Paul Hardwick: Reviews

Windows For Warships Nearly Ready.

Fri, 02 Mar 2007 02:59:26 GMT

Windows For Warships Nearly Ready. mattaw writes "The Register is carrying the sanest and balanced article on Windows deployment in UK warships that I have read to date in the public domain. As an ex-naval bod myself we have long considered that this is potentially a REAL problem. The main issues are the huge amount of unrelated code that is imported with the kernel and the need for incredibly fast response times." [Slashdot]

Patently Bad Move Gags Critics.

Wed, 28 Feb 2007 23:47:07 GMT

Patently Bad Move Gags Critics. A company finds a sneaky new way to silence security researchers: Claim that defeating its products infringes on patents. Commentary by Jennifer Granick. [Wired News: Security Blanket]

Administrivia: Now we have a overheated CPU ( 60 degrees centigrade )

Wed, 28 Feb 2007 00:39:01 GMT

OK, if the DDOS attack wasn't enough. Now our server went down with a temperature overload. We were up to 60 degrees centigrade when we shut down. The CPU and a broken fan have been replaced.

Administrivia: Our data-center was hit by a DDOS attack today.

Tue, 27 Feb 2007 22:19:59 GMT

Sorry for being either very slow or off the net for a while recently. The data-center we are part of was hit by a DDOS (Distributed Denial Of Service) attack recently. At the moment it looks to be under control, but we are keeping an eye on things.

Study Finds IE7 + EV SSL Won't Stop Phishing.

Mon, 29 Jan 2007 20:11:05 GMT

Study Finds IE7 + EV SSL Won't Stop Phishing. An anonymous reader writes "Stanford University and Microsoft Research have published a study that claims that the new Extended Validation SSL Certificates in IE7 are ineffective (PDF). The study, based on user testing, found that EV certificates don't improve users' ability to detect attacks, that the interface can be spoofed, and that training users actually decreases their ability to detect attacks. The study will be presented at Usable Security 2007 next month, which is a little late now that the new certificates are already being issued." [Slashdot]

Review: Six Rootkit Detectors Protect Your System - News by InformationWeek

Thu, 18 Jan 2007 22:09:23 GMT

I've also looked at these applications in a more general light and tried to consider how useful the program is likely to be in the future: how easy the detector is to use; how easy it is to interpret the results; how often the detector was updated; and so on. Remember that rootkits, like viruses, are a moving target. An anti-rootkit program that protects you today might be defenseless tomorrow against a whole new variety of threat -- in fact, many rootkit makers write their programs to specifically avoid detection by some existing programs.

Six Rootkit Detectors To Protect Your PC.

Thu, 18 Jan 2007 22:07:25 GMT

Six Rootkit Detectors To Protect Your PC. An anonymous reader writes "InformationWeek has a review of 6 rootkit detectors.This issue became big last year when Sony released some music CDs which came with a rootkit that silently burrowed into PCs. This review looks at how you can block rootkits and protect your machine using F-Secure Backlight, IceSword, RKDetector, RootkitBuster, RootkitRevealer, and Rookit Unhooker." [Slashdot]

EFF - Line Noise at CES.

Mon, 15 Jan 2007 05:30:50 GMT

Line Noise at CES.

EFF's audio segment, Line Noise, returns with a visit to the Consumer Electronics Show. Activist Derek Slater takes a look at the latest gadgets, with an eye to how the market has been affected by the shifting sands of copyright law.

As ever, you can hear this episode directly as a MP3 formatted or Ogg Vorbis file, or subscribe to our podcast feeds in iPod-friendly MP3 feeds, or patently unencumbered Ogg format.

[EFF: Deep Links]

U.S. Bars Lab From Testing Electronic Voting - New York Times

Thu, 04 Jan 2007 17:35:10 GMT

A laboratory that has tested most of the nation's electronic voting systems has been temporarily barred from approving new machines after federal officials found that it was not following its quality-control procedures and could not document that it was conducting all the required tests.

Skip to next paragraph

The company, Ciber Inc. of Greenwood Village, Colo., has also come under fire from analysts hired by New York State over its plans to test new voting machines for the state. New York could eventually spend $200 million to replace its aging lever devices.

Experts on voting systems say the Ciber problems underscore longstanding worries about lax inspections in the secretive world of voting-machine testing. The action by the federal Election Assistance Commission seems certain to fan growing concerns about the reliability and security of the devices.

The commission acted last summer, but the problem was not disclosed then. Officials at the commission and Ciber confirmed the action in recent interviews.

Ciber, the largest tester of the nation's voting machine software, says it is fixing its problems and expects to gain certification soon.

Experts say the deficiencies of the laboratory suggest that crucial features like the vote-counting software and security against hacking may not have been thoroughly tested on many machines now in use.

"What's scary is that we've been using systems in elections that Ciber had certified, and this calls into question those systems that they tested," said Aviel D. Rubin, a computer science professor at Johns Hopkins.

The 10 most outrageous civil liberties violations of 2006. - By Dahlia Lithwick - Slate Magazine

Tue, 02 Jan 2007 04:10:50 GMT

I love those year-end roundups--ubiquitous annual lists of greatest films and albums and lip glosses and tractors. It's reassuring that all human information can be wrestled into bundles of 10. In that spirit, Slate proudly presents, the top 10 civil liberties nightmares of the year:

Computers, Freedom and Privacy - Montreal, May 1-4 2007

Fri, 29 Dec 2006 00:41:06 GMT

Come to CFP2007 in Montreal, May 1-4 2007. There's a lot at stake.

Computers, Freedom and Privacy 2007 - Call For Proposals

Fri, 29 Dec 2006 00:37:58 GMT

Call For Proposals - The deadline for proposals is January 20, 2006

The Program Committee of the Seventeenth Conference on Computers, Freedom, and Privacy (CFP2007) seeks your proposals for innovative conference sessions and speakers.

Audio captchas when visual images are unusable

Wed, 29 Nov 2006 20:15:21 GMT

Audio captchas when visual images are unusable Posted by T.V. Raman, Research Scientist

From time to time, our own T.V. Raman shares his tips on how to use Google from his perspective as a technologist who cannot see -- tips that sighted people, among others, may also find useful. - Ed.

Wikipedia defines 'captcha' as an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart" -- a word which is trademarked by Carnegie Mellon University. Most web users think of captchas as those hard to read distorted letters or images that one often is confronted by when websites attempt to verify that they're indeed talking to a live human. Google Accounts support captchas. Of course, bloggers (no matter which platform they use) can also use them to prevent comment spam.

Captchas were never intended to be purely visual -- however, most initial implementations used fuzzy images, and in attempting to lock out automated agents also inadvertently locked out people unable to see the image. As an alternative to these, this past spring Google Services that require verification began to provide an audio alternative -- people have the option of listening to a sequence of spoken digits that they then type into a form field to verify to the web application that there is indeed a live human at the other end.

To keep the audio captcha as challenging as the visual captcha when confronted by automated agents, we add some distortion to the spoken digits, and we're still experimenting with different distortion techniques to ease the burden on the genuine human user while locking out automated agents. We welcome feedback on the effectiveness of these techniques from you (we automatically collect feedback from those evil automated agents pretending to be human) :-).

