Thursday, February 1, 2007


News Item 8294 FBI turns to broad new wiretap method | CNET News.com

The FBI appears to have adopted an invasive Internet surveillance technique that collects far more data on innocent Americans than previously has been disclosed.

Instead of recording only what a particular suspect is doing, agents conducting investigations appear to be assembling the activities of thousands of Internet users at a time into massive databases, according to current and former officials. That database can subsequently be queried for names, e-mail addresses or keywords.

Such a technique is broader and potentially more intrusive than the FBI's Carnivore surveillance system, later renamed DCS1000. It raises concerns similar to those stirred by widespread Internet monitoring that the National Security Agency is said to have done, according to documents that have surfaced in one federal lawsuit, and may stretch the bounds of what's legally permissible.

Call it the vacuum-cleaner approach. It's employed when police have obtained a court order and an Internet service provider can't "isolate the particular person or IP address" because of technical constraints, says Paul Ohm, a former trial attorney at the Justice Department's Computer Crime and Intellectual Property Section. (An Internet Protocol address is a series of digits that can identify an individual computer.)

That kind of full-pipe surveillance can record all Internet traffic, including Web browsing--or, optionally, only certain subsets such as all e-mail messages flowing through the network. Interception typically takes place inside an Internet provider's network at the junction point of a router or network switch.

The technique came to light at the Search & Seizure in the Digital Age symposium held at Stanford University's law school on Friday. Ohm, who is now a law professor at the University of Colorado at Boulder, and Richard Downing, a CCIPS assistant deputy chief, discussed it during the symposium.


10:40:38 PM

News Item 8293 'Full-Pipe' FBI Internet Monitoring Questionably Legal.

CNet is running a piece looking at what they refer to as a 'questionably legal' internet surveillance technique being employed by the FBI. In situations where isolating a specific IP address for a suspect is not possible, the FBI has taken to 'full-pipe' surveillance: all activity for a bank of IPs is recorded, and then data mining is used to attempt to isolate their target. The questionable legality of this situation results from a requirement that, under federal law, the FBI is required to use 'minimization'. The article describes it this way: "Federal law says that agents must 'minimize the interception of communications not otherwise subject to interception' and keep the supervising judge informed of what's happening. Minimization is designed to provide at least a modicum of privacy by limiting police eavesdropping on innocuous conversations." Full-pipe surveillance would seem to abandon that principle in favor of getting to the target faster. [Slashdot: Your Rights Online]
10:36:41 PM

News Item 8292 Wired News: I Was a Cybercrook for the FBI

With so many fake IDs in play it was unclear to police exactly who they had in custody. Then as they read Thomas his rights, he told them: "Get me some federal agents and I'll give you a case involving the Russians and millions of dollars."

Thus was the beginning of Thomas' turn to the other side. For 18 months beginning in April 2003, Thomas worked as a "paid asset" for the FBI running a website for identity and credit card thieves from a government-supplied apartment in the tony Queen Anne neighborhood of Seattle.

From bedrise to bedrest, seven days a week, he rode the boards and forums of his and other carding sites using the online nickname El Mariachi. He recorded private messages and IRC chats for the FBI as "carders" schemed to, among other things, sell stolen credit and debit card numbers, defraud the George Bush and John Kerry campaign sites, drain hundreds of thousands of dollars from bank and investment accounts, sell access to Paris Hilton's T-Mobile account and run phishing scams against U.S. Bank and the FDIC. He did it all while battling denial-of-service attacks against his site and dodging attempts by his old partner Taylor and other carders to track his whereabouts and out him as a fed.

Just as his enemies were closing in on him in September 2004, the FBI pulled the plug on his work and cut him loose. But not before Thomas had given authorities a valuable look at the internet's underworld, even though the strain of leading a double life nearly broke him.


10:33:14 PM

News Item 8291 I Was a Cybercrook for the FBI.

Hoi Polloi writes "Wired News has a series starting on internet crime. The first piece they have up covers the story of a cybercrook who specialized in credit card fraud. Caught in a sting operation in November of 2002, the man who identified himself as 'El Mariachi' on message boards would lead a double life for the next two years working for the FBI. As he reported on credit card scammers, dodged his former associates, and stopped criminals from defrauding the 2004 presidential campaign, he also tried to keep his life together. A fascinating tale that looks at the face of modern crime, and crime-stopping techniques." [Slashdot: Your Rights Online]
10:29:02 PM

News Item 8290 Why You & Yahoo Should Like This Human Rights Law.

