Tuesday, February 13, 2007


News Item 8427 RIAA to ISPs: Help Us Sue Your Customers Better.

RIAA to ISPs: Help Us Sue Your Customers Better.

As if suing thousands of music fans isn't bad enough, now the RIAA wants to conscript ISPs into helping them streamline the shakedowns. The major record labels sent a letter to ISPs across the country asking them to trade away customers' rights and make the overzealous file sharing lawsuits more profitable -- and the RIAA even has the audacity to suggest that this is all for your own good.

ISPs currently have no obligation to maintain IP log files, and that's a good thing when it comes to protecting your privacy. Those log files can serve as Internet breadcrumbs -- your ISP and any third party that has access to them can retrace your online activities.

But the RIAA wants ISPs to maintain (and disclose) a customer's IP logs for six months whenever the RIAA says the user may have infringed copyright. In exchange, the record companies will reduce their initial lawsuit settlement demands. Of course, the actual customer would have no say in the matter. The RIAA letter says it wants the information kept because it could "exculpate" the customer, but of course those same records can also implicate the user. Funny, the labels don't mention that.

EFF and others have long warned that copyright claims could become an altar on which personal privacy is sacrificed. Now the RIAA wants your ISP to voluntarily wield the knife, and there's no telling what else the RIAA might ask for once this cut has been made.

The RIAA also wants ISPs to keep customers in the dark about their legal options. Before the RIAA has even verified that the user is correctly identified, it wants ISPs to send along a note saying the user might be sued and can already settle potential claims. At the same time, the RIAA scolds ISPs for giving information to their customers that could help provide sound legal counsel. Instead, the RIAA wants ISPs to direct subscribers solely to the RIAA.

In other words, the RIAA wants it to be harder for customers to find out that settling early might be a bad idea. Does the RIAA readily tell customers that parents are generally not liable for infringements committed by their kids, or that bankruptcy might be a last-ditch option for some, or that the record labels have occasionally sued the wrong people? Doubtful. The RIAA's letter notes that some people have been told that "the RIAA could have been incorrect in identifying your IP address" -- which of course is true -- and "directed the subscriber to certain websites, instead of having him contact the RIAA." We suspect those websites include EFF's resources as well as the Subpoena Defense website.

It's possible that, after the fact, a given user might have preferred a cheaper, earlier settlement, but neither ISPs nor fans should have to make the remarkably perverse choice laid out in the RIAA's "offer." As we've pointed out repeatedly, the record labels could help forge a better way forward to get artists paid without suing fans or further endangering their privacy.

The last time we checked, ISPs don't work for the RIAA, so until the major record labels come to their collective senses, ISPs shouldn't be handmaidens in their misguided lawsuit campaign.

[EFF: Deep Links]
11:59:43 PM

News Item 8426 Hacker, Microsoft duke it out over Vista design flaw | Zero Day | ZDNet.com

Joanna Rutkowska has always been a big supporter of the Windows Vista security model. Until she stumbled upon a "very severe hole" in the design of UAC (User Account Control) and found out -- from Microsoft officials -- that the default no-admin setting isn't even a security mechanism anymore.  

Rutkowska, a hacker with a track record of defeating Vista's security mechanisms, believes UAC has a major flaw in the way it automatically assumes that all setup programs (application installers) should be run with administrator privileges.

"[When] you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?" Rutkowska asked in a post on her Invisible Things blog.

That's because Vista uses a compatibility database and several heuristics to recognize installer executables and, every time the OS detects that an executable is a setup program, "it will only allow running it as administrator."

This, in Rutkowska's mind, is a "very severe hole in the design of UAC."

"After all, I would like to be offered a choice whether to fully trust a given installer executable (and run it as full administrator) or just allow it to add a folder in C:\Program Files and some keys under HKLM\Software and do nothing more. I could do that under XP, but apparently I can't under Vista, which is a bit disturbing," she added.

A few days after Rutkowska flagged the UAC shortcoming, Microsoft's Mark Russinovich wrote a detailed technical explanation of the way the mechanism works. One thing that stood out in Russinovich's explanation is an admission of sorts that the default configuration of UAC puts the user at risk of a sophisticated code execution attack.


