Web firm sounds alert on criminal data trove - Via Reuters:
LONDON (Reuters) - A Web security firm said on Tuesday it had tipped off international banks and police after finding a huge trove of stolen business and personal data amassed on a server in the space of just three weeks.
Finjan Inc said it had notified the U.S. Federal Bureau of Investigation, police in various countries and more than 40 financial institutions in the United States, Europe and India about the discovery of the so-called "crimeserver".
"This server was running for about three weeks and within this period it managed to collect 1.4 gigabytes of data. It is indeed the largest treasure we've found in this very short time," Yuval Ben-Itzhak, chief technology officer of the California-based firm, said in a phone interview from Israel.
The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain.
"Crimeserver" Full of Personal/Business Data Found - Via Slashdot:
Presto Vivace sends news of a server found by security firm Finjan that contained a 1.4-GB cache of stolen data, accumulated over a period of less than a month from compromised PCs around the world. The "crimeserver," as Finjan dubs it, "provided command and control functions for malware attacks in addition to being a drop site for data harvested from compromised computers... The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain." Oddly enough, the data was stored in the open, with not even basic auth to protect it. Finjan notes in their press release that this huge trove of data gathered over a short period of time indicates that the crimeware problem is far larger than most observers have been assuming.
MSN Music Debacle Highlights EULA Dangers - Via EFF: Deep Links:
When Microsoft announced that it will no longer support former MSN Music customers who want to play their DRM disabled music on new computers, DRM-hating consumer advocates justifiably cried out, “I told you so!” But this debacle is not just another example of the dangers of DRM: it's also a reminder of the danger of overreaching end user license agreements, or EULAs.
Just as DRM allows unprecedented corporate control over music and movies, the EULAs that Microsoft and other content vendors force users to click through before downloading songs, shows or films help enforce and expand that control. For example, EULAs usually claim that whatever happens, you can't sue the company--even for problems that are entirely of the company’s own making. And EULAs are often used to try to limit a company’s obligation to live up to its apparent promises.
Judge in Murdoch Hacker Trial Admonishes CEO - Via Threat Level:
A California judge overseeing the trial against a Rupert Murdoch company for allegedly hacking a competitor and helping pirates steal pay-TV content, admonished the CEO of the Murdoch firm for leaving the court without testifying. As a result of the CEO's action, the judge suggested that if his company loses the trial it could face shareholder lawsuits.
Multichannel News reports that U.S. District Court Judge David Carter made the comments on Friday after temporarily halting the trial in mid-testimony and dismissing the jury.
Digital Deception - Via washingtonpost.com - Technology:
With a test, Web sites let people in and keep out computers set to unleash spam attacks. Now, computers are cracking the code.
Are you a human or a computer?
Over the Internet, it's getting harder and harder to tell.
Some of the common tests used by Web sites to distinguish between legitimate flesh-and-blood visitors and malicious human-mimicking computers recently appear to have been outwitted.
Last month, the human verification tests, which typically require users to identify deformed letters set against a cluttered backdrop, were broken by a computer. The computer then repeatedly created free Hotmail e-mail accounts and sent spam from them, according to Websense, the security firm that detected the hacking.
MSN Music Pulls the Plug on Customers - Via EFF: Deep Links:
Last week, Microsoft announced that it was leaving the paying customers of its MSN Music store out in the cold. Rob Bennett, the head of MSN Entertainment and Video Services, told customers in an email that “[a]s of August 31, 2008, we will no longer be able to support the retrieval of license keys for the songs you purchased from MSN Music or the authorization of additional computers."
In other words, the DRM copy protection that Microsoft and the major record labels insisted customers put up with has now drastically devalued that music -- at least for consumers who like to regularly upgrade their PCs. Come August 31st, if you buy a new computer, or even upgrade your OS, you’ll have to give up your MSN Music.
ICANN Takes a Step Toward Ending Domain Tasting - Via Slashdot: Your Rights Online:
An anonymous reader writes "For years, domain squatters have exploited an ICANN loophole: whenever a domain name is registered, ICANN collects a 20-cent fee from the registrar. To allow for non-paying customers, the registrar can return it five days later for a full refund. The loophole has let unscrupulous registrars constantly create and refund domain-squatting websites, selling 'what you need when you need it' advertising. The problem has grown so bad that every month the world's top three domain squatters, all located in Miami with the same address and represented by the same lawyer, recycle 11 million domain names. After years of complaints, ICANN has finally begun moving on the problem.
spammers gone wild - Via Freedom to Tinker:
I’m sure this sort of behavior is old news, but it’s still really annoying. Starting last night and continuing as I’m writing this, some annoying spammer has been forging my email address as the “From” line of a variety of spams. This is causing a staggering volume of backscatter, mostly of the “Delivery Status Notification (failure)” variety. Sampling these messages, I’m seeing several interesting things.
Senate Proposal To Clarify 'State Secrets' Doctrine - Via Slashdot:
I Don't Believe in Imaginary Property writes "Sen. Edward Kennedy (D-MA) and other lawmakers are pushing legislation to limit the power of the state secrets doctrine in blocking lawsuits. The doctrine has been used as a 'get out of jail free' card in cases like the EFF's warrantless wiretapping lawsuit. This new legislation would make it harder for the administration to invoke the doctrine, and provide new allowances, such as using attorneys with security clearances to enable the lawsuits to go forward even when the issue is appropriately raised." --- Update: 04/28 16:58 GMT by KD : The New Yorker is running a detailed piece, State Secrets, by Patrick Radden Keefe, about how the use of the state secrets doctrine is playing out in one particular case.
