TJX Hacking Conspirator Gets 4 Years: Via Threat Level.

Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking.

Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts.

Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers. [ Read more ... ]

The Cell Phone Network: Law Enforcement's Surveillance Dream: Via Blog of Rights: Official Blog of the American Civil Liberties Union.

Yesterday, WNYC's On the Media (OTM) profiled our cell phone tracking case. In this case, the ACLU, Center for Democracy and Technology and the Electronic Frontier Foundation (EFF) asked the court to require that the government at least show probable cause before it can ask a wireless provider to fork over information about your whereabouts using GPS or cell tower tracking via your cell phone. We won in the district court (PDF); the government appealed that decision to the 3rd Circuit. [ Read more ... ]

Serious Apache Exploit Discovered: Via Slashdot.

bennyboy64 writes "An IT security company has discovered a serious exploit in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache's core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit."
Note: according to the advisory, this exploit is exclusive to Windows.

Read Original Article:(Via Slashdot.)

White House Cyber Czar: ‘There Is No Cyberwar’: Via Threat Level.

Howard Schmidt, the new cybersecurity czar for the Obama administration, has a short answer for the drumbeat of rhetoric claiming the United States is caught up in a cyberwar that it is losing.

“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”

Instead, Schmidt said the government needs to focus its cybersecurity efforts to fight online crime and espionage.

His stance contradicts Michael McConnell, the former director of national intelligence who made headlines last week when he testified to Congress that the country was already in the midst of a cyberwar — and was losing it. [ Read more ... ]

DMCA Muscle Strong-Arms DVD Copying: Via Threat Level.

Those awaiting a legitimate method to duplicate DVDs for personal use likely will have to wait even longer, perhaps forever, after RealNetworks tossed in the white towel and abandoned litigation toward that end.

RealNetworks spent almost two years in a legal battle with the Motion Picture Association of America, which sued the Seattle-based company to block the sale of its DVD-copying software and hardware –- generally known as RealDVD. The company said late Wednesday it was dropping its appeal of an August federal court decision that declared RealDVD an illegal violation of the Digital Millennium Copyright Act of 1998.

The act, which the Hollywood studios strongly lobbied for, prohibits the circumvention of encryption technology. DVDs are encrypted with what is known as the Content Scramble System, and DVD players must secure a license to play discs. RealDVD, U.S. District Judge Marilyn Hall Patel ruled, circumvents the CSS technology designed to prevent copying and is therefore a breach of the CSS license.

The litigation cost RealNetworks millions of dollars, including $4.5 million to reimburse the MPAA for its legal costs. The outcome cost Rob Glaser, RealNetworks’ CEO, his job. [ Read more ... ]

Unintended Consequences: 12 Years Under the DMCA: Via EFF.org Updates.

EFF today released Unintended Consequences: 12 Years Under the DMCA. This is the sixth update to the report, which aims to catalog all the reported instances where the DMCA's ban on tampering with DRM have been abused to stymie fair use, free speech, and competition, rather than to attack "piracy."

Congress enacted the DMCA's ban on bypassing DRM at the urging of entertainment industry lobbyists who argued that DRM backed by law would quell digital copyright infringement. Of course, 12 years later, that exactly hasn't worked out. Nor is it likely to ever work out. But lots of industries have recognized that these provisions of the DMCA are good for other things—like impeding scientific research and legitimate competition. The Unintended Consequences report collects these stories, including oldies like Lexmark's effort to block toner cartridge refilling and new cases like the lawsuit against RealDVD. [ Read more ... ]

Flipping Off Cops Is Legal, Not Advised: Via Threat Level.

Flipping the bird, or sticking out the middle finger, is perhaps the oldest insulting gesture on earth. The move dates back to ancient Greece and was adopted by the Romans as digitus impudicus — the impudent finger.

A zillion middle fingers later, an Oregon man is suing suburban Portland cops (.pdf) over his use of the gesture, claiming civil rights violations. Twice he flipped them off for no apparent reason while driving and was pulled over each time — resulting in what he said was a “bogus” traffic citation that was later dismissed, and a tongue lashing he still remembers.

“The guy flew into a road rage,” Robert Ekas, a retired Silicon Valley systems analyst, said in a telephone interview Tuesday.

Lawrence Wolf, a Los Angeles criminal defense attorney, said there was no law against flipping off cops. And in most instances when it leads to an arrest or conviction, the charges are dismissed. But the gesture invites police confrontation, he said.

“It’s certainly not the smartest thing one can do,” Wolf said. [ Read more ... ]

Cyberwar Hype Intended to Destroy the Open Internet: Via Threat Level.

The biggest threat to the open internet is not Chinese government hackers or greedy anti-net neutrality ISPs, it’s Michael McConnell, the former director of national intelligence.

