Paul Hardwick: Hardware

Administrivia: Possible unscheduled upgrade of Privacy Digest

Sun, 18 Mar 2007 01:39:04 GMT

Administrivia: Possible unscheduled upgrade of Privacy Digest.

I might be implementing an unscheduled upgrade of the site due to some problems with the software I am currently using to run the site. I had been working on upgrading the software to implement some new features but may have to implement sooner than originally planned. If you would like to take a peek at the planned software take a visit to http://www.PrivacyDigest.com/index.php Yes the full URL will have to be entered until I have completed the switch over.

There may be some hiccups during the process as the XML/RSS location will change along with access to the sub-topics. I plan to create mod-rewrite rules to take of this but they may not all be ready on day one.

Please let me know what you think.

Photocopiers: The newest ID theft threat.

Wed, 14 Mar 2007 19:40:11 GMT

Photocopiers: The newest ID theft threat. Photocopiers made in recent years often have hard drives that store what's been duplicated -- making them a potential target for identity thieves. [Computerworld Privacy News]

American Studios' Secret Plan to Lock Down European TV Devices.

Tue, 13 Mar 2007 19:53:46 GMT

American Studios' Secret Plan to Lock Down European TV Devices.

EFF Exposes Standards Jeopardizing Innovation and Consumer Rights

San Francisco - An international consortium of television and technology companies is devising draconian anti-consumer restrictions for the next generation of TVs in Europe and beyond, at the behest of American entertainment giants.

The Electronic Frontier Foundation (EFF) is the only public interest group to have gained entrance into the secretive meetings of the Digital Video Broadcasting Project (DVB), a group that creates the television and video specifications used in Europe, Australia, and much of Asia and Africa. In a report released today, EFF shows how U.S. movie and television companies have convinced DVB to create new technical specifications that would build digital rights management technologies into televisions. These specifications are likely to take away consumers' rights, which will subsequently be sold back to them piecemeal -- so entertainment fans will have to pay again and again for legitimate uses of lawfully acquired digital television content.

"DVB is abetting a massive power grab by the content industry, and many of the world's largest technology companies are simply watching," said Ren Bucholz, EFF Policy Coordinator, Americas. "This regime was concocted without input from consumer rights organizations or public interest groups, and it shows."

Despite recent record profits, American movie and television studios insist that new technologies could ruin their industry. In past battles against innovation, these same studios sued to block the sale of the VCR and the first mass-marketed digital video recorder in the U.S. Having failed in those efforts, they have now turned to creating technical standards that, when backed by law, are likely to restrict consumers' existing rights and threaten the future of technological innovation.

With DVB, the plan begun by entertainment companies in the U.S. has now gone global. EFF's report is aimed at alerting European consumer groups and consumers about the dangers posed by the proposed standards and providing informational resources for European regulators.

"DVB members' active indifference, even hostility, to user rights is shameful," said EFF Staff Technologist Seth Schoen. "When American studios ask for regulatory support for restrictions pushed through the DVB Project, public officials must stand up for consumer rights, sustain competition and innovation, and tell Hollywood to back off."

For the full report:
http://www.eff.org/IP/DVB/dvb_briefing_paper.php

EFF's 2005 Submission to the U.K. Department of Media, Sports and Culture:
http://www.eff.org/IP/DVB/dvb_critique.php

Contacts:

Ren Bucholz
Policy Coordinator, Americas
Electronic Frontier Foundation
ren@eff.org

Seth Schoen
Staff Technologist
Electronic Frontier Foundation
seth@eff.org

[EFF: Breaking News]

Seagate Ships Super-Secure Hard Disk Drive.

Mon, 12 Mar 2007 20:18:52 GMT

Seagate Ships Super-Secure Hard Disk Drive. ASI Computer Technologies will use the automatically encrypted Momentus in a laptop. [PC World: Latest Technology News]

NASA Describes Quantum Chip.

Sun, 11 Mar 2007 02:46:12 GMT

NASA Describes Quantum Chip. A custom chip powered a disputed demonstration of quantum computing by D-Wave Systems. [PC World: Latest Technology News]

Rootkits Evade Hardware Detection.

Tue, 06 Mar 2007 15:57:14 GMT

Rootkits Evade Hardware Detection. Sophisticated rootkits can hide from even the most reliable detection method currently available--hardware-based products, security researchers say. [PC World: Latest Technology News]

Hacker Defeats Hardware-based Rootkit Detection.

Mon, 05 Mar 2007 01:52:23 GMT

Hacker Defeats Hardware-based Rootkit Detection. Manequintet writes "Joanna Rutkowska's latest bit of rootkit-related research shatters the myth that hardware-based (PCI cards or FireWire bus) RAM acquisition is the most reliable and secure way to do forensics. At this year's Black Hat Federal conference, she demonstrated three different attacks against AMD64 based systems, showing how the image of volatile memory (RAM) can be made different from the real contents of the physical memory as seen by the CPU. The overall problem, Rutkowska explained, is the design of the system that makes it impossible to reliably read memory from computers. "Maybe we should rethink the design of our computer systems so they they are somehow verifiable," she said." [Slashdot]

Administrivia: Now we have a overheated CPU ( 60 degrees centigrade )

Tue, 27 Feb 2007 23:39:01 GMT

OK, if the DDOS attack wasn't enough. Now our server went down with a temperature overload. We were up to 60 degrees centigrade when we shut down. The CPU and a broken fan have been replaced.

Administrivia: Our data-center was hit by a DDOS attack today.

Tue, 27 Feb 2007 21:19:59 GMT

Sorry for being either very slow or off the net for a while recently. The data-center we are part of was hit by a DDOS (Distributed Denial Of Service) attack recently. At the moment it looks to be under control, but we are keeping an eye on things.

$82 Buys E-Voting Secrets.

Fri, 16 Feb 2007 17:39:17 GMT

$82 Buys E-Voting Secrets. Five Sequoia electronic voting machines sold at on online auction? $82. A chance for a researcher to dissect the embedded software that the company refused to make public? Priceless. By Kim Zetter. [Wired News: Top Stories]

Hitachi's Tiny RFID Chips.

Thu, 15 Feb 2007 21:32:21 GMT

Hitachi's Tiny RFID Chips. paltemalte writes "Hitachi has just come out with a new crop of RFID tags, measuring only 1/20 of a millimeter square. That's 1/8 the size (in linear dimension) of Hitachi's currently shipping mu-chips, which are 0.4 mm square. The new chip's width is slightly smaller than a human hair. These chips could put an end to shoplifting forever, but they could also be used by a governments or other entities to 'dust' crowds or areas, easily tagging anyone present without their knowledge or consent. Will someone come up with a surefire way of neutralizing chips that may be on your body or in your clothing?" --- Hard to pin down a source on this. The article cites another blog, which points to an article in Japanese. [Slashdot: Your Rights Online]

Time to Reboot the Internet Again.

Fri, 26 Jan 2007 16:18:32 GMT

Time to Reboot the Internet Again.

Cisco Systems Inc., the company whose hardware routers are responsible for handling the majority of the world's Internet traffic, today issued patches to fix at least three very serious security holes in its products. This is generally not something that the average user needs to worry about, but I'm blogging on it because the flaws do have the potential to cause some problems that Internet users could experience in a very real way (i.e. e-mail and Internet access temporarily goes bye-bye).

Most Internet service providers will stagger the installation of these patches so as not to disrupt customers' online connectivity, but one of these flaws appears to be so easy to exploit that if the bad guys figure out how before ISP get around to patching then we could very likely see portions of the Internet go dark soon.

Indeed, one of the flaws that Cisco highlighted today appears to suggest that most of Cisco's routers are susceptible to what can aptly be described as a "ping of death," that is -- send a single, specially crafted data packet down the wire to the control interface for an unpatched Cisco router, and you could make the device either crash or you can install software of your choosing on top of it. Granted, any Cisco administrator will tell you it is a very bad idea not to severely restrict remote access to a router's controls, but this is a serious threat nonetheless.

