Wednesday, January 18, 2006


News Item 4863 Fried Fish: ping attribute on anchor and area tags, the browser will send notification pings to the specified URLs after following the link.

I've been meaning to blog about a new web platform feature that we've added to trunk builds of Firefox. It is now possible to define a ping attribute on anchor and area tags. When a user follows a link via one of these tags, the browser will send notification pings to the specified URLs after following the link.

I'm sure this may raise some eyebrows among privacy conscious folks, but please know that this change is being considered with the utmost regard for user privacy. The point of this feature is to enable link tracking mechanisms commonly employed on the web to get out of the critical path and thereby reduce the time required for users to see the page they clicked on. Many websites will employ redirects to have all link clicks on their site first go back to them so they can know what you are doing and then redirect your browser to the site you thought you were going to. The net result is that you end up waiting for the redirect to occur before your browser even begins to load the site that you want to go to. This can have a significant impact on page load performance.

Websites even employ "onmousedown" event handlers that change the href attribute at the very last second before a click occurs. This makes it so that hovering over the link displays the location that you want to go to, but it still ends up taking you someplace else.

This change is being considered in large part because some very popular websites have asked for a solution to this problem. The feature itself was designed and specified by the WhatWG.


2:31:46 PM
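As an added example, not code from the Fried Fish post or from Firefox itself, the following script shows what a privacy-conscious reader (or an audit tool) can recover from a page's markup: every anchor or area tag that carries a ping attribute, the notification URLs it lists, and which of those go to a host other than the page's own. It assumes the page URL and its HTML are available as strings; the hosts in the sample markup are constructed.

```javascript
// Added example, not code from the original post or from Firefox: an audit
// helper that lists the notification URLs a browser would contact for each
// <a>/<area> link carrying a ping attribute. The ping attribute holds a
// space-separated list of URLs requested after the link is followed.

const TAG_RE = /<(a|area)\b([^>]*)>/gi;
const ATTR_RE = /([^\s=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute text of one start tag into a lowercase-keyed map.
function parseAttributes(attrText) {
  const attrs = {};
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Host of a possibly relative URL resolved against the page URL; null if unparsable.
function hostOf(url, base) {
  try {
    return new URL(url, base).host;
  } catch {
    return null;
  }
}

// One record per link with a ping attribute; thirdParty lists the ping URLs
// whose host differs from the page's own host (notifications leaving the site).
function extractPingTargets(html, pageUrl) {
  const pageHost = hostOf(pageUrl, pageUrl);
  const results = [];
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const attrs = parseAttributes(m[2]);
    if (attrs.ping === undefined) continue;
    const pings = attrs.ping.trim().split(/\s+/).filter(Boolean);
    const thirdParty = pings.filter((p) => hostOf(p, pageUrl) !== pageHost);
    results.push({ href: attrs.href ?? null, pings, thirdParty });
  }
  return results;
}

// Constructed sample page (hypothetical hosts) for demonstration.
const PAGE_URL = "https://news.example.org/";
const SAMPLE_HTML = `
<p><a href="https://news.example.org/story/1" ping="/track?id=1">Story</a></p>
<a href="https://other.example.com/page"
   ping="https://ads.example.net/p /stats">Other</a>
<a href="https://plain.example.com/">No ping here</a>
<map><area shape="rect" href="/local" ping='https://ads.example.net/a'></map>
`;

for (const r of extractPingTargets(SAMPLE_HTML, PAGE_URL)) {
  const extra = r.thirdParty.length ? ` (third-party: ${r.thirdParty.join(", ")})` : "";
  console.log(`${r.href} -> pings ${r.pings.join(", ")}${extra}`);
}
```

The regex parser is deliberately small and handles ordinary well-formed markup only; a browser extension would read the live DOM instead.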

News Item 4862 Firefox's Ping Attribute: Useful or Spyware?

Firefox's Ping Attribute: Useful or Spyware? An anonymous reader writes "The Mozilla Team has quietly enabled a new feature in Firefox that parses 'ping' attributes to anchor tags in HTML. Now links can have a 'ping' attribute that contains a list of servers to notify when you click on a link. Although link tracking has been done using redirects and Javascript, this new "feature" allows notification of an unlimited and uncontrollable number of servers for every click, and it is not noticeable without examining the source code for a link before clicking it." [Slashdot: Your Rights Online]
2:26:16 PM

News Item 4861 Explosive Growth Projected in Next Five Years for RFID Tags.

Explosive Growth Projected in Next Five Years for RFID Tags. Over 1.3 billion Radio Frequency Identification (RFID) tags were produced in 2005, and by 2010, that figure will soar to 33 billion, reports In-Stat [GT: Privacy]
2:22:15 PM

News Item 4860 It's Just the Key to Your Room.

It's Just the Key to Your Room. Computerworld's investigation should set the traveler's mind at ease about the possibility of personal data being placed on hotel card keys.  [Computerworld Privacy News]
2:19:03 PM

News Item 4859 Wired News: Devious Tactic Snags Phone Data

Online information brokers pried thousands of private cell-phone records from Verizon Wireless by posing as speech-impaired customers and company employees, court documents show.

The charges, which appear in a civil suit filed by Verizon in Florida late last year, shed a rare light on the shadowy world of online phone-record vendors -- a cottage industry among private investigators that has operated below the radar for years but is now in the spotlight amid a flurry of private suits and calls for laws restricting phone-record sales.

According to the suit, online cell-phone record vendors placed hundreds of thousands of calls to Verizon customer service requesting customer account information while posing as Verizon employees from the company's "special needs group," a nonexistent department. The caller would claim to be making the request on behalf of a voice-impaired customer who was unable to request the records himself. If the service representative asked to speak with the customer directly, the caller would impersonate a voice-impaired customer, using a mechanical device to distort his voice and make it impossible for the service representative to understand him -- a variant of a widely used social-engineering technique known as the "mumble attack."

Rob Douglas, a private investigator turned privacy activist, says federal authorities have known about the sale of private phone records since at least 1998 but have done little to address the problem. In the absence of federal action, phone companies have been resorting to civil lawsuits to prevent sellers from obtaining and selling records.

"I would put (the sale of) cell-phone records No. 3 as the most invasive after banking and medical records, and the most fraught for harm," says Douglas, who operates PrivacyToday.com. "This stuff has life-or-death consequences and severe investigative consequences for law enforcement."


2:15:58 PM

News Item 4858 Spy Agency Data After Sept. 11 Led F.B.I. to Dead Ends - New York Times

Sept. 11 attacks, the National Security Agency began sending a steady stream of telephone numbers, e-mail addresses and names to the F.B.I. in search of terrorists. The stream soon became a flood, requiring hundreds of agents to check out thousands of tips a month.

But virtually all of them, current and former officials say, led to dead ends or innocent Americans.

F.B.I. officials repeatedly complained to the spy agency that the unfiltered information was swamping investigators. The spy agency was collecting much of the data by eavesdropping on some Americans' international communications and conducting computer searches of phone and Internet traffic. Some F.B.I. officials and prosecutors also thought the checks, which sometimes involved interviews by agents, were pointless intrusions on Americans' privacy.

As the bureau was running down those leads, its director, Robert S. Mueller III, raised concerns about the legal rationale for a program of eavesdropping without warrants, one government official said. Mr. Mueller asked senior administration officials about "whether the program had a proper legal foundation," but deferred to Justice Department legal opinions, the official said.

2:11:56 PM

News Item 4857 Cost, data-protection concerns hamper U.K. ID card bill.

Cost, data-protection concerns hamper U.K. ID card bill. The British government's national ID card program is facing opposition from lawmakers concerned about higher-than-expected costs and how personal data will be protected.

[Computerworld Privacy News]


2:09:09 PM

News Item 4856 Suits Seek End to Domestic Spying.

Suits Seek End to Domestic Spying. Twin legal challenges call the Bush administration's electronic surveillance program a violation of average Americans' rights. The White House maintains that the eavesdropping is legal and vital to the war on terror. [Wired News: Security Blanket]
2:06:27 PM

News Item 4855 Nominee splits hairs on 'privacy rights' - The Boston Globe

For example, Alito has declared that he believes in a right to privacy -- but cited a different kind of privacy than the Supreme Court has cited in recognizing abortion rights. After being asked about privacy for the first time, Alito immediately brought up the Fourth Amendment's protection against having one's home searched, not the 14th Amendment's protection of liberty.

Both amendments create protections sometimes referred to as ''privacy rights," but only the 14th Amendment is relevant to abortion, said Richard Fallon, a Harvard professor of constitutional law. The Fourth Amendment protects only people's personal space, while the 14th protects their liberty to control their personal lives.

Pressed for his views about the kind of privacy right that relates to abortion, Alito repeatedly demurred. For example, he carefully couched his answers about two related privacy cases involving contraception, which paved the way for the abortion decision of Roe v. Wade.

In 1965's Griswold v. Connecticut, the Supreme Court recognized a privacy right for married people to use contraception. In 1972's Eisenstadt v. Baird, the court ruled that single people also have a privacy right to contraception. The next year, basing its decision in part on the two contraception precedents, the court declared that women have a constitutional right to abortion.

When Alito was asked about the contraception cases, he offered no objection to their ''result." But he also avoided endorsing the legal reasoning behind the cases -- that people have a privacy-based right to control their reproductive lives. Alito seemed to choose his words carefully, legal specialists said, when pressed on the issue by Senate Judiciary Committee Chairman Arlen Specter, Republican of Pennsylvania:


2:05:15 PM

News Item 4854 Mass Spying Means Gross Errors.

Mass Spying Means Gross Errors. President Bush's domestic eavesdropping program sparks debate over the legality and wisdom of conducting wholesale surveillance of Americans. The technology is there, but the results are worse than useless. Commentary by Jennifer Granick. [Wired News: Security Blanket]
2:00:02 PM

News Item 4853 Viagra Tag Could Be Bitter Pill.

Viagra Tag Could Be Bitter Pill. As radio-frequency tracking chips pop up on bottles of impotency drugs and painkillers, privacy watchdogs say consumers could end up taking the tags home. By Randy Dotinga. [Wired News: Security Blanket]
1:58:16 PM

News Item 4852 BellSouth wants new Net fees.

BellSouth wants new Net fees.

WASHINGTON (MarketWatch) -- BellSouth Corp. confirmed Monday that it is pursuing discussions with Internet content companies to levy charges to reliably and speedily deliver their content and services.

Bill Smith, chief technology officer at BellSouth, justified charging content companies by saying they are using the telco's network without paying for it.

[Public Knowledge - Breaking News]

Editor: Ahem ... Excuse me, but the BellSouth DSL customer has already paid for the bandwidth. That's like saying they get to charge both ends of a phone call and not just the person who initiates it.

1:31:58 PM

News Item 4851 NewsForge | Novell opens AppArmor source code

Looking to spread the usage of the AppArmor application security software it acquired when it bought Immunix, Novell announced last week that it would release the software's source code under the GNU General Public License (GPL) and sponsor a project to maintain and improve it.

Novell will sell support service subscriptions to companies and users of AppArmor. Frank Rego, product manager for platform security at Novell, said AppArmor was the primary motivation behind Novell's purchase of Immunix last May. The software is also included with Novell's openSUSE 10.0 Linux distribution.

AppArmor is a Linux security framework designed to protect applications from being exploited by an attacker. It does this by profiling applications on a system, looking at which users need them, and applying the principle of least privilege to applications, according to the project's detail page. AppArmor scans a single machine, or an entire network, for individual open ports, generating security reports on individual pieces of the system, explained Crispin Cowan, director of software engineering at Novell and the former chief technology officer for Immunix.

According to Cowan, Novell is releasing AppArmor under the GPL to put the software in the hands of more users and developers, a problem he said Immunix had when the software was proprietary.


1:27:22 PM

News Item 4850 Hacks From Pax: A Linux Security Look To The Future.

Hacks From Pax: A Linux Security Look To The Future. Today in Hacks From Pax we're going to shift gears a little, step back for a higher level view and talk about the year in security from a Linux standpoint, both the good and the bad, and have a brief discussion of trends for the coming year.  [LinuxSecurity.com]
1:21:19 PM

News Item 4849 USA government goal: Gather and use "Travel Intelligence".

USA government goal: Gather and use "Travel Intelligence".

At a joint news conference today in Washington, DC, USA Secretary of Homeland Security Michael Chertoff and Secretary of State Condoleezza Rice announced a joint vision to "Develop and use 'Travel Intelligence' before travelers arrive" in the USA (and after, it appears from the descriptions of the planned programs).

It's not clear that this newly-announced "vision" is anything really new, but it is the most explicit acknowledgement yet of the USA government's intention to create a comprehensive system of surveillance of travellers, wherever they go and by whatever means they travel.

While today's announcement brought out the common surveillance and travel control purposes behind a wide range of initiatives by both federal government Departments (Homeland Security and State), including "An Enhanced Partnership with the Private Sector", it failed to mention the extent to which the transportation industry is being compelled by the government to spend billions of dollars to build surveillance capabilities into its infrastructure -- just as has the communications industry under laws like the Communications Assistance for Law Enforcement Act ("CALEA"), and over similarly strong industry protests at these unfunded mandates.

(Neither the communications nor transportation industry, unfortunately, has stood up for their customers against these surveillance mandates on privacy or civil liberties grounds. Industry has objected only on the basis of their own financial interests, making it easy for government to buy their support by giving them free use for their marketing and other commercial purposes of the data coerced from their customers by government order.)

The one seeming "concession" today was the announcement that a new alternative identity credential would be made available to those wishing to cross the USA-Mexico and/or USA-Canada borders without a passport. The USA government has thus "backed down" from its previously-adopted requirement for all border crossers to have passports by 2008. The new "biometric passport card" will supposedly be cheaper than a regular passport, but there's no indication that it will be any easier to obtain, less susceptible to government or commercial misuse for surveillance, or in any other way less of a burden on travellers than a standard passport.

[The Practical Nomad]
12:50:18 PM

News Item 4848 NSA Warrantless Wiretaps: What's the Point?.

NSA Warrantless Wiretaps: What's the Point?.

The administration has justified the secret National Security Agency (NSA) warrantless domestic surveillance program by contending that going around the Foreign Intelligence Surveillance Act (FISA) is necessary to conduct the war against terrorism. Attorney General Gonzales claimed "[t]he operators out at NSA tell me that we don't have the speed and the agility that we need…" The claim seems to be that the Foreign Intelligence Surveillance Court (FISC) is too slow, and the government needs to be able to tap phone calls and email immediately.

But this argument clearly does not hold water. Under FISA, the Attorney General may authorize surveillance without a court order, so long as the government applies for a court order within 72 hours after surveillance begins. Moreover, it would be a far simpler matter (and less legally problematic) to provide additional administrative resources to the FISC if the real problem was merely bureaucratic inefficiency. And, given that only five out of 19 thousand FISC requests were denied, the problem, in the eyes of the administration, was not that FISA was not granting requests under the FISA legal standards.

So what is the real reason to ignore the statutory mandates of FISA? While we wait for Congressional hearings to find out, we offer some speculation:

[EFF: Deep Links]
12:45:16 PM

News Item 4847 Consumer group calls for anti-DRM laws.

Consumer group calls for anti-DRM laws.

Fight the power

A UK-based consumer rights group has called for MPs to introduce new laws to ensure consumers' rights to use digital content are protected. The use of digital rights management technology on CDs, DVDs and music downloads to control or restrict the use of copyrighted digital works shows that the current regime of self-regulation is failing to protect consumers' rights, according to the National Consumer Council (NCC).

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:39:11 PM

News Item 4846 Pestered by nosy do-gooders? Use the privacy defence

Data Protection used as smokescreen.

Pestered by nosy do-gooders? Use the privacy defence

Privacy laws have become a convenient excuse for authorities who want to keep secrets, say medical researchers.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:37:23 PM

News Item 4845 ID Cards jinxed by lefties. - Big companies are bound to bodge it

ID Cards jinxed by lefties.

Big companies are bound to bodge it

Privacy is not the only reason to be worried about ID cards - there's also the bozos the government is getting to install the system that runs them, says Corporate Watch.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:35:36 PM

News Item 4844 IT security industry 'to be professionalised' - ZDNet UK News

An organisation is being set up to ensure that IT security officers are competent, but it won't have the power to stop people working if they make mistakes.

IT security officers are to get their own professional body in the UK with the launch of the Institute of Information Security Professionals (IISP) next month.

The IISP, which was given the go-ahead by the Department for Trade and Industry at the end of last year, is due to officially launch in February.

Nick Coleman, the interim chief executive of the Institute, who is also IBM's head of security, told ZDNet UK that the goal of the institute is to "professionalise the industry" and ensure IT security officers reach a certain standard.

12:33:22 PM

News Item 4843 You've Got Problems: AOL Patches Photo Flaw.

You've Got Problems: AOL Patches Photo Flaw. Users are urged to upgrade their software after a critical vulnerability is found. [PCWorld.com - Latest News Stories]
12:28:31 PM

News Item 4842 Service Pack 3? Maybe Next Year.

Service Pack 3? Maybe Next Year. Microsoft Corp. is pushing back its timetable for releasing the next bundle of security fixes and tweaks, or service pack, for Windows XP users until sometime in the latter half of 2007 in order to concentrate on development work for Windows Vista, the long-promised next new version of its flagship operating system. [Security Fix]
12:27:28 PM