Thursday, March 1, 2007


News Item 8623 PC World - Vista's UAC Warnings Can't Be Trusted, Symantec Says

Windows Vista's User Account Control (UAC), a system that Microsoft says makes the new operating system safer from attack, can be spoofed and shouldn't be completely trusted, a Symantec researcher said on Wednesday.

Ollie Whitehouse, an architect at Symantec's advanced threats research team, first used a blog entry Tuesday to point out how a hacker could use a file included with Vista to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.


10:19:06 PM

News Item 8622 Tricking Vista's UAC To Hide Malware.

Tricking Vista's UAC To Hide Malware. Vista's User Account Control, love it or hate it, represents a barrier against unwanted software getting run on users' computers. A Symantec researcher has found a simple way to spoof UAC and says that it shouldn't be completely trusted. The trick is to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.  [Slashdot]
10:14:53 PM

News Item 8621 Windows for Warships nears frontline service | The Register

The Type 45 destroyers now being launched will run Windows for Warships: and that's not all. The attack submarine Torbay has been retrofitted with Microsoft-based command systems, and as time goes by the rest of the British submarine fleet will get the same treatment, including the Vanguard class (V class). The V boats carry the UK's nuclear weapons and are armed with Trident ICBMs, tipped with multiple H-bomb warheads.

All this raises a number of worrying issues. First up is basic reliability and usability. Most of us have stared in helpless despair at the dreaded blue screen; how much worse would you feel if that wasn't just your desktop gone but your combat display, and it really was the screen of death?


10:07:50 PM

News Item 8620 Windows For Warships Nearly Ready.

Windows For Warships Nearly Ready. mattaw writes "The Register is carrying the sanest and most balanced article on Windows deployment in UK warships that I have read to date in the public domain. As an ex-naval bod myself, we have long considered that this is potentially a REAL problem. The main issues are the huge amount of unrelated code that is imported with the kernel and the need for incredibly fast response times." [Slashdot]
9:59:26 PM

News Item 8619 T-Mobile Bans Others' Apps On Their Phones.

T-Mobile Bans Others' Apps On Their Phones. cshamis writes "T-Mobile has recently changed their policies and now tell their customers with appropriate data plans and with Java-Micro-App-capable T-Mobile phones: no third-party network applications. You can, of course, still use their incredibly clunky and crippled built-in WAP browsers, but GoogleMaps and OperaMini are left high and dry. Would anyone care to speculate if this move is likely to retain or repel customers?" [Slashdot]
9:53:54 PM

News Item 8618 BitTorrent Video Download Store Falls Flat.

BitTorrent Video Download Store Falls Flat. seriously writes  "We've all heard about BitTorrent going legit this week with legal movie and TV show downloads. Ars Technica took a look at the service to see how usable it was and ran into a few snags, including not being able to download or even open the video files on some computers. However, the ones that they did manage to open varied a lot in quality. Overall, they blame DRM: 'Without knowing whether browser compatibility and dysfunctional video files are a rare occurrence or not, it's hard to say whether BitTorrent's service is a good one overall. Our initial experiences have been disappointing and frustrating, and guess what the culprit is once again? DRM. Why the DRM failed to work on 50% of our purchases is not clear, but whatever the cause, it's simply unacceptable.'"  [Slashdot]
9:47:44 PM

News Item 8617 Audio Watermark Web Spider Starts Crawling.

Audio Watermark Web Spider Starts Crawling. DippityDo writes "A new web tool is scanning the net for signs of copyright infringement. Digimarc's patented system searches video and audio files for special watermarks that would indicate they are not to be shared, then reports back to HQ with the results. It sounds kind of creepy, but has a long way to go before it makes a practical difference. 'For the system to work, players at multiple levels would need to get involved. Broadcasters would need to add identifying watermarks to their broadcast, in cooperation with copyright holders, and both parties would need to register their watermarks with the system. Then, in the event that a user capped a broadcast and uploaded it online, the scanner system would eventually find it and report its location online. Yet the system is not designed to hop on P2P networks or private file sharing hubs, but instead crawls public web sites in search of watermarked material.'" [Slashdot]
9:43:48 PM

News Item 8616 You Can Plead Guilty Here.

You Can Plead Guilty Here. The RIAA unveils P2PLawsuits.com, a site that allows people turned in by their universities or ISPs for copyright infringement to settle their cases in advance of due process. In Listening Post. [Wired News: Top Stories]
9:36:31 PM

News Item 8615 Lawmakers Tout DMCA Killer.

