Paul Hardwick: Studies

Malware Threat Report for February 2007.

Sun, 04 Mar 2007 04:44:32 GMT

Malware Threat Report for February 2007. "Storm Worm," continues to severely impact worldwide mailboxes in successive waves. [GT: Security and Privacy]

Administrivia: Now we have a overheated CPU ( 60 degrees centigrade )

Wed, 28 Feb 2007 00:39:01 GMT

OK, if the DDOS attack wasn't enough. Now our server went down with a temperature overload. We were up to 60 degrees centigrade when we shut down. The CPU and a broken fan have been replaced.

Administrivia: Our data-center was hit by a DDOS attack today.

Tue, 27 Feb 2007 22:19:59 GMT

Sorry for being either very slow or off the net for a while recently. The data-center we are part of was hit by a DDOS (Distributed Denial Of Service) attack recently. At the moment it looks to be under control, but we are keeping an eye on things.

Feinstein to GAO: Investigate E-voting System.

Thu, 22 Feb 2007 16:56:31 GMT

Feinstein to GAO: Investigate E-voting System.

During the 2006 election in Florida, electronic voting machines may have "undercounted" to the tune of 18,000 votes in Sarasota County. But because the new machines were not designed to provide paper receipts, there is no way to double check the vote.

Now, Senator Dianne Feinstein of California has taken action. Last week, she asked the Government Accountability Office (GAO) to investigate electronic voting systems that do not provide voter-verified paper ballots. Senator Feinstein specifically highlighted the problems in Florida, and asked for a "top to bottom investigation"

"Should the GAO become aware of any systems that are prone to software malfunctions, are susceptible to fraud, or use hardware design that would lead to voting system problems, I would request that you also inspect those systems," writes Senator Feinstein.

EFF and a coalition of voting integrity groups, representing Sarasota County voters, have filed suit in state court in Tallahassee asking for a re-vote in Florida's 13th congressional district. To find out more about EFF's work defending your right to vote, visit our E-voting page.

[EFF: Deep Links]

Next Generation Data Auditing for Data Breach Detection and Risk Mitigation.

Fri, 16 Feb 2007 16:05:39 GMT

Next Generation Data Auditing for Data Breach Detection and Risk Mitigation. (Source: Tizor) This white paper reviews cases of mass data theft from the data source and provides a best practices approach for protecting your organization's sensitive data and valuable brand equity from a major data breach. Find out how to effectively secure valuable company data and download this whitepaper. [Computerworld Privacy News]

U.S. Government Readying Massive Cybersecurity Test.

Wed, 14 Feb 2007 00:16:58 GMT

U.S. Government Readying Massive Cybersecurity Test. The U.S. Department of Homeland Security is planning a large-scale test of the nation's response to a cyberattack, to be held in early 2008. [PC World: Latest Technology News]

Mobile Attacks Jumped Fivefold in 2006, Study Says.

Wed, 14 Feb 2007 00:14:44 GMT

Mobile Attacks Jumped Fivefold in 2006, Study Says. The number of security attacks reported by mobile phone operators in 2006 jumped fivefold over the year before, a McAfee study reports. [PC World: Latest Technology News]

Unfairly Caught in Viacom's Dragnet? Let Us Know!

Mon, 12 Feb 2007 02:58:53 GMT

Unfairly Caught in Viacom's Dragnet? Let Us Know!

As an RIAA spokesperson famously put it when asked about the spectacle of file-sharing lawsuits against innocent grandparents, "when you go fishing with a driftnet, sometimes you catch a dolphin."

Well, with its 100,000 DMCA takedown notices aimed at YouTube users, now it's Viacom that is netting its share of dolphins. Among the 100,000 videos targeted for takedowns was a home movie shot in a BBQ joint, a film trailer by a documentarian, and a music video (previously here) about karaoke in Singapore. None of these contained anything owned by Viacom. For its part, Viacom has admitted to "no more than" 60 mistakes, so far. Yet each mistake impacts free speech, both of the author of the video and of the viewing public.

If they are making these kinds of blatant mistakes, who can tell how many fair uses of Viacom content they also targeted in their 100,000 takedowns? Hundreds? Thousands? If Viacom made a clear mistake and your clip contains no content from Viacom-owned copyrighted works, sending a simple DMCA counter-notice to YouTube may be enough to do the job. But if you're attempting to make a fair use of Viacom's works, it may make more sense to go to court to assert your rights. More information about your options is available at the Fair Use Network.

Has your video been removed from YouTube based on a bogus Viacom takedown? If so, contact information@eff.org --we may be able to help you directly or help find another lawyer who can. In this situation, as in so many others, EFF will work to make sure that copyright claims don't squelch free speech.

We've put together a video version of this post on YouTube, which you can embed on your website or blog. Check it out, Digg it and spread the word -- the more it rises in YouTube's listings, the more likely it will be seen by users who have received takedowns:

[EFF: Deep Links]

Study Notes Link Between IT Sabotage, Work Behavior.

Thu, 08 Feb 2007 17:37:54 GMT

Study Notes Link Between IT Sabotage, Work Behavior. Workers who sabotage corporate systems are almost always IT workers who exhibit specific negative office behavior according to recent research. [PC World: Latest Technology News]

Study: Weak Passwords Really Do Help Hackers.

Thu, 08 Feb 2007 17:35:01 GMT

Study: Weak Passwords Really Do Help Hackers. Left online for 24 days to see how hackers would attack them, Linux PCs with weak passwords were hit by some 270,000 intrusion attempts. [PC World: Latest Technology News]

TiVo sees if you skip those ads

Mon, 05 Feb 2007 18:37:53 GMT

TiVo revealed the other day that it's offering TV networks and ad agencies a chance to receive second-by- second data about which programs the company's 4.5 million subscribers are watching and, more importantly, which commercials people are skipping.

This raises a pair of troubling questions: Is TiVo, which revolutionized TV viewing with its digital video recording technology, now watching what people watch? And is it selling that sensitive info to advertisers and others?

The answers, apparently, are no and no.

"I promise with my hand on a Bible that your data is not being archived and sold," said Todd Juenger, TiVo's vice president and general manager of audience research and measurement.

"We don't know what any particular person is watching," he said. "We only know what a random, anonymous sampling of our user base is watching."

Still, privacy advocates say TiVo's new data service -- dubbed StopWatch -- reflects the growing ease with which companies could, if they so choose, collect and exploit vast amounts of information about consumers' everyday habits.

"It's a constant struggle to maintain your privacy in the modern era," said Kurt Opsahl, a staff attorney at San Francisco's Electronic Frontier Foundation. "We have entered an era in which more and more information about you is being collected and maintained."

He added: "In the past, you had a lot of privacy protection because information about you was too difficult to collect and sort. Now that protection is gone because computers can do it."

TiVo's potential to monitor (and embarrass) millions of people was made clear in 2004 after Janet Jackson's right breast made a surprise appearance during the Super Bowl halftime show.

TiVo reported that this fleeting glimpse of celebrity flesh "drew the biggest spike in audience reaction TiVo has ever measured ... as hundreds of thousands of households used TiVo's unique capabilities to pause and replay live television to view the incident again and again."

Confidential Data Lost Via USB Drives and Other Mobile Devices, New Survey Finds.

Fri, 02 Feb 2007 07:20:37 GMT

Confidential Data Lost Via USB Drives and Other Mobile Devices, New Survey Finds. Data loss prevention at the endpoint is top priority for IT security. [GT: Security and Privacy]

Congress Hears From Muzzled Scientists.

Fri, 02 Feb 2007 03:05:52 GMT

Congress Hears From Muzzled Scientists. BendingSpoons writes "More than 120 scientists across seven federal agencies have been pressured to remove the phrases 'global warming' and 'climate change' from various documents. The documents include press releases and, more importantly, communications with Congress. Evidence of this sort of political interference has been largely anecdotal to date, but is now detailed in a new report by the Union of Concerned Scientists. The House Oversight and Government Reform Committee held hearings on this issue Tuesday; the hearing began by Committee members, including most Republicans, stating that global warming is happening and greenhouse gas emissions from human activity are largely to blame. The OGR hearings presage a landmark moment in climate change research: the release of the 2007 report by the Intergovernmental Panel on Climate Change. The IPCC report, drafted by 1,250 scientists and reviewed by an additional 2,500 scientists, is expected to state that 'there is a 90% chance humans are responsible for climate change' -- up from the 2001 report's 66% chance. It probably won't make for comfortable bedtime reading; 'The future is bleak', said scientists." [Slashdot: Your Rights Online]

Study Finds IE7 + EV SSL Won't Stop Phishing.

