Thursday, December 1, 2005


News Item 4304 Security Flaws Allow Wiretaps to be Evaded.

Security Flaws Allow Wiretaps to be Evaded. An anonymous reader writes  "The New York Times is reporting that a team of researchers led by Matt Blaze has discovered that technology used for decades by law enforcement agents to wiretap telephones has a security flaw that allows the person being wiretapped to stop the recorder remotely. It is also possible to falsify the numbers dialed. The flaws are detailed in a paper being published by the IEEE. Someone who thinks he's being wiretapped can apparently just send a low tone down the line that turns off the recorder. The link has a demo."  [Slashdot: Your Rights Online]
2:54:05 PM

News Item 4303 Security Flaw Allows Wiretaps to Be Evaded, Study Finds - New York Times

The technology used for decades by law enforcement agents to wiretap telephones has a security flaw that allows the person being wiretapped to stop the recorder remotely, according to research by computer security experts who studied the system. It is also possible to falsify the numbers dialed, they said.

Someone being wiretapped can easily employ these "devastating countermeasures" with off-the-shelf equipment, said the lead researcher, Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania.

"This has implications not only for the accuracy of the intelligence that can be obtained from these taps, but also for the acceptability and weight of legal evidence derived from it," Mr. Blaze and his colleagues wrote in a paper that will be published today in Security & Privacy, a journal of the Institute of Electrical and Electronics Engineers.

A spokeswoman for the F.B.I. said "we're aware of the possibility" that older wiretap systems may be foiled through the techniques described in the paper. Catherine Milhoan, the spokeswoman, said after consulting with bureau wiretap experts that the vulnerability existed in only about 10 percent of state and federal wiretaps today.

"It is not considered an issue within the F.B.I.," Ms. Milhoan said.

According to the Justice Department's most recent wiretap report, state and federal courts authorized 1,710 "interceptions" of communications in 2004.


2:52:09 PM
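The flaw the two items above describe is a classic in-band signaling problem: the tap takes both the dialed digits (DTMF) and the call state (an idle tone) from the same audio path the subject controls. The following model is an added illustration, not the researchers' paper, their demo, or any real tap equipment. The idle-tone frequency, thresholds and window length are assumptions chosen for the model; the page says only that a "low tone" stops the recorder. Two constructed calls are run through the same tone detector: an honest call, and one where the subject keys extra digits after setup and then holds the idle tone under the conversation.

```python
import math

SAMPLE_RATE = 8000       # telephone-band audio
FRAME = 800              # 100 ms analysis window, so bins are 10 Hz apart
THRESHOLD = 2000.0       # Goertzel power needed to call a tone "present" (assumed)
IDLE_TONE_HZ = 2010      # ASSUMED in-band "line idle" frequency; the page gives none

# Standard DTMF keypad pairs (low group, high group).
DTMF = {
    '1': (697, 1209), '2': (697, 1336), '3': (697, 1477),
    '4': (770, 1209), '5': (770, 1336), '6': (770, 1477),
    '7': (852, 1209), '8': (852, 1336), '9': (852, 1477),
    '*': (941, 1209), '0': (941, 1336), '#': (941, 1477),
}
LOW_GROUP = (697, 770, 852, 941)
HIGH_GROUP = (1209, 1336, 1477)


def tone(freqs, seconds, amplitude=0.5):
    """Sum of sines at the given frequencies, amplitude shared equally."""
    n = int(SAMPLE_RATE * seconds)
    per = amplitude / len(freqs)
    return [sum(per * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def silence(seconds):
    return [0.0] * int(SAMPLE_RATE * seconds)


def mix(a, b):
    """Superimpose two equal-length signals (the subject talking over an injected tone)."""
    return [x + y for x, y in zip(a, b)]


def goertzel(frame, freq):
    """Power in one DFT bin, computed with the Goertzel recurrence."""
    n = len(frame)
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def dtmf_digit(frame):
    """Keypad digit present in the frame, or None if no valid pair is above threshold."""
    low = max(LOW_GROUP, key=lambda f: goertzel(frame, f))
    high = max(HIGH_GROUP, key=lambda f: goertzel(frame, f))
    if goertzel(frame, low) < THRESHOLD or goertzel(frame, high) < THRESHOLD:
        return None
    return next(d for d, pair in DTMF.items() if pair == (low, high))


def intercept(line):
    """Model tap that derives dialed digits AND call state from the audio it hears.

    Returns (digits logged, frames recorded, frames seen).
    """
    digits, recorded, seen, last = [], 0, 0, None
    for start in range(0, len(line) - FRAME + 1, FRAME):
        frame = line[start:start + FRAME]
        seen += 1
        if goertzel(frame, IDLE_TONE_HZ) > THRESHOLD:
            # In-band idle signal reads as "on hook": the recorder stops,
            # regardless of what else is on the line.
            last = None
            continue
        recorded += 1
        digit = dtmf_digit(frame)
        if digit is not None and digit != last:   # one log entry per key press
            digits.append(digit)
        last = digit
    return ''.join(digits), recorded, seen


def dial(number):
    out = []
    for d in number:
        out += tone(DTMF[d], 0.1) + silence(0.1)   # 100 ms key, 100 ms gap
    return out


def voice(seconds):
    # Stand-in for speech: two low tones that look like neither DTMF nor the idle tone.
    return tone((300, 500), seconds, amplitude=0.3)


def honest_call():
    return dial('5551234') + voice(1.0)


def evasive_call():
    # After setup the subject keys extra digits, which a DTMF-based dialed-number
    # record logs as if dialed, then holds the idle tone under the conversation.
    return dial('5551234') + dial('9998888') + mix(voice(1.0), tone((IDLE_TONE_HZ,), 1.0))


if __name__ == '__main__':
    print('honest :', intercept(honest_call()))    # ('5551234', 24, 24)
    print('evasive:', intercept(evasive_call()))   # ('55512349998888', 28, 38)
```

In the evasive run the logged number is padded with digits the subject never called, and the ten frames of conversation are never recorded because the tap believed the line had gone on hook. The fix is the same as for any in-band signaling weakness: take call state and dialed digits from an out-of-band source the subject cannot write to, not from the audio path.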

News Item 4302 Pentagon spying on Americans

During the 9/11 hearings, administration officials asserted the "wall" between domestic and foreign intelligence agencies was in part responsible for the terrorist attack. Whether or not that was the case, that "wall" has come down in the years since, to the point where some are starting to think about rebuilding.

It's an interesting commentary on post-9/11 America to see just what that means. Earlier this month Senator Wyden (D-OR) placed a "hold" on the Intelligence Authorization bill for 2006 over his concerns. "When Congress steamrolls privacy rights in the name of national security, it's the American people who lose."

That "steamrolling" includes an exemption to the Privacy Act which would allow intelligence sharing between domestic law enforcement agencies (FBI), foreign intelligence agencies (CIA), and the Department of Defense (DoD). "We are deputizing the military to spy on law-abiding Americans in America. This is a huge leap without even a [congressional] hearing," deplored Senator Wyden.

To his credit, kind of, Senator Wyden did force changes. The original legislation allowed agencies to share information after "asserting that the information was relevant to terrorism or weapons of mass destruction." The revision now requires them to explain why the requested information is relevant. The Director of National Intelligence will now have to approve data sharing between agencies, and Congress will receive regular reports all about who is being spied on. Also, military intelligence agents will not be allowed to lie about who they work for when interviewing potential sources of information (interrogating people). Senator Wyden, while still calling for hearings, feels better.


2:35:03 PM

News Item 4301 The Reality-Based Community: Suits and civil libertarians

According to the Wall Street Journal's European edition, the ACLU's lonely fight against extending the Patriot Act has picked up an unexpected ally: the business community, as represented by the U.S. Chamber of Commerce, the National Association of Manufacturers, the National Association of Realtors, and something called the Financial Services Roundtable. The most troublesome provision is the National Security Letter, a sort of latter-day Writ of Assistance under which, without obtaining a warrant or even specifying a reason, the government can demand that firms give up information about their clients' financial activity, Internet usage, and so on, and do without telling the client. (That's right. If someone at DHS decided it would be fun to see what websites you'd visited recently, what you'd charged to your credit card, or what deposits and withdrawals you had made to your bank account, you would never know, even if in the end no charge was brought; in fact, it would be a crime for your ISP to tell you that your records had been rifled.)


2:31:25 PM

News Item 4300 The Miami police have apparently come up with a novel approach to fighting terrorists: Staging high-profile police exercises in public places.

Miami's Terror. The Miami police have apparently come up with a novel approach to fighting terrorists: Staging high-profile police exercises in public places. There is apparently some confusion over how these exercises will affect citizens, since some reports indicate that, as part of the exercise, officers might check the IDs of everyone going in and out of a building, while other sources state that there will be no random checks of identification.

Can the police harass the terrorists without also harassing the law-abiding citizens? We'll see.

[PrivacySpot.com - Privacy Law and Data Protection - nothing but privacy]
2:29:29 PM

News Item 4299 GE Leadership Breakfast Series - government's efforts to update policies on privacy and information security.

Timothy B. Clark , Editor and President of Government Executive, will lead a discussion to examine the government's efforts to update policies on privacy and information security.
2:26:12 PM

News Item 4298 Airline Security a Waste of Cash.

Airline Security a Waste of Cash. The U.S. government squanders millions on failed programs that hope to nab terrorists as they board airplanes. It should be investing in real security that isn't tangled in yesterday's threats. Commentary by Bruce Schneier. [Wired News: Security Blanket]
2:22:43 PM

News Item 4297 Privacy Concerns May Impact Google Analytics

Business is up for one web analytics provider after Google rebranded Urchin and launched a version of it as a free service, and that could be due to privacy questions.


How can free be good for the fee-based competitors in an industry? In the case of Google Analytics, it can be good when potential customers want to know as much about the privacy of their information along with the usefulness of the analytics tool.

MediaPost reported how the CEO of analytics firm ClickTracks, John Marshall, described the Google effect to writer Gord Hotchkiss:

First of all, people don't seem comfortable with the fact that Google is holding all this data about their sites and its performance. "The privacy backlash has expanded in online forums and is creating a groundswell of concerns. Interest in our products is quantifiably higher than before!" wrote John. "Customers are simultaneously aware of Web analytics AND aware of data privacy concerns. The degree to which customers are coming in the doors here at ClickTracks and opening discussions with 'is my data private?' has surprised us."

US customers are not the only ones asking questions about privacy before looking over the shiny sales brochures. Marshall noted that customers in Japan have similar worries about "centralized data collection."

Google does have a lengthy privacy policy in place. The policy is a blanket one that does not specifically address services like Analytics. However, as Nathan Weinberg posted, use of Google Analytics requires the site publisher to have a privacy policy, per the Analytics' terms of service.
2:21:00 PM

News Item 4296 DMCA Triennial Rulemaking: Failing Consumers Completely. ( December 1 is the last day to submit proposals (by 5p EST) to the Copyright Office )

DMCA Triennial Rulemaking: Failing Consumers Completely.

December 1 is the last day to submit proposals (by 5p EST) to the Copyright Office seeking a 3-year DMCA exemption for noninfringing activities that are otherwise squelched by "digital rights management" (DRM) restrictions.

As we mentioned back in October, Congress has instructed the U.S. Copyright Office to consider every three years whether we need temporary exemptions to the DMCA's blanket ban on circumventing "technological protection measures" (aka DRM) used to lock up copyrighted works.

EFF has participated in each of the two prior rulemakings (in 2000 and 2003), each time asking the Copyright Office to create exemptions for perfectly lawful consumer uses for digital media that are encumbered by DRM restrictions. For example, we asked that DVD owners be allowed to skip those "unskippable" ads at the beginning of DVDs. We asked that people who bought copy-protected CDs be allowed to get them to play on their computer. We asked that consumers be allowed to bypass region coding to play a DVD purchased in another part of the world. The Copyright Office rejected all of these proposals.

This year, we are not submitting any proposals. Where consumer interests are concerned, the rulemaking process is simply too broken. For example:

  • No Tools. You can get an exemption for acts of circumvention, but the Copyright Office lacks the power to legalize circumvention tools. So, unless you are an engineer, a computer scientist, or can afford to hire them, you're not likely to be able to take advantage of any exemptions granted.
  • Impenetrable Complexity, Impossible Burdens. In order to effectively participate in the rulemaking, you need to wade through >200 pages of bureaucratic legalese and have a graduate-level understanding of copyright law. You have to persuade the Copyright Office that your activity is noninfringing and gather evidence that demonstrates a "substantially adverse effect" on noninfringing uses beyond "mere inconveniences or individual cases."
  • "Mere Inconvenience" = Ignoring Consumers. Where consumers are concerned, the Copyright Office discounts their concerns as "mere inconveniences." So region coding is no problem, according to the Copyright Office, because you could just buy a separate DVD player from every region. Copy-protected CDs are no problem because you can play them on CD players, even if they won't work in your computer. Where the copyright industries are concerned, in contrast, the Copyright Office presumes that DRM is the only thing that stands between them and financial ruin.
We have assembled a short report documenting why we believe the process is so broken that we have decided not to propose any exemptions this time. (We may support narrower, non-consumer proposals made by others during the reply period, which closes on Feb. 2, 2006.)

If you want to see meaningful DMCA reforms intended to protect the kinds of fair uses that consumers care about, it will have to come from Congress. Fortunately, the DMCRA, H.R. 1201, is pending before Congress right now and would go a long way toward fixing the DMCA/DRM mess (although not all the way, as it fails to address the ban on circumvention tools). Be sure to write your member of Congress urging her to cosponsor it!

[EFF: Deep Links]
2:13:23 PM

News Item 4295 Bloggers Sign up for Safer E-Voting.

Bloggers Sign up for Safer E-Voting.

Rep. Rush Holt's non-partisan e-voting reform bill, H.R. 550 continues to gather support and momentum among individual members of Congress. And rightly so: it's a well-considered package of fixes to the vulnerabilities of electronic voting machines, requiring voter-verified paper ballots, manual audits to confirm that voting machines are operating correctly, better security requirements, full software disclosure, and more. Thousands of EFF supporters have lobbied for the bill; many have joined us in visiting Washington to lobby for the bill in person.

The bill is now waiting its turn in the House Administration Committee. To urge matters along, bloggers are joining with Rep. Holt to petition the committee to vote on it and pass it on to the House. Add your name to the chorus of politicians and citizens calling for better e-voting. Then write to your own representative using our Action Center, and ask him or her to lobby on your behalf. If you write a blog, add your own link to the petition and an explanation of how important verified e-voting will be. Every little push the Holt Bill gets moves us closer to safe and secure e-voting.

[EFF: Deep Links]
2:10:49 PM


News Item 4294 EFF - Smart Card Research Threatened in DirecTV Case.

Smart Card Research Threatened in DirecTV Case.

EFF Fights Heavy-Handed Tactics From Satellite TV Giant

San Francisco - The Electronic Frontier Foundation (EFF) and the Center for Internet and Society Cyberlaw Clinic at Stanford University Law School filed an amicus brief in the Ninth Circuit Court of Appeals Wednesday, asking judges to protect legitimate researchers from the heavy-handed tactics of the DirecTV Group, Inc., a worldwide provider of digital television entertainment, broadband satellite networks and services, and global video and data broadcasting.

Federal law makes it illegal to intercept satellite TV signals without authorization and also bans modifying or assembling interception tools for sale or distribution. In the case before the Ninth Circuit, DirecTV claims that it can sue individuals for both interception of its signal as well as modification of receiving equipment in cases where altered smart cards are simply inserted into standard television equipment. DirecTV claims that inserting a smart card into preexisting television equipment constitutes "assembling" a pirate device. The amicus brief claims that DirecTV is overreaching and also points out that legitimate security researchers would be threatened under the proposed misreading of the law. A lower court has already ruled that DirecTV cannot sue on this theory and dismissed DirecTV's attempt to "double-dip" by punishing individuals twice for a single offense.

"Researchers are constantly assembling, modifying, and building smart card components in furtherance of scientific knowledge and innovation," said EFF Staff Attorney Jason Schultz. "Congress clearly meant to exclude these beneficial activities from any legal liability. The court below understood this, and we hope the Appeals Court agrees."

Over the past few years, DirecTV has orchestrated a nationwide legal campaign against hundreds of thousands of individuals, claiming that they were illegally intercepting its satellite TV signal. The company began its crusade by raiding smart card device distributors to obtain their customer lists, then sent over 170,000 demand letters to customers and eventually filed more than 24,000 federal lawsuits against them. Because DirecTV made little effort to distinguish legal uses of smart card technology from illegal ones, EFF and the Cyberlaw Clinic received hundreds of calls and emails from panicked device purchasers. We worked with DirecTV to get them to limit their lawsuits to only those people they could prove were illegally receiving their signal. The two groups co-sponsor a website at http://www.directvdefense.org to help people defend themselves.

For the full brief filed in the case:
http://directvdefense.org/files/hunyh_amicus_brief_final.pdf

Contacts:

Jason Schultz
Staff Attorney
Electronic Frontier Foundation
jason@eff.org

Jennifer Granick
Executive Director
Stanford Law School Center for Internet and Society Cyber Law Clinic
jennifer@law.stanford.edu

[EFF: Breaking News]
2:08:51 PM

News Item 4293 Why Posting Your Email Address On A Website May Get You Spammed.

Why Posting Your Email Address On A Website May Get You Spammed. Posted by Thomas R. Burke. Email addresses that are available on website pages remain the richest target for spammers who "harvest" addresses using automated systems that easily search for the "@" symbol. In a study released this month by the... [Privacy and Security Law Blog]
2:06:20 PM
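As an added example (not from the blog post or the study it cites), here is what the "search for the @ symbol" harvester the item describes actually amounts to, run over a constructed page that publishes three addresses in three styles. The naive pass is the literal regex-for-@ harvester; the second pass adds the two normalizations a slightly more careful harvester would apply, which is enough to show which of the common obfuscations buy nothing. The page content, address list and the specific normalizations are assumptions for the example.

```python
import html
import re

# Constructed sample page: one plain address, one HTML-entity-encoded "@",
# one spelled-out "[at] / [dot]" address, and two decoys that are not addresses.
SAMPLE_HTML = """
<p>Contact: <a href="mailto:alice@example.org">alice@example.org</a></p>
<p>Press: bob&#64;example.org</p>
<p>Support: carol [at] example [dot] org</p>
<p>Decoy: not-an-address@localhost and user@@example</p>
"""

# The "@ search": local part, "@", a dotted domain with an alphabetic TLD.
ADDRESS_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')


def harvest_naive(page):
    """Literal search for "@" addresses in the raw page source."""
    return sorted(set(ADDRESS_RE.findall(page)))


def harvest_decoding(page):
    """Same search after undoing two cheap obfuscations: HTML entities and [at]/[dot]."""
    text = html.unescape(page)                     # &#64; -> @, &#46; -> . and so on
    text = re.sub(r'\s*\[\s*at\s*\]\s*', '@', text, flags=re.IGNORECASE)
    text = re.sub(r'\s*\[\s*dot\s*\]\s*', '.', text, flags=re.IGNORECASE)
    return sorted(set(ADDRESS_RE.findall(text)))


if __name__ == '__main__':
    print('naive   :', harvest_naive(SAMPLE_HTML))
    print('decoding:', harvest_decoding(SAMPLE_HTML))
```

The entity-encoded and "[at]" forms defeat only the most naive pass; once the harvester normalizes the text first, every address the page contains in any textual form is recovered, while the decoys are rejected by the domain pattern. Obfuscation that leaves the address recoverable by a short regex does not change the outcome the post describes.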

News Item 4292 EU ministers approve biometric ID, fingerprint data sharing.

EU ministers approve biometric ID, fingerprint data sharing.

All this and record retention too!

The European biometric ID card takes another step forward this week, with the European Justice and Home Affairs Council set to approve "minimum security standards" for national ID cards. Alongside this the Council will be roadmapping the rollout of Europe's biometric visa system, which will contain the fingerprints of 70 million people within the next few years, and hearing European Commission proposals for greater sharing of fingerprint data.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
2:03:52 PM

News Item 4291 Apple Update Patches 13 Flaws.

Apple Update Patches 13 Flaws. Apple has issued a bundle of security fixes to mend 13 separate security flaws in several versions of its Mac OS X operating system, including quite a few holes that attackers could use to seize control over vulnerable machines. Nine of the 13 vulnerabilities reside in various Web-facing applications, including the Apache Web server.  [Security Fix]
2:01:01 PM

News Item 4290 Attackers Target Unpatched IE Bug.

Attackers Target Unpatched IE Bug. Microsoft warns of browser flaw that surfaces with Web sites that use JavaScript. [PCWorld.com - Latest News Stories]
1:57:12 PM

News Item 4289 Phishers Pose as IRS Agents.

Phishers Pose as IRS Agents. Security glitch enables hackers to usurp government sites and mislead users into revealing personal data. [PCWorld.com - Latest News Stories]
1:55:17 PM

News Item 4288 HP buys identity vendor.

HP buys identity vendor. HP Wednesday turned a licensing agreement into an acquisition when it signed a deal to buy Trustgenix, which develops a federated identity server. [Identity management news]
1:53:49 PM