Monday, January 29, 2007


News Item 8264 Vista DRM Cracked by Security Researcher.

Vista DRM Cracked by Security Researcher. An anonymous reader writes "Security researcher Alex Ionescu claims to have successfully bypassed the much discussed DRM protection in Windows Vista, called 'Protected Media Path' (PMP), which is designed to seriously degrade the playback quality of any video and audio running on systems with hardware components not explicitly approved by Microsoft. The bypass of the DRM protection was in turn performed by breaking the Driver Signing / PatchGuard protection in the new operating system. Alex is now quite nervous about what an army of lawyers backed by draconian copyright laws could do to him if he released the details, but he claims to be currently looking into the details of safely releasing his details about this at the moment though." [Slashdot]
3:17:58 PM

News Item 8263 Study Finds IE7 + EV SSL Won't Stop Phishing.

Study Finds IE7 + EV SSL Won't Stop Phishing. An anonymous reader writes "Stanford University and Microsoft Research have published a study that claims that the new Extended Validation SSL Certificates in IE7 are ineffective (PDF). The study, based on user testing, found that EV certificates don't improve users' ability to detect attacks, that the interface can be spoofed, and that training users actually decreases their ability to detect attacks. The study will be presented at Usable Security 2007 next month, which is a little late now that the new certificates are already being issued." [Slashdot]
3:11:05 PM

News Item 8262 CIA Gets in Your Face(book).

CIA Gets in Your Face(book). Want a job recruiting secret sources and working undercover in exotic overseas locations? Head to the CIA's Facebook page. By Chaddus Bruce.

Since December 2006, the Central Intelligence Agency has been using Facebook.com, the popular social networking site, to recruit potential employees into its National Clandestine Service. It marks the first time the CIA has ventured into social networking to hire new personnel.

The CIA's Facebook page (login required) provides an overview of what the NCS is looking for in a recruit, along with a 30-second promotional YouTube video aimed at potential college-aged applicants. U.S. citizens with a GPA above 3.0 can apply.

"It's an invaluable tool when it comes to peer-to-peer marketing," says Michele Neff, a CIA spokeswoman.

The NCS, one of the four directorates of the CIA, was established following 9/11 to gather intelligence from sources both domestic and abroad. In 2004, President Bush directed the CIA to increase the "human intelligence capabilities" of the agency and hire more officers that can "blend more easily in foreign cities."

The search for better spies led the NCS to set up shop on Facebook, which is used primarily by college students. Every Facebook user has her or his own page, and users can choose to join Facebook "groups," which can be created by individuals or sponsored by companies as paid promotions. The NCS-sponsored Facebook group was launched on Dec. 19, 2006 and will stay active for two months. The group currently has over 2,100 members, up from around 200 one week after its debut.

[Wired News: Top Stories]
3:06:28 PM


News Item 8261 In Praise of Security Theater.

In Praise of Security Theater. Feeling secure? Maybe you shouldn't. Feeling insecure? Maybe you should. Commentary by Bruce Schneier. [Wired News: Top Stories]
3:00:39 PM

News Item 8260 Don't fall victim to the 'Free Wi-Fi' scam

The next time you're at an airport looking for a wireless hot spot, and you see one called "Free Wi-Fi" or a similar name, beware -- you may end up being victimized by the latest hot-spot scam hitting airports across the country.

You could end up being the target of a "man in the middle" attack, in which a hacker is able to steal the information you send over the Internet, including usernames and passwords. And you could also have your files and identity stolen, end up with a spyware-infested PC and have your PC turned into a spam-spewing zombie. The attack could even leave your laptop open to hackers every time you turn it on, by allowing anyone to connect to it without your knowledge.

If you're a Windows Vista user, you're especially susceptible to this attack because of the difficulty in identifying it when using Vista. In this article, you'll learn how the attack works and how to keep yourself safe from it if you use Windows XP or Vista.


2:58:24 PM

News Item 8259 Tracking Audis With RFID.