Mon, 29 Jan 2007 20:11:05 GMT

Study Finds IE7 + EV SSL Won't Stop Phishing. An anonymous reader writes "Stanford University and Microsoft Research have published a study that claims that the new Extended Validation SSL Certificates in IE7 are ineffective (PDF). The study, based on user testing, found that EV certificates don't improve users' ability to detect attacks, that the interface can be spoofed, and that training users actually decreases their ability to detect attacks. The study will be presented at Usable Security 2007 next month, which is a little late now that the new certificates are already being issued." [Slashdot]

The Anatomy of Pump N' Dump Stock Spamming.

Tue, 23 Jan 2007 02:05:31 GMT

The Anatomy of Pump N' Dump Stock Spamming. giorgiofr writes "Laura Frieder and Jonathan Zittrain have analyzed pump n' dump spam activity in their paper 'Spam Works: Evidence from Stock Touts and Corresponding Market Activity'. Unbelievably, it appears that spammers are able to achieve a 5% gain on pumped stock before dumping it, along with a dramatic increase in transaction volume of the stock. From the synopsis: ' We suggest that the effectiveness of spammed stock touting calls into question prevailing models of securities regulation that rely principally on the proper labeling of information and disclosure of conflicts of interest to protect consumers, and we propose several regulatory and industry interventions. Based on a large sample of touted stocks listed on the Pink Sheets quotation system, we find that stocks experience a significantly positive return on days prior to heavy touting via spam. Volume of trading responds positively and significantly to heavy touting.'" [Slashdot]

The Chilling Effect - CSOonline.com

Wed, 17 Jan 2007 19:48:28 GMT

How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal.

Last February at Purdue University, a student taking "cs390s--Secure Computing" told his professor, Dr. Pascal Meunier, that a Web application he used for his physics class seemed to contain a serious vulnerability that made the app highly insecure. Such a discovery didn't surprise Meunier. "It's a secure computing class; naturally students want to discover vulnerabilities."

They probably want to impress their prof, too, who's a fixture in the vulnerability discovery and disclosure world. Dr. Meunier has created software that interfaces with vulnerability databases. He created ReAssure, a kind of vulnerability playground, a safe computing space to test exploits and perform what Meunier calls "logically destructive experiments." He sits on the board of editors for the Common Vulnerabilities and Exposures (CVE) service, the definitive dictionary of all confirmed software bugs. And he has managed the Vulnerabilities Database and Incident Response Database projects at Purdue's Center for Education and Research in Information and Assurance, or Cerias, an acronym pronounced like the adjective that means "no joke."

When the undergraduate approached Meunier, the professor sensed an educational opportunity and didn't hesitate to get involved. "We wanted to be good citizens and help prevent the exploit from being used," he says. In the context of vulnerable software, it would be the last time Meunier decided to be a good citizen. Meunier notified the authors of the physics department application that one of his students--he didn't say which one--had found a suspected flaw, "and their response was beautiful," says Meunier. They found, verified and fixed the bug right away, no questions asked.

But two months later, in April, the same physics department website was hacked. A detective approached Meunier, whose name was mentioned by the staff of the vulnerable website during questioning. The detective asked Meunier for the name of the student who had discovered the February vulnerability. The self-described "stubborn idealist" Meunier refused to name the student. He didn't believe it was in that student's character to hack the site and, furthermore, he didn't believe the vulnerability the student had discovered, which had been fixed, was even connected to the April hack.

The detective pushed him. Meunier recalls in his blog: "I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student." Meunier's stomach knotted when some of his superiors sided with the detective and asked him to turn over the student. Meunier asked himself: "Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized?" Later, Meunier recast the downward spiral of emotions: "I was miffed, uneasy, disillusioned."

This is not good news for vulnerability research, the game of discovering and disclosing software flaws. True, discovery and disclosure always have been contentious topics in the information security ranks. For many years, no calculus existed for when and how to ethically disclose software vulnerabilities. Opinions varied on who should disclose them, too. Disclosure was a philosophical problem with no one answer but rather, schools of thought. Public shaming adherents advised security researchers, amateurs and professionals alike to go public with software flaws early and often and shame vendors into fixing their flawed code. Back-channel disciples believed in a strong but limited expert community of researchers working with vendors behind the scenes. Many others' disclosure tenets fell in between.

California Monitoring Program Reports Votes Cast on Electronic Machines Were Accurately Recorded.

Thu, 11 Jan 2007 22:11:09 GMT

California Monitoring Program Reports Votes Cast on Electronic Machines Were Accurately Recorded. "The results of the report confirm for voters that their votes were successfully recorded November 7, 2006." [GT: Security and Privacy]

Computers, Freedom and Privacy - Montreal, May 1-4 2007

Fri, 29 Dec 2006 00:41:06 GMT

Come to CFP2007 in Montreal, May 1-4 2007. There's a lot at stake.

Computers, Freedom and Privacy 2007 - Call For Proposals

Fri, 29 Dec 2006 00:37:58 GMT

Call For Proposals - The deadline for proposals is January 20, 2006

The Program Committee of the Seventeenth Conference on Computers, Freedom, and Privacy (CFP2007) seeks your proposals for innovative conference sessions and speakers.

Computer Security Expert Edward W. Felten Joins EFF Board of Directors.

Thu, 21 Dec 2006 15:56:12 GMT

Computer Security Expert Edward W. Felten Joins EFF Board of Directors.

Princeton Professor Behind Important E-voting Vulnerability Research

San Francisco - The Electronic Frontier Foundation (EFF) welcomes the newest member of its Board of Directors, computer security expert Edward W. Felten. A professor of Computer Science and Public Affairs at Princeton University, Felten recently demonstrated the ability to manipulate results on a Diebold electronic voting machine -- showing that the equipment was extremely vulnerable to "vote-stealing" attacks that would undermine the accuracy of vote counts.

Felten's research interests include computer security and privacy -- especially relating to media and consumer products -- and technology law and policy. He has published about 80 papers in the research literature and two books. Felten was the lead computer science expert witness for the Department of Justice in the Microsoft antitrust case. He has also testified before the Senate Commerce Committee on digital television technology and regulation and before the House Administration Committee on electronic voting.

Felten is the founding Director of Princeton's Center for Information Technology Policy, and his weblog, at freedom-to-tinker.com, is widely regarded for its commentary on technology, law, and policy. In 2004, Scientific American magazine named Felten to its list of 50 worldwide science and technology leaders.

"EFF confronts critically important issues on the cutting edge of technology and freedom," said Felten. "My research and EFF's work have often intersected over the years, and I'm very pleased to take the next step and join the board as we strive to keep the digital world innovative, free, and secure."

In 2001, Felten and EFF sued the Recording Industry Association of America and the Secure Digital Music Initiative in a case challenging the constitutionality of the Digital Millennium Copyright Act (DMCA). EFF honored Felten with a Pioneer Award in 2005, which recognizes those who have made outstanding contributions to the development of computer-mediated communications and empower individuals in using computers and the Internet. He had previously served on EFF's advisory board.

"I have always been a huge fan of Ed's work, using his technical expertise to expose weak and vulnerable technologies to those of us more technically challenged," said EFF Executive Director Shari Steele. "I'm delighted to have him join EFF's Board of Directors."

Other members of EFF's executive board include Brad Templeton, John Perry Barlow, David Farber, John Gilmore, Brewster Kahle, Joe Kraus, Lawrence Lessig, and Pamela Samuelson.

Contact:

Shari Steele
Executive Director
Electronic Frontier Foundation
ssteele@eff.org

[EFF: Breaking News]

Help EFF Investigate Invasive Travel Screening Program.