11:11:29 PM

News Item 8425 Slashdot | "Very Severe Hole" In Vista UAC Design

Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a 'very severe hole' in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges -- and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."
11:01:17 PM

News Item 8424 Maine Senator Announces Legislation to Delay Implementation of Real ID.

Maine Senator Announces Legislation to Delay Implementation of Real ID. "I will be introducing this legislation so that we can pause and take a more measured approach to Real ID." [GT: Security and Privacy]
9:02:22 PM

News Item 8423 Valentine Spam, Valentine Virus.

Valentine Spam, Valentine Virus. "As Valentine's Day approaches this year we are already seeing a proliferation of computer threats." [GT: Security and Privacy]
8:56:23 PM

News Item 8422 Update on Missing Veterans Affairs Portable Hard Drive.

Update on Missing Veterans Affairs Portable Hard Drive. May have included information on approximately 535,000 individuals. [GT: Security and Privacy]
8:53:35 PM

News Item 8421 Smart Cards Key to Information and Identity Security, Says Gates, Others.

Smart Cards Key to Information and Identity Security, Says Gates, Others. "We need to secure the king instead of the castle. Information is king and it likes to move around." [GT: Security and Privacy]
8:43:38 PM

News Item 8420 Debate growing over data security - baltimoresun.com

When Johns Hopkins officials announced this week that a courier had lost nine backup computer tapes containing personal data on 135,000 employees and patients, security specialists were critical, even though the information probably was destroyed without being compromised.

The reaction came not just because the tapes were lost, but because they weren't encrypted -- coded so that they could be read only with a computerized key.

"Have we not learned from history yet, that if you're going to give [data] to a third party that you either encrypt or password protect it?" said Linda Foley, executive director of the Identity Theft Resource Center in San Diego.

Amid a spate of lost or stolen data, some organizations and industries have begun taking steps to better protect employee and customer information, yet far too many have not, privacy advocates say. Many still leave sensitive information uncoded or hand it off to sometimes-careless employees or third parties.

This year alone, Social Security numbers were posted on a public Web site at the University of Nebraska; personal information on 537 people was stolen from the New York Department of Labor; a hacker accessed Social Security numbers for more than 1,200 people at the University of Missouri; and a laptop was stolen that contained medical records for 1,100 patients at the Salina Regional Health Center in Kansas.

Some consultants say that costs keep organizations from updating their security practices -- encryption software and developing privacy procedures can be expensive. But the No. 1 reason is complacency, according to Lillie Coney, associate director of the Electronic Privacy Information Center, or EPIC, in Washington.

"They don't see themselves as being in a position where they're going to lose something," Coney said.

8:40:57 PM

News Item 8419 Lost VA hard drive may have held 1.8M IDs.

Lost VA hard drive may have held 1.8M IDs. A portable hard drive reported missing by the Department of Veterans Affairs may have held data on 1.8 million veterans and physicians -- far more than the 50,000 people the agency initially said might be affected. [Computerworld Privacy News]
8:24:40 PM

News Item 8418 Web Censorship Proposed For Norway.

Web Censorship Proposed For Norway. Aqwis writes "A Norwegian Web filtering system (link in Norwegian), comparable to the Great Firewall of China, has been proposed to the Norwegian legislature. It would, if enacted, block all Web sites and servers that contain hate material (racial hate, pro-Nazi sites, hate towards the government, etc.), most kinds of pornography (not only child pornography), foreign gambling sites, and sites that share copyrighted or other material that it is not legal to share (such as most BitTorrent sites and services such as LimeWire). Reactions have been mixed; however they are mostly negative." [Slashdot: Your Rights Online]
8:08:57 PM

News Item 8417 RIAA Admits ISPs Have Misidentified "John Does".