DRM sucks redux: Microsoft to nuke MSN Music DRM keys - Via Ars Technica:
Customers who have purchased music from Microsoft's now-defunct MSN Music store are now facing a decision they never anticipated making: commit to which computers (and OS) they want to authorize forever, or give up access to the music they paid for. Why? Because Microsoft has decided that it's done supporting the service and will be turning off the MSN Music license servers by the end of this summer.
MSN Entertainment and Video Services general manager Rob Bennett sent out an e-mail this afternoon to customers, advising them to make any and all authorizations or deauthorizations before August 31. "As of August 31, 2008, we will no longer be able to support the retrieval of license keys for the songs you purchased from MSN Music or the authorization of additional computers," reads the e-mail seen by Ars.
EFF Issues Report on Abuse of National Security Letter - Via EFF: Deep Links:
Today, EFF published a report on the misuse of a National Security Letter to seek educational records from North Carolina State University at Raleigh in 2005. The NSL authority does not allow the government to seek educational records.
The detailed report stems from EFF's Freedom of Information Act request for records about NSL abuse. FBI documents show that, over the span of three days in July 2005, the Charlotte Division of the FBI first obtained educational records pursuant to a grand jury subpoena, and then -- at the direction of FBIHQ -- returned the records and sought them again pursuant to an improper NSL.
The improper NSL was refused by the university, but the FBI finally obtained them pursuant to a second grand jury subpoena. Later in July 2005, FBI Director Robert Mueller used the delay in obtaining these particular records as an example of why the FBI needed administrative subpoena power instead of NSLs in testimony.
EFF Report: FBI Slowed Terror Investigation with Improper NSL Request - Via EFF: Breaking News:
San Francisco - The Electronic Frontier Foundation (EFF) has found that the Federal Bureau of Investigation (FBI), which claims that National Security Letters (NSLs) take too long and that it needs the authority to conduct surveillance without judicial oversight, delayed its own investigation of a student suspected of links to terrorism by employing an improper NSL to seek information on the suspect, at the direction of FBI Headquarters. The FBI failed to report the misuse for almost two years.
EFF's report comes as the House Judiciary Committee prepares for a Tuesday hearing on the misuse of NSLs. The Senate Judiciary Committee will hold another hearing on Wednesday.
"This report raises important questions about the FBI's use of these very powerful investigative tools," said EFF Senior Staff Attorney Kurt Opsahl. "Congress should determine why FBI headquarters insisted on an improper NSL instead of using the appropriate tools, and why the FBI failed to report the misuse for almost two years."
More Questions Swirl Around Mukasey's Emotional Plea for Warrantless Wiretapping - Via EFF: Deep Links:
The San Francisco Chronicle reports that lawmakers are still looking for answers about Attorney General Michael Mukasey's strange tale of an unmonitored terrorist phone call. Mukasey gave the account at a speech in San Francisco last month as part of an emotional plea to legalize warrantless wiretapping. But House Judiciary Committee members say this is the first they have heard of such a call.
D.C.'s Dirty Slavery Secret - Via ACLU Blog:
Today, Vania Leveille, Legislative Counsel at our Washington, D.C. Legislative Office, guest blogged on Pam's House Blend on D.C.'s dirty little secret of turning a blind eye to the enslavement of domestic workers by diplomats:
Policy makers have ignored for too long Washington, DC's dirty little secret: in the nation's capital, the State Department unwittingly facilitates the trafficking, exploitation and enslavement of poor women of color from around the world. It does so by issuing special nonimmigrant employment visas — more than 3,000 every year — so that ambassadors, foreign diplomats, consular officers, and employees of international organizations like the United Nations and the IMF can bring their nannies and other household workers into the US. Too often, these domestic workers become slaves in the household, unaware of their rights and unable to escape. And their tormentors are shielded by the domestic worker's anonymity and by diplomatic immunity.
Cities Tampering With Traffic Lights To Generate Revenue - Via Slashdot:
Techdirt is reporting that there has been a rash of reports indicating that red light cameras are being used to generate revenue rather than to promote safety.
"Time and time again studies have shown that if cities really wanted to make traffic crossings safer there's a very simple way to do so: increase the length of the yellow light and make sure there's a pause before the cross traffic light turns green (this is done in some places, but not in many others). Tragically, it looks like some cities are doing the opposite! Jeff Nolan points out that six US cities have been caught decreasing the length of the yellow light below the legal limits in an effort to catch more drivers running red lights and [increase] revenue."
Chertoff’s Defense of REAL ID is “Dead Wrong” - Via CDT - PolicyBeta:
Department of Homeland Security Secretary Michael Chertoff has a hard job. Among other things, it’s his responsibility to make sure that our country isn’t attacked by terrorists and that undocumented immigrants don’t cross our borders. So it’s understandable when he vociferously defends his Department’s efforts at “protecting the homeland.” But it’s inexcusable when the guy is simply factually (and vociferously) wrong on an important policy issue.
On April 2, Chertoff, testifying before the Senate Judiciary Committee during a hearing on DHS oversight, had the gall to say that public interests groups have been putting out “misinformation” and are “dead wrong” about the privacy and civil liberties risks of REAL ID. Yet it was the Secretary who put out misinformation and was dead wrong about the risk of the wrong people gaining access to personal information stored in the REAL ID card’s “machine-readable zone” (MRZ).
The Cybercrime Economy - Via Security Blog - InformationWeek:
Dot-coms daunted by the financial downturn would be well advised to look to the cybercrime economy.
Cybercriminals "have very sound business models," said Joe St Sauver, manager of Internet2 Security Programs through the University of Oregon at an RSA Conference panel on Wednesday, "better than many corporate business plans I routinely see."
The conference session, "Deconstructing the Modern Online Criminal Ecosystem," offered interesting insight into the way the Internet's black market works.