Sunday, December 25, 2005


News Item 4592 The Washington Monthly - More on the NSA program

The point is that it appears to be illegal, and if George Bush believed it was genuinely critical to our national security he should have asked Congress to pass legislation authorizing it. The president is simply not allowed to decide for himself to break the law simply because it's inconvenient, and the excuse that he couldn't go to Congress because that would expose valuable secrets to al-Qaeda is laughable. It's tantamount to saying that he never needs to ask Congress for approval of any black program because that might somehow tip off al-Qaeda to its existence. Not only is that untrue (Congress routinely holds closed hearings to discuss sensitive issues), but it's a transparent rationalization for the president to do practically anything he wants with no oversight at all, and that just doesn't fly, wartime or not.
2:28:04 PM

News Item 4591 Use Google Earth To Track Santa.

Kickboy12 writes "Google Earth can be used to track Santa Claus, beginning at 2pm GMT December 24th. From the article: 'While we didn't work a deal for Naughty or Nice data layers, we did negotiate the rights to track this user on his big trip. If you've already got Google Earth, you can too.' So, if you have Google Earth, track Santa!" [Slashdot]
2:12:11 PM

News Item 4590 NetBSD v3.0 Released.

FullMetalAlchemist writes "After six release candidates, the NetBSD project has finally released a gold version of a major milestone: v3.0. I'm looking forward to this release a good deal. If I wanted to, I could build our entire office infrastructure on it thanks to Xen. Major changes can be found on the NetBSD website, and there are several ways to get the release. Get downloading!" [Slashdot]
2:06:43 PM

News Item 4589 Symantec Confirms AV Library Flaw, Promises Patches

Anti-virus vendor Symantec Corp. has publicly acknowledged that a high-risk buffer overflow vulnerability in its AntiVirus Library could lead to code execution attacks when RAR archive files are scanned.

One day after private security researcher Alex Wheeler flagged the issue as a serious risk, Symantec issued an advisory of its own, confirming the vulnerability exists in 64 enterprise and consumer-facing products.


2:05:43 PM

News Item 4588 Slashdot | Symantec Confirms AV Library Flaw, Promises Patch

the_flyswatter writes "Anti-virus vendor Symantec Corp. has publicly acknowledged that a high-risk buffer overflow vulnerability in its AntiVirus Library could lead to code execution attacks when RAR archive files are scanned. The company confirmed the issue was a buffer overflow in the AntiVirus component used to decompose RAR (Roshal Archive) files. 'A specially crafted RAR file could potentially cause this buffer overflow to occur and execute hostile content from the RAR file,' the advisory read. The bug also affects 15 consumer products, including the widely deployed Symantec Norton AntiVirus, Symantec Norton Internet Security Professional, Norton Personal Firewall and Symantec Norton Internet Security for Macintosh."
2:03:18 PM

News Item 4587 Symantec Confirms AV Library Flaw, Promises Patch.

the_flyswatter writes "Anti-virus vendor Symantec Corp. has publicly acknowledged that a high-risk buffer overflow vulnerability in its AntiVirus Library could lead to code execution attacks when RAR archive files are scanned. The company confirmed the issue was a buffer overflow in the AntiVirus component used to decompose RAR (Roshal Archive) files. 'A specially crafted RAR file could potentially cause this buffer overflow to occur and execute hostile content from the RAR file,' the advisory read. The bug also affects 15 consumer products, including the widely deployed Symantec Norton AntiVirus, Symantec Norton Internet Security Professional, Norton Personal Firewall and Symantec Norton Internet Security for Macintosh." [Slashdot]
2:00:09 PM

News Item 4586 Tracked by cellphone ( securityfocus )

Recent court cases in the United States raise the question of the standard required when the police want to know exactly where you are, using your cell phone to track you down. The issue again raises the question of how new technologies can invade privacy rights, and how quantitative changes in the type and amounts of data collected and stored result in qualitative changes in privacy rights. These require a reexamination of even established laws of privacy and of probable cause. These precedents also apply to entities like ISPs and telephone companies that routinely collect massive amounts of data about individuals which may be subject to eventual discovery or disclosure. It is important that we establish and apply the correct legal standard for obtaining this information now.

Whenever you carry (much less use) a cell phone that is turned on, the cellular network is constantly "scanning" to determine where you are so that it can route telephone calls to the appropriate cell location. By examining the relative signal strength of three of these cells, through a process called "triangulation," the cell provider can determine, with a relatively low level of precision, where you are at any point in time. Other technologies employed by cell providers, such as those employed with E-911 services, can determine your location with greater precision. Finally, some cell phones are also equipped with GPS capabilities, which passively receive certain data from geosynchronous satellites to enable the phone (but not the provider) to determine its precise location - often within a matter of feet.

12:28:21 PM

News Item 4585 Congress never authorized U.S. wartime wiretaps, Daschle says

The use of warrantless wiretaps on U.S. citizens was never discussed when Congress authorized the White House to use force against al-Qaida after the Sept. 11, 2001, attacks, said former Senate Majority Leader Tom Daschle.

