Paul Hardwick: SCAMs, SPAM ...

Malware Threat Report for February 2007.

Sun, 04 Mar 2007 04:44:32 GMT

Malware Threat Report for February 2007. "Storm Worm," continues to severely impact worldwide mailboxes in successive waves. [GT: Security and Privacy]

Hartford Courant - Best Buy Confirms It Has Secret Website

Sun, 04 Mar 2007 04:26:10 GMT

Under pressure from state investigators, Best Buy is now confirming my reporting that its stores have a secret intranet site that has been used to block some consumers from getting cheaper prices advertised on BestBuy.com.

Company spokesman Justin Barber, who in early February denied the existence of the internal website that could be accessed only by employees, says his company is "cooperating fully" with the state attorney general's investigation.

Barber insists that the company never intended to mislead customers.

State Attorney General Richard Blumenthal ordered the investigation into Best Buy's practices on Feb. 9 after my column disclosed the website and showed how employees at two Connecticut stores used it to deny customers a $150 discount on a computer advertised on BestBuy.com.

Blumenthal said Wednesday that Best Buy has also confirmed to his office the existence of the intranet site, but has so far failed to give clear answers about its purpose and use.

"Their responses seem to raise as many questions as they answer," Blumenthal said in an interview. "Their answers are less than crystal clear."

Canadian Gov't Grants Olympics Ownership of Winter.

Sun, 04 Mar 2007 04:17:34 GMT

Canadian Gov't Grants Olympics Ownership of Winter. An anonymous reader writes "Michael Geist reports that the Canadian government has introduced new legislation that grants Vancouver Olympic organizers broad powers to police the use of any commercial use of the words associated with the Olympics. These incredibly include 'winter, Vancouver, and games.' As Geist notes, the government 'has no time to deal with spam, spyware, privacy, or net neutrality, but commits to legislation on behalf of the organizers of a sporting event?'" [Slashdot: Your Rights Online]

RIAA's 'Expert' Witness Testimony Now Online.

Sun, 04 Mar 2007 03:43:58 GMT

RIAA's 'Expert' Witness Testimony Now Online. NewYorkCountryLawyer writes "The online community now has an opportunity to see the fruits of its labor. Back in December, the Slashdot ('What Questions Would You Ask an RIAA Expert?') and Groklaw ('Another Lawyer Would Like to Pick Your Brain, Please') communities were asked for their input on possible questions to pose to the RIAA's 'expert'. Dr. Doug Jacobson of Iowa State University, was scheduled to be deposed in February in UMG v. Lindor, for the first time in any RIAA case. Ms. Lindor's lawyers were flooded with about 1400 responses. The deposition of Dr. Jacobson went forward on February 23, 2007, and the transcript is now available online (pdf) (ascii). Ray Beckerman, one of Ms. Lindor's attorneys, had this comment: 'We are deeply grateful to the community for reviewing our request, for giving us thoughts and ideas, and for reviewing other readers' responses. Now I ask the tech community to review this all-important transcript, and bear witness to the shoddy investigation and junk science upon which the RIAA has based its litigation war against the people. The computer scientists among you will be astounded that the RIAA has been permitted to burden our court system with cases based upon such arrant and careless nonsense.'" [Slashdot: Your Rights Online]

PC World - Vista's UAC Warnings Can't Be Trusted, Symantec Says

Fri, 02 Mar 2007 03:19:06 GMT

Windows Vista's User Account Control (UAC), a system that Microsoft says makes the new operating system safer from attack, can be spoofed and shouldn't be completely trusted, a Symantec researcher said on Wednesday.

Ollie Whitehouse, an architect at Symantec's advanced threats research team, first used a blog entry Tuesday to point out how a hacker could use a file included with Vista to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.

Tricking Vista's UAC To Hide Malware.

Fri, 02 Mar 2007 03:14:53 GMT

Tricking Vista's UAC To Hide Malware. Vista's User Account Control, love it or hate it, represents a barrier against unwanted software getting run on users' computers. A Symantec researcher has found a simple way to spoof UAC and says that it shouldn't be completely trusted. The trick is to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself. [Slashdot]

You Can Plead Guilty Here.

Fri, 02 Mar 2007 02:36:31 GMT

You Can Plead Guilty Here. The RIAA unveils P2PLawsuits.com, a site that allows people turned in by their universities or ISPs for copyright infringement to settle their cases in advance of due process. In Listening Post. [Wired News: Top Stories]

Solaris Worm Blasts Way Through Operating System.

Fri, 02 Mar 2007 02:02:48 GMT

Solaris Worm Blasts Way Through Operating System. "Hi, I'm Casper, I am a bored Sun developer and I wrote this piece of code." [GT: Security and Privacy]

Malware Adopts Disguises in Attempt to Dupe IT Defenses.

Fri, 02 Mar 2007 01:55:38 GMT

Malware Adopts Disguises in Attempt to Dupe IT Defenses. Top ten threats and hoaxes reported in February 2007. [GT: Security and Privacy]

Dell Censors IdeaStorm Linux Dissent.

Fri, 02 Mar 2007 00:39:34 GMT

Dell Censors IdeaStorm Linux Dissent. thefickler writes "It seems pointless to seek ideas and feedback if you're going to ignore and delete the opinions you don't like. That's exactly what Dell is doing with its IdeaStorm website, which the company set up to solicit such ideas and feedback. Dell deleted a post linking to an article that criticizes its handling of the 'pre-installed Linux' issue." [Slashdot: Your Rights Online]

Manipulating Reputation Systems.

Fri, 02 Mar 2007 00:25:59 GMT

Manipulating Reputation Systems.

BoingBoing points to a nice pair of articles by Annalee Newitz on how people manipulate online reputation systems like eBay[base ']s user ratings, Digg, and so on.

There[base ']s a myth floating around that such systems distill an uncannily accurate folk judgment from the votes submitted by millions of ordinary citizens. The wisdom of crowds, and all that. In fact, reputation systems are fraught with problems, and the most important systems survive because companies expend great effort to supplement the algorithms by investigating abuse and trying to compensate for it. eBay, for example, reportedly works very hard to fight abuse of its reputation system.

Why do people put more faith in reputation systems than the systems really deserve? One reason is the compelling but not entirely accurate analogy to the power of personal reputations in small town gossip networks. If a small-town merchant is accused of cheating a customer, everyone in town will find out quickly and [~] here[base ']s where the analogy goes off the rails [~] individual townspeople will make nuanced judgments based on the details of the story, the character of the participants, and their own personal experiences. The reason this works is that the merchant, the customer, and the person evaluating the story are embedded in a complex, densely interconnected network.

When the network of participants gets much bigger and the interconnections much sparser, there is no guarantee that the same system will still work. Even if it does work, a large-scale system might succeed for different reasons than the small-town system. What we need is some kind of theory: some kind of explanation for why a reputation system can succeed. Our theory, whatever it is, will have to account for the desires and incentives of participants, the effect of relevant social norms, and so on.

The incentive problem is especially challenging for recommendation services like Digg. Digg assumes that users will cast votes for the sites they like. If I vote for sites that I really do like, this will mostly benefit strangers (by helping them find something cool to read). But if I sell my votes or cast them for sites run by my friends and me, I will benefit more directly. In short, my incentive is to cheat. These sorts of problems seem likely to get worse as a service grows, because the stakes will grow and the sense of community may weaken.

It seems to me that reputation systems are a fruitful area for technical, economic and social research. I know there is research going on already [~] and readers will probably chastise me in the comments for not citing it all [~] but we[base ']re still far from understanding online reputation.

Here comes image spam.

Fri, 02 Mar 2007 00:24:29 GMT

Here comes image spam. Image spam--e-mail solicitations that use graphical images of text--is not new. But its rising sophistication has made much of it invisible to spam filters so that it makes up one-third of all spam, according to Doug Bowers, director of antiabuse engineering at Symantec. E-mail traffic--83 percent of which was spam--rose in 2006, according to antispam company BorderWare, and researchers there expect image spam to grow. [CSO Online Data Security Briefing]

War of Words Erupts Between HP Scandal Players.

