Re: [Full-disclosure] How Prosecutors Wiretap Wall Street
The law of bailment applies, I would submit, to information sent on wires. The act of sending something out is not handing it to the public domain (though it may arrive in the public domain, depending on intent). However, the law of bailments seems to have been ignored by many, even though it has been around for hundreds of years. (Mind: I am not a lawyer - have just read some books - and speak for myself.)

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Paul Schmehl
Sent: Saturday, November 07, 2009 8:53 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] How Prosecutors Wiretap Wall Street

--On November 7, 2009 4:06:42 PM -0600 mikelito...@hushmail.com wrote:

But to gather intelligence about what terrorists are up to, even if a US citizen is involved, should not require a warrant.

This is all well and good, until the definition of terrorist is changed and you become labeled a terrorist because your reason is suddenly counterproductive to someone else's opinion. You must apply the warrant requirement consistently. Otherwise, when the interpretation of the word terrorist changes, it affects the meaning of the law.

Sure. I agree with that.

I think it's also important that law enforcement activities have much more stringent requirements than military intelligence has. The former is directed toward citizens, the latter toward enemies the military has to deal with.

And call me crazy, but I'm just not willing to assume that someone won't abuse the power of being able to surveil US citizens and do exactly what Nixon did, spy on their competition/detractors. Surely you can admit that some people do things that they wouldn't normally do when big money and big power are involved. After all, "Those who cannot learn from history are doomed to repeat it." Don't be so naive to think it can't happen again.

Of course. I've never said they didn't. In fact I've stated that people in government have the same range of motives that people not in government have, including the seven deadly sins, if you will. But I've also pointed out that they are not totally evil either, as some seem to think. There are also good people in government just as there are in every other walk of life.

Intelligence works best in a world of secrecy.

So does deception.

Significantly more so, in fact.

As I've pointed out now several times, it's analogous to people that get all hot and bothered by the fact that admins have access to the data on their computers.

Yes, but that computer probably doesn't belong to me but instead to my employer. If it belongs to me, you better have a policy that prevents me from using it at work, and/or a login disclaimer informing me of your right to monitor what I do if I connect to your network. If not, you better damn well have a warrant if you want to take a look at my property.

Therein lies the rub. Whose property are the bits on the wire? Once you've clicked on send, be it email or IM or Twitter or whatever, does that transmission still belong to you? I would submit that it does not, and that the privacy laws that protect you and your house and belongings can no longer be sensibly applied. Even if you send a private email, to whom does it belong while it's in the process of transmission?

And as far as I know, there's no login disclaimer on the interwebs that allows the government to monitor what I do on that network, nor on the telephone, or my mobile phone contract.

Really? To whom does your response to me belong? What about the email you send to a friend? A stranger? And Twitter posts? Blog comments? Etc., etc. Does it really make sense to extend your privacy rights to those things that you have sent into the public domain?

And how do you draw the line legally at what the government can look at without a warrant and what they must get a warrant for when they can't even know what's on the network without first connecting to it to look? Should we forbid them to ever connect simply because something they could potentially see is private? And is it really private? And if they already have a warrant to monitor all communications of a known terrorist, what happens when those communications include a US person? Are they allowed to monitor since they already have a warrant, even though they don't have one for the US person?

From what I've read, getting a warrant in 72 hours is almost impossible.

Ahah! Now we're on to something. Here's an idea. Make it easier to get that warrant when you need it. Improve the process, so that when requested, a warrant can be turned around in hours, not days. Don't remove the requirement altogether. That's simply inviting trouble.

I completely agree. I also think the definitions need to be much clearer, so that intelligence people understand exactly where the fences are.
[Full-disclosure] DoS vulnerability in Internet Explorer
Hello participants of Full-Disclosure!

I want to warn you about a Denial of Service vulnerability in Internet Explorer. Yesterday I already informed Microsoft. I called this attack DoS via homepage.

DoS: http://websecurity.com.ua/uploads/2009/IE%20DoS%20Exploit10.html

With this exploit in IE6 the browser blocks, so it becomes impossible to use it and it is only possible to close it (via Task Manager). With this exploit in IE7 the browser freezes after a click on the link.

Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet Explorer 7 (7.0.6000.16711) and previous versions (and possibly next versions too).

I mentioned this vulnerability at my site (http://websecurity.com.ua/3658/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Dark home
Hello participants of Full-Disclosure!

After the article Dark side of bookmarks (http://websecurity.com.ua/3643/), I'll draw your attention to another aspect of security concerning web browsers. This time it is about attacks via the homepage function. In the article Dark home (http://websecurity.com.ua/3660/) I tell you about the risks of the homepage function in browsers.

The following attacks via the homepage function are possible:

1. Spam.
2. Phishing.
3. Malware spreading.
4. DoS attacks.

You can read the article Dark home at my site: http://websecurity.com.ua/3660/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability

Advisory ID: cisco-sa-20091109-tls

http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

Revision 1.0

For Public Release 2009 November 9 1600 UTC (GMT)

Summary
=======

An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml.

Affected Products
=================

Cisco is currently evaluating products for possible exposure to these TLS issues. Products will only be listed in the Vulnerable Products or Products Confirmed Not Vulnerable sections of this advisory when a final determination about product exposure is made. Products that are not listed in either of these two sections are still being evaluated.

Vulnerable Products
-------------------

This section will be updated when more information is available.

Products Confirmed Not Vulnerable
---------------------------------

The following products are confirmed not vulnerable:

  * Cisco AnyConnect VPN Client

This section will be updated when more information is available.

Details
=======

TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet. An industry-wide vulnerability exists in the TLS protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

The following Cisco Bug IDs are being used to track potential exposure to the SSL and TLS issues. The bugs listed below do not confirm that a product is vulnerable, but rather that the product is under investigation by the appropriate product teams.
Registered Cisco customers can view these bugs via Cisco's Bug Toolkit:
http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl

+-----------------------------------------------------------------------------+------------+
| Product                                                                     | Bug ID     |
+-----------------------------------------------------------------------------+------------+
| Cisco Adaptive Security Device Manager (ASDM)                               | CSCtd01491 |
+-----------------------------------------------------------------------------+------------+
| Cisco AON Software                                                          | CSCtd01646 |
+-----------------------------------------------------------------------------+------------+
| Cisco AON Healthcare for HIPAA and ePrescription                            | CSCtd01652 |
+-----------------------------------------------------------------------------+------------+
| Cisco Application and Content Networking System (ACNS) Software             | CSCtd01529 |
+-----------------------------------------------------------------------------+------------+
| Cisco Application Networking Manager                                        | CSCtd01480 |
+-----------------------------------------------------------------------------+------------+
| Cisco ASA 5500 Series Adaptive Security Appliances                          | CSCtd00697 |
+-----------------------------------------------------------------------------+------------+
| Cisco ASA Advanced Inspection and Prevention (AIP) Security Services Module | CSCtd01539 |
+-----------------------------------------------------------------------------+------------+
| Cisco AVS 3100 Series Application Velocity System                           | CSCtd01566 |
+-----------------------------------------------------------------------------+------------+
| Cisco Catalyst 6500 Series SSL Services Module                              | CSCtd06389 |
+-----------------------------------------------------------------------------+------------+
| Firewall Services Module (FWSM)                                             | CSCtd04061 |
+-----------------------------------------------------------------------------+------------+
| Cisco CSS 11000 Series Content Services Switches                            | CSCtd01636 |
+-----------------------------------------------------------------------------+------------+
| Cisco Unified SIP Phones                                                    | CSCtd01446 |
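The advisory describes the renegotiation weakness but, at revision 1.0, says nothing about how a fixed implementation can be recognised. The fix later standardised as RFC 5746 makes a patched peer advertise itself: the server answers an initial handshake with a renegotiation_info extension (type 0xff01) carrying an empty renegotiated_connection field, and a client may signal support with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (0x00ff). The following is an added example written for this page, not Cisco's code or part of the advisory: it parses a raw TLS ServerHello record and reports whether the server advertises secure renegotiation. The sample records are constructed in the block itself (`build_server_hello` is a helper assumed here for the demo, not a capture from any Cisco product).

```python
import struct

# RFC 5746 values (the secure-renegotiation fix standardised after this advisory)
RENEGOTIATION_INFO_EXT = 0xFF01   # extension type "renegotiation_info"
EMPTY_RENEG_INFO_SCSV = 0x00FF    # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record that carries a ServerHello and return its fields."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or len(hs) < 38:
        raise ValueError("truncated ServerHello")

    pos = 0
    version = struct.unpack("!BB", hs[pos:pos + 2]); pos += 2
    pos += 32                                     # server random
    sid_len = hs[pos]; pos += 1
    pos += sid_len                                # session id
    (cipher_suite,) = struct.unpack("!H", hs[pos:pos + 2]); pos += 2
    pos += 1                                      # compression method

    extensions = {}
    if pos < len(hs):                             # the extensions block is optional
        (ext_total,) = struct.unpack("!H", hs[pos:pos + 2]); pos += 2
        end = pos + ext_total
        if end != len(hs):
            raise ValueError("extensions length does not match message length")
        while pos < end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            extensions[ext_type] = hs[pos:pos + ext_len]; pos += ext_len
        if pos != end:
            raise ValueError("malformed extension list")
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}


def supports_secure_renegotiation(record: bytes) -> bool:
    """True only if the initial ServerHello carries an empty renegotiation_info extension."""
    ext = parse_server_hello(record)["extensions"].get(RENEGOTIATION_INFO_EXT)
    # On the initial handshake renegotiated_connection must be empty: a single length byte of 0.
    # A missing extension means a legacy (unpatched) server; a non-empty one is out of place here.
    return ext == b"\x00"


def build_server_hello(extensions=None, cipher_suite=0x002F) -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (sample data for this demo, not a real capture)."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    if extensions is not None:
        ext_bytes = b"".join(struct.pack("!HH", t, d and len(d) or 0) + d for t, d in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    legacy = build_server_hello()                                     # no extension: pre-fix server
    patched = build_server_hello([(RENEGOTIATION_INFO_EXT, b"\x00")])  # advertises secure renegotiation
    print("legacy server secure renegotiation: ", supports_secure_renegotiation(legacy))
    print("patched server secure renegotiation:", supports_secure_renegotiation(patched))
```

A server that returns False here is still running the unpatched renegotiation behaviour the advisory describes, so the only defensive option for it is to disable renegotiation entirely until a vendor fix is installed; a True result means the peer can be held to the RFC 5746 rules on every renegotiation.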
Re: [Full-disclosure] How Prosecutors Wiretap Wall Street
I fail to see how that applies. The law of bailment basically means that you continue to own a possession, the physical possession of which you *temporarily* grant to another party. (Allowing someone to drive your car, for example, but expecting them to return it when they're done.) When you send a twitter or email, etc., you don't have any intention of continuing to possess the property. The reason you sent the communication is so that someone else could *receive* it from you, not so they could watch it for you temporarily. When you send a letter to someone you don't continue to possess the letter. The recipient does.

--On Monday, November 09, 2009 10:40 AM -0500 glenn.everh...@chase.com wrote:

The law of bailment applies, I would submit, to information sent on wires. The act of sending something out is not handing it to the public domain (though it may arrive in the public domain, depending on intent). However, the law of bailments seems to have been ignored by many, even though it has been around for hundreds of years. (Mind: I am not a lawyer - have just read some books - and speak for myself.)
Re: [Full-disclosure] How Prosecutors Wiretap Wall Street
The only property in a tweet or email is intellectual property, and that remains the property of the sender... in my jurisdiction, at least, which isn't even a US one.

Also, this is the most pathetic nerd-fight I have seen for many a year.

2009/11/10 Paul Schmehl <pschmehl_li...@tx.rr.com>

I fail to see how that applies. The law of bailment basically means that you continue to own a possession, the physical possession of which you *temporarily* grant to another party. (Allowing someone to drive your car, for example, but expecting them to return it when they're done.) When you send a twitter or email, etc., you don't have any intention of continuing to possess the property. The reason you sent the communication is so that someone else could *receive* it from you, not so they could watch it for you temporarily. When you send a letter to someone you don't continue to possess the letter. The recipient does.