RIAA Admits ISPs Have Misidentified "John Does". NewYorkCountryLawyer writes "The RIAA has sent out a letter to the ISPs telling them to stop making mistakes in identifying subscribers, and offering a 'Pre-Doe settlement option' -- with a discount of '$1000 or more' -- to their subscribers, if and only if the ISP agrees to preserve its logs for 180 days. Other interesting points in the letter (PDF): the RIAA will be launching a web site for 'early settlements,' www.p2plawsuits.com; the letter asks the ISPs to notify the RIAA if they have previously 'misidentified a subscriber account in response to a subpoena' or become aware of 'technical information... that causes you to question the information that you provided in response to our clients' subpoena'; it notes that ISPs have identified 'John Does' who were not even subscribers of the ISP at the time of the infringement; and it requests that ISPs furnish their underlying log files, not just names and addresses, when responding to RIAA subpoenas." [Slashdot: Your Rights Online]
7:33:16 PM

News Item 8416 Captain Copyright Expires.

Captain Copyright Expires. The Canadian superhero Captain Copyright has finally expired, not due to pirates or to the passage of 50 years after the death of the author, but because "the current climate around copyright issues will not allow a project like this one to be successful." The cartoon was intended to provide an education in copyright law for children, but it became a focus for criticism when even the Canadian Library Association condemned it for lacking balance because it ignored issues like Fair Dealing (Canada's version of Fair Use). Personally, I was hoping we'd see them get sued by DC & Marvel, who claim to own the trademark on the word "superhero", and vanish in a puff of logic. [Slashdot: Your Rights Online]
7:29:37 PM

News Item 8415 Wanted: Missing FBI Laptops.

Wanted: Missing FBI Laptops.

If you lose your laptop, don't go crying on the shoulder of the Federal Bureau of Investigation. It has its own problems. The agency had at least 160 laptops lost or stolen over the past four years.

Ten of those laptops contained highly sensitive classified information and at least one included "personal identifying information on FBI personnel," according to a new report.

While the number may loom large, the agency actually has improved on keeping tabs on its wares. The report released today by the Justice Department's Office of Inspector General was a follow-up to a similar 2002 report. That earlier report found that the FBI had reported some 317 employee laptops as either lost or stolen over the previous 28-month period. Seventeen of those laptops were reported stolen. In 2002, the FBI had roughly 11 laptops stolen or lost each month. The agency currently mismanages an average of four laptops monthly.

It's worth noting that as many as 51 of the laptops reported lost or stolen since 2002 may also have contained classified data, but the inspector general's office said the FBI could not be sure. At least seven of the laptops were assigned to the agency's counterintelligence or counterterrorism divisions, the report notes.

It is not clear from the report how many of those stolen or lost laptops used encryption technology to safeguard the data. Only one individual case cataloged in the report details that encryption technology was used to protect data stored on the computer's hard drive.

The report recommends that future laptop-loss reports include information on whether the computer in question had protected data. The FBI agreed with that recommendation, and said it would make such reporting mandatory.

Now, if they would just make the use of encryption technology mandatory on government laptops, I'm sure we would all sleep a little more soundly.

[Security Fix]
7:25:51 PM

News Item 8414 Microsoft Releases Patches to Fix 20 Security Holes.

Microsoft Releases Patches to Fix 20 Security Holes.

Microsoft Corp. today issued a dozen software updates to plug at least 20 security holes in its Windows operating system and other software, including fixes for a number of vulnerabilities in Office that hackers are currently exploiting to hijack vulnerable PCs. Windows users can download the free updates by visiting Microsoft Update or by enabling automatic updates.

The company labeled half of the vulnerabilities "critical," its most severe rating. Critical security holes are those that bad guys could exploit to seize control over vulnerable machines without any action on the part of the user, or those that could be exploited just by convincing a user to click on a link in an e-mail, or visit a particular Web page.

Today's patch bundle addresses a total of eight separate vulnerabilities in different versions of Office, Word, Excel and PowerPoint, six of which are already being exploited by hackers, according to Microsoft. As usual, those most in danger are Office 2000 users. These users cannot download the updates through the usual Windows/Microsoft update site. Instead, Office 2000 users must scan their machine at Microsoft's Office Update site and apply any outstanding fixes listed there.

Regardless of which version of Office you are using (or whether you are running Office at all), be extremely careful about opening attachments in e-mails that you were not expecting -- even if they appear to come from someone you know.