Fri, 02 Mar 2007 00:20:30 GMT

War of Words Erupts Between HP Scandal Players. The attorney for the ousted HP chairman fired back at public comments made by board rival about the HP pretexting scandal. [PC World: Latest Technology News]

New SpamtaLoad Worm is Starting to Spread Rapidly, Says Report.

Wed, 28 Feb 2007 23:38:46 GMT

New SpamtaLoad Worm is Starting to Spread Rapidly, Says Report. "This type of malicious code is not usually the end in itself." [GT: Security and Privacy]

Verizon Wireless wins injunction against text spam | CNET News.com

Wed, 28 Feb 2007 22:43:47 GMT

Verizon Wireless said Monday that it has won a permanent injunction against a company it accused of sending text message spam, a significant step in keeping the unsolicited messages off cell phones.

In the judgment, Specialized Programming and Marketing and its owner, Charles Henderson, are prohibited from sending text message spam to Verizon Wireless customers. They are also required to pay damages in excess of $200,000. Verizon Wireless filed the suit after nearly 100,000 text messages were sent to Verizon Wireless customers offering them a prize vacation for a cruise to the Bahamas.

Initially, Verizon Wireless filed the suit against Passport Holidays in October 2005 in U.S. District Court in Trenton, N.J. The mobile operator won a permanent injunction against Passport Holidays in February 2006 to stop the company from sending further spam. Passport also was required to pay $10,000 in damages to Verizon Wireless.

During litigation, Passport Holidays named Specialized Programming and Marketing and Henderson as the company and individual that actually sent the spam that formed the basis for the suit. In February 2006, Verizon Wireless filed an amended complaint naming Specialized Programming and Marketing and Henderson. This latest decision brings the case to a conclusion, Verizon Wireless said.

Verizon Wins Injunction Against Text Spammer.

Wed, 28 Feb 2007 03:10:08 GMT

Verizon Wins Injunction Against Text Spammer. bulled writes "CNet is running a story illustrating the US court system's ongoing harsh opinion about unwarranted communications of any kind. Verizon Wireless recently won a lawsuit against a company that was delivering massive numbers of spam text messages to its customers. Specialized Programming and Marketing and Henderson was ordered to pay more than $200,000 in damages to Verizon Wireless, some two years after Verizon filed the suit against the company. In 2005 Specialized Programming sent some 100,000 emails to Verizon phones. Verizon now has an injunction against the Marketing firm, another win for a company that has developed a reputation for going after spammers." [Slashdot]

Windows Genuine Advantage's newest setting: "you might be a pirate"

Wed, 28 Feb 2007 01:28:12 GMT

Windows Genuine Advantage is an anti-piracy tool loathed by many, tolerated by some, and even appreciated by others. How you feel about it may depend in part on whether or not you've been caught in its snares: the "authentic software" validation tool is known to have falsely identified thousands of "pirated" Vista installs.

As Microsoft steps up its war against piracy, the company has decided to slightly nuance Windows Genuine Advantage (WGA). Rather than identify users as either in the clear or not, the company has added a third classification for users who set off some, but not all of WGA's undisclosed piracy-detection functionality. Users will now find that Windows XP installs are labeled as genuine, non-genuine or "not sure."

While Microsoft has not responded to requests for comment, it's quite obvious what is going on here: Microsoft has added "not sure" as a way of cutting down on the number of false positives associated with WGA. As many as one in five PCs were failing WGA checks, but this new setting should both reduce this and give Microsoft the chance to investigate further the kinds of things that are landing folks in the "not sure" category.

Although the Windows Genuine Advantage Notification tool is "optional," Microsoft is in the process of pushing out the tool as a "critical" and thus automatic update (affectionately dubbed WGA Notifications 1.7 KB905474). The update has been known about for over a month, but users are just now seeing it show up as a critical update to Windows XP.

Administrivia: Now we have a overheated CPU ( 60 degrees centigrade )

Wed, 28 Feb 2007 00:39:01 GMT

OK, if the DDOS attack wasn't enough. Now our server went down with a temperature overload. We were up to 60 degrees centigrade when we shut down. The CPU and a broken fan have been replaced.

Administrivia: Our data-center was hit by a DDOS attack today.

Tue, 27 Feb 2007 22:19:59 GMT

Sorry for being either very slow or off the net for a while recently. The data-center we are part of was hit by a DDOS (Distributed Denial Of Service) attack recently. At the moment it looks to be under control, but we are keeping an eye on things.

Windows Genuine Advantage Gets More Lenient.

Tue, 27 Feb 2007 21:37:02 GMT

Windows Genuine Advantage Gets More Lenient. Troglodyte writes in with word that Microsoft is revamping its Windows Genuine Advantage program so that it labels fewer users pirates. WGA now has a third category besides "genuine and "not genuine," called "not sure." Quoting: "[I]t's quite obvious what is going on here: Microsoft has added 'not sure' as a way of cutting down on the number of false positives associated with WGA. As many as one in five PCs were failing WGA checks, but this new setting should both reduce this and give Microsoft the chance to investigate further the kinds of things that are landing folks in the 'not sure' category." [Slashdot]

EMI to Apple, Microsoft: Ditching DRM is going to cost you

Mon, 26 Feb 2007 22:48:25 GMT

Earlier this month it was widely reported that EMI was indeed ready to cast DRM into the dark abyss and earn the company the honorable status of being the first major music label to realize that DRM alienates honest customers. As it turns out, the company is indeed open to the possibility of ditching DRM, but they expect to be paid well for it, and the online music retailers aren't ready to meet their demands.

EMI is the only major record label to seriously consider abandoning the disaster that is DRM, but earlier reports that focused on the company's reformist attitude apparently missed the mark: EMI is willing to lose the DRM, but they demand a considerable advance payment to make it happen. According to Bloomberg, EMI has backed out of talks for now because no one will pay what they're asking. No dollar amounts are known at this time.

Phishing Sites Explode on the Web.

Mon, 26 Feb 2007 22:37:14 GMT

Phishing Sites Explode on the Web. Online criminals are thriving even in the face of new automated defenses. [PC World: Latest Technology News]

Fool Me Once, Shame On You But Fool Me Twice....

Mon, 26 Feb 2007 22:27:39 GMT

Fool Me Once, Shame On You But Fool Me Twice....

In aiming to settle a class action suit, a group of companies is throwing a proverbial pie in the face of affected consumers.

A Security Fix reader forwarded an e-mail about a benefit he allegedly was eligible to collect as a result of a class-action settlement over services offered by a subsidiary of Experian, one of the three major credit reporting bureaus.

I immediately sensed a phishing scam after reviewing the e-mail and the third-party site touted in the message, which asks the visitor to enter a Social Security number and birth date. But it turns out that the site is legitimate, although extremely insensitive to consumers.

The class-action case referenced in the e-mail is the latest in a series of lawsuits against Consumerinfo.com. The firm promised free credit reports but allegedly failed to clarify that it would charge a customer's credit card $79.95 for a "credit monitoring service."

In yet another insult for affected consumers, the Web site providing more information about the settlement encourages affected individuals to further expose their personal data online.

Consumerinfo.com agreed last week to pay $300,000 to settle charges brought by the Federal Trade Commission that it violated the terms of a previous settlement with the agency over the misleading "free credit reports." It was originally fined $950,000.

The impersonal e-mail was sent to consumers from browningnotice@gardencitygroup.com. It begins: "NOTICE FROM FEDERAL COURT. PLEASE READ. Records show that you entered into an agreement over the Internet with Consumerinfo.com or an Experian entity to purchase any Credit Check or Credit Check Monitoring (which were formerly known as CreditCheck Monitoring Service), Credit Manager (including Yahoo! Credit Manager), Triple Alert, or Triple Advantage credit-monitoring product, or you paid for a credit score sold on a Web site that also sold one of these credit-monitoring products, between June 17, 1998 and December 27, 2006. If so, you may be eligible to receive a benefit under the proposed settlement."

