Saturday, January 27, 2007


News Item 8233 Minor Google Security Lapse Obscures Ongoing Online Data Risk - News by InformationWeek

Finjan confirmed earlier reports that Google's anti-phishing blacklist, containing private user names and passwords, was accessible without protection on Google's servers.
6:51:57 PM

News Item 8232 Google Antiphishing Site Exposed Private User Data.

Google Antiphishing Site Exposed Private User Data. Juha-Matti Laurio writes  "Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web. This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar. This feature, developed in cooperation with Google, enables users to report potential phishing sites to Google's blacklist database. Google has reportedly implemented a new mechanism detecting login data in submitted URLs to prevent sensitive information from getting posted to the list."  The article notes that news of this minor lapse may obscure the ongoing problem of sensitive data exposed on the Web and findable via Google and other search services. [Slashdot: Your Rights Online]
6:49:15 PM
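The two Google items above describe the fix as "a new mechanism detecting login data in submitted URLs" before a reported URL reaches the public blacklist. Below is an added example of such a report scrubber, not Google's or Mozilla's code: it flags and redacts both the RFC 3986 userinfo part (`user:pass@host`) and query parameters whose names suggest credentials. The list of credential-looking parameter names is an assumption of this example.

```python
"""Scrub login data from URLs before they are written to a shared blacklist.

Added example (not Google's or Mozilla's code). It models the mitigation the
news items describe: an anti-phishing report pipeline that detects and
redacts credentials embedded in a submitted URL, so a user who reports
"https://alice:s3cret@bank.example.net/login" does not publish a password.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed names of query keys that carry login data; tune per deployment.
CREDENTIAL_KEYS = {
    "password", "passwd", "pwd", "pass", "login", "user",
    "username", "token", "session",
}
REDACTED = "REDACTED"


def contains_login_data(url: str) -> bool:
    """True if the URL carries userinfo or a credential-looking query key."""
    parts = urlsplit(url)
    if parts.username or parts.password:
        return True
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return any(k.lower() in CREDENTIAL_KEYS for k, _ in pairs)


def redact_url(url: str) -> str:
    """Return the URL with userinfo dropped and credential values masked.

    The host, path and fragment are kept so the entry is still useful for
    matching the phishing page; only the secret-bearing parts change.
    """
    parts = urlsplit(url)

    # Rebuild the authority without the userinfo component.
    netloc = parts.hostname or ""
    if ":" in netloc:  # IPv6 literal; .hostname strips the brackets
        netloc = f"[{netloc}]"
    try:
        port = parts.port
    except ValueError:  # malformed port: drop it rather than crash
        port = None
    if port is not None:
        netloc += f":{port}"

    # Mask values of credential-looking query keys, keep the others.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if k.lower() in CREDENTIAL_KEYS else v)
               for k, v in pairs]
    query = urlencode(cleaned, safe="/:")

    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))


def sanitize_submissions(urls):
    """Prepare user reports for publication: (redacted_url, was_flagged)."""
    return [(redact_url(u), contains_login_data(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample reports, as a Firefox toolbar might submit them.
    reports = [
        "https://alice:s3cret@bank.example.net/login",
        "http://phish.example.org/verify.php?user=bob&password=hunter2&next=/home",
        "https://www.example.com/index.html?page=2",
    ]
    for clean, flagged in sanitize_submissions(reports):
        print(("FLAGGED " if flagged else "ok      ") + clean)
```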

News Item 8231 Gonzales Questions Habeas Corpus | BaltimoreChronicle.com

In one of the most chilling public statements ever made by a U.S. Attorney General, Alberto Gonzales questioned whether the U.S. Constitution grants habeas corpus rights of a fair trial to every American.

Responding to questions from Sen. Arlen Specter at a Senate Judiciary Committee hearing on Jan. 18, Gonzales argued that the Constitution doesn't explicitly bestow habeas corpus rights; it merely says when the so-called Great Writ can be suspended.

"There is no expressed grant of habeas in the Constitution; there's a prohibition against taking it away," Gonzales said.

Gonzales's remark left Specter, the committee's ranking Republican, stammering.

"Wait a minute," Specter interjected. "The Constitution says you can't take it away except in case of rebellion or invasion. Doesn't that mean you have the right of habeas corpus unless there's a rebellion or invasion?"

Gonzales continued, "The Constitution doesn't say every individual in the United States or citizen is hereby granted or assured the right of habeas corpus. It doesn't say that. It simply says the right shall not be suspended" except in cases of rebellion or invasion.

"You may be treading on your interdiction of violating common sense," Specter said.

While Gonzales's statement has a measure of quibbling precision to it, his logic is troubling because it would suggest that many other fundamental rights that Americans hold dear also don't exist because the Constitution often spells out those rights in the negative.

For instance, the First Amendment declares that "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press, or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances."

Applying Gonzales's reasoning, one could argue that the First Amendment doesn't explicitly say Americans have the right to worship as they choose, speak as they wish or assemble peacefully. The amendment simply bars the government, i.e. Congress, from passing laws that would impinge on these rights.

Similarly, Article I, Section 9, of the Constitution states that "the privilege of the Writ of Habeas Corpus shall not be suspended, unless when in Cases of Rebellion or Invasion the public Safety may require it."

The clear meaning of the clause, as interpreted for more than two centuries, is that the Founders recognized the long-established English law principle of habeas corpus, which guarantees people the right of due process, such as formal charges and a fair trial.

That Attorney General Gonzales would express such an extraordinary opinion, doubting the constitutional protection of habeas corpus, suggests either a sophomoric mind or an unwillingness to respect this well-established right, one that the Founders considered so important that they embedded it in the original text of the Constitution.
5:52:09 PM

News Item 8230 Earth to Alberto: Habeas Corpus-update-video added ( Crooks and Liars )

mcjoan says it so well:

A reader transcribed this exchange concerning habeas corpus from today's Senate Judiciary Committee hearings (no official transcript yet):

Specter: Now wait a minute, wait a minute. The Constitution says you can't take it away except in the case of invasion or rebellion. Doesn't that mean you have the right of habeas corpus?

Gonzales: I meant by that comment that the Constitution doesn't say that every individual in the United States or every citizen has or is assured the right of habeas corpus. It doesn't say that. It simply says that the right of habeas corpus shall not be suspended.

Article I, Section 9:

The Privilege of the Writ of Habeas Corpus shall not be suspended, unless when in Cases of Rebellion or Invasion the public Safety may require it.

Alberto Gonzales should not only be impeached for his willfully obtuse interpretations of the Constitution, he should be disbarred.


5:44:05 PM

News Item 8229 US Attorney General Questions Habeas Corpus.

US Attorney General Questions Habeas Corpus. spiedrazer writes  "In yet another attempt to create legitimacy for the Bush Administration's many questionable legal practices, US Attorney General Alberto Gonzales actually had the audacity to argue before a Congressional committee that the US Constitution doesn't explicitly bestow habeas corpus rights on US citizens. In his view it merely says when the so-called Great Writ can be suspended, but that doesn't necessarily mean that the rights are granted. The Attorney General was being questioned by Sen. Arlen Specter at a Senate Judiciary Committee hearing on Jan. 18. The MSM are not covering this story but Colbert is (click on the fourth video down, 'Exact Words')." --- From the Baltimore Chronicle and Sentinel commentary:  "While Gonzales's statement has a measure of quibbling precision to it, his logic is troubling because it would suggest that many other fundamental rights that Americans hold dear (such as free speech, freedom of religion, and the right to assemble peacefully) also don't exist because the Constitution often spells out those rights in the negative. It boggles the mind the lengths this administration will go to to systematically erode the rights and privileges we have all counted on and held up as the granite pillars of our society since our nation was founded." [Slashdot: Your Rights Online]
5:32:22 PM

News Item 8228 Are DMCA Abuses a Temporary or Permanent Problem?

Are DMCA Abuses a Temporary or Permanent Problem?  Regular Slashdot contributor Bennett Haselton wrote in with a story about the DMCA. He starts  "On January 16, a man named Guntram Graef who invoked the Digital Millennium Copyright Act to ask YouTube to remove a video of giant penises attacking his wife's avatar/character in the virtual community "Second Life", retracted the claim and stated that he now believes the video was not a copyright violation. (He had sent similar notices to BoingBoing and the Sydney Morning Herald just for posting screen shots of the video.) His statements in a C-Net interview suggest that he didn't mean to alienate the anti-censorship community and was probably angry over what he saw as a sexually explicit attack on his wife. But the event sparked renewed debate over the DMCA and what constitutes abuse of it. I sympathize with Graef and I admire him for admitting an error, but I still think the incident shows why the DMCA is a bad law."  [Slashdot: Your Rights Online]
5:26:54 PM

News Item 8227 Myspace and GoDaddy Shut Down Security Site.

Myspace and GoDaddy Shut Down Security Site. Several readers wrote in with a CNET report that raises novel free-speech questions. MySpace asked GoDaddy to pull the plug on Seclists.org, a site run by Fyodor Vaskovich, the father of nmap. The site hosts a quarter million pages of mailing-list archives and the like. MySpace did not obtain a court order or, apparently, compose a DMCA takedown notice: it simply asked GoDaddy to remove a site that happened to archive a list of thousands of MySpace usernames and passwords, and GoDaddy complied. Fyodor says the takedown happened without prior notice. The site was unavailable for about seven hours until he found out what was happening and removed the offending posting. The CNET article concludes: "When asked if GoDaddy would remove the registration for a news site like CNET News.com, if a reader posted illegal information in a discussion forum and editors could not be immediately reached over a holiday, Jones replied: 'I don't know... It's a case-by-case basis.'" [Slashdot: Your Rights Online]
5:21:20 PM

News Item 8226 IBM to open source information security software - Network World

The XML-based software technology, called Identity Mixer, employs a novel method of using X.509-based digital certificates to mask selected sensitive information transmitted in a document but still lets that shielded content be seen by authorized viewers. The goal is to make Identity Mixer available as open source software through the Eclipse Open Source Foundation to encourage widespread deployment, said Anthony Nadalin, IBM distinguished engineer and chief security architect at Tivoli.

"The Identity Mixer code is in the intellectual-property review phase and within a few weeks it should be available through Eclipse," said Nadalin.

The Identity Mixer software was developed to further "user-centric identity management" -- a way that computer users can manage and control personal information -- under the aegis of Project Higgins, which was initiated a year ago by IBM, Harvard and Novell.

For the end user, Identity Mixer would work as a Web browser plug-in, "to control the amount of data flowing to your related party," said Nadalin. The technical process works through public-key cryptographic mechanisms. The Identity Mixer browser plug-in generates tokens called iCards that represent the data that can be read by a user with the appropriate cryptographic software on the receiving end.

When the Identity Mixer software is made available through the Eclipse Open Source Foundation, it is expected to include a full X.509-based tool kit, including certificate issuance server, validation server and more, that would allow for experimentation with the data-masking technology.
5:18:19 PM

News Item 8225 IBM to Open Source Novel Identity Protection Software.

IBM to Open Source Novel Identity Protection Software. coondoggie handed us a link to a Network World article reporting that IBM plans to open source the project 'Identity Mixer'. Developed by a Zurich-based research lab for the company, Identity Mixer is a novel approach to protecting user identities online. The project, which is a piece of XML-based software, uses a type of digital certificate to control who has access to identity information in a web browser. IBM is enthusiastic about widespread adoption of this technology, and so plans to open source the project through the Eclipse Open Source Foundation. The company hopes this tactic will see the software's use in commercial, medical, and governmental settings. [Slashdot: Your Rights Online]
5:16:22 PM

News Item 8224 Anger over EC medical data-sharing scheme - ZDNet UK

The European Commission is about to call for proposals on how patients' medical details would be shared between its member states, with the UK almost certain to be included in the scheme.

Within the next few days, an initiative called the Competitiveness and Innovation Framework Programme (CIP) will be adopted as part of Framework 7, a massive drive by the EU to fund research and development, with e-health being a major beneficiary.

One requirement of the CIP will be to establish interoperability between member states' healthcare IT systems, such as the NHS' so-called "Spine", which is the new UK database of patient care records.

This aim was outlined in a document published in September last year, entitled Connected Health: Quality and Safety for European Citizens. In this document, the Commission's ICT for Health unit called for interoperability between nations' healthcare systems, arguing that "health, social care and other providers must no longer work in isolation, but need to collaborate as a team, if necessary beyond their national and linguistic borders".

On Wednesday, Paul Timmers, the head of the Commission's eGovernment unit, told a London telehealth symposium that work was already underway on "interoperable platforms that can work... across borders".

Dr Gerard Comyn, head of the ICT for Health unit, confirmed on Thursday that the idea will shortly enter the "proposals stage", part of the competitive bidding process. This will be followed by a large-scale pilot involving six member states. According to those close to the plans, the UK is certain to be one. The pilot stage will take about three years to become operational and "real scale operations" should be in place by 2012.


3:40:51 PM

News Item 8223 Anger Over EU Medical Data-Sharing.

Anger Over EU Medical Data-Sharing. ukhackster writes "A row is brewing in Europe over plans to make medical records available across the EU. The scheme calls for interoperability between health systems in 22 different countries. Experts are predicting that security problems could expose confidential patient records, with one calling the affair 'a colossal waste of money and energy.' This 'e-Health' initiative reflects similar projects in the United States, and raises many of the same issues discussed here. The article makes it clear that many important issues, such as security, privacy, and the rights of patients, are still up in the air as the project moves forward. Could this be another huge IT project disaster on the horizon?" [Slashdot: Your Rights Online]
3:36:14 PM

News Item 8222 Microsoft Copies Idea, Admits It, Then Patents It.

Microsoft Copies Idea, Admits It, Then Patents It. An anonymous reader writes  "BlueJ is a popular academic IDE which lets students have a visual programming interface. Microsoft copied the design in their 'Object Test Bench' feature in Visual Studio 2005 and even admitted it. Now, a patent application has come to light which patents the very same feature, blatantly ignoring prior art."  [Slashdot: Your Rights Online]
3:32:07 PM

News Item 8221 Sen. Rockefeller Promises Scrutiny of NSA Spying Program.

Sen. Rockefeller Promises Scrutiny of NSA Spying Program.

Over five years since it first began, the NSA's massive domestic spying program remains shrouded in secrecy. Despite the President's determination to dodge meaningful oversight, key members of the newly elected Congress may soon take steps to rein in this illegal activity.

In an interview with the LA Times, Senator John Rockefeller, the new Chairman of the Senate Intelligence Committee, "rejected the Bush administration's claim that it had brought a controversial domestic spying program into compliance with the law, saying he wanted strict new rules requiring the government to obtain a separate warrant every time it places a wiretap on a U.S. resident."

The article also notes that "The committee recently designated eight members of its staff to examine the NSA program and to begin drafting new requests for documents that the Bush administration had refused to turn over to the panel -- including the initial presidential order authorizing the domestic surveillance program."

Take action now to support immediate and thorough investigations into the NSA spying program.

[EFF: Deep Links]
3:27:41 PM

News Item 8220 Worst Practices for Online Service Providers.

Worst Practices for Online Service Providers.

In an instant, Seclists.org, including thousands of pages, vanished from the Internet this week. And if your online service providers have as weak a backbone as GoDaddy, the same thing could happen to your site.

Here's the story (as recounted by News.com): A list of MySpace user names and passwords began floating around online weeks ago, including in a Seclists.org post and many other places online. Rather than ask the Seclists.org's owner, Fyodor Vaskovich, to remove a single offending page, MySpace wrote to his domain name registrar GoDaddy, which shut down all 250,000 Seclists.org pages.

Did GoDaddy demand to receive a court order first? Was it at any legal risk? No. Apparently all it took was a single informal request from MySpace, and Seclists.org was gone, a mere 52 seconds after GoDaddy notified Vaskovich.

"I think the fact that we gave him notice at all was pretty generous," said GoDaddy's general counsel Christine Jones, in what has to be in the running for most ironic comment of the week.

All too often, that's what passes for customer service when your free speech is at stake. Internet intermediaries owe their customers more than that. GoDaddy should have given Vaskovich meaningful notice, time, and information to respond, and it should have been willing to stand up for his rights.

Read the News.com article for more, and check out EFF's Best Practices for Online Service Providers for more on how companies like GoDaddy ought to behave.

[EFF: Deep Links]
3:25:22 PM

News Item 8219 Maine rejects Real ID Act | CNET News.com

Maine overwhelmingly rejected federal requirements for national identification cards on Thursday, marking the first formal state opposition to controversial legislation scheduled to go in effect for Americans next year.

Both chambers of the Maine legislature approved a resolution saying the state flatly "refuses" to force its citizens to use driver's licenses that comply with digital ID standards, which were established under the 2005 Real ID Act. It asks the U.S. Congress to repeal the law.

The vote represents a political setback for the U.S. Department of Homeland Security and Republicans in Washington, D.C., which have argued that nationalized ID cards for all Americans would help in the fight against terrorists.

"I have faith that the Democrats in Congress will hear this from many states and will find a way to repeal or amend this in the coming months," House Majority Leader Hannah Pingree, a Democrat, said in a telephone interview after the vote. "It's not only a huge federal mandate, but it's a huge mandate from the federal government asking us to do something we don't have any interest in doing."

The Real ID Act says that, starting around May 2008, Americans will need a federally approved ID card--a U.S. passport will also qualify--to travel on an airplane, open a bank account, collect Social Security payments or take advantage of nearly any government service. States will have to conduct checks of their citizens' identification papers, and driver's licenses likely will be reissued to comply with Homeland Security requirements.


3:20:03 PM

News Item 8218 First Official State Act Resisting Real ID Act Passes in Maine. Concerns

First Official State Act Resisting Real ID Act Passes in Maine. Concerns regarding the Real ID Act have manifested themselves in Maine becoming the first state to express formal opposition to the federal legislation. The Real ID Act prohibits all federal agencies, starting May 2008, from accepting for any official purpose state-issued identifications unless they meet new federal standards, and effectively calls for creation of electronically readable, federally approved IDs for all individuals for purposes of air travel, banking, Social Security, and most government services. While state-issued driver licenses can be tailored to satisfy the statute, as a practical matter they would have to be re-issued in almost all cases in order to meet federal standards, which the Real ID Act gives the Department of Homeland Security the power to establish.

The criteria, which states must certify to Homeland Security that their IDs meet, include that they bear the holder's full legal name, signature, date of birth, gender, address of principal residence, and driver license or identification card number. To meet the federal standard, before issuing a driver's license or ID, states must require the prospective holders to show a photo ID or other identity document that includes both their full legal name and date of birth, documentation showing date of birth, proof of social security number or verification of ineligibility for an SSN, and documentation showing name and address of principal residence. States are required to verify with the issuing agency each document required to be presented, and must confirm the SSN information with the Social Security Administration. The IDs also must include a digital photograph of the holder, physical security features that prevent tampering, counterfeiting, or duplication, and a common machine-readable technology. Homeland Security has not yet adopted regulations to effectuate the requirement that the IDs be "machine-readable," which could take the form of a magnetic strip, an enhanced bar code or radio frequency identification (RFID) chips.

Yesterday, Maine's legislature approved a resolution that rejects the federal requirements by stating the state "refuses to implement the REAL ID Act" and force its citizens to use driver's licenses that comply with the federal law, and by calling on Congress to repeal it. The vote in the state legislature was nearly unanimous - 34-0 in the state Senate and 137-4 in the House - and accordingly was wholly nonpartisan. The resolution reflects that complying with the Act would cost the state $185 million over five years and require every state resident to visit the motor vehicle agency so the various documents required by the Act could be uploaded to a federal database. Other states, including Georgia, Massachusetts, Washington and Montana have similar measures under consideration. In Montana, this week saw a legislative hearing on a bill that says the state "will not participate in the implementation of the Real ID Act of 2005" and that directs the motor vehicle department "not to implement the provisions."

Some observers expect that Congress, newly under Democratic control, will act to repeal or modify the law, and that the Maine vote will be a catalyst for other states to follow suit. Civil liberties watchdogs that oppose a national ID card surely would welcome such a development. 

[Privacy and Security Law Blog]
3:18:10 PM

News Item 8217 Why One Angry Customer Broke AACS.

Why One Angry Customer Broke AACS.

Slyck News has posted an interview with muslix64, the coder responsible for the BackUpHDDVD tool that helps movie fans get around the next-gen DVDs' DRM restrictions. Muslix64 makes plain that he's no "pirate" -- he's just an "angry customer" who wanted to play his lawfully-acquired movie on his own PC.

"With the HD-DVD, I wasn't able to play my movie on my non-HDCP HD monitor. Not being able to play a movie that I have paid for, because some executive in Hollywood decided I cannot, made me mad..." (link, mine)

DRM isn't doing anything to stop "Internet piracy," but it is creating more and more frustrated customers like muslix64.

Read the whole interview here.

[EFF: Deep Links]
3:11:41 PM

News Item 8216 Norway Investigates Google on Privacy.

Norway Investigates Google on Privacy.

Pandia Search Engine News reports that the Norwegian Data Inspectorate, whose role is to protect persons from violation of their right to privacy through the processing of personal data, is investigating Google's information collecting practices. From Pandia's report:

"Why does the search engine store the IP addresses [of searchers] for so long, and what are they using them for?" Senior Engineer Atle Årnes of the Inspectorate asks in the Norwegian newspaper Aftenposten.

"Even if the search engines cannot identify the person behind every IP address, people do leave behind their names and other personal information that make it possible to track who they are," he continues.

Google's privacy expert Peter Fleischer has come to Oslo to meet the Directorate.

He says to Aftenposten that Google does not know the persons behind the IP numbers, and that the company is not willing to give such information to others. The only exception, according to Fleischer, are court orders or rulings in countries with a trustworthy judicial system.

If the same policy applies in the US, then Google must demand a court order before turning over the identities of YouTube users to Fox, who is hunting copyright infringers.

[michaelzimmer.org]
3:09:34 PM

News Item 8215 Recursive Surveillance.

Recursive Surveillance.

While we're all too familiar with how surveillance cameras are becoming ubiquitous, they are now also becoming recursive: CCTV to safeguard speed cameras

[michaelzimmer.org]
3:06:36 PM