Thu, 21 Dec 2006 15:43:12 GMT

Help EFF Investigate Invasive Travel Screening Program.

For several years, the Department of Homeland Security has been treating innocent travelers like suspected terrorists by using the Automated Targeting System (ATS) to assign them "risk assessment" scores. This invasive data-mining program was only recently revealed to the public, and EFF is attempting to document the system's effect on law-abiding individuals.

If you have experienced difficulties when entering or leaving the United States, we'd like to hear from you. We are particularly interested in hearing from folks who have had repeated problems, or have been told by government agents that they are on a "list" or that there is some unexplained "problem" that needs to be resolved. Please share your story with us by writing travel@eff.org and providing as much detail as possible. We will treat all responses confidentially and may contact you to follow-up.

[EFF: Deep Links]

MySpace Passwords Aren't So Dumb.

Wed, 20 Dec 2006 06:21:38 GMT

MySpace Passwords Aren't So Dumb. An analysis of 34,000 MySpace accounts stolen in a phishing attack reveals that the site's young users generally choose smarter passwords than corporate wage slaves. Commentary by Bruce Schneier. [Wired News: Top Stories]

Lawsuit Demands Answers About Government's Secret 'Risk Assessment' Scores.

Wed, 20 Dec 2006 03:05:42 GMT

Lawsuit Demands Answers About Government's Secret 'Risk Assessment' Scores.

Millions of U.S. Travelers Affected by Giant Data-Mining Program

Washington, D.C. - The FLAG Project at the Electronic Frontier Foundation (EFF) filed suit against the Department of Homeland Security (DHS) in federal court today, demanding immediate answers about an invasive and unprecedented data-mining system deployed on American travelers.

The Automated Targeting System (ATS) creates and assigns "risk assessments" to tens of millions of citizens as they enter and leave the country. In November, DHS announced that the program would launch on December 4, but Homeland Security Secretary Michael Chertoff later admitted that the program had already been in operation for several years.

"The news of this secret program sparked a nationwide uproar. DHS needs to provide answers, and provide them quickly, to the millions of law-abiding citizens who are worried about this 'risk assessment' score that will follow them throughout their lives," said EFF Senior Counsel David Sobel.

Under ATS, individuals have no way to access information about their "risk assessment" scores or to correct any false information about them. But while you cannot see your score, it will be made readily available to untold numbers of federal, state, local, and foreign agencies. The government will retain the data for 40 years.

While the publicly available information about ATS is disturbing enough, there are many critical details the government did not disclose. For example, DHS has not announced what the consequences might be of a "risk assessment" score that indicates an individual might be a threat. EFF's suit demands an urgent and expedited response to the Freedom of Information Act (FOIA) request filed earlier this month, including all Privacy Impact Assessments for the ATS, all records that describe redress for individuals who believe the system includes inaccurate information, and all records that discuss potential consequences for travelers as a result of the system.

"ATS is precisely the sort of system that Congress sought to prohibit with the Privacy Act of 1974," said Sobel. "DHS needs to abide by the law and give Americans the information they deserve about this dangerous program."

Congressional leaders have indicated that they are likely to convene hearings on ATS when the new Congress convenes in January. Today's lawsuit cites that pending oversight as an additional reason why DHS must release details about the system on an expedited basis.

For the FOIA complaint filed against the Department of Homeland Security:
http://www.eff.org/Privacy/ats/ats_complaint.pdf

For more on the ATS program and other travel screening issues:
http://www.eff.org/privacy/travel/

Contacts:

David Sobel
Senior Counsel
Electronic Frontier Foundation
sobel@eff.org

Marcia Hofmann
Staff Attorney
Electronic Frontier Foundation
marcia@eff.org

[EFF: Breaking News]

FTC To Investigate 'Viral Marketing' Practices.

Mon, 18 Dec 2006 22:06:33 GMT

FTC To Investigate 'Viral Marketing' Practices. mcflaherty writes "The Federal Trade Commission has stated that it is going to investigate the use of 'Viral Marketing' by corporations. This is the type of advertising that seeks to start a word of mouth campaign for the product via consumers themselves. Previously, consumers themselves set the buzz. But lately advertisement firms are stepping up to the plate themselves, seeding the market with buzz that looks independent of the company, but is in fact funded by them. The crew at Penny Arcade contend that corporate generated buzz is not Viral Marketing, and perhaps Guerrilla Marketing would be a more apt term. Either way, it appears to be a profitable advertising model." [Slashdot: Your Rights Online]

FCC Won't Release Cell Carrier Reliability Data.

Mon, 18 Dec 2006 21:59:24 GMT

FCC Won't Release Cell Carrier Reliability Data. imuffin writes "MSNBC is reporting that the FCC has been collecting data on the reliability of different cell phone carriers in the US. This data could be invaluable to consumers trying to choose a company to sign a lengthy contract with. Just the same, the FCC won't release the data to consumers, citing national security risks. The data collection on cell services began in 2004, but were simultaneously pulled from public view. FOIA requests to obtain the data have been denied, and commentators feel this is simply for the government's convenience." From the article: "'There is nothing mysterious behind it, it is corporate competition protection,' said [terrorism analyst Roger Cressey] ... 'The only reason for the government to not let these records get out is then one telco provider could run a full-page ad saying 'the government says we're more reliable.'' Cressey added that he couldn't imagine a scenario where the reports would be valuable to terrorists." [Slashdot: Your Rights Online]

LiveScience.com - White House Tightens Publishing Rules for USGS Scientists

Mon, 18 Dec 2006 21:57:19 GMT

The Bush administration is clamping down on scientists at the U.S. Geological Survey, who study everything from caribou mating to global warming, subjecting them to controls on research that might go against official policy.

New rules require screening of all facts and interpretations by agency scientists. The rules apply to all scientific papers and other public documents, even minor reports or prepared talks, according to documents obtained by The Associated Press.

Top officials at the Interior Department's scientific arm say the rules only standardize what scientists must do to ensure the quality of their work and give a heads-up to the agency's public relations staff.

"This is not about stifling or suppressing our science, or politicizing our science in any way,'' Barbara Wainman, the agency's director of communications, said Wednesday. "I don't have approval authority. What it was designed to do is to improve our product flow.''

Some agency scientists, who until now have felt free from any political interference, worry that the objectivity of their work could be compromised.

"I feel as though we've got someone looking over our shoulder at every damn thing we do. And to me that's a very scary thing. I worry that it borders on censorship,'' said Jim Estes, an internationally recognized marine biologist who works for the geological unit. "The explanation was that this was intended to ensure the highest possible quality research,'' said Estes, a researcher at the agency for more than 30 years. "But to me it feels like they're doing this to keep us under their thumbs. It seems like they're afraid of science. Our findings could be embarrassing to the administration.''

The new requirements state that the USGS's communications office must be "alerted about information products containing high-visibility topics or topics of a policy-sensitive nature.''

The agency's director, Mark Myers, and its communications office also must be told -- prior to any submission for publication -- "of findings or data that may be especially newsworthy, have an impact on government policy, or contradict previous public understanding to ensure that proper officials are notified and that communication strategies are developed.''

Consumers Willing to Trade Privacy for Personalization, Survey Says

Thu, 14 Dec 2006 20:06:40 GMT

Consumers Willing to Trade Privacy for Personalization, Survey Says.

A new study by ChoiceStream, a (surprise!) provider of online personalization products, announces their latest personalization survey reveals an increasing number of web users are willing to provide personal information in order to receive personalized services. From the summary at EContent:

According to the survey, the number of consumers willing to provide demographic information in exchange for a personalized online experience has grown over the past year, increasing 24% to a total of 57% of all respondents. The Survey also finds an increase in the number of consumers willing to allow websites to track their clicks and purchases, increasing 34% from the previous year. However, the results show no significant decline in the number of consumers concerned about the security of their personal data online, with 62% expressing concern in 2006 vs. 63% in 2005.

