Paul Hardwick: Seminars

Castrated RFID Talk at Black Hat.

Fri, 02 Mar 2007 02:29:30 GMT

Castrated RFID Talk at Black Hat. Following a lawsuit threat, a security researcher goes ahead with a presentation on vulnerabilities in RFID access cards -- but doesn't demonstrate problems with HID Global's system. By Kim Zetter. [Wired News: Top Stories]

Battle brewing over RFID chip-hacking demo | InfoWorld | 2007-02-26 | By Paul F. Roberts

Wed, 28 Feb 2007 03:04:59 GMT

Secure card maker HID Corp. is objecting to a demonstration of a hacking tool at this week's Black Hat Federal security conference in Washington, D.C. that could make it easy to clone a wide range of so-called "proximity" door access cards.

HID has sent a letter to IOActive, a security consulting firm, accusing Chris Paget, IOActive's director of research and development, of possible patent infringement over a planned presentation, "RFID for beginners," on Wednesday, a move that could lead to legal action should the talk go forward, according to Jeff Moss, founder and director of Black Hat.

[ See also our Video: "Hack in action" ]

Lawsuits, patent claims silence Black Hat talk | InfoWorld | 2007-02-27 | By Paul F. Roberts

Wed, 28 Feb 2007 02:59:50 GMT

A planned talk on RFID security by a security researcher has been pulled from this week's Black Hat Federal security conference after secure card maker HID claimed the talk violated the company's patent rights and threatened to take legal action against Chris Paget, the researcher, and IOActive, Paget's employer, if the talk went forward.

The company decided to cancel the talk after all-night negotiations with HID collapsed, said Josh Pennell, CEO of IOActive. In response, Black Hat organizers were forced to tear materials out of printed show proceedings and will instead present a discussion by a representative of the ACLU on the criticality of RFID security, said Jeff Moss, founder and director of Black Hat.

A spokeswoman for HID did not immediately respond to a request for comment.

The incident recalled a 2005 dispute over a presentation at Black Hat in Las Vegas involving Cisco Systems and Michael Lynn, a security researcher who worked for Internet Security Systems at the time.

New Controversy over Black Hat Presentation.

Wed, 28 Feb 2007 02:55:39 GMT

New Controversy over Black Hat Presentation. uniquebydegrees writes "InfoWorld is reporting about a new controversy swirling around a planned presentation at Black Hat Federal in Washington D.C. this week. Security researcher Chris Paget of IOActive will demo an RFID hacking tool that can crack HID brand door access cards. HID Corp., which makes the cards, is miffed and is accusing IOActive of patent infringement over the presentation, recalling the legal wrangling over Michael Lynn's presentation of a Cisco IOS hole at Black Hat in 2005. Black Hat's Jeff Moss says they're standing by their speaker. A news conference is scheduled for tomorrow AM." Update: 02/27 20:10 GMT by Z :InfoWorldMike wrote with a link to story saying that the presentation has been pulled from the slate for Black Hat, as a result of this pressure. [Slashdot]

Administrivia: Now we have a overheated CPU ( 60 degrees centigrade )

Wed, 28 Feb 2007 00:39:01 GMT

OK, if the DDOS attack wasn't enough. Now our server went down with a temperature overload. We were up to 60 degrees centigrade when we shut down. The CPU and a broken fan have been replaced.

Administrivia: Our data-center was hit by a DDOS attack today.

Tue, 27 Feb 2007 22:19:59 GMT

Sorry for being either very slow or off the net for a while recently. The data-center we are part of was hit by a DDOS (Distributed Denial Of Service) attack recently. At the moment it looks to be under control, but we are keeping an eye on things.

Studios, FBI Teach Swedish Cops to Hunt File Sharers.

Fri, 23 Feb 2007 17:10:37 GMT

Studios, FBI Teach Swedish Cops to Hunt File Sharers. The FBI and the MPAA, with the Swedish antipiracy organization Antipiratbyren, are training Swedish law enforcement officers in copyright and piracy matters. [PC World: Latest Technology News]

Famed ID Thief to Speak at Security Event.

Fri, 23 Feb 2007 17:00:45 GMT

Famed ID Thief to Speak at Security Event. Frank Abagnale, subject of the film 'Catch Me If You Can', will keynote the London RSA Conference in October. [PC World: Latest Technology News]

Students get advice on online privacy

Fri, 16 Feb 2007 16:03:06 GMT

When C.L. Lindsay prepares to speak at a college, he looks for local photos online.

In less than two minutes he has dozens of photos of underage students drinking or smoking marijuana.

"I totally get that you want to take pictures," said Lindsay, who is an attorney and college student advocate. "But you do not want to put 10,000 copies up on campus." When a person posts photos online, it is the equivalent of hanging thousands of copies, he said. Lindsay spoke at Bismarck State College at noon, 2 p.m. and 7 p.m. Thursday. He spoke about privacy on the Internet and other legal issues.

Besides finding photos of debauchery, Lindsay finds identifying information, like where the person lives. He recommends people set their personal Web page security to private, so only friends can see. Then he recommends people be cautious of what they post.

Across the country, students have been kicked off sports teams, kicked out of school or suspended for items posted on their social networking Web site, Lindsay said.

Employers also are starting to screen social networking sites to weed out candidates. Lindsay cited a survey of employers that showed 40 percent of employers eliminated candidates based on online information.

People should think about what they post in terms of whether it is illegal if they did it "offline" and if they would want future employers to see it, he said.

The Shifting Strategy of IT Threats: How SMBs Succeed in a Connected World. LIVE WEBCAST

Mon, 12 Feb 2007 18:32:11 GMT

The Shifting Strategy of IT Threats: How SMBs Succeed in a Connected World. LIVE WEBCAST
(Source: MessageLabs) In this exclusive live Webcast, Chris Christiansen and a panel of security experts will examine the fundamental link between IT security and its effects on business health. Register now for this live event, premiering 2/15 at 2pm EST. [Computerworld Privacy News]

Conference Attendees Drop Ball on Wi-Fi Security.

Sat, 10 Feb 2007 22:55:59 GMT

Conference Attendees Drop Ball on Wi-Fi Security. More than half of the wireless LAN devices being used at this week's RSA Conference on information security are themselves unsecured. [PC World: Latest Technology News]

Hollywood on the Hill: Time to Bury the Broadcast Flag?

Wed, 07 Feb 2007 18:43:44 GMT

Hollywood on the Hill: Time to Bury the Broadcast Flag?

Hollywood is in full force today on Capitol Hill,hosting "The Business of Show Business Industry Symposium"(pdf) with stars such as Sex, Lies & Videotape director Steven Soderbergh and An Officer and a Gentleman Director Taylor Hackford talking about how central copyright is to the business of movie making.

We don't disagree with that notion of course, but what we don't usually agree with Hollywood about is the means by, and the degree to which, government should protect those copyrights. Over the past 5 years, Hollywood and the recording industry have pushed numerous proposals in Congress, and they have tended to fall into several categories: 1) government technology mandates like the broadcast flag; 2) expanding secondary copyright liability (like the "Induce Act"); 3) expanding the permissions culture (e.g., licensing temporary or buffer copies); and 4) increasing punishment for copyright infringement that falls just short of death by hanging. The good news is that most of these efforts have failed. The bad news is that with a Democratic-controlled Congress and one year until a Presidential election, you can bet your mortgage that they will be pushing these, and other initiatives hard in 2007.