Tom Liston, an incident handler at the SANS Internet Storm Center, says this particular vulnerability definitely has the potential to get ugly.

"Cisco is very careful in their advisory not to give too many details on the options required" to exploit the vulnerability, he said. "But you can bet your next paycheck that the kiddies are right now playing around with [it] like mad about now. Overall, Cisco's mitigation steps aren't very practical in many environments, so this looks like it needs to be patched."

The Storm Center has changed its threat alert level from green to yellow over things like this in the past, but Liston says SANS will likely remain at green unless it begins to see signs that bad guys have figured out how to exploit the flaws.

As serious as this vulnerability is, the reality is that even if all of the vulnerable Cisco routers were attacked, it is unlikely that the Internet would fall over. That might have been the outcome not too long ago, when the Internet was held up pretty much by a Cisco router monoculture. However, today, many of the Internet's core networks are supported by routers manufactured by Cisco's chief rival, Juniper Networks.

While we're on the subject of the monocultures and large scale Internet attacks, it seems appropriate to mention that tomorrow is the fourth anniversary of the SQL Slammer worm, which infected 100 percent of the vulnerable Web servers on the planet inside of 15 minutes, temporarily disabling many important infrastructure systems that relied on the flawed Microsoft component.

[Security Fix]

TrackStick: Amateur Surveillance.

Fri, 26 Jan 2007 14:38:13 GMT

TrackStick: Amateur Surveillance.

I just received a (spam) e-mail asking me if I'm interested in becoming a reseller of the TrackStick or TrackStick Pro. Um, no.

TrackStick is a GPS tracking device featuring software integrated with Google Maps to enable tracking of oneself (I suppose) and amateur surveillance of others (more likely). The device records its location, time, date, speed, heading and altitude at preset intervals. With over 1Mb of memory, they claim it can store months of travel information. Downloading the data to their software allows the user to trace the devices activity via Google Maps and even Google Earth. The screenshot to the right reveals that a device was at a shopping mall on Sept 16 at 4:33pm and stayed there for 6 minutes.

The basic version looks like a typical USB flash drive. You can simply drop it in your wife's purse or kids backpack, and they'd probably never know. The sales pitch touts various applications:

Find where your kids have beenVerify
employee driving routesReview
family members driving habitsWatch
large shipment routesKnow
where anything or anyone has been

The Pro version is meant to be permanently installed on vehicles and features tamper resistant labels so you know if your employee or loved one has become suspicious and tries to remove the device.

Amateur surveillance has never been so easy...

[michaelzimmer.org]

Editor: Links removed since I don't want to help the products search ranking in any way. Hmm, They didn't ask me to sell their product. Should I be happy or insulted ;-)

Cisco Routers Affected by Security Problems.

Fri, 26 Jan 2007 14:17:32 GMT

Cisco Routers Affected by Security Problems. The company warns of serious vulnerabilities in its IOS software, releases update. [PC World: Latest Technology News]

The Surprising Security Threat: Your Printers

Thu, 18 Jan 2007 20:51:53 GMT

Networked printers -- yes, printers -- can open your corporate network to malicious attacks. They need security patches, too.

The Blaster worm hit McCormick and Co. hard and fast. It entered the famous spice company through a service provider connection and ripped across plants and offices in a matter of hours. What was most vexing, however, was that the virus kept coming back on disinfected network segments.

Upon further investigation, it turned out that Blaster, as well as some instances of the Sasser worm, were trying to repropagate from infected network printers.

"Printers were just one of several types of systems contributing to the nightmare at the time," says Michael Rossman, who'd just taken over as global director of IT services and information security at McCormick at the time of the worm outbreak in 2003. "Blaster went to all our PCs, our radio frequency units, our handhelds. And, we learned belatedly, it also spread to our printers."

Printers Vulnerable To Security Threats.

Thu, 18 Jan 2007 20:49:16 GMT

Printers Vulnerable To Security Threats. jcatcw writes "Networked printers are more vulnerable to attack than many organizations realize. Symantec has logged vulnerabilities in five brands of network printers. Printers outside firewalls, for ease of remote printing, may also be open to easy remote code execution. They can be possible launching pads for attacks on the rest of the network. Disabling services that aren't needed and keeping up with patches are first steps to securing them." From the article: "Security experts say that printers are loaded with more complex applications than ever, running every vulnerable service imaginable, with little or no risk management or oversight.... [N]etworked printers need to be treated like servers or workstations for security purposes [~] not like dumb peripherals." [Slashdot]

Another Step Towards Cable Set-Top Competition

Fri, 12 Jan 2007 02:10:03 GMT

Another Step Towards Cable Set-Top Competition.

Way back in 1996, Congress directed the FCC to foster useful, competitive alternatives to cable providers' proprietary set-top boxes. As we saw at CES, several alternatives that rely on CableCARD technology are finally coming to market, and now the FCC took another step towards putting them on a more level competitive playing field.

Yesterday, the FCC denied Comcast's request for a permanent waiver from the "integration ban," which in effect forces cable providers to rely on CableCARD in their own set-top boxes. Without the ban, providers would be able to continue pushing their own proprietary set-top boxes on customers, treating CableCARD devices (such as TiVo Series 3 HD) like second-class citizens. The ban had been delayed twice before due to cable industry pressure and will go into effect on July 1.

Unfortunately, CableCARD devices are DRM-laden, but consumers could face even worse DRM if cable providers' set-tops were the only game in town. Set-top competition should help hold the DRM in check as well as bring more features and lower prices to consumers.

EFF, Public Knowledge, and a coalition of public interest groups recently asked the FCC to reject the cable providers' requests. Also, over 2000 people used EFF's Action Center to file comments with the FCC and support set-top competition.

The FCC did grant two more limited requests from other cable providers, but Chairman Kevin Martin stated at CES that, "I think the commission should be saying no to some of the largest carriers [requesting "blanket waivers" of the integration ban]."

Keep the letters to the FCC coming by visiting EFF's Action Center now.

[EFF: Deep Links]

Canadian coins bugged, U.S. security agency says

Wed, 10 Jan 2007 19:39:10 GMT

They say money talks, and a new report suggests Canadian currency is indeed chatting, at least electronically, on behalf of shadowy spies.

Canadian coins containing tiny transmitters have mysteriously turned up in the pockets of at least three American contractors who visited Canada, says a branch of the U.S. Department of Defence.

Security experts believe the miniature devices could be used to track the movements of defence industry personnel dealing in sensitive military technology.

"You might want to know where the individual is going, what meetings the individual might be having and, above all, with whom," said David Harris, a former CSIS officer who consults on security matters.

"The more covert or clandestine the activity in which somebody might be involved, the more significant this kind of information could be."

The counter-intelligence office of the U.S. Defence Security Service cites the currency caper as an example of the methods international spies have recently tried to illicitly acquire military technology.

A Warning to Windows Users on Acer Laptops.

Wed, 10 Jan 2007 19:12:38 GMT

A Warning to Windows Users on Acer Laptops.

Anyone using a laptop made by computer maker Acer Inc. should be aware of a serious security threat apparently resident on many -- if not all -- models shipped with Microsoft's Windows OS over the past decade or so.

According to research first published in November and picked up only recently by geek and security news sites, Acer computers ship with a Microsoft ActiveX control that gives bad guys the ability to control any aspect of the computer remotely if the user is browsing with any version of Internet Explorer but the latest (at least in IE7 the browser is supposed to ask you if you want to run the ActiveX control, whereas older versions of IE may simply let it run automagically). Online criminals would need to lure the Acer user to a malicious Web site to pull off the hijacking -- a common Internet fraud tactic.

ActiveX (or "hacktiveX" as it is sometimes derisively called by security researchers) is a Microsoft creation that is deeply woven into the Windows operating system and into Internet Explorer. ActiveX was designed to allow Web sites to develop interactive, multimedia-rich pages, but such powerful features rarely ever come without security trade-offs.