I can[base ']t find a link to the report (here is the 2005 version [PDF]), but this is an interesting trend. My first reaction is to wonder how informed general Internet users are about the potential to aggregate and transfer personal information they decide to provide to gain some level of personalization. Do users think their information remains generally anonymous? Do they presume it is only used for personalization, and not aggregated for other purposes, or made available to other organizations (marketers, law enforcement, etc). Much more work needs to be done to fully understand people[base ']s preferences and expectations regarding the use of their personal data for personalization services.

[via Pogo Was Right]

[michaelzimmer.org]

How Much Privacy? - Forbes.com

Sun, 10 Dec 2006 21:55:20 GMT

ComScore Networks is the Big Brother of the Internet. The widely-used online research company takes virtual photos of every Web page viewed by its 1 million participants, even transactions completed in secure sessions, like shopping or online checking. Then comScore aggregates the information into market analysis for its over 500 clients, including such large companies as Ford Motor, Microsoft and The New York Times Co.

ComScore says that its participants are willing exhibitionists, happily selling their online privacy for gift certificates and free screensavers. But two computer scientists are raising new questions about comScore, claiming that company tracking software is being installed without consent on an unknown number of computers.

"[The] software is sneaking onto users' computers without the user agreeing to receive it," says Harvard University researcher Ben Edelman, who documented at least ten unauthorized comScore downloads. Eric Howes, director of malware research at antivirus company Sunbelt Software, and his researchers separately observed hundreds of unauthorized comScore downloads in a three-month period this fall. (Edelman and Howes spend their days patrolling the Internet for new threats.)

ComScore (revenues: $50 million) denies the allegations, saying the company would never install software without permission. "There is spyware out there, but that's not what we do," says comScore chairman and co-founder Gian Fulgoni. "We get explicit permission before our software is put on someone's machine." But privacy officer Chris Lin acknowledges seeing some unauthorized downloads several months ago. She says the company didn't distribute the nonconsensual software and immediately cut it off from comScore servers.

This isn't the company's first dalliance into apparent voyeurism: Two years ago, university IT managers busted comScore for tricking students into installing tracking software packaged with a free Web-accelerator program. Students were often unaware that they were being watched. comScore has since discontinued the program, called MarketScore.

But comScore remains the only major online research company that partners with third-parties. Outside distributors bundle its surveillance software with desirable free programs like games or videos.

Slashdot | Market Research Company Secretly Installs Spyware

Sun, 10 Dec 2006 21:47:59 GMT

An anonymous reader writes "Forbes reports that two security experts are raising new questions about comScore, claiming that company's tracking software is being installed without consent on an unknown number of computers. The widely-used online research company takes screenshots of every Web page viewed by its 1 million participants, even transactions completed in secure sessions, like shopping or online checking. ComScore then aggregates the information into market analysis for its clients, which include such large companies as Ford Motor, Microsoft and The New York Times Co." --- From the article: "'[The] software is sneaking onto users' computers without the user agreeing to receive it,' says Harvard University researcher Ben Edelman, who documented at least ten unauthorized comScore downloads. Eric Howes, director of malware research at antivirus company Sunbelt Software, and his researchers separately observed hundreds of unauthorized comScore downloads in a three-month period this fall."

Jailed media worldwide hits record: U.S. watchdog - Reuters.com

Fri, 08 Dec 2006 15:21:51 GMT

The number of journalists jailed worldwide for their work rose for the second year with Internet bloggers and online reporters now one third of those incarcerated, a U.S.-based media watchdog said on Thursday.

A Committee to Protect Journalists census found that a record 134 journalists were in jail on December 1 -- an increase of nine from the 2005 tally -- in 24 countries with China, Cuba, Eritrea and Ethiopia the top four nations to imprison media.

While print reporters, editors and photographers again made up the largest number of jailed journalists -- with 67 cases -- there were 49 imprisoned Internet journalists, making them the second biggest category, the New York-based committee said.

"We're at a crucial juncture in the fight for press freedom because authoritarian states have made the Internet a major front in their effort to control information," Committee Executive Director Joel Simon said in a statement.

"China is challenging the notion that the Internet is impossible to control or censor, and if it succeeds there will be far-ranging implications, not only for the medium but for press freedom all over the world."

Online Media Representatives Face Jail.

Fri, 08 Dec 2006 15:17:12 GMT

Online Media Representatives Face Jail. OSDNBoss writes "According to the US Watchdog Committee to Protect Journalists a total of 134 journalists were in jail on December 1, 49 of which were Internet journalists. China leads the way with the highest number in jail. I'm sure the censors have already blocked Slashdot and other news and opinion sites in the countries mentioned. It begs the question, however, as the blogosphere grows are online journalists and editors more or less protected than their print and TV counterparts?" From the article: "China is challenging the notion that the Internet is impossible to control or censor, and if it succeeds there will be far-ranging implications, not only for the medium but for press freedom all over the world." [Slashdot: Your Rights Online]

RFID Guardian Project ( Faculty of Science : Vrije Universiteit )

Thu, 07 Dec 2006 18:53:03 GMT

Our paper at USENIX Lisa 2006 just won theBest Paper Award!
The RFID Guardian Project is a collaborative project focused upon providing security and privacy in Radio Frequency Identification (RFID) systems. The goals of our project are to:

Investigate the security and privacy threats faced by RFID systems
Design and implement real solutions against these threats
Investigate the associated technological and legal issues

The namesake of our project is the RFID Guardian: a mobile battery-powered device that offers personal RFID security and privacy management. One the focuses of our project is to build an RFID Guardian prototype.

Spam is Back.

Thu, 07 Dec 2006 18:17:32 GMT

Spam is Back.

A quiet trend broke into the open today, when the New York Times ran a story by Brad Stone on the recent increase in email spam. The story claims that the volume of spam has doubled in recent months, which seems about right. Many spam filters have been overloaded, sending system administrators scrambling to buy more filtering capacity.

Six months ago, the conventional wisdom was that we had gotten the upper hand on spammers by using more advanced filters that relied on textual analysis, and by identifying and blocking the sources of spam. >akismet), but that could change. If the blog spammers get as clever as the email spammers, we[base ']ll be in big trouble.

[Freedom to Tinker]

Justice Official Opens Spying Inquiry - New York Times

Wed, 29 Nov 2006 21:16:32 GMT

After months of pressure from Congressional Democrats, the Justice Department's inspector general said Monday that his office had opened a full review into the department's role in President Bush's domestic eavesdropping program and the legal requirements governing the program.

Democrats said they saw the investigation as a welcome step that could answer questions about the operations and legal underpinnings of the program, which allows the National Security Agency to monitor, without obtaining court warrants, the international communications of Americans and others inside this country with suspected terrorist ties.

"This is a long overdue investigation of a highly controversial program," said Representative John Conyers Jr., the Michigan Democrat who will take over as chairman of the House Judiciary Committee.

Audio captchas when visual images are unusable

Wed, 29 Nov 2006 20:15:21 GMT

Audio captchas when visual images are unusable Posted by T.V. Raman, Research Scientist

From time to time, our own T.V. Raman shares his tips on how to use Google from his perspective as a technologist who cannot see -- tips that sighted people, among others, may also find useful. - Ed.

Wikipedia defines 'captcha' as an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart" -- a word which is trademarked by Carnegie Mellon University. Most web users think of captchas as those hard to read distorted letters or images that one often is confronted by when websites attempt to verify that they're indeed talking to a live human. Google Accounts support captchas. Of course, bloggers (no matter which platform they use) can also use them to prevent comment spam.

Captchas were never intended to be purely visual -- however, most initial implementations used fuzzy images, and in attempting to lock out automated agents also inadvertently locked out people unable to see the image. As an alternative to these, this past spring Google Services that require verification began to provide an audio alternative -- people have the option of listening to a sequence of spoken digits that they then type into a form field to verify to the web application that there is indeed a live human at the other end.

To keep the audio captcha as challenging as the visual captcha when confronted by automated agents, we add some distortion to the spoken digits, and we're still experimenting with different distortion techniques to ease the burden on the genuine human user while locking out automated agents. We welcome feedback on the effectiveness of these techniques from you (we automatically collect feedback from those evil automated agents pretending to be human) :-).

