Thursday, March 15, 2007

SELinux by Example. (Book Review) SELinux by Example. Ravi writes "SELinux is a project started and actively maintained by the U.S Department of Defense to provide a Mandatory Access Controls mechanism in Linux. It had been a long standing grouse of Linux power users and system administrators over its lack of fine grained access control over various running processes as well as files in Linux. While Solaris touts its famous RBAC and Microsoft Windows has its own way of providing finer rights to its resources, Linux had to put up with the simple but crude user rights known in tech speak as discretionary access control to control user access of files. With SELinux project making great strides and now being bundled with many major Linux distributions, it is possible to effectively lock down a Linux system through judicious use of SELinux policies. SELinux implements a more flexible form of MAC called type enforcement and an optional form of multilevel security." -- Read the rest of Ravi's review. Or go directly to my Amazon Associate site and buy the book - SELinux by Example [Slashdot] 3:49:06 PM  PermaLink   / trackback []

Core Security | CoreLabs - OpenBSD's IPv6 mbufs remote kernel buffer overflow Vulnerability Description The OpenBSD kernel contains a memory corruption vulnerability in the code that handles IPv6 packets. Exploitation of this vulnerability can result in: 1) Remote execution of arbitrary code at the kernel level on the vulnerable systems (complete system compromise), or; 2) Remote denial of service attacks against vulnerable systems (system crash due to a kernel panic) The issue can be triggered by sending a specially crafted IPv6 fragmented packet. OpenBSD systems using default installations are vulnerable because the default pre-compiled kernel binary (GENERIC) has IPv6 enabled and OpenBSD's firewall does not filter inbound IPv6 packets in its default configuration. 3:42:23 PM  PermaLink   / trackback []

Remote Exploit Discovered for OpenBSD. Remote Exploit Discovered for OpenBSD. An anonymous reader writes "OpenBSD is known for its security policies, and for its boast of "only one remote exploit in over 10 years". Well, make that two, because Core Security has found a remotely exploitable buffer overflow in the OpenBSD kernel. Upgrade your firewalls as soon as possible." [Slashdot] 3:39:14 PM  PermaLink   / trackback []

Newsroom | AssignmentZero Welcome. We're covering a story: How the Web makes it possible for the crowd to be the source of good ideas. But instead of one journalist reporting, we've created a site where many people can work on the story, with editors as guides. You are now in the Newsroom, where you can find an overview and learn what others are doing. The Assignment Desk is where you can see what we're covering in detail, and get an assignment. The Exchange is a place to offer new ideas. Check the day's developments with The Scoop. Ready? Join up. 3:36:39 PM  PermaLink   / trackback []

Wired News: Citizen Journalism Wants You! Welcome to Assignment Zero. It's pro-am journalism in the open style made possible by the web. This is a collaboration among NewAssignment.Net, Wired and those who choose to participate. I hope you will. Because we're trying to figure something out here. Can large groups of widely scattered people, working together voluntarily on the net, report on something happening in their world right now, and by dividing the work wisely tell the story more completely, while hitting high standards in truth, accuracy and free expression? If they can, this would matter. It's called Assignment Zero because we needed to jump start our site somehow, and this project with Wired turned out to be it. We're trying to create a pro-am, open-platform reporting tool that we can improve and modify later, for use in bigger, more sprawling and difficult stories down the road. Maybe about the environment. Or the schools. Or -- who knows? -- the war. 3:35:07 PM  PermaLink   / trackback []

Assignment Zero Tests Pro-Am Journalism Assignment Zero Tests Pro-Am Journalism Jay Rosen writes  "Assignment Zero is a pro-am, open-platform reporting project. The investigation: crowd sourcing and peer production are a social trend growing well beyond tech. Why is this happening? Partners: NewAssignment.Net and Wired.com, with Newsvine. From the Wired essay: 'We're trying to figure something out here. Can large groups of widely scattered people, working together voluntarily on the net, report on something happening in their world right now, and by dividing the work wisely tell the story more completely, while hitting high standards in truth, accuracy and free expression?' Wired.com: 'We want out readers and our sources to be one and the same. We think it will make for better journalism.'"  [Slashdot] 3:32:28 PM  PermaLink   / trackback []