McConnell’s not dangerous because he knows anything about SQL injection hacks, but because he knows about social engineering:  McConnell is the nice-seeming guy who is willing and able to use fear-mongering to manipulate the federal bureaucracy for his own ends, while coming off like a straight shooter to those not in the know.

When he was head of the country’s national intelligence, he scared President Bush with visions of e-doom, prompting the president to sign a comprehensive secret order that unleashed tens of billions of dollars into the military’s black budget so they can start making firewalls and malware into military equipment. And now McConnell, back safely in civilian life as a vice president at the secretive defense contracting giant Booz Allen Hamilton, is out in front of Congress and the media, peddling the same Cybaremaggedon! gloom.

And now he says we need to re-engineer the internet. [ Read more ... ]

‘Sophisticated’ Hack Hit Intel in January: Via Threat Level.

Intel is the latest U.S. corporation to acknowledge that it was hacked in January in a sophisticated attack that occurred at the same time that Google, Adobe and others were targeted.

The giant California-based chip maker was rumored to have been among some 34 companies that were targeted, but said on Tuesday there was no evidence to tie its hack to the attack on Google and others.

“We did not see the kind of broad-based attack as described by Google,” said Intel spokesman Chuck Mulloy. “Companies routinely see hackers trying to get into their system. It is a risk factor and that’s why it was in the 10k. We’ve seen no loss of [intellectual property] as a result of any of these attacks.”

In its latest 10k filing to the Securities and Exchange Commission, Intel disclosed that it had been the target of a “sophisticated incident occurred in January 2010 around the same time as the recently publicized security incident reported by Google. [ Read more ... ]

The Time Has Come to Protect Reader Privacy: Via Blog of Rights: Official Blog of the American Civil Liberties Union.

(Originally posted on the ACLU of Northern California's Bytes and Pieces blog.)

Today, Google and the authors and publishers who sued Google are hoping that United States District Court Judge Denny Chin will approve their settlement and allow Google to launch the world's largest digital library and bookstore combined.

While the ACLU strongly supports increased access to books, we have filed an objection to this settlement on behalf of a coalition of authors and publishers — including best sellers Michael Chabon and Jonathan Lethem and publisher Lawrence Ferlenghetti — who have serious concerns that reader privacy and free speech is being left out of the story. They think that a settlement that does not protect the privacy and free speech of readers is not fair to their readers, or fair to them. That's why we're in federal court in New York today, along with the Electronic Frontier Foundation and the Samuelson Law, Technology, and Public Policy Clinic at the University of California, Berkeley, School of Law, urging Judge Chin to reject the settlement and insist on one with greater privacy and free speech protections for users. [ Read more ... ]

Google Books Fosters Intellectual, Legal Crossroads: Via Threat Level.

Nobody in their right mind opposes the intellectual soundness of digitizing the world’s books – even titles gathering dust in the stacks of university libraries — and making them available online.

Yet Google will encounter stiff resistance in a Manhattan federal court Thursday during a marathon hearing that could grant Google the keys to free the written word from a business and intellectual model as old as paper and ink.

“The benefits of approval are bounded only by the limits of human creativity and imagination,” Google told U.S. District Judge Denny Chin in a recent court filing ahead of Thursday’s hearing.

The final word on the so-named “Google Books” plan won’t rest with Judge Chin, and instead likely could fall on the U.S. Supreme Court. [ Read more ... ]

Google May Offer Buzz Independently From Gmail: Via Search Engine Land.

Google says it may allow people to participate in Google Buzz without having it integrated within Gmail, in addition to offering a combined Gmail service. That may be a welcome move from users of both products, especially in light of the substantial privacy concerns voiced this week about Google Buzz.

“It’s clear that interest in Buzz may extend beyond the current Gmail base, and we’re open to serving that community,” said Bradley Horowitz, Google’s VP of Product Marketing, when I spoke to him about some Buzz issues at the TED Conference.

Horowitz stressed that Google would still offer a version of Buzz within Gmail, in addition to any independent version.

[...]

Meanwhile, there’s also the privacy issue. Since Buzz is tied to Gmail, people are forced to expose their Gmail address if they want ot have a profile URL that isn’t a string of numbers. And even if they don’t, it turns out there’s still a way that Buzz can give away your Gmail address. [ Read more ... ]

Cellular user privacy at risk: Via Philadelphia Inquirer .

If you own a cell phone, you should care about the outcome of a case scheduled to be argued in federal appeals court in Philadelphia tomorrow. It could well decide whether the government can use your cell phone to track you - even if it hasn't shown probable cause to believe it will turn up evidence of a crime.

