Saturday, January 6, 2007


News Item 7984 MIT OpenCourseWare | Electrical Engineering and Computer Science | 6.912 Introduction to Copyright Law, January (IAP) 2006

Highlights of this Course

This course features video lectures and an extensive list of readings. A description of assignments is also available. This course is offered during the Independent Activities Period (IAP), which is a special 4-week term at MIT that runs from the first week of January until the end of the month.

Course Description

This course is an introduction to copyright law and American law in general. Topics covered include: structure of federal law; basics of legal research; legal citations; how to use LexisNexis®; the 1976 Copyright Act; copyright as applied to music, computers, broadcasting, and education; fair use; Napster®, Grokster®, and Peer-to-Peer file-sharing; Library Access to Music Project; The 1998 Digital Millennium Copyright Act; DVDs and encryption; software licensing; the GNU® General Public License and free software.

6:31:36 PM

News Item 7983 MIT Offering Free Copyright Course Online.

MIT Offering Free Copyright Course Online.   IANAL writes  "MIT is offering Introduction to Copyright Law as a free online course. Interested Slashdotters might find it a good way to challenge their firmly held misconceptions about copyright law as it concerns fair use, Napster, Grokster, the GPL, and P2P filesharing, among other things. There's also an article about the course over on Groklaw." [Slashdot: Your Rights Online]
6:15:59 PM

News Item 7982 Face Recognition for Online Photo Searches Sparks Privacy Fears

A new type of search engine using facial recognition technology could soon be able to pinpoint images of a person among the billions of photos posted online--even if their name does not appear.

A Swedish company named Polar Rose plans to launch its service for facial searches tied to the photo-sharing site Flickr within a couple weeks.

In the next few months the firm hopes to expand the service to search images across the entire Web.

The technology promises enhanced photo finding that would make it easier to find people on the Internet.

But privacy advocates are concerned that Polar Rose and similar facial-mapping search engines will violate people's rights and potentially aid criminals.

Lee Tien is an attorney at the Electronic Frontier Foundation, an Internet watchdog group that focuses on privacy and civil liberties.

"Photos [posted online] are effectively anonymous now," Tien said, unless they are labeled with some sort of identifying text. "But if Polar Rose works the way they say it will, that's all going to change."

Tien said that this kind of technology could aid stalkers in tracking down their victims, or it could allow employers, insurance companies, and the government to pry into people's lives more than some of us would like.

Editor: The situation is currently being discussed in a public discussion area over at Flickr itself. Stewart, who works for Flickr and is one of the original big wigs, commented early today in the thread. He said:
 
As far as I know they've never been in touch with us (I'll ask around internally). Judging from the screenshot, it looks like an explicit opt-in feature (which makes sense if they need people to identify the faces in the photos). If it's not opt-in, we'll have a look at how it works and see how people feel and do the right thing :)

Unfortunately, from looking at many of the other user comments, many people still don't get it, probably because they don't understand the linking together of data from various sources/databases. Many seem to think that if it's not all in one monolithic database, it's not connected.


5:34:51 PM

News Item 7981 House Encourages Florida Court to Allow Access to E-voting Source Code, Hardware.

House Encourages Florida Court to Allow Access to E-voting Source Code, Hardware.

Another key member of the House of Representatives has weighed in on the disputed Florida Congressional election, saying that not only the litigants but the House itself would benefit from more open discovery. On Thursday, the incoming Chairwoman of the House Administration Committee, which has the responsibility for evaluating any House election contest, submitted a letter to the Florida First District Court of Appeal expressing concern with the inability of the Plaintiffs to pursue their claims.

In her letter, Chairwoman Millender-McDonald (D-CA) stated:

It is [...] of concern that the parties have been unable to agree upon, and that, on December 29th, the lower court declined to order, the requested access to the hardware and software (including the source code) needed to test the contestant's central claim: voting machine malfunction.

Millender-McDonald went on to note that:

[T]he House is well served in its own deliberations by having before it a complete record. Consequently, Florida law will facilitate the evaluation of the election contest pending before the House to the extent that it provides access to relevant and critical evidence. I am confident that this can be done in a way that accommodates the valid interests of the parties, and resolution of these issues may obviate the need for the House to address them.

Millender-McDonald's letter strongly supports the positions taken by District 13 challenger Christine Jennings as well as the eleven Sarasota voters (represented by EFF, VoterAction, People for the American Way Foundation, and the ACLU of Florida) in their separate suit. Florida voters deserve and Florida law requires that challengers be given an opportunity to fully investigate legitimate claims that call into question the integrity of election results.

On December 29, 2006, the trial court denied the Plaintiffs' motions to compel the production of hardware, software, and documentation that would allow the cases to move forward. The Court of Appeals is now considering an appeal that was filed this week.

[EFF: Deep Links]
5:08:53 PM

News Item 7980 Follow the Media-to-Congress Money Trail.

Follow the Media-to-Congress Money Trail.

Want to know if your Congressional representatives filled their campaign coffers with the entertainment industry's cash? Look no further than the Center for Public Integrity's awesome Media Tracker. The new version helps you learn more about major media companies, including a detailed history of all campaign contributions to all candidates for Congress and the Presidency, dating back to 1998. The neat "Power Trips" tracks legislators' travel that was paid for by a company.

To get you started, check out the new House Internet and Intellectual Property Subcommittee Chairman Howard "Hollywood" Berman. Telling, no?

[EFF: Deep Links]
5:07:30 PM

News Item 7979 2007 Predictions - Freedom to Tinker

2007 Predictions.

This year, Alex Halderman, Scott Karlin and I put our heads together to come up with a single list of predictions. Each prediction is supported by at least two of us, except the predictions that turn out to be wrong, which must have slipped in by mistake.

Our predictions for 2007:

(1) DRM technology will still fail to prevent widespread infringement. In a related development, pigs will still fail to fly.

(2) An easy tool for cloning MySpace pages will show up, and young users will educate each other loudly about the evils of plagiarism.

(3) Despite the ascent of Howard Berman (D-Hollywood) to the chair of the House IP subcommittee, copyright issues will remain stalemated in Congress.

(4) Like the Republicans before them, the Democrats' tech policy will disappoint. Only a few incumbent companies will be happy.

(5) Major record companies will sell a significant number of MP3s, promoting them as compatible with everything. Movie studios won't be ready to follow suit, persisting in their unsuccessful DRM strategy.

(6) Somebody will figure out the right way to sell and place video ads online, and will get very rich in the process. (We don't know how they'll do it. If we did, we wouldn't be spending our time writing this blog.)

(7) Some mainstream TV shows will be built to facilitate YouTubing, for example by structuring a show as a series of separable nine-minute segments.

(8) AACS, the encryption system for next-gen DVDs, will melt down and become as ineffectual as the CSS system used on ordinary DVDs.

(9) Congress will pass a national law regarding data leaks. It will be a watered-down version of the California law, and will preempt state laws.

(10) A worm infection will spread on game consoles.

(11) There will be less attention to e-voting as the 2008 election seems far away and the public assumes progress is being made. The Holt e-voting bill will pass, ratifying the now-solid public consensus in favor of paper trails.

(12) Bogus airport security procedures will peak and start to decrease.

(13) On cellphones, software products will increasingly compete independent of hardware.

[Freedom to Tinker]
5:05:37 PM

News Item 7978 Take Me to Your (Adobe) Reader.

Take Me to Your (Adobe) Reader.

It seems like almost every week now we learn about a security threat that is linked to ill-conceived "features" built into widely used software applications. Most recently, it was a design flaw in the Apple QuickTime player that powered the hugely successful QuickSpace worm (a flaw, by the way, that remains unpatched and for which exploit code is now posted online).

The latest example of this trend is a flaw revealed late last month in most versions of Adobe Reader -- the ubiquitous program useful for viewing PDF documents -- that can be used to further phishing scams or to steal sensitive and personal information from users.

The trouble, once again, is with Javascript, a powerful programming language that works exceptionally well with Web sites to do all kinds of things that make the online experience much smoother, such as dynamically loading Web page content, forms, etc.

The problem with that kind of power is that it can be a tempting target for attackers. The Adobe flaw is with a Javascript "feature" in Reader and the Adobe plug-ins that render PDFs in Microsoft's Internet Explorer and Mozilla's Firefox Web browsers. It turns out that this feature introduces the possibility of so-called "cross-site-scripting" attacks, which involve tricking a Web site (or a user's Web browser) into displaying content from a site other than the one that's listed in the browser's address bar. (Yes, I'm aware of the irony of referring readers to a PDF document for further reading on cross-site-scripting attacks in Adobe's software...).

Let's say you're reading some comments on a random blog about online banking and someone leaves a comment that includes a link to a PDF document that's hosted on BankofAmerica.com. Maybe the document is about how great Bank of America's Web site security is, and how much the company has done to protect users from Javascript attacks that criminals can use to make their online scams seem more legitimate. So you click on this link, and indeed are taken to Bank of America's actual Web site and are presented with a legitimate PDF document.

But here's where it gets dangerous: Because Adobe Reader will silently relay pretty much any Javascript commands, the person who posted that comment could include Javascript commands in the link that tell your browser to launch a pop-up prompt or new Web page pulled from a separate site set up by the attacker. In such an attack, the page that pops up (in all likelihood on top of the bank's PDF file) would be designed to look exactly like Bank of America's site but would actually be hosted on a site controlled by the bad guys. This fake page could be a login prompt or a bogus warning saying you need to "update" your account information.

"The scary thing is that regardless of how secure a bank makes its site, that bank now has a cross-site-scripting vulnerability due to this feature," said Billy Hoffman, an expert on cross-site-scripting attacks and lead security researcher at Atlanta-based SPI Dynamics.

If you're curious how this type of attack looks (or if my hypothetical left you befuddled), these guys have a harmless proof-of-concept example that displays a PDF from Google's site and then launches another page on top of that. (In case you're wondering, it's merely the HTML source code for that Google landing page, but it could have just as easily been a fake Gmail login page.) Websense also has a cool screenshot that makes this a little easier to wrap your brain around.

Let's take this attack one step further: Say you're a Bank of America customer and you logged into your online bank account just prior to clicking on the malicious blog link.

[Security Fix]
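A defender-side check for the attack described above, added here as an example; it is not code from Security Fix, Adobe, or the researchers quoted. It is the kind of filter a blog or comment system could run over user-submitted links, and it assumes (as the public reports of this issue described) that the script rides in the fragment or query part of an otherwise legitimate PDF URL; the hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote


def _fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly; double-encoding is a classic way past naive filters."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


# 'javascript:' in any letter case, tolerating whitespace/control characters
# between letters that some browsers silently strip before interpreting a URL.
_JS_SCHEME = re.compile(r"j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:", re.IGNORECASE)


def is_suspicious_pdf_link(url: str) -> bool:
    """True when a link targets a PDF and carries script in its fragment or query.

    The host and path may be perfectly legitimate (the bank's real PDF); only the
    trailing part is attacker-supplied. A fragment never reaches the hosting
    server, so a filter on the bank's side cannot see it; the site that accepts
    the comment, or the user's browser, is where it can be caught.
    """
    parts = urlsplit(url.strip())
    if not parts.path.lower().endswith(".pdf"):
        return False
    tail = _fully_decode(parts.fragment) + "&" + _fully_decode(parts.query)
    return _JS_SCHEME.search(tail) is not None


def flag_links(text: str) -> list:
    """Return the URLs in free text (e.g. a blog comment) that trip the check."""
    found = re.findall(r"https?://[^\s<>\"']+", text)
    cleaned = (u.rstrip(".,;") for u in found)  # drop sentence punctuation
    return [u for u in cleaned if is_suspicious_pdf_link(u)]


# Constructed sample comment; bank.example is a placeholder, not a real site.
SAMPLE_COMMENT = (
    "Great post. Read the bank's own PDF on web security: "
    "http://bank.example/security.pdf#foo=javascript:alert(1) "
    "and its homepage http://bank.example/ for more."
)

if __name__ == "__main__":
    print(flag_links(SAMPLE_COMMENT))  # ['http://bank.example/security.pdf#foo=javascript:alert(1)']
```

The only complete fix is the one Adobe recommends below (upgrade Reader or disable the browser plug-in); a link filter like this just keeps the obvious cases out of a site's own comments.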
5:00:56 PM

News Item 7977 Microsoft's Achilles' Heel: Office.

Microsoft's Achilles' Heel: Office.

The cyber attack last month against a U.S.-based public utility came wrapped in a Microsoft PowerPoint document featuring holiday illustrations and heartwarming reflections. This PowerPoint file, which resembled an innocuous version that was being forwarded around the Web by many sentimental e-mail users, had been modified to include a Trojan horse program designed to open a secret backdoor into the utility's internal computer network.

The company called in to investigate the attack, Verisign's iDefense Labs in Sterling, Va., also found two separate Microsoft Word files on computers inside the company's network that had also been tainted with malicious software code designed to give attackers control over the machines. None of the files were detected as malicious by the anti-virus software used by the company.

Ken Dunham, director of iDefense's rapid response team, said similarities in the computer code of all three malicious programs strongly suggested the handiwork of a Chinese hacking group known to write computer viruses for hire. And in each case, the attackers designed their hidden viruses to take advantage of security holes recently discovered in the Microsoft Office programs.

The attack investigated by iDefense is just one example of one of the biggest problems facing Microsoft: The seemingly endless string of vulnerabilities discovered last year in the software giant's Office software, the productivity suite that includes the widely used Excel, Outlook, PowerPoint and Word programs. Microsoft patched a total of 41 critical vulnerabilities in its various Office products last year, accounting for more than one third of the 104 "critical" flaws the company patched in all of 2006. Microsoft assigns a patch its most dire "critical" rating if the update fixes a vulnerability that bad guys could exploit with little to no action on the part of the user, aside from maybe visiting a malicious Web site or viewing a specially crafted e-mail.

To put last year's 41 critical Office patches into perspective, consider that Microsoft shipped a total of 37 critical updates for all of its software products in 2005. None of the patch or vulnerability numbers cited in this story takes into account three still-unpatched vulnerabilities present in Microsoft Word, two of which Microsoft has acknowledged that criminals are actively exploiting.

In at least four cases in 2006, Microsoft rushed to issue patches to fix Office flaws that it first learned about after bad guys already were exploiting them for financial or personal gain.

For its part, nearly each time last year that Microsoft acknowledged attacks on unpatched flaws in its software, the company assured customers that the attacks were "very limited" and "very targeted" in scope. Indeed, at least when it comes to attacks this past year that leveraged unpatched Microsoft Office flaws, the anecdotes from victims have been few and far between, suggesting that the company's assurances are correct. It may also be the case that the victims of such attacks are government agencies or businesses that simply do not want to risk the potential for negative publicity should news of a network security breach attack reach the press.

[Security Fix]
4:57:50 PM

News Item 7976 DOJ pushes FBI to broaden data sharing with outside agencies.

DOJ pushes FBI to broaden data sharing with outside agencies. The Department of Justice is pushing its operating units to speed up and expand their information-sharing efforts, and it has directed its CIO to work with them to devise plans for doing so. [Computerworld Data Mining News]
4:55:34 PM

News Item 7975 Elliptic Curve Cryptography.

Elliptic Curve Cryptography. This paper, written by Anoop MS, gives an introduction to elliptic curve cryptography (ECC) and how it is used to implement the digital signature (ECDSA) and key agreement (ECDH) algorithms. He also discusses the implementation of ECC over two finite fields, the prime field and the binary field. The paper also gives an overview of ECC implementation in projective coordinate systems and the basics of prime and binary field arithmetic. By Anoop MS. [Infosec Writers Latest Security Papers]
4:53:34 PM

News Item 7974 16-year-old Norwegian filesharer charged.

16-year-old Norwegian filesharer charged.

Parents may have to pay too

A 16-year-old from Stavanger in Norway who shared thousands of movies and songs through the P2P program Direct Connect, has been charged with illegal file-sharing, Norwegian Aftenposten reports.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
4:52:15 PM

News Item 7973 New fraud concerns over Dutch ballot computers.

New fraud concerns over Dutch ballot computers.

Good enough for local elections

A Dutch plan to use e-voting computers by manufacturer Sdu for the coming provincial elections in March has met with fierce criticism.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
4:50:32 PM

News Item 7972 Ready to produce IMs in court?

Ready to produce IMs in court?  The legal discovery process is never easy for companies, and new regulations greatly expand the types of information that must be stored. Experts suggest it's time to examine your data retention strategies for PDAs, instant messaging, flash drives, voicemail and more. [Computerworld Data Mining News]
4:48:16 PM

News Item 7971 Adobe To Issue Patches for Reader Vulnerability.

Adobe To Issue Patches for Reader Vulnerability. Adobe encourages upgrading to Reader 8 and recommends disabling Acrobat and Reader plug-ins on Web browsers until patches are issued. [PC World: Latest Technology News]
4:46:08 PM