Tuesday, February 13, 2007
RIAA to ISPs: Help Us Sue Your Customers Better. As if suing thousands of music fans isn't bad enough, now the RIAA wants to conscript ISPs into helping them streamline the shakedowns. The major record labels sent a letter to ISPs across the country asking them to trade away customers' rights and make the overzealous file sharing lawsuits more profitable -- and the RIAA even has the audacity to suggest that this is all for your own good.

ISPs currently have no obligation to maintain IP log files, and that's a good thing when it comes to protecting your privacy. Those log files can serve as Internet breadcrumbs -- your ISP and any third party that has access to them can retrace your online activities. But the RIAA wants ISPs to maintain (and disclose) a customer's IP logs for six months whenever the RIAA says the user may have infringed copyright. In exchange, the record companies will reduce their initial lawsuit settlement demands. Of course, the actual customer would have no say in the matter. The RIAA letter says it wants the information kept because it could "exculpate" the customer, but of course those same records can also implicate the user. Funny, the labels don't mention that.

EFF and others have long warned that copyright claims could become an altar on which personal privacy is sacrificed. Now the RIAA wants your ISP to voluntarily wield the knife, and there's no telling what else the RIAA might ask for once this cut has been made.

The RIAA also wants ISPs to keep customers in the dark about their legal options. Before the RIAA has even verified that the user is correctly identified, it wants ISPs to send along a note saying the user might be sued and can already settle potential claims. At the same time, the RIAA scolds ISPs for giving information to their customers that could help provide sound legal counsel. Instead, the RIAA wants ISPs to direct subscribers solely to the RIAA. In other words, the RIAA wants it to be harder for customers to find out that settling early might be a bad idea. Does the RIAA readily tell customers that parents are generally not liable for infringements committed by their kids, or that bankruptcy might be a last-ditch option for some, or that the record labels have occasionally sued the wrong people? Doubtful.

The RIAA's letter notes that some people have been told that "the RIAA could have been incorrect in identifying your IP address" -- which of course is true -- and "directed the subscriber to certain websites, instead of having him contact the RIAA." We suspect those websites include EFF's resources as well as the Subpoena Defense website. It's possible that, after the fact, a given user might have preferred a cheaper, earlier settlement, but neither ISPs nor fans should have to make the remarkably perverse choice laid out in the RIAA's "offer." As we've pointed out repeatedly, the record labels could help forge a better way forward to get artists paid without suing fans or further endangering their privacy. The last time we checked, ISPs don't work for the RIAA, so until the major record labels come to their collective senses, ISPs shouldn't be handmaidens in their misguided lawsuit campaign.
[EFF: Deep Links]
11:59:43 PM
Joanna Rutkowska has always been a big supporter of the Windows Vista security model. Until she stumbled upon a "very severe hole" in the design of UAC (User Account Control) and found out -- from Microsoft officials -- that the default no-admin setting isn't even a security mechanism anymore.

Rutkowska, a hacker with a track record of defeating Vista's security mechanisms, believes UAC has a major flaw in the way it automatically assumes that all setup programs (application installers) should be run with administrator privileges.

"[When] you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?," Rutkowska asked in a post on her Invisible Things blog.

That's because Vista uses a compatibility database and several heuristics to recognize installer executables and, every time the OS detects that an executable is a setup program, "it will only allow running it as administrator."

This, in Rutkowska's mind, is a "very severe hole in the design of UAC."

"After all, I would like to be offered a choice whether to fully trust given installer executable (and run it as full administrator) or just allow it to add a folder in C:\Program Files and some keys under HKLM\Software and do nothing more. I could do that under XP, but apparently I can't under Vista, which is a bit disturbing," she added.

A few days after Rutkowska flagged the UAC shortcoming, Microsoft's Mark Russinovich wrote a detailed technical explanation of the way the mechanism works. One thing that stood out in Russinovich's explanation is an admission of sorts that the default configuration of UAC puts the user at risk of a sophisticated code execution attack.
11:11:29 PM
Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Control (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges -- and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."
11:01:17 PM
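The two items above describe the same mechanism: an executable with no embedded application manifest that Vista's installer detection classifies as a setup program can only be run elevated. The following Python model of that decision is an added example for this page, not code from either article, from Rutkowska or from Russinovich. It assumes the behaviour Russinovich documented for 32-bit unmanifested interactive processes: a manifest `requestedExecutionLevel` is honoured as written (`asInvoker`, `highestAvailable`, `requireAdministrator`), and only in its absence does the heuristic fire, which looks for the words "install", "setup" or "update" in the file name and version-resource strings. It omits the application-compatibility database, which the real check also consults. The paths, version strings and manifest below are constructed for the example.

```python
"""Simplified model of Windows Vista UAC elevation for a launched executable.

Added example: not the page's or Microsoft's code. Models the documented rule
"manifest wins; otherwise installer detection decides" for 32-bit, unmanifested,
interactive processes. The compatibility-database lookup is deliberately omitted.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Keyword heuristic as documented by Russinovich for installer detection
# (assumption: the documented list is complete for the purposes of this model).
INSTALLER_KEYWORDS = ("install", "setup", "update")

# Constructed sample manifest: what a developer embeds to opt out of the forced
# elevation that Rutkowska complained about. Element names and the asm.v3
# namespace follow the documented manifest schema.
ASINVOKER_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""


def requested_execution_level(manifest_xml):
    """Return the 'level' attribute of requestedExecutionLevel, or None if absent."""
    if not manifest_xml:
        return None
    root = ET.fromstring(manifest_xml)
    for element in root.iter():
        # Tag may be namespaced ("{urn:...}requestedExecutionLevel") or bare.
        if element.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return element.get("level")
    return None


def looks_like_installer(exe_path, version_strings=()):
    """Installer-detection keyword heuristic over file name stem and version info."""
    stem = PureWindowsPath(exe_path).stem.lower()
    candidates = [stem] + [s.lower() for s in version_strings]
    return any(keyword in text for text in candidates for keyword in INSTALLER_KEYWORDS)


def predict_elevation(exe_path, manifest_xml=None, version_strings=(),
                      user_is_admin=True, installer_detection=True):
    """Return (token, reason): token is 'elevated' or 'standard'.

    installer_detection mirrors the policy "Detect application installations and
    prompt for elevation"; user_is_admin matters only for highestAvailable.
    """
    level = requested_execution_level(manifest_xml)
    if level == "asInvoker":
        return "standard", "manifest requests asInvoker"
    if level == "requireAdministrator":
        return "elevated", "manifest requests requireAdministrator"
    if level == "highestAvailable":
        token = "elevated" if user_is_admin else "standard"
        return token, "manifest requests highestAvailable"
    if level is not None:
        raise ValueError("unknown requestedExecutionLevel: %r" % level)
    # No manifest: this is where installer detection applies.
    if installer_detection and looks_like_installer(exe_path, version_strings):
        return "elevated", "installer detection heuristic matched"
    return "standard", "no manifest and heuristic did not match"


if __name__ == "__main__":
    tetris = r"C:\Users\joanna\Downloads\tetris_setup.exe"   # constructed path
    print(predict_elevation(tetris))
    print(predict_elevation(tetris, manifest_xml=ASINVOKER_MANIFEST))
    print(predict_elevation(tetris, installer_detection=False))
```

Running it shows the asymmetry the articles discuss: the unmanifested `tetris_setup.exe` can only launch elevated, while the same binary with an `asInvoker` manifest, or the same machine with installer detection turned off by policy, runs it as a standard user. Neither option exists for the person double-clicking the file; it is the developer (manifest) or the administrator (policy) who decides.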
When Johns Hopkins officials announced this week that a courier had lost nine backup computer tapes containing personal data on 135,000 employees and patients, security specialists were critical, even though the information probably was destroyed without being compromised.

The reaction came not just because the tapes were lost, but because they weren't encrypted -- coded so that they could be read only with a computerized key.

"Have we not learned from history yet, that if you're going to give [data] to a third party that you either encrypt or password protect it?" said Linda Foley, executive director of the Identity Theft Resource Center in San Diego.

Amid a spate of lost or stolen data, some organizations and industries have begun taking steps to better protect employee and customer information, yet far too many have not, privacy advocates say. Many still leave sensitive information uncoded or hand it off to sometimes-careless employees or third parties.

This year alone, Social Security numbers were posted on a public Web site at the University of Nebraska; personal information on 537 people was stolen from the New York Department of Labor; a hacker accessed Social Security numbers for more than 1,200 people at the University of Missouri; and a laptop was stolen that contained medical records for 1,100 patients at the Salina Regional Health Center in Kansas.

Some consultants say that costs keep organizations from updating their security practices -- encryption software and developing privacy procedures can be expensive. But the No. 1 reason is complacency, according to Lillie Coney, associate director of the Electronic Privacy Information Center, or EPIC, in Washington.

"They don't see themselves as being in a position where they're going to lose something," Coney said.
8:40:57 PM
Wanted: Missing FBI Laptops. If you lose your laptop, don't go crying on the shoulder of the Federal Bureau of Investigation. It has its own problems. The agency had at least 160 laptops lost or stolen over the past four years.
Ten of those laptops contained highly sensitive classified information and at least one included "personal identifying information on FBI personnel," according to a new report.
While the number may loom large, the agency actually has improved on keeping tabs on its wares. The report released today by the Justice Department's Office of Inspector General was a follow-up to a similar 2002 report. The charter report found that the FBI had reported some 317 employee laptops as either lost or stolen over the previous 28-month period. Seventeen of those laptops were reported stolen. In 2002, the FBI had roughly 11 laptops stolen or lost each month. The agency currently mismanages an average of four laptops monthly.
It's worth noting that as many as 51 of the laptops reported lost or stolen since 2002 may also have contained classified data, but the inspector general's office said the FBI could not be sure. At least seven of the laptops were assigned to the agency's counterintelligence or counterterrorism divisions, the report notes.
It is not clear from the report how many of those stolen or lost laptops used encryption technology to safeguard the data. Only one individual case cataloged in the report details that encryption technology was used to protect data stored on the computer's hard drive.
The report recommends that future laptop-loss reports include information on whether the computer in question had protected data. The FBI agreed with that recommendation, and said it would make such reporting mandatory.
Now, if they would just make the use of encryption technology mandatory on government laptops, I'm sure we would all sleep a little more soundly.
[Security Fix]
7:25:51 PM
Microsoft Releases Patches to Fix 20 Security Holes. Microsoft Corp. today issued a dozen software updates to plug at least 20 security holes in its Windows operating system and other software, including fixes for a number of vulnerabilities in Office that hackers are currently exploiting to hijack vulnerable PCs. Windows users can download the free updates by visiting Microsoft Update or by enabling automatic updates.
The company labeled half of the vulnerabilities "critical," its most severe rating. Critical security holes are those that bad guys could exploit to seize control over vulnerable machines without any action on the part of the user, or those that could be exploited just by convincing a user to click on a link in an e-mail, or visit a particular Web page.
Today's patch bundle addresses a total of eight separate vulnerabilities in different versions of Office, Word, Excel and PowerPoint, six of which are already being exploited by hackers, according to Microsoft. As usual, those most in danger are Office 2000 users. These users cannot download the updates through the usual Windows/Microsoft update site. Instead, Office 2000 users must scan their machine at Microsoft's Office Update site and apply any outstanding fixes listed there.
Regardless of which version of Office you are using (or whether you are running Office at all), be extremely careful about opening attachments in e-mails that you were not expecting -- even if they appear to come from someone you know.
Microsoft also issued updates to correct four flaws in most versions of its Internet Explorer Web browser, all of which earned a "critical" rating. Worse yet, instructions detailing how to exploit two of these IE flaws have already been posted online (one set of instructions dates back to Oct. 2006).
Another patch fixes a critical flaw in the way that Microsoft's security software scans portable document format files (.PDF -- Adobe Acrobat documents, for example) for malicious software. According to Microsoft, this bug affects Windows Live OneCare, Microsoft Antigen, Windows Defender, Windows Defender in Windows Vista, Microsoft Forefront Security for Exchange Server and Forefront Security for SharePoint.
Interestingly, Microsoft said it also is investigating new public reports of a potential vulnerability in both Windows Mobile Internet Explorer and Windows Mobile Pictures and Video -- applications built into most Microsoft Smartphone and PocketPC mobile phones.
There were other patches released today. Home users should not delay in applying these updates: Last month, hackers infiltrated the official Web site of Dolphins Stadium -- the site of Super Bowl XLI -- and seeded it with a Trojan horse program that installed a password stealing program on Windows machines if users browsed to the site without having applied a patch that Microsoft issued just two weeks prior. [Security Fix]
7:24:06 PM
© Copyright 2007 Paul Hardwick.
Last update: 3/4/07; 10:33:30 AM.