Tuesday, February 21, 2006


News Item 5265 Rootkit Experience May Lead to Federal Oversight.

Rootkit Experience May Lead to Federal Oversight. Officials express concern over the security of copy protection software. [PCWorld.com - Latest News Stories]
11:55:42 PM

News Item 5264 FBI Director: Cyberthreats 'Fluid and Far-reaching'.

FBI Director: Cyberthreats 'Fluid and Far-reaching'. Robert Mueller calls for corporations and law enforcement to improve information sharing on cybercrime. [PCWorld.com - Latest News Stories]
11:53:35 PM

News Item 5263 Vista's Encryption Could Vex Investigators.

Vista's Encryption Could Vex Investigators. Encryption features could mean law enforcement will face mighty challenges in unlocking data, academic says. [PCWorld.com - Latest News Stories]
11:47:51 PM

News Item 5262 Hackers Wanted for UareU Development Efforts.

Hackers Wanted for UareU Development Efforts. In More fun with fingerprints, dsd shares that he was given 7 UareU Readers with the intention to share 6 of them with other interested hardware hackers. If this sounds like it may be up your alley, check it out. Thanks from the community goes out to Joaquin Custodio for this gift to dsd.

Also of interest, dsd hooked up with Mikko Kiviharju, who has been messing with the readers as well and presented a paper entitled "Hacking Fingerprint Scanners - Why Microsoft's Fingerprint Reader Is Not a Security Feature", and compared notes on the encryption (if we can still call it that) being used on these devices.

Check out dsd's full report: More fun with fingerprints. [LinuxBiometrics.com]
11:40:49 PM

News Item 5261 Strict liability for data breaches?

A recent case involving a stolen laptop containing 550,000 people's full credit information sheds new light on what "reasonable" protections a company must make to secure its customer data - and what customers need to prove in order to sue for damages.

Let's say you open your mailbox, and there is a letter from the financial organization that holds your student loan. "Dear valued customer..." the letter begins, and then it informs you that "due to circumstances beyond their control" your personal information has been compromised. Your name, home address, social security number, credit information, account balances - everything - is now sitting on a computer in Belarus, with the information being hawked for sale on half a dozen websites. Perhaps thousands of dollars of fraudulent charges have been added to your account. Maybe even a new credit card has been issued in your name to an address in Saskatchewan.

You order a credit report, and put yourself on a credit fraud watch list. You pay for a service to inform you whenever there has been any extension of credit in your name. You call all your credit card issuers and get new credit cards. You cancel all automatic payments on your credit cards, including all your online purchases where your card is stored (such as Amazon and PayPal) and give them your new numbers.

Dozens of hours later, you may or may not have corrected some of the problems created by your lender's failure to protect your data. Finally, you go to your lawyer, and ask the dumbest question you can ever ask a lawyer: "Can I sue?" Of course, the answer is always "yes." But the bigger question is, will you win? A recent case from Minnesota (PDF) raises the question of what duty a regulated entity such as this actually has to protect its customers' data.

11:34:57 PM

News Item 5260 Private identities become a corporate focus

During his keynote during the RSA Conference, Scott McNealy seemed almost apologetic.

The CEO of Sun Microsystems, infamous for his pronouncement "You have zero privacy anyway. Get over it.", took a conciliatory tone on the stage here, allowing that privacy might be something for which consumers should fight. He warned companies that, unless they protect consumer privacy, they could lose out on significant online growth.

"It's going to get scarier if we don't come up with technology and rules to protect appropriately privacy and secure the data, and the most important asset we have is obviously the data on people--our customers and employees and partners," McNealy told attendees last week. "And if we can't protect that, people are not going to go online."

McNealy joined the heads of other technology companies at the RSA Conference who called for better protection of privacy and more specific ways of thinking about what data needs to be known to identify partners and customers. Part of McNealy's epiphany: The week before the conference he was notified by a partner company that a lost laptop had his personal information stored on the hard drive.

"I wish I could share with you the note I sent back to them," he said, adding that he now better understood the consumer point of view. "It is a personal issue. What am I supposed to do now? They sent me this note, now what do I do?"


11:31:10 PM

News Item 5259 Privacy rights of whistleblowers and their accused.

Privacy rights of whistleblowers and their accused.

EU Working Party reports

Workplace whistleblowing schemes that exist to catch office thieves, crooked accountants or general misconduct and skullduggery, present data protection issues that have become the subject of new guidance from an EU Working Party.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
11:26:10 PM

News Item 5258 DVLA to review data access.

DVLA to review data access.

Clampdown on clampers

The agency responsible for drivers' personal information is proposing to stop dodgy clamping firms getting access to its databases.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
11:23:56 PM

News Item 5257 Homeland security urges DRM rootkit ban.

Homeland security urges DRM rootkit ban.