Democrats grill FCC about neutrality, surveillance, more. Democrats grill FCC about neutrality, surveillance, more. Surveying the FCC's accomplishments in the three years since commissioners were last been required to make an account before a House oversight committee, some representatives question whether recent Republican supervision on such issues as emegency preparedness, NSA surveillance and Net neutrality wasn't somewhat lax [Computerworld Privacy News] 3:24:37 PM  PermaLink   / trackback []

AP Wire | 03/15/2007 | Senate votes against ad inserts in vehicle registration renewal notices JEFFERSON CITY, Mo. - Residents tired of getting junk ads in the mail could get a slight reprieve after action by the Senate on Wednesday night. The Department of Revenue last year began sending out advertisements along with license plate renewal notices. The state contracted with a company to handle the printing of vehicle registration notices in exchange for the right to sell and insert commercial ads in the packets. Senate Transportation Committee chairman Bill Stouffer, R-Napton, said the decision saves the state about $750,000. Missouri signed up partly because of the savings and partly in response to privacy concerns after it began mailing renewal notices on postcards in another budget-cutting move, the Revenue Department said at the time. The Senate was debating a wide-ranging bill to change motor vehicle laws, and Sen. Tim Green, D-St. Louis, offered an amendment preventing the state from including ads in the vehicle renewal notices. "The state has become a marketing agent," Green said. "It's just not the right of the state to use a requirement you have to fulfill to sell a product." 3:22:18 PM  PermaLink   / trackback []

How SMBs Eliminate IT Threats with Proactive Security. How SMBs Eliminate IT Threats with Proactive Security. (Source: MessageLabs) In this exclusive Webcast, Chris Christiansen and a panel of security experts will examine the fundamental link between IT security and its effects on business health. [Computerworld Privacy News] 3:19:14 PM  PermaLink   / trackback []

New Fraudulent Adware Uses Rootkit Techniques. New Fraudulent Adware Uses Rootkit Techniques. "Under no circumstances should users download applications through pop-up ads, or shortcuts that suddenly appear on the desktop." [GT: Security and Privacy] 3:16:48 PM  PermaLink   / trackback []

European Policy Strategy Proposed for RFID. European Policy Strategy Proposed for RFID. "The Commission's Europe-wide public consultation in 2006 identified a strong lack of awareness and considerable concern among citizens." [GT: Security and Privacy] 3:14:57 PM  PermaLink   / trackback []

Chertoff: Security and privacy not at odds. Chertoff: Security and privacy not at odds. Calling privacy groups "Luddites," DHS head Michael Chertoff defends the Real I.D. Act. He claims that the data-chipped drivers licenses, which will be linked to a numbers of databases around the country, will actually protect privacy  Editor:And down is up, black is white, and I have a bridge I'd like to sell you. [...] The head of the Department of Homeland Security on Thursday downplayed privacy concerns raised by the government's efforts to create standardized, data-chipped drivers licenses across the country. The same technology that makes information on identification cards more reliable can also protect privacy, DHS Secretary Michael Chertoff said during a speech to the Northern Virginia Technology Council. "It's my contention that properly used technology ... actually protects privacy," he said. "We should not allow folks to be captivated by the argument that every time we do something with a computer, it invades privacy." Chertoff was referring to privacy concerns surrounding the Real ID Act, a law passed by Congress in 2005 that would require states to create machine-readable ID cards containing the name of the holder, the data of birth, a digital photograph and other information. Privacy groups, including the Electronic Privacy Information Center (EPIC), have said that the DHS hasn't come up with rules on how the information on the cards should be protected. DHS has made only "vague" plans for card security and for restricting which state motor vehicle agency employees would have access to the information, EPIC says. "On security and privacy standards for the card, state motor vehicle facilities, and the personal data and documents collected in state motor vehicle databases, DHS shows little interest," EPIC says on its Web site. But Chertoff said those raising privacy concerns about the use of IT in the U.S. government's domestic security efforts create a false tension between security and privacy. "This kind of Luddite attitude ... is exactly wrong," he said. "Security and privacy are very much the same type of value. I don't think they're mutually exclusive, they're mutually reinforced." Chertoff also talked about how DHS is using IT. Technology plays a part in nearly all the agency's efforts, including machines that read fingerprints at border crossings, databases that link law enforcement investigations and scanning technologies for containers coming into the U.S. [Computerworld Privacy News] 3:12:44 PM  PermaLink   / trackback []