Tracking Audis With RFID. Audi will use RFID tags through production and delivery of its TT sports car for "quality-assurance." But how are the embedded tags used over a car's lifetime? Plus: BMW fields a remote-control convertible top. In Autopia. [Wired News: Top Stories]
2:52:45 PM

News Item 8258 Michael Geist - Vista's Fine Print Raises Red Flags


Vista's legal fine print includes extensive provisions granting Microsoft the right to regularly check the legitimacy of the software and holds the prospect of deleting certain programs without the user's knowledge. During the installation process, users "activate" Vista by associating it with a particular computer or device and transmitting certain hardware information directly to Microsoft.

Even after installation, the legal agreement grants Microsoft the right to revalidate the software or to require users to reactivate it should they make changes to their computer components. In addition, it sets significant limits on the ability to copy or transfer the software, prohibiting anything more than a single backup copy and setting strict limits on transferring the software to different devices or users.

Vista also incorporates Windows Defender, an anti-virus program that actively scans computers for "spyware, adware, and other potentially unwanted software." The agreement does not define any of these terms, leaving it to Microsoft to determine what constitutes unwanted software. Once operational, the agreement warns that Windows Defender will, by default, automatically remove software rated "high" or "severe," even though that may result in other software ceasing to work or mistakenly result in the removal of software that is not unwanted.

For greater certainty, the terms and conditions remove any doubt about who is in control by providing that "this agreement only gives you some rights to use the software. Microsoft reserves all other rights." For those users frustrated by the software's limitations, Microsoft cautions that "you may not work around any technical limitations in the software."

1:13:53 PM

News Item 8257 Professor Michael Geist on Vista's Fine Print.

Professor Michael Geist on Vista's Fine Print. Russell McOrmond writes "With Microsoft's Vista set to hit stores tomorrow, Michael Geist's weekly Law Bytes column (Toronto Star version, homepage version) looks at the legal and technical fine print behind the operating system upgrade. The article notes that in the name of shielding consumers from computer viruses and protecting copyright owners from potential infringement, Vista seemingly wrestles control of the "user experience" from the user. If you are a Canadian and think that the owner of computers should be in control of what they own, rather than some third party (whether virus authors or the manufacturer/maker), then please sign our Petition to protect Information Technology property rights." [Slashdot]
1:10:29 PM

News Item 8256 It's Time to Forge Global Privacy Rules.

It's Time to Forge Global Privacy Rules. Opinion: Privacy columnist Jay Cline says the time is ripe for a global privacy standard to replace the hodgepodge of privacy principles that multinational businesses must cope with. The first step is to agree on what privacy really means. [Computerworld Privacy News]
1:02:40 PM

News Item 8255 The Seattle Times: Local News: PSE to pay $995,000 for violating consumer privacy rules

SEATTLE - Puget Sound Energy will pay $995,000 for violating consumer privacy laws by giving information on thousands of customers to an outside marketing company and will permanently abolish the program under a settlement approved Monday by the state Utilities and Transportation Commission.

Under the settlement agreement, the utility agreed to pay a $900,000 penalty, contribute $95,000 to its low-income heating assistance program and avoid such violations in future.

PSE will comply, utility spokeswoman Martha Monfreid said Monday.

"We discontinued the program last March as soon as the commission raised the issue of there being privacy issues," she said.

The utility acknowledged transferring, through its PSE Connections marketing program, more than 65,000 phone calls, as well as basic information on new and relocating customers, to Georgia-based Allconnect, Inc. between November 2001 and March 2006.

Due to a two-year statute of limitations, only 18,992 call transfers were made subject to penalties.

Under state regulations, privately owned gas and electric companies cannot release or sell customer information to a third party for marketing purposes without written permission from customers.

"We conclude that PSE intentionally violated the rule as part of a corporate decision to sell its customers' private information for financial gain," the commission said in its written decision.


1:00:49 PM

News Item 8254 Payments News: Mobile Malware A Risk - January 22, 2007

TowerGroup has published a new research report titled "Fraud, Virus and ID Theft: Mobile Malware Stands to Create a New Beginning" - saying that as the use of mobile devices for banking and payments increases, incidents of mobile virus and mobile malware are likewise going to be on the upswing.
12:56:59 PM

News Item 8253 N.H. lawmakers renew push for greater privacy - Fosters

CONCORD, N.H. (AP) -- Lawmakers pushing a range of bills aimed at protecting privacy say they hope to benefit from a shift in public awareness about their concerns.