But as time goes on and the public's (and the content industry's) use of technology and digital media change, it makes it harder and harder to make the case for these proposals. Take, for example, our favorite technology mandate, the broadcast flag. For those newcomers to this blog, the FCC's 2003 broadcast flag rules would have given the government the power to dictate technological design, and as a result, limit lawful uses of digital technology. The rules would have required FCC pre-approval for every technology that could demodulate a digital TV signal, as well as for those technologies (like Digital Video Recorders or even cellphones) that are "downstream" from digital TV devices. Public Knowledge brought a court challenge on behalf of it and eight other public interest, library and cyberliberties organizations, and in May 2005 a federal appeals court struck down the rules. Hollywood has been trying to get Congress to reinstate it ever since.

Even assuming that there was ever a rationale for the broadcast flag, does it exist anymore? And would such a rule even be in the best interests of the content industries? Let's take a look:

[Public Knowledge - Policy Blog]

When Security Companies Fail.

Wed, 07 Feb 2007 18:35:08 GMT

When Security Companies Fail.

SAN FRANCISCO: Security Fix has long pontificated on the necessity of Microsoft Windows users setting up their machines to run under "limited user" accounts. It is considered a fairly effective method for warding off spyware and virus infections on your average Windows PC.

Irony knows no bounds ... less-than-secure kiosks at the RSA Security Conference. (Brian Krebs)

The advice is not some "secret sauce" that Security Fix dreamed up. It is well known that running Windows under a user account that does not have the right to install software by default is a key safeguard for fortifying Windows machines.

So it came as a great surprise to me to discover a security gaffe at the RSA Security conference here -- one of the premiere computer security conferences in the industry. The kiosks of Microsoft Windows XP machines set up as a way for attendees to freely access e-mail from the conference floor were running under the all-powerful "administrator" account. In short, anyone could have used the terminals to download a free software program that records every keystroke typed on the terminals. That record would be extremely useful for spying on the Internet communications of executives at some of the most recognizable computer security firms in the industry.

I spent about 20 minutes watching the activity at these booths, as executives checked their e-mail messages there or logged on to their PCs remotely. Had I spent a bit more than 10 seconds at the terminals, I could have downloaded software that would let me steal user names and passwords from some of the more important companies in the information security community.

It certainly is somewhat crazy that these security practices occur at a respected security conference. But it is also revealing that so many security professionals find it acceptable to access their personal data on unfamiliar public terminals without conducting even rudimentary checks on the host system's integrity.

[Security Fix]

Gates, Ellison Tout Security At RSA Event.

Tue, 06 Feb 2007 15:27:17 GMT

Gates, Ellison Tout Security At RSA Event. The annual RSA Conference kicks off this week with keynotes from industry luminaries Bill Gates and Larry Ellison. [PC World: Latest Technology News]

DMCA Reformist To Speak at Stanford This Friday.

Tue, 30 Jan 2007 18:18:41 GMT

DMCA Reformist To Speak at Stanford This Friday.

Rep. Rick Boucher, who has long proposed legislation to reform the DMCA, will deliver a speech at Stanford Law School on Friday entitled, "Congress Must Balance its Copyright Agenda." More information is available here.

[EFF: Deep Links]

Stanford Symposium, "Search and Seizure in the Digital Age," on January 26.

Fri, 26 Jan 2007 21:18:14 GMT

Stanford Symposium, "Search and Seizure in the Digital Age," on January 26.

On January 26th, Stanford Law School will host a symposium called "Beyond a Physical Conception of the Fourth Amendment: Search and Seizure in the Digital Age." Six experts will present papers on a variety of privacy and technology issues, including RFIDs and protections for private information stored online. EFF Staff Attorneys Kevin Bankston and Kurt Opsahl will be there, and you can find out more about attending here.

[EFF: Deep Links]

NYU Colloquium on Information Technology & Society Spring 2007 Schedule.

Sun, 21 Jan 2007 04:17:14 GMT

NYU Colloquium on Information Technology & Society Spring 2007 Schedule.

The spring 2007 schedule for the Information Law Institute (NYU Law School) Colloquium on Information Technology & Society has been announced. I[base ']m excited about the opportunity to moderate the panel on [base "]A Discussion about Privacy in Web-Search[per thou] featuring Ramsey Homsany, Senior Counsel at Google.

Friday February 16, 12:30-2PM
[base "]Are Creative Commons Licenses Forever?[per thou]
Professor Tony Reese
University of Texas at Austin

Monday March 19, 8-9:30PM
** A public lecture co-sponsored with the ILI Student Association **
[base "]The Empire & the iPhone: [OE]Technology Platforms,[base '] the Commons, and the
Way We Live Now[per thou]
Professor Eben Moglen
Columbia Law and Software Freedom Law Center

Friday March 30, 12:30-2PM
[base "]A Discussion about Privacy in Web-Search[per thou]
Ramsey Homsany, Senior Counsel, Google
Daniel Howe, PhD Candidate, Computer Science, NYU
Helen Nissenbaum, Culture & Communication and ILI, NYU
Moderator: Michael Zimmer, Ph.D. Candidate, NYU

Friday April 13, 12:30-2PM
Title TBA
Professor Deirdre Mulligan,
UC Berkeley and Samuelson Law, Technology & Public Policy Clinic

Check the website for more details as the dates approach. If you want to subscribe to the mailing list, contact me.

[michaelzimmer.org]

Hacker Con Submits to Spychips.

Thu, 11 Jan 2007 03:47:01 GMT

Hacker Con Submits to Spychips. One thousand attendees of the Chaos Communication Congress voluntarily wire themselves up to RFID location-tracking devices. Just because they can. Quinn Norton reports from Berlin. [Wired News: Security Blanket]

MIT OpenCourseWare | Electrical Engineering and Computer Science | 6.912 Introduction to Copyright Law, January (IAP) 2006 | Home

Sat, 06 Jan 2007 23:31:36 GMT

Highlights of this Course

This course features video lectures and an extensive list of readings. A description of assignments is also available. This course is offered during the Independent Activities Period (IAP), which is a special 4-week term at MIT that runs from the first week of January until the end of the month.

Course Description

This course is an introduction to copyright law and American law in general. Topics covered include: structure of federal law; basics of legal research; legal citations; how to use LexisNexis(r); the 1976 Copyright Act; copyright as applied to music, computers, broadcasting, and education; fair use; Napster(r), Grokster(r), and Peer-to-Peer file-sharing; Library Access to Music Project; The 1998 Digital Millennium Copyright Act; DVDs and encryption; software licensing; the GNU(r) General Public License and free software.

MIT Offering Free Copyright Course Online.

Sat, 06 Jan 2007 23:15:59 GMT

MIT Offering Free Copyright Course Online. IANAL writes "MIT is offering Introduction to Copyright Law as a free online course. Interested Slashdotters might find it a good way to challenge their firmly held misconceptions about copyright law as it concerns fair use, Napster, Grokster, the GPL, and P2P filesharing, among other things. There's also an article about the course over on Groklaw." [Slashdot: Your Rights Online]

Computers, Freedom and Privacy - Montreal, May 1-4 2007

Fri, 29 Dec 2006 00:41:06 GMT

Come to CFP2007 in Montreal, May 1-4 2007. There's a lot at stake.

Computers, Freedom and Privacy 2007 - Call For Proposals

Fri, 29 Dec 2006 00:37:58 GMT

Call For Proposals - The deadline for proposals is January 20, 2006

The Program Committee of the Seventeenth Conference on Computers, Freedom, and Privacy (CFP2007) seeks your proposals for innovative conference sessions and speakers.

Facial-recognition software makes finding Web photos easier.

Wed, 20 Dec 2006 03:01:31 GMT

Facial-recognition software makes finding Web photos easier. Polar Rose AB plans to offer free software to make photos searchable on computers and the Internet by analyzing the contents of pictures with facial-recognition technology to locate specific faces. [Computerworld Data Mining News]

Tuesday Hearing on Critical E-Voting Evidence in Flawed Florida Election.