In an article printed today on the op-ed page of The Washington Post, Daschle also wrote that Congress explicitly denied a White House request for war-making authority in the United States.

"The Bush administration now argues those powers were inherently contained in the resolution adopted by Congress - but at the time, the administration clearly felt they weren't, or it wouldn't have tried to insert the additional language," the Democrat wrote.

Daschle was Senate Democratic leader at the time of the Sept. 11, 2001, terrorist attacks on New York City and Washington.

The administration formally defended its domestic spying program late yesterday in a letter to Congress, saying the nation's security outweighs privacy concerns of individuals who are monitored.

In a letter to the leaders of the House and Senate intelligence committees, the Department of Justice said President George W. Bush authorized electronic surveillance without first obtaining a warrant in an effort to thwart terrorist acts against the country.

"There is undeniably an important and legitimate privacy interest at stake with respect to the activities described by the president," Assistant Attorney General William Moschella wrote. "That must be balanced, however, against the government's compelling interest in the security of the nation."


12:25:38 PM

News Item 4584 Wapakoneta Daily News Online - Oxley defends wiretaps

While many politicians in the nation's capital believe President Bush infringed upon the privacy rights of Americans when he authorized wiretaps without obtaining the proper warrants, area elected officials say they believe the president acted in the interest of national security.

"These are not phone calls between Boy Scouts," U.S. Rep. Mike Oxley, R-Findlay, said during a recent teleconference. "These are phone calls to known al-Qaida members and I'm glad we have the capability to intercept those calls."

Opponents to the wiretaps claim Bush overstepped his constitutional authority when he told members of the National Security Agency (NSA) to eavesdrop on phone calls that originated in America. Detractors argued Bush violated the law by authorizing the wiretaps without obtaining a court order.

Oxley rebuffed that argument by noting Bush did nothing illegal by ordering the surveillance.

"It didn't go beyond the Patriot Act," Oxley said. "It was well within the law and I'm thankful the President has the courage and leadership to take these guys on and try and stop (terrorists)."

During an appearance on "Meet the Press" Sunday, Secretary of State Condoleezza Rice mentioned Bush legally has the power to order surveillance due to the Foreign Intelligence Surveillance Act (FISA). The order, created in 1978, describes the procedures and protocol for gathering foreign intelligence.


12:23:01 PM

News Item 4583 Hospital ID theft: How to protect yourself - The Red Tape Chronicles - MSNBC.com

It is an almost unthinkable crime, to steal from the sick and dying. And yet we all know it happens. I remember as a child hearing my parents discuss leaving a family member at home during funerals, to ward off any would-be burglars. Burglars, they said, read the obituaries, too -- and know exactly when the entire family will be busy elsewhere.

So it should not be surprising that identity criminals target the dying or the dead. Still, it's hard to imagine until you see it for yourself. On Christmas night, you will. Dateline NBC will tell the incredible story of a man sick with a terrible form of leukemia, a man literally days from his death -- and the repulsive crime he suffered while enduring everything else that comes with cancer. Eric Drew's identity was stolen by a hospital worker. While Drew was gasping for life, his imposter was living it up on fraudulent credit cards. After all, the criminal must have thought, Drew was hardly in a position to complain.

This might not seem like happy holiday material, the story of this despicable deed, but au contraire. Dateline's Josh Mankiewicz will take you on a redeeming tale of hope, persistence and eventually, justice. I won't give away too much, but you'll be amazed at how this time, the good guys come out on top.

But when you watch, you will no doubt be wondering: Could this happen to me? The answer is, quite clearly, yes.

Stories of nurses, patients, and visitors stealing identities from the sick can be ripped from the headlines across America, like the story of a nurse in a Philadelphia hospital who gave terminally ill patients' identities to a crime ring. They drained the patients' accounts and obtained $10 million in fraudulent mortgages using the stolen personal information.


12:18:03 PM

News Item 4582 The greater common good

There is much concern raised these days about the data that gets collected by various services offered by the likes of Google, and about the ends to which it can be used. Most people talk about the privacy of the data collected.

I have a different take on this.

Individual privacy concerns are of course there, and to a large extent valid. But seriously, do you expect someone unknown, employed by Google to sit down and analyze the traffic pattern at myblog.blog-spot.com or for someone at Amazon, or eBay or Microsoft or Yahoo or Apple to analyze one Krishna Kumar's online purchase patterns?

Sure, the analysis can be done, but to what extent? For how many individuals and for what use? The privacy issue is whether the data could fall into the hands of others who would have vested interests in understanding the behavior patterns of specific people, much like some may be interested in knowing your credit card number.

The fact is that your cell-phone company, your bank and your credit card company already know much more about your earning capacity, your spending patterns and your likes and dislikes, than Google or Microsoft probably cares to find out. And worse still, they are already sharing that information around, and possibly selling it to others too.

