Friday, December 23, 2005


News Item 4574 News from Agape Press - Top Stories of 2005: Privacy Advocate Feels Student Radio Tracking System Sets Bad Precedent

A privacy rights advocate is criticizing the use of radio frequency identification badges to take attendance in some schools.

A school district in Sutter, California, briefly implemented a program that had students carry tags containing what is known as "radio frequency identification" technology, or RFID, in order to help monitor student attendance. The program was a pilot project for a small start-up company called InCom, which had developed its "InClass" system to help elementary and secondary schools automate attendance-taking.

Along with the passive RFID tags attached to student ID card holders, the InClass system uses ultra-high-frequency "readers" mounted in the doorways of school classrooms. As students pass through a doorway, the reader sends the tags' unique ID numbers to a central computer server. A software program installed on the server then collects the tag data and wirelessly uploads a list of present, absent and tardy students (based on when each student enters the classroom) to a personal digital assistant (PDA) device that is issued to the teacher.

The teacher can then perform a visual check on the InClass-generated attendance list. After he or she confirms the information, the list is submitted wirelessly via the same PDA to school administrators, who are required to file attendance records with a state board of education.
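The data flow described above (doorway reads of tag IDs, a server-side roll-up into present/tardy/absent, then a teacher's visual check) as an added example. This is not InCom's InClass software and nothing here comes from the article; the student names, tag IDs, rooms, times, the five-minute tardy grace period and the server-side tag-to-student lookup are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All names, tag IDs, rooms and times below are constructed for this example;
# the article names no real identifiers.


@dataclass(frozen=True)
class TagRead:
    """One event from a doorway reader: which tag, which room, when."""
    tag_id: str
    room: str
    seen_at: datetime


# Hypothetical server-side lookup. The tag itself carries only an ID number;
# the link from ID to a named student lives only here, on the server.
TAG_TO_STUDENT = {
    "E200-0001": "Alice",
    "E200-0002": "Bob",
    "E200-0003": "Carol",
    "E200-0004": "Dave",
}

ROSTER_R12 = {"Alice", "Bob", "Carol", "Dave"}          # enrolled in room R12
CLASS_START = datetime(2005, 12, 23, 9, 0)              # constructed bell time
TARDY_GRACE = timedelta(minutes=5)                      # constructed policy

# Constructed sample of reads collected by the server during one period.
SAMPLE_READS = [
    TagRead("E200-0001", "R12", datetime(2005, 12, 23, 8, 58)),  # Alice, on time
    TagRead("E200-0003", "R07", datetime(2005, 12, 23, 8, 59)),  # Carol, but in another room
    TagRead("E200-9999", "R12", datetime(2005, 12, 23, 9, 1)),   # tag the server cannot map
    TagRead("E200-0002", "R12", datetime(2005, 12, 23, 9, 7)),   # Bob, 7 minutes late
    TagRead("E200-0001", "R12", datetime(2005, 12, 23, 9, 30)),  # Alice re-enters; first read counts
]


def take_attendance(reads, roster, room, class_start, grace, tag_lookup=TAG_TO_STUDENT):
    """Classify each student on `roster` as present, tardy or absent for `room`.

    Returns a dict of sorted lists. A student's earliest read in the room
    decides the status. Tags that cannot be mapped to an enrolled student are
    reported under 'unknown_tags' instead of being silently dropped, so the
    teacher can look into them during the visual check.
    """
    first_seen = {}
    unknown = set()
    for r in reads:
        if r.room != room:
            continue
        student = tag_lookup.get(r.tag_id)
        if student is None or student not in roster:
            unknown.add(r.tag_id)
            continue
        if student not in first_seen or r.seen_at < first_seen[student]:
            first_seen[student] = r.seen_at
    deadline = class_start + grace
    present = sorted(s for s, t in first_seen.items() if t <= deadline)
    tardy = sorted(s for s, t in first_seen.items() if t > deadline)
    absent = sorted(roster - set(first_seen))
    return {"present": present, "tardy": tardy, "absent": absent,
            "unknown_tags": sorted(unknown)}


def apply_teacher_check(report, corrections):
    """Apply the teacher's visual check before the list goes to administrators.

    `corrections` maps student -> final status ('present', 'tardy' or 'absent'),
    e.g. a student who left the badge at home but is visibly in the room.
    """
    statuses = ("present", "tardy", "absent")
    fixed = {k: [s for s in report[k] if s not in corrections] for k in statuses}
    for student, status in corrections.items():
        if status not in statuses:
            raise ValueError(f"unknown status {status!r} for {student}")
        fixed[status].append(student)
    result = {k: sorted(v) for k, v in fixed.items()}
    result["unknown_tags"] = report["unknown_tags"]
    return result


if __name__ == "__main__":
    auto = take_attendance(SAMPLE_READS, ROSTER_R12, "R12", CLASS_START, TARDY_GRACE)
    print("reader-generated list:", auto)
    # Teacher sees Dave in the room without his badge and corrects the list.
    print("after visual check:   ", apply_teacher_check(auto, {"Dave": "present"}))
```

Two design points worth noticing: the reader never needs to know who a student is, only the tag ID, so the ID-to-name mapping can be confined to the server; and a read that the server cannot map is surfaced to the teacher rather than discarded, which is what makes the "visual check" step meaningful.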


1:36:01 PM

News Item 4573 Valuating Privacy.

Valuating Privacy. Because people can easily obtain, aggregate, and disperse personal data electronically, privacy is a central concern in the information age. This concern is clear in relation to financial data and genetic information, both of which can lead to identity abuse and discrimination. However, other relatively harmless information can also be abused, including a person's gender, salary, age, marital status, or shopping preferences. What's unclear is whether it's the fear of such abuse that actually causes people's stated hesitance to reveal their data. [ITPapers.com - Recent Privacy Issues White Papers]
1:32:03 PM

News Item 4572 NYPD's Data Exposed in Hacker Raid.

NYPD's Data Exposed in Hacker Raid. Credit card files not encrypted [GT: Privacy]
1:26:09 PM

News Item 4571 Police Infiltrate Protests, Videotapes Show - New York Times

Undercover New York City police officers have conducted covert surveillance in the last 16 months of people protesting the Iraq war, bicycle riders taking part in mass rallies and even mourners at a street vigil for a cyclist killed in an accident, a series of videotapes show.

In glimpses and in glaring detail, the videotape images reveal the robust presence of disguised officers or others working with them at seven public gatherings since August 2004.

The officers hoist protest signs. They hold flowers with mourners. They ride in bicycle events. At the vigil for the cyclist, an officer in biking gear wore a button that said, "I am a shameless agitator." She also carried a camera and videotaped the roughly 15 people present.

Beyond collecting information, some of the undercover officers or their associates are seen on the tape having influence on events. At a demonstration last year during the Republican National Convention, the sham arrest of a man secretly working with the police led to a bruising confrontation between officers in riot gear and bystanders.

Until Sept. 11, the secret monitoring of events where people expressed their opinions was among the most tightly limited of police powers.

Provided with images from the tape, the Police Department's chief spokesman, Paul J. Browne, did not dispute that they showed officers at work but said that disguised officers had always attended such gatherings - not to investigate political activities but to keep order and protect free speech. Activists, however, say that police officers masquerading as protesters and bicycle riders distort their messages and provoke trouble.

The pictures of the undercover officers were culled from an unofficial archive of civilian and police videotapes by Eileen Clancy, a forensic video analyst who is critical of the tactics. She gave the tapes to The New York Times. Based on what the individuals said, the equipment they carried and their almost immediate release after they had been arrested amid protesters or bicycle riders, The Times concluded that at least 10 officers were incognito at the events.


1:23:44 PM

News Item 4570 If spy court so compliant, why did Bush bypass it?

The highly secretive Foreign Intelligence Surveillance Court approved nearly all of the 1,758 applications last year for covert surveillance of suspected foreign spies and terrorists.

The court's compliant track record raises questions about why President Bush needed to secretly authorize the National Security Agency to eavesdrop on calls and e-mails between American citizens and foreigners overseas without first obtaining a warrant.

The Bush administration formally defended its domestic spying program in a letter sent late Thursday from the Justice Department to the chairmen of the House and Senate intelligence committees. It asserts that the importance of protecting the nation's security since the Sept. 11, 2001, terrorist attacks outweighs the privacy concerns of individuals who are monitored.

Bush himself has argued that authorizing the NSA to spy without a warrant on American communications sent overseas gave law enforcement the ability to move faster.

Many legal experts disagree. They offer several reasons why Bush may have decided to bypass the court since issuing the secret order four years ago and reissuing it more than 30 times.

The most common reason cited is that the eavesdropping program does not meet the threshold of proof. A warrant under the Foreign Intelligence Surveillance Act requires that there is probable cause to believe that a person is acting as an agent for a foreign government or is a terrorist.

"They must want to conduct surveillance of people where they don't have anything close to probable cause that they are agents of a foreign power engaged in preparation for terrorist activities," said Morton Halperin, who helped create the legislation in 1978 that created the FISA court. He is now director of the Washington office of the Open Society Institute, a nonpartisan public policy think tank.

There is no legitimate reason for bypassing the court, Halperin said.

1:17:25 PM

News Item 4569 Lawbreaker in Chief.

Lawbreaker in Chief. President Bush's warrantless wiretapping of American citizens isn't supported by a shred of law, and his attempt to justify it amounts to little more than a confession. Commentary by Jennifer Granick. [Wired News: Security Blanket]
1:12:46 PM

News Item 4568 Encryption: A nice idea that few want to implement?

Encryption: A nice idea that few want to implement? Security pros see encryption as a useful tool but appear to be balking at implementation issues, according to a recent Ponemon Institute survey. [Computerworld Privacy News]
1:10:04 PM

News Item 4567 New spyware claim against Sony BMG | CNET News.com

Critics have said the MediaMax software lets the company track customers' listening habits even if customers reject maker SunnComm's terms in a licensing agreement that appears upon installation.

The Texas attorney general said both the MediaMax and XCP software can put customers' computers at risk.


1:03:38 PM

News Item 4566 Sony DRM Installed Even When EULA Declined.

Sony DRM Installed Even When EULA Declined. HikingStick writes "News.com is reporting that the Texas attorney general is expanding the allegations against Sony. It seems the software would install even if users declined the EULA. From the article: 'The Texas attorney general said on Wednesday that he added a new claim to a lawsuit charging Sony BMG Music Entertainment with violating the state's laws on deceptive trade practices by hiding 'spyware' on its compact discs ... The new charges brought by Abbott contend that MediaMax software used by Sony BMG to thwart illegal copying of music on CDs violated state laws because it was downloaded even if users rejected a license agreement.'" [Slashdot: Your Rights Online]
1:00:30 PM

News Item 4565 Linux News: Software : Nessus 3.0: The End of the Age of Open-Source Innocence?

"Here's the danger we are running into," said Alan Shimel, Chief Strategy Officer for StillSecure. "People contribute resources to these communities, whether it be time, money, or code. When they see everything they give converted for the commercial success of an individual rather than as a community as a whole, how long do you think they are going to want to keep giving?"

Nessus, maker of one of the most popular open-source vulnerability scanner programs available, changed its licensing agreement with the release of version 3.0.0 on December 12, causing a bit of a stir among security industry players that rely on the code as a component of their commercial solutions. The latest version is not available under the GPL license, but instead will be sold as a commercial product.

The recent licensing changes affect a broad spectrum of users, including corporations, the open-source community, and even businesses using services that use Nessus. So what exactly does this mean for open source? Is it the end of the age of innocence? What options do interested parties have going forward?

12:26:16 PM

News Item 4564 TaoSecurity - Pre-Review: Penetration Tester's Open Source Toolkit

Today I received a copy of the new Syngress book Penetration Tester's Open Source Toolkit by Johnny Long, Chris Hurley, SensePost, Mark Wolfgang, Mike Petruzzi, et al. This book appears unnecessarily massive; it's probably 1/2 thicker than my first book, but at 704 pages it's nearly 100 pages shorter than Tao. I think Syngress used thicker, "softer" paper, if that makes sense to anyone.

The majority of the book appears to be the standard sort of hacker stuff one finds in books like Hacking Exposed, with some exceptions. The book contains two chapters on Metasploit which look helpful. I do not know yet how well these Metasploit 2.0-based chapters apply to the new Metasploit 3.0, whose alpha stage was announced last week. Similarly, chapters on Nessus may not hold up well for Nessus 3.0, also recently released.

A major selling point of the new book is its integration of the Auditor live CD. I learned that Auditor is going to merge with "competitor" IWHAX to produce BackTrack in early 2006. Consolidation among similar open source projects to pool resources and create better results? Heresy!


12:05:35 PM

News Item 4563 EFF - Don't Mess With Texas Part II. SONY installs software even if you decline the agreement

Don't Mess With Texas Part II.

The Texas Attorney General announced today that Texas is expanding its lawsuit against Sony BMG to include the SunnComm MediaMax CDs, which are also part of EFF's lawsuit against Sony BMG. The Texas AG's press release explained:

The Attorney General alleges the company's "MediaMax" technology for copy protection violates the state's spyware and deceptive trade practices laws in that consumers who use these CDs are offered a license agreement, but even if consumers reject that agreement, files are secretly installed on their computers that pose additional security risks to those systems.

In addition, today the Texas AG sent a letter to retailers, warning them against continuing to sell Sony BMG's CDs with the XCP technology. This comes on top of the Illinois Attorney General's Consumer Alert about XCP and MediaMax CDs released last week.

[EFF: Deep Links]
11:59:24 AM

News Item 4562 EFF - Bad Ruling on Cell Phone Tracking: What a Difference a G Makes.

Bad Ruling on Cell Phone Tracking: What a Difference a G Makes.

Yesterday, Magistrate Judge Gorenstein of the federal court for the Southern District of New York issued an opinion permitting the government to use cell site data to track a cell phone's physical location, without the government having to obtain a search warrant based on probable cause.

Judge Gorenstein's flawed legal analysis is in sharp contrast to three other federal court opinions strongly rejecting the government's legal arguments, including a decision by Magistrate Judge Orenstein in the Eastern District of New York. While Judge Orenstein referred to the government's legal arguments variously as "unsupported," "misleading," and "contrived," and a Texas court called the convolutions of the government's theory "perverse" and likened its twists and turns to a "three-rail bank shot," Judge Gorenstein bought the government's arguments hook, line and sinker.

Unfortunately, this dangerous new opinion falls into a procedural black hole. Because the DOJ is the only party in these surveillance cases, there's no one left to appeal the decision. Meanwhile, the DOJ has refused to appeal all three times it has lost, despite emphatic requests by the Texas and Eastern District magistrates. The result is that other magistrates across the country won't get clear guidance from the appeals courts on this issue.

That's why EFF will continue to follow this issue closely, and continue to urge other magistrates who face this question to follow the clear and convincing logic of the three courageous judges who stood up for civil liberties and said no to warrantless cell phone tracking.

P.S. The DOJ's practice of monitoring cell phone location without probable cause previously inspired us to ask: "What other new surveillance powers has the government been creating out of whole cloth and how long have they been getting away with it?" Recent revelations about President Bush authorizing warrantless wiretaps of Americans by the National Security Agency have given us the beginnings of an answer. Let's hope that's not just the tip of the surveillance iceberg.

[EFF: Deep Links]
11:55:52 AM

News Item 4561 EFF - Take Action: Demand that Congress Investigate the Bush Administration's Illegal Wiretapping.

Take Action: Demand that Congress Investigate the Bush Administration's Illegal Wiretapping.

Last week, the New York Times reported that President Bush personally authorized the National Security Agency (NSA) to wiretap the international phone and email communications of people within the U.S., all without getting search warrants. We've gotten several inquiries from people wondering what EFF thinks about it, and whether we plan on suing anyone.

The short answer is that we think the newly-revealed NSA wiretapping is completely illegal, violating both the Fourth Amendment and criminal statutes that prohibit unauthorized electronic surveillance. However, without a client who has actually been spied on as part of the NSA program, it is possible that neither we nor anyone else will be able to bring a civil lawsuit. There's still the possibility of a criminal prosecution, but the Attorney General has argued that the wiretapping is legal and clearly doesn't plan on pursuing a criminal investigation, and the White House has made clear that it intends to continue the wiretapping program. So what can be done?

The most important step now is to make sure that Congress holds full hearings on the matter and gets to the bottom of this illegal scheme to invade Americans' privacy. Such hearings may generate enough political pressure to force Attorney General Gonzales to appoint a special prosecutor, who would be authorized to conduct an independent investigation and bring criminal charges against those who violated the law. There's already some bipartisan support in Congress for hearings after the holiday recess, but we could use your help to ensure that those hearings actually happen. So visit our Action Center today to send a message to Congress showing your support for hearings and your opposition to illegal eavesdropping by the NSA.

After you've done that, pop on over to Bruce Schneier's blog. In addition to providing his own insights, he's been collecting links to all the best news reports and blogger commentary, along with links to relevant legal authorities. Also keep an eye on Deep Links, as we'll be blogging more on the NSA scandal after the holiday.

[EFF: Deep Links]
11:52:52 AM

News Item 4560 Congress (Finally) Agrees on PATRIOT Extension Deal.

Congress (Finally) Agrees on PATRIOT Extension Deal.

The suspense is over. After a weeks-long game of brinksmanship, the Senate and House have agreed to extend the sunsetting provisions of PATRIOT--which were scheduled to expire on December 31st--until February 3rd. The President plans on signing the bill.

We'd prefer that these PATRIOT provisions not be extended at all, but this is still a major victory for those who want Congress to add new checks and balances against abuse of the broad PATRIOT surveillance powers. The Administration and the DOJ, despite their best efforts, could not garner enough support for the sham "compromise" bill that would have renewed everything with mostly cosmetic reforms. As Senator Feingold said in a statement this evening, right before the Senate vote: "No one should make the mistake of thinking that a shorter extension will make it possible to jam the unacceptable conference report through the Congress. That bill is dead and cannot be revived."

[EFF: Deep Links]
11:50:19 AM

News Item 4559 With Nowhere Left to Hide, Diebold Pulls Out of North Carolina.

With Nowhere Left to Hide, Diebold Pulls Out of North Carolina.

Following a flurry of litigation that found EFF fighting both alongside and against the state Board of Elections, Diebold on Thursday withdrew from the North Carolina procurement process, ceding the state's voting machine business to rival ES&S.

In November, Diebold filed suit against the North Carolina Board of Elections in an effort to be exempted from a state requirement that vendors place into escrow (among other things) all source code "that is relevant to functionality, setup, configuration, and operation of the voting system." The code would be available to the Board of Elections and the chairs of the state political parties for review so that they could look for security vulnerabilities, to the extent they wanted to make such an effort. Diebold argued to the Superior Court that it simply couldn't meet that requirement, at least in part because they relied so extensively on third party software for critical system functions. EFF intervened in the case on behalf of local voter integrity advocate Joyce McCloy and succeeded in convincing the judge to dismiss the case, leaving Diebold on the hook for criminal and civil penalties if they failed to comply.

Undaunted, and despite Diebold's admission that it could not meet these requirements, the Board of Elections agreed three days later to certify Diebold.

EFF filed suit against the Board of Elections the next week, arguing that the Board had violated its own obligations to perform extensive security-related tests of all of the code on all certified systems prior to certification. The Board of Elections argued that even though the statute refers to a mandatory pre-certification review of "all" source code, third party software should for some reason be exempted from this process. The court, faced with conceding that the Board of Elections had bungled their certification obligations from the start of the process, denied EFF's motion. But for Diebold, the damage was already done.

[EFF: Deep Links]
11:47:40 AM

News Item 4558 What the Liberty Alliance could learn from UDDI.

What the Liberty Alliance could learn from UDDI. It's been suggested to me that one reason why the Liberty Alliance is looking to "diversify" (see the last issue of this newsletter) is that it's feeling some heat from the marketplace regarding the Microsoft/IBM Web Services Initiative (WS-*) and its WS-Federation technology. Now that Windows Server 2003 R2 is just about to ship with the new Active Directory Federation Services, many observers think that most people will be inclined to go down the WS-* road. [Identity management news]
11:45:07 AM

News Item 4557 Undelete those deleted emails, FOIA ruling tells Government.

Undelete those deleted emails, FOIA ruling tells Government.

But only if it's not too much trouble...

'Deleted' Government records needn't necessarily be treated as deleted after all, according to a ruling by the Information Tribunal, which deals with appeals against rulings under the Freedom of Information Act. But don't get too excited - although in theory this means that data that can be undeleted, restored from backups or reconstructed by specialists can still be supplied in response to FOIA requests, in practice the whole show will still collapse when it encounters the haphazard shambles that UK Government backup regimes amount to.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
11:42:11 AM

News Item 4556 France votes to legalize flat-fee P2P downloads.

France votes to legalize flat-fee P2P downloads.

Zut alors!

The French legislature has voted to amend the nation's copyright law to legalize internet file sharing with a pot of money being raised, and divided up, to compensate artists and other right holders.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
11:39:54 AM

News Item 4555 Tracked by cellphone.

Tracked by cellphone.

The astounding arguments of the US government

Comment We know that technology can be used to track people's location via a cellphone, but how difficult is it for law enforcement to get a court order and do this legally?

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
11:38:18 AM