Mon, 18 Dec 2006 20:18:28 GMT

Tuesday Hearing on Critical E-Voting Evidence in Flawed Florida Election.

Search for Thousands of Missing Votes in Sarasota County Congressional Race

Tallahassee, Fla. - On Tuesday, December 19th, at 1 p.m., a state judge in Tallahassee, Florida, will consider whether representatives of Florida voters will gain access to voting machines and software in a contested election for the U.S. House of Representatives seat for Florida's 13th congressional district.

The Electronic Frontier Foundation (EFF) and other election advocacy groups last month filed suit on behalf of Sarasota County voters [^] both Republicans and Democrats [^] and are demanding a thorough investigation into potential electronic voting machine malfunctions. State and local election officials, however, continue to object to making the electronic voting machines and software available for examination. Tuesday's hearing will consider, among other issues, whether such materials must be made available to outside experts.

According to the electronic voting machines used during the November general election, more than 18,000 people in Sarasota County [^] approximately 15% of the voter turnout [^] did not cast a vote for any congressional candidate for this hotly contested seat. Instead of performing a robust analysis of the County's voting machines and software, the Florida Elections Canvassing Commission certified Vern Buchanan as the winner by 363 votes. The voters' lawsuit contends that thousands of voters were likely disenfranchised by machine-related problems.

WHAT:
Fedder v. Gallagher

WHEN:
1 p.m.
Tuesday, December 19

WHERE:
Leon County Courthouse
301 S. Monroe St.
Tallahassee, FL 32301

For more on the Florida lawsuit:
http://www.eff.org/news/archives/2006_11.php#005020

For more on EFF's E-Voting work:
http://www.eff.org/Activism/E-voting/

Contacts:

Matt Zimmerman
Staff Attorney
Electronic Frontier Foundation
mattz@eff.org

[EFF: Breaking News]

Speakers at ABA National Security Law Conference Confront NSA Surveillance Program and Leaks of Classified Information to the Press.

Sun, 10 Dec 2006 17:14:43 GMT

Speakers at ABA National Security Law Conference Confront NSA Surveillance Program and Leaks of Classified Information to the Press.

Speakers at the 16th annual review of National Security Law, held November 30-December 1, 2006, in Washington, D.C., addressed topics ranging from accountability for actions by private security contractors on the battlefield to civil litigation against terrorists and their bankers. Approximately 440 lawyers attended the conference, which was sponsored by the ABA Committee on Law and National Security, by the Center for National Security Law at the University of Virginia School of Law, and by the Center on Law, Ethics, and National Security at Duke University School of Law. Conference materials, which include several insightful papers, are available online.

In a speech at the conference, Representative Jane Harmon, the out-going ranking member of the House Intelligence Committee, described Congressional efforts to get executive branch officials to brief the members of the House and Senate Intelligence Committee about the NSA's domestic surveillance program. A video and audio copy of her remarks is available online. She said that only after the Senate Intelligence Committee threatened to delay confirmation hearings regarding General Michael Hayden's nomination to serve as CIA Director did executive officials agree to brief the Intelligence Committees about the NSA program. Ibid. at 15:30

Having received the classified briefing about the NSA program earlier this year, Representative Harmon said "As one of the few people outside the White House and NSA briefed into this program, I assure you that the program can be conducted pursuant to the Foreign Intelligence Surveillance Act." Id. at 15:51. Given that Representative Harmon has heard classified details about the NSA program that the Bush Administration has refused to disclose publicly, including in the dozens of pending lawsuits challenging the NSA program, her assertion that program could be conducted within FISA constraints is important. It directly contradicts the Administration's claims that the NSA cannot run the program in a manner that complies with FISA.

[Privacy and Security Law Blog]

ModSecurity v2.0 Webcast.

Thu, 07 Dec 2006 22:22:25 GMT

ModSecurity v2.0 Webcast.

In response to many of the common questions and issues posted to the mail-list, we at Breach Security decided to host a webcast to help provide answers and shed some light on the new v2.0 features - http://www.modsecurity.org/training/. This is the first of many training programs to support and enhance your use of ModSecurity and its dynamic web application security protection.

If you are interested in free training on:

The latest news on ModSecurity
Overview of he new features and rule sets in ModSecurity 2.0
How to install/deploy ModSecurity v2.0
How to migrate ModSecurity configuration and rules to the ModSecurity 2.0 format
Tips and tricks on using ModSecurity v2.0

The webcast is scheduled for Thursday, December 14th 2006 at 1:00pm EST. To register please click here.

[Web Security Blog]

Care Records conference opens and closes debate.

Mon, 27 Nov 2006 17:24:50 GMT

Care Records conference opens and closes debate.

Questions, questions, questions

The third annual Care Record Development Board get-together got underway yesterday (Thursday), bringing together "key stakeholders" in the government's proposed digitising of the UK's medical records.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

Is DRM Good Or Bad For Consumers?

Thu, 09 Nov 2006 04:04:24 GMT

Is DRM Good Or Bad For Consumers? Experts at FTC event debate positive and negative effects of DRM on consumers. [PC World: Latest Technology News]

China: We don't censor the Internet. Really | CNET News.com

Tue, 31 Oct 2006 18:24:18 GMT

ATHENS, Greece--While many countries block off some Web sites, China has long drawn heightened scrutiny because of the breadth and sophistication of its Internet censorship

Which is why it came as a surprise on Tuesday when a Chinese government official claimed at a United Nations summit here that no Net censorship existed at all.

The only problem: Few cases of Net censorship are as carefully and publicly documented as the Great Firewall of China. A study by researchers at Harvard Law School found 19,032 Web sites that were inaccessible inside China.

A report from a consortium of British, American and Canadian universities concluded: "China's Internet-filtering regime is the most sophisticated effort of its kind in the world. Compared to similar efforts in other states, China's filtering regime is pervasive, sophisticated and effective."

In fact, Google has cited China's intermittent blocking of Google.com as the primary factor in the company's creation of the Google.cn censored search site.

Protect Your Digital Freedom!

Wed, 25 Oct 2006 21:18:47 GMT

Protect Your Digital Freedom!

The Digital Freedom Campaign was launched today, and I was delighted to join my colleagues from the Consumer Electronics Association, the Media Access Project, Computer and Communications Industry Association and The Electronic Frontier Foundation at a press conference to talk about the campaign. My statement is here.

The purpose of the campaign is to build grassroots support for copyright laws that protect, rather than limit, creativity, innovation, free speech and competition. While attempts by the content industry to strengthen copyright further through increased penalties, government technology mandates and lawsuits is nothing new, the past several months have seen perhaps the greatest onslaught of legislation and litigation since Public Knowledge was founded five years ago. You can read about those initiatives here, here and here. These efforts have been particularly irksome because the industry won the Grokster case at the Supreme Court (and just recently at the district court), has been successful in its lawsuits against individuals, got Congress to pass the Family Entertainment and Copyright Act, which gives the industry special protection for âo[ogonek]pre-releaseâo� works, and has entered into agreements with ISPs to pass on warning notices to individuals they believe to be engaged in illegal file sharing. So to paraphrase the immortal words of Howard Beale - Weâo[dot accent]re as mad as hell and we are not going to take it any more.

[Public Knowledge - Policy Blog]

Broadcast Flag video.

Wed, 25 Oct 2006 21:15:52 GMT

Broadcast Flag video.

On Friday, PK will be hosting a Higher-Education discussion on the Broadcast Flag. For that meeting, we created a video, much like the net neutrality video, to help explain, in simple terms, what the flag is all about.