The American Civil Liberties Union, the Electronic Frontier Foundation and the Center for Democracy and Technology will ask the court to require that the government at least show probable cause before it can track your whereabouts.

Although most people don't realize it, cell phones double as tracking devices. Newer phones contain GPS chips, [ Read more ... ]

Facebook Denies ‘All Wrongdoing’ in ‘Beacon’ Data Breach: Via Threat Level.

Facebook is denying it illegally breached the privacy of its users in a proposed $9.5 million settlement to a class action challenging its program that monitored and published what users of the social-networking site were buying or renting from Blockbuster, Overstock and other locations.

To settle allegations that the social networking site’s “Beacon” program breached federal wiretap and video-rental privacy laws, Facebook is agreeing to seed what the agreement is calling a “Digital Trust Fund” that would issue more than $6 million in grants to organizations to study privacy. Facebook would have a seat on the fund’s three-member board — a move raising some eyebrows in the privacy community.

A fairness hearing on the issue is set for Feb. 26 in a San Jose, California, federal court. The judge presiding over the case, Richard Seeborg, gave preliminary approval to the deal three months ago. [ Read more ... ]

Sweden Probing Cisco, NASA Hacks: Via Threat Level.

Swedish investigators are probing a hacker U.S. authorities accuse of unlawfully intruding into Cisco Systems, NASA’s Ames Research Center and NASA’s Advanced Supercomputing Division, the authorities said Monday.

Philip Gabriel Pettersson, known in the hacking world as “Stakkato,” allegedly seized computer code that controls internet traffic. After the 2004 breach of Cisco, the proprietary source code for Cisco’s IOS operating system was discovered on a Russian website.

Pettersson was indicted in the United States in May on five hacking counts, (.pdf) but could not be brought from Sweden to the United States for trial. Sweden does not extradite its own citizens, but said it was examining whether to prosecute him in Sweden after U.S. authorities in San Francisco initiated that request. [ Read more ... ]

Report Details Hacks Targeting Google, Others: Via Threat Level.

It’s been three weeks since Google announced that it and numerous other U.S. companies were targeted in a recent sophisticated and coordinated hack attack dubbed Operation Aurora.

Until now we’ve only known that the attackers got in through a vulnerability in Internet Explorer and that they obtained intellectual property and access to the Gmail accounts of two human rights activists whose work revolves around China. We also know a few details about how the hackers siphoned the stolen data, which went to IP addresses in Taiwan, and about 34 mostly undisclosed companies were breached.

Now a leading computer forensic firm is providing the closest look so far at the nature of the attacks, and attackers, that struck Google and others. The report never mentions Google by name, or any other companies, but focuses on information gathered from hundreds of forensic investigations the firm has conducted that are identical to what we know about the Google hack. [ Read more ... ]

Europe Looms as Major Battleground for Google: Via NYT > Privacy.

PARIS — Google has a problem in China. It may be headed for a bigger one in Europe.

So far, no one has accused European governments of cyberattacks like those that Google says it has suffered in China. But on issues from privacy to copyright protection to the dominance of Google’s Internet search engine, clashes with European lawmakers, regulators and consumer advocates are escalating.

Europe matters to Google and its shareholders — potentially more than China. For nowhere else in the world is the company as powerful and as potentially vulnerable. Across most of Europe, Google is by far the biggest search engine, with a substantially bigger market share than in the United States. In a single European country, Britain, Google has roughly 10 times its estimated sales in China.

On a region where the media sector is mostly fragmented along national lines and sometimes dependent on public subsidies, Google’s border-straddling scale, its ambitious pursuit of profit and its embrace of an open, anything-goes Web are raising alarms. [ Read more ... ]

Software Firms Fear Hackers Who Leave No Trace: Via NYTimes.com .

MOUNTAIN VIEW, Calif. — The crown jewels of Google, Cisco Systems or any other technology company are the millions of lines of programming instructions, known as source code, that make its products run.

If hackers could steal those key instructions and copy them, they could easily dull the company’s competitive edge in the marketplace. More insidiously, if attackers were able to make subtle, undetected changes to that code, they could essentially give themselves secret access to everything the company and its customers did with the software.

The fear of someone building such a back door, known as a Trojan horse, and using it to conduct continual spying is why companies and security experts were so alarmed by Google’s disclosure last week that hackers based in China had stolen some of its intellectual property and had conducted similar assaults on more than two dozen other companies. [ Read more ... ]

China Accuses U.S. of Cyberwarfare: Via Threat Level.

In the wake of a recent speech by U.S. Secretary of State Hillary Clinton condemning countries that censor the internet and engage in hacking, China has lobbed a return volley and accused the United States of hypocrisy and initiating cyberwarfare against Iran.

