Firefox Infects Vietnamese Users With Trojan Code - Via Threat Level:
Mozilla, the maker of the open source Firefox browser, is redoubling its efforts to check user created add-ons for viruses and Trojans after it discovered that a language pack on its official add-on page had been infected for months with rogue code, the organization reported Wednesday.
Starting in mid-February, Vietnamese users of Mozilla's open source Firefox browser were at risk of infection from malicious Trojan Horse code seemingly accidentally embedded in a language pack available on its Add-ons site.
The virus's signature was unknown at the time, and thus passed Mozilla's testing of add-ons.
The oCERT project is a public effort providing security handling support to Open Source projects affected by security incidents or vulnerabilities, just like national CERTs offer services for their respective countries.
The service aims to help both large infrastructures, like major distributions, and smaller projects that can't afford a full-blown security team and/or security resources. This means aiding coordination between distributions and small project contacts. The goal is to reduce the impact of compromises on small projects with little or no infrastructure security, avoiding the ripple effect of badly communicated or handled compromises, which can currently result in distributions shipping code which has been tampered with.
oCERT also provides security vulnerability mediation for the security community, having reliable security contacts between registered projects and reporters that need to get in touch with a specific project regarding infrastructure security issues.
Last but not least oCERT provides aid with security vulnerability research and assessment.
Google backs open-source CERT group - Via Network World:
Google has thrown its weight behind a fledgling security reporting group for the open-source community.
The search engine giant, long a proponent of open-source software, is now one of three sponsors of oCERT, the Open Source Computer Emergency Response Team.
Launched in late March, oCERT aims to be a clearinghouse for data on security vulnerabilities in open-source products, keeping open-source distributors on top of flaws and helping small software projects ensure that users of their code are aware of any issues.
Google Backs Open-Source CERT Group - Via Slashdot:
alphadogg points to a Network World story, excerpting
"Google has thrown its weight behind a fledgling security reporting group for the open-source community. The search engine giant, long a proponent of open-source software, is now one of three sponsors of oCERT, the Open Source Computer Emergency Response Team. Launched in late March, oCERT aims to be a clearinghouse for data on security vulnerabilities in open-source products."
(Read Original Article - Via Slashdot.)
The Freenet Project - Freenet 0.7.0 release candidate 2 now available:
24th Apr, 2008 - Freenet 0.7.0 release candidate 2 now available
Freenet version 0.7 Release Candidate 2 is now available for public testing. Release Candidate 2 features many bugfixes and a number of usability improvements.
Freenet is a global peer-to-peer network designed to allow users to publish and consume information without fear of censorship. To use it, you must download the Freenet software, available for Windows, Mac, Linux and other operating systems. Once you install and run Freenet, your computer will join a global, decentralized P2P network. You will be able to publish and consume information anonymously, either through your web browser, or through a variety of third party applications.
Slashdot | Freenet Releases 0.7.0rc2 - Via Tech at Slashdot:
evanbd writes
"The Freenet Project has announced Freenet 0.7.0rc2. From the announcement: 'Freenet is a global peer-to-peer network designed to allow users to publish and consume information without fear of censorship. Freenet 0.7 is a ground-up rewrite of Freenet. The key user-facing feature in Freenet 0.7 is the ability to operate Freenet in a "darknet" mode, where your Freenet node will only talk to other Freenet users that you trust. This makes it much more difficult for an adversary to discover that you are using Freenet, let alone what you are doing with it. 0.7 also includes significant improvements to both security and performance.' Of course, for those of us who don't know anyone else running Freenet, or simply prefer it, there's also a non-darknet mode available."
(Read Original Article - Via Tech at Slashdot.)
Firefox update fixes security flaw - Via Macworld:
Mozilla has updated Firefox, Thunderbird and SeaMonkey, fixing a JavaScript security issue.
According to Mozilla, a security problem in the JavaScript engine introduced a stability problem with the applications, where some users experienced crashes during JavaScript garbage collection. The Web browser developer said the fix is being issued to mainly address the stability issues and made a point of saying that there is no evidence that the issue is exploitable.
The issue has been fixed in Firefox 2.0.0.14, Thunderbird 2.0.0.14 and SeaMonkey 1.1.10. The applications are available for download from the developer’s Web site.
(Read Original Article - Via Macworld.)
Schwartz Comments On NSA/Sun OpenSolaris Collaboration - Via Slashdot:
sean_nestor writes to mention that Sun CEO Jonathan Schwartz took a bit of time recently to comment on last week's announcement that Sun Microsystems would be partnering closely with the NSA for security research surrounding OpenSolaris. Rather than the typical loads of legalese and confidentiality agreements, Sun and the NSA are claiming that this move is more about the NSA joining the OpenSolaris community than anything else. I guess only time will tell.
(Read Original Article - Via Slashdot.)