Google's New Plan to "Anonymize" Search Logs: A Good First Step, But More Is Needed. Google's New Plan to "Anonymize" Search Logs: A Good First Step, But More Is Needed. After years of criticism from EFF and other privacy advocates, Google announced yesterday a new policy on how it handles logs of its users' searches: after 18-24 months, it will delete key information in its server logs that could be used to link particular users to records of their search queries. This is a big change from Google's previous policy, which was essentially to keep all of those logs forever in identifiable form, and we're certainly glad to see that Google is starting to limit its retention of such sensitive data. Your Google search history can paint an intimate portrait of your most private interests and concerns. Particularly in light of the disastrous AOL search terms disclosure, recent scandals involving government surveillance, and Google's own recent court fight with the government over a subpoena for search records, it seems that Google has finally realized that limiting the retention of such records is essential to protecting your privacy. Hopefully, Google's change in policy will spur other online service providers to consider how they can minimize the amount of personal data that they store, and perhaps even prompt competition between service providers to offer the most privacy-protective services. However, we hope that this new announcement is only Google's first step in changing its privacy practices, because additional changes would better protect user privacy and set an even better example for the industry: Google should shorten the retention period for identifiable logs to six months at the outside, and ideally to only thirty days (which is AOL's retention limit for similar logs). Barring this, it should at least justify why it needs such records for up to two years, beyond offering one-sentence platitudes about how such records are used to improve Google's service. Google should also shorten the retention of the "anonymized" logs, which Google apparently still intends to keep forever. As Google itself admits, the new policy changes still don't guarantee users' anonymity, and holding onto those records indefinitely still poses a serious private threat. Therefore, Google should consider more robust anonymization techniques, up to and including scrubbing entire IP addresses rather than just the last quarter or "octet" of such addresses. Finally, Google should expand its new anonymization policy to include the search records of users with Google Account log-ins, and to records generated by their myriad other services, rather than limiting the policy change to regular search logs. Beyond making these additional policy changes, there's one more thing that Google should be doing[~]something we think it actually has a duty to do as a good corporate citizen and as a preeminent Internet powerhouse[~]and that is using its considerable political clout to fight for better Internet privacy laws on Capitol Hill. Right now, there are significant questions as to whether or how Internet search logs are protected by existing federal privacy laws, and Google owes it to its customers to publicly advocate for updating those privacy laws for the 21st century. [EFF: Deep Links] 3:05:57 PM  PermaLink   / trackback []

Spyware Legislation Could Aid Enforcement, CDT Testifies. Spyware Legislation Could Aid Enforcement, CDT Testifies. An anti-spyware measure pending in Congress contains important provisions that could strengthen enforcement against spyware scammers, but broad consumer privacy legislation is still needed to address the larger issues associated with spyware, CDT Deputy Director Ari Schwartz told a congressional panel today. Testifying before the House Energy and Commerce Committee's Subcommittee on Commerce Trade and Consumer Protection, Schwartz applauded language in the Spy Act (H.R. 964) that bolsters the Federal Trade Commission's enforcement capabilities. But Schwartz also noted that the longtime practice of addressing privacy concerns sector-by-sector, rather than as part of a broader initiative would not get to the root of the problem. [Center for Democracy and Technology] 2:45:50 PM  PermaLink   / trackback []

