Thursday, October 12, 2006
In a move sure to rekindle debate over national control of the
Internet, a US court may soon issue an order stripping London-based
spamhaus.org of its Internet name.
Here's the backstory. Spamhaus, an anti-spam organization
headquartered in London, publishes ROKSO, the "Register of Known Spam
Operations". Many sites block email from ROKSO-listed operations as an
anti-spam tactic. A US company called e360 sued Spamhaus, claiming that
Spamhaus had repeatedly and wrongly listed e360 on ROKSO, and asking
the court to award monetary damages and issue an injunction ordering
e360's removal from ROKSO.
Spamhaus lost the case, apparently due to bad legal maneuvering. Faced
with a U.S. lawsuit, Spamhaus had two choices: it could challenge the
court's jurisdiction over it, or it could accept jurisdiction and
defend the case on the merits. It started to defend on the merits, but
then switched strategies, declaring that the court had no jurisdiction
and refusing to participate further in the proceedings. The court held
that Spamhaus had already accepted its jurisdiction, and it proceeded
to issue a default judgment against Spamhaus, ordering it to pay $11.7M
in damages (which it apparently cannot pay) and issuing an injunction
ordering Spamhaus to (a) take e360 off ROKSO and keep it off, and (b)
post a notice saying that its previous listings of e360 had been
erroneous.
Spamhaus has ignored the injunction.
As I understand it, courts have broad authority to enforce their
injunctions against noncompliant parties. In this case, the court is
considering (but hasn't yet issued) an order that would revoke
Spamhaus's use of the spamhaus.org name; the order would require ICANN
and Tucows, the domain name registrar for spamhaus.org, to suspend the
name, so that anybody trying to reach spamhaus.org would get a
domain-not-found error. (ICANN says it's up to Tucows to comply with
any such order.)
There are several interesting questions here. (1) Is it appropriate
under U.S. law for the judge to do this? (2) If the spamhaus.org
registration is revoked, how will Spamhaus and its users respond?
(3) If U.S. judges can revoke domain name registrations, what are the
international implications?
10:24:30 PM
For Microsoft, Patch Tuesday Often Becomes Exploit Thursday. Microsoft releases security updates on the second Tuesday of each month -- a regular schedule the company follows to make it easier for network administrators around the world to manage all the updating necessary to deploy the fixes on their systems.
Over the past several months, news of exploits targeting previously undocumented flaws in Windows and other Microsoft applications has surfaced within hours of each Patch Tuesday. Today, less than 48 hours after Microsoft released a record number of security updates, comes the release of exploit code for yet another Office flaw, this one apparently targeted at PowerPoint files in Office 2003 (no, I'm not going to link to the site hosting the exploit code).
As I've noted before, the Patch Tuesday/Exploit Wednesday (or Thursday) phenomenon gives bad guys the maximum amount of time to use exploits in the wild before Microsoft gets around to its next patch cycle. Redmond occasionally breaks out of that cycle for especially serious or high-profile attacks on unpatched flaws; it has done so twice this year, though neither of those emergency patches dealt with an Office vulnerability.
It is quite clear from the massive number of Office patches issued this week that Microsoft is doing some long overdue code review on its desktop software. So far in 2006, Microsoft has issued patches to address no fewer than 44 distinct vulnerabilities in its Office products, many of them labeled "critical" -- meaning that bad guys can install malicious programs on your machine just by convincing you to open a poisoned document or spreadsheet. By comparison, Microsoft issued just six updates to fix problems in Office last year.
It is also painfully clear that those who would wish to heap harm and embarrassment on Microsoft and its millions of users also are conducting their own audits, and with very effective results. Office flaws have shown themselves to be extremely potent weapons in targeted attacks against organizations (think corporate and government espionage).
Regarding the Office exploit revealed today, a Microsoft spokesperson said the company "is investigating new public reports of a possible vulnerability in Microsoft Office 2003. Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary."
While we're on the subject of Office vulnerabilities, it appears Microsoft's Office Update service is still experiencing some hiccups. I tried to update my Office 2000 installation last night and again this morning and was met with an error message saying the site was experiencing technical difficulties. [Security Fix]
10:19:12 PM
Microsoft has released licenses for the Windows Vista operating system that dramatically differ from those for Windows XP
in that they limit the number of times that retail editions can be
transferred to another device and ban the two least-expensive versions
from running in a virtual machine.
The new licenses, which were highlighted by the Vista team on its official blog Tuesday, add new restrictions to how and where Windows can be used.
"The first user of the software may reassign the license to
another device one time. If you reassign the license, that other device
becomes the 'licensed device,'" reads the license for Windows Vista Home Basic, Home Premium, Ultimate, and Business. In other words, once a retail copy of Vista is installed on a PC, it can be moved to another system only once.
The new policy is narrower than Windows XP's. In the same section, the license for Windows XP Home
states: "You may move the Software to a different Workstation Computer.
After the transfer, you must completely remove the Software from the
former Workstation Computer." There is no limit to the number of times users can make this move. Windows XP Professional's license is identical.
Elsewhere in the license, Microsoft forbids users from installing Vista
Home Basic and Vista Home Premium in a virtual machine. "You may not
use the software installed on the licensed device within a virtual (or
otherwise emulated) hardware system," the legal language reads. Vista
Ultimate and Vista Business, however, can be installed within a VM.
9:56:10 PM
NiK0laI writes "TechWeb has posted an article regarding Vista's new license
and how it allows you to only move it to another device once. How will
this work for people who build their PCs? I have no intention of
purchasing a new license every time I swap out motherboards. 'The first
user of the software may reassign the license to another device one
time. If you reassign the license, that other device becomes the
"licensed device," reads the license for Windows Vista Home Basic, Home
Premium, Ultimate, and Business. In other words, once a retail copy of
Vista is installed on a PC, it can be moved to another system only
once. ... Elsewhere in the license, Microsoft forbids users from
installing Vista Home Basic and Vista Home Premium in a virtual
machine. "You may not use the software installed on the licensed device
within a virtual (or otherwise emulated) hardware system," the legal
language reads. Vista Ultimate and Vista Business, however, can be
installed within a VM.'"
Overly Critical Guy points out more information about changes to Vista's EULA and the new usage restrictions. "For
instance, Home Basic users can't copy ISOs to their hard drives, can't
run in a virtualized environment, and can only share files and printers
to a maximum of 5 network devices."
9:50:37 PM
An anonymous reader asks: "My company, a fairly large telco, still uses social security numbers for non-financial purposes; mostly for our IT ticketing system. I find it amazing that in these times, with how easy it is to use an SSN to obtain credit, that any company still does this. I've heard talk for almost eight years that the practice is going to be stopped but little progress has been made. How many companies out there still use SSNs so openly? Since it seems that nobody is in a hurry to solve this issue, what can be done to speed the process up?"
9:34:23 PM
© Copyright 2006 Paul Hardwick.
Last update: 11/10/06; 2:10:20 AM.