Lawmakers Tout DMCA Killer. The Fair Use Act would free honest consumers to pick the electronic locks on their digital media, under certain circumstances. A congressman says it's a good first step. Luke O'Brien reports from Washington. [Wired News: Top Stories]
9:33:54 PM

News Item 8614 Castrated RFID Talk at Black Hat.

Castrated RFID Talk at Black Hat. Following a lawsuit threat, a security researcher goes ahead with a presentation on vulnerabilities in RFID access cards -- but doesn't demonstrate problems with HID Global's system. By Kim Zetter. [Wired News: Top Stories]
9:29:30 PM

News Item 8613 TIA becomes ADVISE | Free Government Information (FGI)

Congress killed the Total Information Awareness (TIA) program in 2003, and several new programs have been reported to take its place. (See "Total Information Awareness just changed its name," FGI, 2006-02-26.) A forthcoming GAO report looks at the use of the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE) system.
9:13:23 PM

News Item 8612 NGA Praises Congressional Movement to Correct Real ID.

NGA Praises Congressional Movement to Correct Real ID. "The substantial costs and looming implementation deadline make Real ID unworkable and unreasonable." [GT: Security and Privacy]
9:07:42 PM

News Item 8611 DHS Proposal for State Driver License Enhancements Posted for Public Comment.

DHS Proposal for State Driver License Enhancements Posted for Public Comment. DHS will grant states an extension of the compliance deadline until December 31, 2009. [GT: Security and Privacy]
9:04:53 PM

News Item 8610 Solaris Worm Blasts Way Through Operating System.

Solaris Worm Blasts Way Through Operating System. "Hi, I'm Casper, I am a bored Sun developer and I wrote this piece of code." [GT: Security and Privacy]
9:02:48 PM

News Item 8609 Malware Adopts Disguises in Attempt to Dupe IT Defenses.

Malware Adopts Disguises in Attempt to Dupe IT Defenses. Top ten threats and hoaxes reported in February 2007. [GT: Security and Privacy]
8:55:38 PM

News Item 8608 Real ID Act Deadline Pushed Back to 2009.

Real ID Act Deadline Pushed Back to 2009. "We will work closely with states to implement these standards and protect Americans' privacy against identity theft and the use of fraudulent documents." [GT: Security and Privacy]
8:53:08 PM

News Item 8607 Legislation eyes nightclubs - Greenwich Time

Pending the mayor's signature, which is expected, all clubs where dancing is permitted will be required to install surveillance cameras at entrances and exits. While some Council members raised privacy concerns, the overwhelming majority agreed the surveillance tapes would be an invaluable deterrent and aid police if a crime is committed.

All surveillance tapes must be securely stored, and clubs could be fined up to $50,000 if the footage makes its way onto TV or gossip Web sites.

Industry representatives welcomed the surveillance camera vote, but pointed out that 90 percent of clubs with dancing already have such cameras installed.
8:50:56 PM

News Item 8606 National ID Card Rules Unveiled.

National ID Card Rules Unveiled. The DHS chief reveals how he'll turn state driver's licenses into internal passports. By Ryan Singel. [Wired News: Security Blanket]
7:48:35 PM

News Item 8605 DOD, Microsoft sign deal to data mine health records

The Defense Department has signed an agreement with Microsoft under which the software vendor will help develop tools and methods for analyzing the department's 9.1 million electronic patient records to find better ways to manage the health of DOD beneficiaries.

Under the cooperative research and development agreement, Microsoft will work with the Army's Telemedicine and Advanced Technology Research Center to extract, store and analyze data stored in DOD's Armed Forces Health Longitudinal Technology Application (AHLTA) electronic health record system.

The AHLTA clinical data repository (CDR) is "an untapped goldmine of health information, and the ability to draw upon and efficiently use this data will allow us to unleash the true power of AHLTA," said Dr. William Winkenwerder Jr., assistant secretary of Defense for health affairs. "This project has the potential to vastly improve our ability to provide both force health protection and population health improvement activities for every soldier, sailor, airman and Marine."

Microsoft and the Army center aim to develop a clinical data warehouse (CDW) that provides predefined queries of interest to clinicians and analysts. The warehouse also will support data mining, which uses clustering and pattern recognition techniques to discover previously unknown correlations in the data. Intel and HP are providing support on security, sizing, and scalability testing of the CDW architecture, Microsoft said.

Dr. Deborah Peel, chairwoman of the Patient Privacy Rights Foundation, views the patient information not as a goldmine ripe for exploitation but as a collection of personal and sensitive health information that needs to be zealously guarded and only accessed with express consent by the patient.