You can easily spot the availability of audio captchas by the presence of the well-recognized "wheelchair" icon for accessibility --- the image is tagged with appropriate alt text to help blind users. Incidentally you donít have to be visually impaired to use the audio captcha; if you are in a situation where you find it hard to view the visual captcha -- either because you're at a non-graphical display, or because the specific visual challenge we offered you turned out to be unusable in a given situation, feel free to give the audio captcha a try. We've worked hard to ensure that the audio captchas work on different hardware/software combinations, and you do not need any special hardware (or software) other than a sound card to be able to use them. - A Googler [Official Google Blog]

Slashdot | Firefox 2.0 Password Manager Bug Exposes Passwords

Wed, 22 Nov 2006 06:30:33 GMT

zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."

Verisign backs Vista security green streak | The Register

Thu, 26 Oct 2006 20:59:30 GMT

The Mozilla Foundation risks losing the browser battle if it fails to keep up with Microsoft by incorporating new security technology into Firefox, a Verisign exec has claimed.

According to Verisign product marketing director Tim Callan, the "loose collection of technoanarchists" which make up the open source development community has frustrated efforts to build new security features into its new browser.

Verisign is at the RSA Europe Conference in Nice talking up a new breed of online security certificate. The padlock encryption symbol used by browsers has been effectively meaningless for some time, and consumer paranoia surrounding fraud remains a barrier to using online commerce for many.

In response, the verification industry in the form of the CA browser forum has come up with extended validation SSL, where the certificate really is a guarantee of kosher status. Honest.

Slashdot | Extended Validation SSL, More Secure or Just a Racket?

Thu, 26 Oct 2006 20:53:51 GMT

Nalfeshnee writes "The Register is reporting on the new 'Extended Validation SSL' cert currently being touted by Verisign. Vista and IE7 will be using this but not, apparently, Firefox anytime soon. For this the Verisign Product Marketing Director Tim Callan squarely blames the Firefox dev team for 'not keeping up' with their new technology. However, the whole thing just seems to be a way for Verisign to enjoy ridiculous markup on selling 'more secure' certs."

Vista Licenses Limit OS Transfers, Ban VM Use - TechWeb

Fri, 13 Oct 2006 02:56:10 GMT

Microsoft has released licenses for the Windows Vista operating system that dramatically differ from those for Windows XP in that they limit the number of times that retail editions can be transferred to another device and ban the two least-expensive versions from running in a virtual machine.

The new licenses, which were highlighted by the Vista team on its official blog Tuesday, add new restrictions to how and where Windows can be used.

"The first user of the software may reassign the license to another device one time. If you reassign the license, that other device becomes the "licensed device," reads the license for Windows Vista Home Basic, Home Premium, Ultimate, and Business. In other words, once a retail copy of Vista is installed on a PC, it can be moved to another system only once.

The new policy is narrower than Windows XP's. In the same section, the license for Windows XP Home states: "You may move the Software to a different Workstation Computer. After the transfer, you must completely remove the Software from the former Workstation Computer." There is no limit to the number of times users can make this move. Windows XP Professional's license is identical.

Elsewhere in the license, Microsoft forbids users from installing Vista Home Basic and Vista Home Premium in a virtual machine. "You may not use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system," the legal language reads. Vista Ultimate and Vista Business, however, can be installed within a VM.

Some Sobering Security Stats.

Tue, 26 Sep 2006 13:19:24 GMT

Some Sobering Security Stats.

Symantec today released its latest report on Internet security, cataloging 2,249 software vulnerabilities discovered or reported from January through June 2006 -- the most the company has ever recorded in a six-month period.

Nearly 80 percent of the vulnerabilities were considered easily exploitable and involved applications like Web browsers or software such as blogging and shopping cart programs.

Hackers often use Web application flaws to deface Internet sites -- thousands of sites are defaced each day thanks to this class of vulnerabilities. Annoying as they are, however, defacements aren't the real problem. Criminals can exploit the same Web application flaws to gain access to sensitive databases, access that can drive credit card and identity theft. Online criminals also can use Web app flaws to hijack legitimate sites and redirect visitors to sites that try to install spyware and other malicious programs.

Web application flaws can even cause a Web site to become a drone in a massive army of computers that organized criminals use to launch crippling and extortionist attacks against other Web sites. According to Symantec's stats, the first six months of 2006 brought an average of 6,110 distributed denial-of-service attacks (DDoS) each day.

That figure is a low-ball number, as Symantec only measured DDoS attacks in cases where the perpetrators faked the Internet addresses of the compromised computers doing the attacking. With millions of compromised machines on the 'Net these days available for use in DDoS attacks, spoofing the source Internet address of drone computers is really not necessary, and the practice is now a lot less common than it used to be.

Other stats of interest in the report: Microsoft's Internet Explorer was the most frequently targeted Web browser, with 47 percent of all attacks. Mozilla's Firefox and other browsers had the most number of flaws -- 47 -- (IE had 38), but IE continued to have the largest window of exposure to known security flaws.

A PDF copy of the Symantec report can be downloaded here.

[Security Fix]

Security Analysis (and Response) of Diebold Voting Machines.

Sat, 23 Sep 2006 23:18:27 GMT

Security Analysis (and Response) of Diebold Voting Machines.

Ari Feldman, Alex Halderman, and Ed Felton released an amazing paper on the security of Dielbold's e-voting technology. The paper is accompanied by a ten-minute video that demonstrates some of the vulnerabilities they've uncovered. Here is the paper's abstract:

Security Analysis of the Diebold AccuVote-TS Voting Machine

Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten
Princeton University

This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities -- a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine's hardware and software and the adoption of more rigorous election procedures.

Along with the various weaknesses they discuss in the paper, Felton later discovered that the lock "securing" the machine's components from outside tampering could be opened with a standard hotel mini-bar key. Unbelievable.

Predictably, Dielbold responded (PDF) with their PR team in full spin mode, but Felton easily dispenses with their generally off-point retorts. Felton's conclusion:

Secure voting equipment and adequate testing would assure accurate voting -- if we had them. To our knowledge, every independent third party analysis of the AccuVote-TS has found serious problems, including the Hopkins/Rice report, the SAIC report, the RABA report, the Compuware report, and now our report. Diebold ignores all of these results, and still tries to prevent third-party studies of its system.

If Diebold really believes its latest systems are secure, it should allow third parties like us to evaluate them.

[michaelzimmer.org]

Free anonymous browsing.

Thu, 21 Sep 2006 17:43:01 GMT

Free anonymous browsing.

Surf's up for privacy

A modified version of Mozilla Firefox that lets users browse the web anonymously has been released.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

Required Reading for Product Reviewers.

Thu, 14 Sep 2006 18:50:04 GMT

Required Reading for Product Reviewers.

CDT has published a white paper setting out criteria on which DRM-restricted products and services should be judged. The paper should be required reading for every product reviewer who evaluates digital media products and services, suggesting specific questions that reviewers should be asking when examining DRM-restricted offerings.

Too many product reviews fail to mention DRM restrictions (where were the reviewers when Sony-BMG's rootkit CDs showed up?), much less test and evaluate DRM-laden products against unrestricted alternatives (for example, comparing DRM-laden products like TiVo against unrestricted alternatives like MythTV).

The point is not to rail against DRM, but rather to inform potential customers so that they can make an informed buying decision. Of course, this will require that reviewers do their homework, since the press release and product manual likely won't describe what the product has been designed not to do. But asking manufacturers hard questions is what we pay reviewers to do for us. (And some of them have been doing a great job, like The Washington Post's Rob Pegoraro and Wired's Eliot Van Buskirk.)

