_________________________________________________________________

                  London, Friday, August 02, 2002
_________________________________________________________________
INFOCON News
_________________________________________________________________

IWS - The Information Warfare Site
http://www.iwar.org.uk
_________________________________________________________________

To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe infocon" in the body

To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe infocon" in the body
_________________________________________________________________

----------------------------------------------------
[News Index]
----------------------------------------------------

[1] Senate delays vote on homeland security bill
[2] Bush adviser promotes 'responsible hacking'
[3] Italian police nab top secret website hackers
[4] Cybercafe crackdown threatens oases of privacy in Pakistan
[5] Wi-Fi honeypots a new hacker trap
[6] HP invokes DMCA to quash Tru64 bug report & RF rant
[7] Copyright, Security, and the Hollywood Hacking Bill
[8] When Dreamcasts Attack
[9] Security experts take shots at effort to create new department
[10] Web fraud schemes shut down by authorities
[11] Online newspaper incorrectly reports death of Prince Claus
[12] (UK) First e-elections "within 10 years"
[13] Fair or Foul Way to Fight Pirates?
[14] Are you insured against cybercrime?
[15] Taft scheduled to sign Ohio's anti-spam bill today
[16] New car technology worries US privacy advocates
[17] Trade bill includes billions for border security technology

_________________________________________________________________

News
_________________________________________________________________

[1] Senate delays vote on homeland security bill
By Brody Mullins and Charlie Mitchell, CongressDaily

The Senate delayed a procedural vote on homeland security legislation Thursday until after the August recess - a move that further dampens the chances for Senate approval of a Homeland Security Department by the symbolic deadline of Sept. 11.

Under a deal reached Thursday, senators will vote on a motion to proceed to the homeland legislation soon after returning from the upcoming four-week break. Senators had expected to vote on the motion Friday. However, Senate Appropriations Committee Chairman Robert Byrd, D-W.Va., in a series of speeches, has pleaded with senators to slow down consideration of the bill to ensure that the creation of the new Cabinet-level department gets careful thought.

http://www.govexec.com/dailyfed/0802/080102cd1.htm

----------------------------------------------------

[2] Bush adviser promotes 'responsible hacking'

A White House adviser is urging computer professionals and hackers to do more to help uncover software glitches.

Computer security advisor Richard Clarke has told experts attending the Black Hat conference in Las Vegas they have an obligation to help.

He says their help is needed because most bugs are not found by software makers themselves.

http://www.ananova.com/news/story/sm_641804.html?menu=news.technology
http://www.cnn.com/2002/TECH/internet/08/01/computer.security.ap/index.html

----------------------------------------------------

[3] Italian police nab top secret website hackers

Italian police say they have caught two groups of hackers who broke into top secret US websites, including those run by the army, navy, and the NASA space agency.

Police have identified 14 people, including four minors and several computer workers, who belong to the two groups - one calls itself "Mentor" and the other "Reservoir Dogs".

http://www.abc.net.au/news/scitech/2002/08/item20020802000120_1.htm

----------------------------------------------------

[4] Cybercafe crackdown threatens oases of privacy in Pakistan
Ian Fisher
The New York Times
Friday, August 2, 2002

LAHORE, Pakistan - Shahid Masood is a bit down on the Internet these days. But he has never seen anyone who looks like a terrorist at the cybercafe he owns here.

Mostly, he says, his customers are boys trying to look at naked girls.

"People do not use it in a positive manner," he said in this vibrant city with two universities and many students - enthusiastic customers if not always rich ones. "Most of the people access porn sites. Then it is e-mail and chat sites. Otherwise, there is not much usage of the Internet."

http://www.iht.com/articles/66490.html

----------------------------------------------------

[5] Wi-Fi honeypots a new hacker trap
By Kevin Poulsen, SecurityFocus Online
Posted: 30/07/2002 at 05:16 GMT

Hackers searching for wireless access points in the nation's capital may soon war drive right into a trap. Last month researchers at the government contractor Science Applications International Corporation (SAIC) launched what might be the first organized wireless honeypot, designed to tempt unwary Wi-Fi hackers and bandwidth borrowers and gather data on their techniques and tools of choice.

http://www.theregister.co.uk/content/55/26434.html

----------------------------------------------------

[Rick posted a good rant which is posted below the article's url. WEN]

[6] HP invokes DMCA to quash Tru64 bug report
By John Leyden
Posted: 31/07/2002 at 12:37 GMT

Hewlett Packard has threatened to use computer crime laws and the controversial Digital Millennium Copyright Act to muzzle a group of security researchers who unearthed a flaw in its Tru64 operating system.

The threat comes in a letter to SnoSoft from HP Veep Kent Ferson warning that the security researchers "could be fined up to $500,000 and imprisoned for up to five years" for its role in publishing code that demonstrated the vulnerability, CNET's Declan McCullagh reports.

http://www.theregister.co.uk/content/55/26468.html

---------- Forwarded message ----------
Date: Wed, 31 Jul 2002 09:37:50 -0400
From: Richard Forno <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [infowarrior] - Comment on DMCA, Security, and Vuln Reporting

Given the recent news about HP using DMCA to shutter a Bugtraq disclosure of Tru64 vulnerability, I felt it appropriate to chime in. I hope you find my comments of-value and worthy of relaying onto the list.