7:46:58 PM

News Item 8604 MPAA Fires Back at AACS Decryption Utility.

MPAA Fires Back at AACS Decryption Utility. RulerOf writes "The AACS decryption utility released this past December, known as BackupHDDVD and originally authored by Muslix64 of the Doom9 forums, has received its first official DMCA Takedown Notice. It has been widely speculated that the utility itself was not an infringing piece of software, due to the fact that it is merely 'a textbook implementation of AACS,' written with the help of documents publicly available at the AACS LA's website, and that the AACS Volume Unique Keys that the end user isn't supposed to have access to are in fact the infringing content, but it appears that such is not the case." From the thread: "...you must input keys and then it will decrypt the encrypted content. If this is the case, then according to the language of the DMCA it does sound like it is infringing. Section 1201(a) says that it is an infringement to 'circumvent a technological measure.' The phrase 'circumvent a technological measure' is defined as 'descramb(ling) a scrambled work or decrypt(ing) an encrypted work, ... without the authority of the copyright owner.' If BackupHDDVD does in fact decrypt encrypted content, then per the DMCA it needs a license to do that." [Slashdot: Your Rights Online]
7:43:21 PM

News Item 8603 Dell Censors IdeaStorm Linux Dissent.

Dell Censors IdeaStorm Linux Dissent. thefickler writes "It seems pointless to seek ideas and feedback if you're going to ignore and delete the opinions you don't like. That's exactly what Dell is doing with its IdeaStorm website, which the company set up to solicit such ideas and feedback. Dell deleted a post linking to an article that criticizes its handling of the 'pre-installed Linux' issue." [Slashdot: Your Rights Online]
7:39:34 PM

News Item 8602 Berners-Lee Speaks Out Against DRM, Advocates Net Neutrality.

Berners-Lee Speaks Out Against DRM, Advocates Net Neutrality. narramissic writes "Speaking before the House Subcommittee on Telecommunications and the Internet, Tim Berners-Lee advocated for net neutrality, saying that the Web deserves 'special treatment' as a communications medium to protect its nondiscriminatory approach to content. Berners-Lee's more controversial statements came on the topic of DRM, in which he suggested that instead of DRM, copyright holders should provide information on how to legally use online material, allowing users the opportunity 'to do the right thing.' This led to an odd exchange with Representative Mary Bono, who compared Berners-Lee's suggestion to 'having a speed limit but not enforcing the speed limit.'" [Slashdot: Your Rights Online]
7:31:36 PM

News Item 8601 Manipulating Reputation Systems.

Manipulating Reputation Systems.

BoingBoing points to a nice pair of articles by Annalee Newitz on how people manipulate online reputation systems like eBay's user ratings, Digg, and so on.

There's a myth floating around that such systems distill an uncannily accurate folk judgment from the votes submitted by millions of ordinary citizens. The wisdom of crowds, and all that. In fact, reputation systems are fraught with problems, and the most important systems survive because companies expend great effort to supplement the algorithms by investigating abuse and trying to compensate for it. eBay, for example, reportedly works very hard to fight abuse of its reputation system.

Why do people put more faith in reputation systems than the systems really deserve? One reason is the compelling but not entirely accurate analogy to the power of personal reputations in small town gossip networks. If a small-town merchant is accused of cheating a customer, everyone in town will find out quickly and – here's where the analogy goes off the rails – individual townspeople will make nuanced judgments based on the details of the story, the character of the participants, and their own personal experiences. The reason this works is that the merchant, the customer, and the person evaluating the story are embedded in a complex, densely interconnected network.

When the network of participants gets much bigger and the interconnections much sparser, there is no guarantee that the same system will still work. Even if it does work, a large-scale system might succeed for different reasons than the small-town system. What we need is some kind of theory: some kind of explanation for why a reputation system can succeed. Our theory, whatever it is, will have to account for the desires and incentives of participants, the effect of relevant social norms, and so on.

The incentive problem is especially challenging for recommendation services like Digg. Digg assumes that users will cast votes for the sites they like. If I vote for sites that I really do like, this will mostly benefit strangers (by helping them find something cool to read). But if I sell my votes or cast them for sites run by my friends and me, I will benefit more directly. In short, my incentive is to cheat. These sorts of problems seem likely to get worse as a service grows, because the stakes will grow and the sense of community may weaken.

It seems to me that reputation systems are a fruitful area for technical, economic and social research. I know there is research going on already – and readers will probably chastise me in the comments for not citing it all – but we're still far from understanding online reputation.

[Freedom to Tinker]
7:25:59 PM

News Item 8600 Here comes image spam.