An editorial in the People’s Daily — the main mouthpiece for China’s Communist Party — accused the U.S. of doublespeak and of using “online warfare” to instigate violent unrest in Iran via Twitter and YouTube following that country’s national elections in June.

“We’re afraid that in the eyes of American politicians, only information controlled by America is free information, only news acknowledged by America is free news, only speech approved by America is free speech, and only information flow that suits American interests is free information flow,” said the Sunday editorial, according to the Guardian newspaper.

The editorial was taking aim at a speech by Clinton on Thursday in which she said that access to information, and the internet, is a basic human right, but that countries around the world were erecting virtual walls in place of the physical walls that generally characterize oppressive regimes. [ Read more ... ]

Science Friday: Facial Recognition: Via NPR's Science Friday.

Photo management programs such as Picasa and iPhoto can pick out a snapshot of your cousin Dave from a stack of party pictures -- but what about more complex uses of facial recognition in less controlled situations? In this segment, we'll take a look at the state of the art in facial recognition, from 'Google Goggles' that give you additional information about things your cell phone camera sees, to security applications that scan faces at airports. How good is the technology, and how can it be employed while respecting privacy concerns? [ Read more ... ]

"Three Strikes" and Verizon: Not Happening: Via Public Knowledge.

Yesterday’s CNET report that Verizon had secretly adopted a “three strikes” policy towards alleged copyright infringers had our office all atwitter last night - how could a charter member of our ad hoc copyright reform coalition be engaging in such radical activity? Well, it turns out they weren’t.

As their misquoted spokesperson explains here, what Verizon employs is a process for passing on warning notices to alleged infringers, but that process does not include automatic termination. My guess is that to the extent that she was talking about infringers having their internet access terminated, she was referring to people who had been adjudicated by a court to be infringing, and as such, they would be violating Verizon’s terms of service.

Passing on warning notices that do not involve deep packet inspection is a process for limiting infringement that PK wholeheartedly supports and which appears to be quite effective. [ Read more ... ]

Verizon Terminating Copyright Infringers’ Internet Access: Via Threat Level.

While it was not immediately clear whether other internet service providers were following suit, the move comes as the Recording Industry Association of America and the Motion Picture Association of America are lobbying ISPs and Congress to support terminating internet access for repeat, online copyright offenders.

All the while, the United States has been privately lobbying the European Union to “encourage” so-called three strikes policies, according to leaked documents surrounding a proposed international intellectual property accord.

Verizon was not immediately prepared to comment in detail on the developments, first reported by CNET, or to detail how many of its more than 8 million broadband subscribers it has terminated — although CNET said the number was “small.” The RIAA declined comment.

“We reserve the right to do that,” Verizon spokeswoman Bobbi Henson said in a telephone interview regarding the terminations. [ Read more ... ]

Michael Arrington is Wrong about Privacy, Too: Via Michael Zimmer's blog.

Responding to the brouhaha caused by Facebook founder Mark Zuckerberg’s recent proclamation that social norms on privacy have loosened, Michael Arrington (the tech blogger who was interviewing Zuckerberg at the time) has posted a piece on his blog Tech Crunch: “Ok You Luddites, Time To Chill Out On Facebook Over Privacy”

Arrington is correct that Zuckerberg never actually said that “the age of privacy is over”, and that off-line data aggregation companies like Equifax and TransUnion have been eroding privacy long before Facebook existed. However, just as Zuckerberg is wrong in his suggestion that Facebook is merely following shifting social norms regarding privacy, Arrington is wrong in his general defense of Facebook. [ Read more ... ]

Google Turns on Gmail Encryption to Protect Wi-Fi Users: Via Threat Level.

Google is now encrypting all Gmail traffic from its servers to its users in a bid to foil sniffers who sit in cafes, eavesdropping in on traffic passing by, the company announced Wednesday.

The change comes just a day after the company announced it might pull its offices from China after discovering concerted attempts to break into Gmail accounts of human rights activists. The switch to always-on HTTPS adds more security, but does not help prevent the kind of attacks Google announced Tuesday.

All Gmail users will now default to using HTTPS, the secure, encrypted method for communicating with a remote server, for their entire e-mail sessions, not just for log-in. Session-long HTTPS has been an official option for Gmail users since 2008 (and unofficial for much longer), but Google says it [ Read more ... ]

Skeptical judges ask FCC if Comcast P2P smackdown was legal: Via Law & Disorder Section - Ars Technica.

Comcast has had its day in court over the issue of "network management." News accounts suggest that the three-judge panel from the DC Court of Appeals was plenty skeptical that the FCC had the proper authority to sanction Comcast's BitTorrent blocking in 2008. [ Read more ... ]