The News.Com story with more details is at:
http://news.com.com/2100-1023-947325.html?tag=fd_lede

----------RFF Comments

I find it sadly amusing that technology companies see "security debate" on the same level as "piracy" or "copyright controls." What it really serves as is a corporate secrecy tool and (as was said) cudgel against any and all potential enemies.

HP, in its infinite corporate and legal wisdom - the same wisdom shared by Ken Lay, Jeff Skilling, Fritz "Hollywood" Hollings, and Bernie Ebbers - has opened a Pandora's Box here. Next you'll see folks saying that public disclosure of the generic password on the default Unix "guest" account will be prosecutable under DMCA, or that a given exploit uses a "buffer overflow" to cause its damage is likewise criminal to speak of. It's bad enough that black markers might become illegal, isn't it? But the madness continues.

While I disagree with Adobe's use of DMCA last year against Dmitry, at least their claim was somehow - admittedly tangentially - related to copyright protection. HP's case is just absurd and has nothing to do with copyrights and everything to do with avoiding embarrassment and taking responsibility for their product's shortcomings.

I believe system-level security is MUTUALLY-EXCLUSIVE from copyright protection -- or more accurately, the 'economic security' of the vendors.
Taking reasonable steps - including public disclosure of exploits and their code - to protect a user's system from unauthorized compromise IN NO WAY impacts the copyright rights of HP, unless HP wrote the exploit code that's being publicly shared w/o permission....in which case it's truly their fault then. Regardless, either way you look at it, they're using DMCA to conceal their embarrassment and duck responsibility.

The way we're going, thanks to HP's legal geniuses, we may as well call NIST, NSA, SANS, and IETF to rewrite a new 'industry standard' definition for 'computer security' that places the vendor's profit and public image above the confidentiality, integrity, and availability of end-user data and systems. For all intents and purposes, Congress has already done that with DMCA and Berman's proposed "Hollywood Hacking" Bill -- they just forgot to inform (or seek counsel from) those of us working in the real information security community.

Bleeping idiots. Congress and Corporate America. When it comes to technology policy, neither has the first clue. No wonder we're in the state we're in.

rick
infowarrior.org

--
You are a subscribed member of the infowarrior list. Visit www.infowarrior.org/lists for list information or to unsubscribe. This message may be redistributed freely in its entirety.

----------------------------------------------------

[7] Copyright, Security, and the Hollywood Hacking Bill

Proposed copyright enforcement legislation may circumvent fundamental constitutional protections and create chaos on the Internet.

By Richard Forno
Jul 31, 2002

Copyright enforcement, the attempt by the entertainment industry to prop up their obsolete business models, is increasingly a danger to the legitimate use of information technology and, by extension, the future of the Internet community. The latest troubling development in copyright enforcement is a bill recently introduced in the Congress by Howard Berman (D-CA).
This bill would allow copyright holders to disable computers used to illegally trade copyrighted material, such as music and movies. Copyright holders would be exempt from computer hacking laws, and allowed to disable P2P networks allegedly used in illegal file sharing by various technical means currently prohibited by existing computer crime laws. It would grant copyright holders legal carte blanche to ping, probe, scan, disrupt, attack, and crack remote computer systems or infrastructures to ensure no copyright infringements are taking place. Not only that, but under the bill, the copyright holder is not liable for any damages beyond $50 resulting from their on-line copyright enforcement. (For the full text of the proposed legislation, please click here.)

http://online.securityfocus.com/columnists/99

----------------------------------------------------

[8] When Dreamcasts Attack

White hat hackers use game consoles, handheld PCs to crack networks from the inside out.

By Kevin Poulsen, Jul 31 2002 5:26PM

LAS VEGAS--Cyberpunks will be toting cheap game consoles on their utility belts this fall if they follow the lead of a pair of white hat hackers who demonstrated Wednesday how to turn the defunct Sega Dreamcast into a disposable attack box designed to be dropped like a bug on corporate networks during covert black bag jobs.

The "phone home" technique presented by Aaron Higbee of Foundstone and Chris Davis from RedSiren Technologies at the Black Hat Briefings here takes advantage of the fact that firewalls effective in blocking entry into a private network, are generally permissive in allowing connections the other way around.

http://online.securityfocus.com/news/558

----------------------------------------------------

[9] Security experts take shots at effort to create new department
By Molly M. Peterson, National Journal's Technology Daily

President Bush's proposal to create a Homeland Security Department - and the disparate House and Senate bills to implement the sweeping plan - do not adequately address several issues that are crucial to the government's ability to effectively combat terrorism, several national security experts said Wednesday.

"The problem of intelligence sharing and intelligence fusion is not addressed by this reorganization," Michele Flournoy, a senior adviser for international security at the Center for Strategic and International Studies (CSIS), said during a forum sponsored by the Cato Institute.