It's not clear what function this particular ActiveX has, other than to perhaps make it easier for Acer to troubleshoot issues should customers call with support problems. Acer users can check to see whether the control is present on their machine by clicking "Start," "Search," and then entering the filename, "lunchapp.ocx". It's probably safe to go ahead and remove it by clicking "Start," "Run," and type "regsvr32 -u lunchapp.ocx" (without the quote marks). Although it might not be a bad idea to set a restore point in Windows before you do (in Windows XP, you can get to the page to set a System Restore point by clicking "Start," "Programs," "Accessories," and then "System Tools.")

I put a query in to Acer about this on Monday and again today, but have to hear back from them. I'll be sure to update this post in the event that I receive a response.

About a year ago Security Fix wrote about the danger of sloppily designed ActiveX controls. Cue the wavy lines on the screen and psychadelic music as we take you back to that post:

As it turns out, a poorly designed ActiveX control distributed by a Fortune 500 company that most consumers already trust can be just as dangerous as a malicious control foisted by a dodgy Web site. According to estimates by Richard M. Smith, a privacy and security consultant at Boston Software Forensics, more than half of all Windows PCs contain one or more ActiveX controls which allow for system takeover from malicious Web pages.

Smith found dangerous security problems in ActiveX controls distributed by dozens of other major companies, including PC manufacturers and even some of the nation's largest Internet service providers. In some cases, he said, these insecure controls come pre-installed on a Windows PC from the factory. Last year, computer maker HP and Internet service provider America Online fixed similar flaws in ActiveX controls that shipped with their software.

The most recent high-profile scare over an ActiveX control came as part of the recent controversy over a flawed piece of anti-piracy software installed by certain Sony BMG music CDs. After the label released a program to help customers remove the software, security experts found that the program left behind an ActiveX control that any Web site could use to plant any files -- even viruses or spyware -- on a visitor's computer if they browsed the site with IE.

[Security Fix]

CES 2007: DRM, Device "Integration," HD Cable on the PC.

Wed, 10 Jan 2007 00:50:27 GMT

CES 2007: DRM, Device "Integration," HD Cable on the PC.

Michael Gartenberg sums up one theme of CES nicely:

"A few years ago, it was all about convergence, the merging of all functionality into a single device. This year, it's all about how to integrate the diversity of devices that consumers are using into a whole that allows for the information and content they want to flow seamlessly from device to device[sigma].
"DRM restricts the flow of content seamlessly. Likewise, home networks are still a huge issue (but lots of stuff being shown at CES that can help potentially overcome some of this stuff)."

On the one hand, we've seen devices like Sling's new Sling Catcher, which will help you send video from your PC to your TV. Netgear and Bittorrent are also teaming up to help you download video and move it around your digital home.

On the other hand, there are also some clear DRM fault lines. For instance, quite a few companies at CES are showing off devices that will let you receive digital cable on PCs running Microsoft Vista. These CableCARD-compatible devices allow you to do away with your cable company's proprietary set-top box and receive and record HD straight to your computer.

That's great news, but there's a catch. As explored in our article about TiVo Series 3 for HD, all CableCARD-compatible devices are forced to add DRM shackles. So with these Vista devices, you'll be limited in how you stream around the home, and you won't be able to copy recordings to other devices. In other words, you've already invested a good chunk of change in your cable subscription, but it seems you'll have to pay again for the same content if you want it on another device.

When you ask product representatives when new CableCARD-compatible devices will be approved to help with portability around the home and beyond, they say "soon." (The same answer you get when you ask when you'll be allowed to rip that HD-DVD you bought to your iPod with the DRM vapor-ware known as "AACS Managed Copy.") At a convention that hypes up devices that aren't even close to the market (let alone ready for mass adoption), "soon" translates to "a very long time."

[EFF: Deep Links]

U.S. Bars Lab From Testing Electronic Voting - New York Times

Thu, 04 Jan 2007 16:35:10 GMT

A laboratory that has tested most of the nation's electronic voting systems has been temporarily barred from approving new machines after federal officials found that it was not following its quality-control procedures and could not document that it was conducting all the required tests.

Skip to next paragraph

The company, Ciber Inc. of Greenwood Village, Colo., has also come under fire from analysts hired by New York State over its plans to test new voting machines for the state. New York could eventually spend $200 million to replace its aging lever devices.

Experts on voting systems say the Ciber problems underscore longstanding worries about lax inspections in the secretive world of voting-machine testing. The action by the federal Election Assistance Commission seems certain to fan growing concerns about the reliability and security of the devices.

The commission acted last summer, but the problem was not disclosed then. Officials at the commission and Ciber confirmed the action in recent interviews.

Ciber, the largest tester of the nation's voting machine software, says it is fixing its problems and expects to gain certification soon.

Experts say the deficiencies of the laboratory suggest that crucial features like the vote-counting software and security against hacking may not have been thoroughly tested on many machines now in use.

"What's scary is that we've been using systems in elections that Ciber had certified, and this calls into question those systems that they tested," said Aviel D. Rubin, a computer science professor at Johns Hopkins.

Feds Shut Down E-voting Certification Lab

Thu, 04 Jan 2007 16:31:45 GMT

Feds Shut Down E-voting Certification Lab.

Colorado-based Ciber Inc., the largest laboratory that tests software used in U.S. voting systems, has been temporarily banned from approving new systems following problems discovered last summer by the Election Assistance Commission. In July, the EAC began a new oversight program that increased the level of scrutiny that independent testing authorities ("ITAs") must satisfy in order to be able to review candidate voting systems. The EAC found that Ciber was not following proper quality-control procedures and could not document that it was conducting all the required tests. Ciber's renewed petition for accreditation is currently under EAC review.

The ITA review process, largely closed and funded by voting machine vendors themselves, is regularly criticized for its lack of transparency and procedures that are insufficient to ensure that systems are accurate and secure.

[EFF: Deep Links]

Computers, Freedom and Privacy - Montreal, May 1-4 2007

Thu, 28 Dec 2006 23:41:06 GMT

Come to CFP2007 in Montreal, May 1-4 2007. There's a lot at stake.

Forensically Unrecoverable Hard Drive Data Destruction.

Sat, 23 Dec 2006 03:02:01 GMT

Forensically Unrecoverable Hard Drive Data Destruction. This paper, written by Daniel James, is a good introduction in to data destruction and recovery touching on the basics with good references defined for further research. By Daniel James. [Infosec Writers Latest Security Papers]

RFID Guardian Project ( Faculty of Science : Vrije Universiteit )

Thu, 07 Dec 2006 17:53:03 GMT

Our paper at USENIX Lisa 2006 just won theBest Paper Award!
The RFID Guardian Project is a collaborative project focused upon providing security and privacy in Radio Frequency Identification (RFID) systems. The goals of our project are to:

Investigate the security and privacy threats faced by RFID systems
Design and implement real solutions against these threats
Investigate the associated technological and legal issues

The namesake of our project is the RFID Guardian: a mobile battery-powered device that offers personal RFID security and privacy management. One the focuses of our project is to build an RFID Guardian prototype.

RFID Personal Firewall.

Thu, 07 Dec 2006 17:46:09 GMT

RFID Personal Firewall. JanMark writes "Prof. Andrew Tanenbaum and his student Melanie Rieback (who published the RFID virus paper in March) and 3 coauthors have now published a paper on a personal RFID firewall called the RFID Guardian. This device protects its owner from hostile RFID tags and scans in his or her vicinity, while letting friendly ones through. Their work has won the Best Paper award at the USENIX LISA Conference." [Slashdot: Your Rights Online]

Nike + iPod poses threat to personal security.

Mon, 04 Dec 2006 18:01:49 GMT

Nike + iPod poses threat to personal security.

Could aid stalking and burglary

One of this year's must-have gadgets for music-crazy runners is a security nightmare that could help someone track your movements with relative ease, according to researchers at the University of Washington.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

Congress unlocks US cellphones.

Sat, 25 Nov 2006 01:36:09 GMT

Congress unlocks US cellphones.