Comments on Google's Privacy Announcement. Comments on Google's Privacy Announcement. Greetings. Google has announced significant changes to their data retention policy. Since I'm already being asked for my opinion regarding their announcement, I'm sending this out now rather selfishly to avoid having to generate a large number of individual responses... [Lauren Weinstein's Blog] 2:22:07 PM  PermaLink   / trackback []

Google adding search privacy protections | CNET News.com Google is changing its data retention practices to make it harder to identify the specific computers used in searches. Google's servers log information every time someone conducts a Web search, keeping data such as the keywords used, the Internet Protocol address or unique number assigned to that person's computer, and information from Web cookies, which are small bits of data exchanged between a server and a Web browser each time the browser accesses the server. Cookies are used to authenticate the user and maintain information such as the user's site preferences. Currently, Google maintains the search data logs indefinitely. Under the new policy announced on Wednesday, which Google expects to have fully implemented by the end of the year, the company will anonymize the final eight bits of the IP address and the cookie data after somewhere between 18 months and 24 months, unless legally required to retain the data for longer. The information on specific searches will remain indefinitely, but it will be much harder to tie the searches to specific individuals or computers. "Logs anonymization does not guarantee that the government will not be able to identify a specific computer or user, but it does add another layer of privacy protection to our users' data," the company said. The policy change will apply to future Web search data as well as archived logs and all copies of the data stored on other servers, Google said. Users will be able to opt out of the practice and request that their search data be maintained indefinitely. Privacy advocates in general said Google's policy change is a step in the right direction but not nearly enough to really protect Web searchers from overzealous law enforcers. Keeping the search histories could enable investigators and governments to get to all sorts of personal information about people, they argue. "I don't think the Google proposal is adequate. This period is too long and it's not in fact data destruction, it's more data de-identification, and that should be happening in 18 to 24 hours, not months," said Marc Rotenberg, executive director of the Electronic Privacy Information Center. "I'm not persuaded that this isn't still a ticking time bomb for Google's search engine." Richard M. Smith, an Internet security and privacy consultant at Boston Software Forensics, said Google should never be archiving the IP address and cookies on servers. "Google should not be in the spy business," he said. "By logging IP addresses and search strings they are running the largest intelligence operation in the world." Anonymizing the last eight bits of the IP address effectively would enable investigators to narrow the IP address down to 256 possible computers or users. That would be similar to obscuring the last digit in someone's street address. [...] Kevin Bankston, staff attorney at the Electronic Frontier Foundation, said he would like to see Google scrub the entire IP address within six months, but praised Google for making this "positive first step." "We hope other online service providers will heed this example and work to minimize the amount of data they keep about their customers," Bankston said. [...] The risks associated with Web search data were highlighted last August when AOL inadvertently exposed on the Internet the search history of more than 650,000 of its users. The move prompted widespread criticism from privacy advocates and Congress and the filing of a complaint against AOL with the Federal Trade Commission, as well as the firing of two AOL employees and the resignation of its chief technology officer and a class action lawsuit. 2:21:06 PM  PermaLink   / trackback []

Google To Anonymize Data -- Updated WIRED Blogs: 27B Stroke 6 Googleis reversing a long-standing policy to retain all the data on its users indefinitely, and by the end of the year will begin removing identifying data from its search logs after 18 months to two years, depending on the country the servers are located in. Currently, Google retains indefinitely detailed server logs on its search engine users, including user's IP addresses - which can identify a user's computer, the query, any result that is clicked on, their browser and operating system, among other details. Even if a user never signs up for a Google account, those searches are all tied together through a cookie placed on the user's computer, which currently expires in 2038. The new policy will be global, but there will be variances by country, especially in Europe where a data retention rule passed in 2005 requires ISPs and phone companies to keep data from six months to two years. After that time period, Google will "anonymize" the search data from web and image searches by dropping either the second half or last quarter of I.P. addresses, thus turning an address such as 127.0.34.35into127.0or127.0.34. The goal is to make it technically impossible to retroactively tie a query back to a computer, unless the query included identifying information. User logs from services that require log-ins, such as personalized search, Google Documents and Gmail will not be subject to this policy. Those services are governed by their own privacy policies. More can be found on this at Google's official blog announcement. Civil libertarians have long criticized the search giant's hoarding for data, saying that the data store created an attractive target for law enforcement and civil suits. Google successfully quashed a Justice Department request for large chunks of user data in 2005. 2:15:53 PM  PermaLink   / trackback []