You can easily spot the availability of audio captchas by the presence of the well-recognized "wheelchair" icon for accessibility --- the image is tagged with appropriate alt text to help blind users. Incidentally you donít have to be visually impaired to use the audio captcha; if you are in a situation where you find it hard to view the visual captcha -- either because you're at a non-graphical display, or because the specific visual challenge we offered you turned out to be unusable in a given situation, feel free to give the audio captcha a try. We've worked hard to ensure that the audio captchas work on different hardware/software combinations, and you do not need any special hardware (or software) other than a sound card to be able to use them. - A Googler [Official Google Blog]

Report: Firefox 2.0 Trumps IE7 In Phish-Fighting.

Wed, 15 Nov 2006 01:15:21 GMT

Report: Firefox 2.0 Trumps IE7 In Phish-Fighting.

Update, 3:24 PM ET: The text below was changed to clarify Mozilla's role as author of the report and the role of third-party testing and verification companies. Also, the data about this report that I promised earlier can be found at this link.

Original Post from Earlier Today:

The newly released Mozilla Firefox 2.0 and Microsoft Internet Explorer 7 Web browsers both include new technology to help flag and block phishing sites -- those authentic-looking Web sites set up by scammers to trick users into entering personal financial information.

So how do the browsers stack up against one another in a no-holds-barred, anti-phishing slugfest? One third-party test that pitted the browsers against two week's worth of phishing sites concluded that Firefox's phish net may have fewer holes than IE's.

The evidence comes in a report released today by Mozilla which shows the results of testing each browser against the same phishing sites flagged by contributors to Phishtank, an anti-phishing network run by OpenDNS. Mozilla is the author of the report, but they hired software testing firm SmartWare to conduct the testing, and they commissioned iSEC Partners to validate the test methodology and findings.

Firefox blocked 243 phishing sites that IE7 overlooked, while IE7 blocked 117 sites that Firefox did not.

Before I go any further with the numbers, I think it's important to offer a little background on how the phish-filtering technology is set up within both browsers. With IE7, the user is asked upon installation whether he wants to allow the browser to auto-check all Web sites against a Microsoft database. (More about how this technology works in IE7 is online here, and the obvious privacy issues are discussed here.)

Firefox's default setting, in contrast, uses a blacklist of known phishing sites that is stored on the user's computer and updated approximately every 30 minutes. Alternatively, Firefox users can opt to turn auto-detect on, in which case the browser will check Web sites the user visits by checking them against a database maintained by Google. (More about the service is online here.)

Back to the numbers: The testers found that with IE7's auto-check turned off, the browser blocked less than two percent of all phishing sites thrown at it. With the phone-home option turned on, IE blocked 66 percent of the scam sites.

In its default configuration, Firefox 2.0 blocked close to 79 percent of all phishing sites during the test period; with the "Ask Google" option enabled, Mozilla's browser blocked nearly 82 percent of all scam pages.

While I applaud Microsoft and Mozilla for their first efforts, the reality is that -- depending on which browser (and setting) you use -- anywhere from 20 to 40 percent of the phishing scams are going to sneak past undetected. I'm not saying this is an easy problem to solve: It certainly isn't. But I'm left wondering whether a stronger "whitelist" approach that involves identifying legitimate banking sites might prove to be a more effective strategy, or at least a highly complementary one.

As Security Fix noted last week, Mozilla, Microsoft and other browser makers are teaming up with Web site certificate authorities to try to make it more obvious when a user is truly at a verified banking site as opposed to a convincing fake. It may turn out that phishers will come up with a clever way to spoof these "supercerts" as well. But it seems to me that combined with an oft-updated blacklist, the whitelist approach has the greatest potential to bring the number of phishing scams that go undetected by either browser well down into the single digits.

Avivah Litan, an online fraud analyst with Gartner Inc., agreed. "With crooks moving these phishing sites from place to place within minutes, it's really hard to keep a blacklist up-to-date," Litan said "The future of [browser-based anti-phishing technology] is whitelisting, backed up with heuristics" that allow the browser to detect unidentified phishing links as suspicious.

For its part, Microsoft pointed to a report the company commissioned earlier this year that gave Microsoft's anti-phishing measures top marks compared with other browsers and technologies. The report highlights the fact that IE7 didn't raise any alarm bells about legitimate sites, a problem known in the business as a "false positive." It's not hard to see why that factor alone would be a paramount concern for Microsoft: A legitimate company whose site was errantly blocked by IE7 most likely would file a lawsuit against Microsoft in a heartbeat.

The SmartWare study doesn't appear to have addressed the problem of false-positives to any meaningful degree. Still, what I especially like about the Phishtank-based study is that it is premised on open-source information that everyone has the same access to. In contrast, the founders of 3Sharp, the company that authored the Microsoft study, clearly state on their site that their goal in creating 3Sharp was "to use the robustness, flexibility, and sheer native capabilities of the Microsoft communication and collaboration technologies to enhance the business of our customers."

Incidentally, any serious Mozilla-using phish fighters out there who want an easier way to submit "phishy" sites to Phishtank should check out this Firefox add-on.

[Security Fix]

Nations that Censor the Net (Businessweek)

Mon, 13 Nov 2006 23:22:09 GMT

Reporters Without Borders calls out China, Myanmar, Belarus, and 10 other countries for quashing online political and religious expression

As effective as the Internet may be in spreading dissent, the methods used to suppress opposition on the Web are no less pervasive. Reporters Without Borders, a Paris group that does advocacy work for press freedom, has compiled a list of the countries that it says go the furthest to censor the Internet.

"We wanted to raise awareness of the history of censorship in these countries among democratic nations, who tend to take advantage of Internet freedoms," says Reporters Without Borders spokeswoman Lucie Morillon. "But we also wanted to provide a means for people in repressed countries to show solidarity."

The group recently staged a 24-hour protest in public spaces of New York and Paris, condemning China and 12 other countries for their steps toward repressive censorship of Internet journalists. The group cited the wrongful jailing of at least 61 "cyber-dissident" reporters, 52 of whom currently remain in Chinese prisons.

Top 10 List of Worldwide Internet Censors.

Mon, 13 Nov 2006 23:16:15 GMT

Top 10 List of Worldwide Internet Censors. PreacherTom writes "Reports of internet censorship are nothing new and are quite expected from countries whose leadership depends on controlling the popular worldview. Reporters Without Borders, a Paris group that does advocacy work for press freedom, puts a number to the trend with a list of the countries that it says go the furthest to censor the Internet. Photos document the worldwide protests and continuing struggles. Not surprisingly, China is described as the pioneer of internet censors, dedicating more resources than any other country to restrict online freedoms." This week we also discussed the Reporters Without Borders' 13 Enemies of the Internet list.[Slashdot: Your Rights Online]

Privacy and Security Law Blog: Confidential Information Should Be Encrypted or Not Stored on Laptops

Fri, 10 Nov 2006 23:31:52 GMT

81% of U.S. businesses surveyed this year reported that, in the previous 12 months, at least one of their laptops or other portable electronic devices had been lost or stolen. U.S. Survey: Confidential Data at Risk, 5 Privacy & Security Law Report 1162 (2006). When a laptop is lost or stolen, unencrypted data on the computer can easily be accessed. Even if a user name and password are needed to sign on to the laptop, the hard drive can be removed in a few seconds and all data on the hard drive can be copied to another computer or to a storage device in minutes.

Despite the high risk sensitive data may be obtained from lost or stolen laptops, many businesses continue to allow employees to store such information on laptops and to take the laptops home, on business trips, and on vacations. Business managers should consider whether their current laptop security practices are sufficient. If a business' trade secrets, attorney-client privileged information, customer lists, or financial information are obtained from a lost or stolen laptop, affected shareholders, employees, or business partners may argue that the business failed to take adequate steps to safeguard the data.

Avivah Litan, vice president and analyst at the Gartner Group, said in a recent interview: "Frankly, there is no excuse anymore not to encrypt data on laptops and mobile devices. . . . The cost for laptop encryption is $40 or less per laptop. . . . [T]here is no excuse today. It is really bordering on negligence." An Interview with Experts on the Cost of Ensuring Data Security, 6 Privacy Advisor 20, 23 (2006). Every company with sensitive data on mobile devices should consider whether the data should be encrypted.