But censorware research is illegal, again

The US copyright office will permit mobile phone subscribers to unlock their phones, allowing them to be used by rival network providers.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

Slashdot | Trusted or Treacherous Computing?

Sat, 25 Nov 2006 01:01:19 GMT

theodp writes "Just because Richard Stallman is paranoid doesn't mean Microsoft's not out to get you. For a hint about the possible end-game of Microsoft's Trusted Computing Initiative, check out the patent application published Thanksgiving Day for Trusted License Removal, in which Microsoft describes how to revoke rights to render based on 'who the user is, where the user is located, what type of computing device or other playback device the user is using, what rendering application is calling the copy protection system, the date, the time, etc.' So much for Microsoft's you-should-have-control assurances."

Exploit Targets Widely Deployed Wireless Flaw.

Wed, 15 Nov 2006 00:19:41 GMT

Exploit Targets Widely Deployed Wireless Flaw.

A security researcher has released a set of instructions for exploiting a security flaw in the wireless Internet devices built into millions of new laptops from HP, Dell, Gateway and other computer makers. An attacker could use the flaw to take complete control over any vulnerable machine located within a few hundred feet, so be forewarned that reading the rest of this post could make you awfully leery of that guy sitting in the corner booth at Starbucks gleefully clacking away on his laptop.

According to the the latest addition to the Month of Kernel Bugs project, the vulnerability resides in a flawed device driver from Broadcom Corp. that is bundled with many different laptops and built in to some devices made by Linksys and Zonet. The flaw is exploitable on vulnerable Windows machines whether or not the machine is connected to a wireless network. In fact, it is the wireless card's background scan for available wireless networks that apparently triggers the flaw.

Security researcher Johnny "Cache" Ellch said he reported the bug to Broadcom last month, and that the exploit code he released today is tailored to work on a very specific version of the Broadcom driver (Version 3.50.21.10). Still, he said, it appears that every version except a brand new one currently being distributed is vulnerable.

"The exploit only needs to be modified slightly for other versions," Ellch wrote in an online chat conversation with Security Fix.

The Broadcom flaw also highlights a serious set of problems with fixing security vulnerabilities in device-driver software. For starters, who is responsible for shipping a patch? Many different companies use Broadcom chips and rebrand the hardware and drivers as their own. Linksys appears to be the only vendor that has a downloadable update for some of its affected devices. In addition, it's not clear what sorts of mechanisms the PC makers have in place to push updates (should they become available) out to customers.

Apparently, these are questions that a number of security experts are also asking now. In an alert jointly posted today by the Zeroday Emergency Response Team (ZERT is the group that made headlines earlier this year for releasing an unofficial patch to fix a dangerous Windows flaws), the Metasploit Project, the SANS Internet Storm Center and SecuriTeam, the groups explained why writing a one-sized-fits-all patch would not work in this instance.

"Though most of these vendors and manufacturers use the same basic driver, it differs enough that in most cases a single patch just won't cut it," the groups wrote in their alert. "Further, building a patch for all the different drivers from each vendor and all their versions, as well as test against them, is impractical."

Paul Vixie, a ZERT volunteer, said Microsoft's Windows Update and Automatic Update patch deployment network could play a huge role in pushing fixes out to affected machines, but he said that process would likely be complicated and take some time.

"Any way they try to address this is going to be a mess, and moving the fix to the user is going to be a lot like moving water with a fork," Vixie said. "This is dangerous because we know that people who like to do bad things are going to take advantage of this, that's no longer an open question."

There is evidence to suggest the Linksys patch may plug the security hole in certain operating systems, but it's not altogether straightforward and we may not be at the stage where it would be responsible to explain how to do that. I suspect that a number of PC makers will come forward with updates to fix this problem in the coming days and weeks, and Security Fix will point to those as they are made available.

In the meantime, many laptops sold these days come with a button you can push to disable the built-in wireless card. If your laptop came with one of those, it might not be a bad idea to get into the habit of using it.

[Security Fix]

DriveSentry Unveils Storage 'Firewall'.

Wed, 08 Nov 2006 03:54:34 GMT

DriveSentry Unveils Storage 'Firewall'. Program manages whitelist of safe applications, blocks others from writing to hard drive. [PC World: Latest Technology News]

Beaucoup Cell-Phone Security.

Wed, 01 Nov 2006 07:08:33 GMT

Beaucoup Cell-Phone Security. Want a phone that can recognize you and refuse to work if you get too far away from it? A new Japanese mobile phone comes with a security card that doubles as a credit card, and has facial ID capability and password protection. [Wired News: Top Stories]

Vista's hardware tolerance: one significant change before support remediation

Wed, 01 Nov 2006 07:00:16 GMT

Windows Vista's licensing terms have raised eyebrows among PC enthusiasts. As previously reported, Windows Vista sports a new Software Protection Platform (SPP) aimed at curbing piracy. Among SPP's many "features" is a service that monitors PCs for evidence of significant hardware changes. New hard drive? New motherboard? Windows Vista will recognize and keep track of the hardware in your PC, much like its predecessor Windows XP did, and it will use that information to monitor licensing compliance.

What has enthusiasts concerned are language changes to the retail license for Vista that restrict the number of times you may transfer Vista from one device to another. The license reads: "The first user of the software may reassign the license to another device one time. If you reassign the license, that other device becomes the 'licensed device.'" Putting SPP and the new license together, many have wondered if Windows Vista would permit major hardware changes such as swapping out a motherboard. To make matters more confusing, reports circulated last week claiming that Microsoft's official policy allows for 10 re-activations stemming from hardware changes. We decided to contact Microsoft to get to the facts.

Seagate Readies Secure Drive.

Mon, 30 Oct 2006 18:21:06 GMT

Seagate Readies Secure Drive. Automatically encrypted Momentus is aimed at laptops containing sensitive data. [PC World: Latest Technology News]

Creative Labs "Upgrade" Removes FM Radio Recording.

Thu, 26 Oct 2006 03:19:30 GMT

Creative Labs "Upgrade" Removes FM Radio Recording.

Engadget (via BoingBoing) reports yet another digital media device "upgrade" that actually downgrades certain features. Creative Labs' latest firmware update to the Zen MicroPhoto and Zen Vision:M portable media players removes the ability to record FM radio.

None of Creative's customers asked for this misfeature, though certain copyright holders might have. Today radio recording restrictions are not mandatory, but if the major record labels get their way, that won't be the case -- take action now to block digital radio restrictions bills currently in Congress.

[EFF: Deep Links]

Apple Says Some iPods Shipped With Virus.

Wed, 25 Oct 2006 02:50:21 GMT

Apple Says Some iPods Shipped With Virus.

Apple Computer this week warned customers that some Video iPods sold over the past five weeks were shipped with a computer virus capable of infecting computers running Microsoft Windows and exposing them to attacks by hackers.

Apple said the virus was embedded in less than 1 percent of the Video iPods available for purchase after September 12, 2006. Greg Joswiak, vice president of iPod product marketing at Apple, said the company traced the virus back to a Windows machine used to test iPod software in the manufacturing process.

Joswiak declined to say how many devices were affected, citing the potential impact on investors closely watching the company's earnings reports today. But he said Apple has corrected the problem and that all video iPods the company is currently shipping are virus-free.

The virus (more accurately, a computer worm) variously dubbed "RavMonE.exe" and "W32/Rjump.worm" by different anti-virus vendors, first surfaced in June and attempts to spread to all memory storage devices attached to an infected computer. It also opens a "back door" on infected PCs that criminals can use to gain access to the machines.

Joswiak said affected Windows users should be able to clean up the problem with up-to-date anti-virus software. Because the virus spreads to all removable media attached to an infected machine, any media inserted into the PC after the acquisition of the Video iPod should also be scanned for infection.

From Apple's advisory: "After installing an anti-virus application, you should attach your Video iPod to your Windows computer and run the anti-virus program. If your Windows system is infected with this virus, an alert will be triggered and inform you that the virus has been detected and either quarantined or removed. You should then use iTunes 7 to easily restore the software on your newly purchased Video iPod."

