Friday, January 13, 2006


News Item 4799 National ID law poses unique technological challenges

State government officials claim that implementing the Real ID Act within the federal government's established timeline is technologically impossible. Passed in May of 2005, the Real ID Act creates a set of uniform standards for state-issued ID cards, and mandates the construction of a centralized national identification database that will contain the personal information of every citizen in America.

Condemned as a wasteful and self-defeating piece of reactionary legislation, critics argue that the Real ID Act will make it easier for criminals to perpetrate identity theft while actively degrading national security rather than improving it. The burden of implementation has been placed entirely on state government agencies as a dreaded "unfunded mandate," none of which have the resources or personnel required to fulfill the requirements of the ill-conceived law.

Opposed by more than 600 independent organizations (including the National Governors Association) and hidden in the depths of a military spending bill in order to make passage easier, the Real ID Act has received heavy criticism from concerned citizens and state government agencies. Despite the fact that relatively sound and effective improvements to driver's license security had already been implemented as part of the Intelligence Reform and Terrorism Prevention Act, the federal government felt that it was necessary to go well beyond the recommendations of the 9/11 Commission Report by passing a costly and invasive law.

Described by an Illinois official as "a nightmare for all states," the Real ID Act presents a number of extreme logistical and technological challenges. Deputy secretary of the Pennsylvania Department of Transportation, Betty Serian, remarks that:

"It is just flat out impossible and unrealistic to meet the prescriptive provisions of this law by 2008."

The consequences for not meeting the law's provisions are severe: those holding licenses from States that fail to meet the requirements by 2008 will not be permitted to fly on airplanes or enter federal buildings.


7:42:01 PM

News Item 4798 Real ID Act Poses Technical Challenges.

Real ID Act Poses Technical Challenges. segphault writes "Ars Technica has an article about some of the financial and technological challenges associated with implementing the Real ID Act." From the article: "Opposed by more than 600 independent organizations (including the National Governors Association) and hidden in the depths of a military spending bill in order to make passage easier, the Real ID Act has received heavy criticism from concerned citizens and state government agencies. Despite the fact that relatively sound and effective improvements to driver's license security had already been implemented as part of the Intelligence Reform and Terrorism Prevention Act, the federal government felt that it was necessary to go well beyond the recommendations of the 9/11 Commission Report by passing a costly and invasive law." [Slashdot: Your Rights Online]
7:39:19 PM

News Item 4797 Companies are accused of using rootkit-like techniques to hide information from users.

Symantec, Kaspersky Criticized for Cloaking Software. Companies are accused of using rootkit-like techniques to hide information from users. [PCWorld.com - Latest News Stories]
7:18:53 PM

News Item 4796 iTunes MiniStore "phone home" feature part of a dangerous trend in data collection.

iTunes MiniStore "phone home" feature part of a dangerous trend in data collection.

This week at MacWorld, Apple unveiled version 6.0.2 of iTunes, which it simply claimed "includes stability and performance improvements over iTunes 6.0.1." Among these so-called improvements is the Apple iTunes MiniStore -- a localized "recommendation" engine that would look at what you listen to and then suggest additional songs and artists you might like. The MiniStore arrives turned on by default without asking a user's permission first.

However, as news reports have revealed this week, it appears that the MiniStore also automatically transmits your listening information over the Internet back to the Apple Mothership. What Apple does with this information is unknown, although Apple has represented that they are not collecting data on its users -- yet. Nor has Apple disclosed the steps they take to prevent disclosure or leakage of the information to third parties.

Ironically, this news comes on the heels of the recent Sony BMG DRM fiasco, a part of which included an undisclosed "phone home" feature of its own. Is the Apple MiniStore a rootkit DRM? Not from what we can tell, but it is part of a dangerous trend EFF has been witnessing in the digital music space market. When companies like Apple and Sony BMG start adjusting or installing software to micro-monitor our personal and private actions, even under the rubric of convenience, it is just one short stop down the road toward attempting to condition and control our behavior. All it takes is an enforcement protocol to turn recommendations into restrictions overnight.

If companies like Apple are truly about user empowerment, they must watch this trend closely and remain on the right side of it. Allowing users to upload information voluntarily and expressly with adequate privacy protections is pro-user; surreptitiously siphoning it into a remote database without any privacy guarantees is not. It's time for Apple to pick a side of the line and walk it.

Note: You can turn off the Apple MiniStore by hitting Shift-Command-M, or choose Edit: Hide MiniStore. EFF recommends that iTunes users do so until Apple at least comes clean about its MiniStore data practices.

[EFF: Deep Links]
7:17:20 PM

News Item 4795 Conning the Con.

Conning the Con. Security Fix is getting ready to spend a few days camped out at the Marriott Wardman Park Hotel in Washington, D.C., the site of the second annual ShmooCon hacker conference, a gathering of nearly 500 hackers (and probably more than a few federal law enforcement types). I missed the inaugural conference last year because I was out of town, and... [Security Fix]
7:15:38 PM

News Item 4794 Copyright Laws Severely Limit Availability of Music.