Microsoft also issued updates to correct four flaws in most versions of its Internet Explorer Web browser, all of which earned a "critical" rating. Worse yet, instructions detailing how to exploit two of these IE flaws have already been posted online (one set of instructions dates back to Oct. 2006).

Another patch fixes a critical flaw in the way that Microsoft's security software scans portable document format files (.PDF -- Adobe Acrobat documents, for example) for malicious software. According to Microsoft, this bug affects Windows Live OneCare, Microsoft Antigen, Windows Defender, Windows Defender in Windows Vista, Microsoft Forefront Security for Exchange Server and Forefront Security for SharePoint.

Interestingly, Microsoft said it also is investigating new public reports of a potential vulnerability in both Windows Mobile Internet Explorer and Windows Mobile Pictures and Video -- applications built into most Microsoft Smartphone and PocketPC mobile phones.

There were other patches released today. Home users should not delay in applying these updates: Last month, hackers infiltrated the official Web site of Dolphins Stadium -- the site of Super Bowl XLI -- and seeded it with a Trojan horse program that installed a password stealing program on Windows machines if users browsed to the site without having applied a patch that Microsoft issued just two weeks prior.

[Security Fix]
7:24:06 PM

News Item 8413 Bill Proposes Mandatory Data Retention for ISPs.

Bill Proposes Mandatory Data Retention for ISPs. A senior Congressman has introduced legislation that would require Internet Service Providers to retain records on all their subscribers. H.R. 837, introduced by Rep. Lamar Smith (R-TX), would grant the Attorney General broad authority to require ISPs to collect and retain unspecified information identifying their subscribers and their Internet activity. The measure would also require websites to label sexually explicit content and would impose liability on any ISP that engaged in any conduct that facilitated access to child pornography. [Center for Democracy and Technology]
7:20:48 PM

News Item 8412 Schneier: Why Microsoft Sold Out Consumers in Vista.

Schneier: Why Microsoft Sold Out Consumers in Vista.

Today, the PC industry needs Hollywood more than Hollywood needs the PC. Most consumers rely on traditional consumer electronics devices to view DVDs and TV content, but companies like Microsoft are betting on the converged digital home and desperately want a bigger piece of the media device market. Because of the DMCA, Microsoft has to get permission to build devices compatible with Hollywood's DRMed content. So when Hollywood demanded that Microsoft lard Vista with restrictions to access high-def DVD and digital cable content, the software giant was in a weak bargaining position.

But as Bruce Schneier explains in a recent editorial (via BoingBoing), Vista's DRM may also be a play to turn the tables and turn Microsoft's platform into a distribution channel on which Hollywood relies:

"[W]hile it may have started as a partnership, in the end Microsoft is going to end up locking the movie companies into selling content in its proprietary formats.

"We saw this trick before; Apple pulled it on the recording industry. First iTunes worked in partnership with the major record labels to distribute content, but soon Warner Music's CEO Edgar Bronfman Jr. found that he wasn't able to dictate a pricing model to Steve Jobs. The same thing will happen here; after Vista is firmly entrenched in the marketplace, Sony's Howard Stringer won't be able to dictate pricing or terms to Bill Gates. This is a war for 21st-century movie distribution and, when the dust settles, Hollywood won't know what hit them....

"Microsoft is reaching for a much bigger prize than Apple: not just Hollywood, but also peripheral hardware vendors. Vista's DRM will require driver developers to comply with all kinds of rules and be certified; otherwise, they won't work. And Microsoft talks about expanding this to independent software vendors as well. It's another war for control of the computer market."

Schneier overstates his case a bit when he says Microsoft could have simply refused Hollywood's demands for DRM and Hollywood would have released today's high-def video content for Vista anyway. But he's right that Microsoft would very much like to lock content vendors into a distribution channel that it controls, including for channels like IPTV and digital downloads. And the more Hollywood depends on Microsoft, the more Microsoft may be able to limit competition from other tech companies' platforms and devices.

[EFF: Deep Links]
7:19:17 PM

News Item 8411 U.S. Government Readying Massive Cybersecurity Test.

U.S. Government Readying Massive Cybersecurity Test. The U.S. Department of Homeland Security is planning a large-scale test of the nation's response to a cyberattack, to be held in early 2008. [PC World: Latest Technology News]
7:16:58 PM

News Item 8410 Mobile Attacks Jumped Fivefold in 2006, Study Says.