Give it up

US government officials took Sony BMG to task over its controversial use of rootkit-style copy protection at a security conference this week. If the technology proves harmful to consumers, tougher laws and regulations might be proposed, a senior Department of Homeland Security exec warned.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]


11:17:26 PM

News Item 5256 London Oyster card - a tool for spouse stalkers?

London Oyster card - a tool for spouse stalkers?

Marriages down the tubes...

Transport for London's (TfL) 'ID card lite', the Oyster travelcard, is already being illicitly used to snoop on people's movements, according to the Independent on Sunday. The problem stems from the fact that TfL records the journeys made using the card, and gives owners easy internet access to their personal audit trail. But it's perhaps too easy.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
11:14:28 PM

News Item 5255 RSA: Gates outlines ID management for Vista, XP.

RSA: Gates outlines ID management for Vista, XP. Microsoft plans to include technology in Windows Vista and Windows XP for allowing users to manage their passwords and identities across multiple Web sites, according to the company's Chairman and Chief Software Architect Bill Gates. [Identity management news]
11:11:47 PM

News Item 5254 Data Storage Security. [Infosec Writers Latest Security Papers]

Data Storage Security. Tom Olzak explores data storage vulnerabilities, the risks these vulnerabilities present to an organization, and ways to effectively manage those risks. By Tom Olzak. [Infosec Writers Latest Security Papers]
11:10:06 PM

News Item 5253 No refund on Northwest Airlines if you won't produce ID.

No refund on Northwest Airlines if you won't produce ID.

I mentioned in a recent article that airlines' rules explicitly require them to give you a full and unconditional refund -- even if your ticket was otherwise completely nonrefundable -- if they refuse to transport you because (among other reasons) you refuse to permit your person or belongings to be searched for weapons or explosives, or you refuse to provide evidence of your identity that the airline deems sufficient.

That's still true for almost every airline whose rules I re-checked, but it has begun to change. The most recent version of Northwest Airlines' Contract of Carriage is effective 10 February 2006. See Rule 35 (G) on page 37 of this PDF:

IN SITUATIONS ARISING UNDER PARAGRAPHS B), C), D), OR E) ABOVE EXCEPT E)1 AND E)4-5 AND E)7-8, A PASSENGER SHALL NOT BE ENTITLED TO A REFUND IF THE PASSENGER'S TICKET IS NONREFUNDABLE.

I don't know when the change was first made. If anyone has any archived copies of Northwest's terms and conditions, please let me know the date of your copy and whether it includes this rule.

As of today, there is no such clause in the contracts of carriage or general tariff rules of American Airlines, Delta Air Lines, United Airlines, Continental Airlines, or US Airways. But check before you buy a ticket -- I won't be surprised if they follow Northwest's lead.

[The Practical Nomad]
11:08:05 PM

News Item 5252 Senate Committee Declines NSA Inquiry; House Promises One.

Senate Committee Declines NSA Inquiry; House Promises One. The Senate Intelligence Committee decided yesterday not to investigate the administration's warrantless wiretapping program, at least for now. Ranking Member John Rockefeller called the decision an abdication of the committee's responsibility to oversee the nation's intelligence activities. The House Intelligence Committee members have indicated that committee will conduct an inquiry, but it is unclear whether it will focus on the operational facts or the legality of the program. CDT believes Congress must learn the details of the program before it attempts to pass any legislation weakening surveillance laws. [Center for Democracy and Technology]
11:03:26 PM

News Item 5251 EFF - RIAA Says Ripping CDs to Your iPod is NOT Fair Use.

RIAA Says Ripping CDs to Your iPod is NOT Fair Use.

It is no secret that the entertainment oligopolists are not happy about space-shifting and format-shifting. But surely ripping your own CDs to your own iPod passes muster, right? In fact, didn't they admit as much in front of the Supreme Court during the MGM v. Grokster argument last year?

Apparently not.

As part of the on-going DMCA rule-making proceedings, the RIAA and other copyright industry associations submitted a filing that included this gem as part of their argument that space-shifting and format-shifting do not count as noninfringing uses, even when you are talking about making copies of your own CDs:

"Nor does the fact that permission to make a copy in particular circumstances is often or even routinely granted, necessarily establish that the copying is a fair use when the copyright owner withholds that authorization. In this regard, the statement attributed to counsel for copyright owners in the MGM v. Grokster case is simply a statement about authorization, not about fair use."

For those who may not remember, here's what Don Verrilli said to the Supreme Court last year:

"The record companies, my clients, have said, for some time now, and it's been on their website for some time now, that it's perfectly lawful to take a CD that you've purchased, upload it [EFF: Deep Links]

10:58:34 PM

News Item 5250 EFF - Who Wants to Kick Macrovision's Tires?

Who Wants to Kick Macrovision's Tires?

