Friday, December 2, 2005


News Item 4323 ModSecurity 1.9 article on O'Reilly Network.


My article ("What's New in ModSecurity"), which describes the most important improvements in 1.9, has just been published on O'Reilly Network. It covers the rule engine enhancements, real-time audit log aggregation facilities, and the stateful request monitoring features. It's a good read if you've been running 1.8.x and want to catch up.

[Web Security Blog]
2:27:55 PM

News Item 4322 Don't Call It Spyware.

Don't Call It Spyware. First the company that created Gator was considered a scourge. Now it's a rising star -- selling virtually the same product. How a pop-up pariah won the adware wars. By Annalee Newitz from Wired magazine. [Wired News]
2:24:52 PM

News Item 4321 Freedom to Tinker - Blog Archive - The DMCA Should Not Protect Spyware

Yesterday was the deadline to submit requests for limited exemptions from the DMCA's ban on circumvention of access control technologies. This happens every three years. Alex Halderman and I submitted a request, asking for an exemption that would allow the circumvention of compact disk copy protection technologies that have certain spyware-ish features or create security holes. We'd like to thank Aaron Perzanowski and Deirdre Mulligan of the Samuelson Clinic at UC Berkeley, whose great work made this possible.

Many people decided not to submit exemption requests in this round, because of the way previous rounds have been handled. For example, the EFF argues that the process is so strongly tilted against exemptions, and the Copyright Office tries so hard to find excuses not to grant exemptions, that there is no point in asking for one. Even Seth Finkelstein, the only person who has had any real record of success in the process, decided to sit out this round. I submitted requests for research-related exemptions in 2000 and 2003; and having seen how those requests were handled, I sympathize with the skeptics' position.

Nevertheless, I think it's worth asking for this exemption, if only to see whether the Copyright Office will acknowledge that copy protection technologies that install spyware or otherwise endanger the security or privacy of citizens are harmful. Is that too much to ask?


2:19:28 PM

News Item 4320 Researchers Want Right to Bypass Protected Spyware.

Researchers Want Right to Bypass Protected Spyware.    Dotnaught writes "Computer security researchers Professor Edward Felten and Alex Halderman have asked the U.S. Copyright Office for an exemption (pdf) to the Digital Millennium Copyright Act (DMCA) so that they can circumvent copy protection technology used to protect spyware. The DMCA currently makes it illegal to bypass digital locks almost regardless of what they protect or the user's intent. As noted by the Electronic Frontier Foundation, the Copyright Office theoretically grants exemptions, but in reality discourages anyone from asking. What's significant about the application submitted by Felten and Halderman is that they knew about the dangers posed by Sony's XCP DRM software a month before the news became public. But they delayed publication for fear of prosecution. During that time, many more consumers fell victim to the spyware propagated by Sony."   [Slashdot]
2:16:40 PM

News Item 4319 Homeland security becomes the biggest market opportunity since the dot-com boom

Economics 101: Exploiting Fear. Homeland security becomes the biggest market opportunity since the dot-com boom. By Evan Ratliff from Wired magazine. [Wired News]
2:11:31 PM

News Item 4318 New FCC report advocates a la carte TV pricing | CNET News.com

Viewers of cable and satellite TV may soon have the option of subscribing to only the channels they want to watch, if the Federal Communications Commission gets its way.

On Tuesday FCC chairman Kevin Martin spoke to a forum, sponsored by the U.S. Senate Commerce Committee in Washington, which has been examining indecency on radio and television. Martin told the forum that the FCC will soon release a report that concludes that offering TV programming a la carte is economically feasible and in the best interest of consumers.

Today, instead of subscribing to the channels they want to watch, cable and satellite TV consumers must buy packages that include a standard set of channels.

The new report, not yet released, contradicts an FCC report published in November 2004, under then Chairman Michael Powell. The earlier report concluded that a la carte and tiered pricing models, such as a family tier, would result in higher cable prices.

"I had many concerns with this (earlier) report, including the logic and some of the assumptions used," Martin said during his testimony to the Senate forum. "I asked the media bureau, as well as our chief economist, to take a more thorough look at the issue. The staff is now finalizing a report that concludes that the earlier report relied on problematic assumptions and presented incorrect and incomplete analysis."


2:09:44 PM

News Item 4317 FCC Report Supports a la Carte TV Pricing.