There are a few places where CDT pulls its punches (failing to mention that DRM is often used to force us to pay a second time for media we've already bought once) and others where it falls prey to the Hollywood propaganda machine (pretending that DVD ripping is rare when DVD Shrink and Handbrake are being reviewed in places like PC Magazine and MacWorld). But overall, the paper is a timely clarion call. I hope the product reviewers and their editors are paying attention.

[EFF: Deep Links]

Web browser leaves no footprints | InfoWorld | News | 2006-08-30 | By China Martens, IDG News Service

Thu, 31 Aug 2006 19:32:25 GMT

The latest entrant to the crowded Internet browser market is the appropriately named Browzar, a tool specifically designed to protect users' privacy by not retaining details of the Web sites they've searched.

Most Web browsers like Microsoft Corp.'s Internet Explorer automatically save users' searches in Internet caches and histories. Users do have the option of deleting the history folder and emptying the Internet cache, but many people either don't know how to do that or tend not to, leaving a trail of where they've been online behind them in the browser.

Browzar is being officially launched Thursday but can already be run or downloaded from its Web site. Users don't have to register to use the free browser.

Browzar automatically deletes Internet caches, histories, cookies and auto-complete forms. Auto-complete is the feature that anticipates the search term or Web address a user might enter by relying on information previously entered into the browser.

Anti-Virus Testing and Consumer Reports.

Wed, 30 Aug 2006 14:26:59 GMT

Anti-Virus Testing and Consumer Reports.

Consumer Reports recently came under heavy fire from some in the anti-virus industry for creating some 5,500 new virus variants to see how well a dozen leading products fared in detecting the new nasties. More than 100 security experts and executives from companies like Microsoft and HP as well as anti-virus vendors F-Secure, Kaspersky, McAfee, Sophos, Symantec and Trend Micro signed their names to a declaration denouncing Consumer Reports' methods, stating that it is "not necessary and ... not useful to write computer viruses to learn how to protect against them."

Some of the signatories noted -- via various media reports about the scandal -- that with so many viruses already in circulation today (estimates vary from 100,000 to 180,000) it was hardly necessary for Consumer Reports to gin up new ones that could, in theory, be leaked into the wild.

Today, however, I read a rather thoughtful article written by Juergen Schmidt, an editor with the German technology magazine Heise Security. Schmidt picks apart what he sees as the source of the industry's angst on this. He argues that testing anti-virus products against known viruses is a non-starter because the real battle against malicious worms and viruses these days is against previously unknown threats, of which he says about 250 emerge each day.

From the article: "The commandment 'Thou shalt not create new viruses' is a sensible self-imposed commitment by the manufacturers of anti-virus software, which prevents them from creating an atmosphere of threat to promote their products. In contrast, meaningful comparative testing of anti-virus software requires that testers work with self-generated virus variants. Anyone condemning such tests in general is certainly not doing so in the interests of the user."

Schmidt says that in light of the poor job most anti-virus programs do at spotting new threats (without the benefit of code snippets), it is clearly necessary to test anti-virus software using previously unseen malware.

"Known viruses no longer represent any great danger for users with anti-virus software -- pretty much every product will recognize them reliably. The real danger lies with the estimated 250 new malware programs that are released every day. And recognizing these as a threat is where many anti-virus products still fail miserably."

As I have noted here before, many malware authors are increasingly outpacing the security vendors by "automagically" updating the genetic makeup of their creations before anti-virus companies have time to ship updates. As a result, we have an industry whose business is predicated on 10 percent to 20 percent of its customers being successfully attacked before it can even begin to respond, according to some estimates.

Security Fix]

Cable Modem Hacker Publishes a Tell-All.

Wed, 30 Aug 2006 14:19:52 GMT

Cable Modem Hacker Publishes a Tell-All.
Cable Modem Hacker Publishes Tell-All

The founder of a hardware-hacking group that helps scofflaw internet speed junkies "uncap" their cable modems has written a how-to book.

From the press release:

Written for people at all skill levels, Hacking the Cable Modem features step-by-step tutorials with easy to follow diagrams, source code examples, hardware schematics, and previously unreleased cable modem hacks.

Readers of "Hacking The Cable Modem" will learn:

-the history of cable modem hacking

-how a cable modem and DOCSIS work

-the importance of firmware (including ways to install new firmware)

-how to unblock network ports and unlock hidden features

-how to hack and modify a cable modem

-what uncapping is and how it makes cable modems upload and download faster

"I don't like black boxes; I like to know how things work. The goal of this book and my point in publishing it is to show the many cable modem users how that black box works, how to understand it, and how to control it," said Bill Pollock, founder of No Starch Press.

NoStarch Press is the independent publisher that took in Andrew "bunnie" Huang's book Hacking the Xbox after Wiley -- in a shameful moment in publishing -- spiked it out of an abundance of respect for the DMCA.

This book could be as controversial. Like the Xbox, cable modems are meant to be tamper resistant -- to only run code that's been digitally signed by the cable provider, even if you own the modem. This is to prevent you from doing things like sniff your neighbors' packets off the wires, get service before you've activated it, or uncap your modem to get extra bandwidth.

Author "DerEngel" and his gang, TCNiSO, have gotten around that several ways -- some of them very cool. They found a vestigial serial port on a modem's circuit board that, with a little soldering, lets you plug in a computer terminal and interact with a command prompt. Later they found a buffer overflow that allows you to soft-mod some modems without ever cracking the case.

They started off developing methods and software to allow amateurs to easily uncap their modems (tsk) and wound up writing a complete firmware replacement for the Motorola Surfboard 5100 cable modem.

I don't know how much of that is in the book, but the table of contents looks fun. There's also a sample chapter (.pdf) online.
[27B Stroke 6]

An Open Source Security Triple Play.

Tue, 08 Aug 2006 17:12:10 GMT

An Open Source Security Triple Play. Marcus Maciel writes to tell that Linux.com's Joe Barr recently took a look at OSSEC-HIDS, an open source host intrusion detection system. From the article: "According the OOSEC-HIDS Web site, it's more than a host intrusion detection system (IDS). It's also a security event manager and a security information manager, which makes it the security equivalent of a hat trick in hockey, a triple-play in baseball, or a rare triple-double in basketball. OSSEC-HIDS runs on both Windows and Linux/Unix. You can download the latest version along with the project's PGP public key, so you can verify the download."--- Linux.com and Slashdot are both owned by OSTG.[Slashdot]

DefCon Delays Can't Stop the Madness.

Sun, 06 Aug 2006 20:01:30 GMT

DefCon Delays Can't Stop the Madness.

LAS VEGAS, Aug. 4 -- DefCon, the nation's largest annual hacker conference, is well underway here at the Riveria Hotel and Casino, and as usual there is just far too much to see and do to really take it all in. The conference hit a minor speed bump this morning, after the local fire marshal took her sweet time inspecting the conference setup, pushing back all of the first day's talks by a full two hours. Conspiracy theories abound as to why the con was delayed, but the most oft-uttered explanation is that perhaps the inspector has a general distaste for the type of crowd in attendance here.

There are more plausible explanations: The sheer size of this year's con is enough to make anyone in charge of crowd control blink twice in amazement. This place is completely packed, teeming with at least 6,000 hackers (the conference organizers had 6,000 badges to give out, and they ran out of them shortly after registration began).

I've also heard from several attendees that the hotel's sprinkler system was hacked, as well as the devices that control the elevators. I've not been able to confirm either claim yet, but I'm told that hacking hotel elevators is fairly regular occurence at DefCon and hardly a challenge for this bunch. I rode the elevators early in the day and was perplexed to find the digital floor level indicator displaying the hotel's top floor just after I'd gotten on the lift from the ground floor. Last year, someone hacked into the ATM at the Alexis Park Hotel (the site of the past three DefCons), though I have yet to spot a cash machine anywhere near the main area of the Riviera.