Apple said it has received fewer than 25 reports about the problem. But Ed Felten, director of the Center for Information Technology Policy at Princeton University, said many Windows users who have this virus on their machines may not have noticed, as it silently installs itself when the users merely plugs the device into their computer.

"This type of thing is a risk that follows from fact that these are storage devices, but also that Windows is designed to accept programs from storage devices very easily," Felten said. "Twenty-five complaints translates into who knows how many people infected."

Eric Gaertner, 19, of East Brunswick, N.J., said he noticed his Video iPod was infected on Oct. 6 when his anti-virus program threw up a warning after he plugged the week-old device into his Windows XP computer.

Gaertner said he was able to delete the virus and the three infected files it installed, but that he remains bitter about the whole ordeal.

"I paid $250 for this thing, and it's pretty ridiculous that Apple's quality control is not better than that, because a lot of people who might get an iPod probably don't have up to date anti-virus [software] installed," he said.

The iPod news comes just days after McDonald's Japan recalled MP3 players it gave away as prizes to customers after learning that the devices shipped with spyware designed to steal sensitive data that users entered at financial and e-commerce Web sites. Last year, multimedia giant Creative acknowledged that roughly 4,000 of the company's Zen Neeon MP3 players shipped with a Windows computer worm embedded inside.

One final note: I took a look this morning at the Internet servers (located in China) that the virus is designed to connect back to, but at the moment they do not appear to be online or accepting any connections.

Update, 4:11 p.m. ET: The above post was edited to include comments from an individual whose PC was infected after plugging in a brand new Video iPod.

[Security Fix]

Pay By Touch puts its finger on ID verification system.

Wed, 11 Oct 2006 21:41:13 GMT

Pay By Touch puts its finger on ID verification system. Pay By Touch, a credit card processing and in-store biometrics vendor, has launched an identity verification service that allows online shoppers to make purchases by using their fingerprint to verify their identity. [Computerworld Privacy News]

Slashdot | New Copy Protection to Make Playing DVDs on a PC Difficult

Wed, 11 Oct 2006 21:25:22 GMT

The Cowardly Pirate writes "ZDNet's Hardware 2.0 blog is reporting that new copy-protection software for DVD publishers from a company called ProtectDisc not only makes it difficult to rip movies that you've purchased but also prevents discs from playing in a Windows PC at all. From the article: 'Protect DVD-Video is the brainchild of a company called ProtectDisc. Part of the copy-protection mechanism is a non-standard UDF (Universal Disc Format) file system which results in the IFO file on the DVD (this is the file responsible for storing information on chapters, subtitles and audio tracks) appearing to the PC as being zero bytes long.'"

Chaos Computer Club condemns e-voting machine.

Wed, 11 Oct 2006 03:57:02 GMT

Chaos Computer Club condemns e-voting machine.

Flaws detected

The German Computer Chaos Club, Europe's largest hacker group, has called for a ban on the Nedap ES3B voting machine and similar computers after a Dutch citizens group found flaws in the dated e-voting machine.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

Intel and Symantec Push Security Into Firmware.

Sun, 01 Oct 2006 05:46:51 GMT

Intel and Symantec Push Security Into Firmware. 'Virtual security solution' is designed to slow virus and malware attacks. PC World: Latest Technology News]

ATM Hack Uncovered.

Thu, 21 Sep 2006 16:37:01 GMT

ATM Hack Uncovered.
A security expert in New York has learned how to get free money from some ATMs by entering a special code sequence on the PIN pad.

Last week, news reports circulated about a cyber thief who strolled into a gas station in Virginia Beach, Virginia, and, with no special equipment, reprogrammed the mini ATM in the corner to think it had $5.00 bills in its dispensing tray, instead of $20.00 bills.

Using a pre-paid debit card, the crook then made a withdrawal, and casually strolled off with a 300% profit in his pocket.

Foolishly, he left the ATM misprogrammed this way for 9 days -- presumably to the delight of other customers -- before a good Samaritan reported the issue and exposed the caper.

How, exactly, he pulled off the swindle remained unreported. Curious, Dave Goldsmith, a computer security researcher at Matasano Security began poking around. Based on CNN's video, he identified the ATM as a Tranax Mini Bank 1500 series.

He then set out to see if he could get a copy of the manual for the apparently-vulnerable machine to find out how the hack worked. Fifteen minutes later, he reported success.

I am holding in my hands a legitimately obtained copy of the manual. There are a lot of security sensitive things inside of this manual. As promised, I am not going to reveal them, but there are:

Instructions on how to enter the diagnostic mode.
Default passwords
Default Combinations For the Safe

Do not ask me for them.

I didn't have to. Following his clues, I found a copy of the Tranax manual online, from a third-party website, within a few seconds. Sure enough, it includes a special key sequence to put the ATM into "Operator Mode." Passwords are required from there, but the default passwords are listed.

The manual suggests operators change the default passwords. Presumably, Tranax sent out a reminder of this important tip last week after the Virginia heist appeared on CNN. Otherwise, expect long lines at the ATM for a while.

[27B Stroke 6]

ATM Crime Spree Imminent?

Thu, 21 Sep 2006 16:23:14 GMT

ATM Crime Spree Imminent?

I ran to the Shell Food Mart across the street from Wired News HQ, and found a Tranax Mini -Bank 1500 sitting oblivious next to the potato chips.

I did not try the default password. But, I have to wonder, how many vulnerable ATM machines are out there?

According to the company website, "Tranax has installed more than 70,000 ATMs and self-service terminals throughout North America." Besides the 1500, that includes card and ticket kiosks, and two other ATM models which may or may not have the same issue. But the Mini-Bank 1500 is the company's flagship.

Now that the Virginia gas station hack has brought this cash-friendly crime to the fore, the implications are mind boggling; how many people bother to change default passwords, if given the option not to?

There are some limitations for crooks though. From the manual, it appears the ATM has a hard limit on the number of bills it will dispense -- 40 per transaction. That caps the net take from a single card, at a single machine, at a meager $600.

So it's a high-tech street crime, at best. I'd bet the perp in Virginia Beach has been pulling this caper for a long time, probably as part of an organized ring. I wonder if they practice the button-presses on a mock-up ATM pad, until the sequence for free money is absorbed into muscle memory.

A Tranax spokeswoman told me at 4:00 p.m. she'd look into the whole thing and get back to me. For now, it's unclear what action the company has taken.

And what about other ATMs? A Google search turned up the manual for a line of small cash machines from Tranex competitor Triton. These ATMs also have a backdoor key sequence, and a lamentably simple default password printed in the manual. But using it requires the ATM be power-cycled, which probably makes it less attractive to crooks. Who wants to be seen futzing with an ATM's power cord at the Quick-E-Mart?

If you have experience with other models, or special insight into retail ATM security, drop me a line.
[27B Stroke 6]

Court Declines To Hear Campus Wiretapping Challenge.

Thu, 14 Sep 2006 18:20:49 GMT

Court Declines To Hear Campus Wiretapping Challenge.

The FCC rules in question re-interpreted a 1994 law known as CALEA, which distinguished between telecom networks, such as the traditional phone system and Internet providers.

Under that law, telecoms were forced to make it easier for law enforcement to listen in on phone calls.

Civil liberties groups controversially agreed to the legislation, so long as the Internet was not subject to the technical dictates of federal law enforcement agencies.

In August 2005, the FCC announced the bargain was off.

The American Council on Education challenged the extension of the rules to college networks, but a district court panel voted 2-1 to allow the FCC to sometimes regulate broadband providers as telecommunications providers and sometimes as information services. (Ruling)

The upshot, according to my good editor Mr. Poulsen:

Universities and broadband ISPs will be on the hook for an expensive retrofitting of their networks with surveillance gear, while law enforcement agencies will enjoy much quicker and easier access to information like a user's e-mail headers and the websites they visit, or -- with a court order -- a real time feed of the target's entire internet stream.

