Sunday, December 10, 2006


News Item 7822 How Much Privacy? - Forbes.com

ComScore Networks is the Big Brother of the Internet. The widely-used online research company takes virtual photos of every Web page viewed by its 1 million participants, even transactions completed in secure sessions, like shopping or online checking. Then comScore aggregates the information into market analysis for its over 500 clients, including such large companies as Ford Motor, Microsoft and The New York Times Co.

ComScore says that its participants are willing exhibitionists, happily selling their online privacy for gift certificates and free screensavers. But two computer scientists are raising new questions about comScore, claiming that company tracking software is being installed without consent on an unknown number of computers.

"[The] software is sneaking onto users' computers without the user agreeing to receive it," says Harvard University researcher Ben Edelman, who documented at least ten unauthorized comScore downloads. Eric Howes, director of malware research at antivirus company Sunbelt Software, and his researchers separately observed hundreds of unauthorized comScore downloads in a three-month period this fall. (Edelman and Howes spend their days patrolling the Internet for new threats.)

ComScore (revenues: $50 million) denies the allegations, saying the company would never install software without permission. "There is spyware out there, but that's not what we do," says comScore chairman and co-founder Gian Fulgoni. "We get explicit permission before our software is put on someone's machine." But privacy officer Chris Lin acknowledges seeing some unauthorized downloads several months ago. She says the company didn't distribute the nonconsensual software and immediately cut it off from comScore servers.

This isn't the company's first dalliance into apparent voyeurism: Two years ago, university IT managers busted comScore for tricking students into installing tracking software packaged with a free Web-accelerator program. Students were often unaware that they were being watched. comScore has since discontinued the program, called MarketScore.

But comScore remains the only major online research company that partners with third parties. Outside distributors bundle its surveillance software with desirable free programs like games or videos.


4:55:20 PM

News Item 7821 Slashdot | Market Research Company Secretly Installs Spyware

An anonymous reader writes  "Forbes reports that two security experts are raising new questions about comScore, claiming that company's tracking software is being installed without consent on an unknown number of computers. The widely-used online research company takes screenshots of every Web page viewed by its 1 million participants, even transactions completed in secure sessions, like shopping or online checking. ComScore then aggregates the information into market analysis for its clients, which include such large companies as Ford Motor, Microsoft and The New York Times Co." ---  From the article:  "'[The] software is sneaking onto users' computers without the user agreeing to receive it,' says Harvard University researcher Ben Edelman, who documented at least ten unauthorized comScore downloads. Eric Howes, director of malware research at antivirus company Sunbelt Software, and his researchers separately observed hundreds of unauthorized comScore downloads in a three-month period this fall."
4:47:59 PM

News Item 7820 HP Settlement Pays for IP Enforcement--What's the Connection?

The California Attorney General just announced a $14.5 million settlement with Hewlett-Packard for its use of pretexting, a type of fraud, to spy on its board members and journalists who were reporting on internal strife at the company. Nothing so surprising there--the investigation has been going on for a while, and there was no question as to wrongdoing on the part of HP leadership. What's interesting, though, is where that money is going. According to the settlement agreement and the AG's own press release, $13.5 million is going to create a new "Privacy and Piracy Fund," which will finance "law enforcement activities related to privacy and intellectual property rights."

Now, I'd be the first to note that there are intrinsic links between privacy and copyright law and policy, but more often than not, this link comes about because overzealous, self-appointed copyright cops are all too willing to invade users' privacy: installing spyware on computers; lobbying for personal information to be web-accessible before registering a domain; and defeating laws that would specifically target actions like HP's pretexting.

[Public Knowledge - Policy Blog]
12:27:02 PM

News Item 7819 Pirates Hack Vista's Registration Features.

"MelindaGates" hack allows users to activate Vista without alerting Microsoft. [PC World: Latest Technology News]
12:20:42 PM

News Item 7818 Speakers at ABA National Security Law Conference Confront NSA Surveillance Program and Leaks of Classified Information to the Press.