Copyright Laws Severely Limit Availability of Music.

Archivists and collectors have long lamented the lack of access to older recordings. So the Library of Congress commissioned a team to find out just how many are out of print. The report -- released in August -- suggests that over 70 percent of American music recorded before 1965 is not legally available in the United States.

[Public Knowledge - Breaking News]
7:13:33 PM

News Item 4793 Court Overturns Decision Protecting U.S. Speech Against French Law.

Court Overturns Decision Protecting U.S. Speech Against French Law. The Ninth Circuit Court of Appeals has overturned a lower court decision that protected Yahoo! Inc. from liability under a French law banning online content that is constitutionally protected in the United States. After a French court attempted to impose fines on Yahoo! -- a US-based company -- for hosting content that is unlawful in France, a lower court ruled that enforcing those fines would violate the First Amendment, a position CDT supported. Although most of the Appeals Court judges agreed that the case raised serious First Amendment concerns, the court nevertheless decided that it was too early for Yahoo! to assert its free speech arguments. [Center for Democracy and Technology]
7:11:54 PM

News Item 4792 Trusted computing? Nothing to do with us, says UK IT.

Trusted computing? Nothing to do with us, says UK IT.

Lack of support for conference reveals an awful truth...

How interested is the computer industry in trusted computing? Not as much as you might think, suggests Eddie Bleasdale of netproject. "They've nothing to sell in this area," he told The Register, "so they're not interested." Bleasdale is mounting a reprise of netproject's successful 2002 Trusted Computing conference at the end of this month with support from the Department of Trade & Industry, which intended that the event would also attract sponsorship from the UK computer industry, but none has been forthcoming.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
7:09:06 PM

News Item 4791 CCTV Peeping Toms jailed.

CCTV Peeping Toms jailed.

Merseyside pair spied on woman's flat

Two members of a trio of municipal "Peeping Toms" from Merseyside have been jailed for training a street safety CCTV camera on a woman's flat in Liverpool's Bootle district in November 2004. Over several hours, the BBC reports, she was filmed from the Sefton CCTV centre - which controls 70 such cameras - "cuddling her boyfriend before undressing, using the toilet, having a bath and watching television dressed only in a towel".

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
7:07:05 PM

News Item 4790 DCA goes all bashful on ID card voting linkage.

DCA goes all bashful on ID card voting linkage.

Odd, considering the obvious answer was 'none'

Despite rumours to the contrary, the Government has as yet not announced plans to harvest the UK's electoral rolls for ID card defaulters, or to make voting dependent on having an ID card. But an answer to a parliamentary question given by the Department of Constitutional Affairs earlier this week makes it reasonable to suspect the existence of unannounced plans, or perhaps just partially-formed dreams, to this effect.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
7:05:22 PM

News Item 4789 LinuxPlanet - Tutorials - Preventing Buffer Overflow Exploits Using the Linux Distributed Security Module, Part 2 - Existing Solutions to Buffer Overflow Exploits

The sad thing about buffer overflow exploits is that good programming practices could wipe out even potential exploits; however, that simply has not happened. Your own defence against such exploits should revolve around controlling access to sensitive systems, installing software updates that replace exploitable software, and being aware of what a buffer overflow exploit looks like when your system is the intended victim.
7:03:27 PM

News Item 4788 SC Magazine US - RSS malware plague predicted for 2006

The fast growing popularity of RSS (really simple syndication) means that the technology will pose increasingly significant problems for IT security professionals this year, new research has warned.

ScanSafe's latest web security report notes an explosive growth in the use of RSS feeds to pull updated content via HTTP and XML rather than having it pushed to them by SMTP.

"With this trend expected to increase in 2006, malicious code writers are expected to take advantage by hijacking existing feed clients, causing automatic downloads of new worms and other web threats," the report warned.

According to figures taken from the study, there was a 265-percent increase in the volume of spyware and adware during the second half of 2005, compared with the same period in 2004. The report also notes there was a 165-percent increase in new web viruses in 2005 compared to 2004.

In addition the research indicates that web browser vulnerabilities are proliferating as attackers focus on the web as an area of network vulnerability. Protection of the web by companies was found to be weaker relative to email, network and desktop security. Areas of concern highlighted by ScanSafe are: the emergence of vulnerabilities in Microsoft Internet Explorer, the administrative struggle to update patches in browser software and advent of "zero day" exploits.


7:01:06 PM

News Item 4787 Annoying Online Posts Could Be Illegal.

Annoying Online Posts Could Be Illegal. Free speech advocates say a new law geared to stop cyberstalking could be cause for concern. [PCWorld.com - Latest News Stories]
6:56:41 PM

News Item 4786 San Francisco Airport Begins E-Passport Test.

San Francisco Airport Begins E-Passport Test. U.S. Department of Homeland Security checks biometric passports. [PCWorld.com - Latest News Stories]
6:53:43 PM