Here comes image spam. Image spam--e-mail solicitations that use graphical images of text--is not new. But its rising sophistication has made much of it invisible to spam filters so that it makes up one-third of all spam, according to Doug Bowers, director of antiabuse engineering at Symantec. E-mail traffic--83 percent of which was spam--rose in 2006, according to antispam company BorderWare, and researchers there expect image spam to grow. [CSO Online Data Security Briefing]
7:24:29 PM

News Item 8599 'Electric Slide' Creator Steps on Fair Use.

'Electric Slide' Creator Steps on Fair Use.

EFF Lawsuit Battles Bogus Copyright Claims

San Francisco - The Electronic Frontier Foundation (EFF) filed suit today against the man who claims to have created the popular line dance "The Electric Slide," asking the court to protect the free speech rights of a videographer who captured a few steps of the dance in a documentary video he posted to the Internet.

EFF's client, Kyle Machulis, shot the video at a concert last month. In one ten-second segment, a group of fans in the audience attempts to dance part of the Electric Slide. Machulis later uploaded the video to YouTube. Within just a few days, Richard Silver, owner of www.the-electricslidedance.com, filed a takedown demand under the Digital Millennium Copyright Act (DMCA). Silver claimed he owned the copyright to the Electric Slide and that Machulis' video infringed his rights. The removal appears to be part of a broad campaign by Silver to misuse copyright allegations to prevent dancers from performing the dance "incorrectly."

"Silver's claim of copyright infringement is absurd and is a classic example of the kind of DMCA abuse that can chill Internet speech," said EFF Staff Attorney Corynne McSherry. "Even if Silver had a valid copyright in the dance--which is not at all clear--this is a fair use and not infringing."

EFF's complaint asks that the judge immediately rule that the video does not infringe any copyright owned by Silver, and that Silver cease his meritless claims towards Machulis.

"We spend a lot of time fighting the misuse of copyright law on the Internet, but this situation is particularly outrageous," said EFF Staff Attorney Jason Schultz. "With thousands of videos being uploaded to sites like YouTube every day, free speech is on the line and needs to be protected."

For the full complaint:
http://www.eff.org/legal/cases/electricslide/complaint.pdf

Contacts:

Corynne McSherry
Staff Attorney
Electronic Frontier Foundation
corynne@eff.org

Jason Schultz
Staff Attorney
Electronic Frontier Foundation
jason@eff.org

[EFF: Breaking News]
7:23:19 PM

News Item 8598 War of Words Erupts Between HP Scandal Players.

War of Words Erupts Between HP Scandal Players. The attorney for the ousted HP chairman fired back at public comments made by board rival about the HP pretexting scandal. [PC World: Latest Technology News]
7:20:30 PM

News Item 8597 U.S. Bill Proposes E-Health Records Incentives.

U.S. Bill Proposes E-Health Records Incentives. Doctors would get $3 for every patient signed up to use an electronic health record under terms of a new House bill introduced today. [PC World: Latest Technology News]
7:19:07 PM

News Item 8596 DHS Issues REAL ID Regulations; CDT Urges Repeal of Law.

DHS Issues REAL ID Regulations; CDT Urges Repeal of Law. The Department of Homeland Security has issued proposed regulations implementing the REAL ID Act, which would require states to adopt tighter standards and create a networked system for driver's license issuance. Given the Act's fundamental flaws, CDT has joined other civil liberties groups in supporting legislation introduced in recent days in the House and Senate to repeal the hastily-enacted 2005 law and return to the driver's license reform process begun by the previous Congress. CDT is especially concerned that the Act would result in the creation of a linked network of government databases of personal information, without standards or limits on access and use. [Center for Democracy and Technology]
7:17:49 PM

News Item 8595 Senators Weigh in on WIPO Broadcast Treaty.

Senators Weigh in on WIPO Broadcast Treaty.

Senators Patrick Leahy and Arlen Specter recently sent a letter to the Copyright Office and the PTO, expressing their concern about the WIPO Broadcast Treaty. In it, they voice many of the same concerns that have brought together a broad alliance of public interest groups, libraries, technology groups, and communications providers against the treaty as it is currently envisioned at WIPO.

Specifically, the senators (who are, respectively, the Chair and Ranking Member of the Judiciary Committee) are worried that granting broadcasters a separate, 20-year-long IP right in broadcasts could interfere with the fair use of works, as well as complicating the legal hoops that consumers would have to jump through. The letter also addresses the fact that copyright owners and ISPs could run into unintended liabilities under the treaty.


[Public Knowledge - Blogging, Events, and Action Alerts]
7:16:23 PM