Tuesday, January 16, 2007


News Item 8092 Cocaine found on 99.9% of UK banknotes.

Cocaine found on 99.9% of UK banknotes.

Spanish euros also tainted with nose ajax

Pretty well every banknote in the UK shows traces of cocaine, forensic scientists have claimed. According to a report in the Sunday Telegraph, 99.9 per cent of the two billion notes currently in circulation have come into contact with Bolivian marching powder.

[The Register - Music and Media]

Editor: OK, everyone who doesn't use just credit and debit cards, it's time to turn yourself in to the "DEA"

11:41:46 PM

News Item 8091 UK to review school fingerprinting.

UK to review school fingerprinting.

Leave them kids alone, as they say

The Department for Education and Skills is to reconsider the fingerprinting of school children after a four year campaign by parents.

[The Register - Music and Media]
11:35:48 PM

News Item 8090 Forget Neutrality -- Keep Packets Private.

Forget Neutrality -- Keep Packets Private.

Daniel Berninger argues that more than just neutrality is at stake with the "net neutrality" debate - its also a matter of privacy:

Never mind net neutrality, I want my privacy. As in packet privacy. The telcos say they need to sell non-neutral routing of traffic to recover the cost of building broadband networks. Moving from the Internet, where a packet-is-a-packet, to something that looks suspiciously like the 20th century telephone network requires remarrying the content and connectivity that TCP/IP divorced. It requires deep packet inspection. It requires looking at the content of communication.

AT&T does not plan to roll out two physical pipes to every end point in order to sell Google enhanced access. The new telco plan calls for content-based routing to separate traffic into media and destination specific VPNs (Virtual Private Networks). Laws exist to address the substantial privacy threats created by the fact telephone companies know Mr. Smith called Mr. Jones, but the privacy risks associated with "content routing" replacing "end point routing" enter a different realm.

Coping with billing disputes still means retaining data. Under what circumstances might a third party get access to the data derived from content routing? Content routing in one context enables content filtering in another. Lessons Cisco accumulates in providing content filtering equipment for the Great Firewall of China apply directly to content routing ambitions of telcos in the U.S.

The telcos do not claim a right to listen in on calls to enforce the business versus consumer pricing policies. What makes it appropriate to use packet inspection to accomplish the same thing? The pitch for content routing gets presented in terms of quality of service guarantees that benefit users, but there are other customers for content routing. Law enforcement and criminal enterprises will have plenty of uses for data obtained through deep packet inspection. One can imagine champagne will flow at the NSA should the telcos get their wish.

[michaelzimmer.org]
11:30:27 PM

News Item 8089 A Warning to Windows Users on Acer Laptops. (Update, Jan. 16, 12:57 p.m)

A Warning to Windows Users on Acer Laptops.

Update, Jan. 16, 12:57 p.m: Acer has released an update that automates the deactivation of the culprit file, as described above. The patch is downloadable from this link here. Also, U.S. CERT has issued an advisory about this threat.

Anyone using a laptop made by computer maker Acer Inc. should be aware of a serious security threat apparently resident on many -- if not all -- models shipped with Microsoft's Windows OS over the past decade or so.

[Security Fix]
11:27:20 PM

News Item 8088 Note to MySpace Users: Get Better Passwords.

Note to MySpace Users: Get Better Passwords.

An active scam Web site designed to look like the login page for social-networking site MySpace.com appears to have stolen user names and passwords from nearly 60,000 people, according to data in a file that was linked to today from a popular security mailing list.

The phishing site, which is most likely being advertised via blasts of junk e-mail, looks identical to the real MySpace.com login page. A separate text file located on the scam site's Web server includes page after page of user names (in this case, e-mail addresses) and passwords, offering a rare insight into just how successful phishing scams can be for fraudsters.

Granted, some of the "phished" user names and passwords show that a few would-be victims were wise to the scam, including "yourmom@hottmom.com:yoyoyomomma" and "getalife@hotmail.com:golayintraffic," and "Screwyouphishers:hahascrewyou," to name some of the more "polite" entries. Still, the entries that are junk or obviously fake are far outnumbered by the login credentials that appear to have come from actual victims.

Finding these kinds of data caches can be quite useful for security research. It's very easy to conduct some analysis of password strength and complexity using some simple Unix command-line tools. For instance, while there are 57,406 sets of account credentials in the entire list at the time of this writing, only 37,621 of them contained unique passwords.

The obvious explanation for that incongruity is the correct one in this case: Many people use the same passwords. The top 20 passwords used by phishing victims in this list are:

password1 (106)
abc123 (73)
swimmer1 (43)
iloveyou1 (41)
monkey1 (40)
****you (37)
123456 (33)
myspace1 (32)
****you1 (32)
i (32)
password (27)
babygirl1 (25)
iloveyou2 (24)
football1 (24)
danny12031986 (23)
blink182 (23)
princess1 (22)
freesh**4me (22)
16188s (22)
123abc (22)

(The number in parentheses represents the number of victims who used the listed password.)

It should go without saying that if you recognize your password in any of those listed above, you need to come up with a better one. Anyway, for all the apparent simpleness of the average MySpace phishing victim's passwords, they are -- at least for the most part -- fairly long passwords. Nearly 13,000 of them contained at least eight characters, and 12,762 passwords were nine characters in length. Eighty-three percent -- or 47,854 victims -- included at least one number in their password.

These results closely mirror those done in a similar analysis last year by encryption and security expert Bruce Schneier. He based his analysis on a subset of approximately 34,000 MySpace user passwords stolen by the Apple QuickTime/MySpace worm in December (MySpace officials estimate that about 100,000 users may have been affected by that attack in all).

So why would someone bother to steal MySpace user names and passwords? For one, the attackers could simply use the hijacked accounts to blast out spam, as they did with the accounts stolen with the help of last month's MySpace worm.

Also, far too many people use the same password at multiple sites. Chances are very good that for every five individuals who have entered a Hotmail.com address as their Myspace user name in this list, there is one individual who uses the same password for both accounts. That's dangerous because people register all kinds of other services to free e-mail accounts (think Amazon.com, eBay, PayPal, Skype, etc.). Once crooks have access to those e-mail accounts, they can often easily reset the passwords of any e-commerce service that a victim has registered to that address.

It's very likely that most of the victims in the MySpace data analyzed above weren't using free anti-phishing tools, or they fell for this scam before those tools had a chance to blacklist this site as scammy. When I checked today, Microsoft's Internet Explorer 7 and Mozilla's Firefox browsers flagged the bogus Myspace login page as a phishing site, as did Netcraft's anti-phishing toolbar.

[Security Fix]
11:25:08 PM
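The Security Fix post above describes tallying a leaked credential list with simple Unix command-line tools (total entries, unique passwords, top passwords, length, presence of a digit). The script below is an added example, not code from Security Fix or from the article's author: it performs the same measurements in Python over a small constructed "email:password" sample (every address and password is made up for the example; none is from the phishing dump), and goes one step beyond the article by listing which accounts share a password, the accounts a breach-notification effort would contact first.

```python
from collections import Counter

# Constructed sample in the "email:password" layout the article describes.
# Every address and password here is invented for this example; none of it
# comes from the phishing dump. The last line is deliberate junk, as real
# dumps contain lines that are not credentials at all.
SAMPLE_DUMP = """\
alice@example.com:password1
bob@example.com:abc123
carol@example.com:password1
dave@example.org:Tr0ub4dor&3
erin@example.com:monkey1
frank@example.net:password1
grace@example.com:abc123
heidi@example.org:iloveyou
ivan@example.com:123456
judy@example.net:swimmer1
mallory@example.com:h4ha-no-thanks
notacredential
"""


def parse_credentials(text):
    """Turn dump lines into (username, password) pairs.

    Split on the first ':' only, because a password may itself contain a
    colon; lines with no separator are dropped as junk.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        user, password = line.split(":", 1)
        pairs.append((user, password))
    return pairs


def password_stats(pairs, top_n=20, min_len=8):
    """Compute the figures the article reports: total vs. unique passwords,
    the most common ones, how many meet a length floor, how many contain a
    digit, and the distribution of password lengths."""
    passwords = [pw for _, pw in pairs]
    counts = Counter(passwords)
    return {
        "total": len(passwords),
        "unique": len(counts),
        "top": counts.most_common(top_n),
        "at_least_min_len": sum(1 for p in passwords if len(p) >= min_len),
        "with_digit": sum(1 for p in passwords if any(c.isdigit() for c in p)),
        "length_histogram": dict(Counter(len(p) for p in passwords)),
    }


def accounts_sharing_passwords(pairs, threshold=2):
    """Map each password chosen by at least `threshold` accounts to the
    usernames that chose it. These accounts are the most exposed to the
    cross-site reuse problem the article describes and are the first ones
    to warn in a notification campaign."""
    by_password = {}
    for user, password in pairs:
        by_password.setdefault(password, []).append(user)
    return {pw: users for pw, users in by_password.items() if len(users) >= threshold}


if __name__ == "__main__":
    creds = parse_credentials(SAMPLE_DUMP)
    stats = password_stats(creds, top_n=5)
    print(f"{stats['total']} credentials, {stats['unique']} unique passwords")
    for pw, n in stats["top"]:
        print(f"  {pw} ({n})")
    print(f"{stats['at_least_min_len']} of {stats['total']} have 8+ characters; "
          f"{stats['with_digit']} contain a digit")
    for pw, users in accounts_sharing_passwords(creds).items():
        print(f"  shared password {pw!r}: {', '.join(users)}")
```

Run it as a script to see the same kind of summary the article gives; for a real list, replace `SAMPLE_DUMP` with the file contents. The equivalent one-liner for the top-20 table with the tools the article mentions is `cut -d: -f2- list.txt | sort | uniq -c | sort -rn | head -20`, which is why `parse_credentials` splits on the first colon only, matching `-f2-`.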

News Item 8087 A DMCA Takedown Tale With a Twist.

A DMCA Takedown Tale With a Twist.

Time and again, we've seen the DMCA takedown process abused to censor legitimate speech. It's not everyday that one of these stories ends with a quote like this:

"I would like to make it clear that I regret filing DMCA claims in this case, because the real issue at hand wasn't at all about copyright."

Those are the words of Guntram Graef, the husband of Second Life businesswoman Anshe Chung. Several weeks ago, Graef sent a DMCA takedown notice to YouTube, which was hosting a video of other Second Life users harassing Chung in the virtual world. The video, no matter how offensive to Graef or Chung, clearly didn't violate any of their copyrights, yet YouTube promptly removed it from the system.

The DMCA takedown process invites this kind of abuse. You don't need a proven copyright infringement claim to fire off a cease-and-desist letter and have online speech immediately taken down. Most online speakers don't have the resources to defend themselves, especially when facing enormous monetary damages if sued when they counter-notice under the DMCA.

Fortunately, Graef realized his error and apologized, as detailed in an interview with CNET. Hopefully others will learn from his story and think twice before pulling the DMCA trigger without first getting solid legal advice on its appropriateness. Ultimately, stories like these demonstrate the need for better checks and balances in the DMCA takedown process. Without them, we can only expect the situation for online speech to get worse.

[EFF: Deep Links]
11:18:05 PM

News Item 8086 AACS: Title Keys Start Leaking.

AACS: Title Keys Start Leaking.

(This is the fifth post in our series on AACS, the encryption scheme used for HD-DVD and Blu-Ray discs. Previous posts: 1, 2, 3, 4.)

Last week we predicted that people would start extracting the title key (the cryptographic key needed to decrypt the contents of a particular next-gen DVD disc) from HD-DVD discs. Indeed, it turns out that WinDVD, a popular software player that runs on PCs, leaves the title key laying around in memory when it finishes playing a disc. This may seem like an elementary mistake, but it is more common and harder to avoid than you might think. Fairly easy methods for capturing these keys are already well known.

There are even websites, such as aacskeys.com and hdkeys.com, that claim to contain title keys for about fifty HD-DVD discs. (That's about one-third of the discs available on Amazon.) At least some of these title keys are correct. Within days, expect to see a software program that downloads keys from such a site and uses the keys to play or copy discs.

So far the attackers have published most of what they know. We know which title keys they (claim to) have found, and we know they extracted those keys from WinDVD and possibly PowerDVD. As Alex explained on Thursday and Friday, a clever attacker will withhold some information strategically so as not to provoke a response from the AACS central authority.

The authority might respond by blacklisting the device keys assigned to WinDVD. To avoid angering honest WinDVD users, they might first push out a software update to WinDVD containing new keys along with new programming to better protect the keys.

But as Alex suggested last week the authority might not want to blacklist WinDVD, even if it can. As long as the attackers limit what they publish, the authority might be better off accepting the damage they see now rather than provoking more damage by cutting off the usefulness of WinDVD to the attackers. The result is a kind of uneasy equilibrium between the attackers and the central authority.

Even if the attackers want to cause maximum financial harm to Hollywood (which probably isn't their goal), their most effective strategy is to limit how many title keys they publish. One way to do this is to give Hollywood a "release window" -- a kind of grace period after each disc is released, in which the title key doesn't get published. A site could let people upload the headers of a disc; the site would then wait N days before decrypting and releasing the title key.

Interestingly, this release window strategy resembles the studios' current approach to extracting revenue from films, in which a film is available first in the highest-revenue format -- in theaters -- then later in a succession of lower-revenue formats -- DVD and television. The idea is to extract more revenue from the most enthusiastic fans in early stages and pick up whatever revenue is available from everyone else later.

What's the optimal length of the release window (for the attackers); and what is the financial effect on the studios? We can answer these questions with a simple economic model; but that's a topic for another day.

[Freedom to Tinker]
11:15:48 PM

News Item 8085 Fighting Porn Vs. Ruining Innocent Lives.

Fighting Porn Vs. Ruining Innocent Lives.  After news of the conviction of a substitute teacher for endangering minors -- because porn popups, possibly initiated by adware, had appeared on her computer during class -- comes the even sadder story of 16-year-old Matt Bandy. His family's life was turned upside-down when he was charged in Arizona with possession of child pornography, even though the family computer was riddled with spyware and Trojans. After the intervention of ABC's 20/20, Matt finally was allowed to plead to a lesser charge (namely, sharing a Playboy magazine with friends) and just barely escaped being labeled a sex offender for the rest of his life. [Slashdot: Your Rights Online]
4:11:17 PM

News Item 8084 Privately, Hollywood admits DRM isn't about piracy

For almost ten years now I have argued that digital rights management has little to do with piracy, but that it is instead a carefully plotted ruse to undercut fair use and then create new revenue streams where there were previously none. I will briefly repeat my argument here before relating a prime example of it in the wild.
4:06:45 PM

News Item 8083 DRM -- It's Not Really About Piracy.

DRM -- It's Not Really About Piracy. shadowmage13 writes "Hollywood privately admits that DRM is not really about piracy. From the article: 'In a nutshell: DRM's sole purpose is to maximize revenues by minimizing your rights so that they can sell them back to you... Like all lies, there comes a point when the gig is up; the ruse is busted. For the movie studios, it's the moment they have to admit that it's not the piracy that worries them, but business models which don't squeeze every last cent out of customers.' You can take action on Digital Restrictions Management at DefectiveByDesign of the Free Software Foundation, Digital Freedom, and the Electronic Frontier Foundation." [Slashdot: Your Rights Online]
4:02:00 PM

News Item 8082 ABC News: Pentagon Viewing Americans' Bank Records

WASHINGTON Jan 14, 2007 (AP) -- The Pentagon and to a lesser extent the CIA have been using a little-known power to look at the banking and credit records of hundreds of Americans and others suspected of terrorism or espionage within the United States, officials said Saturday.

Pentagon spokesman Bryan Whitman said Saturday the Defense Department "makes requests for information under authorities of the National Security Letter statutes ... but does not use the specific term National Security Letter in its investigatory practice."

Whitman did not indicate the number of requests that have been made in recent years, but said authorities operate under the Right to Financial Privacy Act, the Fair Credit Reporting Act and the National Security Act.


3:58:54 PM

News Item 8081 Feds Check Credit Reports Without a Subpoena.

Feds Check Credit Reports Without a Subpoena. An anonymous reader points out that, by using National Security Letters, the FBI and other agencies can legally pull your credit report. The letters have been used by the FBI (mostly) but in some cases by the CIA and Defense Department. From the article: "'These statutory tools may provide key leads for counterintelligence and counterterrorism investigations,' Whitman said. 'Because these are requests for information rather than court orders, a DOD request under the NSL statutes cannot be compelled absent court involvement.'" Recipients of the letters, banks and credit bureaus, usually hand over the requested information voluntarily. A posting at tothecenter.com quotes the Vice President on the use of the letters: "It's perfectly legitimate activity. There's nothing wrong or illegal with it. It doesn't violate people's civil rights... The Defense Department gets involved because we've got hundreds of bases inside the United States that are potential terrorist targets." [Slashdot: Your Rights Online]
3:56:23 PM

News Item 8080 The Return of the Fairness Doctrine?

The Return of the Fairness Doctrine?  Slithe writes "Last week at the National Conference for Media Reform, Ohio congressman Dennis Kucinich (a long-shot candidate for the Democratic presidential nomination) stated that the Fairness Doctrine may be reinstated. Kucinich will be heading up a new House subcommittee that will focus on issues around the FCC. The Fairness Doctrine was an FCC regulation that required broadcast media to present controversial issues in an honest, equal, and balanced manner. The FCC repealed it in 1987 -- Democrats at the time tried to forestall this move but were ultimately thwarted by a veto by President Ronald Reagan. Critics of the Fairness Doctrine have stated that it was only used to intimidate and silence political opposition. At the convention, Kucinich said, 'We know the media has become the servant of a very narrow corporate agenda. We are now in a position to move a progressive agenda to where it is visible.'" In the interest of fairness, here is a Republican, free-market perspective on the return of the Fairness Doctrine. [Slashdot: Your Rights Online]
3:52:51 PM