Speakers at the 16th annual review of National Security Law, held November 30-December 1, 2006, in Washington, D.C., addressed topics ranging from accountability for actions by private security contractors on the battlefield to civil litigation against terrorists and their bankers. Approximately 440 lawyers attended the conference, which was sponsored by the ABA Committee on Law and National Security, by the Center for National Security Law at the University of Virginia School of Law, and by the Center on Law, Ethics, and National Security at Duke University School of Law. Conference materials, which include several insightful papers, are available online.

In a speech at the conference, Representative Jane Harman, the outgoing ranking member of the House Intelligence Committee, described Congressional efforts to get executive branch officials to brief the members of the House and Senate Intelligence Committees about the NSA's domestic surveillance program. A video and audio copy of her remarks is available online. She said that only after the Senate Intelligence Committee threatened to delay confirmation hearings regarding General Michael Hayden's nomination to serve as CIA Director did executive officials agree to brief the Intelligence Committees about the NSA program. Ibid. at 15:30.

Having received the classified briefing about the NSA program earlier this year, Representative Harman said, "As one of the few people outside the White House and NSA briefed into this program, I assure you that the program can be conducted pursuant to the Foreign Intelligence Surveillance Act." Id. at 15:51. Given that Representative Harman has heard classified details about the NSA program that the Bush Administration has refused to disclose publicly, including in the dozens of pending lawsuits challenging the NSA program, her assertion that the program could be conducted within FISA constraints is important. It directly contradicts the Administration's claims that the NSA cannot run the program in a manner that complies with FISA.

[Privacy and Security Law Blog]
12:14:43 PM

News Item 7817 Time to Update Your Adobe Reader.

Adobe Systems is urging users who run the company's Adobe Reader software on Microsoft Windows computers to update to a new version of the popular PDF document viewer, after the company was alerted to several flaws that criminals could exploit to break into computers running the software.

From the Adobe advisory: "Critical vulnerabilities have been identified in Adobe Reader and Acrobat 7.0 through 7.0.8 that could -- although Adobe is not aware of any specific code exploits at this time -- allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious file must be loaded by the end user for an attacker to exploit these vulnerabilities. This issue is remotely exploitable. It is recommended that users update to Adobe Reader 8 or apply the workaround provided below."

I had Adobe Reader version 7 installed before applying the Adobe Reader 8 update, available for download from this link here. The "check for updates" feature in Reader 7 (select "Help" and then "Check for Updates") said I had the latest version of Reader -- when, of course, I did not. So I downloaded the standalone installer, which cheerily replaced the previous version and installed the new one without issue (although it wasn't speedy, and this was on my super-fast machine).

Adobe says that users who for one reason or another can't upgrade to Reader 8 should replace a specific file in the program's directory. Instructions for how to do that are in the Adobe advisory's "Solution" section.

Most people reading this blog probably have some version of Adobe Reader on their machines that isn't version 8. Take a moment to check which version you are running (Click "Help," then "About Adobe Reader" if you're not sure) and update.

[Security Fix]
12:08:58 PM

News Item 7816 Monthly Microsoft Patch Release Won't Include Word Fix.

Microsoft Corp. said yesterday that its monthly patch release next Tuesday will include at least six software updates to plug security holes in its Windows operating system and other software.

Missing from the company's notice, however, is any mention of a software update to fix a dangerous flaw in Microsoft Word that criminals are actively exploiting to break into Windows PCs.

Five of the updates on the list for next week address vulnerabilities in Windows, while a sixth patch would fix a problem with Microsoft Visual Studio 2005 that the company has acknowledged also is being exploited in the wild.

Microsoft said this month's release will include a large number of non-security, high-priority updates, but it wasn't more specific on any of those. Check back with Security Fix on Tuesday afternoon for the lowdown.

[Security Fix]
12:05:42 PM

News Item 7815 Security Hole Found in Windows Media Player.

Microsoft is investigating a new vulnerability in Windows Media Player that could be used to run malicious code on a user's PC. [PC World: Latest Technology News]
12:03:55 PM