The utility of this data to companies like Google, Amazon, Yahoo, Microsoft or Apple is completely different.


12:13:38 PM

News Item 4581 Report: Gov't Spying Broader.

American telecommunications companies aided the National Security Agency in a much broader surveillance of e-mails and phone calls without court orders than the Bush administration has let on, according to The New York Times' website. [Wired News: Security Blanket]
12:09:55 PM

News Item 4580 DesMoinesRegister.com - Computer security breaches raise identity theft concerns

Scoggin, who works at the Iowa State University Book Store, was one of about 3,000 ISU employees whose personal data might have been viewed by hackers who infiltrated two computers earlier this month.

One held about 2,500 encrypted credit card numbers of athletic department donors. The second computer contained Social Security numbers for more than 3,000 ISU employees.

"I'm very leery about giving the information out anymore," Scoggin said. "Iowa State is a little bit more vulnerable than we thought it was."

Such intrusions cause sleepless nights for technical workers at universities, corporations and other keepers of massive amounts of information.

The Privacy Rights Clearinghouse, an organization in San Diego that pushes for privacy of consumer information, reports nearly 50 campus data breaches since February. Many of the incidents were attributed to hackers. Stolen laptops and mistakenly sent e-mails with sensitive information were included in the number.
12:08:14 PM

News Item 4579 Spy Agency Mined Vast Data Trove, Officials Report - New York Times

The National Security Agency has traced and analyzed large volumes of telephone and Internet communications flowing into and out of the United States as part of the eavesdropping program that President Bush approved after the Sept. 11, 2001, attacks to hunt for evidence of terrorist activity, according to current and former government officials.

The volume of information harvested from telecommunication data and voice networks, without court-approved warrants, is much larger than the White House has acknowledged, the officials said. It was collected by tapping directly into some of the American telecommunication system's main arteries, they said.

As part of the program approved by President Bush for domestic surveillance without warrants, the N.S.A. has gained the cooperation of American telecommunications companies to obtain backdoor access to streams of domestic and international communications, the officials said.

The government's collection and analysis of phone and Internet traffic have raised questions among some law enforcement and judicial officials familiar with the program. One issue of concern to the Foreign Intelligence Surveillance Court, which has reviewed some separate warrant applications growing out of the N.S.A.'s surveillance program, is whether the court has legal authority over calls outside the United States that happen to pass through American-based telephonic "switches," according to officials familiar with the matter.

"There was a lot of discussion about the switches" in conversations with the court, a Justice Department official said, referring to the gateways through which much of the communications traffic flows. "You're talking about access to such a vast amount of communications, and the question was, How do you minimize something that's on a switch that's carrying such large volumes of traffic? The court was very, very concerned about that."

Since the disclosure last week of the N.S.A.'s domestic surveillance program, President Bush and his senior aides have stressed that his executive order allowing eavesdropping without warrants was limited to the monitoring of international phone and e-mail communications involving people with known links to Al Qaeda.

What has not been publicly acknowledged is that N.S.A. technicians, besides actually eavesdropping on specific conversations, have combed through large volumes of phone and Internet traffic in search of patterns that might point to terrorism suspects. Some officials describe the program as a large data-mining operation.

The current and former government officials who discussed the program were granted anonymity because it remains classified.

Bush administration officials declined to comment on Friday on the technical aspects of the operation and the N.S.A.'s use of broad searches to look for clues on terrorists. Because the program is highly classified, many details of how the N.S.A. is conducting it remain unknown, and members of Congress who have pressed for a full Congressional inquiry say they are eager to learn more about the program's operational details, as well as its legality.


11:51:45 AM

News Item 4578 NSA Data Mining Much Larger Than Reported.

silassewell writes to tell us The New York Times is reporting that the "volume of information harvested from telecommunication data and voice networks, without court-approved warrants, is much larger than the White House has acknowledged." The NSA gained the cooperation of many American telecommunication companies after 9/11 to access streams of communication, both domestic and international, as a part of a presidentially approved program to hunt for evidence of terrorist activity. [Slashdot: Your Rights Online]
11:47:14 AM

News Item 4577 VMWare: Virtual Machine Security Flaw 'Very Serious'

Virtual infrastructure software maker VMWare Inc. has rushed out fixes for a "very serious" security flaw that put users of its product line at risk of code execution attacks.

The vulnerability, which affects both Windows and Linux systems, affects VMware Workstation 5.5, VMware GSX Server 3.2, VMware ACE 1.0.1 and the free VMware Player 1.0. All previous versions of these products are also affected.

VMWare, of Palo Alto, Calif., acknowledged the vulnerability in a published advisory and warned that it is possible for a malicious guest using a NAT networking configuration to execute unwanted code on the host machine.

The company rates the vulnerability as "very serious" and recommends that affected users apply the updates provided or change the configuration of the virtual machine so it does not use NAT networking.


11:40:49 AM