Google To "Anonymize" Personal Data after 18-24 Months. Google To "Anonymize" Personal Data after 18-24 Months. Google made a major announcement today that by the end of the year will begin removing identifying data from its search logs after 18 -24 months: When you search on Google, we collect information about your search, such as the query itself, IP addresses and cookie details. Previously, we kept this data for as long as it was useful. Today we're pleased to report a change in our privacy policy: Unless we're legally required to retain log data for longer, we will anonymize our server logs after a limited period of time. When we implement this policy change in the coming months, we will continue to keep server log data (so that we can improve Google's services and protect them from security and other abuses)--but will make this data much more anonymous, so that it can no longer be identified with individual users, after 18-24 months. They've released a log retention FAQ (PDF) with more details, including how they will "anonymize" the log data: What does it mean to anonymize the logs? We will change some of the bits in the IP address in the logs as well as change the cookie information. We're still developing the precise technical methods and approach to this, but we believe these changes will be a significant addition to protecting user privacy. How do these anonymizing measures protect user privacy? Changing the bits of an IP address makes it less likely that the IP address can be associated with a specific computer or user. Cookie anonymization makes it less likely that a cookie can be used to identify a user. Do these changes guarantee anonymization? It is difficult to guarantee complete anonymization, but we believe these changes will make it very unlikely users could be identified. This is an important and promising step towards greater privacy and protection of personal search history records. But remember, AOL thought they had released anonymized data as well. Just because and IP and cookie has been modified doesn't mean that user privacy is ensured. The preferred solution would be for Google to purge the data altogether after, or just don't collect it in the first place. Unfortunately I don't have much time for further analysis (baby, dissertation, oh my!), but 27B Stroke 6 is on top of it, and CNet has reaction from CDT, EFF, and others. michaelzimmer.org] 2:12:41 PM  PermaLink   / trackback []

ugc panel video from the State of the Net Conferece. ugc panel video from the State of the Net Conferece. Earlier this year, the Congressional Internet Caucus Advisory Committee held its always relevant State of the Net Conference 2007. One of the panels was on user generated content (or ugc), titled [base "]User-Generated Content - Can Copyright Tolerate Mixing & Mashing?.[per thou] Members of the panel included, Pam Samuelson, Rob Pegoraro, Jim DeLong, and Steven Starr. It was a good discussion, and you can watch the video here (Real Video). [Public Knowledge - Blogging, Events, and Action Alerts] 2:08:01 PM  PermaLink   / trackback []

Google to anonymize user data. Google to anonymize user data. It's about time Google is to discard some of the information it stores about user search requests in an effort to address concerns by privacy watchdogs and defend itself against government demands for data. [The Register - Music and Media] 2:03:25 PM  PermaLink   / trackback []

Google to Make Search Logs Anonymous. Google to Make Search Logs Anonymous. Google announced today that it will start making its records about users' searches anonymous after 18 to 24 months. [PC World: Latest Technology News] 2:01:09 PM  PermaLink   / trackback []

Interpreting the Results of a Vulnerability Assessment: How to Focus on What's Important in Your Web Application Security Testing. Interpreting the Results of a Vulnerability Assessment: How to Focus on What's Important in Your Web Application Security Testing. SPI Dynamics just completed a new article, written by Kevin Beaver and Caleb Sima, that discusses how to interpret and prioritize the results of Web application security tests. By Kevin Beaver. [Infosec Writers Latest Security Papers] 1:59:06 PM  PermaLink   / trackback []

EU Working Towards RFID Standards. EU Working Towards RFID Standards. European Commission has formed a RFID stakeholder group, says industry must pay attention to security and privacy issues. [PC World: Latest Technology News] 1:57:25 PM  PermaLink   / trackback []