You can find it on Youtube here or see it below:

[Public Knowledge - Policy Blog]

Democracy Now! | FCC Commissioner Michael Copps and Juan Gonzalez on the Color of Media Consolidation

Wed, 25 Oct 2006 20:44:02 GMT

Copps and Gonzalez spoke at last week's town hall meeting in New York on diversity and media ownership. The FCC is reconsidering a number of broadcast rules -including whether a single company should be able to own both a newspaper and television station in the same market. [includes rush transcript]

A town hall meeting on diversity and media ownership was held last week here in New York City. All five commissioners from the Federal Communications Commission were invited. Only two showed up - Commissioners Michael Copps and Jonathan Adelstein. More than 300 activists and citizens came out to show their opposition to further media consolidation as the FCC reconsiders a number of broadcast rules - including whether a single company should be able to own both a newspaper and television station in the same market.

Michael Copps, FCC Commissioner.
Juan Gonzalez, Daily News columnist and Democracy Now co-host.

Unblinking: New Perspectives on Visual Privacy in the 21st Century. (symposium)

Wed, 11 Oct 2006 06:54:14 GMT

Unblinking Symposium.

I just came across an amazing-looking multi-disciplinary symposium on privacy and surveillance at Berekely: Unblinking: New Perspectives on Visual Privacy in the 21st Century.

The program is quite impressive, including Ian Kerr (who gave the keynote last week at our IINW symposium), Julie Cohen, and Helen Nissenbaum (my dissertation advisor).

I[base ']d love to attend, but it is the same weekend as the annual meeting of the Society for Social Studies of Science in Vancouver, where I will be presenting the paper on the [base "]alues and pragmatic action: The challenges of engagement with technical design communities[base ']Äù that Noemi and I have been working on.

[michaelzimmer.org]

Barlow to MPAA: Don't Worry, Be Happy, and Lose the P2P War.

Fri, 25 Aug 2006 16:56:31 GMT

Barlow to MPAA: Don't Worry, Be Happy, and Lose the P2P War.

BBC News recently recorded a debate about P2P between MPAA President Dan Glickman and EFF Co-Founder John Perry Barlow. Watch the whole thing here, and don't miss another classic Barlow quote:

"The good news is that you guys have managed to buy every major legislative body in the planet, but you know the problem is, the bad news is that you're up against a dedicated foe that is younger and smarter than you are and will be alive when you are dead, and has historical forces on its side, and is using its technological acumen very adeptly to ward off all of your efforts of control and you're gonna lose that one. I mean you're fifty-five years old and these kids are seventeen and they're just smarter than you are. So you're gonna lose that one. But the good news is you guys are mean sons of bitches and you've been figuring out ways to rip off audiences and artists for centuries really, and all you gotta do is get outta bed a little earlier in the morning for a spell and you'll find new ways of doing this. I have every faith in you and you should give yourselves a little credit, instead of howling that you're going to be victimized. It's not like you to be victimized."

In other words, the movie industry will live on -- and find a veritable pot of gold waiting for it -- when it stops threatening innovators and fans with lawsuits and DRM.

[EFF: Deep Links]

Developing and Implementing an Operating Systems Security course with Labs.

Thu, 10 Aug 2006 19:50:56 GMT

Developing and Implementing an Operating Systems Security course with Labs. Harry Bulbrook writes this paper. Durham Technical Community College is developing a security course based on securing operating systems. This paper will present a list of course objectives and an outline for a developing a security course based on securing operating systems. In addition, several lab exercises will be developed and presented, including auditing and monitoring (through log files), and locking down access (including implementation of password policies.) By Harry Bulbrook. [Infosec Writers Latest Security Papers]

Defcon Speakers Team Up to Fight 'Queen Bots'.

Thu, 10 Aug 2006 18:45:42 GMT

Defcon Speakers Team Up to Fight 'Queen Bots'.

Imagine for a moment that our central defense against bank robbers was a technology that recognized criminals based largely upon their physical appearance. Now imagine that the bad guys had figured out a way to rapidly and automatically change not only their facial structure, but their height, weight, clothing and method of attack. The net result those attacks would ultimately be more successful and profitable bank robberies, encouraging the bad guys to step up the frequency and brazenness of their attacks.

That is a rough analogy for describing the dirty little secret of the anti-virus industry today -- that the authors of computer worms and viruses designed to turn regular computers into spam-spewing and data-stealing zombies or "bots" are increasingly outpacing the security vendors, by automatically updating the genetic makeup of their creations before anti-virus companies have time to ship updates to their detection files. As a result, we have an industry whose business is predicated on 10 to 20 percent of its customers being successfully attacked before it can even begin to respond, according to some estimates.

In light of this trend, some security experts say it is high time for anti-virus companies to put aside their competitive interests and partner with the various public-sector malware collection and analysis projects. At the Defcon hacker conference in Las Vegas last week, Internet pioneer Paul Vixie and Georgia Institute of Technology bot researcher David Dagon presented blueprints for an industrywide, automated "malware repository" designed specifically to address the problem of self-updating bot programs, which they called "queen bots."

[Security Fix]

Tracking the Congressional attention span

Tue, 08 Aug 2006 17:50:44 GMT

While text mining 330,000 New York Times articles poses an interesting challenge, it's not as interesting as sifting through 70 million words (from over 70,000 unique documents) found in the Congressional Record. A team of political science researchers has done just that (PDF), and found that their software was able to answer questions too difficult for humans to handle on their own.

The Congressional Record is a unique source of political information. It contains verbatim transcripts of floor speeches made in both the House and the Senate and provides a view of political debate far more nuanced than the one provided by election returns, opinion polls, and vote counts.

But how to make use of that vast treasure trove of words? The research team notes that the Record has rarely been used as a source for analysis because "it contains too much information to absorb manually." Even with a large team of grad students at their disposal, researchers find it difficult to tag more than a small subset of the speeches in question, and computers have not traditionally been useful for mining text.

Tracking the Congressional Attention Span.

Tue, 08 Aug 2006 17:48:15 GMT

Tracking the Congressional Attention Span. Turismo writes "Ars Technica covers a new research project that uses computers to look at 70 million words from the Congressional Record. The project's goal was to track what our representatives were talking about at any given time, and researchers were able to do it without human training or intervention. From the article: '...researchers found, for instance, that "judicial nominations" have consumed steadily more Congressional attention between 1997 and 2004. In fact, the topic produced the most number of words published in a single "day" of the Congressional Record: 230,000 on November 12, 2003.' It looks like automated topic analysis has truly arrived."[Slashdot]

Editor: Just remember, not everything in the Congressional Record was actually said by that person. They are allowed to include large amounts of prepared statements in written form in such a way that you can't tell the difference.

DefCon Delays Can't Stop the Madness.

Sun, 06 Aug 2006 20:01:30 GMT

DefCon Delays Can't Stop the Madness.

LAS VEGAS, Aug. 4 -- DefCon, the nation's largest annual hacker conference, is well underway here at the Riveria Hotel and Casino, and as usual there is just far too much to see and do to really take it all in. The conference hit a minor speed bump this morning, after the local fire marshal took her sweet time inspecting the conference setup, pushing back all of the first day's talks by a full two hours. Conspiracy theories abound as to why the con was delayed, but the most oft-uttered explanation is that perhaps the inspector has a general distaste for the type of crowd in attendance here.

There are more plausible explanations: The sheer size of this year's con is enough to make anyone in charge of crowd control blink twice in amazement. This place is completely packed, teeming with at least 6,000 hackers (the conference organizers had 6,000 badges to give out, and they ran out of them shortly after registration began).