The American Council on Education can now appeal the ruling (.pdf) to the Supreme Court, but that's always a long shot.

[27B Stroke 6]

Cable Modem Hacker Publishes a Tell-All.

Wed, 30 Aug 2006 13:19:52 GMT

Cable Modem Hacker Publishes a Tell-All.
Cable Modem Hacker Publishes Tell-All

The founder of a hardware-hacking group that helps scofflaw internet speed junkies "uncap" their cable modems has written a how-to book.

From the press release:

Written for people at all skill levels, Hacking the Cable Modem features step-by-step tutorials with easy to follow diagrams, source code examples, hardware schematics, and previously unreleased cable modem hacks.

Readers of "Hacking The Cable Modem" will learn:

-the history of cable modem hacking

-how a cable modem and DOCSIS work

-the importance of firmware (including ways to install new firmware)

-how to unblock network ports and unlock hidden features

-how to hack and modify a cable modem

-what uncapping is and how it makes cable modems upload and download faster

"I don't like black boxes; I like to know how things work. The goal of this book and my point in publishing it is to show the many cable modem users how that black box works, how to understand it, and how to control it," said Bill Pollock, founder of No Starch Press.

NoStarch Press is the independent publisher that took in Andrew "bunnie" Huang's book Hacking the Xbox after Wiley -- in a shameful moment in publishing -- spiked it out of an abundance of respect for the DMCA.

This book could be as controversial. Like the Xbox, cable modems are meant to be tamper resistant -- to only run code that's been digitally signed by the cable provider, even if you own the modem. This is to prevent you from doing things like sniff your neighbors' packets off the wires, get service before you've activated it, or uncap your modem to get extra bandwidth.

Author "DerEngel" and his gang, TCNiSO, have gotten around that several ways -- some of them very cool. They found a vestigial serial port on a modem's circuit board that, with a little soldering, lets you plug in a computer terminal and interact with a command prompt. Later they found a buffer overflow that allows you to soft-mod some modems without ever cracking the case.

They started off developing methods and software to allow amateurs to easily uncap their modems (tsk) and wound up writing a complete firmware replacement for the Motorola Surfboard 5100 cable modem.

I don't know how much of that is in the book, but the table of contents looks fun. There's also a sample chapter (.pdf) online.
[27B Stroke 6]

Passports receiving ID chips / Infineon gets order for high-tech security documents

Tue, 22 Aug 2006 15:49:39 GMT

A German semiconductor company with offices in San Jose said Monday that it has received an order from the U.S. government for millions of identification chips that will be embedded in passports to help prevent fraud at border crossings.

Infineon Technologies provided few details about the order. A spokeswoman for the Government Printing Office, which prints and binds passports in Colorado, confirmed the deal.

A French company, Gemalto, has also received an order for a pilot run of the ID chips, she said, but at this point it isn't known whether those will go into volume production.

The chips carry an encrypted digital photograph of the passport holder. The chip is designed to be read by a special device that will be used by U.S. government workers who check passports when travelers come through border crossings.

The State Department began issuing what are being called e-passports to tourists last week and will gradually increase production. State Department spokeswoman Janelle Hironimus said existing passports will remain valid until they expire but, eventually, all U.S. passports -- about 13 million will be issued in 2006 -- will contain such chips.

The decision to mass produce these chip-powered passports comes after a lengthy process during which privacy activists argued that the new electronic devices might give hackers access to personal information. And while their complaints prompted features to boost privacy, skeptics remain.

"Whether the changes are enough, we'll have to find out,'' said Lillie Coney, associate director of the Electronic Privacy Information Center in Washington.

Privacy not a problem, say smart-card vendors

Tue, 22 Aug 2006 15:28:04 GMT

A group of smart-card and smart-chip vendors is launching a campaign to talk up the security and privacy features of their products, even as researchers raise questions about their use in passports.

Smart-card makers Gemalto NV and Oberthur Card Systems, as well as chip makers Infineon Technologies AG, Philips Semiconductors and Texas Instruments Inc., on Wednesday launched the Secure ID Coalition to promote the use of secure smart card standards as a way to protect privacy.

The group, debuting at the National Conference of State Legislators this week, was formed because the message about the security features of contactless smart cards is "not getting through very clearly," said Tres Wiley, director of e-documents for Texas Instruments.

Earlier this month, at the Black Hat conference in Las Vegas, German security researcher Lukas Grunwald demonstrated a way to copy information from his passport's RFID (radio frequency identification) chip to another smart card. And as the U.S. Department of State geared up this month to start issuing passports with smart cards included, Bruce Schneier, chief technology officer of Counterpane Internet Security Inc., predicted that the new passports could eventually be hacked and allow for surreptitious tracking.

GSA awards smart-card contract to BearingPoint.

Mon, 21 Aug 2006 17:36:03 GMT

GSA awards smart-card contract to BearingPoint. The GSA has awarded IT systems integrator BearingPoint a five-year contract worth up to $104.6 million to help federal agencies move to mandated smart-card identity systems. The company now contends with an "incredibly aggressive" rollout timeline. [Computerworld Privacy News]

Infineon chips to be used in U.S. e-passports.

Mon, 21 Aug 2006 17:32:48 GMT

Infineon chips to be used in U.S. e-passports. German chip maker Infineon Technologies will supply chips for new electronic passports the U.S. government will begin issuing in October. [Computerworld Privacy News]

CALEA challenge.

Tue, 01 Aug 2006 18:35:15 GMT

CALEA challenge.

CDT, EFF, the Media Access Project, Sun, and Pulver.com have asked the judges on the D.C. Circuit Court of Appeals to all sit together to reconsider the June 9 opinion upholding the FCC[base ']s creative interpretation of CALEA.

In order for such a reconsideration request to be granted, the petition has to concern a [base "]question of exceptional importance.[per thou] That[base ']s certainly present here [~] the D.C. Circuit[base ']s June ruling allowing the FBI to serve as a gatekeeper for online applications doesn[base ']t fit with the statute and poses enormous threats to innovation.

Remember, everyone has to comply with lawful wiretapping/interception requests. Compliance is not the issue here. The additional cost-shifting burden imposed by CALEA is to require that things be built so that they are easily tappable by law enforcement.

In 1994, Congress unquestionably exempted the internet (both access to the internet and applications used online) from CALEA obligations. (That[base ']s why there[base ']s an awful CALEA rewrite in circulation now [~] DOJ wants to change the law.) Even though the statutory language is clear, the FCC decided to interpret the statute to include elements that had specifically been left out by Congress.

The FCC did this by saying that the statute was ambiguous [~] when it isn[base ']t [~] and by arguing that because [base "]interconnected VoIP[per thou] services are [base "]replacements for a substantial portion[per thou] of traditional telephone services they must be covered by CALEA.

Their position was/is specious, in my view, because CALEA specfically excludes [base "]information services.[per thou] And [base "]information services[per thou] include internet access and online applications.

But backing up the frame from the statutory arguments (which the petition admirably presents in visual/analogy form several times) reveals a crucial and enormous legal issue. Congress hasn[base ']t expressly delegated power to the FCC to [base "]regulate the internet.[per thou] Who gets to do this [base "]regulation[per thou] is very important to the future of this country. In the absence of an express delegation, no deference to the agency[base ']s views is required. The D.C. Circuit is the group we depend on to rein in the Commission when it gets adventurous [~] or succumbs to pressure.

The FCC is far from independent of the wishes of the Executive Branch, particularly when it comes to national security and law enforcement desires. Incrementally, in a thousand definitional nuances and statutory-creep extensions, the Commission is becoming the de facto internet regulator. Surely we[base ']d want to have told them to do this; surely we would have thought through the consequences of such a step. Because we haven[base ']t, it would be wrong for a court to defer to what they have to say when it comes to the regulation of the internet. Particularly when it comes to getting FBI guys involved in designing new online applications.