In the wake of the scandals regarding the XCP and MediaMax CD copy protection mechanisms used by Sony-BMG and several independent labels, EFF asked EMI if it would allow security researchers to examine the Macrovision copy protection technologies that it uses. The goal would be to verify that Macrovision's CD copy protection software does not create security vulnerabilities for music fans. Although EMI and Macrovision claim confidence in the security of the technology, there's nothing like independent testing to verify such claims. And unless EMI and Macrovision waive their DMCA and EULA claims, researchers could face legal action for certain kinds of security testing.

Responding to our open letter, EMI has invited security researchers interested in doing security testing on its CD copy protection technologies to come forward:

However, without knowing more details about - among other things - the type of research intended, by whom and for what purpose, we cannot accept your invitation to give a public, blanket declaration in the manner you suggest. Again, we are happy to assist in advancing legitimate, focused research, but we cannot provide protection to unnamed and uncounted "security researchers."

We at EFF would like to take EMI up on its offer "to assist in legitimate, focused research." If you are a researcher interested in doing security testing on Macrovision's CD copy protection software, please contact fred@eff.org.

[EFF: Deep Links]
10:55:32 PM

News Item 5249 EFF - Time to Settle Up with Sony BMG.

Time to Settle Up with Sony BMG.

If you were upset about Sony BMG's dangerous digital rights management (DRM) released in millions of CDs last year, now is the time to show that you care. The settlement process has begun in EFF's class action lawsuit against the entertainment giant. Music fans who bought the affected CDs can submit claims for clean CDs. Some customers are also eligible for extra downloads.

There are two big reasons you should take the time to fill out the claim forms. First, it will get you what you thought you were buying in the first place: music that will play on all your electronic devices without installing sneaky software. But this is also a way to show Sony BMG -- and the entire entertainment industry -- how important this issue is to you. If you take the time to claim the product you deserve, maybe other music labels will think twice before wrapping songs in DRM.

[EFF: Deep Links]
10:52:16 PM

News Item 5248 EFF - DMCA Used to Block Cellphone Secondary Market.

DMCA Used to Block Cellphone Secondary Market.

Here we go again, another example of the DMCA being used to block competition in secondary markets. First we had the lawsuit to block refilling of Lexmark toner cartridges. Then the lawsuit to block interoperable clickers for garage door openers. Then the lawsuit to block independent service vendors from servicing enterprise data storage systems.

Now we have TracFone, "the largest provider of prepaid wireless telephone service in the United States," invoking the DMCA [complaint, PDF] against a company that reprograms locked TracFone handsets so that you can use other network providers. (The Wireless Alliance has asked the Copyright Office for a DMCA exemption for cellphone unlocking, thanks in part to lawsuits like this.)

TracFone gives away locked Nokia handsets at below cost, hoping to make it back by selling you minutes. The rest is obvious to anyone who paid attention when vendors tried the same thing with CueCat bar code scanners and Ritz digital disposable cameras. A competitor jumped in, bought the below-cost handsets, unlocked them, and started selling them.

So TracFone has called in the lawyers, hoping the DMCA will shut down the secondary market and prop up their business model (there are also trademark, unfair competition, and tortious interference claims).

Reasonable minds may differ about whether the defendant here, Sol Wireless Group, deserves to be punished for its business practices. But it is hard not to conclude that this is another unintended consequence of the DMCA, and another example of the DMCA impeding competition in a realm far removed from movies and music.

[EFF: Deep Links]
10:50:18 PM

News Item 5247 The New Yorker: THE MEMO How an internal effort to ban the abuse and torture of detainees was thwarted.

The day after Mora's first meeting with Brant, they met again, and Brant showed him parts of the transcript of Qahtani's interrogation. Mora was shocked when Brant told him that the abuse wasn't "rogue activity" but was "rumored to have been authorized at a high level in Washington." The mood in the room, Mora wrote, was one of "dismay." He added, "I was under the opinion that the interrogation activities described would be unlawful and unworthy of the military services." Mora told me, "I was appalled by the whole thing. It was clearly abusive, and it was clearly contrary to everything we were ever taught about American values."

Mora thinks that the media has focussed too narrowly on allegations of U.S.-sanctioned torture. As he sees it, the authorization of cruelty is equally pernicious. "To my mind, there's no moral or practical distinction," he told me. "If cruelty is no longer declared unlawful, but instead is applied as a matter of policy, it alters the fundamental relationship of man to government. It destroys the whole notion of individual rights. The Constitution recognizes that man has an inherent right, not bestowed by the state or laws, to personal dignity, including the right to be free of cruelty. It applies to all human beings, not just in America--even those designated as 'unlawful enemy combatants.' If you make this exception, the whole Constitution crumbles. It's a transformative issue."

Mora said that he did not fear reprisal for stating his opposition to the Administration's emerging policy. "It never crossed my mind," he said. "Besides, my mother would have killed me if I hadn't spoken up. No Hungarian after Communism, or Cuban after Castro, is not aware that human rights are incompatible with cruelty." He added, "The debate here isn't only how to protect the country. It's how to protect our values."
10:45:19 PM