I've also heard from several attendees that the hotel's sprinkler system was hacked, as well as the devices that control the elevators. I've not been able to confirm either claim yet, but I'm told that hacking hotel elevators is fairly regular occurence at DefCon and hardly a challenge for this bunch. I rode the elevators early in the day and was perplexed to find the digital floor level indicator displaying the hotel's top floor just after I'd gotten on the lift from the ground floor. Last year, someone hacked into the ATM at the Alexis Park Hotel (the site of the past three DefCons), though I have yet to spot a cash machine anywhere near the main area of the Riviera.

Already, there are dozens of names on the "Wall of Sheep," a running tally of the unsuspecting or foolhardy souls who venture to log in to various unencrypted Web sites over the hotel's wired, wireless or Bluetooth networks. As of 3 p.m. PT Friday I spotted at least five Myspace.com user-account credentials on the wall, as well as user name and password info for someone at networking giant Cisco and another at a Hawaii state government Web site. At the rate the sheep are piling up this year, we are likely to see more than 100 victims listed on the wall.

The conference tracks here have for the most part been fairly solid and largely devoid of half-baked presentations. Defcon speaker Rick Hill -- a security engineer for Reston, Va.-based IT consulting firm Tenacity Solutions Inc. -- showed an innovative method for locating wireless networks using a kit he installed atop a replica of the 1950s research rocket Nike Smoke. In the rocket's nose cone, Hill embedded an Ipaq handheld computer with an attached 802.11b/g wireless card, as well as an onboard computer and a powerful antenna. He tested the rocket in a rural area of Culpeper, Va., shooting the missile up to an altitude of 6,800 feet, with a large parachute allowing the rocket more than six minutes of scanning for wireless networks within a 50-mile radius.

While the entire mission was a success, that particular launch netted only two networks. Hill said the technique showed its promise, but also the method's inherent limitations -- testing such projectiles in densely populated areas would be dangerous (and probably illegal ... Hill had to get clearance from the Federal Aviation Administration, required for any launch higher than 2,000 feet). For anyone interested in additional specifications on this project, I hope to be able to post a copy of his slides here, but for now the file upload tool we're using says it's too large (the PDF is more than 3.4 megabytes).

Collin Mulliner, a member of the Trifinite Group, which researches mobile device security issues, pointed to a number of exploitable flaws he found in wireless handheld Pocket PC phones powered by Windows CE 4.2x that could be used to remotely install software on the phones. You can check out his presentation here.

Jay Beale, a researcher with the security consultancy group Intelgaurdians, gave an entertaining and excellent talk on weaknesses he found while reviewing the firewall that ships with Mac OS X systems. Beale said that while the Mac firewall is not turned on by default, his research showed some pretty big holes in the hacker shield. Beale found that the firewall that comes with Mac OS X Panther does not block simple pings (network probes used to tell whether a host on the network is reachable) or communications sent via the user datagram protocol (UDP).

Unlike the "transfer control protocol" (TCP), which requires a three-way "handshake" between, say, a Web browser and a Web site to ensure that all of the data segments in the request are reliably exchanged, UDP traffic doesn't bother to check whether everything is sent the way it was meant to. While data requests and transfers over UDP do not provide the reliability and ordering guarantees of TCP traffic, such requests are much faster than TCP connections, and such are more ideally suited for data exchanges that demand swiftness, such as streaming media applications and Internet-based telephone conversations, for example.

The firewall that ships with Mac OS X Tiger doesn't block incoming ping or UDP traffic either unless the user clicks on the "advanced" tab of the firewall settings, Beale said. But even users who click on the "block UDP traffic" box in the firewall's advanced settings won't be completely protected, as his research showed that the firewall will still allow UDP traffic as long as it appears to have been generated by either the service that dynamically assigns network addresses to new devices on the network, or comes from a Mac service called Zeroconf (a.k.a "Bonjour"), an OS X feature designed to make it easy for Apple applications and devices like iTunes, wireless cameras and printers to communicate with the system.

The upshot of this weakness, Beale said, is that it is enough for an attacker to mimic the types of network signals sent by devices using these communications channels in order to bypass the OS X firewall and scan a targeted system, whereapon the attacker could learn not only the security update or patch level of the machine, but also the machine's assigned name (which could hold clues as to specific username accounts on the system), as well as which applications are running on the computer.

Beale is perhaps best known as the author of Bastille, a program designed to harden the security of machines running different flavors of the Linux operating system. Beale said that in the next week or so he plans to release a version of Bastille for OS X users. Security Fix will post another entry when Beale finishes work on the tool. More information from his talk is available via these slides that he made available.

[Security Fix]

How to clone the copy-friendly biometric passport.

Fri, 04 Aug 2006 17:06:17 GMT

How to clone the copy-friendly biometric passport.

So easy the manual tells you that you can do it

Analysis At Black Hat yesterday, security consultant Lukas Grunwald of German company DN-Systems demonstrated the cloning of a biometric passport, observing beforehand to Wired that the "whole passport design is totally brain damaged." But should we be surprised? Not exactly, because that's precisely what it says on the tin.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

Black Hat and Defcon 2006: Security Fix Heads to Vegas.

Tue, 01 Aug 2006 19:37:36 GMT

Black Hat and Defcon 2006: Security Fix Heads to Vegas.

Security Fix is headed to Las Vegas for the better part of the next week to cover two back-to-back hacker conferences. The first is Black Hat USA 2006, which runs Wednesday and Thursday and caters to security professionals and researchers whose bosses can afford to foot the $1,200 to $1,600 registration fees. The other is Defcon, 72 straight hours of presentations and non-stop hacker fun starting Friday morning.

Security researchers plan to detail more than a dozen new software and hardware security flaws at this year's Black Hat. While many of the presentations at Defcon will be retreads of those offered at Black Hat, no doubt there will be quite a few new security holes unveiled there as well.

Last year's Black Hat was overshadowed by a talk given by Mike Lynn, who quit his job at Atlanta-based Internet Security Systems Inc. in order to present his research on serious security flaws in Cisco Systems routers, the networking devices responsible for directing much of the Internet's traffic (Lynn since landed a job working for Cisco arch-rival Juniper Networks.

For more background on that controversy, check out the archives. Interestingly enough, Cisco has stepped up as a one of three "platinum" sponsors of this year's Black Hat (along with Microsoft and Ernst & Young); I couldn't find any mention of ISS as a sponsor of this year's con.

Probably one of the more newsy and relevant talks at Black Hat this year will be given in part by another researcher who recently left ISS -- David Maynor, who is now a senior researcher at Secure Works (also headquartered in Atlanta). Maynor and Jon "Johnny Cache" Ellch will show how flawed software drivers in common wireless devices can open up almost any laptop to hijacking by the bad guys. Check back with Security Fix on Wednesday for an exclusive inside look at their research.

Dan Larkin, unit chief of the FBI's Internet Crime Complaint Center, will be the keynote speaker on Day 1 of Black Hat, discussing "war stories and trends" in the government's ongoing battle with increasingly organized cyber criminals. The first session on Day 2 features the annual "Meet the Feds" panel. Featured speakers include David Thomas, chief of the FBI's counterterrorism/counterintelligence and criminal computer intrusion investigations; Jim Christy, director of the Defense Cyber Crime Institute (DCCI), and Linton Wells, principal deputy assistant secretary of defense (networks and Information integration) at the Department of Defense. Hackers at Defcon also will have a chance to meet the feds.

Prior to last year's trip to Vegas, I spoke with Jack Holleran, formerly head of the National Security Agency's National Computer Security Center. Holleran is now retired and is one of countless folks helping to organize the two conferences along with Black Hat and Defcon founder Jeff Moss.