[Public Knowledge - Policy Blog]

Sony Patent Will Limit PlayStation Abilities - Los Angeles Times

Fri, 14 Jul 2006 15:14:10 GMT

Sony Corp. has patented technology that would prevent its PlayStation consoles from playing used, rented or borrowed video games -- raising questions about whether the electronics and entertainment giant may attempt to redefine what it means to own something in the digital age.

Speculation over Sony's plans for the technology have sparked a furor online as game fans and consumer advocates fret that the company may incorporate it into the upcoming PlayStation 3 console, due to hit stores this fall.

Sony 'Anti-Used Game' Patent Explored.

Fri, 14 Jul 2006 15:09:34 GMT

Sony 'Anti-Used Game' Patent Explored. Sometime in 2000, Sony patented a process that would 'verify a disc as legitimate, register the disc to that particular game console, then wipe out verification data so the disc would be rendered unreadable in other PlayStations'. Despite unrest in the gaming community over this technology, the company has repeatedly stated they have no plans to use it in the PS3. The LA Times explores this persistent debate, examining why Sony developed the tech and why gamers are nervous. From the article: "Whatever Sony's plans, the tempest [over the patent] illustrates the changing nature of ownership as millions of people accumulate vast collections of digital entertainment. Few people realize that when they buy software or music or movies, they are actually buying a license to use, watch or listen. That's why it violates copyright laws for people to sell copies of their music collection." Thanks to 1up.com for the link. [Slashdot: Your Rights Online]

Man-In-The-Middle vs. Cute Password Fob (InterTube RoundUp).

Fri, 14 Jul 2006 14:51:20 GMT

Man-In-The-Middle vs. Cute Password Fob (InterTube RoundUp).

Those great little security fobs that churn out seemingly random numbers that some banks and brokerage houses are handing out? Not perfect security, as Bruce Schneier points out by pointing to the blog of the Washington Post's security guru Brian Krebs.

Here's a report of phishers defeating two-factor authentication using a man-in-the-middle attack.

The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

I predicted this last year.

[27B Stroke 6]

Broadcast Flag Smackdown: Video v. Audio.

Fri, 14 Jul 2006 14:31:40 GMT

Broadcast Flag Smackdown: Video v. Audio.

One of the memes repeated over and over again at the House Energy and Commerce broadcast flag hearing two weeks ago was that the audio broadcast flag is much different (read: worse) than the video version. This argument is made largely to explain why the consumer electronics, software and broadcast industries are neutral or support the video flag, while they vehemently oppose the audio flag.

Yes, there are some superficial distinctions between the two, but they are distinctions without a difference. Here are the justfications most often given for distinguishing the two flags:

The video flag was developed by [base "]consensus.[per thou] This one either makes me laugh out loud or furious. First, there was significant disagreement on a number of issues surrounding the flag when it was proposed to the Copy Protection Technical Working Group, including whether it would be effective, whether it would have adverse consequences for consumers, and how specifically to enforce the [base "]compliance and robustness[per thou] rules. Second, CE, software and other companies heartily opposed the flag scheme at the FCC, as, did, by the way, every consumer group working on this issue (we don[base ']t usually count when determining whether there is a consensus, it seems). In fact, PK[base ']s filings in the broadcast flag court case were largely cribbed from Philips Electronics[base '] FCC filings. But Hollywood[base ']s relentless pressure has paid off, and those companies who opposed the flag are either grudgingly supporting it, or neutral.
The audio flag scheme would prohibit personal copying, while the video flag scheme only prohibits [base "]mass, indiscriminate redistribution[per thou] over the Internet. It is true that if you have the right equipment you should still be able to make personal copies with the video flag. (Remember, some old devices may not work with flag-compliant devices, and once you buy one brand of flag-compliant device, you must buy the same brand for all downstream devices). However, regardless of what the FCC claims that the broadcast flag scheme prohibits, all but one of the broadcast flag technologies approved by the FCC prohibit all Internet redistribution, not just [base "]mass, indiscriminate[per thou] redistribution. So if I want to email a copy of my appearance on the local news to my mother, the flag prohibits me from doing so. Essentially, the video flag permits me to retain my fair use rights circa 1992. Not a significant improvement over the audio flag, if you ask me.
The video flag scheme has been vetted and debated, the audio flag scheme has not. It is true, and not insignificant, that unlike the video flag technology, no audio flag technology exists, although that certainly does not make the video flag scheme better policy. But it would be hard to argue that the concept of copy protection for digital and satellite radio has not been publicly debated. The FCC put the issue of broadcast radio content protection out for public comment, and Congress has had at least three hearings on various radio content protection proposals in this Congress. So the merits of radio content protection, whatever it might look like, has been and still is, being vigorously debated.

Regardless of these distinctions, what the flag schemes have in common should alarm anyone wants to promote innovation and competition. Both flag schemes would put the Federal Communications Commission in the position of technology gatekeeper - determining what devices can and cannot come to market. This determination of course, would be made under great pressure from the powerful and persistent content industry to limit approvals to only those technologies with which they approve. This alone, should be enough reason for technology companies to oppose both flag schemes.

So why are broadcasters, CE companies and software companies either supporting or neutral about the video flag yet opposed to the audio flag? It all comes down to politics, of course. Local broadcasters are not affected by the flag one way or another, but their Disney, Fox, Viacom & Universal-NBC brethren have put the thumbscrews to the National Association of Broadcasters (NAB) to support it. Some of the Hollywood studios, which also own broadcast stations, have quit the NAB before over media ownership battles, and one can only guess that their continued membership is contingent on NAB support of the video flag.

Several CE companies, including the aforementioned Philips have decided it is better to join [OE]em than beat [OE]em. Having bet wrongly that we would lose our court case, Philips and some others have started to manufacture flag compliant devices, and don[base ']t want competition from more consumer-friendly non-compliant devices. And the support of companies like Philips hamstrings trade groups like the Consumer Electronics Association from taking a position.

Tactically, I think it is a grave mistake to try and distinguish the two, since they are, at their core, exactly the same - ways for the content industry to have veto power over new devices. Even if the video flag somehow makes it into law without the audio flag (unlikely given Senator Frist[base ']s desire to help his former chief of staff, RIAA CEO Mitch Bainwol), cries of [base "]regulatory parity[per thou] will be heard from the RIAA[base ']s corner. And that is an argument that is likely to carry a great deal of weight at the FCC and elsewhere.

[Public Knowledge - Policy Blog]

Two Leftovers. - DOD trying for lockdown of FOIA and DOJ wants router backdoors

Tue, 11 Jul 2006 12:23:22 GMT

Two Leftovers.

Two bits I meant to get around to over the weekend, but didn't -- the Army is funding research in how to further lock down Freedom of Information Act requests and the Justice Department is drafting model legislation that would require router manufacturers to build backdoors for law enforcement.

The feds are showing the legislation to industry representatives, but it is likely too late in the legislative calendar for anything to happen this year.

The bill would, according to News.com's Declan McCullagh:

Require manufacturers of routing and addressing hardware to modify their equipment or firmware to make Internet wiretapping easier.
Extend wiretap rules to instant messaging (likely including in-game messaging services) if the FCC agrees.
Force ISPs to figure out what VOIP service a wiretap target is using.
Free the feds from having to publicly report how often they wiretap and how much capacity they need for those taps.

Read the whole story for the details and Declan's solid contextualization of the proposal.

Beyond, the obvious privacy issues, forcing manufacturers to build in back-doors in internet switches raises serious security risks.

And the USA Today reports that the military is paying a law school a million dollars to study better ways to keep more information out of the reach of Freedom of Information Act requests. The reason: some of that information, such as infrastructure information, could be used by terrorists. The tightening has been going on for years and it's getting harder and harder to get information from the government.

Steven Aftergood, who runs the Federation of American Scientists Project on Government Secrecy, has given up on FOIAs, due to this tightening and the judicial deference given to claims of secrecy.

A million bucks might have been better spent on stealth black markers that only show up black text when would-be terrorists pore through government documents.