So, exactly what is this perk? It's 60 days of free credit monitoring service from Experian. If you don't cancel this "benefit," Experian will bill you $9.95 per month after the initial 60 days.

The e-mail details the terms of the settlement:

"If you choose credit monitoring, and you don't cancel your credit-monitoring membership after using your code to obtain the credit monitoring benefit but prior to the expiration of the 60 day, settlement benefit period, you will be billed at the then-applicable rate, which is currently $9.95, for each month that you continue your membership."

If you were an individual burned by this bogus "free credit report" offer who wasn't already insulted enough, go to browningsettlement.com, the site erected by Melville, N.Y.-based Garden City Group, a company that administers class action settlements.

The Web site includes a link to "update your contact information," where it asks a visitors to enter a Social Security number and birth date. Phishing scams almost always try to dupe people into entering personal data at fake bank and e-commerce sites by blasting out e-mails telling people they need to "update" their information. I spoke with the contact who registered the site, Frank Dmuchowski, but he referred me without comment to Garden City's public relations staff. That person in turn referred me to a woman at Experian, with whom I'm currently playing phone tag.

How else does this whole operation resemble a phishing scam? The e-mail does not address the recipient by name. It contains some very elaborate explanations and legalese that is somewhat akin to a Nigerian scheme. There is also the element of urgency. Recipients are told that if they do not respond within a given period of time, they will give up their rights to sue the company in as part of a class in any other lawsuit. Maybe that's one reason why we have seen phishing scams disguised as settlement offers succeed so well: settlement companies are conditioning consumers to respond to them, and the federal courts are encouraging this practice.

But wait, there's more. While a federal court has deemed it acceptable for companies like the Garden City Group to communicate with people this way via e-mail, anyone who wants to object or exclude themselves from the settlement terms must do so by snail mail by May 15. Anyone who wants to accept the dubious settlement benefit, however, is free to do so by e-mail.

Please do not let this May 15 deadline slip away. Write to the Browning Settlement Administrator to tell the court why you think the settlement stinks:

Objections-Browning Settlement Administrator
P.O. Box 91141
Seattle, WA 98111-9241

In addition, you can request to speak in court about the fairness of the settlement at a hearing on July 31.

Under federal law, all U.S. citizens are eligible for a free copy of their credit report from each of the three major credit reporting bureaus: Experian, Equifax and Trans Union. Consumers should take advantage of this benefit, but only by visiting http://www.annualcreditreport.com or calling a toll-free number: 1-877-322-8228. You will get the most mileage out of your free reports if you scatter them across the entire calendar year by contacting a different credit bureau every four months.

Update, 3:50 p.m.: I heard from Experian spokesperson Heather Greer, who said that all communications were reviewed and approved by the court in accordance with the settlement." With regard to this settlement, we felt that this was the best way to inform consumers as soon as possible as to the products they were entitled to as part of the class," Green said. She added that the settlement site also includes a toll-free number (1-800-399-4322) that consumers also can use to either opt-out or accept the terms of the settlement.

[Security Fix]

Fraudsters Declare War on Anti-Scam Services.

Sun, 25 Feb 2007 04:15:24 GMT

Fraudsters Declare War on Anti-Scam Services.

Spammers have been attacking and threatening several of the groups and individuals who have been performing some of the most important work in hobbling online scams, spam and computer viruses.

The SANS Internet Storm Center on Thursday found a piece of malicious code (called "sans.exe") designed to update a group of several thousand infected computers that SANS has been monitoring. The code includes text strings that suggest an attack on the center if two of its crime fighters don't stop interfering with his money-making spam operations. The message, in part, read:

"You better f*** off SANS.org especially that [SANS chief technology officer] Johannes Ullrich (phone and e-mail address deleted) and Kevin Hong (phone and e-mail address deleted). I really don't have anything against you, just piss off alright?" [sic]

"I guess we always felt like this [was] going to happen at some point," Ullrich said in an online chat with Security Fix this morning. "Adding taunts like this to their code isn't what you would expect from a professional criminal trying to stay low profile. [It] points to a more juvenile 'hooligan' mentality," than hardened cyber crook.

Last month, a number of anti-spam Web sites came under a sustained "distributed denial of service" (DDoS) attack, an electronic assault during which the attackers use thousands of compromised personal computers to overwhelm a target with so much bogus traffic that the PCs can't accommodate legitimate visitors.

The attacks were made possible by tens of thousands - perhaps millions - of computers infected by the recent e-mail virus known as the "Storm worm. The virus links all infected computers into a peer-to-peer data network using the same technology as the eDonkey file-sharing network. The attackers later instructed the networked machines to attack sites such as spam trackers Spamhaus and the personal Web site of Joe Stewart, the SecureWorks researcher who conducted some of the most detailed analysis of the Storm worm.

The Web sites for CastleCops -- an all-volunteer, online scam fighting community -- also have been under a consistent denial-of-service attack for the past couple of weeks. Its main site and user forum are not working again this morning. Security Fix has spotlighted the laudable work this volunteer group does in bringing down phishing Web sites and analyzing new malicious software.

CastleCops co-founder Robin Laudanski said the intermittent site shutdowns have been inconvenient, but added that they have bolstered support for the group from within the security community.

"I take [the attacks] as a compliment because if we weren't putting a dent in the bad guys' pocketbooks, we wouldn't be getting attacked," Laudanski said. "It means we're being a pain, and that we're doing something right."

[Security Fix]

RIAA to Parents: Pop-Ups + Viruses = Piracy!

Sun, 25 Feb 2007 04:01:25 GMT

RIAA to Parents: Pop-Ups + Viruses = Piracy!

If a parent sees pop-up ads and viruses on her computer, she can be sued for copyright infringement by the RIAA.

At least that's what the RIAA is arguing in a recent court filing in the Capitol v. Foster case, in which a federal judge made the RIAA cough up attorney's fees to a mother, Debra Foster, who had been sued because her daughter was file sharing. The RIAA lawyers had dawdled in dismissing their complaint against Foster, even after her child admitted to being the file-sharer in the house (the RIAA went ahead and got a default judgment against the child).

This new filing marks the first time the RIAA has explained its claim that parents are liable for the infringements committed by their children (a theory that has never been accepted by any court, to the best of my knowledge). The argument is pretty remarkable, built on a house of cards including the notion that "everyone knows" pop-up ads and viruses signify piracy! Here's the relevant portion of the RIAA brief:

Given that it has been established that the Kazaa file-sharing program was on the Foster family's computer, the evidence would have established that the Kazaa icon was clearly visible on the computer when defendant was using it and that there were likely a substantial number of pop-up advertisements, the types of which have been associated with the Kazaa program.

In other words, the RIAA believes that pop-up ads and a system tray icon should put every parent on the hook for every download on the computer.

In addition, it is undisputed that defendant had an account with Cox Communications. Defendant's subscriber agreement with Cox made clear that defendant, as the account holder, was responsible for what is done on her account. ...

Here, the RIAA is trying to make a private contract between Cox and the parent into a promise to the RIAA. Of course, since this is standard boilerplate in ISP customer agreements, this argument would apply equally to every broadband subscriber, whether parent, employer, library, or school.

Finally, plaintiffs believe that discovery would have revealed substantial other evidence of defendant's knowledge and material assistance in the underlying infringements. For example, the computer may well have been in a common area such that defendant heard music coming from the computer when admitted infringer Amanda Foster was using it. In addition, the evidence may have established, as it has in other similar cases, that there were viruses on the computer due to Kazaa and that defendant may have had work done on the computer that would have revealed the existence of the file-sharing program. ...

Yes, parents, that means every time you hear music emanating from a computer, the RIAA believes you have a legal duty to check the copyright pedigree of its source. Oh, and if your computer has a virus, same answer.

