Microsoft addresses XSS in Internet Explorer 8 - Via searchsecurity.techtarget.com:
Microsoft is planning to add a series of new security features to the next version of its Internet Explorer browser, including protection against cross-site scripting attacks.
A beta version of IE 8 is due out in August, and along with the XSS filter, it will include a filter designed to provide better protection against phishing attacks, features that make it easier for developers to request resources and share information across domains, and some changes to the way that ActiveX controls are handled by the browser. Specifically, developers will be able to write controls that are only available for the individual user who downloads them. read more »
IE 8 To Include New Security Tools - Via Slashdot:
Trailrunner7 writes "Internet Explorer has been a security punching bag for years, and rightfully so. IE 6 was arguably the least secure browser of all time. But Microsoft has been trying to get their act together on security, and the new beta of IE 8, due in August, will have a slew of new security features, including protection against Type-1 cross-site scripting attacks, a better phishing filter and better security for ActiveX controls."
(Read Original Article - Via Slashdot.)
Microsoft to MSN Music Customers: Your Music is Still Good – Till 2011 - Via EFF.org Updates:
Last April, Microsoft met with criticism when it announced that it would deactivate all music purchased from MSN Music. Customers rightly protested that the decision to pull the plug on the Digital Rights Management (DRM) servers that allow MSN Music customers to “reauthorize” music files would render their purchases useless.
At the time, EFF announced an open letter to Microsoft, urging them to make things right with their customers by giving refunds or replacing DRM-crippled music, and by avoiding use of DRM in the future.
Now, Microsoft has responded to their customers’ concerns with a letter to customers that promises that the earlier deadline of August 2008 will not be enforced. Instead, the company will wait until 2011 to make a determination. read more »
A Conversation About the Broadcast Flag - Via EFF Line Noise:
Tim Jones meets with Danny O'Brien to discuss Vista, DRM and the Broadcast Flag.
(Read Original Article - Via EFF Line Noise.)
A Guardian Angel In Your Cell Phone - Via Slashdot: Your Rights Online:
theodp writes "Bill Gates and Ray Ozzie are listed as inventors of the Guardian Angel, which is described in a most unusual Microsoft patent application that should intrigue privacy advocates. In addition to protecting you from possibly diseased people, by detecting body temperatures, the Guardian Angel's 'monitoring component can take note of the number of conversations occurring in a room (and more specifically, a breakdown of the types of people in the room accompanied by a warning for dangerous persons, based on sex offender registration, FBI most wanted, etc.).' The versatile Guardian Angel, Microsoft notes, can also recommend restaurants, advise you on the appropriateness of your jokes, detect that your heartbeat has stopped, display targeted ads on billboards, and block spam."
MSN Music Debacle Highlights EULA Dangers - Via EFF: Deep Links:
When Microsoft announced that it will no longer support former MSN Music customers who want to play their DRM-disabled music on new computers, DRM-hating consumer advocates justifiably cried out, “I told you so!” But this debacle is not just another example of the dangers of DRM: it's also a reminder of the danger of overreaching end user license agreements, or EULAs.
Just as DRM allows unprecedented corporate control over music and movies, the EULAs that Microsoft and other content vendors force users to click through before downloading songs, shows or films help enforce and expand that control. For example, EULAs usually claim that whatever happens, you can't sue the company--even for problems that are entirely of the company’s own making. And EULAs are often used to try to limit a company’s obligation to live up to its apparent promises. read more »
NZ cops get 'COFEE' to capture PC evidence - Via Stuff.co.nz:
New Zealand police have been given a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.
The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a prototype of a USB "thumb drive" that Microsoft has quietly distributed to a few law-enforcement agencies around the world.
A spokesman at police national headquarters said today: "Police have been issued with the COFEE tool by Microsoft and the E-Crime Lab's digital forensic analysts have been trained in the use of it".
New Zealand police had an excellent relationship with the software company, which had provided specialist training to digital forensic analysts and investigators, he said. read more »
500 Thousand MS Web Servers Hacked - Via Slashdot:
andrewd18 writes "According to F-Secure, over 500,000 webservers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious javascript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client's computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that have been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the 'net."
(Read Original Article - Via Slashdot.)
Betrayed MSN Music Customers Deserve More from Microsoft - Via EFF: Breaking News:
San Francisco - The Electronic Frontier Foundation (EFF) is urging Microsoft Corporation to fix the problems it will cause when it shuts down the MSN Music validation servers, making it impossible for customers to transfer their music files to new computers or even upgrade their operating system.
In an open letter sent to Microsoft Chief Executive Officer Steve Ballmer today, EFF outlines five steps Microsoft must take to make things right for MSN Music customers -- including issuing a public apology, providing refunds or replacement music files, and launching a substantial publicity campaign to make sure all customers know their options.
"MSN Music customers trusted Microsoft when it said that this was a safe way to buy music, and that trust has been betrayed," said EFF Staff Attorney Corynne McSherry. "If Microsoft is prepared to treat MSN Music customers like this, is there any reason to suppose that future customers won't get the same treatment?" read more »
MSN Music Pulls the Plug on Customers - Via EFF: Deep Links:
Last week, Microsoft announced that it was leaving the paying customers of its MSN Music store out in the cold. Rob Bennett, the head of MSN Entertainment and Video Services, told customers in an email that “[a]s of August 31, 2008, we will no longer be able to support the retrieval of license keys for the songs you purchased from MSN Music or the authorization of additional computers."