Mobile Attacks Jumped Fivefold in 2006, Study Says. The number of security attacks reported by mobile phone operators in 2006 jumped fivefold over the year before, a McAfee study reports. [PC World: Latest Technology News]
7:14:44 PM

News Item 8409 Groups Call for E-Voting Paper Trail Legislation.

Groups Call for E-Voting Paper Trail Legislation. A coalition of voting rights groups today called on the U.S. Congress to pass legislation that would require electronic voting machines to have printers attached. [PC World: Latest Technology News]
7:13:06 PM

News Item 8408 MySpace Working to Foil Pirates.

MySpace Working to Foil Pirates. MySpace adopts video-filtering system to keep users from uploading copyrighted material. [PC World: Latest Technology News]
7:11:20 PM

News Item 8407 Microsoft Fixes Critical Flaw in Security Products.

Microsoft Fixes Critical Flaw in Security Products. Software patches include critical fixes for bugs in Microsoft Office and the scanning engine used by the company's security products. [PC World: Latest Technology News]
7:09:20 PM

News Item 8406 New Capabilities Drive Cell Phone Security Demands.

New Capabilities Drive Cell Phone Security Demands. The growing functionality of mobile phones is driving demand for new and stronger security products. [PC World: Latest Technology News]
7:07:48 PM

News Item 8405 MySpace to block unauthorized videos.

MySpace to block unauthorized videos.

Automated filter

MySpace will use software to monitor videos posted to the site in a bid to block unauthorised use of copyrighted content. The social networking giant will use technology to analyse videos' audio tracks to identify infringing posts.

[The Register - Music and Media]
7:06:36 PM

News Item 8404 Eli Lilly Loses Effort to Censor Zyprexa Documents Off the Internet.

Eli Lilly Loses Effort to Censor Zyprexa Documents Off the Internet.

Judge Rescinds Injunction Against Wiki, Other Websites

New York - A U.S. District Court judge today refused Eli Lilly's request to ban a number of websites from publishing leaked documents relating to Zyprexa, Eli Lilly's top-selling drug. Although the judge rejected the First Amendment arguments made by a variety of individuals eager to publish the documents, the court concluded that "it is unlikely that the court can now effectively enforce an injunction against the Internet in its various manifestations, and it would constitute a dubious manifestation of public policy were it to attempt to do so." The order is a victory for the Electronic Frontier Foundation (EFF), which represents an anonymous individual who was previously barred by the court's earlier orders from posting links to the Zyprexa documents on the zyprexa.pbwiki.com wiki.

The Zyprexa documents were leaked from an ongoing product liability lawsuit against Eli Lilly. The internal documents allegedly show that Eli Lilly intentionally downplayed the drug's side effects, including weight gain, high blood sugar, and diabetes, and marketed the drug for "off-label" uses not approved by the Food and Drug Administration (FDA). The documents were the basis for a front-page story in the New York Times in December of last year, and electronic copies are readily available from a variety of Internet sources. EFF's client posted links to one set of copies on a wiki devoted to the controversy that were part of extensive, in-depth analysis from a number of citizen journalists.

"This ruling makes it clear that Eli Lilly cannot invoke any court orders in its futile efforts to censor these documents off the Internet," said EFF Staff Attorney Fred von Lohmann. "We are disappointed, however, that the judge failed to appreciate that its previous orders constituted prior restraints in violation of the First Amendment."

The court stayed its ruling for 10 days in order to permit an appeal. Zyprexa is Eli Lilly's best selling drug, used to treat schizophrenia and bipolar disorder. Eli Lilly has paid more than $1.2 billion to resolve lawsuits involving Zyprexa.

For the full order:
http://eff.org/legal/cases/zyprexa/zyprexa_judgement.pdf

For more on the Eli Lilly Zyprexa litigation:
http://www.eff.org/legal/cases/zyprexa/

Contact:

Fred von Lohmann
Senior Intellectual Property Attorney
Electronic Frontier Foundation
fred@eff.org

[EFF: Breaking News]
7:04:42 PM