Similarly, plaintiffs believe that, had they been given the opportunity, they would have been able to prove vicarious infringement. Specifically, plaintiffs would have proved that, as a parent, defendant had the full right and ability to control her daughter's use of the computer at issue. Most parents impose restrictions on computer usage by their children (e.g., rules about pornography sites and chat rooms), and plaintiffs believe that defendant would have done so as well. Plaintiffs further would have proven that defendant had a direct financial interest in her daughter's infringing activities, which, of course, involve substantial sums of money in terms of the value of the recordings at issue and the potential liabilities resulting from such activities.

By this logic, the more responsible you are as a parent, the more the RIAA will be entitled to collect from you. Moreover, the RIAA is confusing the benefit to the child with the benefit to the parent. As every parent knows, just because your kids wants a new CD doesn't mean you would have bought it for them.

Let's be clear what this pretzel logic is really all about -- the RIAA wants to reach a hand into every parent's pocket in order to fuel their mass litigation campaign, irrespective of whether the law supports this. But there is a bigger risk, as well. If court's accept this argument in file-sharing cases, the RIAA will have a precedent to use against every employer, every library, and every school for every copyright infringement committed on its computers. So I'm on the side of the judge in Capitol v. Foster, who dubbed these RIAA arguments "untested and marginal."

For more on parental liability in RIAA file sharing lawsuits, take a look at the memo we prepared on the subject in 2005 (soon to be updated in light of more recent authorities, including Capitol v. Foster).

[EFF: Deep Links]

Pharming Attack Targeted Bank Customers Worldwide.

Fri, 23 Feb 2007 16:58:49 GMT

Pharming Attack Targeted Bank Customers Worldwide. A pharming attack that targeted online banking customers in the U.S., Europe and Asia-Pacific has been shut down. [PC World: Latest Technology News]

Microsoft to Tighten Anti-Piracy Noose in Vista.

Thu, 22 Feb 2007 16:10:50 GMT

Microsoft to Tighten Anti-Piracy Noose in Vista.

In response to "overly optimistic" sales forecasts for its Vista operating system, Microsoft Corp. plans to "dial up" the anti-piracy technology built into this latest version of Windows. No doubt this move will boost Microsoft's sales to some degree, but if previous experience with Microsoft's anti-piracy methods in Windows XP is any indicator, this new effort is just as likely to alienate or anger many legitimate users.

CEO Steve Ballmer revealed the anti-piracy plans in a conference call with Wall Street financial analysts last week, according to this Computerworld article. "'One way Microsoft can bump up Windows sales is to tighten the screws on pirates,' Ballmer said. "Piracy reduction can be a source of Windows revenue growth, and I think we'll make some piracy improvements this year."

The Computerworld story says the expansion of the Windows Genuine Advantage plan is part of an effort to squeeze more revenue from China, India, Brazil, Russia and other emerging markets.

Online PC help forums are littered with reports from legitimate Windows users who have been errantly flagged as software pirates by Microsoft, so here's hoping that the company can iron out some of the kinks in its anti-piracy detection and reporting technology.

[Security Fix]

'Hoax' stuns classical music world.

Thu, 22 Feb 2007 16:01:34 GMT

'Hoax' stuns classical music world.

Joyce Hatto: the greatest pianist no-one has heard of

Gramophone magazine has unearthed what one sound recording expert describes as "the biggest attempt at recording theft ever."

[The Register - Music and Media]

Editor: Sounds like a perfect example of GIGO (Garbage In Garbage Out). Remember, just because it's on a computer, doesn't mean that' it is accurate.

RIAA Hires Artists, Then Sends In the SWAT team.

Mon, 19 Feb 2007 21:58:44 GMT

RIAA Hires Artists, Then Sends In the SWAT team. cancan writes "The NY times is carrying an article about how the RIAA is hiring hip hop artists to make mix tapes, and then helping the police raid their studios. In the case of DJ Drama and DJ Don Cannon, they were raided by SWAT teams with their guns drawn. The local police chief said later that they were 'prepared for the worst.' Men in RIAA jackets helped cart away 'evidence'. Just the same, 'Record labels regularly hire mixtape D.J.'s to produce CDs featuring a specific artist. In many cases, these arrangements are conducted with a wink and a nod rather than with a contract; the label doesn't officially grant the D.J. the right to distribute the artist's songs or formally allow the artist to record work outside of his contract.' " --- This is more of the shenanigans that we've previously discussed on the site. [Slashdot: Your Rights Online]

Dodgy Ad Reported on MSN Messenger.

Mon, 19 Feb 2007 21:49:50 GMT

Dodgy Ad Reported on MSN Messenger. Microsoft apparently yanks promos that peddled 'security fix' through misleading threats. [PC World: Latest Technology News]

Half of pirated Vista is malware.

Mon, 19 Feb 2007 01:35:42 GMT

Half of pirated Vista is malware. You can't cheat an honest person, they say. Like generations of scammers before them, some malware writers are taking that "advice" to heart, releasing their Trojan software and keyloggers as "cracked" versions of Vista oon peer-to-peer service. Who's going to turn them in, after all -- a would-be pirate? [Computerworld Security News]

Getting Clueful: Five Things You Should Know About Fighting Spam - technology - CIO

Mon, 19 Feb 2007 00:11:21 GMT

The battle for your users' e-mail inboxes probably will never end, but it's not a failure of technology. Experienced e-mail and system administrators share the key points they really, really wish you understood.

5 Things the Boss Should Know About Spam Fighting.

Mon, 19 Feb 2007 00:09:51 GMT

5 Things the Boss Should Know About Spam Fighting. Esther Schindler writes "Sysadmins and email administrators were asked to identify the one thing they wish the CIO understood about their efforts to fight spam. The CIO website is now running their five most important tips, in an effort to educate the corporate brass. Recommendations are mostly along the lines of informing corporate management; letting bosses know that there is no 'silver bullet', and that the battle will never really end. There's also a suggestion to educate on technical matters, bringing executives into the loop on terms like SMTP and POP. Their first recommendation, though, is to make sure no mail is lost. 'This is a risk management practice, and you need to decide where you want to put your risk. Would you rather risk getting spam with lower risk of losing/delaying messages you actually wanted to get, or would you rather risk losing/delaying legitimate messages with lower risk of spam? You can't have both, no matter how loudly you scream.'" [Slashdot]

MPAA Violates Another Software License.

Sun, 18 Feb 2007 23:45:13 GMT

MPAA Violates Another Software License. Patrick Robib, a blogger who wrote his own blogging engine called Forest Blog recently noticed that none other than the MPAA was using his work, and had completely violated his linkware license by removing all links back to the Forest Blog site, not crediting him in any way. The MPAA blog was using the Forest Blog software, but had completely stripped off his name, and links back to his site. He only found about it accidentally when he happened to visit the MPAA site. [Slashdot: Your Rights Online]

FTC Files Complaint Against Pretexters.

Sun, 18 Feb 2007 20:04:09 GMT

FTC Files Complaint Against Pretexters. FTC says pretexting violates federal law, targets companies involved in HP scandal. [PC World: Latest Technology News]

DirectRevenue to Pay $1.5M in Adware Settlement.

Sun, 18 Feb 2007 19:58:55 GMT

DirectRevenue to Pay $1.5M in Adware Settlement. FTC charges that New York firm infected victims' computers with adware. [PC World: Latest Technology News]

Three Minutes: The FTC Chief Takes on Cybercrime.

Sun, 18 Feb 2007 19:56:30 GMT

Three Minutes: The FTC Chief Takes on Cybercrime. Computer crimes and annoyances are an increasing part of the FTC's work, says Deborah Platt Majoras. [PC World: Latest Technology News]

Drive-By Pharming Attack Could Hit Home Networks - CBRonline.com

Fri, 16 Feb 2007 18:46:15 GMT

Security researchers at Symantec Corp and Indiana University have figured out a way to compromise home networks using a single line of JavaScript in a web page.