Already, there are dozens of names on the "Wall of Sheep," a running tally of the unsuspecting or foolhardy souls who venture to log in to various unencrypted Web sites over the hotel's wired, wireless or Bluetooth networks. As of 3 p.m. PT Friday I spotted at least five Myspace.com user-account credentials on the wall, as well as user name and password info for someone at networking giant Cisco and another at a Hawaii state government Web site. At the rate the sheep are piling up this year, we are likely to see more than 100 victims listed on the wall.

The conference tracks here have for the most part been fairly solid and largely devoid of half-baked presentations. Defcon speaker Rick Hill -- a security engineer for Reston, Va.-based IT consulting firm Tenacity Solutions Inc. -- showed an innovative method for locating wireless networks using a kit he installed atop a replica of the 1950s research rocket Nike Smoke. In the rocket's nose cone, Hill embedded an Ipaq handheld computer with an attached 802.11b/g wireless card, as well as an onboard computer and a powerful antenna. He tested the rocket in a rural area of Culpeper, Va., shooting the missile up to an altitude of 6,800 feet, with a large parachute allowing the rocket more than six minutes of scanning for wireless networks within a 50-mile radius.

While the entire mission was a success, that particular launch netted only two networks. Hill said the technique showed its promise, but also the method's inherent limitations -- testing such projectiles in densely populated areas would be dangerous (and probably illegal ... Hill had to get clearance from the Federal Aviation Administration, required for any launch higher than 2,000 feet). For anyone interested in additional specifications on this project, I hope to be able to post a copy of his slides here, but for now the file upload tool we're using says it's too large (the PDF is more than 3.4 megabytes).

Collin Mulliner, a member of the Trifinite Group, which researches mobile device security issues, pointed to a number of exploitable flaws he found in wireless handheld Pocket PC phones powered by Windows CE 4.2x that could be used to remotely install software on the phones. You can check out his presentation here.

Jay Beale, a researcher with the security consultancy group Intelgaurdians, gave an entertaining and excellent talk on weaknesses he found while reviewing the firewall that ships with Mac OS X systems. Beale said that while the Mac firewall is not turned on by default, his research showed some pretty big holes in the hacker shield. Beale found that the firewall that comes with Mac OS X Panther does not block simple pings (network probes used to tell whether a host on the network is reachable) or communications sent via the user datagram protocol (UDP).

Unlike the "transfer control protocol" (TCP), which requires a three-way "handshake" between, say, a Web browser and a Web site to ensure that all of the data segments in the request are reliably exchanged, UDP traffic doesn't bother to check whether everything is sent the way it was meant to. While data requests and transfers over UDP do not provide the reliability and ordering guarantees of TCP traffic, such requests are much faster than TCP connections, and such are more ideally suited for data exchanges that demand swiftness, such as streaming media applications and Internet-based telephone conversations, for example.

The firewall that ships with Mac OS X Tiger doesn't block incoming ping or UDP traffic either unless the user clicks on the "advanced" tab of the firewall settings, Beale said. But even users who click on the "block UDP traffic" box in the firewall's advanced settings won't be completely protected, as his research showed that the firewall will still allow UDP traffic as long as it appears to have been generated by either the service that dynamically assigns network addresses to new devices on the network, or comes from a Mac service called Zeroconf (a.k.a "Bonjour"), an OS X feature designed to make it easy for Apple applications and devices like iTunes, wireless cameras and printers to communicate with the system.

The upshot of this weakness, Beale said, is that it is enough for an attacker to mimic the types of network signals sent by devices using these communications channels in order to bypass the OS X firewall and scan a targeted system, whereapon the attacker could learn not only the security update or patch level of the machine, but also the machine's assigned name (which could hold clues as to specific username accounts on the system), as well as which applications are running on the computer.

Beale is perhaps best known as the author of Bastille, a program designed to harden the security of machines running different flavors of the Linux operating system. Beale said that in the next week or so he plans to release a version of Bastille for OS X users. Security Fix will post another entry when Beale finishes work on the tool. More information from his talk is available via these slides that he made available.

[Security Fix]

Windows Genuine Advantage: What it is, how to ditch it.

Wed, 02 Aug 2006 18:13:51 GMT

Windows Genuine Advantage: What it is, how to ditch it. Looking to rid your Windows PC of Microsoft's anti-piracy software, Windows Genuine Advantage? Computerworld's Scot Finnie takes you step-by-step through the process. [Computerworld Privacy News]

Hackers Fight Authority in NYC at Hope 6.

Sat, 29 Jul 2006 16:55:46 GMT

Hackers Fight Authority in NYC. The Man keeping you down? The sixth-annual Hackers on Planet Earth conference doles out briefings on picking locks, jamming phones and beating wiretaps. There was only one arrest. Annalee Newitz reports from New York. [Wired News: Security Blanket]

Forrester Research Q2 2006 Web Application Firewall Evaluation.

Wed, 26 Jul 2006 17:38:10 GMT

Forrester Research Q2 2006 Web Application Firewall Evaluation.

Back in March 2006 I was approached by Forrester Research and invited to participate in their Q2 web application firewall evaluation, along with six other WAF vendors. I was delighted with their invitation and gladly accepted. It is not often that an open source product is invited to play with the commercial guys. It turned out the participation required a lot of work on my part. I had to systematically cover and describe the entire feature set of ModSecurity, and that's not something I do often (at least not with that level of detail). It was, however, a very productive exercise because I had to make a step back and look at a bigger picture.

The results were published a couple of weeks ago and I think we did rather well. We were praised for our positive aspects (e.g. everything is configurable) and criticised for our weaknesses (e.g. lack of a management GUI). Unfortunately the entire report is not available online - you would have to buy the report if you want to read it. Revealing excerpts are available for the main report and for ModSecurity.

Two quotes from the ModSecurity scorecard summary are of particular interest:

"...ModSecurity is by far the most extensively deployed Web application firewall, with more than 10,000 customers."

and:

"ModSecurity's stringent implementation standards [~] build nothing unless you approach the highest level of security [~] will push the entire Web application firewall market toward higher-quality products."

[Source: Forrester Wave^TM: Web Application Firewalls, Q2 June 2006", Forrester Research, Inc., June 2006.]

P.S. Forrester are also making available a PowerPoint presentation that gives a quick overview of the reviewed products.

[Web Security Blog]

The Fourth of July, 2006 is Privacy Digest's 7th Anniversary

Mon, 03 Jul 2006 17:14:11 GMT

Tomorrow, The Fourth of July 2006, Privacy Digest will have been publishing as this domain for seven years. We were actually around a bit longer as part of another blog. But on July 4, 1999, I decided that the issue was important enough to warrant it's own dedicated domain.

If you would like to help out my Amazon wishlist has a few things I need. More ideas on ways to support us can be found here.

Rocky Mountain News: First Data tied to post-9/11 terror sweep

Thu, 22 Jun 2006 16:04:36 GMT

In the days after the Sept. 11 terrorist attacks, First Data Corp. and its Western Union unit volunteered itself for the U.S. government's war on terror.

FBI agents happily turned the Greenwood Village-based company into a "deadly weapon" to fight terrorism, according to a new book by Pulitzer Prize winner Ron Suskind.

