Help EFF Examine Once-Secret FBI Docs:
We've already started scouring newly-released documents relating to the misuse of National Security Letters to collect Americans' private information. But don't let us have all the fun — you, too, can dive into the docs and help uncover the truth about the FBI's abuse of power. All 1138 pages are freely downloadable (with searchable text) from EFF's website, and we'll be posting a new batch every month. read more »
DRM Not Dead, Just Temporarily Indisposed, Says RIAA Tech Head - Via Freedom to Tinker:
The RIAA’s head technology guy says that the move away from DRM (anti-copying) technology by record labels is just a phase, according to a Greg Sandoval story at News.com:
“(Recently) I made a list of the 22 ways to sell music, and 20 of them still require DRM,” said David Hughes, who heads up the RIAA’s technology unit, during a panel discussion at the Digital Hollywood conference. “Any form of subscription service or limited play-per-view or advertising offer still requires DRM. So DRM is not dead.”
…
Last January, when Sony BMG became the last major recording company to sell DRM-free tracks at Amazon, plenty of observers considered the technology buried. Since then, a growing number of online stores have begun offering at least some open MP3s, including Walmart.com, Zune’s Marketplace, Amazon, as well as iTunes.
Not so fast, said Hughes, who predicted that DRM would reemerge in a big way. “I think there is going to be a shift,” he told the audience. “I think there will be a movement towards subscription services, and (that) will eventually mean the return of DRM.”
The imminent success of subscription services with DRM is more or less what the record industry was predicting several years ago. read more »
Firefox Infects Vietnamese Users With Trojan Code - Via Threat Level:
Mozilla, the maker of the open source Firefox browser, is redoubling its efforts to check user created add-ons for viruses and Trojans after it discovered that a language pack on its official add-on page had been infected for months with rogue code, the organization reported Wednesday.
Starting in mid-February, Vietnamese users of Mozilla's open source Firefox browser were at risk of infection from malicious Trojan Horse code seemingly accidentally embedded in a language pack available on its Add-ons site.
The virus's signature was unknown at the time, and thus passed Mozilla's testing of add-ons. read more »
The oCERT project is a public effort providing security handling support to Open Source projects affected by security incidents or vulnerabilities, just like national CERTs offer services for their respective countries.
The service aims to help both large infrastructures, like major distributions, and smaller projects that can't afford a full-blown security team and/or security resources. This means aiding coordination between distributions and small project contacts. The goal is to reduce the impact of compromises on small projects with little or no infrastructure security, avoiding the ripple effect of badly communicated or handled compromises, which can currently result in distributions shipping code which has been tampered with.
oCERT also provides security vulnerability mediation for the security community, having reliable security contacts between registered projects and reporters that need to get in touch with a specific project regarding infrastructure security issues.
Last but not least oCERT provides aid with security vulnerability research and assessment.
FBI Targets Internet Archive With Secret 'National Security Letter', Loses - Via Threat Level:
The Internet Archive, a project to create a digital library of the web for posterity, successfully fought a secret government Patriot Act order for records about one of its patrons and won the right to make the order public, civil liberties groups announced Wednesday morning.
On November 26, 2007, the FBI served a controversial National Security Letter on the Internet Archive, asking for records about one of the library's registered users, including the user's name and address.
The Electronic Frontier Foundation, the Internet Archive's lawyers, fought the NSL, challenging its constitutionality in a December 14 complaint (.pdf) to a federal court in San Francisco. read more »
Web firm sounds alert on criminal data trove - Via Reuters:
LONDON (Reuters) - A Web security firm said on Tuesday it had tipped off international banks and police after finding a huge trove of stolen business and personal data amassed on a server in the space of just three weeks.
Finjan Inc said it had notified the U.S. Federal Bureau of Investigation, police in various countries and more than 40 financial institutions in the United States, Europe and India about the discovery of the so-called "crimeserver".
"This server was running for about three weeks and within this period it managed to collect 1.4 gigabytes of data. It is indeed the largest treasure we've found in this very short time," Yuval Ben-Itzhak, chief technology officer of the California-based firm, said in a phone interview from Israel.
The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain. read more »
"Crimeserver" Full of Personal/Business Data Found - Via Slashdot:
Presto Vivace sends news of a server found by security firm Finjan that contained a 1.4-GB cache of stolen data, accumulated over a period of less than a month from compromised PCs around the world. The "crimeserver," as Finjan dubs it, "provided command and control functions for malware attacks in addition to being a drop site for data harvested from compromised computers... The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain." Oddly enough, the data was stored in the open, with not even basic auth to protect it. Finjan notes in their press release that this huge trove of data gathered over a short period of time indicates that the crimeware problem is far larger than most observers have been assuming.
(Read Original Article - Via Slashdot.)
No-go on GOFA - Via CDT - PolicyBeta:
Today, CDT posted an updated memorandum on the most recent version of the Global Online Freedom Act ("GOFA"). GOFA was first introduced by Rep. Christopher Smith (R-NJ) several years ago in response to troubling reports of company complicity in Internet censorship and cooperation in prosecutions of dissidents who posted political material online. The late Rep. Tom P. Lantos (D-CA) took up the cause last year, and the bill was reported out of the Committee on Foreign Affairs late last year. Industry opposition to the bill has been fierce, and efforts to bring the bill to the floor on suspension have thus far been thwarted.
CDT strongly believes that technology companies doing business in countries that broadly surveil and censor the Internet must take serious steps to identify and minimize the human rights risks associated with providing services and technology solutions in those countries. For several years, we have been co-facilitating a multi-stakeholder initiative aimed at developing global principles to guide ICT companies facing free expression and privacy challenges. We remain hopeful that these principles will grow into a global industry standard that will give the industry a road map for collective action in this area.
We also believe that companies must not hide from these challenges. They should advocate for changes in public policy that protect the rights of their users, challenge laws where possible and collaborate with human rights groups and other stakeholders to build support for an open Internet that supports human rights. read more »
Google backs open-source CERT group - Via Network World:
Google has thrown its weight behind a fledgling security reporting group for the open-source community.
The search engine giant, long a proponent of open-source software, is now one of three sponsors of oCERT, the Open Source Computer Emergency Response Team.
Launched in late March, oCERT aims to be a clearinghouse for data on security vulnerabilities in open-source products, keeping open-source distributors on top of flaws and helping small software projects ensure that users of their code are aware of any issues. read more »
Google Backs Open-Source CERT Group - Via Slashdot:
alphadogg points to a Network World story, excerpting
"Google has thrown its weight behind a fledgling security reporting group for the open-source community. The search engine giant, long a proponent of open-source software, is now one of three sponsors of oCERT, the Open Source Computer Emergency Response Team. Launched in late March, oCERT aims to be a clearinghouse for data on security vulnerabilities in open-source products."
(Read Original Article - Via Slashdot.)
NZ cops get 'COFEE' to capture PC evidence - Via Stuff.co.nz:
New Zealand police have been given a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.
The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a prototype of a USB "thumb drive" that Microsoft has quietly distributed to a few law-enforcement agencies around the world.
A spokesman at police national headquarters said today: "Police have been issued with the COFEE tool by Microsoft and the E-Crime Lab's digital forensic analysts have been trained in the use of it".
New Zealand police had an excellent relationship with the software company, which had provided specialist training to digital forensic analysts and investigators, he said. read more »
The Freenet Project - Freenet 0.7.0 release candidate 2 now available:
24th Apr, 2008 - Freenet 0.7.0 release candidate 2 now available
Freenet version 0.7 Release Candidate 2 is now available for public testing. Release Candidate 2 features many bugfixes and a number of usability improvements.
Freenet is a global peer-to-peer network designed to allow users to publish and consume information without fear of censorship. To use it, you must download the Freenet software, available for Windows, Mac, Linux and other operating systems. Once you install and run Freenet, your computer will join a global, decentralized P2P network. You will be able to publish and consume information anonymously, either through your web browser, or through a variety of third party applications. read more »
Freenet Releases 0.7.0rc2 - Via Tech at Slashdot:
evanbd writes
"The Freenet Project has announced Freenet 0.7.0rc2. From the announcement: 'Freenet is a global peer-to-peer network designed to allow users to publish and consume information without fear of censorship. Freenet 0.7 is a ground-up rewrite of Freenet. The key user-facing feature in Freenet 0.7 is the ability to operate Freenet in a "darknet" mode, where your Freenet node will only talk to other Freenet users that you trust. This makes it much more difficult for an adversary to discover that you are using Freenet, let alone what you are doing with it. 0.7 also includes significant improvements to both security and performance.' Of course, for those of us who don't know anyone else running Freenet, or simply prefer it, there's also a non-darknet mode available."
(Read Original Article - Via Tech at Slashdot.)
500 Thousand MS Web Servers Hacked - Via Slashdot:
andrewd18 writes "According to F-Secure, over 500,000 webservers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious JavaScript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client's computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that have been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the 'net."
(Read Original Article - Via Slashdot.)
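The post above tells server admins to watch for the server-side injection; here is an added example (not from the Slashdot post or from F-Secure) of two defender-side checks: scanning served HTML for injected script tags that point at the three domains the post names, and scanning IIS-style log lines for the DECLARE/CAST(0x...)/EXEC batch that this campaign was reported to deliver in query strings. The log format, sample lines and the SQL-batch signature are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Domains the post names as hosting the malicious JavaScript.
MALICIOUS_HOSTS = {"nmidahena.com", "aspder.com", "nihaorr1.com"}

# Injected markup appended to text columns looked like <script src="http://host/x.js"></script>.
SCRIPT_TAG = re.compile(r'<script[^>]+src=["\']?https?://([^/"\'\s>]+)[^>]*>', re.I)

# Assumed signature (from public reporting on this campaign, not from the post): a T-SQL batch
# that declares a variable, CASTs a hex literal to NVARCHAR and EXECs it, smuggled in a query string.
SQLI_MARKERS = re.compile(r"declare\s+@\w+.*?cast\s*\(\s*0x[0-9a-f]+.*?exec\s*\(", re.I | re.S)

def find_injected_hosts(html: str) -> list[str]:
    """Return hosts of any <script src> tags that point at the known-bad domains."""
    return [h.lower() for h in SCRIPT_TAG.findall(html) if h.lower() in MALICIOUS_HOSTS]

def flag_sqli_requests(log_lines: list[str]) -> list[str]:
    """Return the W3C-style log lines whose URL-decoded cs-uri-query carries the batch signature."""
    hits = []
    for line in log_lines:
        if line.startswith("#"):          # skip directive lines such as #Fields
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        query = unquote_plus(fields[5])   # cs-uri-query is the 6th field in the constructed format
        if SQLI_MARKERS.search(query):
            hits.append(line)
    return hits

# Constructed sample data: one clean page and one page carrying an injected tag.
SAMPLE_HTML = '<p>Latest news</p><script src="http://nihaorr1.com/1.js"></script>'
# Constructed IIS-style lines; the hex literal is a placeholder, not a real payload.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2008-04-25 10:01:02 192.0.2.10 GET /news.asp id=12 200",
    "2008-04-25 10:01:09 192.0.2.77 GET /news.asp "
    "id=12;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4445434C%20AS%20NVARCHAR(4000));EXEC(@S);-- 200",
]

if __name__ == "__main__":
    print("injected hosts:", find_injected_hosts(SAMPLE_HTML))
    print("suspicious requests:", flag_sqli_requests(SAMPLE_LOG))
```

Run against real content, the HTML check belongs on the pages (or the database text columns) the server renders, and the log check on the cs-uri-query field of the actual IIS log export.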
What's Up with the Secret Cybersecurity Plans, Senators Ask DHS - Via Threat Level:
The government's new cyber-security "Manhattan Project" is so secretive that a key Senate oversight panel has been reduced to writing a letter to beg for answers to the most basic questions, such as what's going on, what's the point and what about privacy laws.
The Senate Homeland Security committee wants to know, for example, what is the goal of Homeland Security's new National Cyber Security Center. They also want to know why it is that in March, DHS announced that Silicon Valley evangelist and security novice Rod Beckstrom would direct the center, when up to that point DHS said the mere existence of the center was classified.
Those are just two sub-questions out of a list of 17 multi-part questions centrist Sens. Joe Lieberman (I-Connecticut) and Susan Collins (R-Maine) sent to DHS in a letter Friday. read more »
Congress, can you hear me NOW? (commentary) - Via PogoWasRIght - Privacy News Headlines:
By Dissent:
A few nights ago, I played "catch up" on breaches after the Maryland Attorney General's office started making breach notifications publicly available on the web.
It is staggering how many breaches we never learn about because there is no central registry of breaches and most states do not make their breach notices publicly available on the web. Thankfully, three states do report on notifications received, and two of them upload the reports themselves.
Since the beginning of this year, Maryland has received approximately 64 breach notifications. New Hampshire shows 43 breach reports for 2008. Of the combined pool of 74 unique breaches, 44 breaches appeared on one of the two, but not both, states' reports. Clearly we need more states uploading their reports as some breaches may be state- or region-specific. read more »
Digital Deception - Via washingtonpost.com - Technology:
With a test, Web sites let people in and keep out computers set to unleash spam attacks. Now, computers are cracking the code.
Are you a human or a computer?
Over the Internet, it's getting harder and harder to tell.
Some of the common tests used by Web sites to distinguish between legitimate flesh-and-blood visitors and malicious human-mimicking computers recently appear to have been outwitted.
Last month, the human verification tests, which typically require users to identify deformed letters set against a cluttered backdrop, were broken by a computer. The computer then repeatedly created free Hotmail e-mail accounts and sent spam from them, according to Websense, the security firm that detected the hacking. read more »