The attack, which they have called "drive-by pharming", would enable attackers to convincingly pretend to be any web site on the internet, making it fairly trivial to repeatedly phish for sensitive information, install malware on users' machines, or steal email.

"When I tried it out for first time, when I wrote the proof-of-concept, I had a moment of internal panic when I saw how easy it was to do," said Symantec senior principal researcher Zulfikar Ramzan, and one of the paper's authors.

Don't panic yet. There are no bad guys known to be using the technique, and making your network completely invulnerable is a simple case of setting a strong router password, if you have not done so already.

The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces.

The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers.

The attacker would have to persuade the user to visit the web page containing the attack code. This could be done with spammed links, or by inserting it into a page on a compromised web server on a popular site.

Drive-By Pharming Attack Could Hit Home Networks.

Fri, 16 Feb 2007 18:42:34 GMT

Drive-By Pharming Attack Could Hit Home Networks. Rob wrote in with a link to a CBR Online article discussing drive-by pharming, a new exploitation technique developed by Indiana University and Symantec Corporation. While it's not known if the technique is in use 'in the wild', the exploit could easily co-opt the web-browsing habits of a user that had not properly configured their router. "The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers." The article goes on to discuss several related and more advanced techniques related to this one, which security companies will have to keep in mind to guard against future attacks. [Slashdot]

Apple Works To Stave Off Big Mac Attack.

Fri, 16 Feb 2007 15:54:56 GMT

Apple Works To Stave Off Big Mac Attack.

Apple Inc. on Thursday issued patches to plug five separate security holes in software included on its Mac OS X computers. Mac users can download the free updates through the Mac's built-in software update feature or directly from Apple downloads.

The five flaws were vulnerabilities identified in January as part of the controversial Month of Apple Bugs project. Among those addressed in this go-round's batch are bugs in iChat, Apple's built-in instant messaging software and Finder, the Mac's ubiquitous file-search capability.

Mac users hope that Apple soon will issue a remedy for the flaw the MoAB curators detailed in the software update function on Apple. That's the same program that the company uses to push security fixes to its customers. I've received a half dozen e-mails from Mac users wondering how to mitigate the threat from this particular flaw. By my count, Apple still has to address at least 15 Mac-specific vulnerabilities highlighted in the MoAB project. But it's not clear which, if any, of these flaws are serious.

While there are scant indications that any nefarious characters are busy exploiting the weaknesses noted by the MoAB crew, it might benefit Apple and their customers if the firm explained how users could minimize their exposure to any of these potentially serious vulnerabilities.

"It should be very interesting to see what security changes Apple institutes in OS X 10.5, and if they dedicate more resources to improving the base security of the operating system," said Gartner analyst Rich Mogull. "Now that Apple is becoming more of a target, they should take advantage of the opportunity to improve fundamental platform security before we start seeing more exploits in the wild."

[Security Fix]

The Dangers of Default Passwords.

Fri, 16 Feb 2007 15:48:27 GMT

The Dangers of Default Passwords.

Stroll through any neighborhood with an open laptop in hand and you will probably notice your machine automatically connecting to various wireless Internet routers that local residents have set up. If you are given a connection that allows you to surf the Web, chances are very good that you can also assume control over the same network that gave you the access.

In my experience, few people who operate wide-open wireless networks -- those unprotected by even the simplest encryption technology -- ever bother to change the default user name and password needed to reconfigure the router. Perhaps consumers who operate open networks aren't terribly worried about their neighbors "sniffing" the ambient wireless airwaves for passwords and other sensitive data. But it may be that a person running a router under the default factory settings has more to fear from a malicious Web site than a local interloper.

Researchers at Symantec Corp. have devised a series of "proof-of-concept" exploits that show how an Internet user running any one of several name-brand, $50 - $100 routers under the default factory settings could be in a world of trouble in a very short time, just by browsing to a malicious Web site. One of the easiest ways to commandeer a factory-set wireless router remotely is through the use of Javascript, a powerful Web programming language that makes it easy for Web sites to monkey with or otherwise manipulate a computer's settings.

For example, a nasty site could use Javascript to change the default settings on a router so that anytime the victim tries to visit a bank Web site he or she is silently redirected to a counterfeit site set up to steal online banking credentials (this is a type of phishing attack known as "pharming.") Or, the attackers could poke holes in the router's built-in firewall to allow certain types of traffic to slip through.

Zulfikar "Zully" Ramzan, senior principal researcher at Symantec, said he successfully tested such scenarios using mock Web pages and some of the more popular routers on the market today, including those sold by Linksys, D-Link and Netgear. "Using the same techniques, an attacker could create a very simple Web page that when viewed by a Web browser could change the default settings on a router," he said.

The reason this has the potential to be such a problem is that a broadband router sits apart from the user's computer, so it's likely to be one of those set-it-and-forget-it type appliances. Indeed, if a malicious Web site succeeded in altering the default settings on a router, the router might be the last place most users -- even security professionals -- would look to as the source of the problem.

Michael Sutton, security evangelist for Atlanta based SPI Dynamics, said Javascript's flexibility and power make it an increasingly common component of cyber attacks.

"People are always coming out with new tricks with Javascript, but the reality is that it's a very powerful language and if you can convince someone to run your code by visiting your site, you effectively control their actions," Sutton said.

So what's the takeaway here? Whether you're using a wired or wireless router to split traffic on your home network, make sure you change the default password. A comprehensive list of default usernames and passwords for just about every commercial router is already available online. If you're the forgetful type, write down your router password and store it in a safe place. Even if you don't remember it, all consumer Internet routers ship with a tiny pinhole in the back that -- with the aid of something pointy and a steady grip -- allow you to reset the router to the factory settings (and back to the default password).

Also, consider browsing the Web with Mozilla's Firefox; with it, you can use the excellent "noscript" add-on that allows you to control which sites should be permitted to run Javascript inside of the browser. It's not a perfect solution, but it has saved my bacon on more than a few occasions. If anyone is aware of a similar add-on for Internet Explorer 7, please drop a pointer to it in the comments section below.

[Security Fix]

Free Speech group EFF needs videographer in Syracuse (CraigsList)

Fri, 16 Feb 2007 03:26:39 GMT

Date: 2007-02-15, 9:12PM EST

we are looking for someone who has a good-quality Mini-DV camera and can produce good lighting (natural is fine) and sound (onboard is fine, it just has to be very clear) for a brief videotaped statement.

this is to support an online free speech case.

details here:
http://www.10zenmonkeys.com/2006/11/01/eff-crook-dmca-lawsuit/

the subject to be shot is in/around Syracuse. we may be able to pay expenses for travel by car. if you respond to this note, EFF lawyers will contact you with more info.

this video will be distributed widely across the webernets and we can offer a prominent production credit, as well as the warm, fuzzy feeling that you've helped EFF's ongoing defense of digital free speech.

please respond with with your availability over the next week or so.

ID Theft: Where you live makes a difference, study finds.

Fri, 16 Feb 2007 01:47:49 GMT

ID Theft: Where you live makes a difference, study finds. New York, California, Nevada and Arizona are among the riskiest U.S. states for ID theft, while Wyoming, Vermont, Montana and North Dakota are among the safest, according to a study by ID Analytics Inc. [Computerworld Privacy News]

Drive-by Web Attack Could Hit Home Routers.

Thu, 15 Feb 2007 22:18:30 GMT

Drive-by Web Attack Could Hit Home Routers. If you haven't changed the default password on your home router, do so now. [PC World: Latest Technology News]

Media Giant Bullies Internet Critic.

Thu, 15 Feb 2007 22:14:41 GMT

Media Giant Bullies Internet Critic.

Discovery Communications Tries to Chill Speech with Baseless Legal Claims

San Francisco - The Electronic Frontier Foundation (EFF) warned Discovery Communications, Inc., today to cease its demands for the removal of an online template that uses humor to help people criticize the media company.

The "SpankMaker," located at http://www.spankmymarketer.com/, helps users create parodies of a controversial marketing campaign in connection with a Discovery television production. The online tool provides images from the marketing campaign and Discovery's corporate websites, and allows users to modify them with commentary.