Regular contributor Bennett Haselton has written in to say that "The Global Online Freedom Act, introduced last year during a firestorm of controversy over American companies cooperating with totalitarian governments in China and elsewhere, was introduced this month as the Global Online Freedom Act of 2007. When Chris Smith (R-NJ) first introduced the law in 2006, Yahoo was under fire for recently turning over information to Chinese authorities that led to the arrest of a political dissident, Microsoft was attacked for removing pages from MSN Spaces China at the behest of the government, Google was being criticized for removing political sites from search results displayed to China, and Cisco was accused of helping to enable Chinese filtering of the Web. All four corporations testified at a February 2006 House hearing during which Representative Tom Lantos summed up the mood of many of his colleagues by telling the companies, "I do not understand how your corporate leadership sleeps at night." The companies protested that they had no choice but to comply with local Chinese laws, but that they were troubled by their own actions, and -- in a rarity for individual tech companies, much less for a chorus -- they all invited the U.S. government to play a bigger role, while being vague about what the role should be." [Slashdot: Your Rights Online]
10:19:17 PM

News Item 8289 Solving DRM in the BitTorrent Age.

An anonymous reader writes "FiringSquad has a new article on DRM in the BitTorrent Age. They argue that the movie industry looking for "perfect DRM" should aim for the printed book model (people still buy books even though they can read them for free at Barnes & Noble). They argue that the missing element is that screenwriters are not marketed by Hollywood in the same way the book industry markets its authors." [Slashdot: Your Rights Online]
10:14:44 PM

News Item 8288 Has the White House interfered on global warming reports? | csmonitor.com

More than 120 scientists across seven federal agencies say they have been pressured to remove references to "climate change" and "global warming" from a range of documents, including press releases and communications with Congress. Roughly the same number say appointees altered the meaning of scientific findings on climate contained in communications related to their research.

These findings, part of a new report compiled by two watchdog groups, shed new light on complaints by a scattering of scientists over the past year who have publicly complained that Bush administration appointees have tried to mute or muzzle what researchers have to say about global warming.

"We are beyond the anecdotal," says Francesca Grifo, director of the scientific integrity program at the Union of Concerned Scientists (UCS), one of the two groups, referring to press reports of a dozen instances of interference that have emerged over the past 12 months. "We now have evidence to support the view that this problem goes deeper than just these few high-profile cases."

Global-warming science must be accurately represented to enable lawmakers to craft adequate policies to control the problem and adapt to climate change, Dr. Grifo says. Scientists at the National Aeronautics and Space Administration, the National Oceanic and Atmospheric Administration, and other agencies working on climate-related issues are doing excellent work. "But it's under threat, and they are struggling to get their results out" to the general public, she says.

Grifo described some of the report's findings during hearings Tuesday before the House Committee on Oversight and Government Reform and during a press briefing afterward. The two groups say they will release additional material next week, when the Senate Committee on Commerce, Science, and Transportation holds similar hearings.


10:09:56 PM

News Item 8287 Congress Hears From Muzzled Scientists.

BendingSpoons writes "More than 120 scientists across seven federal agencies have been pressured to remove the phrases 'global warming' and 'climate change' from various documents. The documents include press releases and, more importantly, communications with Congress. Evidence of this sort of political interference has been largely anecdotal to date, but is now detailed in a new report by the Union of Concerned Scientists. The House Oversight and Government Reform Committee held hearings on this issue Tuesday; the hearing began by Committee members, including most Republicans, stating that global warming is happening and greenhouse gas emissions from human activity are largely to blame. The OGR hearings presage a landmark moment in climate change research: the release of the 2007 report by the Intergovernmental Panel on Climate Change. The IPCC report, drafted by 1,250 scientists and reviewed by an additional 2,500 scientists, is expected to state that 'there is a 90% chance humans are responsible for climate change' -- up from the 2001 report's 66% chance. It probably won't make for comfortable bedtime reading; 'The future is bleak', said scientists." [Slashdot: Your Rights Online]
10:05:52 PM

News Item 8286 Groklaw - A Brave New Modular World - Another MS Patent Application

A reader sent me a link to a new patent application by Microsoft. Not the Bluej one, which has been in the news and which Microsoft, commendably, has withdrawn, but another one, for what seemed to me to be a modular operating system, "System and method for delivery of a modular operating system".

Microsoft and modular are two words I wouldn't normally associate with one another, so I thought maybe I'd misunderstood it. Heaven only knows, patent applications are generally written to confuse, not illuminate, and so I sent it to Dr. Stupid to ask if he'd please explain it to me. He did, and his explanation was so interesting, I asked if I could share it with you.