At the same time, however, the Bush administration used First Data to create a "vast search-and-seizure machine" that sifted through millions of Americans' credit-card purchases and wire transfers, unbeknownst to congressional overseers or the secret court designed to rule on matters of domestic surveillance, Suskind reported.

A First Data spokesman declined to answer questions. The company released a statement Tuesday afternoon that said, "First Data and Western Union take security and compliance very seriously. Both companies support and adhere to all laws related to financial information and provide information to law enforcement agencies only in response to subpoenas and other lawful requests."

"We have not worked with Mr. Suskind nor had the opportunity to read his book," the company said.

The relationship between the U.S. government and First Data is detailed in Suskind's The One Percent Doctrine, a new book that promises to take readers "deep inside America's pursuit of its enemies since 9/11."

While noting that Suskind's description of the First Data efforts is "fuzzy on some of the legal questions," Washington Post national-security reporter Barton Gellman called the book "important . . . filled with the surest sign of great reporting: the unexpected."

The revelation threatens to pull First Data into the web of controversy that engulfed Verizon, BellSouth and AT&T after a USA Today article reported that Denver-based Qwest was the only large phone company that refused to turn large batches of calling records over to the federal government.

At the same time, the news of First Data's role may win the company praise for its role in aiding the U.S. government's war on terror.

The evolution of SNMP from a security perspective.

Tue, 06 Jun 2006 14:58:09 GMT

A Comparison of SNMP v1, v2 and v3. Eddie Bibbs and Brandon Matt submit this paper which discusses the evolution of SNMP from a security perspective. By Brandon Matt. [Infosec Writers Latest Security Papers]

RFID Guidelines Get Mixed Review

Mon, 15 May 2006 18:21:25 GMT

The newly unveiled best-practices guidelines for radio frequency identification (RFID) tags, released in early May, are an attempt by a group of businesses and consumer advocates to protect consumer privacy.

The guidelines suggest retailers take stronger action to safeguard customers. Among other recommendations, the guidelines advise notifying consumers when goods have been affixed with the tags, because when tags get buried in packaging or labels, buyers cannot always see them. Once consumers find the tags, they can dispose of them, but not easily enough, the group said. It contends the tags cannot be easily disabled. As for the tracking information on the tags, businesses should be ready to supply that to consumers if they ask for it.

Dissenters also worry the recommendations do not address privacy issues: Because RFID tags can provide access to products shipped anywhere at any time, companies worry that privacy will be jeopardized. Opponents of the guidelines were also concerned about the plan's effectiveness. Lee Tien, a senior staff lawyer for the Electronic Frontier Foundation, called the guidelines a valuable starting point, but said they leave the industry too much "wiggle room," according to the New York Times.

SANS - Internet Storm Center -Microsoft helps you choose "good passwords".

Mon, 24 Apr 2006 16:34:11 GMT

Microsoft recently released a link to help you choose "good passwords"
http://www.microsoft.com/athome/security/privacy/password_checker.mspx

In my opinion they did some things good and some things bad.

BAD teaching people to type their password into a website is not a good idea.
It violates most corporation's security policies.

GOOD it's a javascript that appears to run locally so your password is never sent over the internet. This could change at anytime so I would not recommend you type your password into it.

[...]

Linux.com | Review: Trustix Secure Linux lives up to its name

Thu, 30 Mar 2006 19:11:54 GMT

Trustix Secure Linux is an interesting distro for servers that is designed to be all about security. While Linux, in general, is fairly secure, a distro that focuses on security and stability from the ground up should be a good choice for Internet servers. In our testing, we found Trustix lives up to its intentions.

I downloaded the stable 2.2 release of Trustix. You can also download the new version, 3.0, which is based on the 2.6 series kernel. However, if your focus is security, Trustix suggests that you use the stable version. The 450MB ISO is easy to download, especially since it's available via Bittorrent.

Trustix concentrates on keeping it simple. You won't get a GUI or the latest bells and whistles. What you do get with Trustix is a small and secure distribution that incorporates IBM's Stack Smash Protection, which protects the system and applications from stack-smashing attacks. This is one of the major forms of attacks, and many secure Linux distros have this turned on by default.

The developers have kept the number of packages to a minimum by including only the basic server-specific packages. Trustix contains no graphical desktop and few userland tools.

Trustix, a Worthy Contender?

Thu, 30 Mar 2006 19:07:52 GMT

Trustix, a Worthy Contender? Linux.com (also owned by OSTG) is running a quick look at Trustix, a Linux distro designed for servers that focuses on ground up security and stability. From the article: "No operating system can claim to be completely secure. There will always be zero-day exploits, configurations errors, user errors, and other factors that can defeat the best security for any system. On the other hand, it's always good to start from a secure base and then add more security. Trustix provides a reliable and secure Linux distribution that you can build upon. There are no wasteful graphical displays and no wizards to set up your firewall. If you aren't comfortable with the command line, forget about Trustix. [...] That said, Trustix does a good job of keeping your system up-to-date, and if you have the required experience, you'll find that it's a robust distro. As a simple server distro with a high level of security and customizability, Trustix is a worthy contender." [Slashdot]

(IN)SECURE Issue 6 has been released.

Thu, 30 Mar 2006 14:50:20 GMT

(IN)SECURE Issue 6 has been released. The latest edition of this free PDF digital security magazine is packed with content that caters all levels of knowledge. Get your copy today! [LinuxSecurity.com]

PaulDotCom's Web Site: Security Podcasts Roundup

Tue, 14 Mar 2006 14:20:49 GMT

We at PaulDotCom security weekly listen to many podcasts in an attempt to assimilate as much information as possible. Each podcast we listen to has its own strengths, and there are few on this list that I would dismiss altogether, but I'll let you be the judge. There have been a few other blog postings related to security podcasts:

Hack Media: Security podcasts, by Eliot Phillips
What are you listening to?, by Martin McKeay
IT security podcasts you can't miss, by Roger A. Grimes

What follows is an attempt to be a comprehensive list of what we've found out there, so if we miss something, just let us know!

Firefox Whips Internet Explorer In Vulnerability Tally - Yahoo! News

Mon, 13 Mar 2006 05:11:59 GMT

Symantec has changed how it spells out Firefox and Internet Explorer browser vulnerabilities in reaction to complaints last September from Mozilla Firefox users and developers.

"How we did it before wasn't a fair comparison," said Oliver Friedrichs, the senior manager of Symantec's security response group. "It wasn't an apples to apples comparison."

Previously, Symantec's Internet Security Threat Report counted only vendor-confirmed bugs in the two browsers, which led to gripes from Firefox fans that the Internet Explorer tally was inaccurate, and too low.

In the newest report, which Symantec issued Tuesday, the Cupertino, Calif.-based security company has split the counts into two categories: vendor-confirmed and a combination of vendor- and non-vendor-confirmed flaws.

That gives the edge to IE in one tally, Firefox in the other.

Caffeinated Security - Review: Penetration Tester's Open Source Toolkit

Sun, 26 Feb 2006 18:56:34 GMT

The Penetration Tester's Open Source Toolkit is a new offering from Syngress that primarily focuses on using the Auditor live CD. The 200605-02-ipw2100 version comes included with the book; if you have an IPW2200 wireless interface in your laptop, though, the 802.11x tools won't work as it doesn't include the proper driver.

The book walks through using a number of Open Source or free tools for overall reconnaissance, enumeration, and scanning (most of which everyone's seen before), but then it delves into database, web application, and wireless testing as well as network devices. There's a chapter on "Writing Open Source Security Tools", but it's a little misleading as it's a quick guide to writing security tools without any real discussion of open source development or what it means other than an appendix that briefly includes and talks about the GPL and why it's good.

