Databases

CASCADES project: Cost-effective Outbreak Detection in Networks (Hello readers of the CMU Blog report)

CASCADES project: Cost-effective Outbreak Detection in Networks (a study by School of Computer Science, Carnegie Mellon University): "Rankings are based on the following question: Which blogs should one read to be most up to date, i.e., to quickly know about important stories that propagate over the blogosphere?

Budget=100 blogs: If I can read 100 blogs, which should I read to be most up to date? Unit cost (each blog costs 1 unit), optimizing the information captured -- population affected (we want to be the first to know about something with many people blogging about the story after us)

Help EFF Examine Once-Secret FBI Docs

Help EFF Examine Once-Secret FBI Docs:

We've already started scouring newly-released documents relating to the misuse of National Security Letters to collect Americans' private information. But don't let us have all the fun — you, too, can dive into the docs and help uncover the truth about the FBI's abuse of power. All 1138 pages are freely downloadable (with searchable text) from EFF’s website, and we'll be posting a new batch every month.

oCERT.org - Open Source CERT

oCERT.org - Open Source CERT:

The oCERT project is a public effort providing security handling support to Open Source projects affected by security incidents or vulnerabilities, just like national CERTs offer services for their respective countries.

The service aims to help both large infrastructures, like major distributions, and smaller projects that can't afford a full-blown security team and/or security resources. This means aiding coordination between distributions and small project contacts. The goal is to reduce the impact of compromises on small projects with little or no infrastructure security, avoiding the ripple effect of badly communicated or handled compromises, which can currently result in distributions shipping code which has been tampered with.

oCERT also provides security vulnerability mediation for the security community, having reliable security contacts between registered projects and reporters that need to get in touch with a specific project regarding infrastructure security issues.

Last but not least oCERT provides aid with security vulnerability research and assessment.


Isohunt Founder at Center of U.S. Torrent-Tracking Legal Battle

Isohunt Founder at Center of U.S. Torrent-Tracking Legal Battle - Via Threat Level:

Gary Fung remembers years ago when the first computer he operated was a Pentium 90.

His programming skills have grown considerably since that first computer and his mastery of Pascal. Combined with his business acumen, the 25-year-old Fung now heads the popular BitTorrent search engine Isohunt and two tracking sites, Podtropolis and Torrentbox.

The Motion Picture Association of America claims in a lawsuit that Fung is a copyright scofflaw of the highest order -- facilitating the theft of millions of its copyrighted works hosted in tiny pieces resting on servers and individuals' computers worldwide.

Another victory for the anti-Real ID rebels

Daily Kos: Another victory for the anti-Real ID rebels - Via ACLU's diary in Daily Kos:

By Larry Frankel, State Legislative Counsel, ACLU Washington Legislative Office

The anti-Real ID movement just took a big step forward, with the Arizona Senate’s 21-7 vote to bar implementation of Real ID in Arizona. The bill (H.B. 2677) still has to go back to the Arizona House for another vote and then on to Governor Janet Napolitano for her signature. But as of this writing, Arizona is poised to join the growing number of states who have recognized that Real ID is an expensive and unworkable invasion of our privacy.

The good work of a bipartisan group of Arizona legislators contrasts with what happened last week in Minnesota. Governor Tim Pawlenty vetoed a transportation bill that passed the Minnesota legislature with overwhelming bipartisan support because the members of the Minnesota legislature had the audacity to say no to the federal Real ID Act. The governor’s veto message reads like a set of talking points from the Department of Homeland Security.

Web firm sounds alert on criminal data trove

Web firm sounds alert on criminal data trove - Via Reuters:

LONDON (Reuters) - A Web security firm said on Tuesday it had tipped off international banks and police after finding a huge trove of stolen business and personal data amassed on a server in the space of just three weeks.

Finjan Inc said it had notified the U.S. Federal Bureau of Investigation, police in various countries and more than 40 financial institutions in the United States, Europe and India about the discovery of the so-called "crimeserver".

"This server was running for about three weeks and within this period it managed to collect 1.4 gigabytes of data. It is indeed the largest treasure we've found in this very short time," Yuval Ben-Itzhak, chief technology officer of the California-based firm, said in a phone interview from Israel.

The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain.

"Crimeserver" Full of Personal/Business Data Found

"Crimeserver" Full of Personal/Business Data Found - Via Slashdot:

Presto Vivace sends news of a server found by security firm Finjan that contained a 1.4-GB cache of stolen data, accumulated over a period of less than a month from compromised PCs around the world. The "crimeserver," as Finjan dubs it, "provided command and control functions for malware attacks in addition to being a drop site for data harvested from compromised computers... The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain." Oddly enough, the data was stored in the open, with not even basic auth to protect it. Finjan notes in their press release that this huge trove of data gathered over a short period of time indicates that the crimeware problem is far larger than most observers have been assuming.


Google backs open-source CERT group

Google backs open-source CERT group - Via Network World:

Google has thrown its weight behind a fledgling security reporting group for the open-source community.

The search engine giant, long a proponent of open-source software, is now one of three sponsors of oCERT, the Open Source Computer Emergency Response Team.

Launched in late March, oCERT aims to be a clearinghouse for data on security vulnerabilities in open-source products, keeping open-source distributors on top of flaws and helping small software projects ensure that users of their code are aware of any issues.

Google Backs Open-Source CERT Group

Google Backs Open-Source CERT Group - Via Slashdot:

alphadogg points to a Network World story, excerpting "Google has thrown its weight behind a fledgling security reporting group for the open-source community. The search engine giant, long a proponent of open-source software, is now one of three sponsors of oCERT, the Open Source Computer Emergency Response Team. Launched in late March, oCERT aims to be a clearinghouse for data on security vulnerabilities in open-source products."