As best as I can understand it, it's not an attempted patent on a modular system per se. That obviously wouldn't fly. As he points out, it's not new. The patent relates to a method of delivery of an operating system where you start off with a very basic operating system, a kind of crippled starter edition, and then you pick and choose (and purchase) additional functionality, with DRM used to make sure you don't self-help. It's like modular copyleft, turning the advantages of GNU/Linux -- modularity there increases what you can do and what you can add and how well everything works -- and instead turns the concept on its head by using modularity plus DRM to restrict and contain and enforce.


10:03:10 PM

News Item 8285 Microsoft Applies To Patent DRM'ed OS Modules.

wellingj writes "Microsoft has applied for a patent that sounds on the face of it like it ought to improve OS stability and reliability: the patent proposes to modularize device drivers much like Linux does. But, going further, Microsoft would apply DRM to these modules -- as Groklaw puts it, 'using modularity plus DRM to restrict and contain and enforce.' The net result is that you might have to pay extra for OS hardware support. Things like USB keys, DVD-ROMS, Raid drives, and video cards might not be supported out of the box. LXer indulges in some dystopian speculation." [Slashdot: Your Rights Online]
9:59:09 PM

News Item 8284 Survey: Identity theft on the decline | NetworkWorld.com Community

Hours after meeting with Verisign yesterday at DEMO 07 to discuss that company's major anti-identity theft initiative comes news from a trio of leading financial firms that this ongoing crisis of consumer confidence -- the bane of retailers both online and off -- is already well under control, with the number of victims down 12% last year over 2005.

Pop the corks? ... Well, there's every reason to hope that this report reflects an emerging new reality ... as well as every reason to remain skeptical. The problem with vendor-sponsored surveys of this nature, of course, is that they make it difficult to overlook the obvious self-interest of the parties involved. The e-commerce world as a whole has been in full panic mode over the public's increasing wariness about doing business online. All would hail anything that might lessen that unease. So this poll offers such hope, grain of salt and all. The 2007 Identity Fraud Survey Report paid for by Visa, Wells Fargo and CheckFree contends that:


9:55:57 PM

News Item 8283 Survey Indicates ID Theft May Be Diminishing.

netbuzz passed us a link discussing a survey conducted by major credit firms. Keeping in mind the source (CheckFree, Visa, and WellsFargo), the results indicate identity theft may be on the downswing as consumers wise up to scammers. The number of respondents that reported a fraudulent account created with a stolen identity dropped by a full half percentage point between 2005 and 2006. Overall fraud apparently dropped by some 12% over last year, representing $6.4 billion in fraud reduction. Again, consider the source: identity fraud is still apparently costing some $49.3 billion annually. [Slashdot: Your Rights Online]
9:52:57 PM

News Item 8282 Birth of the Verbal Hack?

Microsoft Corp. said Wednesday that a voice-recognition feature built into Vista -- the new version of Windows that went on sale this week -- could be exploited remotely to delete files on a victim's machine if he or she visited a Web site that tried to issue specific commands through the computer's audio system.

Online computer security forums were abuzz this week with discussions of ways to exploit the new feature. In the DailyDave online security newsgroup, one commenter described a successful test in which he managed to delete his entire "My Documents" folder using the voice command feature. An attack recorded as an audio file and automatically played when a user visits a malicious Web site could have the same effect, security experts said.

Microsoft noted that the voice-recognition feature is not turned on by default in Vista, and that such an attack would be extremely difficult to execute.

In a posting on its security Web site, Microsoft said a targeted system "would need to have the speech recognition feature previously activated and configured. Additionally the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as 'copy,' 'delete,' 'shutdown,' etc. and acting on them. Of course this would be heard and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation."

While Microsoft said the feature could be exploited to delete a victim's documents, it pointed out that a key component of security on Vista -- the "user account control" (UAC) feature that requires a user to enter his or her password before making any significant changes to the system -- would prevent an attacker from installing software or creating new user accounts on the victim's PC.

Rich Mogull, a security analyst with Gartner Inc., said he doubts that many users will bother to configure and run the voice command feature in Vista, and even for those who do the real threat of falling victim to such an attack would be fairly low.

Still, Mogull said, "if they are running it, and someone can get the right kind of file to play when no one is looking, yep- you could do nasty stuff."

My personal favorite perspective on this comes from the venerable security guru Dan Geer, who offered the following challenge on the DailyDave list:

"Here's $500 for the first documented case of someone using the white courtesy phone in an airport to page Mr Shootdown, Reese Sett, Sleep Now, or whatever and blanking all the laptops in a concourse. An extra $500 if it's DC National..."

[Security Fix]
9:47:19 PM