There are four chapters on Nessus, most of which focus on using NASL and other ways of extending the venerable vulnerability scanner. The final two chapters discuss the Metasploit Project; the first of these is also misleading as it's not so much about "Extending Metasploit" as it is an (admittedly good) introduction to the Framework. The second does a decent walkthrough of developing an exploit with Metasploit, including other offerings from the project like the Opcode Database and such.

It's a very useful book; much of it you'll already know, but there's a lot of discussion about tools that I hadn't seen before. A few of the tools are mostly out-dated, and not all of them are on the Auditor CD, but this goes beyond simple discussions of nmap and whois; even some Google tools from Sensepost are examined. The database chapter features a lot of great information about Oracle but is cursory in its discussion of SQL Server (though I'll be reviewing another book focusing on database testing in the near future). The other topic areas receive decent coverage, if somewhat fast-paced from time to time.

Slashdot book review - Essential PHP Security.

Tue, 14 Feb 2006 17:10:28 GMT

Essential PHP Security. Michael J. Ross writes "Given the remarkable popularity of PHP for developing dynamic Web sites, as well as the ever-increasing need for security on those same sites, one would think that there would be great demand for [~] and comparable supply of [~] books that explain how to create secure sites using PHP. However, such is not the case, and even the most extensive general purpose PHP books may only devote a single chapter to this critical topic, if that much. Essential PHP Security, written by PHP expert Chris Shiflett, aims to fill the gap." Read the rest of Michael's review. [Slashdot]

EFF - Nominate a Pioneer for EFF's Pioneer Awards.

Sun, 12 Feb 2006 19:52:09 GMT

Nominate a Pioneer for EFF's Pioneer Awards.

Awards Recognize Leaders on the Electronic Frontier

San Francisco - The Electronic Frontier Foundation (EFF) is calling for nominations for its 2006 Pioneer Awards -- the annual celebration of leaders on the electronic frontier who extend freedom and innovation in the realm of information technology. Past winners have included Tim Berners-Lee, Linus Torvalds, and Ed Felten.

Pioneer Awards nominations are open to individuals or organizations from any country. Nominations are reviewed by a panel of judges chosen for their knowledge of the technical, legal, and social issues associated with information technology.

This year's award ceremony will be held in Washington, DC, in conjunction with the Computers, Freedom and Privacy conference (CFP), which takes place in early May. Persons or representatives of organizations receiving an EFF Pioneer Award will be invited to attend the ceremony at EFF's expense.

How to Nominate Someone for a 2006 Pioneer Award:

You may send as many nominations as you wish by email to pioneer@eff.org, but please use one email per nomination. We will accept nominations until March 1, 2006.

Simply tell us:
1. The name of the nominee;
2. The phone number or email address or website by which the nominee can be reached, and, most importantly;
3. Why you feel the nominee deserves the award.

Nominee Criteria:

There are no specific categories for the EFF Pioneer Awards, but the following guidelines apply:
1. The nominees must have contributed substantially to the health, growth, accessibility, or freedom of computer-based communications.
2. To be valid, all nominations must contain your reason, however brief, for nominating the individual or organization and a means of contacting the nominee. In addition, while anonymous nominations will be accepted, ideally we'd like to contact the nominating parties in case we need further information.
3. The contribution may be technical, social, economic, or cultural.
4. Nominations may be of individuals, systems, or organizations in the private or public sectors.
5. Nominations are open to all (other than current members of EFF's staff and executive board or this year's award judges), and you may nominate more than one recipient. You may also nominate yourself or your organization.

More on the EFF Pioneer Awards:
http://www.eff.org/awards/pioneer/

Contact:

Katina Bishop
Projects Coordinator
Electronic Frontier Foundation
katina@eff.org

[EFF: Breaking News]

Distributed Wireless Security Monitoring Systems | How To Find Rogues and Crush Them | Feb 8, 2006 | Network Computing

Fri, 10 Feb 2006 17:23:38 GMT

Distributed Wireless Security Monitoring Systems help categorize and prioritize threats. We examine two offerings from AirDefense and AirTight Networks.

It's been more than 6 months since our last comparative review of wireless IDS products (see "Time To Tighten the Wireless Net," ID# 1612f2). In the past few weeks, two of the participating vendors in that review--one an established player and one a relative newcomer to the market--have introduced significant upgrades to their products. AirDefense has pushed forward with its forensic analysis, which adds a great deal of insight into the history of your wireless space, while AirTight Networks has filled out its feature set and enhanced its autoclassification capability. With security concerns escalating, there's no time like the present to take another look at how the wireless IDS market is evolving.

business2blog: B2Day : Would You Trust Google With Your Desktop?

Thu, 09 Feb 2006 19:50:51 GMT

Google has a new version of its desktop search product, which sports a feature that sounds both incredibly useful and raises serious privacy concerns.

You can now upload your Web-surfing history and text files (Word documents, Excel spreadsheets, Powerpoint presentations, PDFs) to Google's servers from all of your computers and search your desktop from anywhere in the world. To enable this feature, Google had to change its privacy policy from stating that "your computer's content is never sent to Google (or anyone else)" to "we copy this content to servers located at Google" and the much weaker "your data is never accessible by anyone doing a Google search."

Gee, what about my data being accessible to a U.S. government lawyer with an overreaching subpeona? And will I start seeing ads targeted to all the words I write or read on my computer, just as I get ads today based on the words I write in my Gmail correspondence?

To be fair, Google lets you turn this search-across-computers feature off, limit it to only specific types of data (like Web history or Word documents), or manually erase all your files from Google's servers at any time. It should also be noted that Google is currently resisting an overly-broad subpeona from the Department of Justice for a week's worth of all search results. How successful it will be in that stance is not certain.

Managing Windows XP Firewall Through Command-Line.

Thu, 26 Jan 2006 16:45:02 GMT

Managing Windows XP Firewall Through Command-Line. Pavan Shah contributes this document which introduces functionalities of Windows XP's native netsh command. By Pavan Shah. [Infosec Writers Latest Security Papers]

Massive demand for unauthorised Windows patch - ZDNet UK News

Thu, 05 Jan 2006 18:23:44 GMT

Ilfak Guilfanov's personal Web site has been taken offline by his hosting provider after hordes of Microsoft users scrambled to download his unofficial patch against the Windows Metafile vulnerability.

According to antivirus firm F-Secure, demand for the unauthorised Windows Meta File (WMF) patch developed by Guilfanov was so high his hosting provider temporarily shut his Web site on Wednesday morning.

The site was temporarily closed as "half the planet tried to download WMFFIX_HEXBLOG.EXE." reported F-Secure in its blog. "The resulting traffic amounts were so huge that his hosting provider actually shut his site down."

At the time of writing, the unofficial patch is again available from Guilfanov's site. It is also available from the Sunbelt Blog.

Microsoft has advised businesses not to use the patch, as the company cannot guarantee it will work. But with no official patch is due to be released until next week, security experts are urging businesses to use the unofficial patch because of the serious nature of the WMF vulnerability.

Experts: Windows Flaw Can't Wait for Microsoft Fix.

Wed, 04 Jan 2006 00:41:03 GMT

Experts: Windows Flaw Can't Wait for Microsoft Fix. Users should consider applying an unofficial security patch, researchers say. [PCWorld.com - Latest News Stories]

Linux vs. Windows security | Linux

Wed, 04 Jan 2006 00:33:52 GMT

A qualitative assessment of operating system security is subjective and your 'mileage may vary' based on present and past experience. The overall finding of this analysis is that Linux provides more secure capabilities than Windows. Taken from a IBM White Paper by Stacey Quandt.