Software for Keeping ISPs Honest - Via Electronic Frontier Foundation - Deeplinks Blog » March, 2008:
Yesterday's announcement of a détente between Comcast and BitTorrent was great news. Unfortunately, the general problem of ISPs doing strange things to Internet traffic without telling their customers is likely to continue in the future. EFF and many other organizations are working on software to test ISPs for unusual (mis)behavior. In this detailed post, we have a round-up of the tools that are out there right now, and others that are in development...
The Backstory
When you sign up for an Internet connection, you expect it to actually be an Internet connection. You expect that you can run whatever applications and protocols you choose over the link, or indeed that you can write your own software and run that.
There is a disturbing trend, however, of ISPs stepping in to meddle with your communications, deciding that some applications and protocols are more suitable than others. Or deciding that they can inject advertisements into your queries for domain names, or your browser's exchanges with web sites. Or deciding that encrypted traffic should be throttled across the board.
StopBadware discussion group sees flurry of hacked WordPress blogs - Via StopBadware Blog:
We like to feature occasional guest posts from members of the StopBadware community. Below, guest poster and StopBadware discussion group volunteer Steven Whitney sheds some light on a recent flurry of attacks on WordPress sites:
The StopBadware discussion group began receiving in January a flurry of reports about WordPress blogs suddenly flagged for badware by Google. The blogs had been hacked, and one or both of the following iframes were injected into their posts:
Security Holes In Google's Android SDK - Via Slashdot:
Redon Buckeye writes "Google's Android software development kit is using several outdated and vulnerable open-source image processing libraries, some of which can be exploited to take complete control of mobile devices running the Android platform.
Adobe Pushes DRM for Flash - Via EFF: Deep Links:
The immense popularity of sites like YouTube has unexpectedly turned Flash Video (FLV) into one of the de facto standards for Internet video. The proliferation of sites using FLV has been a boon for remix culture, as creators made their own versions of posted videos. And thus far there has been no widespread DRM standard for Flash or Flash Video formats; indeed, most sites that use these formats simply serve standalone, unencrypted files via ordinary web servers.
Now Adobe, which controls Flash and Flash Video, is trying to change that with the introduction of DRM restrictions in version 9 of its Flash Player and version 3 of its Flash Media Server software. Instead of an ordinary web download, these programs can use a proprietary, secret Adobe protocol to talk to each other, encrypting the communication and locking out non-Adobe software players and video tools. We imagine that Adobe has no illusions that this will stop copyright infringement -- any more than dozens of other DRM systems have done so -- but the introduction of encryption does give Adobe and its customers a powerful new legal weapon against competitors and ordinary users through the Digital Millennium Copyright Act (DMCA).
Open Source Advocate, Canadian Copyfighter, and AT&T Whistleblower Win Pioneer Awards | Electronic Frontier Foundation - Via The Electronic Frontier Foundation (EFF):
Mitchell Baker and the Mozilla Foundation, Michael Geist, and Mark Klein to be Honored at San Diego Award Ceremony
San Diego - The Electronic Frontier Foundation (EFF) is pleased to announce the winners of its 2008 Pioneer Awards: the Mozilla Foundation and its Chairman Mitchell Baker, University of Ottawa Professor Michael Geist, and AT&T whistleblower Mark Klein.
The award ceremony will be held at 7pm, March 4th at the San Diego Marriott Hotel and Marina in conjunction with the O'Reilly Emerging Technology Conference (ETech). Michael Robertson -- founder and CEO of MP3.com, Linspire, MP3Tunes and Gizmo5 -- will give the awards' keynote address: "What to Expect When You're Expecting...To Be Sued."
Slashdot | Extending SpamAssassin and Amavis - Via Slashdot | Developers:
An anonymous reader writes
"Spam filtering solutions are a necessary evil in today's e-mail climate. There are many different tools and systems available for the filtering and removal of spam e-mail. Tools like SpamAssassin and more detailed agents, such as Amavis use a variety of different methods to identify and capture spam. An IBM article shows how you can extend SpamAssassin and Amavis, providing additional filtering facilities to lower the amount of spam hitting e-mail boxes."
(Read Original Article - Via Slashdot | Developers.)
Slashdot | Firefox Spoofing Bug Puts Passwords At Risk - Via Slashdot:
hairyfeet writes "Aviv Raff, an Israeli researcher known for his work in hunting browser bugs, has revealed a Firefox spoofing vulnerability which could allow identity thieves to dupe users into giving up their password. According to Mr. Raff, Firefox fails to sanitize single quotes and spaces in the 'Realm' value of an authentication header.
I just wanted to wish you all a Merry Christmas and a Happy New Year! Here's hoping that next year is even better than this one.
New Details Support Tor Spying Theory - Via Threat Level:
You'll recall the story about the Swedish security researcher who stumbled upon unencrypted embassy e-mail traffic that was passing through five Tor exit nodes he set up. The researcher, Dan Egerstad, told me before the Swedish feds raided his apartment that he was certain that others were grabbing such traffic through Tor exit nodes in the same way that he was. Government and intelligence agencies were presumed to be some of the spies tapping into the Tor network.