Flournoy said the new department should include a "national intelligence fusion center" to improve intelligence agencies' ability to share information with each other and with federal, state and local law enforcement officials. The new department also should establish an information classification system that could enable law enforcement officials to contribute to intelligence analysis projects, she said.

http://www.govexec.com/dailyfed/0702/073102td1.htm

----------------------------------------------------

[10] Web fraud schemes shut down by authorities
By Reuters
July 30, 2002, 11:15 AM PT

Federal and state law enforcement authorities said Tuesday that they had taken action against 19 Internet-based scams they say collectively bilked consumers out of millions of dollars.

Work-at-home schemes, auction fraud, deceptive use of junk e-mail, securities fraud and other schemes were targeted by a broad Internet law enforcement effort including state attorneys general, local law enforcement authorities and a number of federal agencies.

Several cases have been settled already, with punishments ranging from seven-year jail sentences to agreements by defendants to stop their schemes.

http://news.com.com/2100-1017-947219.html?tag=cd_mh

----------------------------------------------------

[11] Online newspaper incorrectly reports death of Prince Claus
25/07/2002
Editor: Joe Figueiredo

On July 24th, the web version of the Dutch daily, the Haagsche Courant, was one of several Dutch online newspapers to incorrectly report the death of Prince Claus, the Dutch prince consort, who is currently lying in intensive care at an Amsterdam hospital.

http://www.europemedia.net/shownews.asp?ArticleID=11704

----------------------------------------------------

[With the current state of security. Not really. WEN]

[12] First e-elections "within 10 years"

Britain could have its first e-general election by the end of the decade, according to the chairman of the Electoral Commission.

But Sam Younger warns that the Government needs to set out a clearer vision of the future of voting if it is to meet its target of an "e-enabled" election sometime after 2006. It believes it would be "premature" to claim it is on track for this goal.

http://www.thisislondon.com/dynamic/news/story.html?in_review_id=656508&in_review_text_id=627443

----------------------------------------------------

[13] Fair or Foul Way to Fight Pirates?

Tech Firms and Hollywood Divided Over Proposed Bill to Stop Piracy

By Peter Barnes, Tech Live Washington, D.C., Bureau Chief

July 31 - Record companies are supporting a new bill in Congress that would let them legally disable peer-to-peer (P2P) networks - and even target individual computers - to fight digital piracy.

Observers say chances are remote that the so-called Peer to Peer Piracy Prevention Act will pass Congress. The proposal represents the latest round in the battle between content companies and technology firms over how to control illegal copying and distribution of copyright material on the Web.

http://abcnews.go.com/sections/scitech/TechTV/techtv_piracybill020731.html

----------------------------------------------------

[14] Are you insured against cybercrime?

Almost certainly not

UK IT directors are largely unaware of the concept of IT insurance, according to a firm which specialises in IT insurance.

http://www.silicon.com/bin/bladerunner?30REQEVENT=&REQAUTH=21046&14001REQSUB=REQINT1=54636

----------------------------------------------------

[15] Taft scheduled to sign Ohio's anti-spam bill today
By Andrew Welsh-Huggins
The Associated Press

COLUMBUS - After someone relayed thousands of pornographic e-mails through a client's Internet connections, Barry Hassler was happy to support an Ohio bill trying to crack down on unwanted e-mail known as spam.

But Mr. Hassler has doubts about the effectiveness of the legislation he supported.

"It's hard to track down the real source of this information to be able to prosecute someone," said Mr. Hassler, founder of HCST, an Internet service provider in suburban Dayton. "To this day, we don't know where these messages originated from."

http://enquirer.com/editions/2002/08/01/loc_taft_scheduled_to.html

----------------------------------------------------

[16] New car technology worries US privacy advocates
14:59 Thursday 1st August 2002
Rachel Konrad, CNET News.com

Data designed to aid emergency workers in case of a crash could fall into the wrong hands say opponents

General Motors will begin installing new sensors and communications systems into vehicles next year that could save lives but might raise privacy concerns.

At a news conference Wednesday, emergency medical doctors and highway safety advocates praised the GM's Advanced Automatic Crash Notification (AACN) as a life-saving system by the giant automaker.

http://news.zdnet.co.uk/story/0,,t271-s2120194,00.html

----------------------------------------------------

[17] Trade bill includes billions for border security technology
By William New, National Journal's Technology Daily

The bill to renew presidential trade-negotiating authority passed by the Senate Thursday includes billions of dollars earmarked for new border security technologies and contains explicit negotiating objectives on e-commerce and services.

The Senate passed the bill, H.R. 3009, by a vote of 64-34. Sections of the bill that would reauthorize the Customs Service have attracted mixed reactions from the high-tech industry and civil liberties groups.

"It's good for Customs, and it's good for the tech industry because it provides the funds to modernize the system and gives us an opportunity to do the work," said former customs attorney Joseph Tasker, now senior vice president at the Information Technology Association of America.

http://www.govexec.com/dailyfed/0802/080102td2.htm

----------------------------------------------------

_____________________________________________________________________

The source material may be copyrighted and all rights are retained by the original author/publisher.

Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________

Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
<http://www.iwar.org.uk>

IWS INFOCON Mailing List
@
IWS - The Information Warfare Site
http://www.iwar.org.uk