When I spoke with Holleran recently, he recounted a notable "Meet the Feds" panel several years back. Someone on the panel invited anyone in the room to stand up if they had ever probed someone's network defenses without the target's permission. Holleran recalled that a good portion of the hackers in the room proudly stood up. Those standing were then asked to sit down if what had made them stand up wasn't so felonious as to land them in jail for a long time. Holleran said all but a handful of defiant young hackers took a seat. At that point, several law enforcement officials on the panel quickly pulled out cameras from beneath the table, pointed them at the crowd and began snapping away -- thus giving the feds photographs of potentially prosecutable attendees.

Also at Black Hat '06, Dan Moniz and HD Moore will be showing how common cross-site scripting flaws in popular social networking sites like Myspace.com and Xanga.com could be combined with Web browser vulnerabilities to power an Internet worm capable of infecting millions of users in a very short time frame. Whether their demo goes off without a hitch is of little concern, as their concept is ripe for exploitation (cross-site scripting flaws are ubiquitous on most major Web sites, and new browser flaws are discovered every day). On Monday, HD wrapped up his Month of Browser Bugs, wherein he detailed a new, previously undocumented browser security flaw for each day in July. Security Fix will have an exclusive look at their research just prior to their talk on Thursday afternoon.

Another talk likely to garner attention will be given by Jeremiah Grossman and TC Niedzialkowski, who will present research on how to hack private corporate Intranets using Javascript. Also, an entire track of Day 2 at Black Hat will feature various presentations on the growing threat from rootkits, tools that bad guys and malware are increasingly using to remain hidden and deeply entrenched on computers that they have infiltrated

Those are just a few highlights from this year's jam-packed conference schedule. Check back all week for updates.

[Security Fix]

Hackers Fight Authority in NYC at Hope 6.

Sat, 29 Jul 2006 16:55:46 GMT

Hackers Fight Authority in NYC. The Man keeping you down? The sixth-annual Hackers on Planet Earth conference doles out briefings on picking locks, jamming phones and beating wiretaps. There was only one arrest. Annalee Newitz reports from New York. [Wired News: Security Blanket]

Dick Hardt - Identity 2.0: Identity Protocols, Today and Tomorrow.

Wed, 26 Jul 2006 18:08:43 GMT

Dick Hardt - Identity 2.0: Identity Protocols, Today and Tomorrow. How we prove who we are while controlling our privacy in an online world that offers ever more opportunities for collaboration, participation and communication is becoming an increasingly important and complex issue. In this talk from the 2005 Web2.0 conference, Dick Hardt, CEO of Sxip Identity, walks through his view of personal identity and how it could be managed more successfully in the online environment. [IT Conversations]

HOPE Conference Number Six

Fri, 21 Jul 2006 04:51:44 GMT

The HOPE conferences have been running since 1994. HOPE stands for Hackers On Planet Earth and it has become a gathering point for thousands of computer hackers, phone phreaks, net activists, government spooks, and a whole lot of curious people from all corners of the globe.
The HOPE Conference starts Friday at Hotel Pennsylvania in NYC on July 21, 22, and 23, 2006.

Senators call for more RFID education.

Mon, 17 Jul 2006 15:40:28 GMT

Senators call for more RFID education. Two members of the U.S. Senate launched an RFID (radio frequency identification) caucus Thursday, with the purpose of educating lawmakers on the benefits of the expanding technology. [Computerworld Privacy News]

Video and Transcripts of GPLv3 Event Now Online.

Fri, 14 Jul 2006 16:05:39 GMT

Video and Transcripts of GPLv3 Event Now Online. H4x0r Jim Duggan writes "When Free Software Foundation Europe organised the recent GPLv3 conference in Barcelona, they recorded the whole two days on video, and have now put online the video and audio recordings. There's also a transcript of Richard Stallman's presentation, and of Eben Moglen's presentation, both of which include the Q&A sessions. The videos are all available by BitTorrent, so a slashdotting should be okay. Enjoy!" [Slashdot: Your Rights Online]

Microsoft to Show Vista at Hacker Conference.

Wed, 12 Jul 2006 20:36:08 GMT

Microsoft to Show Vista at Hacker Conference. Company will offer an inside look at the security features in the new OS. [PC World: Latest Technology News]

Blue Box Podcast Spring VON #1 - Phil Zimmermann interview about Zfone.

Mon, 10 Jul 2006 15:40:38 GMT

Blue Box Podcast Spring VON #1 - Phil Zimmermann interview about Zfone.

Synopsis: Interview with Phil Zimmermann about his new Zfone project, the ZRTP protocol and other related topics. The interview was recorded at the Spring VON show in San Jose, California, on March 16, 2006.

Welcome a special edition of Blue Box: The VoIP Security Podcast from the floor of the Spring 2006 VON conference in San Francisco, CA. In this interview with Phil Zimmermann we talk about his Zfone project and how it has evolved since it was first announced in January (which we covered here). Phil explains the origins of his ideas, how Zfone works, how ZRTP works and how people can get involved with the public Zfone beta program. More information is available at http://www.philzimmermann.com/

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically. The interview runs about 22 minutes.

[Blue Box: The VoIP Security Podcast]

Blue Box Podcast SE009: VoIP Security Presentation to IP Telephony for Government Conference - April 18, 2006.

Mon, 10 Jul 2006 15:36:34 GMT

Blue Box Podcast SE009: VoIP Security Presentation to IP Telephony for Government Conference - April 18, 2006.

Synopsis: Special edition with a presentation on VoIP Security given by Dan York at the IP Telephony for Government conference on April 18, 2006, in Arlington, VA.

Welcome to a special edition of Blue Box: The VoIP Security Podcast where we present a recording of a presentation that Dan York gave on April 18, 2006, in Arlington, Virginia, at the IP Telephony Solutions for Government conference sponsored by the Homeland Defense Journal and IT*Security Magazine. In this presentation, Dan provides an introduction to VoIP security issues, discusses threats and briefly touches on best practices to protect against those threats.

Download the show here (MP3, 38MB) or subscribe to the RSS feed to download the show automatically.

You may also download the presentation slides to follow along during the recording. The total show runs about 41 minutes.

[Blue Box: The VoIP Security Podcast]

The Fourth of July, 2006 is Privacy Digest's 7th Anniversary

Mon, 03 Jul 2006 17:14:11 GMT

Tomorrow, The Fourth of July 2006, Privacy Digest will have been publishing as this domain for seven years. We were actually around a bit longer as part of another blog. But on July 4, 1999, I decided that the issue was important enough to warrant it's own dedicated domain.

If you would like to help out my Amazon wishlist has a few things I need. More ideas on ways to support us can be found here.

Content Discontent, and Why the Discovery Channel Gets It.

Fri, 30 Jun 2006 17:14:11 GMT

Content Discontent, and Why the Discovery Channel Gets It.

Last Friday, PK took a field trip out to the Digital Media Conference in McLean, Virginia, to catch up on the latest happenings in, um, Digital Media. The morning sessions opened with 'Industry Roundtable: Perspectives from Leading Associations and Interest Groups' featuring representatives from the content industry (MPAA, RIAA, DiMA, ESA) and device manufacturers (CEA). As you can see, the panel was a little stacked. At past panels, moderator Greg Arlen (check out his account of the day) wore a referee's jersey to keep things under control, but this time opted for an equally effective sports-themed tie. Congratulations to CEA's Michael Petricone for his spirited defense of consumers' rights.

What was striking about the panel was not the content industry's legislative agenda (the usual: analog hole, broadcast flag, and opposing DMCA reform), but the disconnect from the rest of the conference. The room was mostly empty, while the room next door - a panel focusing on 'the Battle for the Digital Consumer'[~]was packed. The consensus in that room, and really of the conference, was that the winners of the digital media game would be those who could give consumers what they wanted when they wanted it.