A lawyer for Discovery has demanded that the website operator remove the template, claiming it infringes Discovery's copyright and is used to defame the company. But in a letter sent in response today, EFF outlines how the use of the images in the template is clearly a non-infringing parody. EFF also explains that the comments that offended Discovery are not libelous and that, in any event, Section 230 of the Communications Decency Act protects the creator of the SpankMaker from liability for comments written by others.

"Once again, a business is trying to use false legal claims to chill criticism," said Staff Attorney Corynne McSherry. "Fortunately, more and more, the targets of these kinds of threats are fighting back."

EFF's letter is part of its ongoing campaign to protect online free speech. Earlier this month, EFF provided legal support for environmental activists who were threatened by the Chicago Auto Show after posting an Internet parody. In November, EFF reached an agreement with the corporate owners of the popular children's television character Barney the Purple Dinosaur to withdraw meritless legal threats against a website publisher who parodied the character.

For EFF's response letter:
http://eff.org/legal/cases/discoverycom_v_rubinstein/response_letter.pdf

Contact:

Corynne McSherry
Staff Attorney
Electronic Frontier Foundation
corynne@eff.org

[EFF: Breaking News]

Valentine Or Virus?

Thu, 15 Feb 2007 00:28:39 GMT

Valentine Or Virus?

It could be a Happy Virus Day for you as virus writers love to take advantage of the blizzard of e-greeting cards swirling around the Internet.

Finnish anti-virus firm F-Secure warns that the poisoned love letters already are circulating. The company says it has intercepted a nasty virus included in a spam campaign. The virus is disguised as a Valentine's Day greeting relayed via e-greeting card giant AmericanGreetings.com. According to F-Secure, when an e-card recipient clicks on the related e-mail link, it redirects you to a page asking you to install a fake Macromedia Flash Player by Adobe. This player actually is a Trojan horse program that downloads and installs a password-stealing virus onto the user's system.

I've never been fond of the e-greeting card industry, mainly because it conditions people to click on e-mail links they weren't necessarily expecting or have no reason to trust.

Please be careful about clicking on links in any e-greetings you receive today. If you absolutely must watch some dancing chocolates or flying hearts via Flash animation but are not sure whether you already have a Flash player, this link here will help. It will tell you if you have it installed and which version you're running. Windows users with Flash installed should be running the latest 9.0.28.0 version.

If you need a current version or wish to install it, download it directly from the source.

[Security Fix]

Dutch Hacker Appeals Jail Sentence.

Thu, 15 Feb 2007 00:23:48 GMT

Dutch Hacker Appeals Jail Sentence. The leader of a gang that committed what has been described as the Netherland's biggest cybercrime is appealing his sentence. [PC World: Latest Technology News]

U.S. Researchers Claim New System Kills Worm Outbreaks.

Thu, 15 Feb 2007 00:21:19 GMT

U.S. Researchers Claim New System Kills Worm Outbreaks. Technique claims to be able to stop Internet worms within milliseconds of an outbreak. [PC World: Latest Technology News]

RIAA to ISPs: Help Us Sue Your Customers Better.

Wed, 14 Feb 2007 04:59:43 GMT

RIAA to ISPs: Help Us Sue Your Customers Better.

As if suing thousands of music fans isn't bad enough, now the RIAA wants to conscript ISPs into helping them streamline the shakedowns. The major record labels sent a letter to ISPs across the country asking them to trade away customers' rights and make the overzealous file sharing lawsuits more profitable -- and the RIAA even has the audacity to suggest that this all for your own good.

ISPs currently have no obligation to maintain IP log files, and that's a good thing when it comes to protecting your privacy. Those log files can serve as Internet breadcrumbs -- your ISP and any third party that has access to them can retrace your online activities.

But the RIAA wants ISPs to maintain (and disclose) a customer's IP logs for six months whenever the RIAA says the user may have infringed copyright. In exchange, the record companies will reduce its initial lawsuit settlement demands. Of course, the actual customer would have no say in the matter. The RIAA letter says it wants the information kept because it could "exculpate" the customer, but of course those same records can also implicate the user. Funny, the labels don't mention that.

EFF and others have long warned that copyright claims could become an altar on which personal privacy is sacrificed. Now the RIAA wants your ISP to voluntarily wield the knife, and there's no telling what else the RIAA might ask for once this cut has been made

The RIAA also wants ISPs to keep customers in the dark about their legal options. Before the RIAA has even verified that the user is correctly identified, it wants ISPs to send along a note saying the user might be sued and can already settle potential claims. At the same time, the RIAA scolds ISPs for giving information to their customers that could help provide sound legal counsel. Instead, the RIAA wants ISPs to direct subscribers solely to the RIAA.

In other words, the RIAA wants it to be harder for customers to find out that settling early might be a bad idea. Does the RIAA readily tell customers that parents are generally not liable for infringements committed by their kids, or that bankruptcy might be a last-ditch option for some, or that the record labels have occasionally sued the wrong people? Doubtful. The RIAA's letter notes that some people have been told that "the RIAA could have been incorrect in identifying your IP address" -- which of course is true -- and "directed the subscriber to certain websites, instead of having him contact the RIAA." We suspect those websites include EFF's resources as well as the Subpoena Defense website.

It's possible that, after the fact, a given user might have preferred a cheaper, earlier settlement, but neither ISPs nor fans should have to make the remarkably perverse choice laid out in the RIAA's "offer." As we've pointed out repeatedly, the record labels could help forge a better way forward to get artists paid without suing fans or further endangering their privacy.

The last time we checked, ISPs don't work for the RIAA, so until the major record labels come to their collective senses, ISPs shouldn't be handmaidens in their misguided lawsuit campaign.

[EFF: Deep Links]

Valentine Spam, Valentine Virus.

Wed, 14 Feb 2007 01:56:23 GMT

Valentine Spam, Valentine Virus. "As Valentine's Day approaches this year we are already seeing a proliferation of computer threats." [GT: Security and Privacy]

Schneier: Why Microsoft Sold Out Consumers in Vista.

Wed, 14 Feb 2007 00:19:17 GMT

Schneier: Why Microsoft Sold Out Consumers in Vista.

Today, the PC industry needs Hollywood more than Hollywood needs the PC. Most consumers rely on traditional consumer electronics devices to view DVDs and TV content, but companies like Microsoft are betting on the converged digital home and desperately want a bigger piece of the media device market. Because of the DMCA, Microsoft has to get permission to build devices compatible with Hollywood's DRMed content. So when Hollywood demanded that Microsoft lard Vista with restrictions to access high-def DVD and digital cable content, the software giant was in a weak bargaining position.

But as Bruce Schneier explains in a recent editorial (via BoingBoing), Vista's DRM may also be a play to turn the tables and turn Microsoft's platform into a distribution channel on which Hollywood relies:

"[W]hile it may have started as a partnership, in the end Microsoft is going to end up locking the movie companies into selling content in its proprietary formats.
"We saw this trick before; Apple pulled it on the recording industry. First iTunes worked in partnership with the major record labels to distribute content, but soon Warner Music's CEO Edgar Bronfman Jr. found that he wasn't able to dictate a pricing model to Steve Jobs. The same thing will happen here; after Vista is firmly entrenched in the marketplace, Sony's Howard Stringer won't be able to dictate pricing or terms to Bill Gates. This is a war for 21st-century movie distribution and, when the dust settles, Hollywood won't know what hit them....

"Microsoft is reaching for a much bigger prize than Apple: not just Hollywood, but also peripheral hardware vendors. Vista's DRM will require driver developers to comply with all kinds of rules and be certified; otherwise, they won't work. And Microsoft talks about expanding this to independent software vendors as well. It's another war for control of the computer market."