[27B Stroke 6]

FBI plans new Net-tapping push | CNET News.com

Mon, 10 Jul 2006 13:31:51 GMT

The FBI has drafted sweeping legislation that would require Internet service providers to create wiretapping hubs for police surveillance and force makers of networking gear to build in backdoors for eavesdropping, CNET News.com has learned.

FBI Agent Barry Smith distributed the proposal at a private meeting last Friday with industry representatives and indicated it would be introduced by Sen. Mike DeWine, an Ohio Republican, according to two sources familiar with the meeting.

The draft bill would place the FBI's Net-surveillance push on solid legal footing. At the moment, it's ensnared in a legal challenge from universities and some technology companies that claim the Federal Communications Commission's broadband surveillance directives exceed what Congress has authorized.

FBI Planning New Net-Tapping Push.

Mon, 10 Jul 2006 13:28:59 GMT

FBI Planning New Net-Tapping Push. Section_Ei8ht writes to tell us CNet is reporting that the FBI is pushing for legislation to allow law enforcement officials free access to networking gear via built in backdoors for eavesdropping. From the article: "Jim Harper, a policy analyst at the free-market Cato Institute and member of a Homeland Security advisory board, said the proposal would 'have a negative impact on Internet users' privacy. People expect their information to be private unless the government meets certain legal standards,' Harper said. 'Right now the Department of Justice is pushing the wrong way on all this.'" [Slashdot: Your Rights Online]

Cops spot-fine Goth £80 for upsetting weapons detector.

Thu, 06 Jul 2006 15:55:56 GMT

Cops spot-fine Goth Â£80 for upsetting weapons detector.

Worried of Arsenal...

Metal detectors have feelings too, apparently. Last Friday a team of crack (are you sure about this? - Ed) coppers leapt to the defence of one being verbalised by a Goth at Highbury & Islington station, and spot-fined the miscreant Â£80.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

Internet Security Zone Blog: Forensics: Looking Inside the Stolen VA Laptop

Wed, 05 Jul 2006 13:58:32 GMT

As mentioned in this post, the laptop containing Veteran's Administration data was recovered. While it's good they got the *hardware* back, recovering the laptop itself doesn't mean the data wasn't stolen.

Speaking to this concern, another report stated this:

FBI Says Data on VA Laptop Not Accessed

The FBI, in a statement from its Baltimore field office, said:
A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen. A thorough forensic examination is underway, and the results will be shared as soon as possible. The investigation is ongoing.

As a former Computer Forensic Specialist, I wanted to explain what's probably going on with this laptop now that the FBI has the system and is forensically examining it. This explanation assumes the data was present on the hard drive (not a CD-Rom or other storage medium).

The Fourth of July, 2006 is Privacy Digest's 7th Anniversary

Mon, 03 Jul 2006 16:14:11 GMT

Tomorrow, The Fourth of July 2006, Privacy Digest will have been publishing as this domain for seven years. We were actually around a bit longer as part of another blog. But on July 4, 1999, I decided that the issue was important enough to warrant it's own dedicated domain.

If you would like to help out my Amazon wishlist has a few things I need. More ideas on ways to support us can be found here.

Business: No cash? No card? Just stick in finger

Mon, 26 Jun 2006 12:28:19 GMT

TAMPA - Customers can pay with cash, plastic or their index finger at a new Coast to Coast Family Convenience store here.

Taking a big step beyond the ease of the Mobil SpeedPass, Coast to Coast has installed what's claimed as Florida's first biometric payment system.

There are no cards or PIN numbers to remember. Just stick your finger in the scanner and be on your way.

While applications are available to process credit and store loyalty card transactions by fingerprint, this one is limited to processing only debit account transactions.

"People either love it or think it's a sign of the coming apocalypse,'' said Amer Hawatmeh, owner of the new convenience store at 110 E Bearss Ave. who signed up a few hundred customers for Pay By Touch. "But to me, it's the wave of the future.''

Pay By Touch is one of several speedier payment technologies racing to build enough retailer acceptance to ace out rivals and overcome consumers' rising concerns over identity theft.

It's all on the road to payment gurus' vision of a cashier-free future, in which customers just walk out the door while their transaction is automatically processed.

The big credit card companies, for instance, are deploying a card reader developed by MasterCard International that picks up a radio signal to record a transaction when a card is merely tapped on or waved around a reader at the checkout stand. Other wireless systems in use in other countries use built-in payment system prompts broadcast to and from a cell phone to activate vending machines.

Pay By Touch is a closely held San Francisco startup that uses finger-scan technology to authenticate payment account holders. Backed by $130-million in venture capital money, Pay By Touch recently paid $82-million to acquire BioPay LLC, its biggest finger-scan competitor that has won a following in Europe big enough to authenticate $7-billion worth of transactions to date.

Pay By Touch now has tests under way with several convenience stores, gas stations and supermarket chains around the United States, including Harris Teeter in the Carolinas, Farm Fresh in Virginia and Jewel Osco in Chicago.

"Finger scanning is new, so we want to get people used to it by building acceptance at high-frequency, high-traffic retail locations such as gas stations and grocery stores,'' said Leslie Connelly, spokeswoman for Pay By Touch. "We're also going into places where people who don't have a banking relationship cash paychecks.''

The company is a bit puzzled by customer privacy fears. After all, they say, how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token or account number that's tapped into a computer or spoken over the phone?

The company pledges not to sell or rent personal information, or access to it. The fingerprint image recorded is not the same as those collected by the federal government or law enforcement.

It's similar to the finger-scan technology used at theme park gates. Those systems take measurements of patrons' hands and fingers and link them to a multi-day pass to prevent several people from using one person's pass.

The Pay By Touch computer records a multitude of point-to-point measurements and stores them in an encrypted form in an IBM data center. Images of both index fingers are kept in case a shopper's trigger finger is hidden by a bandage.

Senators skeptical of need to fill analog hole.

Thu, 22 Jun 2006 14:53:39 GMT

Senators skeptical of need to fill analog hole.

Today, the Senate Judiciary Committee held a hearing considering the "problem" of the analog hole. Public Knowledge President Gigi Sohn was the last witness, and the 3 Senators in attendance seemed to react well to her message and the concerns of our allies in the tech sector.

First, let's cover some technical and legal background. (Skip ahead if you just want the digs on the hearing. Also, here are Gigi[base ']s oral and written (pdf) testimony.)

[Public Knowledge - Policy Blog]

EFF Launches New Animation - Stop Hollywood's Corruptibles!

Wed, 14 Jun 2006 14:44:42 GMT

EFF Launches New Animation - Stop Hollywood's Corruptibles!

In 2006 the entertainment industry asked the government to give it incredible new powers -- the broadcast flag, digital radio restrictions, and control over all analog-to-digital devices.

But in the future, those super powers will become the Corruptibles, three villains that invade your home, break your devices, and stop legitimate uses. EFF has launched a new Flash animation today that features exclusive, breaking news footage from the future.

Remember, the Corruptibles aren't real, but the powers that they represent could be. Don't let the entertainment industry try this at home. Find out more about the proposed laws and write your representatives now.

You can also watch The Corruptibles on EFF's MySpace page, Google Video, and YouTube.

[EFF: Deep Links]

PRESS RELEASE Smart Card Alliance Challenges DHS Stand on Deploying RFID for WHTI PASS Card

Mon, 12 Jun 2006 15:37:32 GMT

New White Paper Recommends Contactless Technology for Meeting Goals of High Throughput and Privacy Protection at Border Crossings

PRINCETON JUNCTION, NJ -- (MARKET WIRE) -- 06/08/2006 -- Contactless smart card technology best meets the objectives set forth by the Department of Homeland Security (DHS) for high throughput and the protection of individual privacy at the nation's border crossings for its People Access Security Service (PASS) card program supporting legislation directed by the Western Hemisphere Travel Initiative (WHTI). PASS cards would be required by 2008 for all U.S. citizens who cross the northern and southern borders of the United States without passports. The Smart Card Alliance makes its case for DHS using secure contactless chip technology vs. RFID in a new white paper from its Identity Council.