The question left unasked and unanswered by the content industry reps was the long term viability of a business that is openly antagonistic to the desires of its customers [sigma]

And yet, content matters! One of the recurring themes of Friday's conference was that the companies best positioned to take advantage of the new market were those who owned their own content. Why? Because then you don't need to deal with the licensing battles that hinder any innovation in content delivery. While the big industry associations are using litigation, legislation and even international treaties to lock down content, some people are getting out there, distributing their content, and making money.

People like the Discovery Channel. In the first keynote of the day, Dawn McCall of the Discovery Networks International described the over 100 unique outlets her company uses to get their content to consumers. A fleet of cable networks, but also podcasts, webcasts, mobile devices, iTunes downloads, HD, even tours of national parks on Google Earth. You name it, they do it. She credited her company's explosive growth to the decision to own their own content, and a deliberate effort to be platform neutral.

Changing the content to fit the platform, rather than forcing the platform to fit the content. Interesting idea, but one you won't hear much around Washington these days.

[Public Knowledge - Policy Blog]

Schneier on Security: Ignoring the 'Great Firewall of China'

Wed, 28 Jun 2006 15:26:11 GMT

Richard Clayton is presenting a paper (blog post here) that discusses how to defeat China's national firewall:

Calif. Dept of Consumer Affairs' Zettel to Speak at ID Theft Conference.

Wed, 21 Jun 2006 19:34:05 GMT

Calif. Dept of Consumer Affairs' Zettel to Speak at ID Theft Conference. FDIC will hold a symposium on the importance of continued consumer confidence in e-commerce [GT: Security and Privacy]

Mine Data Not Details.

Sun, 18 Jun 2006 21:47:58 GMT

Mine Data Not Details.

Wired News is carrying an AP report of the workshop on the Data Surveillance and Privacy Protection I attended at Harvard University's Center for Research on Computation and Society a few weeks ago, where a common theme was coming up with ways to ensure that law enforcement, intelligence agencies and private companies can sift through huge databases without seeing names and identifying details in the records. It is a nice synopsis, and mentions the amazing work of Latanya Sweeney of Carnegie Mellon University (who has shown that 87 percent of Americans can be personally identified by records listing only their birth date, gender and ZIP code) as well as Rebecca Wright[base ']s update on the progress of the PORTIA (Privacy, Obligations and Rights in Technologies of Information Assessment) project, of which I[base ']m affiliated.

[michaelzimmer.org]

(IN)SECURE Magazine Issue 7.

Thu, 08 Jun 2006 14:16:28 GMT

(IN)SECURE Magazine Issue 7. Articles in this issue include: SSH port forwarding: security from two perspectives, part one, An inside job, CEO spotlight: Q and A with Patricia Sueltz at SurfControl, Server monitoring with munin and monit, Compliance vs. awareness in 2006, 2005 *nix malware evolution, Overview of quality security podcasts and coverage of Infosecurity 2006 and InfoSec World 2006. [(IN)SECURE Magazine Notifications RSS]

DHS Privacy Committee hearing in San Francisco today.

Wed, 07 Jun 2006 16:31:08 GMT

DHS Privacy Committee hearing in San Francisco today.

As I noted here two weeks ago, the USA Department of Homeland Security's Data Privacy and Integrity Advisory Committee holds it's first-ever public hearing in San Francisco today at the Clift Hotel (Ava and Rita Rooms), 495 Geary Street, 2 blocks from Union Square.

It's an all-day meeting, from 8:30 a.m. to 5:15 p.m., but the Committee has allocated only an hour and a quarter at the end of the day to public testimony. According to an e-mail message I got from the Committee staff:

We have added 15 minutes of open comment period for individuals to sign up to speak on the day of the meeting for 3 minutes each. You are welcome to speak during this time period and we look forward to your participation. If you are interested in speaking, please sign up with Mr. Lane Raffray of the Privacy Office staff when you arrive.

Here's what I hope to say in my three minutes, if I get a chance (also here as a PDF):

Testimony to the USA Department of Homeland Security
Data Privacy and Integrity Advisory Committee

Unlike the members of this Committee and of today's panels , my background and expertise are in the travel industry, travel technology, and advocacy for travellers.

There are two sorts of "expectations of privacy": those that people actually have, and those that the law presumes us to have. But by either measure, expectations of privacy in public spaces are not just about our right to be in those places, but about our right to move through them.

"To assemble" is not just to be together but to come together. When we assembled here today from throughout the country, by various means of travel, our journeys were acts of assembly directly protected by the First Amendment.

Freedom to assemble is an inalienable human right, not a privilege to which citizens have to prove our entitlement. We expect that our privacy includes the right to move through public places, on public rights-of-way and by common carriers, without let or hindrance and without demands for government-mandated credentials.

Orders restricting the right to travel should be issued only on the basis of a judicial finding, subject to adversarial challenge and due process. That's what's required -- thousands of times every day -- when someone in imminent danger of domestic violence seeks an order restraining the right to use the public right-of-way adjacent to their home by someone they believe poses them a danger. No lesser standard should be applied in the case of people alleged to pose a danger in other places.

We also expect that, while our movements may be observed, the government will not âo[ogonek]keep a file" on us without due cause.

But given the ease of data mining, and the ease of government access to commercial data, there is no longer a meaningful distinction between event logging and the construction of personal dossiers, or between logs held by private entities and those accessible to the government. To allow unregulated commercial logging of events, especially those identifiable with a time, a location, and an individual (travel reservations being the canonical example), is in effect to allow the operation of a continuous system of universal suspicionless surveillance, in flagrant violation of our expectations of privacy

Perhaps the most egregious invasion of travellers' privacy comes when we are compelled by the government to provide information to commercial entities , as a condition of the exercise of our right to assemble by common carrier, without any constraint whatsoever on the ability of those commercial entities to retain, use, or sell that data.

I urge this Committee to recognize the centrality of travel to the privacy impact of DHS activities, and to focus your work on the specific issues of the right to assemble, the mandate for travel credentials, the basis and procedures for government orders restricting travel by specific individuals, the retention and use of reservation logs, government mandates for the provision of information to non-governmental entities, and the need for a Federal privacy law applicable to commercial travel data.

I look forward to assisting the Committee in these endeavors.

Sincerely,

Edward Hasbrouck
San Francisco, CA, USA
7 June 2006

[The Practical Nomad]

Wired News: Crashing the Wiretapper's Ball

Sat, 03 Jun 2006 03:25:28 GMT

There were European heavyweights like Ericsson and Siemens, American giants like Raytheon and light-heavyweights like VeriSign and Agilent, along with a vast host of leaner, more specialized, surveillance outfits such as Verint, Narus and the like. They offered equipment and services capable of every manner of radio frequency and packet interception, with user interfaces and database structures designed to manage and deliver not just information but "actionable data," properly organized and formatted for easy prosecutions.

Certain conference sessions, according to the schedule, were "open to sworn law enforcement agents only." But there was no discrimination between the more punctilious law enforcement agencies of democratic nations and those hailing from quarters where darker practices are commonplace.

[...]

Certain conference sessions, according to the schedule, were "open to sworn law enforcement agents only." But there was no discrimination between the more punctilious law enforcement agencies of democratic nations and those hailing from quarters where darker practices are commonplace.

Eavesdropping on the Wiretappers.

Sat, 03 Jun 2006 03:19:48 GMT

Eavesdropping on the Wiretappers.

Thomas Greene filed a great story in Wired News today on his crashing of the wiretapping/eavesdropping convention known as ISS World.