US.gov tunes out scathing RFID privacy report.

Fri, 10 Nov 2006 03:07:22 GMT

US.gov tunes out scathing RFID privacy report.

DHS committee study 'disavowed'

An external security advisory committee reporting to the US Department of Homeland Security has produced a highlight critical report (PDF) advising against the use of RFID technology in government documents.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

Electronic Voting Machine Headaches Shut Out Citizens.

Thu, 09 Nov 2006 06:46:56 GMT

Electronic Voting Machine Headaches Shut Out Citizens.

Delays Mean Long Lines for Voters in Florida, Utah, and Other States

San Francisco - Problems with electronic voting machine failures kept some polls from opening, created long lines, and left many voters puzzled about whether their votes were counted in Tuesday's high stakes election.

The Electronic Frontier Foundation (EFF) joined a nationwide team of technology lawyers and other experts staffing nationwide call centers and legal command posts on Election Day. The volunteers chronicled election problems, assisted voters, and worked with election officials to pull malfunctioning machines wherever possible. By 8:00 pm ET on Tuesday, over 17,000 incidents, including machine-related problems, had been reported to the Election Protection Coalition's 866-OUR-VOTE hotline.

The types of machine problems reported to EFF volunteers were wide-ranging in both size and scope. Polls opened late for machine-related reasons in polling places throughout the country, including Ohio, Florida, Georgia, Virginia, Utah, Indiana, Illinois, Tennessee, and California. In Broward County, Florida, voting machines failed to start up at one polling place, leaving some citizens unable to cast votes for hours. EFF and the Election Protection Coalition sought to keep the polling place open late to accommodate voters frustrated by the delays, but the officials refused. In Utah County, Utah, more than 100 precincts opened one to two hours late on Tuesday due to problems with machines. Both county and state election officials refused to keep polling stations open longer to make up for the lost time, and a judge also turned down a voter's plea for extended hours brought by EFF.

"If election officials insist on depending on this unreliable technology, they should be prepared to react appropriately when things go wrong," said EFF Legal Director Cindy Cohn. "Voters should not have to bear the brunt of this poor planning. We are very disappointed that the court did not recognize that."

"Jumping vote" problems -- touchscreen machines displaying selections not intended by voters -- once again appeared across the country and across machine models. Some voters again encountered difficulty making or changing selections on touchscreen machines, resulting in long lines and frustrated voters leaving polling places. Optical scan machines also broke down in many places, most prominently in Cook County, Illinois, but also in Los Angeles, California, also leading to long delays for voters.

The national monitoring campaign was developed after many states hastily implemented flawed electronic voting machines and related election procedures. Twenty-three states still do not require a paper record of all votes, despite the demonstrated technical failures of e-voting machines in the 2004 presidential election. Without a record, voters cannot verify that the e-voting machines are recording their votes as intended, and election officials cannot conduct recounts. In addition, most of these machines use "black box" software that hasn't been publicly reviewed for security.

But poorly designed systems are not the only problem. Most election workers remain woefully under-trained regarding potential e-voting problems. Vendor technicians frequently have unsupervised access to voting equipment, and local election officials routinely deny attempts to examine e-voting audit data.

Along with supporting local election reform, EFF has helped Congressional Rep. Rush Holt's Voter Confidence and Increased Accessibility Act garner immense, bipartisan support. The bill contains several critically important election reforms, including the requirement of a paper trail for all electronic voting machines, random audits, and public availability of all code used in elections.

"Voters deserve these practical election reforms -- not long lines and unverifiable results," said EFF Staff Attorney Matt Zimmerman.

For the latest election news:
http://www.eff.org/deeplinks/

For more on EFF's e-voting efforts:
http://www.eff.org/Activism/E-voting/

Contacts:

Cindy Cohn
Legal Director
Electronic Frontier Foundation
cindy@eff.org

Matt Zimmerman
Staff Attorney
Electronic Frontier Foundation
mattz@eff.org

[EFF: Breaking News]

Reports note that US ranks near the bottom for privacy protection, on par with Russia, China, and Malaysia -- and also is flunking on press freedoms

Thu, 09 Nov 2006 01:22:00 GMT

Reports note that US ranks near the bottom for privacy protection, on par with Russia, China, and Malaysia -- and also is flunking on press freedoms. Posted by Bruce E.H. JohnsonPrivacy International has issued its annual Privacy and Human Rights Study analyzing privacy protections around the world. The study ranks the United States near the bottom for privacy protections, calling it an "extensive surveillance society." In failing to... [Privacy and Security Law Blog]

RFID Journal - Germany's BKA Uses RFID to Test Criminal-ID Software - RFID (Radio Frequency Identification) Technology News & Features

Mon, 30 Oct 2006 19:26:42 GMT

Oct. 30, 2006--Germany's Bundeskriminalamt (BKA), or Federal Criminal Investigation Office, is using RFID as part of a test of facial-recognition software. The trial began this month and will last until January.

The country's Federal Ministry of the Interior authorized the test in mid-February, which is being held in the main railway station in Mainz, a city not far from Frankfurt. The project gained new relevance in August when police foiled a plot to blow up regional trains in Germany. Video monitoring of passengers in train stations played a key role in identifying the attempted terrorists.

Feds Leapfrog RFID Privacy Study.

Mon, 30 Oct 2006 19:24:04 GMT

Feds Leapfrog RFID Privacy Study. A Homeland Security advisory panel finds serious privacy and security problems with RFID. But the report is stalled, while the government rolls out new ID cards using the controversial technology. By Ryan Singel. [Wired News: Security Blanket]

FCW.com - EU needs RFID privacy regs, study finds

Sun, 29 Oct 2006 06:13:23 GMT

The European Union needs to consider adopting a solid legal framework to ensure that the use of radio frequency identification technology does not infringe on privacy, a top official of the European Commission, the executive branch of the EU, told an RFID conference Oct. 16.

The EU also needs to standardize its RFID frequencies in the 865 to 868 MHz frequency band, according to a commission background paper presented at the conference. The commission said it expects to complete a draft spectrum decision by the end of this year.

It has recently completed a six-month consultation with public and industry stakeholders on the use of RFID tags in the EU. Viviane Reding, European commissioner for information society and media, told the conference that "the overriding message that comes out of the consultation is that citizens have concerns over privacy issues."

Study: Customers don't want data handled by outside vendors.

Fri, 27 Oct 2006 02:59:45 GMT

Study: Customers don't want data handled by outside vendors. Customers whose data is exposed in a security breach involving a third-party vendor are less forgiving than when their data is lost by the company they do business with, according to a study of data breaches by the Ponemon Institute. [Computerworld Privacy News]

Privacy Lost: Does anybody care? - Privacy Lost - MSNBC.com

Mon, 16 Oct 2006 22:14:43 GMT

Someday a stranger will read your e-mail, rummage through your instant messages without your permission or scan the Web sites you've visited -- maybe even find out that you read this story.

You might be spied in a lingerie store by a secret camera or traced using a computer chip in your car, your clothes or your skin.

Perhaps someone will casually glance through your credit card purchases or cell phone bills, or a political consultant might select you for special attention based on personal data purchased from a vendor.

In fact, it's likely some of these things have already happened to you.

Who would watch you without your permission? It might be a spouse, a girlfriend, a marketing company, a boss, a cop or a criminal. Whoever it is, they will see you in a way you never intended to be seen -- the 21^st century equivalent of being caught naked.

Psychologists tell us boundaries are healthy, that it's important to reveal yourself to friends, family and lovers in stages, at appropriate times. But few boundaries remain. The digital bread crumbs you leave everywhere make it easy for strangers to reconstruct who you are, where you are and what you like. In some cases, a simple Google search can reveal what you think. Like it or not, increasingly we live in a world where you simply cannot keep a secret.

The key question is: Does that matter?

For many Americans, the answer apparently is "no."

No, young shoppers do not want to pay with chip in skin.

Mon, 16 Oct 2006 21:44:31 GMT

No, young shoppers do not want to pay with chip in skin.

One of my pet peeves is the misuse of statistics in reporting. Here[base ']s an example that happens to intersect with issues of privacy.

