Standards

Dear Potus 08 - an open letter to the next President of the United States

Dear Potus 08 - Via CFP: Technology Policy '08:

From the in-progress page on the program wiki:

If the Computers, Freedom, and Privacy community wrote a letter to the next President of the United States about our priorities for technology policy, what would we say -- and how would we get him or her to read it?

There's only one way to find out.

At this year's conference dinner, we will launch a collaborative effort to write a short letter to the next President from the CFP '08 attendees. We'll get these initial results up on a wiki for comments and evolution, and refine them over the following 36 hours. By Friday morning, if we've managed to converge on something plausible, we'll start circulating the current draft for signatures. At the end of the conference, we'll mail the current draft to the presidential campaigns and invite their response.

We'll also put it all up on the web - with a Creative Commons "by" (attribution) license - and invite others to use it for whatever purposes they want as we revise our initial draft, get broader involvement and discussion, and try to get our voice heard amidst the din of the campaigns.

We'll be using this blog as a big part of the "Dear Potus 08" project, both to update the details -- currently described as "mostly TBD" -- and to discuss particular topics. The 9.5 theses thread is the best place to get involved with the technology policy discussion right now. In this thread, any questions or thoughts about "Dear Potus 08" -- or links to similar projects?

EFF Answers Your Questions About Border Searches

EFF Answers Your Questions About Border Searches - Via EFF: Deep Links:

Readers of my deeplink on safeguarding your laptop and digital devices from warrantless searches at the border responded with both questions and answers. Some readers wondered whether you have an obligation not to destroy information on your laptop. Others pointed out that U.S. citizens may be detained, but not turned away, at the U.S. border. Many technologists wrote to offer cryptographic solutions, or warnings about encryption schemes that are not as secure as they should be. In this post, I answer the question about destruction of information and reproduce or summarize, with permission, others' suggestions about protecting your laptop from arbitrary searches. I haven't done any independent analysis of these techniques or tools, so your mileage may vary.

Another victory for the anti-Real ID rebels

Daily Kos: Another victory for the anti-Real ID rebels - Via ACLU's diary in Daily Kos:

By Larry Frankel, State Legislative Counsel, ACLU Washington Legislative Office

The anti-Real ID movement just took a big step forward, with the Arizona Senate’s 21-7 vote to bar implementation of Real ID in Arizona. The bill (H.B. 2677) still has to go back to the Arizona House for another vote and then on to Governor Janet Napolitano for her signature. But as of this writing, Arizona is poised to join the growing number of states who have recognized that Real ID is an expensive and unworkable invasion of our privacy.

The good work of a bipartisan group of Arizona legislators contrasts with what happened last week in Minnesota. Governor Tim Pawlenty vetoed a transportation bill that passed the Minnesota legislature with overwhelming bipartisan support because the members of the Minnesota legislature had the audacity to say no to the federal Real ID Act. The governor’s veto message reads like a set of talking points from the Department of Homeland Security.

Google backs open-source CERT group

Google backs open-source CERT group - Via Network World:

Google has thrown its weight behind a fledgling security reporting group for the open-source community.

The search engine giant, long a proponent of open-source software, is now one of three sponsors of oCERT, the Open Source Computer Emergency Response Team.

Launched in late March, oCERT aims to be a clearinghouse for data on security vulnerabilities in open-source products, keeping open-source distributors on top of flaws and helping small software projects ensure that users of their code are aware of any issues.

Declassified NSA Document Reveals the Secret History of TEMPEST

Declassified NSA Document Reveals the Secret History of TEMPEST - Via Threat Level:

It was 1943, and an engineer with Bell Telephone was working on one of the U.S. government's most sensitive and important pieces of wartime machinery, a Bell Telephone model 131-B2. It was a top secret encrypted teletype terminal used by the Army and Navy to transmit wartime communications that could defy German and Japanese cryptanalysis.

Then he noticed something odd.

