to be publicised, as anything which slows down spam can only be a good thing."
© copyright 1997-2003 by Paul Hardwick. All rights reserved. All trademarks are the property of their respective owners.
Modified: 8/25/03; 10:24:15 PM
Built: 9/2/03; 12:48:11 AM
URL for current page: http://www.PrivacyDigest.com/2003/08/25