The Daily Mail is featuring a story titled [base "]Young shoppers want to pay with chip in skin[per thou], extolling the fact that teenagers are willing to have microchip implants as a means of paying in stores. But three paragraphs into the story you discover that only around 8 percent of 13 to 19-year-olds are open to the idea of microchip implants.

Wow, 8%. That means 92% don[base ']t want to pay with implanted microchips. Of course, a headline like [base "]Eleven-twelfths of teens don[base ']t want anything to do with becoming digitally-enhanced consumer cyborgs[per thou] doesn[base ']t sell papers.

A broader concern here is that when these kind of memes start circulating - that kids think its no big deal to have chips implanted linked to their personal & financial information - general expectations of privacy and informational norms start to change.

[found via Canadian Privacy Law Blog]

[michaelzimmer.org]

Software Being Developed to Monitor Opinions of U.S. - New York Times

Wed, 11 Oct 2006 03:00:00 GMT

WASHINGTON, Oct. 3 -- A consortium of major universities, using Homeland Security Department money, is developing software that would let the government monitor negative opinions of the United States or its leaders in newspapers and other publications overseas.

Such a "sentiment analysis" is intended to identify potential threats to the nation, security officials said.

Researchers at institutions including Cornell, the University of Pittsburgh and the University of Utah intend to test the system on hundreds of articles published in 2001 and 2002 on topics like President Bush's use of the term "axis of evil," the handling of detainees at GuantÃ¡namo Bay, the debate over global warming and the coup attempt against President Hugo ChÃ¡vez of Venezuela.

A $2.4 million grant will finance the research over three years.

Feds Really Do Fear Hippy Terror

Fri, 29 Sep 2006 02:15:07 GMT

Feds Really Do Fear Hippy Terror.
If you were curious, as I was, why the notional evildoers in DHS's anti-cyber terror wargame Cyber Storm were anti-globalization lefties instead of home grown right wing extremists or al Qaida, it turns out the threat model was completely in keeping with the Bush administration's assessment of where terrorists are festering.

From the very end of the government's newly-and-partially-declassified National Intelligence Estimate summary:

Anti-U.S. and anti-globalization sentiment is on the rise and fueling other radical ideologies. This could prompt some leftist, nationalist, or separatist groups to adopt terrorist methods to attack US interests. The radicalization process is occurring more quickly, more widely, and more anonymously in the Internet age, raising the likelihood of surprise attacks by unknown groups whose members and supporters may be difficult to pinpoint.

We judge that groups of all stripes will increasingly use the Internet to communicate, propagandize, recruit, train, and obtain logistical and financial support.

If you accept all that, it begins to make sense that someone like the fictional Worldwide Anti-Globalization Alliance, and its radical arm, the Black Hood Society, would be the first to launch devastating cyber attacks against the power grid, air traffic control, etc., as laid out in a "For Official Use Only" DHS presentation (.ppt) given to industry security professionals last June.

But Salon wonders why the NIE neglects threats from the other end of the ideological spectrum, given that the worst pre-9/11 U.S. terror attack occurred when right-winger Timothy McVeigh blew up the federal building in Oklahoma City.

That this claim about "leftist" terrorist groups made it into the NIE summary is particularly significant in light of the torture and detention bill that is likely soon to be enacted into law. That bill defines "enemy combatant" very broadly (and the definition may be even broader by the time it is enacted) and could easily encompass domestic groups perceived by the administration to be supporting a "terrorist agenda."

Similarly, the administration has claimed previously that it eavesdrops on the conversations of Americans only where there is reasonable grounds (as judged by the administration) to believe that one of the parties is affiliated with a terrorist group. Does that include "leftist" groups that use the Internet to organize?

Good question. If you're part of a group in the mold of Cyber Storm's villainous "Freedom Not Bombs," you may want to switch away from AT&T as your long distance carrier ASAP.

Actually, you're probably using Working Assets already, you cyber terrorist scumbag.
[27B Stroke 6]

Some Sobering Security Stats.

Tue, 26 Sep 2006 13:19:24 GMT

Some Sobering Security Stats.

Symantec today released its latest report on Internet security, cataloging 2,249 software vulnerabilities discovered or reported from January through June 2006 -- the most the company has ever recorded in a six-month period.

Nearly 80 percent of the vulnerabilities were considered easily exploitable and involved applications like Web browsers or software such as blogging and shopping cart programs.

Hackers often use Web application flaws to deface Internet sites -- thousands of sites are defaced each day thanks to this class of vulnerabilities. Annoying as they are, however, defacements aren't the real problem. Criminals can exploit the same Web application flaws to gain access to sensitive databases, access that can drive credit card and identity theft. Online criminals also can use Web app flaws to hijack legitimate sites and redirect visitors to sites that try to install spyware and other malicious programs.

Web application flaws can even cause a Web site to become a drone in a massive army of computers that organized criminals use to launch crippling and extortionist attacks against other Web sites. According to Symantec's stats, the first six months of 2006 brought an average of 6,110 distributed denial-of-service attacks (DDoS) each day.

That figure is a low-ball number, as Symantec only measured DDoS attacks in cases where the perpetrators faked the Internet addresses of the compromised computers doing the attacking. With millions of compromised machines on the 'Net these days available for use in DDoS attacks, spoofing the source Internet address of drone computers is really not necessary, and the practice is now a lot less common than it used to be.

Other stats of interest in the report: Microsoft's Internet Explorer was the most frequently targeted Web browser, with 47 percent of all attacks. Mozilla's Firefox and other browsers had the most number of flaws -- 47 -- (IE had 38), but IE continued to have the largest window of exposure to known security flaws.

A PDF copy of the Symantec report can be downloaded here.

[Security Fix]

Security Analysis (and Response) of Diebold Voting Machines.

Sat, 23 Sep 2006 23:18:27 GMT

Security Analysis (and Response) of Diebold Voting Machines.

Ari Feldman, Alex Halderman, and Ed Felton released an amazing paper on the security of Dielbold's e-voting technology. The paper is accompanied by a ten-minute video that demonstrates some of the vulnerabilities they've uncovered. Here is the paper's abstract:

Security Analysis of the Diebold AccuVote-TS Voting Machine

Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten
Princeton University

This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities -- a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine's hardware and software and the adoption of more rigorous election procedures.

Along with the various weaknesses they discuss in the paper, Felton later discovered that the lock "securing" the machine's components from outside tampering could be opened with a standard hotel mini-bar key. Unbelievable.

Predictably, Dielbold responded (PDF) with their PR team in full spin mode, but Felton easily dispenses with their generally off-point retorts. Felton's conclusion:

Secure voting equipment and adequate testing would assure accurate voting -- if we had them. To our knowledge, every independent third party analysis of the AccuVote-TS has found serious problems, including the Hopkins/Rice report, the SAIC report, the RABA report, the Compuware report, and now our report. Diebold ignores all of these results, and still tries to prevent third-party studies of its system.

If Diebold really believes its latest systems are secure, it should allow third parties like us to evaluate them.

[michaelzimmer.org]

Privacy Expert on Feds' Identity Theft Recs.

Thu, 21 Sep 2006 17:30:44 GMT

Privacy Expert on Feds' Identity Theft Recs.
s noted earlier today, a federal task force recommended some changes to how the federal government, states and the law deal with the growing problem of identity theft and identity fraud.

What does Beth Givens, the head of the Privacy Rights Clearinghouse which works to help identity theft victims, think of the suggestions?

The recommendations are as fine as far as they go. Some are quite good, for example the uniform police report, I think that's quite excellent.

But there are some things missing. I was surprised they didn't touch specifically on the whole matter of the Medicare card having the SSN printed on it and the military id number being your SSN, We see a great deal of identity theft that is caused because millions and millions of Americans are forced to carry these cards in their pockets.

And when those wallets are stolen, they don't have their SSN card in there but they certainly have their Social Security number in there.

The other thing they missed the biggest issue of all which is prevention.

Identity theft is at epidemic proportions because credit issuers are giving credit to crooks. Now why aren't credit issuers doing a better job of identifying illegitimate applications?