Rep. Neal Kurk, R-Weare, one of the Legislature's fiercest privacy advocates, has proposed several measures meant to protect New Hampshire residents from a variety of technological intrusions. This year, he's not alone.

''I'm very pleased that so many other people are recognizing that one of the consequences of technological change has been intrusions on what used to be protected, not by statute but by the inability to invade privacy,'' he said. ''But as that has changed, people have become much more sensitive to it and a lot more folks are introducing legislation.''

At the top of Kurk's list is a second try at preventing the state from participating in the federal government's Real ID program. The House passed a measure he co-sponsored last year to reject Real ID, but the Senate refused to negotiate a compromise version.

Kurk believes the bill ''was the victim of a game of political chicken,'' but may have a better chance now given the heightened public interest in privacy issues.

He also has submitted proposals for bills requiring companies to provide notice if tracking devices are used on consumer products, banning ''pretexting'' to obtain personal information and allowing consumers to opt out of cell phone directories. He also believes the timing might be right to study a Constitutional amendment on personal privacy.

''Over the past 20 years I've been in the Legislature, there has been a major shift in awareness and sensitivity to privacy issues,'' he said.

A bill sponsored by Rep. Jim Ryan, D-Franklin, would create a committee to study whether a privacy amendment should be added to the state Constitution.

12:54:30 PM

News Item 8252 Enterprise Rights Management (ERM): Architectural Approaches.

Enterprise Rights Management (ERM): Architectural Approaches. This document compares the architectural approaches to implementing an effective enterprise rights management (ERM) system, namely tethered and untethered models. The document attempts to explore the advantages and disadvantages of both approaches and the impact the two models have on a corporate installation of such a system. By Avoco Secure. [Infosec Writers Latest Security Papers]
11:25:04 AM

News Item 8251 Record Companies Boxed In By Their Own Rhetoric.

Record Companies Boxed In By Their Own Rhetoric.

Reports are popping up all over that the major record companies are cautiously gearing up to sell music in MP3 format, without any DRM (anti-copying) technology. This was the buzz at the recent Midem conference, according to a New York Times story.

The record industry has worked for years to frame the DRM issue, with considerable success. Mainstream thinking about DRM is now so mired in the industry's framing that the industry itself will have a hard time explaining and justifying its new course.

The Times story is a perfect example. The headline is "Record Labels Contemplate Unrestricted Music", and the article begins like this:

As even digital music revenue growth falters because of rampant file-sharing by consumers, the major record labels are moving closer to releasing music on the Internet with no copying restrictions -- a step they once vowed never to take.

Executives of several technology companies meeting here at Midem, the annual global trade fair for the music industry, said over the weekend that at least one of the four major record companies could move toward the sale of unrestricted digital files in the MP3 format within months.

But of course the industry won't sell music "with no copying restrictions" or "unrestricted". The mother of all copying restrictions -- copyright law -- will still apply and will still restrict what people can do with the music files. I can understand leaving out a qualifier in the headline, where space is short. But in a 500-word article, surely a few words could have been spared for this basic point.

Why did the Times (and many commentators) mistake MP3 for "unrestricted"? Because the industry has created a conventional wisdom that (1) MP3 = lawless copying, (2) copyright is a dead letter unless backed by DRM, and (3) DRM successfully reduces copying. If you believe these things, then the fact that copyright still applies to MP3s is not even worth mentioning.

The industry will find these views particularly inconvenient when it is ready to sell MP3s. Having long argued that customers can't be trusted with MP3s, the industry will have to ask the same customers to use MP3s responsibly. Having argued that DRM is necessary to its business -- to the point of asking Congress for DRM mandates -- it will now have to ask artists and investors to accept DRM-free sales.

All of this will make the industry's wrong turn toward DRM look even worse than it already does. Had the industry embraced the Internet early and added MP3 sales to its already DRM-free CDA (Compact Disc Audio format) sales, they would not have reached this sad point. Now, they have to overcome history, their own pride, and years of their own rhetoric.

[Freedom to Tinker]
11:22:44 AM