Schneier overstates his case a bit when he says Microsoft could have simply refused Hollywood's demands for DRM and Hollywood would have released today's high-def video content for Vista anyway. But he's right that Microsoft would very much like to lock content vendors into a distribution channel that it controls, including for channels like IPTV and digital downloads. And the more Hollywood depends on Microsoft, the more Microsoft may be able to limit competition from other tech companies' platforms and devices.

[EFF: Deep Links]

Copyright collective wants iPod levy

Mon, 12 Feb 2007 03:16:29 GMT

OTTAWA- Canada's Private Copyright Collective is taking another stab at introducing levies on digital music players and memory cards.

The charges could add as much as $75 to the price of a new Apple iPod.

The collective, which seeks to compensate artists for unauthorized copying of their music, said Friday it's taking a new tack after a 2003 Federal Court of Appeals decision rejected the levies.

The court overturned the Copyright Board of Canada's approval of the charges after protests by a coalition of industry groups that included retailers Wal-Mart, Staples Business Depot and Future Shop.

The collective had argued the memory inside a digital audio device such as an iPod is an audio recording medium primarily used to store music, and therefore should be subject to the Canadian Copyright Act.

The act states an audio recording medium is "a medium regardless of its material form on which a recording can be reproduced."

The court, however, found the memory can't be defined as an audio recording medium.

Now, the group is going after the devices themselves. It says devices such as the iPod can be classified as a "recording medium" and should be subject to taxation.

"It is simply a matter of fairness that the creators of content, the creators of culture actually, should receive some compensation for the large volume of unauthorized and uncontrollable copying onto these media," said collective chair Claudette Fortier. "Private copying is a fact - Canadians do it."

The group is responsible for collecting a levy on blank recording media and distributing the money to those entitled to royalties.

In other words, every time a Canadian buys a blank CD, or audio cassette today a portion of the cost is sent to artists all over the world such as Kid Rock, Justin Timberlake and Paris Hilton.

In its new submission to the Copyright Board, the collective is proposing levies of $5 on devices with up to one gigabyte (GB) of memory, $25 for one to 10 GB, $50 for between 10 GB and 30 GB and $75 for over 30 GB. That would take the price of Apple's 30GB iPod to $365 from $290, a 26 per cent increase.

The group is also asking for levies of $2 to $10 for memory cards, which are primarily used to store photographs in digital cameras.

It's also asking for eight-cent increases to the current 21-cent levy on blank CD media and 77-cent charge for CD-R Audio, CD-RW Audio and MiniDiscs.

Unfairly Caught in Viacom's Dragnet? Let Us Know!

Mon, 12 Feb 2007 02:58:53 GMT

Unfairly Caught in Viacom's Dragnet? Let Us Know!

As an RIAA spokesperson famously put it when asked about the spectacle of file-sharing lawsuits against innocent grandparents, "when you go fishing with a driftnet, sometimes you catch a dolphin."

Well, with its 100,000 DMCA takedown notices aimed at YouTube users, now it's Viacom that is netting its share of dolphins. Among the 100,000 videos targeted for takedowns was a home movie shot in a BBQ joint, a film trailer by a documentarian, and a music video (previously here) about karaoke in Singapore. None of these contained anything owned by Viacom. For its part, Viacom has admitted to "no more than" 60 mistakes, so far. Yet each mistake impacts free speech, both of the author of the video and of the viewing public.

If they are making these kinds of blatant mistakes, who can tell how many fair uses of Viacom content they also targeted in their 100,000 takedowns? Hundreds? Thousands? If Viacom made a clear mistake and your clip contains no content from Viacom-owned copyrighted works, sending a simple DMCA counter-notice to YouTube may be enough to do the job. But if you're attempting to make a fair use of Viacom's works, it may make more sense to go to court to assert your rights. More information about your options is available at the Fair Use Network.

Has your video been removed from YouTube based on a bogus Viacom takedown? If so, contact information@eff.org --we may be able to help you directly or help find another lawyer who can. In this situation, as in so many others, EFF will work to make sure that copyright claims don't squelch free speech.

We've put together a video version of this post on YouTube, which you can embed on your website or blog. Check it out, Digg it and spread the word -- the more it rises in YouTube's listings, the more likely it will be seen by users who have received takedowns:

[EFF: Deep Links]

The Business of Threatening New Technologies.

Mon, 12 Feb 2007 02:56:11 GMT

The Business of Threatening New Technologies.

This week, Hollywood started to ramp up its lobbying efforts by holding a symposium in D.C. called "The Business of Show Business." During a luncheon speech, Warner Bros Chairman and CEO Barry Meyer took some shots at Consumer Electronics Association President and CEO Gary Shapiro and stated, "history shows that [the major movies studios] are often adapters and embracers of new technologies."

...except for all those times when they've tried to crush innovation instead. In response, CEA has published this open letter [DOC] from Shapiro that makes the real historical record plain: (links, mine)

"In the last few decades, the motion picture industry came late to digital television and actually used every means possible to block new useful technology. Consider:
- the lawsuit seeking to stop the VCR
- the efforts to pass legislation blocking video rentals
- the lawsuit against ReplayTV, a PVR start-up, (the company was bankrupted by the lawsuit)
- the lawsuit against ClearPlay, a company with technology that deleted obscene content
- the lawsuit against Sima, a company which sells editing technology to wedding videographers
- the lawsuit against Kaleidescape, a company that lets consumers send lawfully acquired DVDs around their home
- the lawsuit against Load 'N Go, a company which sold pre-loaded iPods with DVDs, as long as the consumer also bought the DVD.

"The recent legislative efforts to mandate technological changes to stop copying, block the so-called 'analog hole' and impose other 'fixes' on the technology industry certainly make your claim of embracing new technology a bit hollow.

"We both agree that those who profit from the unauthorized, mass redistribution of content do so illegally. And we both agree that the creative community deserves fair compensation for its works, which are enjoyed by so many around the world. Where we apparently disagree is in how to treat ordinary, law-abiding citizens. Consumers should not expect free, but they do expect freedom -- the freedom to enjoy their lawfully acquired content when, where and how they want. That freedom is enabled by today's digital world and should be embraced by the content community."

Read the whole letter here [DOC], as well as Shapiro's speech at CES [PDF].

[EFF: Deep Links]

House Gets New Pretexting Bill.

Mon, 12 Feb 2007 02:50:04 GMT

House Gets New Pretexting Bill. Two U.S. representatives introduce a law to give the U.S. Federal Trade Commission authority over imposters who gain access to private telephone records. [PC World: Latest Technology News]

Big Win for Innocent RIAA Defendant.

Thu, 08 Feb 2007 18:24:17 GMT

Big Win for Innocent RIAA Defendant.

Good news today from the great state of Oklahoma. Debbie Foster, a single mom who was improperly sued by the RIAA back in 2004 for file sharing, has won back her attorneys' fees. The decision today is one of the first in the country to award attorneys fees to a defendant in an RIAA case over music sharing on the Internet.

Last year, Judge Lee R. West dismissed the case against her with prejudice after it became clear that Ms. Foster was simply the Internet access account holder in her home and had no knowledge or experience with file sharing software. EFF, Public Citizen, the ACLU, and the American Association of Law Libraries filed an amicus brief in the case, supporting Ms. Foster's motion for fees.

In his ruling, Judge West found that the RIAA had asserted an untested and marginal theory that veered toward "frivolous and unreasonable" by suing Foster for contributory and vicarious copyright infringement when the only evidence against her was her name on the household Internet account. Much like the judge in Elektra v. Santangelo, West expressed skepticism that "an Internet-illiterate parent, who does not know Kazaa from a kazoo" could be held liable for children in her home downloading music illegally unless the parent had knowledge of the conduct or had giver her permission to do so. West also hinted that the RIAA might have pursued the secondary liability claims "to press Ms. Foster into settlement after they ceased to believe she was a direct or 'primary' infringer."

Finding that in the face of these claims, "her only alternative to litigating ... was to capitulate to a settlement for a violation she insists she did not commit" and that "[s]uch capitulation would not advance the aims of the Copyright Act," the Court awarded Ms. Foster her attorneys fees and costs.

