Thursday, September 14, 2006


News Item 7256 German Tor Network Just Fine, Tor Director Says.

German Tor Network Just Fine, Tor Director Says.

While German police have seized several Tor servers, Tor executive director Shava Nerad says that Tor itself is not under attack, that the police haven't charged any Tor server operators and the organization expects the servers will be returned without incident.

We are simply part of a very wide net that they cast trying to track someone doing something illegal. It's not much different from what would have happened if the police were investigating someone who had made obscene phone calls where the police would have seized the logs of the phone company.

The police won't find any useful information in the servers, since none of the volunteer operators enable logging on the Tor servers, according to Nerad.

"In fact, that scenario of them checking for logs is worst case," Nerad said. "Likely, they just seized every machine with an IP which had touched someone doing something nefarious. They probably have no idea that these were even Tor servers."

"I don't believe German police have a deep understanding of how an anonymizing system works and none of these routers have logs," Nerad said.

She fully expects that the servers will be returned, though the question is when.

"The mill of jurisprudence turns slowly, but exceedingly fine," Nerad said. "What happens is that this will all blow over, and they get their servers back."

Europeans value privacy and anonymity more than the United States does, and there are no political moves in Europe to criminalize anonymity, according to Nerad.

Nerad learned of the seizures Thursday night, but the organization didn't send out a press release because they didn't consider it to be an attack on Tor.

But, now that the story has hit Slashdot?

"Now we are talking about it, otherwise there's no containing the brush fire," Nerad said.

[27B Stroke 6]
2:34:29 PM

News Item 7255 NYT Times: Ban Everything on Planes.

NYT Times: Ban Everything on Planes.

This Sunday's Week in Review section of the New York Times had a great piece on terrorist prosecutions in the United States post 9/11, and the increasing evidence that there's no large network of sleeper cells in the States.

The editorial board seems not to have read that story, because pages later the Times's top editorial suggested that the Transportation Security Administration ban most items, including electronics and laptops, from airplanes.

[T]he best approach would be a ban on virtually all carry-on items, or at least a limit of one small personal bag per passenger to tote travel documents, keys, vital medications, reading materials and any other minimal items that are allowed. [...] Separating people from their laptops during flights would be painful, although some people could surely use the time to go over reading material, or even revert to pen and paper. [...] For now, the surest way to keep dangerous materials out of the cabin is to keep virtually all materials out of the cabin.

Actually, the surest way to keep dangerous materials out of the cabin of airplanes is to put the airline industry out of business and the Times's editorial board's policy would be a good first step.

Business travelers keep the airline industry profitable.

And many of those travelers actually welcome time in the air, since it's one of the few times they will not be interrupted by phone calls or meetings while trying to get work done.

Take that away and they'll turn to driving and video-conferencing and watch the airlines file for bankruptcy.

If the Times was really serious about saving lives on airplanes, they'd recommend that airlines institute positive passenger-bag matching on transfers.

Currently, no bags go on the first leg of a traveler's trip, unless that person boards the plane.

But domestic airlines don't do the same for transfer flights, a loophole that terrorists exploited in 1985.

[27B Stroke 6]
2:27:25 PM

News Item 7254 Court Declines To Hear Campus Wiretapping Challenge.

Court Declines To Hear Campus Wiretapping Challenge.

The FCC rules in question re-interpreted a 1994 law known as CALEA, which distinguished between telecom networks, such as the traditional phone system and Internet providers.

Under that law, telecoms were forced to make it easier for law enforcement to listen in on phone calls.

Civil liberties groups controversially agreed to the legislation, so long as the Internet was not subject to the technical dictates of federal law enforcement agencies.

In August 2005, the FCC announced the bargain was off.

The American Council on Education challenged the extension of the rules to college networks, but a district court panel voted 2-1 to allow the FCC to sometimes regulate broadband providers as telecommunications providers and sometimes as information services. (Ruling)

The upshot, according to my good editor Mr. Poulsen:

Universities and broadband ISPs will be on the hook for an expensive retrofitting of their networks with surveillance gear, while law enforcement agencies will enjoy much quicker and easier access to information like a user's e-mail headers and the websites they visit, or -- with a court order -- a real time feed of the target's entire internet stream.

The American Council on Education can now appeal the ruling (.pdf) to the Supreme Court, but that's always a long shot.

[27B Stroke 6]
2:20:49 PM

News Item 7253 German police seize TOR servers.

German police seize TOR servers.

Anonymising service flushed out

Prosecutors in Germany have seized 10 servers which hosted the anonymising service TOR.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
2:02:20 PM

News Item 7252 Headmaster justifies fingerprinting pupils.

Headmaster justifies fingerprinting pupils.

'We don't have to ask parents'

The headmaster of Porth County Comprehensive School in South Wales has defended fingerprinting all 1,400 of his pupils days after their parents were told about the scheme last Wednesday.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
1:57:41 PM

News Item 7251 Beijing Big Brother gets bigger.

Beijing Big Brother gets bigger.

New laws tighten grip on media, technology

Beijing today attempted to defend sweeping new powers which gag foreign media and bar citizens from subscribing to news from abroad. The laws were published Sunday and went into effect immediately.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
1:54:10 PM

News Item 7250 Podcasters, Help Stop the Broadcasting Treaty!

Podcasters, Help Stop the Broadcasting Treaty!

If adopted, the WIPO Broadcasting Treaty would lockdown your digital media devices and grant to broadcasters and cablecasters broad new IP-like rights over anything they transmit. That's bad enough, but some countries at WIPO have also supported expanding the treaty to cover various Internet transmissions.

While many prominent webcasters have already spoken out about the treaty, podcasters also should make their voices heard. If you're a podcaster, read this joint statement to WIPO opposing the treaty and write to podcastersandwipo@eff.org to sign on.

[EFF: Deep Links]
1:52:00 PM

News Item 7249 Required Reading for Product Reviewers.

Required Reading for Product Reviewers.

CDT has published a white paper setting out criteria on which DRM-restricted products and services should be judged. The paper should be required reading for every product reviewer who evaluates digital media products and services, suggesting specific questions that reviewers should be asking when examining DRM-restricted offerings.

Too many product reviews fail to mention DRM restrictions (where were the reviewers when Sony-BMG's rootkit CDs showed up?), much less test and evaluate DRM-laden products against unrestricted alternatives (for example, comparing DRM-laden products like TiVo against unrestricted alternatives like MythTV).

The point is not to rail against DRM, but rather to inform potential customers so that they can make an informed buying decision. Of course, this will require that reviewers do their homework, since the press release and product manual likely won't describe what the product has been designed not to do. But asking manufacturers hard questions is what we pay reviewers to do for us. (And some of them have been doing a great job, like The Washington Post's Rob Pegoraro and Wired's Eliot Van Buskirk.)

There are a few places where CDT pulls its punches (failing to mention that DRM is often used to force us to pay a second time for media we've already bought once) and others where it falls prey to the Hollywood propaganda machine (pretending that DVD ripping is rare when DVD Shrink and Handbrake are being reviewed in places like PC Magazine and MacWorld). But overall, the paper is a timely clarion call. I hope the product reviewers and their editors are paying attention.

[EFF: Deep Links]
1:50:04 PM

News Item 7248 New Site Educates Political Speakers About Their Rights Online.

New Site Educates Political Speakers About Their Rights Online. The vast majority of political speech by individuals on the Internet is fully protected by the law and carries no risk of violating campaign finance rules. That is the key message of NetDemocracyGuide.org, a new Web site created by the Center for Democracy & Technology (CDT) to educate Internet users about their rights and obligations under campaign finance law. Developed with the support of the Carnegie Corporation of New York, NetDemocracyGuide.org makes it easy for bloggers and other citizen activists to quickly understand the new campaign finance rules, and how those rules apply to them. [Center for Democracy and Technology]
1:46:30 PM

News Item 7247 The More Mainstream Media Covers Craigslist Attack.

The More Mainstream Media Covers Craigslist Attack.
The AP's Internet correspondent Anick Jesdanun covers Jason Fortuny's sociopathic publication of the personal information and photos of more than 150 men who responded to a fake, sexually explicit Craigslist posting:

"It's a sad commentary overall," said Lauren Weinstein, a veteran computer scientist and privacy advocate. "It's one of those situations where both sides look bad. ... From an ethical standpoint, this isn't brain surgery." [...]

In this case, however, the men who replied to Fortuny's posting did not appear to be doing anything illegal, so the outing has no social value other than to prove that someone could ruin lives online, said Jonathan Zittrain, a law professor at Oxford and Harvard universities.

Whether Fortuny violated any laws is less clear, he said.

"It's one of those questions that could find its way onto a law school exam because it is comparatively new territory," Zittrain said. [...]

Fortuny's liability under Washington state law, [Kurt Opsahl, staff attorney with the Electronic Frontier Foundation] said, rests on whether the disclosures are of legitimate concern to the public.

The Register's Andrew Orlowski strings together a few Slashdot postings and says I climbed on the "tallest horse in the world" I could find to object to Fortuny's attack. (Actually Andrew, I'm a modern guy, I got on the tallest bike I could find.)

There's a sense that what prompts much of the outrage isn't simply the privacy breach - and Fortuny may have been as successful in drawing attention to the brittle nature of privacy as any campaign by the ACLU, whatever you may think of his methods. One wonders if some of the outrage is stimulated by the brutal fact that computer networks aren't the idyllic, utopian playground some imagine them to be.

The BBC's Bill Thompson puts Fortuny's stunt in context with some other recent privacy outrages in his column.

[Fortuny] has acted in a despicable manner, and deserves whatever legal action is coming his way. He also deserves to be ostracised by the online communities he was so clearly seeking to impress.

We didn't need to know about his experiment to understand that the net creates new possibilities for public exposure. And we certainly don't need to give Fortuny credit for his cheap trick.

After all, this was the week in which Facebook founder Mark Zuckerberg apologised publicly for messing with his users' privacy and getting it wrong at the massively popular social networking site he created.

And Seattle P-I columnist Robert L. Jamieson, Jr. adds:

On Monday I spoke with a man who said that his name, phone and e-mail had been posted without his knowledge.

The man said he never replied to the Craigslist sex ad, suggesting someone else -- a stranger? Fortuny? -- got hold of his personal information and used it against him.

This certainly wouldn't be an Internet first.

"I'm not very happy," the man said.

"This is a nasty joke."

You have to wonder if what Fortuny just did is such a big crack-up, why so few are laughing.

And don't forget to stop by Upcoming.org founder Andy Baio's blog, Waxy.org, which had the first real story on this.

Photo: Doviende

[27B Stroke 6]
1:43:27 PM

News Item 7246 MySpace = Spam 2.0?

MySpace = Spam 2.0?

Trent Lapinski, a freelance writer, was hired to write an exposé about MySpace, but apparently News Corp threatened to sue his publisher if they ran the story. Instead, Lapinski sold his story to Valleywag, who decided to publish it despite the threat of legal action. Why doesn't News Corp want it published? Probably because Lapinski concludes that MySpace is nothing but the next generation of spyware & spam: Spam 2.0. Here are excerpts from the condensed version:

1. MySpace is NOT a viral success. MySpace was advertised on mass levels to reach the public. MySpace was created by a company named eUniverse (who later changed their name to Intermix Media). eUniverse was a marketing and entertainment company who had over 50 million e-mail addresses in their databases, as well as over 18 million monthly web users. eUniverse leveraged their resources to proliferate and advertise MySpace.com. eUniverse went as far as telling 3 million users of their paid dating website, CupidJunction.com, to sign up for free MySpace accounts. (CupidJunction message screenshot)

2. MySpace.com is Spam 2.0. MySpace has spawned an incredibly successful twist on the age-old art of self-promotion, allowing -- even encouraging -- the marketing of everything from bands to businesses on their site. Essentially, they've opened up a channel through which to solicit and promote everyone and everything, most importantly the individual. The whole site is, in essence, a marketing tool that everyone who registers has access to. Users constantly receive spam-like messages from said bands, businesses, and individuals looking to add more "friends" (and therefore more potential fans, consumers, or witnesses) to their online identity. A testament to this strange new social paradigm is the phrase "Thanks for the Add," a nicety offered when one MySpace user adds another as a friend. Best yet, to use the site, members must log in, causing them to inadvertently view advertisements, and then read their messages on a page with even more advertisements. In the world of MySpace, Spam is earth, air, fire, and water.

Lapinski also concludes that 3) Tom Anderson did not create MySpace, 4) MySpace's CEO Chris DeWolfe is connected to a past of spam, and 5) MySpace was a direct assault on Friendster.com.

This apparent connection between MySpace and spam should not be too surprising, and also explains Facebook's recent decision to expand their user base beyond the halls of education. I'm sure these examples of the corporatization of social networks will be discussed in detail at the Critical Perspectives on Social Software and Web 2.0 seminar in Denmark next month.

[via Search Engine Journal]

[michaelzimmer.org]
1:39:35 PM

News Item 7245 Apple, Microsoft Release Software Patches.

Apple, Microsoft Release Software Patches.

Apple and Microsoft today released updates to fix security problems in their software, including a patch bundle for the popular QuickTime media player, as well as fixes for computers running Windows and Microsoft Office.

The QuickTime update, available for both Mac and Windows systems, mends seven security holes that Apple said could let attackers install malicious programs if a user opened specially crafted media files. The newest version is QuickTime 7.1.3, and it is available at this link.

Microsoft issued two patches to fix flaws in Windows, one of which the company said could let bad guys hijack vulnerable PCs. The more serious of the two affects Windows XP systems. Another patch corrects a critical flaw in Microsoft Publisher. If you use a Windows system and do not have your machine set to fetch Windows updates on its own via Automatic Updates, point Internet Explorer over to Microsoft Update to download and install these updates.

Microsoft also re-released two patches that it issued in August, including the Internet Explorer update that caused problems for some people running IE on Windows 2000 and Windows XP systems that do not have Service Pack 2 installed. In addition, it re-issued another patch that was creating glitches for some users of Windows Server 2003 and Windows XP Professional 64-Bit systems.

Microsoft pushed out an advisory on an important update for Adobe's Flash Player program, which is installed by default on millions of PCs running Windows. In May, Microsoft pushed out a Flash update to fix a couple of serious security holes in prior versions of Flash, a version of which ships with all Windows XP systems. Today, Redmond called attention to an Adobe update that mends three newly disclosed flaws in Flash Player version 8.0.24.0. The newest version -- v. 9.0.16.0 -- fixes those problems and is available from Adobe's site.

To see which version of Flash you have installed, go to this link on Macromedia's site. If you run Flash on your machine, try not to put off updating: Vulnerability watcher Secunia rated the Flash flaws "highly critical," as they could be exploited just by convincing a user to visit a malicious Web site.

Finally, I mentioned last week that Microsoft was going to issue a couple of high-priority, non-security related updates for Windows. When I scanned my Windows XP machine at Microsoft Update, it presented me with two non-security updates, including one to fix what Microsoft says is an audio problem that could cause stability issues for Windows XP users. The other one addresses errors that some Windows users have been seeing when trying to download updates via Microsoft Update, Windows Update, and Automatic Updates.

[Security Fix]
1:35:44 PM

News Item 7244 HP Chairman to Step Down Amid Scandal.

HP Chairman to Step Down Amid Scandal. HP's CEO will step into chairman's role after the board's January 2007 meeting. [PC World: Latest Technology News]
1:33:50 PM

News Item 7243 Democrats Call NSA's Input To Senate Panel Inappropriate - washingtonpost.com

Democrats on the Senate intelligence committee are complaining that the National Security Agency has played politics in support of the secret program to intercept phone calls between alleged terrorists in the United States and abroad.

On July 27, shortly after most members of the committee were briefed on the controversial surveillance program, the NSA supplied the panel's chairman, Pat Roberts (R-Kan.), with "a set of administration approved, unclassified talking points for the members to use," as described in the document.

Among the talking points were "subjective statements that appear intended to advance a particular policy view and present certain facts in the best possible light," Sen. John D. Rockefeller IV (D-W.Va.) said in a letter to the NSA director.

The cleared statements included "I can say the program must continue" and "There is strict oversight in place . . . now including the full congressional intelligence committees," as well as "Current law is not agile enough to handle the threat posed by sophisticated international terrorist organizations such as al-Qaeda" and "The FISA should be amended so that it is technologically neutral." FISA refers to the Foreign Intelligence Surveillance Act, the current law.

Rockefeller and six Democrats on the panel wrote Lt. Gen. Keith B. Alexander, the NSA's director, on Aug. 29 that they believed those statements "appear intended to advocate particular policies rather than provide guidance on classification." The letter added: "We believe that it is inappropriate for the NSA to insert itself into this policy debate."

Alexander had earlier told Rockefeller that the talking points were in response to requests from more than one committee Democrat for guidance as to what could be said publicly as the policy debate began over what should be done with the program.

One element particularly troubling to the Democrats was the statement that there was "strict" congressional oversight of the program, because, as one senior Democrat said yesterday, committee members are still awaiting requested documents such as the original authorization by President Bush that initiated the program.

1:31:42 PM

News Item 7242 Freedom to Tinker - Security Analysis of the Diebold AccuVote-TS Voting Machine

Today, Ari Feldman, Alex Halderman, and I released a paper on the security of e-voting technology. The paper is accompanied by a ten-minute video that demonstrates some of the vulnerabilities and attacks we discuss. Here is the paper's abstract:

Security Analysis of the Diebold AccuVote-TS Voting Machine

Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten
Princeton University

This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities -- a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine's hardware and software and the adoption of more rigorous election procedures.

1:29:14 PM

News Item 7241 Senate Judiciary Approves 3 NSA Bills.

Senate Judiciary Approves 3 NSA Bills.

The Senate Judiciary panel today passed three different measures that amend the law regarding the government's use of surveillance for foreign intelligence gathering, a response to the revelations about the Administration's end run around the laws to authorize warrantless wiretapping of Americans and a recent court ruling that found that program unconstitutional.

The bills now go to the full Senate for debate and a vote, and according to the ACLU's legislative counsel Lisa Graves, Specter has moved to have his bill passed on a voice vote.

The committee, headed by Arlen Specter, passed 10-8 on party lines, a bill crafted by Specter in conjunction with the Vice President that, in its original form, made more radical changes to the nation's surveillance laws than the Patriot Act did.

Analysis here and here.

That bill is S.2453, the "National Security Surveillance Act."

I haven't yet seen the text as passed today, but will update as soon as I can.

The committee also passed, again along party lines, a bill by Senator Mike DeWine (R-OH) called the "Terrorist Surveillance Program Act of 2006," which likewise loosens restrictions on government surveillance and allows for warrantless surveillance.

Senator Feinstein's bill, which Specter also signed onto and voted for, includes some minor government-friendly tweaks, but re-affirms that all wiretapping must be in accord with FISA. That provision all but calls the current NSA program illegal, though Feinstein has not come out and said so.

The committee was never briefed on the extent or oversight of the NSA's warrantless wiretapping of American citizens' communications.

The ACLU reacted immediately, saying that the committee should be investigating, not legalizing, the warrantless surveillance.

"Today, the Senate Judiciary Committee acted as a rubber stamp for the administration's abuse of power," said Caroline Fredrickson, Director of the ACLU Washington Legislative Office. "Congress has a right and obligation to conduct meaningful oversight on the unlawful actions of the president. But instead of investigating lawbreaking, the Senate Judiciary Committee wants to make it legal. We urge the full Senate to reject any attempts to ratify this illegal program."

[27B Stroke 6]
1:18:25 PM

News Item 7240 NSA Bill "Major Disaster," Mainstream Civil Lib Group.

NSA Bill "Major Disaster," Mainstream Civil Lib Group.

The Center for Democracy and Technology's policy director Jim Dempsey, a longtime expert on national security law who testified to the Judiciary Committee on Senator Arlen Specter's NSA bill, described the bill's passage out of committee as a "major disaster."

Specter's bill was drafted in concert with the Vice President's office, and Specter has championed the bill because the administration promised him that it would submit its warrantless wiretapping program to a secret court for review, though the bill makes that optional, and arguably makes the program legal, due to changes to the law governing surveillance.

What started out as Senator Specter wanting to rein in the president's program has turned on its head and is now not just a legislative ratification of the program, but an expansion of warrantless wiretapping of Americans.

It would allow the NSA to turn its vacuum cleaners on even domestic phone calls and emails of citizens.

And -- they do all of this in Alice-in-Wonderland fashion by defining all kinds of categories of surveillance to be not surveillance.

The bill is basically saying that any time you are targeting a foreigner, even if you are collecting calls to us citizens, that's not surveillance.

And anytime you are targeting nobody, but scooping up vast quantities of calls, that's not surveillance.

This bill goes light years or miles beyond the Patriot Act.

The Foreign Intelligence Surveillance Act is such a complicated statute and so much of the weight of it is borne by the definitions, that I'm not sure the sponsors of these bills appreciate what they are doing.

The people who drafted this bill knew what they were doing, and it's been a very clever sell job.

[27B Stroke 6]
1:13:31 PM

News Item 7239 HP's Crime Partner IDed.

HP's Crime Partner IDed.
The New York Times and the Wall Street Journal have identified the agency HP hired to spy on board members and journalists. It's a small Boston firm called Security Outsourcing Solutions, run by a former restaurateur named Ronald R. DeLia.

From the WSJ:

According to its Web site, Security Outsourcing Solutions "was formed to provide small- to medium-size corporations and institutions with the same level of security currently available only to Fortune 1000 companies." At one time, it published a newsletter called "Corporate Homicide: Life in a Global Economy." In a 1999 edition of the newsletter, Mr. DeLia warned that "identity theft is becoming a major law-enforcement problem about which consumers can ill afford to become indifferent." The newsletter said the Internet had made it easier for identity thieves to obtain addresses and Social Security numbers for a fee.

It's not clear how HP picked DeLia for the caper, but the Times links him to an east coast law firm:

The company shares a business phone number and a Boston address with Bonner Kiernan Trebach & Crociata, a law firm with offices in several cities. No one answered at the number Tuesday night. The firm's Web site says one of its specialties is internal corporate investigations.

Presumably, DeLia was the middle man, and he farmed out the dirty work to one or more other people who conducted the pretext phone calls -- a legal gray area -- and computer intrusions -- a flat out felony.

[27B Stroke 6]
1:10:55 PM

News Item 7238 ACLU Hates NSA Bill.

ACLU Hates NSA Bill.
The ACLU's senior legislative counsel Lisa Graves calls the passage of Specter's bill by the Senate Judiciary committee "incredible" and "stunning."

The Administration has taken their illegal conduct in wiretapping Americans without court orders, in violation of the Foreign Intelligence Surveillance Act and the Constitution, and used it as a springboard to not only get FISA changed to allow the Terrorist Surveillance Program, but to actually, going forward, not give protections to Americans' privacy rights.

The bill would make warrantless surveillance the rule, not the exception.

What's really a shame is that supporters of the bill don't know what they are supporting and don't know the consequences of the bill. We had a dozen hearings on the substance of Patriot Act last year, including several hearings on the roving wiretap provisions that are FISA's authorization for wiretaps.

Then the President went out on the campaign trail saying how great the Patriot Act was because it gave them access to terrorist cellphones. They could monitor their cellphones, roving from line to line.

Yet here we are with this bill that no one knows what it does, and they were supposed to get these powers in the Patriot Act -- the very rationale they gave last year for keeping the Patriot Act last year.

Now it turns out the warrant process is optional anyways.

They want to blow FISA out of the water by making it optional, and defining things that are electronic surveillance as not electronic surveillance and the Attorney General gets to do these massive certifications.

This is bad, bad, bad for the American people.

[27B Stroke 6]
1:09:06 PM

News Item 7237 AOL Issues Security Update.

AOL Issues Security Update.

America Online has shipped a security update for its millions of users to fix a flaw in the way the Internet service provider's Web browser processes certain types of image files -- a vulnerability that could let attackers install malicious software on a user's machine.

The flaw resides in the way AOL's browser handles files ending in ".art", an image file format used by AOL's software. A hacker could attack AOL users just by getting them to visit a Web site that invokes a .art image. Making the vulnerability worse, according to an advisory from vulnerability research firm iDefense, a unit of Verisign Inc., is that the malicious file or image "does NOT need to have an .art extension to be rendered by the vulnerable library. Any extension can be used, provided the image is loaded via an IMG SRC tag in an HTML document in Internet Explorer."

Computers running Microsoft Windows are potentially vulnerable, since Internet Explorer displays ART images. But Microsoft issued a patch in June to fix this problem.
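The detail worth keeping from the iDefense advisory is that the rendering library decided what a file was from its bytes, not from its name, so any filter that trusts the ".art" extension (or its absence) is looking at the wrong thing. The following is an added example, not code from AOL, iDefense or this article: a small content sniffer that classifies an image by its leading bytes and compares that with what the file name claims. The PNG, GIF and JPEG signatures are the standard ones; the ART signature `b"JG\x04\x0e"` and the sample headers are assumptions I constructed for the demonstration and are labelled as such in the code.

```python
import os

# Leading-byte signatures of common image formats. PNG, GIF and JPEG are the
# standard ones. The ART entry is an ASSUMPTION: b"JG\x04\x0e" is what I
# recall from the `file` utility's magic database for AOL/Johnson-Grace ART
# images; verify it against real samples before relying on it.
IMAGE_SIGNATURES = (
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("jpeg", b"\xff\xd8\xff"),
    ("art", b"JG\x04\x0e"),  # assumed signature, see comment above
)

# What a naive, name-based filter would conclude from each extension.
EXTENSION_TYPES = {
    ".png": "png", ".gif": "gif", ".jpg": "jpeg", ".jpeg": "jpeg", ".art": "art",
}


def sniff_image_type(data):
    """Return the format implied by the leading bytes, or None if unknown."""
    for name, signature in IMAGE_SIGNATURES:
        if data.startswith(signature):
            return name
    return None


def extension_type(filename):
    """Return the format a filter that trusts only the extension would assign."""
    return EXTENSION_TYPES.get(os.path.splitext(filename)[1].lower())


def name_based_filter(filename, allowed):
    """The weak check: decide from the extension alone (what the bug defeats)."""
    return extension_type(filename) in allowed


def content_based_filter(filename, data, allowed):
    """The stronger check: the bytes must be a permitted format, and the
    name must agree with the bytes, so renamed content is rejected."""
    sniffed = sniff_image_type(data)
    if sniffed is None or sniffed not in allowed:
        return False
    return extension_type(filename) == sniffed


# Constructed samples: a few header bytes followed by filler, NOT real images.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # genuine JPEG header
    "banner.gif": b"GIF89a" + b"\x00" * 10,            # genuine GIF header
    "photo2.jpg": b"JG\x04\x0e" + b"\x00" * 12,        # (assumed) ART bytes behind a .jpg name
    "readme.png": b"Hello, world" + b"\x00" * 4,       # not an image at all
}


def audit(samples, allowed=("png", "gif", "jpeg")):
    """Run both filters over the samples; returns {name: (name_based, content_based)}."""
    return {
        name: (name_based_filter(name, allowed),
               content_based_filter(name, data, allowed))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (by_name, by_content) in audit(SAMPLES).items():
        print(f"{name:12s} sniffed={str(sniff_image_type(SAMPLES[name])):6s} "
              f"name-based={str(by_name):5s} content-based={by_content}")
```

Run as a script, the ART-behind-.jpg sample and the text-behind-.png sample pass the name-based filter and fail the content-based one, which is exactly the gap the advisory describes; a real deployment would also have to handle formats whose signatures sit at an offset rather than at byte 0.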

The underlying problem affects AOL versions 9.0 and earlier. AOL says subscribers who are currently using AOL 9.0 just need to log in to the service and the fix will be applied to their systems automatically. AOL urges users who are currently using an earlier version of AOL to upgrade to AOL 9.0 Security Edition.

[Security Fix]
1:06:46 PM

News Item 7236 Canadian Sony Rootkit Settlement Misses the Mark.

Canadian Sony Rootkit Settlement Misses the Mark.

Almost a year after the Sony BMG rootkit debacle began, Sony BMG has finally settled with its Canadian customers. Much of the settlement, particularly the compensation customers will receive, mirrors the provisions of the U.S. agreement approved last May. But the Canadian settlement is missing some crucial commitments regarding Sony BMG's future conduct.

[EFF: Deep Links]
1:05:12 PM