One Step Forward, Two Steps Back for Genetic Privacy

One Step Forward, Two Steps Back for Genetic Privacy - Via ACLU Blog - Privacy & Technology:

Yesterday, the House passed H.R. 493, the Genetic Nondiscrimination Act (GINA), and the bill is now headed to President Bush for his signature. This is a victory for all Americans who value their genetic privacy: GINA prevents employers and health insurance companies from discriminating against applicants based on their genetic code, which, thanks to modern science, reveals a lot about your body's predisposition towards illness and disease.

Beware of Robert Johnsons and Anyone Named Ted Kennedy

Beware of Robert Johnsons and Anyone Named Ted Kennedy - Via ACLU Blog - Privacy & Technology:

My latest Civil Discourse comic tackles the government's Terrorist Watch list, which has almost million names. Who's on it? Toddlers, dead people, congressmen, and Iraq War vets. You know, the people most likely to harm America. See the ACLU's watch list counter for more info.

Red Alert! Mandela Wants In!

Red Alert! Mandela Wants In! - Via ACLU Blog - Privacy & Technology:

USA Today reports:

Nobel Peace Prize winner and international symbol of freedom Nelson Mandela is flagged on U.S. terrorist watch lists and needs special permission to visit the USA. Secretary of State Condoleezza Rice calls the situation "embarrassing…"

Shocking that this has happened considering how well-organized and error-free the watchlist is otherwise.

What's Up with the Secret Cybersecurity Plans, Senators Ask DHS

What's Up with the Secret Cybersecurity Plans, Senators Ask DHS - Via Threat Level:

The government's new cyber-security "Manhattan Project" is so secretive that a key Senate oversight panel has been reduced to writing a letter to beg for answers to the most basic questions, such as what's going on, what's the point and what about privacy laws.

The Senate Homeland Security committee wants to know, for example, what is the goal of Homeland Security's new National Cyber Security Center. They also want to know why it is that in March, DHS announced that Silicon Valley evangelist and security novice Rod Beckstrom would direct the center, when up to that point DHS said the mere existence of the center was classified.

Those are just two sub-questions out of a list of 17 multi-part questions centrist Sens. Joe Lieberman (I-Connecticut) and Susan Collins (R-Maine) sent to DHS in a letter Friday.

Congress, can you hear me NOW? (commentary) - unpublicized data breaches

Congress, can you hear me NOW? (commentary) - Via PogoWasRight - Privacy News Headlines:

By Dissent:

A few nights ago, I played "catch up" on breaches after the Maryland Attorney General's office started making breach notifications publicly available on the web.

It is staggering how many breaches we never learn about because there is no central registry of breaches and most states do not make their breach notices publicly available on the web. Thankfully, three states do report on notifications received, and two of them upload the reports themselves.

Since the beginning of this year, Maryland has received approximately 64 breach notifications. New Hampshire shows 43 breach reports for 2008. Of the combined pool of 74 unique breaches, 44 breaches appeared on one of the two, but not both, states' reports. Clearly we need more states uploading their reports as some breaches may be state- or region-specific.

DNA database constitutional, VT high court rules

DNA database constitutional, high court rules - Via The Burlington Free Press:

Law-enforcement authorities have the right to collect, analyze and store DNA samples from people convicted of nonviolent felonies, the Vermont Supreme Court ruled Friday.

In a narrow 3-2 opinion, justices determined the government's interest in monitoring forensic profiles of criminals outweighs their privacy rights.

Police and government lawyers argued they need the DNA database to identify the perpetrators of crimes, to exclude the innocent from suspicion, to deter crime and to help find missing people. The high court agreed those goals allow police to swab a convict's mouth, laboratory personnel to analyze and store the data, and local authorities to transmit the information to federal law enforcement.

Congress Must Investigate Electronic Searches at U.S. Borders

Congress Must Investigate Electronic Searches at U.S. Borders - Via EFF: Breaking News:

San Francisco - The Electronic Frontier Foundation (EFF) and a broad coalition, including civil rights groups, professional associations and technologists, called on Congress today to hold oversight hearings on the Department of Homeland Security's search and seizure of electronic devices at American borders.

The press has widely reported disturbing stories about U.S. citizens subject to intrusive searches of their laptops and cell phones. But a recent court decision found that customs officials can search travelers' computers at the border without suspicion or cause. In a letter sent to the House and Senate Homeland Security and Judiciary committees today, the coalition urges lawmakers to consider passing legislation to prevent abusive search practices by border agents and to protect all Americans from suspicionless digital border inspections.

"Our computers, cell phones, and other electronic devices hold a vast amount of personal information like financial data, health histories, and personal emails and letters," said EFF Staff Attorney Marcia Hofmann. "In a free country, the government cannot have unlimited power to read, seize, and store this information without any oversight."

So far, the Department of Homeland Security has refused to release its policies and procedures for conducting these intrusive searches. EFF and the Asian Law Caucus have filed suit against the Department of Homeland Security to obtain the information through the Freedom of Information Act.

Wikipedia Overrules DOJ

Wikipedia Overrules DOJ - Via Slashdot: Your Rights Online:

kylehase writes "The release of Wikiscanner last year brought much attention to whitewashing of controversial pages on the community-generated encyclopedia. Apparently Wikipedia is very serious in fighting such behavior as they've temporarily blocked the US Department of Justice from editing pages for suspicious edits."