FCC Report Supports a la Carte TV Pricing. An anonymous reader writes "The FCC may soon allow cable/sat companies to sell individually customized TV channel packages. From the article: ' FCC chairman Kevin Martin spoke to a forum, sponsored by the U.S. Senate Commerce Committee in Washington, which has been examining indecency on radio and television. Martin told the forum that the FCC will soon release a report that concludes that offering TV programming a la carte is economically feasible and in the best interest of consumers.'" [Slashdot]
2:06:52 PM

News Item 4316 Trojan exploits unpatched IE flaw | The Register

The release of a Trojan that exploits an unpatched IE hole has prompted speculation that Microsoft may release an emergency out-of-cycle security patch. The Delf-DH Trojan downloader uses an Internet Explorer vulnerability to infect unprotected Windows users who stray onto maliciously constructed websites. Delf-DH downloads other malware onto infected machines, changing settings in order to monitor user activity and redirect surfers onto porn sites.

The attack relies on a flaw in the way IE handles requests to the window() object, highlighted by proof-of-concept code last week and now used in anger by VXers. Even fully patched Windows 2000 and Windows XP systems are vulnerable. Until a patch is available to address this vulnerability, US-CERT strongly encourages Windows users to disable Active Scripting.


2:03:14 PM

News Item 4315 Trojan Exploits Unpatched IE Flaw.

Trojan Exploits Unpatched IE Flaw. onebuttonmouse writes "The Register reports on a trojan spotted in the wild that takes advantage of the so-far unpatched IE vulnerability mentioned on Slashdot earlier this week. From the article: 'The release of a Trojan that exploits an unpatched IE hole has prompted speculation that Microsoft may release an emergency out-of-cycle security patch. Delf-DH downloads other malware onto infected machines, changing settings in order to monitor user activity and redirect surfers onto porn sites. The attack relies on a flaw in the way IE handles requests to the window() object.'" [Slashdot]
2:00:37 PM

News Item 4314 Why can't Microsoft just patch everything? | George Ou | ZDNet.com

Apple, Mozilla, and Oracle have all recently been plagued with significantly more vulnerabilities and flaws than Microsoft, but Microsoft seems to be the only one that leaves a few vulnerabilities unpatched here and there. Granted that almost all of these unpatched problems are minor to moderately minor problems, but it leaves the perception that Microsoft leaves holes in their software and just doesn't care enough to patch all their flaws. Take this detailed comparison of Firefox versus Internet Explorer: it clearly shows Microsoft having fewer vulnerabilities this last year but far more vulnerabilities unpatched; that's 6 (7 if you count this latest serious vulnerability) unpatched flaws for IE 6 and 0 for Firefox. Even though Firefox has been hit with many more vulnerabilities compared to IE, Firefox proponents can take the high road and claim victory because at least their vulnerabilities are patched.

If we look at Secunia's database for Windows XP vulnerabilities, we see that 22% of the vulnerabilities are unpatched. Although most of these issues are minor or moderate, the most serious one is "highly critical". It boggles my mind how Microsoft could allow this to badly mar their vastly improved security record with Windows XP SP2, Windows 2003 Server, and IIS 6.0. With Microsoft's delicate reputation on security, you would think that some Product Manager would be cracking some heads open somewhere in Redmond over this. IT Managers and CIOs should be giving their Microsoft Rep an earful over this.

1:57:44 PM

News Item 4313 Why Can't Microsoft Just Patch Everything?

Why Can't Microsoft Just Patch Everything? paneraboy writes "If smaller software companies can patch all of their bugs serious or minor, ZDNet's George Ou asks, why can't Microsoft -- with its massive army of programmers and massive budget -- patch all of its vulnerabilities? Had Microsoft fixed a low risk browser vulnerability six months ago, perhaps we could have avoided last week's zero-day exploit. Currently, more than two dozen Windows XP issues remain unpatched. Ou thinks Microsoft ought to fix them all." From the article: "Almost 4 years after the launch of Trustworthy Computing, I found myself wondering why am I staying up till 4:00 AM to deliver an emergency set of instructions (Home and Enterprise) to my readers because Microsoft felt it unnecessary to patch a flaw six months ago that was originally low risk but mutated into something extremely dangerous." [Slashdot]
1:53:12 PM

News Item 4312 Firefox 1.5 has hit the servers for Download.

Firefox 1.5 Is Ready for Download. Mozilla adds cool new features to the browser. Plus: Free tool called Rollyo lets you roll your own search. From the Wired News blog Monkey Bites. [Wired News]

Editor: If you use GreaseMonkey or any other extensions, you might want to wait a bit for them to catch up.

1:49:18 PM

News Item 4311 LXer: Preventing DVD Playback on Linux Like Prohibition in the 1920's

The Digital Millennium Copyright Act of 1998 has much in common with the 18th Amendment. It attempts to enforce an absolute value advantage where none exists and eventually prohibits mutually beneficial exchanges.