Microsoft and Linux both provide support for authentication, access control, audit trail/logging, Controlled Access Protection Profile, and cryptography. However, Linux is superior due to Linux Security Modules, "SELinux", and winbind. The user of a Linux system can decide to add additional security mechanisms to a Linux distribution without having to patch the kernel.

Review: Password Management: Grief Relief.

Tue, 03 Jan 2006 05:24:01 GMT

Review: Password Management: Grief Relief. With more users, partners, accounts and platforms, password automation is becoming a necessity. We tested seven password-management products and granted our Tester's Choice to the one with outstanding policy creation and enforcement as well as extensive platform support. [Security Pipeline]

Happy New Year 2006 !!

Mon, 02 Jan 2006 04:27:02 GMT

Happy New Year 2006 !!

Rootkits, cybercrime and OneCare. 2005 in review.

Tue, 27 Dec 2005 18:11:59 GMT

Rootkits, cybercrime and OneCare.

The year in IT security

2005 in review The year 2005 in net security will likely be remembered as the year of the Sony rootkit DRM controversy. In other ways the last 12 months continued the trend of profit becoming a primary driver for the creation of computer viruses. The last 12 months also witnessed a number of high-profile cybercrime prosecutions, including the sentencing of NetSky author Sven Jaschan.

[The Register - Security]

Infosecwriters.com - An Inexpensive and Versatile IDS by Dave Schwartzburg

Tue, 27 Dec 2005 16:48:58 GMT

An intrusion detection system can be an effective technical control in the modern world of information and network security. One option that provides for low cost NIDS sensor deployment is the use of the open source IDS software Snort in combination with a consumer grade LinkSys cable/DSL router and the open source firmware distribution OpenWrt. These three items together form a powerful yet inexpensive unit that delivers IDS, routing, firewall, wireless, and NAT functionality for use in a light-weight environment, i.e. consumer or small business deployments.

This document is in PDF format. To view it click here.

NORAD keeping an eye on Santa !!

Sat, 24 Dec 2005 18:51:55 GMT

Merry Christmas to all ... and to all a Good Night!!

Don't forget The Annual NORAD Tracks Santa Claus Website .They also support :French,Spanish, Deutch,Italian and Japanese.NORAD tracks Santa every Christmas eve, following his trek around the world for children everywhere. Some portions of the site require RealPlayer to work. The free version is fine.

The server I use for Privacy Digest has been hacked/compromised.

Sat, 24 Dec 2005 06:20:32 GMT

Editor: Sorry about being gone for a bit. It seems that my server has been hacked, and used as part of a DOS attack. I have replaced the system OS and am in the process of reloading/recreating all the content in Privacy Digest and the other hosted domains. Since in my opinion my ISP has been on the slow side in responding to my trouble ticket. It looks like I will be putting things back together over the night when I should be sleeping. There have hundreds of brute force attacks fended off, but this time someone got in. I will put the most visible/critical data up first, and some may have to wait till I get some sleep.

Merry Christmas and Happy New Year !!

TaoSecurity - Pre-Review: Penetration Tester's Open Source Toolkit

Fri, 23 Dec 2005 17:05:35 GMT

Today I received a copy of the new Syngress book Penetration Tester's Open Source Toolkit by Johnny Long, Chris Hurley, SensePost, Mark Wolfgang, Mike Petruzzi, et al. This book appears unnecessarily massive; it's probably 1/2 thicker than my first book, but at 704 pages it's nearly 100 pages shorter than Tao. I think Syngress used thicker, "softer" paper, if that makes sense to anyone.

The majority of the book appears to be the standard sort of hacker stuff one finds in books like Hacking Exposed, with some exceptions. The book contains two chapters on Metasploit which look helpful. I do not know yet how well these Metasploit 2.0-based chapters apply to the new Metasploit 3.0, whose alpha stage was announced last week. Similarly, chapters on Nessus may not hold up well for Nessus 3.0, also recently released.

A major selling point of the new book is its integration of the Auditor live CD. I learned that Auditor is going to merge with "competitor" IWHAX to produce BackTrack in early 2006. Consolidation among similar open source projects to pool resources and create better results? Heresy!

Editor: Buy Penetration Tester's Open Source Toolkit from our Amazon Associate store

MPAA Gives Film About Ratings an NC-17 Rating.

Sun, 11 Dec 2005 21:07:05 GMT

MPAA Gives Film About Ratings an NC-17 Rating. jtcm writes "An original documentary by Kirby Dick, called "This Film is Not Yet Rated" has been assigned an NC-17 rating by the MPAA. The film explores the MPAA's own film rating system and "its profound effect on American culture." The NC-17 rating was given due to "some graphic sexual content" and will likely limit the movie's distribution, as many theater chains will not show NC-17 movies. Among the filmmakers speaking openly in the movie are two of my personal favorites, Kevin Smith and Matt Stone. For those who are eager to view this exposé, fear not. The Independent Film Channel (IFC) will present the film uncensored and uninterrupted." Slashdot]

A gift list from 'Security Claus'.

Tue, 06 Dec 2005 17:34:10 GMT

A gift list from 'Security Claus'. Security expert Ira Winkler offers this list of gift ideas for the security-inclined and those who could use a little more security, and who doesn't? [Computerworld Privacy News]

Zone Alarm Vs 180 Solutions: Zango hooks?

Mon, 05 Dec 2005 17:39:22 GMT

Zone Alarm Vs 180 Solutions: Zango hooks? Sub-Seven writes "Found at Vitalsecurity.org, they detail how a Microsoft MVP pulled the Zango file to pieces, and discovered some interesting facts about exactly what a "simple" fun and games application does to a machine that its running on. Hooking into Windows OneCare and Microsoft Antispyware? What's that all about? " [Slashdot]

Antispyware Shootout.

Mon, 05 Dec 2005 17:35:40 GMT

Antispyware Shootout. An anonymous reader writes "ZDNet has published a review of 8 antispyware products from Computer Associates, Lavasoft, McAfee, Microsoft, PC Tools, Symantec, Trend Micro and Webroot. Check out the Editor's Choice. Interesting winner ...." I've used quite a number of these scanners on and on & off basis, and I think the reality is that you if you are truly to clean a machine out, you're going to need to use like three - five of these. Each of them captures a certain area, but none are the One Ring or anything. [Slashdot]

US-CERT: Never Install Audio-CD DRM Software.

Thu, 17 Nov 2005 19:42:48 GMT

US-CERT: Never Install Audio-CD DRM Software.

The United States Computer Emergency Readiness Team (US-CERT) is a part of the Department of Homeland Security that is charged with the task of "protecting the nation's Internet infrastructure" by coordinating the "defense against and responses to cyber attacks across the nation." In response to the Sony XCP DRM debacle:

US-CERT recommends the following ways to help prevent the installation of this type of rootkit:

Do not run your system with administrative privileges. Without administrative privileges, the XCP DRM software will not install.

Use caution when installing software. Do not install software from sources that you do not expect to contain software, such as an audio CD. [emphasis added]

Read the EULA (End User License Agreement) if you do decide to install software. This document can contain information about what the software may do.

Yep, you read it right. US-CERT recommends that you never install DRM software that comes with an audio-CD. Frankly, that's good advice. As for the EULA advice, it's a good idea, but Sony's problematic EULA does not tell you much about what the XCP may do.