We applaud Judge West for standing up to the RIAA and recognizing the importance of helping people like Debbie Foster push back against their overzealous litigation campaign.

[EFF: Deep Links]

FTC Issues Fraud and ID Theft Data for 2006.

Thu, 08 Feb 2007 17:31:26 GMT

FTC Issues Fraud and ID Theft Data for 2006.

Unauthorized credit card charges were the leading contributor to more than $1.1 billion bilked in reported consumer fraud complaints last year, according to new figures released today by the Federal Trade Commission.

Shop-at-home/catalog sales and prizes and sweepstakes accounted for nearly 15 percent of all fraud-related complaints, followed closely by Internet services and online auctions. While the FTC's data tracks both online and offline fraud, the commission said some 60 percent of fraud complaints stemmed from transactions where the initial contact with the consumer was over e-mail (45 percent) and the Web (15 percent). (The PDF version of the FTC report is here.)

Credit-card fraud was the most common source of reported losses, followed by phone or utilities fraud (16 percent), bank fraud (16 percent) and employment fraud (14 percent). The latter category usually involved the unauthorized use of someone's Social Security number in order to secure employment.

Claudia Bourne Farrell, a spokesperson for the FTC, was herself a victim of employment fraud.

"I learned about it when the Internal Revenue Service asked why I wasn't declaring income and paying taxes on my job" at a Washington, D.C., restaurant, she said. Investigators later linked the identity thief to a local man using her Social Security number under the name Claudio Farrell.

While consumers are usually reimbursed by their bank for fraudulent credit- and debit-card charges, fraud that results from new accounts being opened in a victim's name -- from new cell phone and utility services ordered by the fraudsters -- represent a far more serious type of fraud, said Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse.

"Usually, when a new account is opened in your name, the monthly statements go to a drop box or the criminal's address, and the victim doesn't generally find out about it until they go to open a new line of credit or orders a copy of their credit report," Givens said. "This is the most difficult type of fraud to erase from your file." A victim must do a great deal of work to expunge the fraudulent accounts from their credit files, she said.

The FTC warned that the percentage of fraud complaints where wire transfers were the reported payment method continued to increase last year. Most wire transfer losses are associated with Internet auction scams, where auctioneers simply take the money but never ship the promised merchandise. Twenty-three percent of the consumers reported fraud incidents where wire transfer was the payment method, an increase of eight percentage points from calendar year 2005, the FTC said.

California, Texas and Florida led the nation in the total number of identity and consumer fraud cases that were reported last year. Virginia and Maryland were sixth and eighth, respectively, in the rankings of consumer fraud complaints per 100,000 people by state. Maryland came it at No. 11 in the rankings of reported identity theft cases per 100,000 people, while Virginia came in at 15 in the same measure.

For Washington, D.C., the FTC said there were 1,904 complaints made by city residents last year about consumer fraud or identity theft. The Washington region in general ranked 110 in fraud complaints out of the top 400 metropolitan areas in the country.

Consumers in the 18-29 age set were the largest age group that reported losses from fraud. That finding closely mirrors other studies that have identified younger online users as those most likely to be defrauded or scammed.

The overall number of fraud complaints was down slightly from 2005, but the FTC noted that one major data contributor did not properly catalog many of its complaints, so comparisons with previous years are difficult.

The FTC and consumer advocates urge consumers to keep a close eye on their credit files for signs of fraudulent activity. Under federal law, consumers are entitled to a free copy of their credit report each year. Consumers can order their free credit report by visiting AnnualCreditReport.com.

[Security Fix]

FTC: Identity Theft Remains Top Consumer Complaint.

Thu, 08 Feb 2007 17:27:49 GMT

FTC: Identity Theft Remains Top Consumer Complaint. Identity theft complaints remained a top priority for U.S. consumers last year, the FTC says. [PC World: Latest Technology News]

RIAA urges Apple to spread DRM far and wide.

Thu, 08 Feb 2007 17:22:06 GMT

RIAA urges Apple to spread DRM far and wide.

Steve, you're so smart

The RIAA has seized on the weakest part of Steve Jobs' anti-DRM manifesto by banging on Apple to license its FairPlay technology to other companies.

[The Register - Music and Media]

UK to jail privacy violators

Wed, 07 Feb 2007 19:52:28 GMT

In a move to crack down on the illegal trade in personal information UK courts will soon start jailing people who trade in, or deliberately misuse, the personal data of others, according to the Department for Constitutional Affairs.

Today's decision follows a public consultation on increasing penalties for deliberate and wilful misuse of personal data and is part of the Government's strategy on data sharing to deliver better public services to individuals.

The British Government has been increasingly concerned about an apparent growth in the trade in personal data, especially to companies that engage in spam email and cold calling marketing tactics, and under the new regulation, offenders could face up to two years in prison.

The current penalty of a small fine in the Data Protection Act have not provided a sufficiently strong deterrent.

Jail for Selling Email Lists to Spammers.

Wed, 07 Feb 2007 19:39:19 GMT

Jail for Selling Email Lists to Spammers. amigoro writes "UK will start jailing the people who trade in email addresses, or any other personal data. The current Data Protection Act only fines people who do that, but the money one can make from trading in personal information was far higher than the measly GBP 5000 one had to pay if caught. The new regulations will result in a two year prison sentence for violating the Act." [Slashdot: Your Rights Online]

Hollywood on the Hill: Time to Bury the Broadcast Flag?

Wed, 07 Feb 2007 18:43:44 GMT

Hollywood on the Hill: Time to Bury the Broadcast Flag?

Hollywood is in full force today on Capitol Hill,hosting "The Business of Show Business Industry Symposium"(pdf) with stars such as Sex, Lies & Videotape director Steven Soderbergh and An Officer and a Gentleman Director Taylor Hackford talking about how central copyright is to the business of movie making.

We don't disagree with that notion of course, but what we don't usually agree with Hollywood about is the means by, and the degree to which, government should protect those copyrights. Over the past 5 years, Hollywood and the recording industry have pushed numerous proposals in Congress, and they have tended to fall into several categories: 1) government technology mandates like the broadcast flag; 2) expanding secondary copyright liability (like the "Induce Act"); 3) expanding the permissions culture (e.g., licensing temporary or buffer copies); and 4) increasing punishment for copyright infringement that falls just short of death by hanging. The good news is that most of these efforts have failed. The bad news is that with a Democratic-controlled Congress and one year until a Presidential election, you can bet your mortgage that they will be pushing these, and other initiatives hard in 2007.

But as time goes on and the public's (and the content industry's) use of technology and digital media change, it makes it harder and harder to make the case for these proposals. Take, for example, our favorite technology mandate, the broadcast flag. For those newcomers to this blog, the FCC's 2003 broadcast flag rules would have given the government the power to dictate technological design, and as a result, limit lawful uses of digital technology. The rules would have required FCC pre-approval for every technology that could demodulate a digital TV signal, as well as for those technologies (like Digital Video Recorders or even cellphones) that are "downstream" from digital TV devices. Public Knowledge brought a court challenge on behalf of it and eight other public interest, library and cyberliberties organizations, and in May 2005 a federal appeals court struck down the rules. Hollywood has been trying to get Congress to reinstate it ever since.

Even assuming that there was ever a rationale for the broadcast flag, does it exist anymore? And would such a rule even be in the best interests of the content industries? Let's take a look:

[Public Knowledge - Policy Blog]

FTC to release ID theft data.

Tue, 06 Feb 2007 02:08:11 GMT

FTC to release ID theft data. The Federal Trade Commission on Wednesday will release its latest "Consumer Sentinel" statistical analysis on identity theft, a precursor to a more comprehensive report later this year on ID fraud. [Computerworld Privacy News]

Super Bowl-Related Web Sites Hacked.

Mon, 05 Feb 2007 18:54:25 GMT

Super Bowl-Related Web Sites Hacked. A recent vist to some Super Bowl host sites could mean an infected PC. [PC World: Latest Technology News]