Far across the lab, a freestanding oscilloscope had developed a habit of spiking every time the teletype encrypted a letter. Upon closer inspection, the spikes could actually be translated into the plain message the machine was processing. Though he likely didn't know it at the time, the engineer had just discovered that all information processing machines send their secrets into the electromagnetic ether.

Betrayed MSN Music Customers Deserve More from Microsoft

Betrayed MSN Music Customers Deserve More from Microsoft - Via EFF: Breaking News:

San Francisco - The Electronic Frontier Foundation (EFF) is urging Microsoft Corporation to fix the problems it will cause when it shuts down the MSN Music validation servers, making it impossible for customers to transfer their music files to new computers or even upgrade their operating system.

In an open letter sent to Microsoft Chief Executive Officer Steve Ballmer today, EFF outlines five steps Microsoft must take to make things right for MSN Music customers -- including issuing a public apology, providing refunds or replacement music files, and launching a substantial publicity campaign to make sure all customers know their options.

"MSN Music customers trusted Microsoft when it said that this was a safe way to buy music, and that trust has been betrayed," said EFF Staff Attorney Corynne McSherry. "If Microsoft is prepared to treat MSN Music customers like this, is there any reason to suppose that future customers won't get the same treatment?"

Letters Give C.I.A. Tactics a Legal Rationale

Letters Give C.I.A. Tactics a Legal Rationale - Via New York Times:

WASHINGTON — The Justice Department has told Congress that American intelligence operatives attempting to thwart terrorist attacks can legally use interrogation methods that might otherwise be prohibited under international law.

The legal interpretation, outlined in recent letters, sheds new light on the still-secret rules for interrogations by the Central Intelligence Agency. It shows that the administration is arguing that the boundaries for interrogations should be subject to some latitude, even under an executive order issued last summer that President Bush said meant that the C.I.A. would comply with international strictures against harsh treatment of detainees.

While the Geneva Conventions prohibit “outrages upon personal dignity,” a letter sent by the Justice Department to Congress on March 5 makes clear that the administration has not drawn a precise line in deciding which interrogation methods would violate that standard, and is reserving the right to make case-by-case judgments.

Senate Poised To Tighten Broadcast Ownership Rules

Senate Poised To Tighten Broadcast Ownership Rules - Via American Civil Liberties Union:

Washington, DC – Today, the Senate Commerce Committee is expected to approve a bipartisan resolution, sponsored by Sen. Byron Dorgan (D-ND), which would restore a media ownership rule recently rescinded by the Federal Communications Commission (FCC). The old rule generally restricted a company from owning both a newspaper and a television station in the same city, unless the FCC granted a waiver.

Caroline Fredrickson, Director of the ACLU’s Washington Legislative Office said, “Senator Dorgan’s resolution aims to protect the airing of a multiplicity of voices, which fuels our democracy. Democracy is not served well by a media oligarchy where five or six corporations decide what Americans see in the news. We urge the Commerce Committee to also take up S. 2332, Senator Dorgan’s bill to reverse the media ownership rules to ensure the FCC does not go down this road again.”

'Outrageous' REAL ID affront to Americans' privacy concerns ( by Mark Sanford, the Republican governor of South Carolina )

'Outrageous' REAL ID affront to Americans' privacy concerns ( by Mark Sanford, the Republican governor of South Carolina ) - Via The Post and Courier of Charleston, SC:

If I were a betting man, I'd wager that most people haven't followed the debate on REAL ID. If you indeed missed it, I would ask that you take the time to learn about what I consider the most troubling piece of legislation I've seen come from Washington since I've been governor.

REAL ID would surreptitiously require all fifty states to change their driver's licenses to act as de-facto national ID cards. It's outrageous, and not just because it was a back door way of doing something proponents in Washington have never been able to pull off in the past.

I say "outrageous" because REAL ID was never really debated in Congress, because the cost of its implementation is handed down to states and individuals, and because it is an affront to Americans' privacy concerns.