While spending three days drinking beers and smoking cigarettes to get the scoop, Greene managed to rip a copy of the CD presentations to his hard drive and drink his way into a conversation with engineers who make snooping products that can land in the clutches of dictators.

"Well, it's quite an issue," I said. "This is the equipment of totalitarianism, and the only things that can keep a population safe are decent law and proper oversight. I want to know what they think when they learn that China, or Syria, or Zimbabwe is getting their hands on it."

"You really need to educate yourself," he insisted. "Do you think this stuff doesn't happen in the West? Let me tell you something. I sell this equipment all over the world, especially in the Middle East. I deal with buyers from Qatar, and I get more concern about proper legal procedure from them than I get in the USA."

"Well, perhaps the Qataris are conscientious," I said, "and I'm prepared to take your word on that, but there are seriously oppressive governments out there itching to get hold of this stuff."

He sneered again. "Do you think for a minute that Bush would let legal issues stop him from doing surveillance? He's got to prevent a terrorist attack that everyone knows is coming. He'll do absolutely anything he thinks is going to work. And so would you. So why are you bothering these guys?"

"It's a valid question," I insisted. "This is powerful stuff. In the wrong hands, it could ruin political opponents; it could make the state's power impossible to challenge. The state would know basically everything. People would be getting rounded up for thought crimes."

Now, I'm a little jealous since I wanted to go to this conference and had a long conversation with one Tatiana Lucas, who identified herself as the director of the ISS World conference.

Lucas told me that press wasn't allowed in the conference.

"We have nothing to hide," Lucas said. "We just do not want any distractions."

Lucas went on to say that press wasn't allowed to go to ISS World any more because they were too dumb to understand CALEA.

"The press has a tendency to misquote," Lucas said, heaping particular scorn on USA Today's story about BellSouth and Verizon working with the NSA, which both companies have since denied.

Lucas added the press would only distract law enforcement officials from bastions of openness such as Russia, Pakistan and Bahrain (a country where it is illegal to criticize the state religion or the king and, all emails and phone calls are monitored, according to the U.S. State Department).

But Lucas said she might be able to accommodate our request for a press pass "if you help us to promote our conference."

Hearing me take notes, Lucas oddly then accused me of violating her rights by 'recording her' (one would think the director of a conference about 'lawful intercepts' would know the difference between taking notes and recording a phone call). She then accused me of being rude and asked for my editor's name and phone number.

She promised she'd have her boss, one Dr. Jerry Lucas, call me back to discuss why the conference, devoted to issues that are very much in the news, was closed to the press.

When she called my editor, she made the same promise.

Of course, Dr. Lucas never called back, we never got the press pass, but Thomas Greene still got the story.

And it turned out to be probably more damning than the one that would have been told by a reporter inside the convention.

It's ironic that spooks so often remind us that we've got nothing to fear from their activities if we've got nothing nasty to hide, while they themselves are rarely comfortable without multiple layers of secrecy, anonymity and plausible deniability. While there was little or nothing at the conference worth keeping secret, the sense of paranoia was constant. The uniformed guard posted to the entrance was there to intimidate, not to protect. [...]

The project of "lawful interception" is huge, grotesquely expensive, controversial, infused with unnecessary secrecy and often useless against the most important suspects it purports to target.

It poses a tremendous threat to human rights and dignity in countries without adequate legal safeguards, and still invites occasional abuses in countries with them. Its costs are paid by citizens who are deliberately kept in the dark about how much they're paying for it, how effective it is in fighting crime and how susceptible it is to abuse. And that's the way the entire cast of characters involved wants to keep it.

Full story.

Tags: ISSWorld, ISS, NSA

[27B Stroke 6]

Lecture Slides and Video Archives - Audio: University of Washington Cryptography Lecture Archive

Fri, 26 May 2006 02:44:45 GMT

The University of Washington Computer Science department has made CSEP 590 cryptography lectures available in PDF, PPT, video, and audio format. Those interested in learning more about cryptography from an academic perspective will surely find this interesting.

Data Surveillance and Privacy Protection Workshop.

Wed, 24 May 2006 16:43:33 GMT

Data Surveillance and Privacy Protection Workshop.

On June 3, I will be attending this workshop on Data Surveillance and Privacy Protection hosted by Harvard University[base ']s Center for Research on Computation and Society:

Although there has been significant public attention to the civil liberties issues of data surveillance over the past few years, there has been little discussion of the actual techniques that could be employed in any but the most restricted settings. Likewise, there has been little discussion of methods and technologies for conducting data surveillance while respecting privacy and preserving civil liberties.

Today[base ']s newspapers and TV shows are preoccupied with NSA wiretaps and the accidental release of names and social security numbers. Meanwhile, a far more pervasive surveillance infrastructure is being created around us: the routine use of database information for law enforcement, counter-terrorism, and commercial markets.

The Center for Research on Computation and Society (CRCS) is a new research center with a mission to develop a clear understanding of issues of technology and public policy where the actual technology makes a difference, and to pursue innovative computer science and technology research informed by that understanding.

Some of the issues that we would like to explore at the workshop include:

Techniques for mining databases within and between organizations without exposing proprietary or privacy-sensitive information.

Techniques that are planned for deployment (or are actually being used) to survey hospital admissions data for evidence of epidemics or bioterror attacks.

Techniques that have been tried, or proposed, for finding terrorists or criminals through the examination of transactional information.

Techniques that could be used to automatically detect phishing attacks or other kinds of financial fraud.

The workshop is free, but you must register.

[michaelzimmer.org]

CFP: Identity and Identification in a Networked World Graduate Student Symposium.

Fri, 19 May 2006 17:17:14 GMT

CFP: Identity and Identification in a Networked World Graduate Student Symposium.

[I am one of the organizers the following graduate student symposium to be held this fall at NYU]

CALL FOR PAPERS

Identity and Identification in a Networked World:
A Multidisciplinary Graduate Student Symposium

When: September 29-30, 2006
Where: New York University
Submission deadline: July 5, 2006

Increasingly, who we are is represented by key bits of information scattered throughout the data-intensive, networked world. Online and off, these core identifiers mediate our sense of self, social interactions, movements through space, and access to goods and services. There is much at stake in designing systems of identification and identity management, deciding who or what will be in control of them, and building in adequate protection for our bits of identity permeating the network.

The symposium will examine critical and controversial issues surrounding the socio-technical systems of identity, identifiably and identification. The goal is to showcase emerging scholarship of graduate students at the cutting edge of humanities, social sciences, artists, systems design & engineering, philosophy, law, and policy to work towards a clearer understanding of these complex problems, and build foundations for future collaborative work.

[michaelzimmer.org]

IT Conversations: Dick Hardt - Identity 2.0

Mon, 15 May 2006 17:06:17 GMT

Dick Hardt begins his talk with a brief overview of notions of identity and how that compares with what is actually required in an increasingly digitised world. According to Hardt, Identity 2.0 is definitely coming, but in what shape and delivered by what technologies remains unknown and unknowable at the moment.

Hardt differentiates Identity 1.0 from Identity 2.0 by describing the move from a directory centric environment where authentication means simply that your identity is registered on a web site's directory to a user centric environment where an identity can truly be applied to a variety of web sites. He believes this will happen because the recent history of technological initiatives shows that open and simple wins out.

The bulk of Hardt's talk comprises an examination of the possible drivers for this switch to Identity 2.0. He looks at the enterprise, at government, at banking, at consumers, and at the large portal sites to determine who has both motive and influence. His conclusion may be surprising.

HOPE Number Six

Sat, 13 May 2006 23:07:15 GMT

New York City Hotel Pennsylvania on July 21, 22, and 23, 2006.