Givens points to some complicated rulemaking that was left to the Federal Trade Commission and the Federal Reserve Board when Congress passed the Fair and Accurate Credit Transactions Act in 2003. That bill contained a number of consumer protections, such as free annual credit reports (get yours here).

One of the rules still being developed is known as the "Red Flag" rulemaking, which details the kinds of data discrepancies that credit issuers would be required to look for.

The Red Flag rules say, "Hey, credit issuers, if there is an address discrepancy (between what is on an application and what is in your credit file) maybe that's a red flag. So it's the rulemaking that requires credit issuers to pay attention to the anomalies and discrepancies that could be an indicator of fraud. And it has taken so long for even the agencies to issue the rules.

What they need to do is issue the regulations and not let it drag on anymore because that's where the rubber meets the road in terms of identity theft prevention.

Givens says if a credit issuer were to ignore the most prominent red flags on an ongoing basis, then the FTC could have reason to investigate or punish the company.

Given that credit issuers currently are liable and pay for most credit fraud, why haven't they stopped identity theft by tightening the loose standards of an instant credit society, say by requiring a phone call or email to your contact information on record?

Apparently, they are still making more money by extending credit to lots and lots people with minimal evaluation of the applications, than they are losing from the small percentage of those that are fraudulent.

I suppose the algebra is still on the plus side

[27B Stroke 6]

People prefer iPods to biometric passports.

Wed, 20 Sep 2006 15:48:33 GMT

People prefer iPods to biometric passports.

Anyone for an iDcard?

The Home Office has tried to frighten people into taking its identity plans seriously by publishing a marketing survey it said proved their passports were easy targets for ruthless criminals.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

Freedom to Tinker - Security Analysis of the Diebold AccuVote-TS Voting Machine

Thu, 14 Sep 2006 18:29:14 GMT

Today, Ari Feldman, Alex Halderman, and I released a paper on the security of e-voting technology. The paper is accompanied by a ten-minute video that demonstrates some of the vulnerabilities and attacks we discuss. Here is the paper's abstract:

Security Analysis of the Diebold AccuVote-TS Voting Machine

Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten
Princeton University

This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities -- a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine's hardware and software and the adoption of more rigorous election procedures.

CDT Offers Framework for Evaluating DRM.

Fri, 08 Sep 2006 03:53:50 GMT

CDT Offers Framework for Evaluating DRM. The Center for Democracy & Technology (CDT) today released a document designed to help promote a greater public understanding of the choices and tradeoffs associated with products and services that include Digital Rights Management (DRM) technology. The paper details a series of "metrics" for evaluating DRM that fall into four major categories: transparency, effect on use, collateral impact, and purpose/consumer benefit. The paper is aimed at fostering greater public understanding and discussion of DRM, on the assumption that marketplace pressures from an informed consumer base can help promote a market for digital media products that is diverse, competitive, and responsive to reasonable consumer expectations. [Center for Democracy and Technology]

EETimes.com - Survey says security issues can be fixed

Fri, 01 Sep 2006 00:26:07 GMT

A pair of security surveys released this week shows that protecting corporate and consumer data is sometimes easier than people might think, but the broader problem still is confounding far too many organizations.

The first study, entitled "Network Attacks: Analysis of Department of Justice Prosecutions 1999-2006," shows most network attacks tracked by the DOJ used stolen IDs and passwords. Those attacks resulted in far more extensive damages than what had been assumed -- an average of more than $1.5 million per incident, with $10 million being the most damage incurred in one incident. The study, commissioned by Phoenix Technologies and conducted by research and advisory firm Trusted Strategies, analyzed data from all cases prosecuted and publicly disclosed by the DOJ between March 1999 and February 2006.

The report also maintains that a whopping 84 percent of these attacks could have been thwarted if, after checking the user ID and password, the organization had simply verified the identity of the invasive computer connecting to its network and accounts via device authentication policies and solutions.

The failure to implement such technologies can kick the door open to attackers. In 88 percent of the cases in the DOJ report, the attacker accessed one or more privileged user accounts, obtaining IDs and passwords by network sniffing, using password-cracking programs or colluding with insiders and employees who later left the organizations. The full results of the report can be found at Phoenix Technologies https://www.phoenix.com/cybercrime.

Another study released this week shows that almost two-thirds of security executives are convinced they have no way to prevent a data breach. In addition, most of them believe their organizations lack the accountability and resources necessary to enforce data security policy compliance. The report, called the "National Survey on the Detection and Prevention of Data Breaches," was prepared by the Ponemon Institute, a privacy and security research firm, and PortAuthority Technologies, a developer of Information Leak Prevention (ILP) solutions.

The report surveyed 853 U.S.-based information security professionals, finding that, despite increased attention and media and public scrutiny, data security still is flummoxing many U.S. corporations. Among the key findings: 59 percent of companies believe they can detect a data breach, but 63 percent believe they can't prevent one -- with high false-positive rates, ineffective policy enforcement and overly costly leak prevention technologies comprising a big part of the problem. Full results of the study are available upon request from the Ponemon Institute http://www.ponemon.org or Port Authority Technologies www.portauthoritytech.com/breachsurvey .

Study Reveals Most Network Attacks Used Stolen IDs, Passwords.

Wed, 30 Aug 2006 00:33:37 GMT

Study Reveals Most Network Attacks Used Stolen IDs, Passwords. DOJ data shows cost to individual organizations up to $10 million per occurrence [GT: Security and Privacy]

Evolution Major Vanishes From Approved Federal List - New York Times

Mon, 28 Aug 2006 03:30:52 GMT

Evolutionary biology has vanished from the list of acceptable fields of study for recipients of a federal education grant for low-income college students.

The omission is inadvertent, said Katherine McLane, a spokeswoman for the Department of Education, which administers the grants. "There is no explanation for it being left off the list," Ms. McLane said. "It has always been an eligible major."

Another spokeswoman, Samara Yudof, said evolutionary biology would be restored to the list, but as of last night it was still missing.

If a major is not on the list, students in that major cannot get grants unless they declare another major, said Barmak Nassirian, associate executive director of the American Association of Collegiate Registrars and Admissions Officers. Mr. Nassirian said students seeking the grants went first to their college registrar, who determined whether they were full-time students majoring in an eligible field.

"If a field is missing, that student would not even get into the process," he said.

That the omission occurred at all is worrying scientists concerned about threats to the teaching of evolution.

[...]

Mr. Nassirian said people at the Education Department had described the omission as "a clerical mistake." But it is "odd," he said, because applying the subject codes "is a fairly mechanical task. It is not supposed to be the subject of any kind of deliberation."

"I am not at all certain that the omission of this particular major is unintentional," he added. "But I have to take them at their word."

Scientists who knew about the omission also said they found the clerical explanation unconvincing, given the furor over challenges by the religious right to the teaching of evolution in public schools. "It's just awfully coincidental," said Steven W. Rissing, an evolutionary biologist at Ohio State University.

Jeremy Gunn, who directs the Program on Freedom of Religion and Belief at the American Civil Liberties Union, said that if the change was not immediately reversed "we will certainly pursue this."

Dr. Rissing said removing evolutionary biology from the list of acceptable majors would discourage students who needed the grants from pursuing the field, at a time when studies of how genes act and evolve are producing valuable insights into human health.

"This is not just some kind of nicety," he said. "We are doing a terrible disservice to our students if this is yet another example of making sure science doesn't offend anyone."

Broadband Abroad: Internet Connectivity Outside of the United States - Yahoo! News

Mon, 28 Aug 2006 03:15:04 GMT

Nearly 60 publications in countries ranging from Australia and Bangladesh to Venezuela and Vietnam either carry the PC World name or are associated with us in some way. So we asked editors at several of them to tell us how their readers get online. Not surprisingly, our colleagues report that many countries are substantially ahead of the United States in many respects.

For example, in the United Kingdom, you can buy DSL service with a download speed of up to 24 megabits per second. In Denmark, some people have fiber-optic connections as fast as 100 mbps. And in Italy and Spain, broadband service is cheap, and dial-up service is free (except for the cost of the local call). Still, many countries have their own connection quirks; read about them below.