Let's look more closely at a few of those concerns:

FCC Gets an Earful From Open-Net Defenders at Stanford

FCC Gets an Earful From Open-Net Defenders at Stanford - Via Threat Level:

Stanford professor Larry Lessig brought down the house at a net neutrality hearing Thursday, calling for the Federal Communications Commission to finally move to make sure that the internet's architecture remain open and neutral, with the goal of having the internet become as uncomplicated as the electrical grid.

With his standard flair for stunning PowerPoint presentations, Lessig made the case that an open internet made possible the massive economic gains of the 1990s and that network operators who want to change the internet in order to create fast and slow lanes need to prove that such a 'smart' network would actually be better than an internet where the intelligence lies at the edges.

"We are facing these problems because of a failure of FCC policy," Lessig said, as the FCC's five commissioners sat behind him in a Stanford auditorium. "The FCC failed to make it clear to the network owners that if they are building the internet they need to build it neutrally."

ISPs' Error Page Ads Let Hackers Hijack Entire Web, Researcher Discloses

ISPs' Error Page Ads Let Hackers Hijack Entire Web, Researcher Discloses - Via Threat Level from Wired.com:

Seeking to make money from mistyped website names, some of the United States' largest ISPs are instead creating gaping security holes in the web's largest websites, including eBay, PayPal, Google and Yahoo.

The ISPs are making it possible for hackers to turn any website into a source of viruses, phishing attacks and other malware.

The massive vulnerability introduced by Earthlink and Comcast was quietly and quickly patched on Friday, after IOActive security researcher Dan Kaminsky reported the vulnerability to Earthlink and its technology partner, a British ad company called Barefruit.

Automatic Patch-Based Exploit Generation

Automatic Patch-Based Exploit Generation - Via cs.cmu.edu:

by David Brumley, Pongsin Poosankam, Dawn Song, and Jiang Zheng
Abstract
The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for vulnerable programs based upon patches provided via Windows Update.

Windows Update Can Hurt Security

Windows Update Can Hurt Security - Via Slashdot:

An anonymous reader writes
"Researchers at Carnegie Mellon University have shown that given a buggy program with an unknown vulnerability, and a patch, it is possible automatically to create an exploit for unpatched systems. They demonstrate this by showing automatic patch-based exploit generation for several Windows vulnerabilities and patches can be achieved within a few minutes of when a patch is first released. From the article: 'One important security implication is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update... can detract from overall security, and should be redesigned.' The full paper is available as PDF, and will appear at the IEEE Security and Privacy Symposium in May."

FCC Hearings at Stanford: Towards a Consensus on ISP Transparency?

FCC Hearings at Stanford: Towards a Consensus on ISP Transparency? - Via EFF: Deep Links:

Yesterday, the FCC held a second hearing in its investigation of Comcast's use of forged RST packets to interfere with BitTorrent and other P2P applications. Free Press has a page linking to written testimony, statements, and audio and video recordings from the Stanford hearing.

At the previous hearing at Harvard Law School, Comcast attracted criticism for filling the auditorium with paid attendees. This time around, the telcos declined to participate at all. They sent proxies in their place: a conservative think tank called the Phoenix Center, freelance tech pundit George Ou, and one ISP: Lariat.net of Wyoming. It's a pity that ISPs aren't willing to participate in public debate about their own practices.

ISPs Say P4P Negates Need for Net Neutrality Regs

ISPs Say P4P Negates Need for Net Neutrality Regs - Via Slashdot:

Donut hole hole writes "AT&T and Comcast are using recent successful P2P trials to argue to the FCC that there's no need for strong traffic management or net neutrality rules. 'Comcast's statement, filed with the FCC on April 9th, hails an announcement by P2P developer Pando Networks that its experiments with P4P technology on a wide variety of U.S. broadband networks have boosted delivery speeds by up to 235 percent. This news, Comcast vice president Kathryn A. Zachem wrote to the Commission, "provides further proof that policymakers have been right to rely on marketplace forces, rather than government regulation, to govern the evolution of Internet services."' Looks like Comcast only likes P2P technology when it can be used to serve its political and regulatory agenda."