In other words, the DRM copy protection that Microsoft and the major record labels insisted customers put up with has now drastically devalued that music -- at least for consumers who like to regularly upgrade their PCs. Come August 31st, if you buy a new computer, or even upgrade your OS, you’ll have to give up your MSN Music. read more »
Microsoft Gives Backdoor to Law Enforcement -- Well, Not Really - Via Threat Level:
Admit it. You always thought Microsoft had put a backdoor into its operating system to allow law enforcement agents to worm their way into your computer.
Now the proof is here. At least that's how some readers are interpreting a story out yesterday about a forensic tool that Microsoft is providing crime-stoppers to help them extract evidence from computers seized at crime scenes.
The Computer Online Forensic Evidence Extractor, or COFEE, is a USB memory stick that was "quietly distributed" to a handful of law-enforcement agencies last June, according to Seattle Times tech reporter Benjamin Romano. Romano says the portable device can "decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer." read more »
DRM sucks redux: Microsoft to nuke MSN Music DRM keys - Via Ars Technica:
Customers who have purchased music from Microsoft's now-defunct MSN Music store are now facing a decision they never anticipated making: commit to which computers (and OS) they want to authorize forever, or give up access to the music they paid for. Why? Because Microsoft has decided that it's done supporting the service and will be turning off the MSN Music license servers by the end of this summer.
MSN Entertainment and Video Services general manager Rob Bennett sent out an e-mail this afternoon to customers, advising them to make any and all authorizations or deauthorizations before August 31. "As of August 31, 2008, we will no longer be able to support the retrieval of license keys for the songs you purchased from MSN Music or the authorization of additional computers," reads the e-mail seen by Ars. read more »
MSN Music DRM Servers Going Dark In September - Via Slashdot: Your Rights Online:
PDQ Back writes to tell us about an email Microsoft sent to former customers of MSN Music today. The company said it would be turning off the DRM servers used to authorize playback of music purchased from the now-defunct MSN Music store. "'As of August 31, 2008, we will no longer be able to support the retrieval of license keys for the songs you purchased from MSN Music or the authorization of additional computers,' reads the e-mail. This doesn't just apply to the five different computers that PlaysForSure allows users to authorize, it also applies to operating systems on the same machine (users need to reauthorize a machine after they upgrade from Windows XP to Windows Vista, for example). Once September rolls around, users are committed to whatever five machines they may have authorized — along with whatever OS they are running."
Windows Update Can Hurt Security - Via Slashdot:
An anonymous reader writes "Researchers at Carnegie Mellon University have shown that given a buggy program with an unknown vulnerability, and a patch, it is possible automatically to create an exploit for unpatched systems. They demonstrate this by showing automatic patch-based exploit generation for several Windows vulnerabilities and patches can be achieved within a few minutes of when a patch is first released. From the article: 'One important security implication is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update... can detract from overall security, and should be redesigned.' The full paper is available as PDF, and will appear at the IEEE Security and Privacy Symposium in May."
(Read Original Article - Via Slashdot.)
Vista's UAC security prompt was designed to annoy you - Via Ars Technica:
User Account Control is easily one of the most hated features of Windows Vista, according to readers. The seemingly endless stream of UAC pop-ups, asking you to confirm this action or that action, just get in the way (and aren't particularly zippy, given the screen redraw). Others don't mind UAC, but there's no doubt it's a controversial "feature" of the OS.
At the RSA 2008 confab in San Francisco, Microsoft admitted that UAC was designed, in fact, to annoy. Microsoft's David Cross came out and said so: "The reason we put UAC into the platform was to annoy users. I'm serious," said Cross. read more »
Microsoft Designed UAC to Annoy Users - Via Slashdot:
I Don't Believe in Imaginary Property writes "At the 2008 RSA security conference, Microsoft's David Cross was quoted as saying, 'The reason we put UAC into the platform was to annoy users. I'm serious.' The logic behind this statement is that it should encourage application vendors to eliminate as many unnecessary privilege escalations as possible by causing users to complain about all the UAC 'Cancel or Allow' prompts. Of course, they probably didn't expect that Microsoft would instead get most of the complaints for training users to ignore meaningless security warnings."
(Read Original Article - Via Slashdot.)
Thoughts on the Microsoft-Yahoo Deal - Via CDT - PolicyBeta:
CDT is still considering the policy implications of Microsoft’s unsolicited takeover offer for Yahoo. Clearly, this would have a major impact on the Internet.
Our colleague, and CDT Fellow, Peter Swire has a detailed summary that he posted to the Center for American Progress Web site. read more »
Michael Geist - Microsoft Misleads on Copyright Reform - Via Michael Geist:
The Hill Times this week includes an astonishingly misleading and factually incorrect article on Canadian copyright written by Microsoft. The most egregious error comes in the following paragraph which attempts to demonstrate why Microsoft thinks reform is needed: read more »