All those who have lined up on the side of Microsoft will soon discover that they are fighting battles they can never win. So they stoop to creating the BSA, influencing politicians and undermining whoever they perceive as their enemies.


1:45:50 PM

News Item 4310 RIAA vs Linux and DVDs.

RIAA vs Linux and DVDs. PlayfullyClever writes "The entertainment industry has put itself on the fast-track to destruction, using well-proven tactics as explained in Preventing DVD Playback on Linux Like Prohibition in the 1920's. Are their heavy-handed tactics to lock up and control everything we touch signs of plain old human stubbornness?" Or, more likely, greed. [Slashdot]
1:42:39 PM

News Item 4309 DSW to beef up computer security in FTC settlement.

DSW to beef up computer security in FTC settlement. Shoe retailer DSW Inc. agreed to improve its computer security to settle charges that it did not adequately protect customers' credit cards and checking accounts, the Federal Trade Commission said. [Computerworld Privacy News]
1:36:50 PM

News Item 4308 DMA - Online Shoppers Concerns: ID Theft, Spam, and Spyware: Survey

TRUSTe, the independent online trust authority, and TNS announced the results of their 2005 Holiday Shopping/Online Trust Survey. It revealed that while 78 percent of American Internet users plan to conduct some shopping online this year, 69 percent of those shoppers will limit their online purchasing because of fears associated with misuse of personal information. The 1,005 consumers surveyed also indicated that concerns about privacy issues will deter more than 40 percent of consumers from shopping at smaller online retailers.

The survey, conducted by TNS and sponsored by TRUSTe, indicates that based on these concerns, 22 percent of shoppers will not make any purchases online and an additional 14 percent will substantially limit their online spending. Among those willing to use e-commerce, nearly 42 percent prefer using the large, well-known online brands they believe will keep them safer from privacy-related threats.

"More than three out of four shoppers feel more comfortable purchasing at sites that display a privacy statement or privacy seal. Among these consumers, two-thirds are more likely to stick with well known brands because they fear that lesser known e-tailers might misuse their personal information," said David Stark, North America privacy officer of TNS. "The data overwhelmingly show that privacy concerns continue to hinder the growth of e-commerce."

1:35:06 PM

News Item 4307 HOTELS magazine - Eateries, inns meet privacy concerns

As people become more conscious of their privacy--even while in public places--restaurants and ryokan inns are coming up with ways to keep their guests happy and find a new niche for their businesses.

[...]

The domestic hotel industry is holding its breath as foreign hotels are expected to open one after another in 2007. Creating these kinds of private environments might just be one strategy to compete with their foreign counterparts.


1:33:18 PM

News Item 4306 Executive Wants to Charge for Web Speed.

A senior telecommunications executive said yesterday that Internet service providers should be allowed to strike deals to give certain Web sites or services priority in reaching computer users, a controversial system that would significantly change how the Internet operates.
[Public Knowledge - Breaking News]
1:21:46 PM

News Item 4305 Diebold, North Carolina, and the Immaculate Certification.


On Monday, EFF went to superior court in North Carolina in order to challenge e-voting recidivist Diebold and their attempt to skirt the state's strong new election transparency rules. Diebold pleaded with the court for an exemption from the statute's requirement to escrow "all software that is relevant to functionality, setup, configuration, and operation of the voting system" and to release a list of all programmers who worked on the code because... well... it simply couldn't do it. It would likely be impossible, said Diebold, to escrow all of the third party software that its system relied on (including Windows).

What a difference a few days make.

Despite Diebold's asserted inability to meet the requirements of state law, the North Carolina Board of Elections today happily certified Diebold without condition. Never mind all of that third party software. Never mind the impossibility of obtaining a list of programmers who had contributed to that code.

And never mind the Board of Elections' obligation to subject all candidate voting systems to rigorous review before certification:

"Prior to certifying a voting system, the State Board of Elections shall review, or designate an independent expert to review, all source code made available by the vendor pursuant to this section and certify only those voting systems compliant with State and federal law. At a minimum, the State Board's review shall include a review of security, application vulnerability, application code, wireless security, security policy and processes, security/privacy program management, technology infrastructure and security controls, security organization and governance, and operational effectiveness, as applicable to that voting system."

(See updated 163-165.7(c)).

What's next? As a result of EFF's successful court challenge on Monday, Diebold is still on the hook for criminal and civil liability for failing to meet the escrow and programmer disclosure requirements of the statute. But as today's developments indicate, the North Carolina state government apparently doesn't have the stomach to resist the full-court press of Diebold, even if it means utterly ignoring statutory obligations.

[EFF: Deep Links]
1:20:17 PM