Thursday, October 12, 2006


News Item 7440 Could Online Poker Law Raise The Stakes on Free Linking?

If you're running a casino out of your house, you might get a call from the cops. But should the feds be able to go after phone book authors for merely putting your phone number and street address in their public directory? Of course not, right?

The Unlawful Internet Gambling Act rocked the online casino industry mere days after its passage this month, and, with the president expected to sign the bill on Friday, most commentary has focused on how it will impact the millions of Americans who enjoy playing poker and placing bets online. As in many other instances, this attempt to stamp out an online activity could also impact anyone who wants to link to or help you access sites online.

Blocking unlawful gambling-related activities shouldn't mean censoring people who simply reference the existence of gambling sites. Linking, like publishing a phone number or street address, is a form of expression protected by the First Amendment, and this bill raises some subtle free speech concerns.

[EFF: Deep Links]
10:25:36 PM

News Item 7439 Freedom to Tinker - Spamhaus Tests U.S. Control Over Internet

In a move sure to rekindle debate over national control of the Internet, a US court may soon issue an order stripping London-based spamhaus.org of its Internet name.

Here's the backstory. Spamhaus, an anti-spam organization headquartered in London, publishes ROKSO, the "Register of Known Spam Operations". Many sites block email from ROKSO-listed sites, as an anti-spam tactic. A US company called e360 sued Spamhaus, claiming that Spamhaus had repeatedly and wrongly put e360 on the ROKSO, and asking the court to award monetary damages and issue an injunction ordering e360's removal from ROKSO.

Spamhaus lost the case, apparently due to bad legal maneuvering. Faced with a U.S. lawsuit, Spamhaus had two choices: it could challenge the court's jurisdiction over it, or it could accept jurisdiction and defend the case on the merits. It started to defend on the merits, but then switched strategies, declaring the court had no jurisdiction and refusing to participate in the proceedings. The court said that Spamhaus had accepted its jurisdiction, and it proceeded to issue a default judgment against Spamhaus, ordering it to pay $11.7M in damages (which it apparently can't pay), and issuing an injunction ordering Spamhaus to (a) take e360 off ROKSO and keep it off, and (b) post a notice saying that previous listings of e360 had been erroneous.

Spamhaus has ignored the injunction. As I understand it, courts have broad authority to enforce their injunctions against noncompliant parties. In this case, the court is considering (but hasn't yet issued) an order that would revoke Spamhaus's use of the spamhaus.org name; the order would require ICANN and the Tucows domain name registry to shut off service for the spamhaus.org name, so that anybody trying to go to spamhaus.org would get a domain-not-found error. (ICANN says it's up to Tucows to comply with any such order.)

There are several interesting questions here. (1) Is it appropriate under U.S. law for the judge to do this? (2) If the spamhaus.org name is revoked, how will Spamhaus and its users respond? (3) If U.S. judges can revoke domain name registrations, what are the international implications?


10:24:30 PM

News Item 7438 For Microsoft, Patch Tuesday Often Becomes Exploit Thursday.

Microsoft releases security updates on the second Tuesday of each month -- a regular schedule the company follows to make it easier for network administrators around the world to manage all the updating necessary to deploy the fixes on their systems.

Over the past several months, news of exploits targeting previously undocumented flaws in Windows and other Microsoft applications has surfaced within hours of each Patch Tuesday. Today, less than 48 hours after Microsoft released a record number of security updates, comes the release of exploit code for yet another Office flaw, this one apparently targeted at PowerPoint files in Office 2003 (no, I'm not going to link to the site hosting the exploit code).

As I've noted before, the Patch Tuesday/Exploit Wednesday (or Thursday) phenomenon gives bad guys the maximum amount of time to use exploits in the wild before Microsoft gets around to its next patch cycle. Redmond occasionally breaks out of that cycle for especially serious or high-profile attacks on unpatched flaws; it has done so twice this year, though neither of those emergency patches dealt with an Office vulnerability.

It is quite clear from the massive number of Office patches issued this week that Microsoft is doing some long overdue code review on its desktop software. So far in 2006, Microsoft has issued patches to address no fewer than 44 distinct vulnerabilities in its Office products, many of them labeled "critical" -- meaning that bad guys can install malicious programs on your machine just by convincing you to open a poisoned document or spreadsheet. By comparison, Microsoft issued just six updates to fix problems in Office last year.

It is also painfully clear that those who would wish to heap harm and embarrassment on Microsoft and its millions of users also are conducting their own audits, and with very effective results. Office flaws have shown themselves to be extremely potent weapons in targeted attacks against organizations (think corporate and government espionage).

Regarding the Office exploit revealed today, a Microsoft spokesperson said the company "is investigating new public reports of a possible vulnerability in Microsoft Office 2003. Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary."

While we're on the subject of Office vulnerabilities, it appears Microsoft's Office Update service is still experiencing some hiccups. I tried to update my Office 2000 installation last night and again this morning and was met with an error message saying the site was experiencing technical difficulties.

[Security Fix]
10:19:12 PM

News Item 7437 Vista Licenses Limit OS Transfers, Ban VM Use - TechWeb

Microsoft has released licenses for the Windows Vista operating system that dramatically differ from those for Windows XP in that they limit the number of times that retail editions can be transferred to another device and ban the two least-expensive versions from running in a virtual machine.

The new licenses, which were highlighted by the Vista team on its official blog Tuesday, add new restrictions to how and where Windows can be used.

"The first user of the software may reassign the license to another device one time. If you reassign the license, that other device becomes the 'licensed device,'" reads the license for Windows Vista Home Basic, Home Premium, Ultimate, and Business. In other words, once a retail copy of Vista is installed on a PC, it can be moved to another system only once.

The new policy is narrower than Windows XP's. In the same section, the license for Windows XP Home states: "You may move the Software to a different Workstation Computer. After the transfer, you must completely remove the Software from the former Workstation Computer." There is no limit to the number of times users can make this move. Windows XP Professional's license is identical.

Elsewhere in the license, Microsoft forbids users from installing Vista Home Basic and Vista Home Premium in a virtual machine. "You may not use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system," the legal language reads. Vista Ultimate and Vista Business, however, can be installed within a VM.


9:56:10 PM

News Item 7436 Slashdot | Vista Licenses Limit OS Transfers, Ban VM Use

NiK0laI writes  "TechWeb has posted an article regarding Vista's new license and how it allows you to only move it to another device once. How will this work for people who build their PCs? I have no intention of purchasing a new license every time I swap out motherboards. 'The first user of the software may reassign the license to another device one time. If you reassign the license, that other device becomes the "licensed device," reads the license for Windows Vista Home Basic, Home Premium, Ultimate, and Business. In other words, once a retail copy of Vista is installed on a PC, it can be moved to another system only once. ... Elsewhere in the license, Microsoft forbids users from installing Vista Home Basic and Vista Home Premium in a virtual machine. "You may not use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system," the legal language reads. Vista Ultimate and Vista Business, however, can be installed within a VM.'" 

Overly Critical Guy points out more information about changes to Vista's EULA and the new usage restrictions. "For instance, Home Basic users can't copy ISOs to their hard drives, can't run in a virtualized environment, and can only share files and printers to a maximum of 5 network devices."
9:50:37 PM


News Item 7435 Techworld.com - Exploit code hiding in cache servers

According to Finjan Software, which has just released its latest Web trends report, caching technology used by search engines, ISPs and large companies has been discovered to harbour certain kinds of malicious code even after the website that hosted it has been taken down.

Such "infection-by-proxy" code can remain in caches for as long as two weeks, giving it a "life after death" at a time it would conventionally be assumed to have been neutralised. Although caching does not always save copies of everything on a website, it will still store code embedded in HTML, including programming formats such as JavaScript.

The company offered details of how code designed to exploit a number of vulnerabilities in Microsoft products from 2003 and 2004 was able to continue in the public domain thanks to it hiding in the cache servers of one of three unnamed search engines.

Although those exploits are old, there is no reason why the same issue wouldn't apply to recent issues on an unlimited scale, depending on the nature of the code and the way it was buried within cacheable content. And code pointing to malware such as Trojans would remain because of the issue, raising the level of risk further.

"This is more than just a theoretical danger. It is possible that storage and caching servers could unintentionally become the largest 'legitimate' storage venue for malicious code," said Finjan's CTO Yuval Ben-Itzhak. "Almost every malicious website out there has a copy on a caching server," he told Techworld.


9:45:13 PM

News Item 7434 Slashdot | Cache Servers Keeping Exploit Code Alive

1960's architecture writes,  "At last some evidence that exploit code is hiding on servers used to cache website content. According to Techworld, Israeli outfit Finjan has come up with evidence that real exploits have hidden on cache servers used by large search engines, effectively extending their life for periods of weeks after the original website had been taken down. The exploits detailed are from 2003-2004, but the principle would still apply to any exploit website around today, and any cache servers used by any one of the three unnamed search engines. It's almost literally malware 'life after death.'"
9:43:19 PM
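The mechanism behind the Techworld report and the Slashdot summary above is ordinary HTTP freshness caching: a cache that stored a page with a long max-age keeps serving that copy, inline script included, until the freshness lifetime runs out, whether or not the origin still exists. The following simulation is an added example written for this page, not code from Finjan, Techworld or any search engine. It assumes a simplified cache that honours Cache-Control max-age only (no revalidation, no operator-side purge), a constructed exploit page with invented indicator strings, and a fictitious host name; it also goes one step beyond the article by sketching the sweep a cache operator could run over still-fresh entries.

```python
"""Simulation of 'infection-by-proxy': a caching proxy keeps a copy of a page
(inline JavaScript included) after the origin has taken it down.
Constructed example; origin, cache, page content and indicators are invented."""
import re
from dataclasses import dataclass

TWO_WEEKS = 14 * 24 * 3600   # the report's observed cache lifetime, in seconds


@dataclass
class Response:
    status: int
    body: str
    max_age: int = 0          # Cache-Control: max-age, in seconds


@dataclass
class CacheEntry:
    response: Response
    expires_at: int           # absolute time in seconds


class Origin:
    """The malicious site. A page is 'taken down' by deleting it."""
    def __init__(self):
        self.pages = {}

    def publish(self, url, html, max_age):
        self.pages[url] = (html, max_age)

    def take_down(self, url):
        self.pages.pop(url, None)

    def get(self, url):
        if url in self.pages:
            html, max_age = self.pages[url]
            return Response(200, html, max_age)
        return Response(404, "Not Found")


class CachingProxy:
    """Freshness-based cache: serves a stored copy until max-age elapses and
    only then asks the origin again (no revalidation, no manual purge)."""
    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def get(self, url, now):
        entry = self.store.get(url)
        if entry is not None and now < entry.expires_at:
            return entry.response, "HIT"
        resp = self.origin.get(url)
        if resp.status == 200 and resp.max_age > 0:
            self.store[url] = CacheEntry(resp, now + resp.max_age)
        else:
            self.store.pop(url, None)   # a 404 is not cached here
        return resp, "MISS"


SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)

# Assumption: crude string indicators stand in for real signatures.
INDICATORS = ("ActiveXObject", "unescape(", ".hta")


def inline_scripts(html):
    return [m.group(1).strip() for m in SCRIPT_RE.finditer(html)]


def suspicious_scripts(html):
    return [s for s in inline_scripts(html) if any(i in s for i in INDICATORS)]


def scan_cache(proxy, now):
    """Operator-side sweep: inspect still-fresh entries for inline script that
    matches known-bad indicators, independent of whether the origin is up."""
    return {url: suspicious_scripts(e.response.body)
            for url, e in proxy.store.items()
            if now < e.expires_at and suspicious_scripts(e.response.body)}


# Constructed sample page carrying an inline dropper-style script.
EXPLOIT_HTML = """<html><body>
<script>
var o = new ActiveXObject("Shell.Application");
document.write(unescape("%3Cobject%20..."));
</script>
</body></html>"""


def run_scenario():
    """Timeline: crawl at t=0, takedown on day 1, checks on day 2 and day 15."""
    day = 24 * 3600
    origin, url = Origin(), "http://bad.example/index.html"   # fictitious host
    proxy = CachingProxy(origin)
    origin.publish(url, EXPLOIT_HTML, max_age=TWO_WEEKS)
    first, how1 = proxy.get(url, now=0)            # search engine crawls the page
    origin.take_down(url)                          # hoster pulls the site
    after, how2 = proxy.get(url, now=2 * day)      # still served from cache
    found = scan_cache(proxy, now=2 * day)
    expired, how3 = proxy.get(url, now=15 * day)   # freshness lifetime is over
    return {
        "crawl": (first.status, how1),
        "after_takedown": (after.status, how2, bool(suspicious_scripts(after.body))),
        "scan_finds": sorted(found),
        "after_expiry": (expired.status, how3),
    }


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(step, result)
```

The takedown at day 1 changes nothing for anyone hitting the cache on day 2: the stored 200 response, script and all, is fresh for another twelve days. Only the sweep in scan_cache (or an explicit purge, which this model deliberately lacks) shortens that window, which is the practical point of the report: taking the origin offline is not the same as removing the content.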

News Item 7433 Slashdot | Web Censorship on the University Campus?

Censored Prof asks: "I teach at a private university in San Antonio, TX. Besides some horrendous bandwidth issues, we have lately been subjected to Lightspeed and/or Websense blocking. This means that suddenly, university students are unable to see content that the rest of the (free) world sees; and more importantly are often blocked from very legitimate information crucial to their area of study. Papers like Village Voice are blocked. Anatomy sites are blocked. Electronic Art sites are blocked. Anything with ".mp3" is blocked. Our CIO has assured us that this is not uncommon and that there are good reasons to do this on a university campus. It strikes me as odd that students must leave campus to learn, and smacks of censorship in horrible ways. So my question: Is this unique to our university? Who else at what other universities are subject to similar web-content blocking? Are we alone, or part of a disturbing trend?"
9:41:34 PM

News Item 7432 How Do You Secure 100 Million Laptops?

If the plan is perfectly executed, Nicholas Negroponte's One Laptop Per Child project will deploy 100 million laptops in the first year. In one fell swoop, the nonprofit organization will create the largest computing monoculture in history.

Wary of the security risks associated with a computing monoculture--millions of machines with hardware and software of identical design--OLPC foundation officials are seeking help from the world's best hackers to review the full specifications of the $100 laptop's security model.

"This is an enormous challenge for us," said Ivan Krstić, director of the security and information platform efforts for the OLPC project in Cambridge, Mass. "Security for these machines is hands down the hardest thing I've ever worked on."


9:39:33 PM

News Item 7431 Slashdot | Security and the $100 Laptop

gondaba writes  "The One Laptop Per Child project is actively recruiting hackers to help crack the security model of the $100 laptop to avoid the obvious risks associated with what will effectively be the largest computing monoculture in history. From the article: 'The key design goal, Krstic explained, is to avoid irreversible damage to the machines. The laptops will force applications to run in a "walled garden" that isolates files from certain sensitive locations like the kernel. "If we discover vulnerabilities, the security model must hold up enough that even a machine that is unpatched won't be easily exploitable. This gives us a bit of diversity to avoid the monoculture trap," he added.'"
9:37:35 PM

News Item 7430 Slashdot: Does Your Employer Still Use SSNs?

An anonymous reader asks: "My company, a fairly large telco, still uses social security numbers for non-financial purposes; mostly for our IT ticketing system. I find it amazing that in these times, with how easy it is to use an SSN to obtain credit, that any company still does this. I've heard talk for almost eight years that the practice is going to be stopped but little progress has been made. How many companies out there still use SSNs so openly? Since it seems that nobody is in a hurry to solve this issue, what can be done to speed the process up?"
9:34:23 PM