[EFF: Deep Links]

I wonder where the readers of Privacy Digest hang out?

Mon, 14 Nov 2005 23:14:49 GMT

Administrivia: If you don't mind admitting that you read Privacy Digest and making info publicly available (some of you won't want to do this I'm sure), there is a new service called Frapper that assigns users to locations on a map. If you want you can also attach a photo. Don't worry, the photo doesn't have to be of you. I'm doing this primarily to get a feel for where my readers are. Just click on the ICON if you are interested.

Administrvia - No updates for a bit.

Mon, 24 Oct 2005 07:25:14 GMT

Administrvia: Just wanted to let you know that there will probably not be any updates for a few days. It looks like I will be without net access for my CMS/Blog update software. If you see anything big send me an e-mail so I can put it up when I get back online.

Spyware: What You Need to Know.

Tue, 18 Oct 2005 16:56:34 GMT

Spyware: What You Need to Know. Internet users hear about the dangers of spyware all the time. But what are these vile applications that install themselves on computers and web browsers, and what can a person do to avoid or eradicate them? By Kim Zetter. [Wired News: Security Blanket]

Spychips invading privacy?

Sun, 09 Oct 2005 00:51:46 GMT

Chips that track boxes on trucks and ships soon may be sophisticated enough to monitor every move of consumers, a controversial new book claims.

Experts told UPI's Wireless World that radio frequency identification technology -- mentioned as a potential privacy-invading technology by Sen. Joe Biden, D-Del., during last month's confirmation hearings for Supreme Court Justice John Roberts -- is emerging as a political and legal issue, not just a technological one.

The new book, "Spychips: How Major Corporations and the Government Plan to Track Your Every Move with RFID" (Nelson Current, October 2005), is written by Katherine Albrecht and Liz McIntyre, privacy advocates who have been investigating the impact of RFID technology.

"Police will be able to track your every move when you drive," McIntyre told Wireless World.

McIntyre's book claims RFID chips -- which emit a signal and can be tracked by special reader technologies -- are the "ultimate Big Brother."

Wired News: Spychips Sees an RFID Conspiracy

Fri, 07 Oct 2005 16:10:07 GMT

A new book by privacy advocates makes the case that corporations and government agencies are in collusion to put tiny radio transmitters on nearly everything we buy. Companies say it's about providing thought leadership, not the Mark of the Beast.

Katherine Albrecht and Liz McIntyre hope to become the twin Erin Brockoviches of RFID, by revealing the threat posed by the radio tag replacements for barcode labels.

They may get their wish, if readers believe the conclusions of the privacy advocates' new book, Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID.

Albrecht and McIntyre make a staggering accusation in Spychips: that Philips, Procter and Gamble, Gillette, NCR and IBM are conspiring with each other and the federal government to follow individual consumers everywhere, using embedded radio tags planted in their clothing and belongings.

RIAA Takes Shotgun to Traders.

Wed, 05 Oct 2005 03:58:49 GMT

RIAA Takes Shotgun to Traders. The RIAA's legal campaign against online music trading has misidentified hundreds of traders and relies on bullying to get results, legal experts say. By Bruce Gain. [Wired News]

Security Resources on the Web.

Wed, 05 Oct 2005 03:23:33 GMT

Security Resources on the Web. You've read our special report; now here are some additional links to information and resources regarding online security issues. [PCWorld.com - Latest News Stories]

Review: Biometric Consortium Conference.

Thu, 22 Sep 2005 17:51:23 GMT

Review: Biometric Consortium Conference. The Biometric Consortium Conference was a great opportunity to get to know the vendor products and hear about what is going on. Opportunities have arisen to test out other modal devices so that we can expand support from simply fingerprint to a few others. We had the opportunity to speak with one of the programmers who originally ported the BioAPI Reference Implementation to Linux and learned about the history.

Michael brought 25 tux pins with him to pass out and had the last one disappeared early the 2nd day of the conference. We spoke at least once with almost every vendor there and the worst response we received to the question, do you support Linux, was "We don't right now, but would if asked". As would be expected in Crystal City, the DoD was there in force and we were approached by some of them. They are apparently very interested in Biometrics on Linux. Academic types expressed interest in working out open source, cross-platform testing suites and modular implementations of a variety of software. Perhaps we can play a role in that.

At dinner we had 4 other people join us. I had to leave early so I'm not sure all that was talked about, but the conversation was casual and enjoyed.

Apparently, Purdue University is going to be working on a Java implementation of the BioAPI. We'll have to keep an eye on that and see what ramifications it may have in our work. It could be useful. I'm wondering what license they'll put it under as well. [LinuxBiometrics.com]

Smart ID Cards Debated.

Wed, 14 Sep 2005 18:03:28 GMT

Smart ID Cards Debated. Panelists ponder whether all-in-one biometric cards are handy or hazardous. [PCWorld.com - Latest News Stories]

Brute Force - Book review

Sun, 11 Sep 2005 18:25:23 GMT

Brute Force. ijones writes "Brute Force, by Matt Curtin, is about an event that many Slashdotters will remember: the cracking of the Data Encryption Standard. In June of 1997, a 56-bit DES key was discovered, and its encrypted message decoded, by an ad-hoc distributed network of computers, cooperating over the Internet. Four and a half months earlier, RSA had issued a challenge to the cryptography community, offering $10,000 to the first group to crack a 56-bit DES encrypted message. In Brute Force, Matt Curtin offers his first-hand account of the DESCHALL team's winning effort." Read on for the rest of Jones' review. [Slashdot]

'Swift Boating' Science.

Fri, 02 Sep 2005 02:32:56 GMT

'Swift Boating' Science. Chris Mooney skillfully uncovers the Bush era's institutionalization of spinning, distorting and ignoring science in The Republican War on Science. Book review by Brian Alexander. [Wired News]

Spyware Maker Indicted on Hacking Charges.

Tue, 30 Aug 2005 15:44:41 GMT

Spyware Maker Indicted on Hacking Charges. An anonymous reader writes "The San Diego Union-Tribune is reporting that Carlos Enrique Perez Melara, the author of an investigative tool called 'Lover Spy,' has been indicted on 35 counts of federal hacking violations. This begs the question: if you develop and sell a software product, are you responsible for what your users choose to do with it?" From the article: "Perez, a native of El Salvador, probably is in the Los Angeles area, said Stewart Roberts, the second highest-ranking agent at the San Diego FBI office. Crime Stoppers has offered a $1,000 reward. Perez is charged with 35 crimes, each of which carries a potential five-year prison sentence if he is convicted. "

[Slashdot: Your Rights Online]

Flash EULA Doesn't Fit the Times.

Tue, 30 Aug 2005 15:39:41 GMT

Flash EULA Doesn't Fit the Times. cphoenix writes "The latest Flash player license seems to forbid downloading their player onto a laptop. From the License: "you may not use the Software on any non-PC product or any embedded or device versions of the above operating systems, including, but not limited to, mobile devices, internet appliances, set top boxes (STB), handhelds, PDAs, phones, web pads, tablets, game consoles, TVs, DVDs, gaming machines, home automation systems, kiosks or any other consumer electronics devices or mobile/cable/satellite/television or closed system based service." This comes at a time when laptops are outselling desktops. And to add insult to injury, "You agree that Macromedia may audit your use of the Software ... In the event that such audit reveals any use of the Software by you other than in full compliance with the terms of this Agreement, you shall reimburse Macromedia for all reasonable expenses related to such audit." [Slashdot: Your Rights Online]