[infowarrior] - NYT: Internet Users Thinking Twice Before a Search

2006-01-25 Thread Richard Forno
NYTimes.com January 25, 2006 Internet Users Thinking Twice Before a Search
By KATIE HAFNER

Kathryn Hanson, a former telecommunications engineer who lives in Oakland,
Calif., was looking at BBC News online last week when she came across an
item about a British politician who had resigned over a reported affair
with a rent boy.

It was the first time Ms. Hanson had seen the term, so, in search of a
definition, she typed it into Google. As Ms. Hanson scrolled through the
results, she saw that several of the sites were available only to people
over 18. She suddenly had a frightening thought. Would Google have to
inform the government that she was looking for a rent boy - a young male
prostitute?

Ms. Hanson, 45, immediately told her boyfriend what she had done. "I told
him I'd Googled 'rent boy,' just in case I got whisked off to some Navy
prison in the dead of night," she said.

Ms. Hanson's reaction arose from last week's reports that as part of its
effort to uphold an online pornography law, the Justice Department had
asked a federal judge to compel Google to turn over records on millions of
its users' search queries. Google is resisting the request, but three of its
competitors - Yahoo, MSN and America Online - have turned over similar
information.

[snip]

The full story can be found at: http://tinyurl.com/dgy9k



You are a subscribed member of the infowarrior list. Visit 
www.infowarrior.org for list information or to unsubscribe. This message 
may be redistributed freely in its entirety. Any and all copyrights 
appearing in list messages are maintained by their respective owners.


[infowarrior] - The erosion of anonymous Internet speech

2006-01-25 Thread Richard Forno
The erosion of anonymous Internet speech

By Eric J. Sinrod
http://news.com.com/The+erosion+of+anonymous+Internet+speech/2010-1028_3-6030721.html

Story last modified Wed Jan 25 04:00:00 PST 2006

The First Amendment to the U.S. Constitution safeguards freedom of speech.
The right to speak freely generally includes the right to speak anonymously.
And developing case law holds that the right to speak freely embraces the
liberty to speak anonymously on the Internet.

All well and good, right? Wrong.

A law designed to thwart telephone harassment has been updated and signed
into effect by President Bush. But this is troublesome. The newly updated
law in part prohibits annoying Web postings or e-mails that do not disclose
the true identities of the authors of this speech.

Let's drill down a bit.

While the U.S. constitution places an extremely high value on and provides
protection for free speech, such speech is not completely unbridled. That is
why our nation has a developed body of law pertaining to defamation. In a
nutshell, if someone says something false about someone else that causes
harm to that person, liability and monetary damages may be awarded.

In the context of the Internet, it is not uncommon for people to communicate
using pseudonyms. That allows them to speak freely and openly, without
revealing who they really are. Once in a while, other persons or companies
want to find out the identities of anonymous people who have communicated on
the Internet. This is especially so if they feel that they have been
defamed.

To find out the identities of these anonymous Internet speakers, they at
times must go to the Internet service providers that are the conduits of the
speech at issue. To do that, a John Doe lawsuit usually is filed against
the anonymous speaker at the heart of the matter. From that case, a subpoena
is served on the ISP seeking the identity of the speaker. The anonymous
speaker then has an opportunity to file what is called a motion to quash,
which seeks to bar revelation of his or her identity.

The court then is called upon to rule whether the anonymous speaker's
identity should be disclosed. Because of First Amendment guarantees of
freedom of speech, which the cases hold includes the right to speak
anonymously on the Internet, the court normally will err on the side of
protecting the identity of the speaker. That's unless the party seeking
disclosure can make a prima facie showing upfront in the case that the
speech at issue truly creates liability and that true harm and damage has
ensued.

Against this backdrop of protection of anonymous Internet speech comes the
newly updated law.

The Communications Act has prohibited "the making of telephone calls or the
utilization of telecommunications devices without disclosing (one's)
identity to annoy, abuse, threaten or harass any person at the called number
or who receives the communications." The same law also has been clear that
"the term telecommunications device...does not include an interactive
computer service."

This means this law has not been aimed at Internet communications. Now comes
the huge qualifier.

A small but important provision buried deep in last year's Violence Against
Women and Department of Justice Reauthorization Act, which was just signed
into law, now brings the reach of the above-quoted text home to the
Internet. The provision in question applies to "any device or software that
can be used to originate telecommunications or other types of communications
that are transmitted, in whole or in part, by the Internet."

What does this mean? The Communications Act provides for fines and
imprisonment of up to two years for violations. But taken to a logical, if
extreme, conclusion, it is possible that a person who makes a Web posting or
who sends an e-mail intended simply to annoy someone else while not
disclosing his or her true identity could be subject to fines and jail time.

So much for freedom of speech as well as for appropriate Internet anonymity.
There is no requirement of harm to trigger the impact of this new law, and
the annoyance standard raises a number of concerns.

For example, certain speech could be true but still annoying. Should such
speech be stifled? Some annoying speech can lead to very positive
change--whether the speech is directed at government, companies or
individuals. Plus, an annoyance standard is quite amorphous and subject to a
multitude of interpretations.

While cyberstalking certainly should be prevented, we should be careful not
to erode our constitutionally protected rights.


Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.






[infowarrior] - Privacy for People Who Don't Show Their Navels

2006-01-25 Thread Richard Forno
Privacy for People Who Don't Show Their Navels
By JONATHAN D. GLATER

http://tinyurl.com/72mp3

IT may be easy to forget that there are people who want to remain anonymous
on the Web while the online world is full of those who happily post pictures
of themselves and their navels for all to see. But interest in software that
allows people to send e-mail messages that cannot be traced to their source
or to maintain anonymous blogs has quietly increased over the last few
years, say experts who monitor Internet security and privacy.

"People in the world are more interested in anonymity now than they were in
the 1990's, when the popularity of the Internet first surged," said Chris
Palmer, technology manager at the Electronic Frontier Foundation, a
nonprofit group in San Francisco dedicated to protecting issues like free
speech on the Web.

Increasingly, consumers appear to be downloading free anonymity software
like Tor, which makes it harder to trace visits to Web sites, online posts,
instant messages and other communication forms back to their authors. Sales
are also up at companies like Anonymizer.com, which among other things sells
software that protects anonymity.

"I get the feeling it's going up," said Roger Dingledine, Tor's project
leader. "But one of the features I've been adding recently," he said,
"enhances anonymity protection by making it harder to count downloads of the
software." Still, the number of servers forming layers in the Tor network has
risen to 300 from 50 in the last year, Mr. Dingledine added.

A few reasons exist for the surge, which is hard to measure - it is nearly
impossible to track how many people have made themselves invisible online.
People who want to continue to swap music via the Internet but fear lawsuits
brought by the recording industry want to hide their identity. Some people
wish to describe personal experiences that could land them in jail. And some
Web authors share their thoughts about repressive regimes and face
government reprisal if they are caught.

"The more equipment is acquired and produced by a repressive regime, the
more important anonymity is," said Julien Pain, who heads the Internet
freedom desk for Reporters Without Borders, an advocacy group that supports
press freedom. The group has produced a guide,
www.rsf.org/rubrique.php3?id_rubrique=542, for bloggers trying to protect
their identities.

"We realized that bloggers were being arrested everywhere in the world," Mr.
Pain said. One blogger in Nepal, for example, may risk arrest every time he
comments on the country's monarchy, he said.

"The problem is, you have on one side states with a lot of money," he said.
"On the other side, you have small businesses and nongovernmental
organizations." Law enforcement or other government agencies have tremendous
legal and technological resources to discover the identities and locations
of people communicating online, though consumer software can make the task
more difficult.

Despite the increased interest in anonymity, software companies have moved
away from marketing products that protect identities, said Chris Jay
Hoofnagle, senior counsel and director of the Electronic Privacy Information
Center's office in San Francisco, a public research group that focuses on
privacy and free speech issues.

"When I came into this field, it was on the heels of the failure of a number
of companies that tried very hard to create privacy enhancing technologies,"
Mr. Hoofnagle said.

Now, though, people are more concerned about defenses that block unwanted
e-mail messages and hackers seeking to steal bank accounts, credit card
numbers or whole identities, said Alex Fowler, co-head of the national
privacy practice at PricewaterhouseCoopers.

"The visibility and awareness of these issues goes much deeper into the
general public than it did even five or six years ago," Mr. Fowler said.

Despite increased interest in anonymity and security, some providers of
online anonymity protection have not been able to turn their products into
successful businesses. People who want to communicate anonymously may not
want anyone to know that they have obtained software to do so, and some of
the available software is free, including the Java Anonymous Proxy
(anon.inf.tu-dresden.de/index_en.html).

Tor, first financed by the United States Department of Defense, received
support from the Electronic Frontier Foundation for a year, but the money
has run out, and Mr. Dingledine is working on the project unpaid and is
looking for sponsors.

Tor uses onion routing, in which layers of servers separate computer users
from the Web sites they visit to hide a user's location. The software is
easily installed and operates in the background, simply adding icons in
Windows.

To make sure it is working, users can visit a site like www.showmyip.com and
verify that their Internet Protocol address has changed. If it has, the
software is working. The software may slow browsing, because Web pages must
be transmitted through 

[infowarrior] - Well-done.....Georgetown student protest Gonzales speech

2006-01-25 Thread Richard Forno


http://insomnia.livejournal.com/652389.html?nc=2style=mine

Alberto Gonzales spoke before law students at Georgetown today, justifying
illegal, unauthorized surveillance of US citizens, but during the course of
his speech the students in class did something pretty ballsy and brave. They
got up from their seats and turned their backs to him.

To make matters worse for Gonzales, additional students came into the room,
wearing black cowls and carrying a simple banner, written on a sheet.

Fortunately for him, it was a brief speech... followed by a panel discussion
that basically ripped his argument a new A--hole.

And, as one of the people on the panel said,

"When you're a law student, they tell you that if you can't argue the
law, argue the facts. They also tell you if you can't argue the facts, argue
the law. If you can't argue either, apparently, the solution is to go on a
public relations offensive and make it a political issue... to say over and
over again it's lawful, and to think that the American people will somehow
come to believe this if we say it often enough.

In light of this, I'm proud of the very civil civil disobedience that was
shown here today."

- David Cole, Georgetown University Law Professor

It was a good day for dissent.





[infowarrior] - Sexy booth babes face fines at video game show

2006-01-25 Thread Richard Forno
it's ok to shoot hookers in San Andreas, but bikini-clad women in a
convention center are a definite no-no..

Sexy booth babes face fines at video game show

Tue Jan 24, 1:58 PM ET
http://news.yahoo.com/s/nm/20060124/tc_nm/media_videogames_dc

LOS ANGELES (Reuters) - The video game industry's 2006 E3Expo trade show in
Los Angeles is getting a make-over -- banned are the swarms of sexy,
semi-clad booth babes that in years past took the unveiling of new games
and technology to titillating new levels.

Rules prohibiting the use of scantily clad young women to peddle video games
are nothing new, but the handbook for this year's show in May outlines tough
new penalties, including a $5,000 fine on the spot for the booth owner if
the booth babe is semi-clad.

"What's new in 2006 is an update and clarification of the enforcement
policies; as we do from time to time, we have taken steps to ensure that
exhibitors are familiar with the policy and how it will be enforced," Mary
Dolaher, E3Expo show director, said in an e-mail.

She did not comment on the reasons for the change.

The video game industry has come under fire from federal and local
politicians, who want to limit sales of violent and sexually explicit games
to minors.

The handbook from the Entertainment Software Association, the show's
promoter, says: "Material, including live models, conduct that is sexually
explicit and/or sexually provocative, including but not limited to nudity,
partial nudity and bathing suit bottoms, are prohibited on the show floor,
all common areas, and at any access points to the show."

Exhibitors would receive one verbal warning when a violation occurs. Upon a
second violation, the ESA said it would impose a $5,000 penalty, payable
immediately on the site. It would also require that models comply with the
dress code before returning to the floor.

ESA said it has sole discretion to determine what is acceptable. 





[infowarrior] - High-Def Forced To Down-Convert

2006-01-25 Thread Richard Forno

From: Monty Solomon [EMAIL PROTECTED]

HIGH-DEF FORCED TO DOWN-CONVERT
In deal reached by eight-company consortium
By Paul Sweeting  1/23/2006

Some buyers of HD DVD and Blu-ray Disc players might not get
everything they bargained for.

In a deal reached this week after tense negotiations, the
eight-company consortium behind the Advanced Access Content System,
created for use by both high-def formats to prevent unauthorized
copying, has agreed to require hardware makers to bar some high-def
signals from being sent from players to displays over analog
connections, sources said.

Instead, the affected analog signal must be down-converted from the
full 1920x1080 lines of resolution the players are capable of
outputting to 960x540 lines--a resolution closer to standard DVDs
than to high-def. Standard DVDs are typically encoded at 720
horizontal by 480 vertical lines of resolution.

The 960x540 standard stipulated in the AACS agreement represents 50%
higher resolution than standard-def, but only one-quarter the
resolution of full high-def. Whether a particular movie is
down-converted will be up to the studio.

The players will be required to recognize and respond to a digital
flag, called an Image Constraint Token, inserted into the movie data.

If the flag is set to on, the player must down-convert the analog
signal. If set to off, the player can pass the full high-def signal
over the analog connections.

The studios are divided over whether to require such down-conversion
and are likely to follow separate policies.

Hardware makers had generally resisted the requirement, but under the
new deal, ICT recognition will be included in the AACS license that
all device makers and playback software vendors will have to sign.

...


http://www.dvdexclusive.com/article.asp?articleID=2657





[infowarrior] - Analog Hole Bill Would Impose a Secret Law

2006-01-24 Thread Richard Forno
Analog Hole Bill Would Impose a Secret Law
Monday January 23, 2006 by Ed Felten
http://www.freedom-to-tinker.com/?p=958

If you've been reading here lately, you know that I'm no fan of the
Sensenbrenner/Conyers analog hole bill. The bill would require almost all
analog video devices to implement two technologies called CGMS-A and VEIL.
CGMS-A is reasonably well known, but the VEIL content protection technology
is relatively new. I wanted to learn more about it.

So I emailed the company that sells VEIL and asked for a copy of the
specification. I figured I would be able to get it. After all, the bill
would make compliance with the VEIL spec mandatory -- the spec would in
effect be part of the law. Surely, I thought, they're not proposing passing
a secret law. Surely they're not going to say that the citizenry isn't
allowed to know what's in the law that Congress is considering. We're
talking about television here, not national security.

After some discussion, the company helpfully explained that I could get the
spec, if I first signed their license agreement. The agreement requires me
(a) to pay them $10,000, and (b) to promise not to talk to anybody about
what is in the spec. In other words, I can know the contents of the bill
Congress is debating, but only if I pay $10k to a private party, and only if
I promise not to tell anybody what is in the bill or engage in public debate
about it.

Worse yet, this license covers only half of the technology: the VEIL
decoder, which detects VEIL signals. There is no way you or I can find out
about the encoder technology that puts VEIL signals into video.

The details of this technology are important for evaluating this bill. How
much would the proposed law increase the cost of televisions? How much would
it limit the future development of TV technology? How likely is the
technology to mistakenly block authorized copying? How adaptable is the
technology to the future? All of these questions are important in debating
the bill. And none of them can be answered if the technology part of the
bill is secret.

Which brings us to the most interesting question of all: Are the members of
Congress themselves, and their staffers, allowed to see the spec and talk
about it openly? Are they allowed to consult experts for advice? Or are the
full contents of this bill secret even from the lawmakers who are
considering it?





[infowarrior] - CRS legal analysis on PATRIOT Act reauth

2006-01-24 Thread Richard Forno
(c/o Secrecy News)

PATRIOT ACT REAUTHORIZATION: A LEGAL ANALYSIS (CRS)

The existing controversy over reauthorization of the USA Patriot Act --
portions of which will sunset if they are not renewed -- acquired a new
dimension with the disclosure last month of an NSA domestic surveillance
operation.

Some now argue that the Patriot Act should not be reauthorized before the
Bush Administration's claims of inherent presidential authority to conduct
domestic intelligence surveillance outside of the framework of law (FISA)
are confronted and clarified.

"The extensive new powers requested by the executive branch in its proposal
to extend and enlarge the Patriot Act should under no circumstances be
granted unless and until there are adequate and enforceable safeguards to
protect the Constitution and the rights of the American people against the
kinds of abuses that have so recently been revealed," said former Vice
President Al Gore in a January 16, 2006 speech.

Much of the Patriot Act is unobjectionable to anyone, and some of it is
positively sensible. But it also has controversial provisions on national
security letters as well as several totally extraneous provisions inserted
by House Republicans.

A detailed assessment of the entire piece of legislation was prepared by the
Congressional Research Service. A copy was obtained by Secrecy News.

See USA PATRIOT Improvement and Reauthorization Act of 2005 (H.R. 3199): A
Legal Analysis of the Conference Bill, January 17, 2006:
http://www.fas.org/sgp/crs/intel/RL33239.pdf





[infowarrior] - Debunking the WMF backdoor

2006-01-24 Thread Richard Forno
Debunking the WMF backdoor
Thomas C. Greene, 2006-01-23
http://www.securityfocus.com/columnists/382?ref=rss

Claims that the WMF vulnerability was an intentional backdoor into Windows
systems makes for an interesting conspiracy theory, but doesn't fit with the
facts.

Contrary to a recent rumor circulating on the internet, Microsoft did not
intentionally back-door the majority of Windows systems by means of the WMF
vulnerability. Although it is a serious issue that should be patched
straight away, the idea that it's a secret back door is quite preposterous.

The rumor began when popinjay expert Steve Gibson examined an unofficial
patch issued by Ilfak Guilfanov, and, due to his lack of security
experience, observed behavior that he could not explain by means other than
a Microsoft conspiracy. He then went on to speculate publicly about this via
a This Week in Tech podcast, and on his own web site. Slashdot grabbed the
story, and the result is a fair number of Netizens who now mistakenly
believe that the WMF flaw was created with malicious intent.

What it is

We think it's time that this irrational fear is put to rest. First, let's
look at how the flaw works: A WMF (Windows Metafile) image can trigger the
execution of arbitrary code because the rendering engine, shimgvw.dll,
supports the SetAbortProc API, which was originally intended as a means to
cancel a print task, say when the printer is busy with a very large job, or
the queue is very long, or there is a mechanical problem, and so on.
Unfortunately, due to a bit of careless coding, it is possible to cause
shimgvw.dll (i.e., the Windows Picture and Fax Viewer) to execute code when
SetAbortProc is invoked.

A metafile is essentially a script to play back graphical device interface
(GDI) calls when a rendering task is initiated. Unfortunately, and due
entirely to Microsoft's carelessness whenever security competes with
functionality, it is possible to point the abort procedure to arbitrary code
embedded in a metafile.
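Added here as an illustration of the mechanism the column describes (this is not code from the column, from Microsoft or from any patch): a small Python triage routine that walks a WMF record stream and flags any META_ESCAPE record whose escape code is SETABORTPROC, the record through which the abort procedure gets pointed at bytes inside the metafile. The record layout and constants follow the documented WMF format and wingdi.h; the two sample files are constructed inline and the "suspect" one carries placeholder bytes, not code.

```python
import struct

# WMF record function numbers and the GDI escape code (wingdi.h).
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape sub-function that registers an abort procedure
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header that may precede the file


def parse_wmf_records(data: bytes):
    """Walk a WMF record stream; returns [(offset, function, params), ...].

    Each record is RecordSize (uint32, in 16-bit words, counting itself and the
    function field), RecordFunction (uint16), then the parameters. Raises
    ValueError on a truncated or internally inconsistent file.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mtype, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError(f"bad record size at offset {off}")
        records.append((off, func, data[off + 6:off + size]))
        off += size
        if func == META_EOF:
            break
    return records


def find_setabortproc(data: bytes):
    """One dict per META_ESCAPE record whose escape code is SETABORTPROC.

    An ordinary image has no reason to register an abort procedure, so a hit
    is a strong reason to quarantine the file for analysis. This is a triage
    heuristic only; the lenient GDI parser is the reason patching, not
    filtering, is the real fix.
    """
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func != META_ESCAPE or len(params) < 4:
            continue
        escape, byte_count = struct.unpack_from("<HH", params, 0)
        if escape == SETABORTPROC:
            hits.append({"offset": off, "escape_bytes": byte_count})
    return hits


# --- constructed fixtures (not real samples) --------------------------------

def _record(func: int, params: bytes = b"") -> bytes:
    assert len(params) % 2 == 0, "WMF records are word-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records) -> bytes:
    """Assemble a minimal in-memory WMF (type 1, 9-word header)."""
    body = b"".join(records)
    header = struct.pack("<HHHIHIH",
                         1, 9, 0x0300,
                         (18 + len(body)) // 2,            # total size in words
                         0,                                # object count
                         max(len(r) // 2 for r in records),  # largest record, words
                         0)
    return header + body


BENIGN_WMF = build_wmf([
    _record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    _record(META_EOF),
])

# Same drawing plus an escape record registering an abort procedure; the four
# bytes after the escape header are a placeholder ("XXXX"), not code.
SUSPECT_WMF = build_wmf([
    _record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"XXXX"),
    _record(META_EOF),
])


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        print(name, find_setabortproc(blob))
```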

Gibson could not imagine why WMF rendering should need the SetAbortProc API,
since, as he mistakenly believed, WMF outputs to a screen, not a printer. In
fact, it can output to a printer as well. But following Gibson's erroneous
assumption, the question arose: what would be the point of polling the
process and allowing the user, or application, to cancel it?

Having exhausted his imagination on that score, he concluded that there's no
good reason for SetAbortProc to be involved in handling metafiles. The more
logical explanation, Gibson reckoned, was that someone at Microsoft had
deliberately back-doored Windows with this peculiar little stuff-up. And
besides, the idea of compromising a computer with an image file seemed quite
cloak-and-dagger, adding to the supposed mystery.

Nothing new here

To anyone well acquainted with Windows security, hence Microsoft's
insistence on ease of use whatever the cost, the idea of intentional
mischief along these lines is immediately suspect. Microsoft still
encourages users to run Windows as administrators, because it believes that
logging in is too much trouble for the average point-and-drool civilian. It
enables scores of potentially dangerous networking services by default, lest
anyone struggle to enable them as needed; and its security scheme for IE -
which, instead of distrusting Web content by default, forces the user to
decide whose content to trust and whose not to - is essentially a means of
skirting responsibility by blaming the victim for the crushing burden of
malware they are carrying.

Microsoft has made a pudding of security from its earliest days, and no
amount of malicious intent can possibly account for this. The company's
obsession with ease of use is more than adequate to account for this and
thousands of other security snafus like it.

Furthermore, the WMF flaw doesn't make for a good backdoor, assuming that
one would like to target a user, or class of users. For example, IE is not
in itself vulnerable; the problem comes when the system renders online WMF
files with shimgvw.dll. So luring a Windows user to a malicious web site is
no guarantee that they will be affected, while many others, who are not
targets, might well be affected. Similarly, when sending a malicious WMF
file via e-mail or IM, there is no guarantee that the intended target or
targets will be vulnerable. And there are plenty of other types of malicious
file that can be sent or placed on line in a similar manner, so there is no
distinct advantage to using WMF. It is not a powerful back door.

Finally, Microsoft doesn't need this as a back door; it already has one:
Windows Automatic Update. It's got Windows boxes phoning home without user
interaction, identifying themselves, and downloading and installing code in
the background. Technically speaking, it would not be difficult for the
company to pervert this process subtly, and effectively, to target certain
machines for malware. But naturally, there is no 

[infowarrior] - Bounty: Dual-Boot an IntelMac

2006-01-24 Thread Richard Forno
http://winxponmac.com/The%20Contest.html

My MacBook is shipping on the 15th of February. I told my boss that this
would replace my IBM desktop and I could boot Windows XP on it. I am still
confident it can be done. I am pledging $100 of my own money and offering
anyone else who would like the instructions on how to Dual boot these two
operating systems the ability to donate some of their money into the pot as
a reward for the person / group that can make dual-booting Mac OS X and
Windows XP happen on an Intel Mac. Good Luck,


The Rules
1. Instructions must boot Windows XP (at least), not Vista or any other
version of Windows.
2. Windows must be able to coexist with Mac OS X and each system may not
interfere with the operation of the other (basically a traditional dual boot
system where one OS is running at a time)
3. Your method, upon starting the computer, must offer the user to boot
either OS X or Windows XP (hint: GRUB)
4. The first person to email complete instructions, including pictures of
the boot process to [EMAIL PROTECTED] will be the winner. Instructions
will be peer reviewed once they are received and once the solution is
guaranteed working, the prize money will be transferred via paypal
5. You give this website the rights to post your solution
6. If it is determined impossible to boot Windows on the Mac by March 23,
2006, all donations will be donated to a charitable cause (please send
suggestions to [EMAIL PROTECTED]). If you donated prior to 2006/01/23
2:10pm CST, and you do not wish to donate to charity, I will return your
money minus the paypal fee

http://winxponmac.com/The%20Contest.html





[infowarrior] - Intel Macs only one fourth, not four times faster - report

2006-01-24 Thread Richard Forno
Original URL: 
http://www.reghardware.co.uk/2006/01/23/intel_macs_25pc_faster/
Intel Macs only one fourth, not four times faster - report
By Andrew Orlowski in San Francisco
Published Monday 23rd January 2006 19:41 GMT

Comment Don't say we didn't warn you. But when the world's last great
computer company decided to tie its fortunes to the world's slowest chip
company, the reality was never going to match the hype.

Macworld has gotten hold of the x86 iMacs and run some benchmarks
(http://www.macworld.com/2006/01/features/imaclabtest1/index.php). There's
lots of good news for speed-starved Mac users. The iMac boots in 25 seconds,
and shaves the time taken to perform some mathematically-intensive tasks by
a third.

But on the whole, the results show a speed bump of only a measly quarter
over today's overclocked G4 and new G5 processors.

"Unfortunately, our tests suggest that the remarkable results of Apple's
published tests aren't reflected in most of the real-world applications we
tested. Based on our initial tests, the new Core-Duo-based iMac seems to be
10-20 per cent faster than its predecessor when it comes to native
applications, with some select tasks showing improvement above and beyond
that," writes Macworld's Jason Snell.

So at this stage, the empirical evidence suggests quite a different story to
the "4x improvement over the G5" projected by the reality distortion field
of Apple CEO Steve Jobs, and quoted in Apple literature. Apple quotes a 2x
improvement for x86 Macs over their G5 predecessors. And yet it's barely 25
per cent.

Under the Rosetta emulation - a British invention from Manchester - PPC
applications running in x86 performed at about half speed. With the
exception of iTunes, which encoded audio files a third as fast as it would
have done running on a decent processor, such as the IBM G5.

So what can we conclude from this?

Well, it's worth examining what Apple really wants from a move to Intel. If
we look hard, then better performance per watt or even simply better
performance doesn't make for the most convincing explanation.

Only once in the past two decades has Intel been able to claim the
performance crown, very briefly in late 1995 when its Pentium Pro knocked
DEC's Alpha chip off the top of the benchmarks. On desktop performance
alone, Intel has been bested for several years by AMD's far more competitive
Athlon chip. Intel's next generation 64-bit processor Itanium is a billion
dollar dud, and it failed to crank much advantage out of the deep-pipelined
Pentium 4, which always ran hotter, and more inefficiently, than generations
of Athlon or RISC processors. So last year Intel finally tore up its
roadmaps, abandoning its Athlon-killer P7 core for future desktops, and
leaving us to look forward to derivatives of third-generation mobile chips.
These will be powering Microsoft PCs - and now Apple computers, too - for
the next few years.

When Microsoft chose a next-generation chip for its Xbox 360 console -
something expected to have a life of five years - it chose a dual-core
PowerPC processor, the platform Apple was abandoning.

For all his legendary power of persuasion, Jobs doesn't seem to have much
luck with microprocessor suppliers. He failed to persuade Motorola to invest
in the G4 and failed to persuade IBM to provide competitive chips for Apple,
although IBM has been able to pull a rabbit out of the hat for Microsoft,
and an alliance with Sony and IBM for Cell-based hardware should be a potent
combination.

So Intel makes a lot of chips, but they're never the best. Tell us something
new, you're thinking.

Why did Apple move to Intel, then, really?

Intel justifiably remains one of the most lauded companies on the planet not
for the quality of its chips, but for its consistent innovation in
production. It's a manufacturing company first and foremost, and its R&D is
geared towards keeping its facilities full.

What falls off the end of the Intel production doesn't really matter.

This hardly helps you, dear reader, as you're waiting for a window to
refresh, or a QuickTime export to finish, but it's the reason for Intel's
importance in the global economy, when superior products from Texas
Instruments, IBM and AMD are available. The markets demand consistency, and
only Intel can satisfy the need for consistent production levels without
some disruption.

So where does this fit in to Apple's future plans? With iPod revenues now
matching computer revenues, the computer business is now far less important
to Apple than it was. And more importantly, consumer music devices is where
all the growth is.

Putting Intel Inside was never the smartest technical decision. But it makes
it easier for Apple to move to a software licensing business for Mac OS X,
or sell the computer business completely.

For now, perhaps Apple's creative agency can do something with a snail. 



[infowarrior] - UPN, WB to Combine to Form New Network

2006-01-24 Thread Richard Forno
UPN, WB to Combine to Form New Network
http://www.washingtonpost.com/wp-dyn/content/article/2006/01/24/AR2006012400657.html

By SETH SUTEL
The Associated Press
Tuesday, January 24, 2006; 12:01 PM

NEW YORK -- Two small, struggling television networks, UPN and WB, will
merge to form a new network called The CW, executives from the companies
that own them said Tuesday.

The announcement was made by executives from CBS Corp., which owns UPN, and
Warner Bros., a unit of Time Warner Inc., which owns WB.

Both UPN and WB had struggled to compete against larger rivals in the
broadcast TV business, including Walt Disney Co.'s ABC, News Corp.'s Fox,
General Electric Co.'s NBC and CBS Corp.'s CBS.

The new network will launch in the fall, the executives said, and both UPN
and WB will shut down. It will be a 50-50 partnership between Warner Bros.
and CBS, and the network will be carried on stations owned by the Tribune
Co., which is a minority owner of the WB network.

Among the Tribune's TV stations that will join the new network are its
flagship WGN in Chicago as well as WPIX in New York, and KTLA in Los
Angeles.

Leslie Moonves, chief executive of CBS Corp., said the new network will air
30 hours of programming seven days a week aimed in part at young audiences.

Barry Meyer, the head of Warner Bros., said the network would be run by the
current executives of UPN and WB.




[infowarrior] - Verizon Slapped for Crippling Bluetooth

2006-01-24 Thread Richard Forno
Verizon Slapped for Crippling Bluetooth
http://us.gizmodo.com/gadgets/cellphones/verizon-slapped-for-crippling-bluetooth-150376.php

Verizon has been getting weasely with some of its customers in California
who bought its Motorola v710 Bluetooth-"capable" phone on or before January
31, 2005. Preliminary approval of the settlement was granted in a California
court for a class-action suit against the company because it didn't
accurately tell prospective customers that its Bluetooth features weren't
what they appeared to be. Verizon said the phone "works with a PC" but left
out that part about how you can't wirelessly sync photos or contacts or any
other files using Bluetooth. Small detail, Verizon.

Customers who fell for the scheme will have their choice of a $25 credit,
the right to cancel the service without further fees along with a refund, or
credit toward a new handset if they want to stay with Verizon. Sounds like a
slap on the wrist to the telecom giant. Perhaps the company should be
required to state "We Cripple Bluetooth" on all its advertisements. When, oh
when will this greedy, clueless company stop crippling Bluetooth? Verizon
should be setting up a website to handle the class-action claims soon. 




[infowarrior] - White House on PR path over domestic surveillance

2006-01-23 Thread Richard Forno
White House on PR path over domestic surveillance

By James Gerstenzang, Tribune Newspapers: Los Angeles Times; Times staff
writers Peter Wallsten and Greg Miller contributed to this report
Published January 22, 2006
http://www.chicagotribune.com/news/nationworld/chi-0601220429jan22,1,1331353.story?coll=chi-newsnationworld-hed

WASHINGTON -- The Bush administration is launching an aggressive effort to
convince Americans that a National Security Agency program of domestic
eavesdropping is legal and justified.

With public opinion polls indicating that Americans are evenly divided over
the program, President Bush's top political lieutenants on Friday used the
surveillance program in speeches to Republican activists as a weapon against
Democrats.

The president and other senior administration officials had shied away from
talking extensively about the NSA's program of monitoring certain phone
calls and other communication between Americans and persons overseas. The
program immediately became controversial when it was revealed last month,
because the monitoring occurred without court approval. Bush had secretly
approved it after the Sept. 11 terrorist attacks.

The president and other senior officials will be making a series of speeches
and visits this week in Washington and beyond. They are trying to build new
support for the program two weeks before the Senate begins hearings on it,
while also taking advantage of underlying public support for aggressive
actions intended to head off terrorist strikes.

Bush is expected to deal with the issue during a planned speech Monday in
Kansas. At the same time, Lt. Gen. Michael Hayden, the deputy director of
national intelligence who headed the NSA when the eavesdropping program was
developed, is scheduled to speak at the National Press Club.

On Tuesday, Atty. Gen. Alberto Gonzales is to deliver a speech about the
spying, and on Wednesday Bush will visit the NSA headquarters outside
Washington.

We are stepping up our efforts to educate the American people about this
vital tool in the war on terrorism ahead of the congressional hearing
scheduled for early February, White House press secretary Scott McClellan
said.

Many Democrats say that Bush, by authorizing the NSA to intercept some phone
calls without approval from a special national security court, violated the
1978 law regulating intelligence-gathering in the United States.

Congress spent seven years considering and enacting the Foreign
Intelligence Surveillance Act, Sen. Edward Kennedy (D-Mass.) said Friday in
a written statement. It was not a hastily conceived idea. Now, the
administration has made a unilateral decision that congressional and
judicial oversight can be discarded, in spite of what the law obviously
requires. We need a thorough investigation of these activities.

Beyond making its legal arguments, the administration is reaching out to the
court of public opinion. Republican political operatives have discerned what
they believe is the program's political potential.

Asked which is their greater concern, that the government's anti-terrorism
policies had not gone far enough to protect the country or had gone too far
in restricting civil liberties, 46 percent of those surveyed in a recent
poll said the government had not done enough. Some 33 percent said it had
gone too far.

The poll, conducted Jan. 4-8 by the Pew Research Center for the People and
the Press, also found that 48 percent of respondents thought that
monitoring Americans suspected of terrorist ties without court permission
was generally right, and 47 percent thought it was generally wrong.

In short, said Andrew Kohut, the center's director, a surveillance program
that had drawn sharp criticism when it was first disclosed has been
transformed from an accusation to a debatable issue. Support for the
administration's eavesdropping program, Kohut said, hinges on people seeing
this as going after the bad guys rather than as an infringement on civil
liberties.

Republicans believe the spying debate works in their favor, allowing them to
paint Democrats as weak on terrorism.

Ken Mehlman, the Republican National Committee chairman, told reporters on
the sidelines of the GOP's winter meeting in Washington on Friday that the
program would be a crucial element of the party's strategy in this year's
congressional campaign.








[infowarrior] - Supreme Court Rejects BlackBerry Appeal

2006-01-23 Thread Richard Forno
Supreme Court Rejects BlackBerry Appeal
http://www.washingtonpost.com/wp-dyn/content/article/2006/01/23/AR2006012300512_pf.html

By Yuki Noguchi
Washington Post Staff Writer
Monday, January 23, 2006; 1:00 PM

The Supreme Court today rejected a petition from BlackBerry maker Research
in Motion Ltd. for a rehearing of its patent-infringement case.

The Canadian maker of the popular wireless e-mail device has been locked in
litigation against NTP Inc., a McLean-based patent-holding company that
holds the licenses for the technology.

RIM may face a court-ordered shut down of most of its 4 million BlackBerrys
in the United States if it cannot settle its case with NTP.

The company has said, however, that is developing a technological
work-around that skirts the patent infringement. RIM has also asked the U.S.
Patent and Trademark Office to review NTP's patents with the hopes that they
would be declared invalid.

In 2002, a jury found RIM violated several key NTP patents and ordered it to
pay royalties, which as of November had accrued to more than $250 million.

The Supreme Court's denial closed the final path for RIM to avoid
liability, NTP said in a statement today. NTP is an investor in RIM
competitor Good Technology Inc., and has licensing agreements with other
wireless e-mail companies, such as Nokia Corp. and Visto Inc.

A spokesman for RIM played down the significance of today's ruling. RIM has
consistently acknowledged that Supreme Court review is granted in only a
small percentage of cases and we were not banking on Supreme Court review,
marketing vice president Mark Guibert said in a statement. The Patent
Office continues its reexaminations with special dispatch, RIM's legal
arguments for the District Court remain strong and our software work-around
designs remain a solid contingency.
© 2006 The Washington Post Company




[infowarrior] - Yahoo, MS: No personal data surrendered

2006-01-23 Thread Richard Forno

(I wonder if Google's resistance hadn't made frontpage news, if these
companies would even be saying anything right now...rf)


Yahoo, MS: No personal data surrendered
http://upi.com/NewsTrack/view.php?StoryID=20060123-031414-2463r

WASHINGTON, Jan. 23 (UPI) -- Yahoo and Microsoft say they did not turn over
any private information to the government when they complied with a
subpoena.

Google has refused to comply with the demand to supply six months of search
data. The Justice Department is seeking the information in an effort to
revive the Child Online Protection Act, which was overturned two years ago
by the Supreme Court, by determining whether filtering software does the job
of keeping children away from hardcore porn sites.

Both Microsoft and Yahoo say that they provided data that contained nothing
that would allow the government to identify specific users of their search
engines, the San Jose Mercury News reported.

While Google's refusal to comply with the subpoena is based on claims of
shielding proprietary information, privacy is clearly an issue.

Google's acceding to the request would suggest it is willing to reveal
information about those who use its services, Ashok Ramani, a lawyer
representing Google, said in a letter to the Justice Department. This is
not a perception that Google can accept.

© Copyright 2006 United Press International, Inc. All Rights Reserved




[infowarrior] - Text of GEN Hayden remarks on NSA spying

2006-01-23 Thread Richard Forno
23 January 2006

Source: http://www.dni.gov/release_letter_012306.html

REMARKS BY

GENERAL MICHAEL V. HAYDEN

PRINCIPAL DEPUTY DIRECTOR OF NATIONAL INTELLIGENCE

AND

FORMER DIRECTOR OF THE NATIONAL SECURITY AGENCY

ADDRESS TO THE NATIONAL PRESS CLUB

WHAT AMERICAN INTELLIGENCE & ESPECIALLY THE NSA HAVE BEEN DOING TO DEFEND
THE NATION

NATIONAL PRESS CLUB

WASHINGTON, D.C.

10:00 A.M. EST

MONDAY, JANUARY 23, 2006

MR. HILL: Good morning. My name is Keith Hill. I'm an editor/writer with the
Bureau of National Affairs, Press Club governor and vice chair of the club's
Newsmaker Committee, and I'll be today's moderator.

Today, we have General Michael Hayden, principal deputy director of National
Intelligence with the Office of National Intelligence, who will talk about
the recent controversy surrounding the National Security Agency's
warrantless monitoring of communications of suspected al Qaeda terrorists.

General Hayden, who's been in this position since last April, is currently
the highest ranking military intelligence officer in the armed services, and
he also knows a little something about this controversy because in his
previous life he was NSA director when the NSA monitoring program began in
2000 -- 2001, sorry.

So with that, I will turn the podium over to General Hayden.

GEN. HAYDEN: Keith, thanks. Good morning. I'm happy to be here to talk a bit
about what American intelligence has been doing and especially what NSA has
been doing to defend the nation.

Now, as Keith points out, I'm here today not only as Ambassador John
Negroponte's deputy in the Office of the Director of National Intelligence,
I'm also here as the former director of the National Security Agency, a post
I took in March of 1999 and left only last spring.

Serious issues have been raised in recent weeks, and discussion of serious
issues should be based on facts. There's a lot of information out there
right now.

Some of it is, frankly, inaccurate. Much of it is just simply misunderstood.
I'm here to tell the American people what NSA has been doing and why. And
perhaps more importantly, what NSA has not been doing.

Now, admittedly, this is a little hard to do while protecting our country's
intelligence sources and methods. And, frankly, people in my line of work
generally don't like to talk about what they've done until it becomes a
subject on the History Channel. But let me make one thing very clear. As
challenging as this morning might be, this is the speech I want to give. I
much prefer being here with you today telling you about the things we have
done when there hasn't been an attack on the homeland. This is a far easier
presentation to make than the ones I had to give four years ago telling
audiences like you what we hadn't done in the days and months leading up to
the tragic events of September 11th.

Today's story isn't an easy one to tell in this kind of unclassified
environment, but it is by far the brief I prefer to present.

Now, I know we all have searing memories of the morning of September 11th. I
know I do. Making the decision to evacuate non-essential workers at NSA
while the situation was unclear; seeing the NSA counterterrorism shop in
tears while we were tacking up blackout curtains around their windows; like
many of you, making that phone call, asking my wife to find our kids, and
then hanging up the phone on her.

Another memory for me comes two days later -- that's the 13th of September
-- when I addressed the NSA workforce to lay out our mission in a new
environment. It was a short video talk; we beamed it throughout our
headquarters at Fort Meade and globally throughout our global enterprise.
Now, most of what I said was what anyone would expect. I tried to inspire:
our work was important; the nation was depending on us. I tried to comfort:
Look on the bright side, I said to them, right now a quarter billion
Americans wish they had your job, being able to go after the enemy.

I ended the talk by trying to give a little perspective. I noted that all
free peoples have had to balance the demands of liberty with the demands of
security, and historically, historically we Americans have been able to
plant our flag well down the spectrum toward liberty. Here was our
challenge, I said, and I'm quoting from that presentation: We are going to
keep America free by making Americans feel safe again.

But to start the story with that Thursday, December 13th, is a bit
misleading. It's a little bit like coming in near the end of the first reel
of a movie. To understand that moment and that statement, you would have to
know a little bit about what had happened to the National Security Agency in
the preceding years.

Look, NSA intercepts communications, and it does so for only one purpose --
to protect the lives, the liberties and the well-being of the citizens of
the United States from those who would do us harm. By the late 1990s, that
job was becoming increasingly more difficult. The explosion of modern
communications 

[infowarrior] - The Recording Industry's Confusion

2006-01-23 Thread Richard Forno


http://biz.yahoo.com/ap/060123/france_music_downloads.html?.v=1

 But for record companies, the growth of legitimate downloads and the
partial victory against piracy have come at a price. Many in the industry
are concerned that the scramble to license out catalog for digital sales has
done lasting damage to profitability.


Piracy is bad for us. Legitimate sales of music online are bad for us, too.

Anyone else think the recording industry has gone completely nuts?? -rf





[infowarrior] - Intel Core Duo problems, so quickly after release?

2006-01-23 Thread Richard Forno

http://geek.com/news/geeknews/2006Jan/bch20060123034350.htm

Today is January 23, 2006, making it less than 20 days since the Core Duo
was officially released, and T-minus ?? days until Core Solo is officially
released. Yet, if we turn to Intel's Errata documentation for the Core Duo
and Core Solo lines, we already find 34 known problems. That averages out to
an error-and-a-half found every day since the chips were released.

 snip 

Still, the Core Duo and Core Solo processors are just out of the gates, and
this high number of immediate errata should leave one a little chilled, I'd
say. Releasing a brand new processor with 34 known errors seems almost
criminal to me, especially with some of the more obnoxious ones highlighted
above.

If you're thinking about buying a Core Duo-based machine, you might want to
stop by Intel's documentation department and pick up the latest errata
updates, which are promised to be released on the following dates: February
15, March 15, April 19, May 17, June 14, July 19, August 16, September 13,
October 18, November 15, December 13.

http://geek.com/news/geeknews/2006Jan/bch20060123034350.htm




[infowarrior] - Windows Vista device drivers to require digital signatures

2006-01-23 Thread Richard Forno
Digital Signatures for Kernel Modules on x64-based Systems Running Windows
Vista
Updated: January 19, 2006
http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx

For Windows Vista and later versions of the Windows family of operating
systems, kernel-mode software must have a digital signature to load on
x64-based computer systems.

This paper describes how to manage the signing process for kernel-mode code
for Windows Vista, including how to obtain a Publisher Identity Certificate
(PIC), guidelines for protecting keys, and how to sign a driver package by
using tools that are provided in the Windows Driver Kit (WDK).

Why digital signatures? For both consumer and enterprise users of Windows
around the world, protecting personal and corporate data remains a top
concern. Microsoft is committed to implementing new ways to help restrict
the spread of malicious software. Digital signatures for kernel-mode
software are an important way to ensure security on computer systems.

Digital signatures allow the administrator or end user who is installing
Windows-based software to know whether a legitimate publisher has provided
the software package. When users choose to send Windows Error Reporting data
to Microsoft after a fault or other error occurs, Microsoft can analyze the
data to know which publishers' software was running on the system at the
time of the error. Software publishers can then use the information provided
by Microsoft to find and fix problems in their software.

What this means for Windows Vista. To increase the safety and stability of
the Microsoft Windows platform, beginning with Windows Vista:

- Users who are not administrators cannot install unsigned device drivers.

- Drivers must be signed for devices that stream protected content. This
  includes audio drivers that use Protected User Mode Audio (PUMA) and
  Protected Audio Path (PAP), and video device drivers that handle protected
  video path-output protection management (PVP-OPM) commands.

- Unsigned kernel-mode software will not load and will not run on x64-based
  systems.

  Note: Even users with administrator privileges cannot load unsigned
  kernel-mode code on x64-based systems. This applies for any software module
  that loads in kernel mode, including device drivers, filter drivers, and
  kernel services.

- To optimize the performance of driver verification at boot time, boot-driver
  binaries must have an embedded Publisher Identity Certificate (PIC) in
  addition to the signed .cat file for the package.

What this means for software publishers. For vendors who publish kernel-mode
software, this policy has the following effects:

- For any kernel-mode component that is not already signed, publishers must
  obtain and use a PIC to sign all 64-bit kernel-mode software that will run
  on x64-based systems running Windows Vista. This includes kernel-mode
  services software.

- Publishers who provide 64-bit device driver or other kernel-mode software
  that is already signed through the Windows Logo Program or that has a Driver
  Reliability Signature do not need to take additional steps, except for the
  special case of boot-start drivers.

- Drivers for boot-start devices must include an embedded PIC. This
  requirement applies for these devices: CD-ROM, disk drivers, ATA/ATAPI
  controllers, mouse and other pointing devices, SCSI and RAID controllers,
  and system devices.

This information applies for the following operating systems:
Microsoft Windows Vista (for x64-based systems)
Microsoft Windows Server code name Longhorn
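As an added illustration (not part of the Microsoft paper or of this list post), the PowerShell below audits the property the x64 loader enforces: whether each kernel-mode driver binary on a system carries an Authenticode signature that verifies. It relies only on the built-in Get-AuthenticodeSignature cmdlet; the driver directory is an assumed default, and the function name is mine.

```powershell
# Added example, not from the Microsoft paper: report the Authenticode
# signature state of kernel-mode driver binaries. $DriverDir is an assumed
# default; point it at a mounted offline image to audit a system before boot.
function Get-DriverSignatureReport {
    param([string]$DriverDir = "$env:SystemRoot\System32\drivers")

    Get-ChildItem -Path $DriverDir -Filter *.sys -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Driver = $_.Name
                # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                # Without a timestamp, verification depends on the signing
                # certificate still being inside its validity period.
                Timestamped = [bool]$sig.TimeStamperCertificate
            }
        }
}

$report = Get-DriverSignatureReport

# Anything that is not Valid is the triage list. A NotSigned result for an
# inbox driver usually means it is signed only through a package catalog
# (.cat) that this cmdlet did not resolve, which is why the paper requires
# boot-start drivers to carry an embedded PIC instead of relying on catalog
# lookup at boot time.
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
$report | Group-Object Status | Select-Object Name, Count
```

Run it from an elevated prompt so every driver file is readable; the second table gives the overall count per status and the first table the individual binaries that need a closer look (signer subject, hash mismatch, or no signature at all).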




[infowarrior] - Forgot What You Searched For? Google Didn't

2006-01-21 Thread Richard Forno
Forgot What You Searched For? Google Didn't

By Leslie Walker
Saturday, January 21, 2006; D01

http://www.washingtonpost.com/wp-dyn/content/article/2006/01/20/AR2006012001799_pf.html

The Justice Department may have done us all a big favor by issuing subpoenas
to Internet search engines to find out what people are researching online.

Not because that data could help shield children from online porn, which was
the government's stated goal in demanding data from Google and three other
search firms.

Rather, the request -- and Google's refusal to fork over its search data --
is putting a helpful public spotlight on the vast amount of personal
information being stored, parsed and who knows what else by the Web services
we increasingly rely on to manage our lives.

Even though the government has demanded no personal information -- only a
list of Web queries divorced from the names of those submitting them --
Google is resisting partly on grounds that turning over the data might
create a public perception that it would readily cough up personal factoids,
if asked.

So that raises the question: What, exactly, does Google know about us?

In my case, a lot.

I've done a great deal of beta testing of Google services, including Gmail,
Orkut social networking, Froogle shopping lists, personal search and a
custom home page. Most are linked by my Gmail address and account name.

Google has a wealth of data about me, especially through its personal search
service, a tool that only collects data on you if you elect to turn it on,
as I have.

That service gives me -- along with Google, and maybe the government should
it ever suspect me of a crime -- access to every query I've typed while
signed into Google, organized by a clickable calendar.

Clicking on Nov. 3 produces a page listing all 27 queries I submitted
while signed into Google that day. I'm not sure I'd want the government to
see the ones on panties and underpants. (Sorry, but I'm not going to
tell you why I entered those words, except to say it was unrelated to porn.)
And it's no one's business why I looked up Herman Miller chair, redhead
or Ocean City either.

My stored history is so detailed it shows I clicked on none of the results
from those queries, but I did click on results from four searches that day.
The five sites I visited are even listed.

Google doesn't keep such detailed data on anonymous users who don't sign in.
Unless users tweak their Web browser settings, Google stores a tracking
cookie or small file on each user's computer to store items such as the
address of their computer, type of Web browser used, and date and time of
each query submitted.

A Google spokesman said that data are not currently correlated with each
user's search query, but Google's technology and privacy policies would
allow the company to do so if it chose.

Search histories already are creeping into criminal trials. A North Carolina
man, Robert Petrick, who was convicted in November of murdering his wife,
ran suspicious Internet searches immediately before and after she was dumped
in a lake. His queries? Body decomposition, rigor mortis, neck, snap
and break, along with topics relating to the depth of the lake where her
body turned up.

Those searches were stored on the hard drives of the computers Petrick used,
but they could just as easily have been stored by Google had Petrick turned
on the archiving feature that I use.

Our personal search histories are highly sensitive information -- and
obviously open to misinterpretation -- because they offer such a unique view
into what we are thinking. Most of us routinely ask Google questions about
religion, social behavior, sex, work -- whatever pops into our heads.

And those queries are mere rocks in a growing mountain of profiling data
about us being compiled by many other Web services, not just Google. Over at
Amazon, hackers or government investigators might have a field day if they
gained access to the 171 items on my supposedly private wish list. (I'm
too lazy to ever delete anything, and I use Amazon's wish list as a
bookmarking tool.)

It's one thing for our personal data to be stored on our own computers,
which theoretically we could erase (a harder task than it seems, actually)
whenever we choose. It's quite another to have so much personal activity
logged and analyzed by distant, impersonal Web sites. There is simply no
telling how much long-term control we are giving up over our digital
reputations in these still-early days of the Web.

So if the government scares people into thinking more about their own
Internet histories by slapping subpoenas on the search engines, maybe that's
not a bad thing.
© 2006 The Washington Post Company




[infowarrior] - Cringley on Wiretapping: Hitler on Line One

2006-01-21 Thread Richard Forno
Hitler on Line One
There's a Long History of Intercepting Foreign Communications, and Some of
It May Have Been Legal

http://www.pbs.org/cringely/pulpit/pulpit20060119.html

By Robert X. Cringely

Who is listening-in on your phone calls? Probably nobody. Right now, there
is huge interest in phone tapping in the United States because the Bush
Administration (through the National Security Agency) was caught listening
in without appropriate court orders. What I have noticed is that, for all
the talking and writing on this subject, there seems to be very little real
information being presented. So this column is my attempt to share what I've
learned about the topic. It might surprise you.

Intercepting communications for purposes of maintaining national security is
nothing new. From before Pearl Harbor through 1945, EVERY trans-Atlantic
phone call, cable and indeed letter was intercepted in Bermuda by the
Coordinator of Information (COI) in the White House and later by the Office
of Strategic Services (OSS). Sir William Stephenson revealed this in his
autobiography, A Man Called Intrepid. They literally tapped the undersea
cables and shipped all post to Europe through Bermuda, where every single
call was monitored, every cable printed out, and every letter opened. FDR
and Churchill needed intelligence and they took the steps they needed to get
it.

The computer monitoring of cell phone conversations pales in both scale and
significance. One fun fact from that monitoring: The CEO of International
Telephone & Telegraph (ITT) reportedly spoke with Adolf Hitler on the phone
from New York City every week of the war. According to the book The
Sovereign State of ITT, the call was placed from New York to South America,
and then used a cable from South America to Berlin. Key companies that
maintained the German telephone network were ITT subsidiaries at that time,
and communications were obviously of strategic importance for Germany; thus
Hitler needed to speak with the CEO every week. ITT never stopped running
the German phones during the war and were evidently allowed to continue
doing so to gather just this sort of intelligence (that's me putting a
positive spin on a disturbingly ambiguous relationship). So information
technology's ability to eliminate borders in warfare is nothing new, even
though it seemed to take the New York Times by surprise!

Following the war, the Bell Operating Companies cooperated in national
security wiretapping for years based only on the delivery of the so-called
Hoover Letter, under the hand of FBI Director J. Edgar Hoover. As a result
of that cooperation, AT&T was ultimately the defendant in 18 national
security lawsuits, all of which involved wiretaps of U.S. citizens' domestic
communications where there was no prior judicial authorization. The trial
court and the D.C. Circuit Court of Appeals decided that AT&T had not
violated any constitutional right or law. Keep in mind that international
calls or communications were not at issue.

In 1967, the U.S. Supreme Court ruled that telephone surveillance was
technically a search, and thus prohibited by the Fourth Amendment to the
Constitution unless conducted with a court order. In 1972 the Supreme Court
handed down a unanimous opinion that clarified the scope of the Executive
Branch to engage in wiretapping without prior judicial approval, saying that
the Nixon Administration needed warrants for every domestic phone and wire
tap. Even after this decision, however, the Executive Branch continued to
conduct electronic surveillance of international communications without
prior judicial approval (Republican and Democratic administrations alike),
according to people working in these areas for the phone company at that
time. Because the objects of those searches were presumed not to be U.S.
citizens (whether they actually were or not), the taps were allowed.

Jumping to the present day, in the United States there were two categories
of phone taps and two major laws governing phone taps -- that is until the
Bush Administration invented whole new versions of both. The two laws are
the Community Assistance for Law Enforcement Act (CALEA) and the Foreign
Intelligence Surveillance Act (FISA). CALEA is for domestic wiretaps and
FISA is for international wiretaps. Each requires a report to Congress every
year and for the 2004 year (the most recent reported) each had slightly over
1700 qualifying wiretaps. Each law also requires a court order for every
tap, though under FISA there is some leeway, and in theory such court orders
can be obtained retroactively in any case within 72 hours.

To this point what we have been considering are technically called
intercepts -- listening to phone calls and recording the information they
contain. Most phone taps in the U.S. aren't conducted that way at all. On
top of the approximately 3,500 CALEA and FISA intercepts conducted each
year, there are another 75,000 domestic phone taps called pen/traps by the
telephone 

[infowarrior] - In the interest of helping journalists cover Oracle..

2006-01-20 Thread Richard Forno
(c/o Jericho)

http://www.osvdb.org/blog/?p=86

In the interest of helping journalists cover Oracle.. perhaps they should
just move to a templated form to save time?

---

By [YOUR_NAME]
[YOUR TITLE], [YOUR PUBLICATION]
[DATE]

Oracle released on [DAY_OF_WEEK] fixes for a [LONG/HUGE/MONSTROUS] list of
security vulnerabilities in [ONE/MANY/ALL] of its products. The quarterly
patch contained patches for [NUMBER] vulnerabilities.

Titled Critical Patch Update, the patch provides
[FIXES/REMEDIES/MITIGATION] for [NUMBER] flaws in the Database products,
[NUMBER] flaws in the Application Server, [NUMBER] flaws in the
Collaboration Suite, [NUMBER] of flaws in the E-Business Suite, [NUMBER]
of flaws in the PeopleSoft Enterprise Portal, and [NUMBER] of flaws in the
[NEW_TECHNOLOGY_OR_ACQUISITION].

Many of the flaws have been deemed critical by Oracle, meaning they are
trivial to exploit, were likely discovered around 880 days ago, and are
trivially abused by low to moderately skilled
[HACKERS/ATTACKERS/CRACKERS].

[DULL_QUOTE_FROM_COMPANY_WHO_DISCOVERED_NONE_OF_THE_FLAWS] security
company [COMPANY] said yesterday as they upped their internet risk warning
system number (IRWSN) to [ARBITRARY_NUMBER]. This is another example of
why our products will help protect customers who chose to deploy Oracle
software [ARBITRARY_CSO_NAME] stated.

[COMPLETELY_BULLSHIT_QUOTE_ABOUT_PROACTIVE_SECURITY_FROM_ORACLE
countered Mary Ann Davidson, CSO at Oracle. These hackers providing us
with free security testing and showing their impatience after 880 days are
what causes problems. If these jackass criminals would stop being hackers,
our products would not be broken into and our customers would stay safe!

Oracle has been criticized for being slow to fix security flaws by
everyone ranging from L0rD D1cKw4v3R to US-CERT to the Pope.






[infowarrior] - Senators threaten new Net porn crackdown

2006-01-20 Thread Richard Forno
Senators threaten new Net porn crackdown

By Declan McCullagh
http://news.com.com/Senators+threaten+new+Net+porn+crackdown/2100-1028_3-6029005.html

Story last modified Thu Jan 19 16:44:00 PST 2006

WASHINGTON--U.S. senators on Thursday blasted what they called an
explosion in Internet pornography and threatened to enact new laws aimed
at targeting sexually explicit Web sites.

At an afternoon hearing convened here by the Senate Commerce Committee,
Chairman Ted Stevens, an Alaska Republican, lashed out at an adult
entertainment industry representative, saying that the industry needs to
take swift moves to devise a rating system and to clearly mark all its
material as adult only.

I think any adult producer would agree, said Paul Cambria, counsel to the
Adult Freedom Foundation, which represents companies offering lawful
adult-oriented entertainment. It would just be a matter of organizing the
industry, he added.

My advice is you tell your clients they better do it soon, because we'll
mandate it if they don't, Stevens said.

Though it wasn't mentioned at the hearing, Web browsers have long supported
the Internet standard called PICS, or Platform for Internet Content
Selection. Internet Explorer, for instance, permits parents to disable
access to Web sites rated as violent or sexually explicit.

Many adult Web sites have voluntarily labeled themselves as sexually
explicit. Playboy.com and Penthouse.com, for instance, rate themselves using
a variant of PICS created by the nonprofit Internet Content Rating
Association.

In addition, mandatory rating systems have frequently been struck down by
courts as an affront to the First Amendment's guarantee of freedom of
expression. Judges have ruled it unconstitutional for governments to enforce
the Motion Picture Association of America's movie-rating system. The Supreme
Court has said that the right to speak freely encompasses the right not to
speak--including the right not to be forced to self-label.

Sen. Blanche Lincoln, an Arkansas Democrat, talked up her bill that she and
a handful of Democrats announced last year. It proposes a 25 percent excise
tax on revenue from most adult-oriented sites and a requirement that all
such sites use an age-verification system.

Too few adult Web sites are taking the extra step to create another
obstacle, another barrier, that can keep youngsters from accessing or
stumbling on pornography, Lincoln said.

The proposals at Thursday's hearing were uncannily reminiscent of similar
complaints from politicians a decade ago. In January 1996, Congress approved
the Communications Decency Act, which was soundly rejected by the U.S.
Supreme Court. Congress also approved a ban on computer-generated child
pornography--which was also shot down by the justices on free-speech
grounds.

The hearing occurred one day after U.S. Justice Department lawyers filed
paperwork in a California federal court in an attempt to force Google to
turn over logs from its search engine. The reason, the Justice Department
said, is to prepare for an October 2006 trial over a lawsuit from the
American Civil Liberties Union challenging the Child Online Protection Act.

That 1998 law, which restricts the posting of sexually explicit material
deemed harmful to minors on commercial Web sites, was effectively frozen
through a 2004 Supreme Court decision. The justices forwarded it back to a
lower court for a full trial.

On the Google case, what is your reaction to Google's position that (the
Justice Department's request) is an invasion of their privacy? Sen. Daniel
Inouye, the committee's top-ranking Democrat, asked Bush administration
representatives.

Deputy Assistant Attorney General Laura Parsky declined to comment, saying
it was a dispute currently before the courts.

Parsky and an FBI official applauded the idea of new laws, saying they would
welcome additional tools from Congress but were doing the best with what
they had now.

But congressional intervention has historically provided anything but a
panacea to the availability of pornography online, said Tim Lordan,
executive director of the Internet Education Foundation, a nonprofit group
that counts representatives from America Online, VeriSign and the World Wide
Web Consortium among its board members.

Sen. Inouye of Hawaii took a similarly cautious stance, pointing to a poll
that said 70 percent of parents were concerned about pornography but at the
same time didn't want the government to step in.

My concern is that this matter has incensed members of Congress to agree
that if the industry is not going to act upon it, Congress will, he said.
And often times Congress does a lousy job. 





[infowarrior] - DRM Becomes a Balancing Act

2006-01-20 Thread Richard Forno
DRM Becomes a Balancing Act

By Ed Sutherland

http://www.internetnews.com/stats/article.php/3578746

Companies walk a tightrope when it comes to protecting copyrighted work with
Digital Rights Management (DRM), according to a new report. 

Sony's recent DRM fiasco highlighted the tightrope content producers are
currently walking, according to Ben Macklin of eMarketer.

Getting DRM right is made even more important as more people turn to the
Internet for audio and video. By 2008, nearly half of U.S. broadband
subscribers (76.5 million people) will use online digital content, according
to eMarketer.

Just 31 percent of Internet users consumed digital content in 2004. By 2010,
78 percent of U.S. households will subscribe to broadband, according to Todd
Chanko, an analyst with JupiterResearch. (JupiterResearch and
internetnews.com are owned by Jupitermedia.)

Television remains the content king, attracting 1 billion households
worldwide.

New channels for broadband are emerging, with approximately 30 million
broadband users accessing online audio and video content each week in the
U.S. in order to share or record digital content, according to Macklin.

Content providers can either get a piece of the action, or risk having
their content avoided because of tight restrictions from DRM and restrictive
terms-of-service agreements, according to the report entitled Digital
Rights Management: Finding the Right Balance.

Used effectively, DRM technologies have the potential to open up these new
channels to traditional publishers and producers, said Macklin.

In November Sony recalled nearly 50 CDs after consumers charged the music
giant was using a form of DRM, possibly opening computers to malware. Aside
from the rootkit, Sony was being generous allowing three copies to be made,
said Chanko.

What mistake did Sony make when implementing a DRM for CDs?

According to Chanko, it was a terrifyingly simple one. They underestimated
the fallout from the impact of their DRM on people's PCs.

He added that an unintended result from the Sony DRM episode may be greater
attention by consumers on individual recording companies. Previously,
consumers focused on the artist.






[infowarrior] - Account Hijackings Force LiveJournal Changes

2006-01-20 Thread Richard Forno
http://blogs.washingtonpost.com/securityfix/

Account Hijackings Force LiveJournal Changes

LiveJournal, an online community that boasts nearly 2 million active
members, on Thursday announced sitewide changes for users logging into their
accounts -- changes prompted by a hacker group's successful hijacking of
potentially hundreds of thousands of user accounts.

In an alert posted to its user forum, LiveJournal said it was instituting
new login procedures for users because recent changes to a popular browser
have enabled malicious users to potentially gain control of your account.
Company officials could not be immediately reached for comment. I also put
in a query to Six Apart, which owns LiveJournal (and the service we use to
produce this blog), but have yet to hear from them either.

An established hacker group known as Bantown (I would not recommend
visiting their site at work) claimed responsibility for the break-in, which
it said was made possible due to a series of Javascript security flaws in
the LiveJournal site.

A trusted source in the security community put me in touch with this group,
and several Bantown members spoke at length in an online instant-message
chat with Security Fix. During the chat, members of the group claimed to
have used the Javascript holes to hijack more than 900,000 LiveJournal
accounts. (Although I quote some of them in this post, I have chosen to omit
their individual hacker handles -- not because we're trying to protect their
identities, but because a few of them could be considered a tad obscene.)

LiveJournal's stats page says the company has more than 9.2 million
registered accounts, but that only 1.9 million of them are active in some
way. The largest percentage of users are located in the United States and
Russia.

Bantown members said they created hundreds of dummy member accounts
featuring Web links that used the Javascript flaws to steal cookies (small
text files on a Web-browsing computer that can be used to identify the user)
from people who clicked on the links. Armed with those cookies, the hackers
were then able to either log in as the victim, or arbitrarily post or delete
entries on the victim's personal page.
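Two server-side controls that blunt the attack just described, as an added example written for this page in Python (not LiveJournal's code): user-posted links are rendered only when their URL scheme is on an allowlist, and the session cookie is issued with HttpOnly so page script cannot read it even if a markup flaw slips through. Function and cookie names are assumed.

```python
"""Hardening for user-supplied links and session cookies (added example)."""
import html
import re
from urllib.parse import urlsplit

# Control characters (including tab and newline) that browsers drop inside a
# URL; they are used to disguise a scheme, e.g. "java\tscript:".  We drop them
# first so the scheme check sees what the browser would see.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
ALLOWED_SCHEMES = {"http", "https"}
_TOKEN = re.compile(r"[A-Za-z0-9_\-]+")


def normalize_href(raw: str) -> str:
    """Return the URL as a browser would interpret it before the scheme check."""
    return _CONTROL.sub("", raw.strip())


def is_safe_href(raw: str) -> bool:
    """True only for absolute http(s) URLs that carry a host.

    Rejects javascript:, data:, vbscript: and friends, protocol-relative
    "//host/..." links, and "http:foo" without a host.
    """
    try:
        parts = urlsplit(normalize_href(raw))
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def render_user_link(href: str, text: str) -> str:
    """Render a user-posted link as HTML, or as plain escaped text if unsafe.

    Both href and link text are HTML-escaped, so a pre-encoded payload such
    as "&#106;avascript:" is emitted inert as "&amp;#106;avascript:".
    """
    safe_text = html.escape(text, quote=True)
    if not is_safe_href(href):
        return safe_text
    safe_href = html.escape(normalize_href(href), quote=True)
    return f'<a href="{safe_href}" rel="nofollow">{safe_text}</a>'


def session_cookie_header(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie value that page script cannot read.

    HttpOnly keeps document.cookie from exposing the session id, Secure
    restricts it to TLS, and SameSite=Lax limits cross-site sending.
    """
    if not _TOKEN.fullmatch(name) or not _TOKEN.fullmatch(value):
        raise ValueError("cookie name and value must be token characters")
    return (f"{name}={value}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    # Constructed inputs: one hostile link, one ordinary link.
    print(render_user_link("javascript:alert(1)", "my journal"))
    print(render_user_link("http://example.com/journal?id=1&view=2", "my journal"))
    print(session_cookie_header("ljsession", "abc123"))
```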

It is impossible to know how many of these are nonfunctional, but we have
an 85% success rate on usage, so it may be fair to state that 85% of those
are valid, one member of Bantown told Security Fix. However, we have only
used approximately five hundred of these cookies so far, so it is impossible
to tell whether this sample is statistically valid. Still, a massive number
have been compromised.

Normally, sites like LiveJournal prohibit the automated creation of accounts
by using so-called captcha images, online Turing Tests that require the
user to read a series of slightly malformed numbers and letters and input
them into a Web site form before a new account can be created. The idea is
to stymie automated programs created by spammers who try to register new
accounts for the sole purpose of using them to hawk their wares.

But Bantown claims to have figured out a way to subvert that test, and to
have even released a free, open-source program that others could use to do
the same.

According to Bantown, the group has been doing this for months, and
LiveJournal was only alerted to the problem after the specially crafted URLs
the hackers created started setting off antivirus warnings when some users
clicked on the links.

What eventually led LiveJournal to discover and patch our first
vulnerability is that McAfee's full [computer security] suite actually has
some preliminary protection against cross-site scripting attacks, one group
member said.

It is unclear whether LiveJournal has managed to close the security holes
that the hackers claim to have used. The company says it has, but the
hackers insist there are still at least 16 other similar Javascript flaws on
the LiveJournal site that could be used to conduct the same attack.

Group members said they plan to turn their attention to looking for similar
flaws at another large social-networking site.

Anytime you have large groups of computer users aggregating at such places,
they are going to be seen as a target-rich environment by hackers and hacker
groups. Over the past several months, a number of exploits have been
released to help users or attackers circumvent the security of online
forums.

So far, the damage has been mostly harmless. The most high-profile case so
far came in mid-October when one Myspace.com user released a
self-replicating computer worm that took advantage of Javascript flaws to
add more than a million fellow users to his buddy list. A similar worm hit
the online community Xanga on New Year's eve (there is also some strong
language at this link.)




[infowarrior] - How to Foil Search Engine Snoops

2006-01-20 Thread Richard Forno
How to Foil Search Engine Snoops
http://www.wired.com/news/technology/1,70051-0.html

By Ryan Singel

On Thursday, The Mercury News reported that the Justice Department has
subpoenaed search-engine records in its defense of the Child Online
Protection Act, or COPA. Google, whose corporate credo famously includes the
admonishment Don't Be Evil, is fighting the request for a week's worth of
search engine queries. Other search engines have already complied.

The government isn't asking for search engine users' identifying data -- at
least not yet. But for those worried about what companies or federal
investigators might do with such records in the future, here's a primer on
how search logs work, and how to avoid being writ large within them.

Why do search engines save logs of search terms?
Search companies use logs and data-mining techniques to tune their engines
and deliver focused advertising, as well as to create cool features such as
Google Zeitgeist. They also use them to help with local searches and return
more relevant, personalized search results.

How does a search engine tie a search to a user?
If you have never logged in to a search engine's site, or a partner service
like Google's Gmail offering, the company probably doesn't know your name.
But it connects your searches through a cookie, which has a unique
identifying number. Using its cookies, Google will remember all searches
from your browser. It might also link searches by a user's IP address.

How long do cookies last?
It varies. Yahoo sets a cookie that expires in June 2006. A new cookie from
Google expires in 2036.

What if you sign in to a service?
If you sign in on Google's personalized homepage or Yahoo's homepage, the
companies can then correlate your search history with any other information,
such as your name, that you give them.

Why should anyone worry about the government requesting search logs or
bother to disguise their search history?
Some people simply don't like the idea of their search history being tied to
their personal lives. Others don't know what the information could be used
for, but worry that the search companies could find surprising uses for that
data that may invade privacy in the future.

For example, if you use Google's Gmail and web optimizing software, the
company could correlate everyone you've e-mailed, all the websites you've
visited after a search and even all the words you misspell in queries.

What's the first thing people should do who worry about their search
history?
Cookie management helps. Those who want to avoid a permanent record should
delete their cookies at least once a week. Other options might be to
obliterate certain cookies when a browser is closed and avoid logging in to
other services, such as web mail, offered by a search engine.

How do you do that with your browser?
In Firefox, you can go into the privacy preference dialog and open Cookies.
From there you can remove your search engine cookies and click the box that
says: Don't allow sites that set removed cookies to set future cookies.

In Safari, try the free and versatile PithHelmet plug-in. You can let some
cookies in temporarily, decide that some can last longer or prohibit some
sites, including third-party advertisers, from setting cookies at all.

While Internet Explorer's tools are not quite as flexible, you can manage
your cookies through the Tools menu by following these instructions.
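The weekly purge recommended above, turned into a check you can run against a Netscape-format cookies.txt file (the format Firefox used at the time): it lists cookies for search-engine hosts that would still be alive more than a week from now, such as the 2036 Google cookie mentioned earlier, and produces a copy of the file with them removed. This is an added example, not part of the article; the cookie file, host list and "now" timestamp are constructed.

```python
"""Audit a cookies.txt file for long-lived search-engine cookies (added example)."""
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple

# Assumed list of search-engine hosts to watch; extend as needed.
SEARCH_HOSTS = ("google.com", "yahoo.com", "msn.com", "aol.com")
WEEK = timedelta(days=7)


class Cookie(NamedTuple):
    domain: str
    path: str
    expires: int   # unix seconds; 0 means a session cookie
    name: str
    value: str
    line: str      # original line, kept so the file can be rewritten


def parse_cookies_txt(text: str) -> List[Cookie]:
    """Parse the 7-field, tab-separated Netscape cookie format; skip comments."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line; a real tool would report it
        domain, _subdomains, path, _secure, expires, name, value = fields
        cookies.append(Cookie(domain, path, int(expires), name, value, line))
    return cookies


def is_search_host(domain: str) -> bool:
    """Match the cookie domain (with or without a leading dot) to a watched host."""
    d = domain.lstrip(".").lower()
    return any(d == h or d.endswith("." + h) for h in SEARCH_HOSTS)


def long_lived_search_cookies(cookies: List[Cookie], now: datetime) -> List[Cookie]:
    """Search-engine cookies that would outlive the weekly purge."""
    cutoff = (now + WEEK).timestamp()
    return [c for c in cookies if is_search_host(c.domain) and c.expires > cutoff]


def describe(cookie: Cookie, now: datetime) -> str:
    """One human-readable report line for a flagged cookie."""
    exp = datetime.fromtimestamp(cookie.expires, tz=timezone.utc)
    days = (exp - now).days
    return f"{cookie.domain}\t{cookie.name}\texpires {exp:%Y-%m-%d} ({days} days from now)"


def scrub(text: str, now: datetime) -> str:
    """Return the cookies.txt content with the flagged cookies removed."""
    drop = {c.line for c in long_lived_search_cookies(parse_cookies_txt(text), now)}
    return "\n".join(l for l in text.splitlines() if l not in drop) + "\n"


# Constructed sample file; expiry values are 2036-01-01 and 2006-06-30 (UTC).
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File (constructed sample)",
    ".google.com\tTRUE\t/\tFALSE\t2082758400\tPREF\tID=constructed",
    ".yahoo.com\tTRUE\t/\tFALSE\t1151625600\tB\tconstructed",
    "www.google.com\tFALSE\t/\tFALSE\t0\tS\tsession-only",
    ".example.org\tTRUE\t/\tFALSE\t2082758400\ttheme\tdark",
])
NOW = datetime(2006, 1, 20, tzinfo=timezone.utc)  # constructed "today"

if __name__ == "__main__":
    for c in long_lived_search_cookies(parse_cookies_txt(SAMPLE), NOW):
        print(describe(c, NOW))
    print(scrub(SAMPLE, NOW))
```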

Have search histories ever been used to prosecute someone?
Robert Petrick was convicted in November 2005 of murdering his wife, in part
based on evidence that he had googled the words neck, snap and break.
But police obtained his search history from an examination of his computer,
not from Google.

Can I see mine?
Usually, no. But if you want to trace your own Google search histories and
see trends, and you don't mind if the company uses the information to
personalize search results, you can sign up for Google's beta search history
service.

Could search histories be used in civil cases?
Certainly. Google may well be fighting the government simply on principle --
or, as court papers suggest, to keep outsiders from using Google's
proprietary database for free. But a business case can also be made that if
users knew the company regularly turned over their records wholesale to the
government, they might curtail their use of the site.

A related question is whether Google or any other search engine would fight
a subpoena from a divorce attorney, or protest a more focused subpoena from
local police who want information on someone they say is making
methamphetamines.

What if I want more anonymity than simply deleting my cookie when I'm
searching?
If you are doing any search you wouldn't print on a T-shirt, consider using
Tor, The Onion Router. An EFF-sponsored service, Tor helps anonymize your
web traffic by bouncing it between volunteer servers. It masks the origins
and makes it easier to evade filters, such as those installed by 

[infowarrior] - New Senate Broadcast Flag Bill Would Freeze Fair Use

2006-01-20 Thread Richard Forno
New Senate Broadcast Flag Bill Would Freeze Fair Use
January 20, 2006
http://www.eff.org/deeplinks/archives/004340.php

Draft legislation making the rounds in the U.S. Senate gives us a preview of
the MPAA and RIAA's next target: your television and radio.

You say you want the power to time-shift and space-shift TV and radio? You
say you want tomorrow's innovators to invent new TV and radio gizmos you
haven't thought of yet, the same way the pioneers behind the VCR, TiVo, and
the iPod did?

Well, that's not what the entertainment industry has in mind. According to
them, here's all tomorrow's innovators should be allowed to offer you:

customary historic use of broadcast content by consumers to the extent
such use is consistent with applicable law.

Had that been the law in 1970, there would never have been a VCR. Had it
been the law in 1990, no TiVo. In 2000, no iPod.

Fair use has always been a forward-looking doctrine. It was meant to leave
room for new uses, not merely customary historic uses. Sony was entitled
to build the VCR first, and resolve the fair use questions in court later.
This arrangement has worked well for all involved -- consumers, media
moguls, and high technology companies.

Now the RIAA and MPAA want to betray that legacy by passing laws that will
regulate new technologies in advance and freeze fair use forever. If it
wasn't a customary historic use, federal regulators will be empowered to
ban the feature, prohibiting innovators from offering it. If the feature is
banned, courts will never have an opportunity to pass on whether the
activity is a fair use.

Voila, fair use is frozen in time. We'll continue to have devices that ape
the VCRs and cassette decks of the past, but new gizmos will have to be
submitted to the FCC for approval, where MPAA and RIAA lobbyists can kill it
in the crib.

The new legislation, being circulated by Senator Gordon Smith (R-Ore.), is
the first step down that path (and is eerily reminiscent of the infamous
2002 Hollings Bill). It would impose a broadcast flag mandate on all future
digital TVs and radios, much like legislation discussed by the House last
year.

We've covered the broadcast flag and radio flag extensively in the past.
These measures would impose federal regulations on all devices capable of
receiving digital television and digital radio signals. What's worse, the
regulations won't do a thing to stop piracy, since there are plenty of
other ways to copy these broadcasts.

Sen. Smith's bill would retroactively ratify the FCC's broadcast flag
regulations, rejected by the courts last year. This effort to impose content
protection mechanisms in all future TVs is still just as terrible an idea
now as ever.

The bill would also give the FCC authority to regulate the design of digital
radios (both terrestrial HD Radio and XM and Sirius satellite). The bill
envisions an inter-industry negotiation with a preordained outcome --
federal regulations mandating content protection mechanisms in all future HD
Radio and satellite radio receivers.

The FCC regulations could make room for customary historic uses of
broadcast content by consumers to the extent such use is consistent with
applicable law. Presumably, that means you could design a digital device
just as good as an analog cassette deck, but no better.

Sorry, Sen. Smith, but American innovators and music fans deserve better.





[infowarrior] - NSA Guide to Sanitizing Word and PDF documents

2006-01-20 Thread Richard Forno
(c/o Secrecy News)

The National Security Agency has issued new guidance to assist officials in
redacting (censoring) documents in Microsoft Word format and producing
unclassified Adobe Portable Document (PDF) files without inadvertently
disclosing sensitive information.

MS Word is used throughout the DoD and the Intelligence Community (IC) for
preparing documents, reports, notes, and other formal and informal
materials. PDF is often used as the format for downgraded or sanitized
documents.

There are a number of pitfalls for the person attempting to sanitize a Word
document for release.

For example: "As numerous people have learned to their chagrin, merely
converting an MS Word document to PDF does not remove all [sensitive]
metadata automatically."

This paper describes the issue, and gives a step-by-step description of how
to do it with confidence that inappropriate material will not be released.
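A pre-release check for the pitfall just described, as an added example that is not part of the NSA guide: it opens a Word .docx package (the XML format, which postdates the guide's binary .doc) and reports the author properties, comments, tracked changes and hidden text that a conversion to PDF may carry over. The sample document is constructed in memory.

```python
"""Find residual metadata in a .docx before it is converted for release (added example)."""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List

# Namespaces used by the Office Open XML parts we inspect.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"


def _text(elem) -> str:
    """Concatenate the visible text runs (w:t) below an element."""
    return "".join(t.text or "" for t in elem.iter(f"{{{W}}}t"))


def scan_docx(data: bytes) -> Dict[str, List[str]]:
    """Return findings keyed by category; an empty dict means nothing was found."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:  # author / last editor
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in (f"{{{DC}}}creator", f"{{{CP}}}lastModifiedBy"):
                node = core.find(tag)
                if node is not None and (node.text or "").strip():
                    label = node.tag.split("}")[1]
                    findings.setdefault("properties", []).append(f"{label}={node.text.strip()}")
        if "word/comments.xml" in names:  # reviewer comments
            comments = ET.fromstring(z.read("word/comments.xml"))
            for c in comments.iter(f"{{{W}}}comment"):
                findings.setdefault("comments", []).append(_text(c))
        if "word/document.xml" in names:
            doc = ET.fromstring(z.read("word/document.xml"))
            for ins in doc.iter(f"{{{W}}}ins"):  # tracked insertion
                findings.setdefault("tracked_changes", []).append("inserted: " + _text(ins))
            for d in doc.iter(f"{{{W}}}del"):  # tracked deletion keeps old text in w:delText
                old = "".join(t.text or "" for t in d.iter(f"{{{W}}}delText"))
                findings.setdefault("tracked_changes", []).append("deleted: " + old)
            for run in doc.iter(f"{{{W}}}r"):  # hidden text: run property w:vanish
                rpr = run.find(f"{{{W}}}rPr")
                if rpr is not None and rpr.find(f"{{{W}}}vanish") is not None:
                    findings.setdefault("hidden_text", []).append(_text(run))
    return findings


def release_ready(data: bytes) -> bool:
    """True only when the package carries none of the checked leaks."""
    return not scan_docx(data)


def build_sample_docx() -> bytes:
    """Construct a minimal .docx-like package containing each kind of leak."""
    document = f"""<w:document xmlns:w="{W}"><w:body>
  <w:p><w:r><w:t>Released text.</w:t></w:r></w:p>
  <w:p><w:ins w:id="1" w:author="analyst"><w:r><w:t>Draft insert.</w:t></w:r></w:ins></w:p>
  <w:p><w:del w:id="2" w:author="analyst"><w:r><w:delText>Removed source.</w:delText></w:r></w:del></w:p>
  <w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>Hidden note.</w:t></w:r></w:p>
</w:body></w:document>"""
    core = f"""<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">
  <dc:creator>J. Analyst</dc:creator><cp:lastModifiedBy>reviewer</cp:lastModifiedBy>
</cp:coreProperties>"""
    comments = f"""<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="reviewer">
  <w:p><w:r><w:t>Check with the source before release.</w:t></w:r></w:p></w:comment></w:comments>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document)
        z.writestr("docProps/core.xml", core)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()


if __name__ == "__main__":
    for category, items in scan_docx(build_sample_docx()).items():
        for item in items:
            print(f"{category}: {item}")
```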

See Redacting with Confidence: How to Safely Publish Sanitized Reports
Converted From Word to PDF, National Security Agency, December 13, 2005:
http://www.fas.org/sgp/othergov/dod/nsa-redact.pdf





[infowarrior] - Security Firm Offers Ad Space In Bug Report

2006-01-20 Thread Richard Forno
Security Firm Offers Ad Space In Bug Report

http://internetweek.cmp.com/showArticle.jhtml?articleId=177102488

By Gregg Keizer Courtesy of TechWeb News

An anonymous security researcher who tried to sell an Excel vulnerability on
eBay last month now stands to make more than $600 in an auction of ad space
in the report issued when the bug is fixed by Microsoft.

In early December, someone identified only by the eBay member name
fearwall posted the spreadsheet vulnerability on the online auction
service, which yanked the listing when the bidding reached $60.

Microsoft later confirmed the vulnerability in Excel and said it was
investigating the problem, but wouldn't commit to patching it.

The researcher is now working with security company HexView, which plans to
release a full analysis of the bug once Microsoft publishes a patch. The
caveat: the analysis will include two 400-character text ads for products
chosen by the two highest bidders in a private auction.

Do not miss your chance to get noticed, HexView said in a statement posted
to its Web site. Our disclosure is expected to draw the attention of many
people, including your prospective customers. The ad will be published as a
400-character paragraph within the disclosure called 'You may also find
interesting.' Bidding begins at $600, said HexView, and will be conducted
via e-mail.

The proceeds will be split between fearwall and HexView, said Max
Solonski, a principal consultant with the company, in an e-mail interview.
It is not 50/50, and 'fearwall' takes the greater chunk since it was his
idea, said Solonski. He also seems to be obsessed with open source
donations and the vast amount of the collected funds may go that way.

Not even HexView is sure if the concept of advertising in a bug report is a
viable way to turn vulnerability research into cash.

While it seems logical to advertise products that address the vulnerability
along with the description of the vulnerability, it may as well affect the
image of the advertiser since vulnerability disclosures are commonly
considered 'a bad thing,' said Solonski.

The concept of paying for vulnerabilities, however, isn't new. Better known
security companies such as iDefense (part of VeriSign) and TippingPoint
(part of 3Com) pay bounties on bugs reported to their research teams, and
crow when the program bears fruit.



You are a subscribed member of the infowarrior list. Visit 
www.infowarrior.org for list information or to unsubscribe. This message 
may be redistributed freely in its entirety. Any and all copyrights 
appearing in list messages are maintained by their respective owners.


[infowarrior] - NSA Guide to Sanitizing Word and PDF documents

2006-01-20 Thread Richard Forno
(c/o Secrecy News)

The National Security Agency has issued new guidance to assist officials in
redacting (censoring) documents in Microsoft Word format and producing
unclassified Adobe Portable Document (PDF) files without inadvertently
disclosing sensitive information.

MS Word is used throughout the DoD and the Intelligence Community (IC) for
preparing documents, reports, notes, and other formal and informal
materials. PDF is often used as the format for downgraded or sanitized
documents.

There are a number of pitfalls for the person attempting to sanitize a Word
document for release.

For example, "As numerous people have learned to their chagrin, merely
converting an MS Word document to PDF does not remove all [sensitive]
metadata automatically."

This paper describes the issue, and gives a step-by-step description of how
to do it with confidence that inappropriate material will not be released.

See Redacting with Confidence: How to Safely Publish Sanitized Reports
Converted From Word to PDF, National Security Agency, December 13, 2005:
http://www.fas.org/sgp/othergov/dod/nsa-redact.pdf
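The paper's central point is that the Word file carries far more than the visible text, and that a naive conversion drags it into the PDF. The following is an added example in Python, not tooling from the NSA paper or from Secrecy News: a .docx is a zip of XML parts, so the author/company metadata in docProps/*.xml and the tracked changes, comments and hidden text in word/document.xml can be checked, and the metadata blanked, before any conversion happens. The sample document, its field names and the RISKY_PATTERNS table are constructed for the example (the element names are the standard WordprocessingML ones); only the standard library is used.

```python
"""Pre-release audit of a .docx, as an added example (not the NSA paper's
own tooling): a .docx is a zip of XML parts, so the author/company metadata
in docProps/*.xml and the tracked changes, comments and hidden text in
word/document.xml can be inspected and, for the metadata, blanked out
before the file is ever converted to PDF. Uses only the standard library.
"""
import io
import re
import zipfile

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Leftovers the guide warns survive a naive Word -> PDF conversion.
# Element names are the standard WordprocessingML ones.
RISKY_PATTERNS = {
    "tracked_insertion": r"<w:ins\b",
    "tracked_deletion": r"<w:del\b",
    "comment_anchor": r"<w:commentRangeStart\b",
    "hidden_text": r"<w:vanish\b",
}
# Package property elements that commonly carry names and organisations.
META_FIELDS = ("dc:title", "dc:subject", "dc:description", "dc:creator",
               "cp:lastModifiedBy", "cp:keywords", "Company", "Manager")


def audit_docx(docx_bytes: bytes) -> dict:
    """Report non-empty metadata values and counts of risky constructs."""
    findings = {"metadata": {}, "risky": {}, "has_comments_part": False}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part in names:
                xml = zf.read(part).decode("utf-8")
                for field in META_FIELDS:
                    m = re.search(rf"<{field}[^>]*>([^<]*)</{field}>", xml)
                    if m and m.group(1).strip():
                        findings["metadata"][field] = m.group(1).strip()
        if "word/document.xml" in names:
            body = zf.read("word/document.xml").decode("utf-8")
            for label, pattern in RISKY_PATTERNS.items():
                hits = len(re.findall(pattern, body))
                if hits:
                    findings["risky"][label] = hits
        findings["has_comments_part"] = "word/comments.xml" in names
    return findings


def strip_docx_metadata(docx_bytes: bytes) -> bytes:
    """Rewrite the package with every META_FIELDS value blanked.

    Deliberately leaves tracked changes, comments and hidden text alone:
    those have to be accepted or deleted in the editor, which is why
    audit_docx() reports them instead of silently rewriting the body.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in ("docProps/core.xml", "docProps/app.xml"):
                xml = data.decode("utf-8")
                for field in META_FIELDS:
                    xml = re.sub(rf"(<{field}[^>]*>)[^<]*(</{field}>)",
                                 r"\1\2", xml)
                data = xml.encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()


def build_sample_docx() -> bytes:
    """Constructed sample standing in for a 'sanitized' report: author and
    company metadata, one tracked deletion of a source name, one hidden run.
    The [Content_Types].xml part is a placeholder, not a Word-openable file."""
    core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
            'package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:title>Draft assessment</dc:title><dc:creator>jdoe</dc:creator>'
            '<cp:lastModifiedBy>analyst-07</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    app = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<Properties xmlns="http://schemas.openxmlformats.org/'
           'officeDocument/2006/extended-properties">'
           '<Company>Example Agency</Company></Properties>')
    doc = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
           '<w:r><w:t>Released text.</w:t></w:r>'
           '<w:del w:id="1" w:author="jdoe"><w:r><w:delText>SOURCE NAME'
           '</w:delText></w:r></w:del>'
           '<w:r><w:rPr><w:vanish/></w:rPr><w:t>hidden note</w:t></w:r>'
           '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", audit_docx(sample))
    print("after: ", audit_docx(strip_docx_metadata(sample)))
```

The split between the two functions is the point: metadata can be blanked mechanically, but a tracked deletion still holds the deleted text and a hidden run is still text, so the audit refuses to "fix" those and leaves them for the editor, as the guide's step-by-step procedure does. Run the audit again on the final document, and on the PDF's own metadata, after conversion.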




[infowarrior] - Republican group pays $100 to spy on college professors

2006-01-19 Thread Richard Forno
Rightwing group offers students $100 to spy on professors
http://www.guardian.co.uk/usa/story/0,12271,1689653,00.html?gusrc=rss

Dan Glaister in Los Angeles
Thursday January 19, 2006
The Guardian

It is the sort of invitation any poverty-stricken student would find hard to
resist. Do you have a professor who just can't stop talking about President
Bush, about the war in Iraq, about the Republican party, or any other
ideological issue that has nothing to do with the class subject matter? If
you help ... expose the professor, we'll pay you for your work.

For full notes, a tape recording and a copy of all teaching materials,
students at the University of California Los Angeles are being offered $100
(£57) - the tape recorder is provided free of charge - by an alumni group.

Lecture notes without a tape recording net $50, and even non-attendance at
the class while providing copies of the teaching materials is worth $10.

But the initiative has prompted concerns that the group, the brainchild of a
former leader of the college's Republicans, is a witch-hunt. Several
targeted professors have complained, figures associated with the group have
distanced themselves from the project and the college is studying whether
the sale of notes infringes copyright and contravenes regulations.

The Bruin Alumni Association's single registered member is Andrew Jones, a
24-year-old former student who gained some notoriety while at the university
for staging an affirmative action bake sale at which ethnic minority
students were offered discounts on pastries.

His latest project has academics worrying about moves by rightwing groups to
counter what they perceive to be a leftist bias at many colleges.

The group's website, uclaprofs.com, lists 31 professors whose classes it
considers worthy of scrutiny. The professors teach classes in history,
African-American studies, politics, and Chicano studies. Their supposed
radicalism is indicated on the site by a rating system of black fists. The
organisation denies on the website that it is conducting a vendetta against
those with differing political views. We are concerned solely with
indoctrination, one-sided presentation of ideological controversies and
unprofessional classroom behaviour, no matter where it falls on the
ideological spectrum.

But in another posting, it is clear just where on the spectrum the group
thinks the bias might fall. One aspect of this radicalisation, outlined
here, is an unholy alliance between anti-war professors, radical Muslim
students and a pliant administration. Working together, they have made UCLA
a major organising centre for opposition to the war on terror.





[infowarrior] - In Threat to Internet's Clout, Some Are Starting Alternatives

2006-01-19 Thread Richard Forno
(c/o Scott B)

Snipped from:
http://online.wsj.com/article/SB113763907007950547.html?mod=todays_us_page_one

In Threat to Internet's Clout Some Are Starting Alternatives

By CHRISTOPHER RHOADS
Staff Reporter of THE WALL STREET JOURNAL
January 19, 2006; Page A1

More than a decade after the Internet became available for commercial use,
other countries and organizations are erecting rivals to it -- raising fears
that global interconnectivity will be diminished.

German computer engineers are building an alternative to the Internet to
make a political statement. A Dutch company has built one to make money.
China has created three suffixes in Chinese characters substituting for .com
and the like, resulting in Web sites and email addresses inaccessible to
users outside of China. The 22-nation Arab League has begun a similar system
using Arabic suffixes.

The Internet is no longer the kind of thing where only six guys in the
world can build it, says Paul Vixie, 42 years old, a key architect of the
U.S.-supported Internet. Now, you can write a couple of checks and get one
of your own. To bring attention to the deepening fault lines, Mr. Vixie
recently joined the German group's effort.

Alternatives to the Internet have been around since its beginning but none
gained much traction. Developing nations such as China didn't have the
infrastructure or know-how to build their own networks and users generally
didn't see any benefit from leaving the network that everyone else was on.

Now that is changing. As people come online in developing nations that don't
use Roman letters -- especially China with its 1.3 billion people --
alternatives can build critical mass. Unease with the U.S. government's
influence over a global resource, and in some cases antipathy toward the
Bush administration, also lie behind the trend.

You've had some breakaway factions over the years, but they've had no
relevance, says Rodney Joffe, the chairman of UltraDNS, a Brisbane, Calif.,
company that provides Internet equipment and services for companies. But
what's happened over the past year or so is the beginning of the
balkanization of the Internet.





[infowarrior] - FBI publishes 2005 computer crime survey

2006-01-19 Thread Richard Forno

FBI publishes 2005 computer crime survey
Kelly Martin 2006-01-18
http://www.securityfocus.com/brief/109?ref=rss

The FBI has published their 2005 computer crime survey, with responses from
over 2,000 public and private organizations located across four U.S. states.

The survey, published today and freely available as a PDF, provides some
startling statistics on the state of computer security attacks and defense
technologies used by all sizes of organizations.

Among the findings, nearly nine out of ten organizations experienced
security incidents in the past year. Over 64% of respondents incurred a
financial loss as a result of computer crime - yet only 9% reported these
incidents to law enforcement. The United States and China top the list as
by far the worst offenders, together accounting for more than half of all
external intrusion attempts. However, not surprisingly, the survey also
reports that 44% of all reported intrusions were sourced as internal to the
organization affected.

The official FBI Computer Crime Survey, which differs from the annual
CSI/FBI Computer Crime and Security Survey, is being covered by a wide range
of news sources and industries and can surely be used by organizations large
and small to justify additional investments in security personnel, training
and technologies for 2006.

Survey -- http://www.fbi.gov/publications/ccs2005.pdf





[infowarrior] - Google Rebuffs Feds on Search Requests

2006-01-19 Thread Richard Forno
Google Rebuffs Feds on Search Requests
http://www.washingtonpost.com/wp-dyn/content/article/2006/01/19/AR2006011901453_pf.html
By MICHAEL LIEDTKE
The Associated Press
Thursday, January 19, 2006; 8:07 PM

SAN FRANCISCO -- Google Inc. is rebuffing the Bush administration's demand
for a peek at what millions of people have been looking up on the Internet's
leading search engine - a request that underscores the potential for online
databases to become tools for government surveillance.

Mountain View-based Google has refused to comply with a White House subpoena
first issued last summer, prompting U.S. Attorney General Alberto Gonzales
this week to ask a federal judge in San Jose for an order to hand over the
requested records.

The government wants a list of all requests entered into Google's search
engine during an unspecified single week - a breakdown that could
conceivably span tens of millions of queries. In addition, it seeks 1
million randomly selected Web addresses from various Google databases.

In court papers that the San Jose Mercury News reported on after seeing them
Wednesday, the Bush administration depicts the information as vital in its
effort to restore online child protection laws that have been struck down by
the U.S. Supreme Court.

Yahoo Inc., which runs the Internet's second-most used search engine behind
Google, confirmed Thursday that it had complied with a similar government
subpoena.

Although the government says it isn't seeking any data that ties personal
information to search requests, the subpoena still raises serious privacy
concerns, experts said. Those worries have been magnified by recent
revelations that the White House authorized eavesdropping on civilian
communications after the Sept. 11 attacks without obtaining court approval.

Search engines now play such an important part in our daily lives that many
people probably contact Google more often than they do their own mother,
said Thomas Burke, a San Francisco attorney who has handled several
prominent cases involving privacy issues.

Just as most people would be upset if the government wanted to know how
much you called your mother and what you talked about, they should be upset
about this, too.

The content of search requests sometimes contains information about the
person making the query.

For instance, it's not unusual for search requests to include names, medical
profiles or Social Security information, said Pam Dixon, executive director
for the World Privacy Forum.

This is exactly the kind of thing we have been worrying about with search
engines for some time, Dixon said. Google should be commended for fighting
this.

Every other search engine served similar subpoenas by the Bush
administration has complied so far, according to court documents. The
cooperating search engines weren't identified.

Sunnyvale, Calif.-based Yahoo stressed that it didn't reveal any personal
information. We are rigorous defenders of our users' privacy, Yahoo
spokeswoman Mary Osako said Thursday. In our opinion, this is not a privacy
issue.

Microsoft Corp.'s MSN, the No. 3 search engine, declined to say whether it
even received a similar subpoena. MSN works closely with law enforcement
officials worldwide to assist them when requested, the company said in a
statement.

As the Internet's dominant search engine, Google has built up a valuable
storehouse of information that makes it a very attractive target for law
enforcement, said Chris Hoofnagle, senior counsel for the Electronic
Privacy Information Center.

The Department of Justice argues that Google's cooperation is essential in
its effort to simulate how people navigate the Web.

In a separate case in Pennsylvania, the Bush administration is trying to
prove that Internet filters don't do an adequate job of preventing children
from accessing online pornography and other objectionable destinations.

Obtaining the subpoenaed information from Google would assist the
government in its efforts to understand the behavior of current Web users,
(and) to estimate how often Web users encounter harmful-to-minors material
in the course of their searches, the Justice Department wrote in a brief
filed Wednesday

Google - whose motto when it went public in 2004 was "do no evil" - contends
that submitting to the subpoena would represent a betrayal to its users,
even if all personal information is stripped from the search terms sought by
the government.

Google's acceding to the request would suggest that it is willing to reveal
information about those who use its services. This is not a perception that
Google can accept, company attorney Ashok Ramani wrote in a letter included
in the government's filing.

Complying with the subpoena also would threaten to expose some of Google's
crown-jewel trade secrets, Ramani wrote. Google is particularly concerned
that the information could be used to deduce the size of its index and how
many computers it uses to crunch the requests.

This information would be highly 

[infowarrior] - OpEd: What Are They Doing With All Our Data?

2006-01-18 Thread Richard Forno
http://www.courant.com/news/opinion/op_ed/hc-donohue0117.artjan17,0,992533.story?coll=hc-headlines-oped


What Are They Doing With All Our Data?

Laura K. Donohue

January 17 2006

Congress will soon hold hearings on the National Security Agency's domestic
spying program, secretly authorized by President Bush in 2002. But that
program is just the tip of the iceberg.

Since Sept. 11, 2001, the expansion of efforts to gather and analyze
information on U.S. citizens is nothing short of staggering. The government
collects vast troves of data, including consumer credit histories and
medical and travel records. Databases track Americans' networks of friends,
family and associates, not just to identify who is a terrorist but to try to
predict who might become one.

Remember Total Information Awareness, retired Adm. John Poindexter's effort
to harness all government and commercial databases to preempt national
security threats? The idea was that disparate, seemingly mundane behaviors
can reveal criminal intent when viewed together. More disturbing, it assumed
that deviance from social norms can be an early indicator of terrorism.

Congress killed that program in 2003, but according to the Associated Press,
many related projects continued.

The Defense Advanced Research Projects Agency runs a data-mining program
called Evidence Extraction and Link Discovery, which connects pieces of
information from vast amounts of data sources. The Defense Intelligence
Agency trawls intelligence records and the Internet to identify Americans
connected to foreign terrorists.

The CIA reportedly runs Quantum Leap, which gathers personal information on
individuals from private and public sources. In 2002, Congress authorized
$500 million for the Homeland Security Department to develop data mining
and other advanced analytical tools. In 2004, the General Accounting Office
surveyed 128 federal departments and agencies to determine the extent of
data mining. It found 199 operations, 14 of which related to
counterterrorism.

What type of information could these mine? Your tax, education, vehicle,
criminal and welfare records for starters. But also other digital data, such
as your travel, medical and insurance records - and DNA tests. Section 505
of the Patriot Act (innocuously titled Miscellaneous National Security
Authorities) extends the type of information the government can obtain
without a warrant to include credit card records, bank account numbers and
information on Internet use.

Your checking account may tell which charities or political causes you
support. Your credit card statements show where you shop, and your
supermarket frequent-buyer-card records may indicate whether you keep kosher
or follow an Islamic halal diet. Internet searches record your interests,
down to what, exactly, you read. Faith forums or chat rooms offer a window
into your thoughts and beliefs. E-mail and telephone conversations contain
intimate details of your life.

A University of Illinois study found that in the 12 months following Sept.
11, federal agents made at least 545 visits to libraries to obtain
information about patrons. This isn't just data surveillance. It's
psychological surveillance.

Many Americans might approve of data mining to find terrorists. But not all
of the inquiries necessarily relate to terrorism. The Patriot Act allows law
enforcement officers to get sneak and peek warrants to search a home for
any suspected crime - and to wait months or even years to tell the owner
they were there. Last July, the Justice Department told the House Judiciary
Committee that only 12 percent of the 153 sneak and peek warrants it
received were related to terrorism investigations.

The FBI has used Patriot Act powers to break into a judge's chambers and to
procure records from medical clinics. Documents obtained by the American
Civil Liberties Union recently revealed that the FBI used other new powers
to eavesdrop on environmental, political and religious organizations.

When Congress looks into domestic spying in the war on terror, it should
ask a series of questions:

First, what information, exactly, is being collected? Are other programs
besides the president's NSA initiative ignoring traditional warrant
requirements? Are federal agencies dodging weak privacy laws by outsourcing
the job to private contractors?

Second, who has access to the data once it is collected, and what legal
restrictions are set on how it can be used or shared?

Third, who authorized data mining, and is its use restricted to identifying
terrorists?

Fourth, what is the collective effect of these programs on citizens' rights?
Privacy certainly suffers, but as individuals begin to feel inhibited in
what they say and do, free speech and freedom of assembly also erode.

Fifth, how do these data collection and mining operations deal with error?
As anyone who's tried to dispute an erroneous credit report can attest, once
computer networks exchange data, it may be difficult to 

[infowarrior] - JSG: Mass Spying Means Gross Errors

2006-01-18 Thread Richard Forno
Mass Spying Means Gross Errors

http://www.wired.com/news/columns/1,70035-0.html

By Jennifer Granick | Also by this reporter

The United States government either currently has, or soon will have, new
technology that makes mass surveillance possible. The next question for
citizens and other policy makers is whether and when to use this capability.

Often, people say that we must do anything and everything to stop terrorism.
This answer is easy in a world where we know that technologies of mass
surveillance, or TMS, are effective against terrorism, where we have
unlimited resources for national security, and where there's no cost when
the technology malfunctions, is intentionally abused or innocently misused.
We don't live in that fictional world, so as citizens and policy makers, we
have more-difficult choices to make.

Recent government surveillance programs demonstrate our increased capacity
for mass surveillance. For example, the Communications Assistance for Law
Enforcement Act, or CALEA, requires phone companies to build mass
surveillance capabilities into their networks. Privacy advocate Phil
Zimmerman has pointed out that through CALEA the FBI requested technological
surveillance capabilities far beyond the capacity of the judicial system to
approve warrants or the FBI to monitor. This suggests that law enforcement
plans to automate or computerize the monitoring process -- probably by
deploying voice-recognition technology to look for hits that could be
followed up on with human-monitored wiretaps.

Proposals to install face-recognition technology at airports and public
gatherings, to data-mine collections of government and commercial databases,
and to profile airline passengers are feasible only with modern technology.

When it broke the illegal wiretap story, The New York Times stated that it
was withholding certain technical information not publicly known about U.S.
surveillance capabilities. Commentators from Ars Technica and other
publications assembled comments from officials familiar with the program
that, in total, suggested that the National Security Agency was using new
technological capabilities. These comments included President Bush's effort
to distinguish between detecting terrorism, for which he claims no warrant
is required, and monitoring terrorists, for which he claims the FISA warrant
process is designed and followed:

We use FISA still... But FISA is for long-term monitoring... There is a
difference between detecting so we can prevent, and monitoring. And it's
important to know the distinction between the two... We used the (FISA)
process to monitor. But also ... we've got to be able to detect and prevent.

The president is correct that FISA only allows targeted surveillance of
identified or particularly described individuals. He's wrong to suggest that
the FISA warrant requirement doesn't apply to mass surveillance. To the
contrary, it means our current laws generally prohibit mass surveillance of
American citizens without probable cause.

But should they? Now that we have the power, should we use it?

Harvard Law School professor Charles Fried argues that mass surveillance is
an urgent necessity:

In the context of the post-9/11 threat, which includes sleeper cells and
sleeper operatives in the United States, no other form of surveillance is
likely to be feasible and effective. But this kind of surveillance may not
fit into the forms for court orders because their function is to identify
targets, not to conduct surveillance of targets already identified. Even
retroactive authorization may be too cumbersome and in any event would not
reach the initial broad scan that narrows the universe for further scrutiny.

Moreover, it is likely that at the first, broadest stages of the scan, no
human being is involved -- only computers. Finally, it is also possible that
the disclosure of any details about the search and scan strategies and the
algorithms used to sift through them would immediately allow countermeasures
by our enemies to evade or defeat them.

In concluding that TMS are required, Fried makes several assumptions. He
assumes that mass surveillance is effective. He assumes that other
intelligence methods and prevention techniques, including human monitoring,
developing sources, reducing incentives to support or hide terrorists,
physical security and tracing financial and material assistance from
terrorist groups, will not be feasible, and will be less, rather than more,
necessary if we utilize TMS. He suggests that the enemy's ability to defeat
surveillance is a function of public disclosure of the search techniques.
Each of these assumptions deserves further scrutiny.

There are few, if any, studies demonstrating the effectiveness of mass
surveillance. People with something to hide are adept at speaking in codes.
Teenagers tell their parents they are going to the movies when they are
going to drink beer. Attackers know to misspell the victim's name, as
journalist Daniel Pearl's 

[infowarrior] - New Firefox feature eases spying on users

2006-01-18 Thread Richard Forno
New Firefox feature eases spying on users

http://weblogs.mozillazine.org/darin/archives/009594.html

A new proposed feature in Firefox/Mozilla automates a common web-linking
technique in a way that raises grave concerns about user-privacy. A common
practice for some web-sites is to send people who click on links to a server
that first counts their click and then redirects them to the link's
destination. Firefox's new ping attribute proposal for links lets
web-authors do this in a less-transparent, but more efficient way, so that
when you click on a link, a ping is sent to a server (or group of servers)
to notify it of your click while your browser loads the destination page.

 I'm sure this may raise some eye-brows among privacy conscious folks, but
 please know that this change is being considered with the utmost regard for
 user privacy. The point of this feature is to enable link tracking mechanisms
 commonly employed on the web to get out of the critical path and thereby
 reduce the time required for users to see the page they clicked on. Many
 websites will employ redirects to have all link clicks on their site first go
 back to them so they can know what you are doing and then redirect your
 browser to the site you thought you were going to. The net result is that you
 end up waiting for the redirect to occur before your browser even begins to
 load the site that you want to go to. This can have a significant impact on
 page load performance.

I understand the motivation for this, but the implementation sounds fishy.
I'd prefer a system that obtained user-consent for any pinging that took
place, and that allowed ping-blocking by site, ping-server or across all
sites. That would let users control their experience and their privacy.
Otherwise, this feature just eases the technological burdens associated with
spying on users.
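The mechanism described above, and the per-site / per-ping-server control the commentary asks for, as an added example in Python. This is not Mozilla's code or part of the proposal: it parses a page for anchors carrying a ping attribute (a whitespace-separated list of URLs the browser would notify in the background when the link is followed), lists which hosts would learn about a click, and rewrites the page so only pings to allow-listed hosts survive, the way a filtering proxy or user script would enforce such a policy outside the browser. The sample page, its hosts and the allow-list are constructed for the example; only the standard library is used.

```python
"""Policing <a ping="..."> targets in an HTML page, as an added example
(not Mozilla's code). The proposal lets an anchor carry a whitespace-separated
list of URLs the browser notifies in the background when the link is
followed. This lists those targets and rewrites the page so only pings to
allow-listed hosts survive: the per-site / per-ping-server control the
commentary asks for, applied to the document (e.g. by a proxy or a
user script) rather than inside the browser. Standard library only.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a first-party ping, a third-party tracker, a link
# that pings two servers at once, and a link with no ping at all.
SAMPLE_HTML = """<html><body>
<a href="https://example.org/article" ping="https://example.org/click">Article</a>
<a href="https://partner.test/offer" ping="https://tracker.test/p?x=1">Offer</a>
<a href="https://news.test/story" ping="https://example.org/c https://tracker.test/p?x=2">Story</a>
<a href="https://plain.test/">No ping</a>
</body></html>"""


class PingCollector(HTMLParser):
    """Collects (href, [ping urls]) for every anchor carrying a ping."""

    def __init__(self):
        super().__init__()
        self.pings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        if a.get("ping"):
            self.pings.append((a.get("href", ""), a["ping"].split()))


class PingRewriter(HTMLParser):
    """Records a rebuilt start tag for every anchor whose ping list changes."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = set(allowed_hosts)
        self.replacements = []  # (raw start tag text, rewritten start tag)

    def handle_starttag(self, tag, attrs):
        if tag != "a" or not any(k == "ping" and v for k, v in attrs):
            return
        new_attrs = []
        for k, v in attrs:
            if k == "ping":
                kept = [u for u in v.split()
                        if urlparse(u).hostname in self.allowed]
                if not kept:
                    continue          # drop the attribute entirely
                v = " ".join(kept)
            new_attrs.append((k, v))
        rebuilt = "<a" + "".join(
            f' {k}="{html.escape(v, quote=True)}"' if v is not None else f" {k}"
            for k, v in new_attrs) + ">"
        self.replacements.append((self.get_starttag_text(), rebuilt))


def ping_targets(page: str) -> list:
    """[(href, [ping urls]), ...] for every anchor with a non-empty ping."""
    p = PingCollector()
    p.feed(page)
    p.close()
    return p.pings


def ping_hosts(page: str) -> set:
    """Every host that would be notified of a click somewhere on the page."""
    return {urlparse(u).hostname for _, urls in ping_targets(page) for u in urls}


def filter_pings(page: str, allowed_hosts) -> str:
    """Return the page with ping URLs to hosts outside allowed_hosts removed."""
    rw = PingRewriter(allowed_hosts)
    rw.feed(page)
    rw.close()
    for raw, rebuilt in rw.replacements:
        page = page.replace(raw, rebuilt)
    return page


if __name__ == "__main__":
    print("ping hosts:", sorted(ping_hosts(SAMPLE_HTML)))
    print(filter_pings(SAMPLE_HTML, {"example.org"}))
```

Note what the attribute makes possible that a redirect does not: a single anchor can notify several servers, including ones that are neither the page's origin nor the link's destination, and nothing in the visible href reveals it. The ping_hosts() listing is the quickest way to see who would learn about a click; an empty allow-list turns the filter into the "block across all sites" option the commentary mentions.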




[infowarrior] - FW: Final Call for Abstracts: New Geographies of Surveillance

2006-01-17 Thread Richard Forno
Title: FW: Final Call for Abstracts: New Geographies of Surveillance



 Final Call for Abstracts

Royal Geographical Society / Institute of British Geographers Annual
International Conference 2006, 30 August - 1st September 2006 at the
Royal Geographical Society with IBG, London

New Geographies of Surveillance

A double session co-sponsored by Urban Geography Research Group,
Political Geography Research Group and Surveillance & Society.

Abstract deadline: 23rd January

Session co-ordinated by: Dr David Murakami Wood, University of
Newcastle; Professor Steve Graham, University of Durham; and Dr Nick
Fyfe, University of Dundee.


With current concern over global terrorism and the 'permanent state of
emergency' that constitutes the war on terrorism, surveillance has
become a key strategy and a point of conflict and debate. Recent years
have seen a massive expansion in surveillance practices and technologies
across spatial scales from the body to the global, in settings from the
urban, through the natural environment to the virtual, and involving
actors from state institutions to private corporations, individual
people and nonhumans. The spread and intensification of surveillance has
serious sociospatial consequences in every domain from the life-chances
of individuals to the fate of nations; and the development and form of
cities, urban space and urban culture. This Session will showcase the
emerging critical geographies of surveillance.

Topics include:

* theorising new geographies of surveillance;
* local, national, regional and global trends in surveillance;
* case studies of new surveillance technologies and practices;
* surveillance and the practice of geography (such as GIS and
geodemographics);
* surveillance, justice and exclusion;
* surveillance, governance, regulation and democracy;
* surveillance, intelligence, war and terrorism;
* surveillance, territoriality and borders;
* surveillance, cities and urbanity;
* surveillance and crime;
* surveillance and the body;
* surveillance and the nonhuman;
* resistance to surveillance; etc.

Please send all submissions, using the abstract submission form at
http://www.rgs.org/category.php?Page=ac2006 to:

mailto:[EMAIL PROTECTED]

The deadline for all abstracts is January 23rd, 2006.

Dr David Murakami Wood 

Global Urban Research Unit (GURU)
School of Architecture Planning and Landscape, University of Newcastle
upon Tyne, UK.
Exchange Visiting Fellow, School of Social Sciences, Waseda University,
Tokyo, Japan.
(January to April 2006).






[infowarrior] - Children can't "opt out" of Pentagon recruitment database

2006-01-17 Thread Richard Forno
Mining for kids: Children can't "opt out" of Pentagon recruitment database

http://www.vermontguardian.com/national/012006/Pentagon.shtml

By Kathryn Casa | Vermont Guardian

posted January 17, 2006

Parents cannot remove their children's names from a Pentagon database that
includes highly personal information used to attract military recruits, the
Vermont Guardian has learned.

The Pentagon has spent more than $70.5 million on market research, national
advertising, website development, and management of the Joint Advertising
Market Research and Studies (JAMRS) database - a storehouse of questionable
legality that includes the names and personal details of more than 30
million U.S. children and young people between the ages of 16 and 23.

The database is separate from information collected from schools that
receive federal education money. The No Child Left Behind Act requires
schools to report the names, addresses, and phone numbers of secondary
school students to recruiters, but the law also specifies that parents or
guardians may write a letter to the school asking that their children's
names not be released.

However, many parents have reported being surprised that their children are
contacted anyway, according to a San Francisco-based coalition called Leave
My Child Alone (LMCA).

"We hear from a lot of parents who have often felt quite isolated about it
all and haven't been aware that this is happening all over the country,"
said the group's spokeswoman, Felicity Crush.

Parents must contact the Pentagon directly to ask that their children's
information not be released to recruiters, but the data is not removed from
the JAMRS database, according to Lt. Col. Ellen Krenke, a Pentagon
spokeswoman.

Instead, the information is moved to a suppression file, where it is
continuously updated with new data from private and government sources and
still made available to recruiters, Krenke said. It's necessary to keep the
information in the suppression file so the Pentagon can make sure it's not
being released, she said.

Krenke said the database is compiled using information from state motor
vehicles departments, the Selective Service, and data-mining firms that
collect and organize information from private companies. In addition to
names, addresses, Social Security numbers, and phone numbers, the database
may include cell phone numbers, e-mail addresses, grade-point averages,
ethnicity, and subjects of interest.

She said the Pentagon spends about $500,000 annually to purchase the data
from private companies, and has paid more than $70 million since 2002 to
Mullen Advertising - a Massachusetts firm whose clients include General
Motors, Hooked on Phonics, XM Satellite Radio, and 3Com - to target
recruiters' messages toward teens and young adults.

The Boston Business Journal reported in October that the Pentagon had spent
a total of $206 million on the JAMRS program to date, and could spend
another $137 million over the next two years.

Invasion of privacy?

The JAMRS program "provides the services with contact information on
millions of prospective recruits annually ... Beyond list management services,
DM outreach initiatives include targeted fulfillment pieces directed at
influencers," according to the program's password-protected website.

In real terms, what that rhetoric looks like at the other end can stack up
to harassment, said Crush. "Kids have been relentlessly harassed," she said,
"things like persistent phone calls - and you can't remove your phone
numbers from their list because it's the government; people being called on
numbers that have been listed as private, or for emergency only; kids under
17 called at home, night after night, and not being given a realistic
picture about life in the military, particularly during a time of war."

Her organization contends that the Pentagon's conduct is illegal under the
federal Privacy Act, which requires notification and public comment whenever
new data is being compiled on individuals by any branch of government.

The Pentagon maintains it has provided that notice, posted in the Federal
Register on May 23, but LMCA and other JAMRS critics point out that because
new data is being collected daily, JAMRS is failing to fulfill the
notification requirements of the Privacy Act.

Last fall, 100 privacy and civil rights groups sent a letter to Defense
Secretary Donald Rumsfeld urging him to dismantle the database. "The Privacy
Act requires that agencies publish in the federal register upon
establishment or revision a notice of the existence and character of the
system of records" 30 days before the publication of information, they
noted. "The maintenance of a system of records without meeting the notice
requirements is a criminal violation of the Privacy Act."

But Barry Steinhardt, director of the ACLU's Technology and Liberty Project
in New York, said protection offered by the Privacy Act - the 1974 statute
aimed at reducing the government's collection of 

[infowarrior] - Feds aim for more data sharing by terrorist screeners

2006-01-17 Thread Richard Forno
CNET News.com http://www.news.com/
Feds aim for more data sharing by terrorist screeners

By Anne Broache
http://news.com.com/Feds+aim+for+more+data+sharing+by+terrorist+screeners/2100-7348_3-6027824.html

Story last modified Tue Jan 17 15:04:00 PST 2006

WASHINGTON--The Bush administration said Tuesday that it would make greater
use of what the U.S. government calls travel intelligence, or methods of
linking databases to try to detect terrorists before they travel.

The renewed emphasis on travel intelligence came at an event held here by
Secretary of State Condoleezza Rice and Homeland Security Secretary Michael
Chertoff. They also said the federal government would move more toward
digitized applications and videoconferencing with visa applicants.

"It is a vital national interest for America to remain a welcoming nation
even as we strengthen security in the fight against terrorism," Rice said,
echoing remarks by President Bush at a summit for university presidents
earlier this month.

Modern technology, Chertoff added, is a means to meeting that end.

The two federal agencies define travel intelligence as a way to detect the
way suspected terrorists travel. One governmental body that coordinates
such data is the Terrorist Screening Center, created as the result of a
presidential mandate in 2003.

"It's the spot where all of our information that we're collecting is run
through and checked against any kind of watch list or terrorist nexus," said
Jarrod Agen, a Homeland Security spokesman.

The center does not collect information of its own. That task belongs to the
Terrorist Threat Integration Center, a joint project run by Homeland
Security, the Pentagon, the CIA and the FBI.

Instead, the Terrorist Screening Center's database, which contains
information about actual or suspected terrorists, simply consolidates
information that law enforcement, the intelligence community, the State
Department, and others already possess and makes it accessible for query to
those who need it--federal security screeners, state and local law
enforcement officers, and others, according to a government fact sheet.
It's up to individual agencies to decide who can access the data and whose
records to make accessible to those screeners.

The government's use of passenger data in various screening programs has
been a sore spot in recent years, drawing outcry from privacy advocates.
Last year, the Transportation Security Administration took heat from
government auditors for failing to disclose exactly how and why it had
collected personal information on a quarter of a million airline passengers.
It has also been less than forthcoming about a planned prescreening system
known as Secure Flight.

State and Homeland Security screeners already use information culled from
visa applications and airline passenger records to compare against watch
lists, Agen said, but "as new travel documents are used, we want to continue
to keep everyone trained up to the latest information."

By the end of the year, the U.S. government plans to begin issuing only
passports with embedded computer chips--a move it says will deter forgers
and imposters and reduce wait times at border entry points--even as privacy
concerns linger over the tiny radio frequency identification chips they're
supposed to contain. The passports' second phase was scheduled to begin this
week at San Francisco International Airport.

New visa application procedures
On the welcome-mat front, the officials said their goal is to migrate to an
entirely paperless visa application process sometime in the future, though
they didn't specify a timetable.

As part of that effort, the State Department plans to test an online
application system for business-related visas, though it didn't specify
when.

The agency also intends to try out digital videoconferencing in hopes that
the technique can one day substitute for in-person interviews with visa
applicants. Right now, foreign visa seekers must apply in person at their
local consulate, which can sometimes be hundreds of miles away.

At a background briefing after Rice's and Chertoff's speeches, a senior
State Department official who did not want to be identified acknowledged
that the tactic could create new avenues for fraud. But if upcoming pilot
tests conducted in the United Kingdom and other countries show that the
technology can be used without introducing new possibilities for fraud, it
could be "the biggest qualitative change in the way we handle visas in 150
years," he predicted.

The departments also hope to set up a Global Enrollment
Network--essentially a single, secure database in which both departments,
regardless of who collected the information first, could deposit personal
information from travel-document applications. Employees of both departments
could then access that database in order to verify the identities of
travelers arriving at various border entry points.

The goal is to get information only one time from the applicant, and 

[infowarrior] - Felten: CGMS-A + VEIL = SDMI ?

2006-01-17 Thread Richard Forno
CGMS-A + VEIL = SDMI ?
Tuesday January 17, 2006 by Ed Felten
http://www.freedom-to-tinker.com/?p=955

I wrote last week about the Analog Hole Bill, which would require almost all
devices that handle analog video signals to implement a particular
anti-copying scheme called CGMS-A + VEIL. Today I want to talk about how
that scheme works, and what we can learn from its design.

CGMS-A + VEIL is, not surprisingly, a combination of two discrete signaling
technologies called CGMS-A and VEIL. Both allow information to be encoded in
an analog video signal, but they work in different ways.

CGMS-A stores a few bits of information in a part of the analog video signal
called the vertical blanking interval (VBI). Video is transmitted as a
series of discrete frames that are displayed one by one. In analog video
signals, there is an empty space between the frames. This is the VBI.
Storing information there has the advantage that it doesn't interfere with
any of the frames of the video, but the disadvantage that the information,
being stored in part of the signal that nobody much cares about, is easily
lost. (Nowadays, closed captioning information is stored in the VBI; but
still, VBI contents are easily lost.) For example, digital video doesn't
have a VBI, so straight analog-to-digital translation will lose anything
stored in the VBI. The problem with CGMS-A, then, is that it is too fragile
and will often be lost as the signal is stored, processed, and translated.

There's one other odd thing about CGMS-A, at least as it is used in the
Analog Hole Bill. It's remarkably inefficient in storing information. The
version of CGMS-A used there (with the so-called RCI bit) stores three bits
of information (if it is present), so it can encode eight distinct states.
But only four distinct states are used in the bill's design. This means that
it's possible, without adding any bits to the encoding, to express four more
states that convey different information about the copyright owner's
desires. For example, there could be a way for the copyright owner to signal
that the customer was free to copy the video for personal use, or even that
the customer was free to retransmit the video without alteration. But our
representatives didn't see fit to support those options, even though there
are unused states in their design.

The second technology, VEIL, is a watermark that is inserted into the video
itself. VEIL was originally developed as a way for TV shows to send signals
to toys. If you pointed the toy at the TV screen, it would detect any VEIL
information encoded into the TV program, and react accordingly.

Then somebody got the idea of using VEIL as a "rights signaling" technology.
The idea is that whenever CGMS-A is signaling restrictions on copying, a
VEIL watermark is put into the video. Then if a signal is found to have a
VEIL watermark, but no CGMS-A information, this is taken as evidence that
CGMS-A information must have been lost from that signal at some point. When
this happens, the bill requires that the most restrictive DRM rules be
applied, allowing viewing of the video and nothing else.

Tellingly, advocates of this scheme do their best to avoid calling VEIL a
"watermark", even though that's exactly what it is. A watermark is an
imperceptible (or barely perceptible) component, added to an audio or video
signal to convey information. That's a perfect description of VEIL.

Why don't they call it a watermark? Probably because watermarks have a bad
reputation as DRM technologies, after the Secure Digital Music Initiative
(SDMI). SDMI used two signals, one of which was a "robust" watermark, to
encode copy control information in content. If the robust watermark was
present but the other signal was absent, this was taken as evidence that
something was wrong, and strict restrictions were to be enforced. Sound
familiar?

SDMI melted down after its watermark candidates - all four of them - were
shown to be removable by an adversary of modest skill. And an adversary who
could remove the watermark could then create unprotected copies of the
content.

Is the VEIL watermark any stronger than the SDMI watermarks? I would expect
it to be weaker, since the VEIL technology was originally designed for an
application where accidental loss of the watermark was a problem, but
deliberate removal by an adversary was not an issue. So how does VEIL work?
I'll write about that soon.






[infowarrior] - Hey, Baby Bells: Information Still Wants to Be Free

2006-01-16 Thread Richard Forno
Hey, Baby Bells: Information Still Wants to Be Free

http://www.freepress.net/news/13358

From New York Times, January 15, 2006
By Randall Stross

At the top of my wish list for next year's Consumer Electronics Show is
this: the introduction of broadband service across the country that is as up
to date as that 103-inch flat-screen monitor just introduced by Panasonic.
The digital lifestyle I see portrayed so alluringly in ads is not possible
when the Internet plumbing in our homes is as pitiful as it is. The
broadband carriers that we have today provide service that attains negative
perfection: low speeds at high prices.

It gets worse. Now these same carriers - led by Verizon Communications and
BellSouth - want to create entirely new categories of fees that risk
destroying the anyone-can-publish culture of the Internet. And they are
lobbying for legislative protection of their meddling with the Internet
content that runs through their pipes. These are not good ideas.

Slow broadband seems to be our cursed lot. Until we get an upgrade - or
rather an upgrade to an upgrade - the only Americans who will enjoy truly
fast and inexpensive service will be those who leave the country. In
California, Comcast cable broadband provides top download speeds of 6
megabits a second for a little more than $50 a month. That falls well short,
however, of Verizon's 15-megabit fiber-based service offered on the East
Coast at about the same price. But what about the 100-megabit service in
Japan for $25 a month? And better, much better: Stockholm's one-gigabit
service - that is, 1,000 megabits, or more than 1,300 times faster than
Verizon's entry-level DSL service - for less than 100 euros, or $120, a
month.

One-gigabit service is not in the offing in the United States. What the
network carriers seem most determined to sell is a premium form of Internet
service that offers a tantalizing prospect of faster, more reliable delivery
- but only if providers like Google, Yahoo and Microsoft pay a new charge
for special delivery of their content. (That charge, by the way, would be in
addition to the regular bandwidth-based Internet connection charges that
their carriers already levy.)

An executive vice president of Verizon, for example, said last week that the
proliferation of video programs offered via the Internet opens a new
opportunity for his company: a new class of premium online delivery for Web
sites wishing to pay extra to give smooth video streams to their customers
in the Verizon service area. The executive, Thomas J. Tauke, said that a
fast lane for premium content providers would not reduce the quality of
regular service for everyone else, and that sites could choose not to sign
up without suffering retribution. "To the best of my knowledge," he said,
"there's no negative."

From the consumer's perspective, given the dismal state of the status quo,
shouldn¹t any service improvement be welcomed? The short answer is: not
necessarily.

For one thing, the occasional need for a preferential fast lane for
streaming video - that is, moving pictures displayed as fast as they arrive,
rather than downloaded first and played from memory - exists in the United
States only because our standard broadband speeds are so slow. Were we ever
to become a nation with networks supporting gigabit service, streaming video
would not require special handling.

Perhaps more important, the superabundance of content in the Internet's
ecosystem is best explained by its organizing principle of "network
neutrality." The phrase refers to the way the Internet welcomes everyone who
wishes to post content. Consumers, in turn, enjoy limitless choices. Rather
than having network operators select content providers on our behalf - the
philosophy of the local cable company - the Internet allows all of us to act
as our own network programmers, serving a demographic of just one person.

Today, the network carrier has a minor, entirely neutral role in this system
- providing the pipe for the bits that move the last miles to the home. It
has no say about where those bits happened to have originated. Any proposed
change in its role should be examined carefully, especially if the change
entails expanding the carrier's power to pick and choose where bits come
from - a power that has the potential to abrogate network neutrality.

This should be taken into account when Baby Bells say they need to extract
more revenue from their networks in order to finance service improvements.
Consumers will pay one way or the other, whether directly, as Internet
access fees, or indirectly, as charges when a content company opts for
special delivery and passes along its increased costs to its customers. It
would be better for the network carriers to continue to do as they have, by
charging higher rates for higher bandwidth. (Sign me up for that one-gigabit
service.)

Left unmentioned in Verizon's pitch is the concentration of power that it
enjoys in its service area, which would allow 

[infowarrior] - Text of Al Gore's MLK Speech

2006-01-16 Thread Richard Forno

Congressman Barr and I have disagreed many times over the years, but we have
joined together today with thousands of our fellow citizens - Democrats and
Republicans alike - to express our shared concern that America's Constitution
is in grave danger.

In spite of our differences over ideology and politics, we are in strong
agreement that the American values we hold most dear have been placed at
serious risk by the unprecedented claims of the Administration to a truly
breathtaking expansion of executive power.

As we begin this new year, the Executive Branch of our government has been
caught eavesdropping on huge numbers of American citizens and has brazenly
declared that it has the unilateral right to continue without regard to the
established law enacted by Congress to prevent such abuses.

[snip]


http://rawstory.com/admin/dbscripts/printstory.php?story=1723





[infowarrior] - Good article on tech overload in our lives

2006-01-16 Thread Richard Forno
(I agree w/this article 100% and do some of the very same things as those
mentioned. -rf)


One Answer to Too Much Tech: Sorry, I'm Not Here

By Jose Antonio Vargas
Washington Post Staff Writer
Monday, January 16, 2006; C01
http://www.washingtonpost.com/wp-dyn/content/article/2006/01/15/AR2006011501015_pf.html


You get text messages on your cell phone, but you never, ever send one. You
don't do certain e-mails during the day, only at night, after 9. You carry
your BlackBerry everywhere you go, except on the golf course.

That's Bruce Blakeney's only decree: No CrackBerry on the course. Never
mind social manners. This is a very personal rule, strictly enforced.

"I'm an IT manager. I'm on call 7 by 24. But, see, it's like this: You have
to take time for yourself. What do you most enjoy doing as a hobby? To me,
it's golf," says Blakeney, 46, who usually putts around the Enterprise Golf
Course in Mitchellville, where he lives. "And I don't carry a thing when I'm
golfing. Not a thing. I would never get to really enjoy myself if I carried
my BlackBerry with me."

In these multitasking, hyperkinetic, gadget-obsessed times -- when
19-year-old Daisy Castillo feels naked without her cell phone, when
27-year-old Sonia Gioseffi can't do cardio at the gym on the treadmill
without her iPod -- it helps to have a few rules in place, no matter how
arbitrary, no matter how nonsensical, while clicking our lives away in the
techno-sphere. We want control. Or, more to the point, we like to think we
are in control.

So Todd Liu, 24, an elementary school teacher, doesn't do personal e-mails
at work. Dallas Carson, 28, a clinical psychologist, always steps outside --
outside a theater, outside a coffee shop, outside a friend's apartment, just
outside -- to take a call on his cell phone. Nakia Bittle, 27, an office
assistant, turns her cell phone off the moment she steps into her house.

"If you need to call me, you can call my home phone. But if you don't have
my home number," says Bittle, laughing, "then you're not supposed to have
it."

In a land where you can upload or download just about anything, the person
with the rulebook is king. Or so he thinks.

"With the number of options people have -- we've got laptops, cell phones,
Treos, BlackBerrys, iPods, you name it -- we're overwhelmed. In the past,
people defined themselves by what they did or used. Now you define yourself
by what you don't do or don't buy," says Kevin Kelly, former executive
editor of Wired magazine, that venerated bible of gizmos, and author of "New
Rules for the New Economy: 10 Radical Strategies for a Connected World."

Kelly abides by several rules. He doesn't own a BlackBerry, although he's
quick on e-mail. He owns a cell phone, but there's only one person who knows
the number, his wife Gia-Miin. He's got a theory for this idiosyncratic
brand of individual rulemaking, and he calls it "the neo-Amish." For his
next book, "What Technology Wants," he has visited the Amish frequently in
Pennsylvania, taking careful notes of how they adopt -- or reject -- new
technologies. The Amish use disposable diapers but don't allow zippers on
their clothing. They use rollerblades but cannot drive or own cars. (They
can take rides, though.) "There is no firm consistency," Kelly explains.
These rules might not make perfect sense for outsiders, he adds, but for the
Amish, they're logical, a way of lessening their ties to technology, of
saying "no, thank you" to the next hot new thing when most of society --
that means the rest of us -- almost always responds with a hyperventilating
"Yes!"

"Many of us have this neo-Amish pattern in our use of technology, and it's
our own way to exert some sort of power over it," Kelly says. "These gadgets
are supposed to be serving us, but we have so many of them that we feel like
we're enslaved to our servants. So we create restrictions to show who's
boss. Like, I may be a slave to e-mail, but I don't text-message, therefore
I really have the upper hand."

Grant McCracken, a cultural anthropologist, offers this view: "We're in this
process of balancing out the benefits of technology to the costs of
technology."

"In the beginning of the cell-phone era, when cell phones looked like bricks,
everyone thought owning one was all benefits, no cost," says McCracken, a
member of MIT's comparative media studies program and the former director of
the Institute for Contemporary Culture at the Royal Ontario Museum. It
wasn't until later, he says, that we realized that there were downsides to
being connected 24/7, every day, every week. "Before the cell phone, we can
always say, 'Oh, I was in the yard when you phoned,'" says McCracken. "Now
the last remaining excuse you have is, 'Oops, I'm in a dead zone.' This is
the curse of digital slavery."

Cole McGee, a 33-year-old consultant, is trying to get out of those
invisible handcuffs. She has two self-imposed rules, both freshly minted.
One, no listening to her iPod on the Metro. Two, no bringing her BlackBerry
to bed.

On 

[infowarrior] - Researcher: Sony BMG rootkit still widespread

2006-01-16 Thread Richard Forno
Researcher: Sony BMG rootkit still widespread
Robert Lemos, SecurityFocus 2006-01-16
http://www.securityfocus.com/news/11369

WASHINGTON D.C. -- Hundreds of thousands of networks across the globe,
including many military and government networks, appear to still contain PCs
with the controversial copy-protection software installed by music discs
sold by media giant Sony BMG, a security researcher told attendees at the
ShmooCon hacking conference this weekend.

Building on previous research that suggested some 570,000 networks had
computers affected by the software, infrastructure security expert Dan
Kaminsky used a different address queried by the copy protection software to
estimate that, a month later, 350,000 networks--many belonging to the
military and government--contain computers affected by the software.

"It is unquestionable that Sony's code has gotten into military and
government networks, and not necessarily just U.S. military and government
networks," Kaminsky said in an interview after his presentation at ShmooCon.
The researcher would not say how many networks belonged to government or
military top-level domains.

The latest research results come as Sony BMG is attempting to finish up
this particular embarrassing chapter in the company's use of digital-rights
management software. Earlier this month, a New York district court judge
gave the nod to a settlement penned by Sony BMG and the attorneys for six
class-action lawsuits in the state. More than 15 other lawsuits are pending
against the media giant, according to court filings.

The controversy surrounds several flaws in two types of copy-protection
software used on Sony BMG music CDs and the company's previous practices of
hiding the software from a computer's user and making removal of the
software extremely inconvenient. The two practices--considered unfair by the
Attorney General for the State of Texas, whose office sued Sony
BMG--resemble rootkit techniques used by malicious Internet attackers.

Sony BMG uses two types of digital-rights management (DRM) software: the
Extended Copy Protection (XCP) program created by First 4 Internet and the
MediaMax program created by SunnComm.

Kaminsky's research uses a feature of domain-name system (DNS) servers: The
computers will tell whether an address has recently been looked up by the
server. The security researcher worked from a list of 9 million domain-name
servers, about 3 million of which are reachable by computers outside their
networks. Kaminsky sent DNS requests to the 3 million systems, asking each
to look up whether an address used by the XCP software--in this case,
xcpimages.sonybmg.com--was in the systems' caches.

During his first survey, carried out over three days in mid-November, he
found 568,000 DNS servers had previously been asked to look up three
different server addresses used by the XCP software. Another 350,000 servers
had to be thrown out from the data set because they did not obey commands to
only look in their cache, and instead asked for information from other
servers on the Internet.
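The three outcomes of a non-recursive (RD=0) probe described above, as an added example that is not Kaminsky's or SecurityFocus's code: the reply from a resolver that had xcpimages.sonybmg.com cached, from one that honoured RD=0 and had nothing, and from one that ignored RD=0 and resolved the name anyway (the class of servers the article says were dropped). Everything is built and parsed offline from constructed messages; the TTL-based detection of RD-ignoring resolvers and the 3600-second authoritative TTL are assumptions, not details from the article.

```python
import struct

XCP_NAME = "xcpimages.sonybmg.com"   # XCP address named in the article
AUTH_TTL = 3600                      # assumed authoritative TTL for the constructed data


def build_query(name, txid=0x1234, recursion_desired=False):
    """Build a DNS A/IN query. With RD=0 a well-behaved resolver answers only
    from its cache, which is the property the survey relied on."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN


def build_response(query, ttl=None, ip="192.0.2.10"):
    """Constructed resolver reply (not real traffic): echoes the question,
    sets QR and RA, and adds one A record unless ttl is None (empty answer)."""
    txid, qflags = struct.unpack(">HH", query[:4])
    flags = 0x8080 | (qflags & 0x0100)
    ancount = 0 if ttl is None else 1
    msg = struct.pack(">HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]
    if ttl is not None:
        # owner name is a compression pointer (0xC00C) back to the question
        msg += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return header flags and the answer section of a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": txid, "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "answers": answers}


def classify(resp, auth_ttl=AUTH_TTL):
    """Interpret a reply to an RD=0 query.
    not_cached : empty answer; the resolver honoured RD=0 and had no entry
    cached     : an answer whose TTL has counted down from the authoritative
                 value, i.e. a client behind that resolver asked earlier
    ignored_rd : an answer at the full authoritative TTL; the resolver went
                 and resolved the name despite RD=0 (assumed heuristic; the
                 survey discarded such resolvers)"""
    if not resp["answers"]:
        return "not_cached"
    if min(a["ttl"] for a in resp["answers"]) >= auth_ttl:
        return "ignored_rd"
    return "cached"


def survey(replies, auth_ttl=AUTH_TTL):
    """Tally classifications over (resolver_label, raw_reply) pairs."""
    counts = {"cached": 0, "not_cached": 0, "ignored_rd": 0}
    for _label, raw in replies:
        counts[classify(parse_response(raw), auth_ttl)] += 1
    return counts


# Constructed sample: three resolvers' replies to the same RD=0 probe.
QUERY = build_query(XCP_NAME)
SAMPLE_REPLIES = [
    ("resolver-a", build_response(QUERY, ttl=1800)),  # entry half-way through its TTL
    ("resolver-b", build_response(QUERY, ttl=None)),  # nothing cached
    ("resolver-c", build_response(QUERY, ttl=3600)),  # recursed despite RD=0
]

if __name__ == "__main__":
    print(survey(SAMPLE_REPLIES))   # {'cached': 1, 'not_cached': 1, 'ignored_rd': 1}
```

A resolver operator can apply the same classification to their own server's reply to confirm it does not answer non-recursive queries from outside its network, which is what lets an outsider read the cache in the first place.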

In the most recent survey, which ran from December 15 to December 23, he
found 350,000 servers had the unique address in their caches. While other
factors may increase or decrease the number, Kaminsky continues to stress
that the experiment is about finding out the magnitude of the impact of Sony
BMG's software.

"The data shows that this is most likely a hundreds-of-thousands to millions
of victims issue," Kaminsky said.

The data might also show how widespread piracy has become. The 52 music
titles released with the XCP software were only released in North America,
he said. However, the network apparently affected by the Sony BMG issue
covered 135 countries. About 4.7 million discs were manufactured and about
2.1 million had sold, according to Sony statements.

"The global scope is the big mystery here," he said. "It is fairly likely
that a lot of the discs were pirated."

In December, Sony BMG changed the banner ad that displays on PCs that play a
CD to a graphic that requests them to download the uninstaller. The
graphical reminder showed that Sony BMG is taking the threat seriously,
Kaminsky said, and could be responsible for much of the decrease in his
numbers. Sony BMG could not be reached for comment on Monday.

While the security issues related to the copy-protection software have
apparently affected U.S. government and military computers, the Department
of Justice will not likely get involved, said Jennifer Granick, executive
director of the Center for Internet and Society at Stanford Law School.

"I don't see the federal government suing a big company like Sony," she
said. "The fact that military networks have likely been affected by this
won't change that."




[infowarrior] - Spy Agency Data After Sept. 11 Led F.B.I. to Dead Ends

2006-01-16 Thread Richard Forno
January 17, 2006
Spy Agency Data After Sept. 11 Led F.B.I. to Dead Ends  (NYTimes)
By LOWELL BERGMAN, ERIC LICHTBLAU, SCOTT SHANE and DON VAN NATTA Jr.
http://tinyurl.com/aldyu

This article is by Lowell Bergman, Eric Lichtblau, Scott Shane and Don Van
Natta Jr.

WASHINGTON, Jan. 16 - In the anxious months after the Sept. 11 attacks, the
National Security Agency began sending a steady stream of telephone numbers,
e-mail addresses and names to the F.B.I. in search of terrorists. The stream
soon became a flood, requiring hundreds of agents to check out thousands of
tips a month.

But virtually all of them, current and former officials say, led to dead
ends or innocent Americans.

F.B.I. officials repeatedly complained to the spy agency that the unfiltered
information was swamping investigators. The spy agency was collecting much
of the data by eavesdropping on some Americans' international communications
and conducting computer searches of foreign-related phone and Internet
traffic. Some F.B.I. officials and prosecutors also thought the checks,
which sometimes involved interviews by agents, were pointless intrusions on
Americans' privacy.

As the bureau was running down those leads, its director, Robert S. Mueller
III, raised concerns about the legal rationale for the eavesdropping
program, which did not seek court warrants, one government official said.
Mr. Mueller asked senior administration officials about whether the program
had a proper legal foundation, but deferred to Justice Department legal
opinions, the official said.

President Bush has characterized the eavesdropping program, which focused on
the international communications of some Americans and others in the United
States, as a vital tool against terrorism; Vice President Dick Cheney has
said it has saved thousands of lives.

But the results of the program look very different to some officials charged
with tracking terrorism in the United States. More than a dozen current and
former law enforcement and counterterrorism officials, including some in the
small circle who knew of the secret eavesdropping program and how it played
out at the F.B.I., said the torrent of tips led them to few potential
terrorists inside the country they did not know of from other sources and
diverted agents from counterterrorism work they viewed as more productive.

"We'd chase a number, find it's a schoolteacher with no indication they've
ever been involved in international terrorism - case closed," said one
former F.B.I. official, who was aware of the program and the data it
generated for the bureau. "After you get a thousand numbers and not one is
turning up anything, you get some frustration."

Intelligence officials disagree with any characterization of the program's
results as modest, said Judith A. Emmel, a spokeswoman for the director of
national intelligence's office. Ms. Emmel cited a statement at a briefing
last month by Gen. Michael V. Hayden, the country's second-ranking
intelligence official and the director of the N.S.A. when the eavesdropping
program was started.

"I can say unequivocally that we have gotten information through this
program that would not otherwise have been available," General Hayden said.
The White House and the F.B.I. declined to comment on the program or its
results.

The differing views of the value of the N.S.A.'s foray into
intelligence-gathering in the United States may reflect both bureaucratic
rivalry and a culture clash. The N.S.A., an intelligence agency, routinely
collects huge amounts of data from across the globe that may yield only tiny
nuggets of useful information; the F.B.I., while charged with fighting
terrorism, retains the traditions of a law enforcement agency more focused
on solving crimes.

"It isn't at all surprising to me that people not accustomed to doing this
would say, 'Boy, this is an awful lot of work to get a tiny bit of
information,'" said Adm. Bobby R. Inman, a former N.S.A. director. "But the
rejoinder to that is, Have you got anything better?"

Several of the law enforcement officials acknowledged that they might not
know of arrests or intelligence activities overseas that grew out of the
domestic spying program. And because the program was a closely guarded
secret, its role in specific cases may have been disguised or hidden even
from key investigators.

Still, the comments on the N.S.A. program from the law enforcement and
counterterrorism officials, many of them high level, are the first
indication that the program was viewed with skepticism by key figures at the
Federal Bureau of Investigation, the agency responsible for disrupting plots
and investigating terrorism on American soil.

All the officials spoke on condition of anonymity because the program is
classified. It is coming under scrutiny next month in hearings on Capitol
Hill, which were planned after members of Congress raised questions about
the legality of the warrantless eavesdropping. The program was disclosed in
December by The New York 

[infowarrior] - Why's it so hard to get 'Buffy' on my iPod?

2006-01-13 Thread Richard Forno
Why's it so hard to get 'Buffy' on my iPod?

By Declan McCullagh
http://news.com.com/Whys+it+so+hard+to+get+Buffy+on+my+iPod/2100-1041_3-6026
753.html

Story last modified Fri Jan 13 03:58:00 PST 2006


SAN FRANCISCO--Buying an iPod is easy. Filling it with video turns out to be
much more difficult.

Apple Computer's iTunes store, of course, offers a few TV downloads for
purchase at $1.99 each. Those include a smattering of shows from NBC, USA
Network and the Sci-Fi Channel.

The selections are likely to improve, just as the iTunes lineup has
gradually expanded to include additions like the Grateful Dead.

But that won't help anyone who owns a video iPod today and wants to watch
something beyond Lost or Desperate Housewives. It especially won't help
someone with a library of DVDs that would make perfect iPod fodder.

Some products announced at the Macworld 2006 conference here this week try
to make this task easier.

Elgato Systems' new EyeTV 2 is a visually appealing upgrade to the company's
TV tuning software. It requires that you have one of Elgato's external USB
or Firewire-connected tuners. (They're Mac-specific, but plenty of Windows
equivalents, such as the Cats Eye USB HDTV tuner and MyTV ToGo, exist.)

After plugging the $350 EyeTV 500 box into my Apple PowerBook, I could
select which broadcast TV programs I wanted to watch. The EyeTV 500 receives
only digital signals, which yielded about a dozen channels in downtown San
Francisco. The software is straightforward, and the reworked layout now
resembles iTunes: Click on a program name to record, then manage saved
recordings in playlists.

All that was painless enough. The problem came when translating my saved
high-resolution TV shows to the lower-resolution, typically 320x240 pixel
format that works best on the iPod.

On an 18-month-old PowerBook with a 1.3GHz G4 processor and 512MB of RAM,
the process was painfully slow. Converting a 1920x1080 version of a single
episode of Malcolm in the Middle took more than three hours. The poor
little laptop just wasn't up to the task.

The good news is that once the conversion was finished, the show
automatically popped up in iTunes. And it's possible to set an option to
convert TV programs as soon as they're recorded, which means the process
takes place in the background--as long as you don't mind waiting.

The copyright law obstacle
But my fiancee and I have relatively few TV shows recorded, and we have far
more DVDs. Because we're flying from San Francisco to Ft. Lauderdale, Fla.,
later this month, I wanted to transfer some of her Sex and the City
episodes to an iPod.

Unfortunately, the software to do so isn't legal to distribute in or import
into the U.S., thanks to the Digital Millennium Copyright Act. Section 1201
of the law bans software designed for circumventing a technological
measure--in this case, the CSS, a copy-protection algorithm in commercial
DVDs.

That's led to a bizarre legal result. Because of a twist in the law, the
software to move DVDs onto a video iPod is illegal to sell but probably
legal to use--if you can get it.

"You're permitted to do it, but nobody's permitted to help you," says Peter
Jaszi, who teaches copyright law at American University in Washington, D.C.
"And you're not permitted to help anyone else." (Although, Jaszi cautions,
that's not a perfect argument because it relies on a legal theory that
hasn't been tested in the courts.)

Fortunately, the DMCA doesn't apply internationally. I found Macintosh OS X
software called HandBrake that's available from a server in France. (Windows
users have options like DVDx and DVDDecrypter.)

HandBrake turned out to be almost as straightforward as EyeTV 2. After
scanning a DVD, it lets you choose which titles to save (movies tend to have
one long title, while TV shows have multiple). On a PowerBook G4 with a
1.67GHz processor and 1GB of RAM, ripping a 48-minute TV show took about two
hours.

The wait was worth it. At 320x240 pixels, DVDs look stunning on the iPod's
screen, and a 48-minute TV segment took up 300MB. That means about 20 shows
can be squeezed onto a 60GB iPod--far more Sex and the City episodes than
anyone really needs.

The Usenet option
The problem with both of these techniques--over-the-air TV and DVD
conversion--is that they're slothful. Waiting for a video file to be
converted on a computer that's not top-of-the-line feels like a throwback to
the 1980s, when BBS users waited hours for an 800KB file to be sucked
through a modem's tiny pipe.

One solution is to download pre-converted files already in the iPod's
relatively low resolution. File-swapping networks are one way to do this,
but for those people worried about ending up at the business end of a
lawsuit, there's Guba.

Guba is a Web-based front end to Usenet, optimized for unlimited downloads
of TV shows for a $15 monthly fee. At Macworld, the company announced 

[infowarrior] - USDA Using Satellites to Monitor Farmers

2006-01-13 Thread Richard Forno
USDA Using Satellites to Monitor Farmers
http://apnews.myway.com/article/20060113/D8F3Q1F84.html

Jan 13, 7:44 AM (ET)

By ROXANA HEGEMAN

WICHITA, Kan. (AP) - Satellites have monitored crop conditions around the
world for decades, helping traders predict futures prices in commodities
markets and governments anticipate crop shortages.

But those satellite images are now increasingly turning up in courtrooms
across the nation as the Agriculture Department's Risk Management Agency
cracks down on farmers involved in crop insurance fraud.

The Agriculture Department's Farm Service Agency, which helps farmers get
loans and payments from a number of its programs, also uses satellite
imaging to monitor compliance.

Across government and private industry alike, satellite imaging technology
is being used in water rights litigation and in prosecution of environmental
cases ranging from a hog confinement facility's violations of waste
discharge regulations to injury damage lawsuits stemming from herbicide
applications. The technology is also used to monitor the forestry and mining
industries.

"A lot of farmers would be shocked at the detail you can tell. What it does
is keep honest folks honest," said G.A. "Art" Barnaby Jr., an agricultural
economist at Kansas State University.

Satellite technology, which takes images at roughly eight-day intervals, can
be used to monitor when farmers plant their acreage, how they irrigate them
and what crops they grow. If anomalies are found in a farm's insurance
claim, investigators can search satellite photos dating back years to
determine cropping practices on individual fields.

What's catching the attention of Barnaby and others is a spate of recent
cases involving the use of satellite imaging to prosecute farmers. The
largest so far has been a North Carolina case in which a couple faked
weather damage to their crops by having workers throw ice cubes onto a
tomato field and then beat the plants.

In September, Robert Warren was sentenced to six years and four months in
prison, while his wife, Viki, was sentenced to five years and five months.
They were also ordered to forfeit $7.3 million and pay $9.15 million in
restitution.

The Warrens and at least three other defendants pleaded guilty. But in one
related trial that went to a jury, prosecutors used satellite images and
testimony from a satellite image analyst to present their case.

"It was impressive to the jury to have this presentation about this eye in
the sky and satellite imagery and a trained expert," said Richard Edwards,
the assistant U.S. Attorney in North Carolina who prosecuted the case. "In
our case it did not make the case, but it sure helped and strengthened and
improved the case."

The Risk Management Agency is involved in three other multimillion-dollar
crop insurance fraud cases that have yet to be filed that will rival the
Warren case in scope, said Michael Hand, RMA's deputy administrator for
compliance.

While fewer than 100 cases have been prosecuted using satellite imaging
since the RMA started its crackdown in 2001, data mining - coupled with
satellite imaging - pinpoints about 1,500 farms annually that are put on a
watch list for possible crop fraud, Hand said. Ground inspections are done
on the suspect farms throughout the growing season.

The agency says its spot checklist generated by the satellite data has saved
taxpayers between $71 million and $110 million a year in fraudulent crop
insurance claims since 2001.

The agency stepped up its enforcement after the Agriculture Risk Protection
Act of 2000 mandated it use data mining to ferret out false claims, Hand
said. Every year, it ships claims data to the Center for Agriculture
Excellence at Tarleton State University in Stephenville, Texas, where
analysts look for anomalies in claims. They generate a list of claims for
further investigation, with satellite imaging pulled on the most egregious
cases.

Just as U.S. satellites kept track of things like the wheat harvest in the
former Soviet Union, other countries have also launched satellites to
monitor American crops. Germany, France and others have satellites
monitoring crop conditions, and many other private firms sell those images
in the U.S.

"Everybody spies on everybody. I was stunned to hear that myself," Edwards
said. "Someday, I may have to rely on a French satellite to convict an
American citizen."






[infowarrior] - First usable version of Chandler free/open PIM is out

2006-01-13 Thread Richard Forno
(c/o boingboing)

First usable version of Chandler free/open PIM is out

Chandler is a free and open personal organizer being developed by the Open
Source Applications Foundation, with design by Andy Hertzfeld of the
original MacOS GUI team. Eventually it's meant to integrate email as well as
calendaring and to-do items, but for now it's just the latter -- that said,
the latest release, 0.6, is finally something in shape that's usable by
civilians. The Chandler application development arc is a little reminiscent
of Mozilla/Firefox: a slow start that lays a solid foundation, with major
changes visible at each milestone.

http://chandler.osafoundation.org/





[infowarrior] - Some Safety and Reliability Questions About DRM

2006-01-13 Thread Richard Forno
Some Safety and Reliability Questions About DRM
~ by Victor Yodaiken
President and CEO, FSMLabs
http://www.groklaw.net/article.php?story=2006084253232

Digital Rights Management (DRM) technologies are supposed to protect
digitized "content", like movies and musical performances from being
illicitly copied or used. DRM technology is sometimes described as security
technology when it is really licensing technology - something very
different. In fact, DRM may decrease security and reliability.

Consider what might happen if a computer equipped with DRM technologies was
also used for the primary telephone of some unlucky person who opened his
email mail to find a spammer had sent him a pirated copy of a song. The song
begins to play automatically just as our fictional victim recognizes that he
is experiencing a heart attack and he desperately clicks the Skype window to
dial emergency services. But all he sees on the screen is a big notice:

DETECTION OF UNLICENSED USE OF MEDIA: SYSTEM SHUT DOWN.

Is this a realistic scenario? Based on the recent Sony BMG fiasco, it is.

Sony BMG put DRM software onto CDs that broke the basic system security and
made the entire system slower and less reliable. Imagine that your children
put such a CD on your computer and opened an avenue for hackers to make
copies of your business memos and personal email. Imagine what would happen
to the PC running a safety monitoring system for a nuclear power plant that
was also used by a technician who wanted to listen to CDs on the job.

We are entering the era of ubiquitous and safety critical computing, but the
developers of DRM technologies seem to believe that computers are nothing
more than personal entertainment systems for consumers. This belief is
convenient, because creating DRM mechanisms that respect security, safety,
and reliability concerns is going to be an expensive and complex engineering
task.

Our company sells real-time control software that runs on standard platforms
- the combination of standard operating systems and processors and we have
customers using Linux and PCs to control robots, telecommunications
switches, electric power lines, and machine tools. We're worried about how
DRM technology either built into the base hardware or into network services
will interact with software that provides safety critical services or that
manipulates confidential data or that has timing constraints.

Here are some issues:

1. One goal of DRM developers is to prevent "digitization". For example,
they want to make sure it is hard to play a CD on one device in front of a
microphone that records it, free of DRM, onto another device. But it would
be bad if our poor heart attack victim had evaded his email-induced problem
only to find the Skype call interrupted because a music CD playing in his
office triggered an anti-copying DRM mechanism. Another example I like to
bring up is an armed robber wearing a Mickey-Mouse t-shirt with some
embedded DRM triggering patterns in it - and a security camera that
obligingly shuts down when it detects the pattern.

2. If DRM is going to work, it will need to be enforced by a web of
reinforcing mechanisms: the processor will have a hardware ID and a hardware
locked key that will be inspected by the operating system which will have
its own keys that will be required by databases and media players and
network devices. What happens if a network card breaks and is replaced -
causing the DRM system to conclude hardware has changed? Do we need to wait
for new keys?

3. How will DRM-locked and DRM-free systems interact? The computer that
controls a medical blood test machine should not have DRM mechanisms on it,
but will that cause problems when it tries to transmit results to a
DRM-locked server? It's certainly plausible that DRM mechanisms will be
built into the network hardware/software combination on the server and it
will be tempting to make servers that refuse messages from "unsafe"
(DRM-free) sites.

4. Who controls DRM authenticity keys? Can a record company in dispute
with an artist deny that artist keys needed so that her new works can be
published directly or by a second company? What happens if your company's
design documents or advertising or spreadsheets get caught up in DRM
controls - who do you call to get a key? If you have data in one database
or file system and you switch, can you export the data without permission of
the vendor of the first system? Will DRM keys be under the control of
companies with an interest in denying their competitors access to the
market?

5. If someone wants to develop a media player used in a manufacturing
system, will a DRM-enforcing operating system or computer board refuse to
allow the media player access to video ports without a DRM key? What about
drivers for nonstandard devices - will these trigger DRM issues?

6. Will DRM actions interfere with system timing? If DRM mechanisms are
built

[infowarrior] - National uniform driver's license law is 'nightmare'

2006-01-13 Thread Richard Forno

http://www.usatoday.com/tech/news/techpolicy/2006-01-12-uniform-drivers-lice
nse_x.htm

National uniform driver's license law is 'nightmare'
By Brian Bergstein, Associated Press
An anti-terrorism law creating a national standard for all driver's licenses
by 2008 isn't upsetting just civil libertarians and immigration rights
activists.

State motor vehicle officials nationwide who will have to carry out the Real
ID Act say its authors grossly underestimated its logistical, technological
and financial demands.

In a comprehensive survey obtained by The Associated Press and in follow-up
interviews, officials cast doubt on the states' ability to comply with the
law on time and fretted that it will be a budget buster.

"It is just flat out impossible and unrealistic to meet the prescriptive
provisions of this law by 2008," Betty Serian, a deputy secretary of the
Pennsylvania Department of Transportation, said in an interview.

Nebraska's motor vehicles director, responding to the survey by the American
Association of Motor Vehicle Administrators, said that to comply with Real
ID her state may have to consider extreme measures and possibly a complete
reorganization.

And a record-sharing provision of Real ID was described by an Illinois
official as a nightmare for all states.

"Can we go home now??" the official wrote.

States use a hodgepodge of systems and standards in granting driver's
licenses and identification cards. In some places, a high school yearbook
may be enough to prove identity.

A major goal of Real ID - which was motivated by the Sept. 11 attacks, whose
perpetrators had legitimate driver's licenses - is to unify the disparate
licensing rules and make it harder to fraudulently obtain a card.

The law also demands that states link their record-keeping systems to
national databases so duplicate applications can be detected, illegal
immigrants caught and driving histories shared.

State licenses that fail to meet Real ID's standards will not be able to be
used to board an airplane or enter a federal building.

The law, which was attached to a funding measure for the Iraq war last May,
has been criticized by civil libertarians who contend it will create a de
facto national ID card and new centralized databases, inhibiting privacy.

Obstacles to compliance

UNIFORM IDs: The Real ID Act sets national standards for driver's licenses.
The law also seeks to ensure that immigrants can't get licenses that outlast
their legal status in the country.

BIG HURDLES: States worry that logistical, technological and financial
demands will prevent meeting the law's May 2008 deadline.

WHAT'S NEXT: States hope for specific guidance from the Department of
Homeland Security. State laws and computing systems will need overhaul.

State organizations such as the National Governors Association have blasted
the law as well. Many states will have to amend laws in order to comply.

Jeff Lungren, a spokesman for Real ID's principal backer, House Judiciary
Committee Chairman James Sensenbrenner, R-Wis., said there is no chance
states might win a delay of the 2008 deadline.

"We gave three years for this process," he said. "Every day that we continue
to have security loopholes, we're at greater risk."

The August survey by the motor vehicle administrators' group, which has not
been made public, asked licensing officials nationwide for detailed reports
on what it will take to meet Real ID's demands.

It was not meant to produce an overall estimate of the cost of complying
with Real ID. But detailed estimates produced by a few states indicate the
price will blow past a February 2005 analysis by the Congressional Budget
Office, which estimated Congress would need to spend $100 million
reimbursing states.

Pennsylvania alone estimated a hit of up to $85 million. Washington state
projected at least $46 million annually in the first several years.

Separately, a December report to Virginia's governor pegged the potential
price tag for that state as high as $169 million, with $63 million annually
in successive years. Of the initial cost, $33 million would be just to
redesign computing systems.

It remains unclear how much funding will come from the federal government
and how much the states will shoulder by raising fees on driver's licenses.

"If you begin to look at the full ramifications of this, we are talking
about billions and billions of dollars. Congress simply passed an unfunded
mandate," said Barry Steinhardt, director of the technology and liberty
project at the American Civil Liberties Union. "Every motorist in America is
going to pay the price of this, of the Congress' failure to do a serious
exploration of the cost, the complexity, of the difficulty."

The survey respondents and officials interviewed by the AP noted that many
concerns might be resolved as the Department of Homeland Security clarifies
its expectations for the law - such as whether existing licenses can be
grandfathered in - before it takes effect May 11, 

[infowarrior] - Good article on time to patch by OS vendors

2006-01-12 Thread Richard Forno
http://blogs.washingtonpost.com/securityfix/2006/01/a_timeline_of_m.html

Brian Krebs on Computer Security
A Time to Patch

A few months back while researching a Microsoft patch from way back in 2003,
I began to wonder whether anyone had ever conducted a longitudinal study of
Redmond's patch process to see whether the company was indeed getting more
nimble at fixing security problems.

For many years, Microsoft has been criticized for taking too long to issue
patches, especially when compared with patch releases for flaws found in
operating systems or software applications maintained by the open source
community, such as Linux or Mozilla's Firefox browser. But I wanted to find
out for myself just how long Microsoft takes on average to issue fixes for
known software flaws.

Finding no such comprehensive research, Security Fix set about digging
through the publicly available data for each patch that Microsoft issued
over the past three years that earned a critical rating. Microsoft
considers a patch critical if it fixes a security hole that attackers
could use to break into and take control over vulnerable Windows computers.

For each patch, Security Fix looked at the date Microsoft Corp. was notified
about a problem and then how long it took the company to issue a fix for
said problem. In most cases, information about who discovered the
vulnerability and when they reported it to Microsoft or disclosed it in
public was readily available through various citations by Mitre, which
maintains much of that data on the common vulnerabilities and exposures
(CVE) list.

In some cases, however, that submission or disclosure date was not publicly
available, and required Security Fix to contact the individual discoverer
and get the dates directly from them. In about a dozen cases, the discoverer
of a vulnerability did not respond to information requests or the flaw
appeared to have been found internally at Redmond, and in those instances
Microsoft filled in the blanks.

Here's what we found: Over the past three years, Microsoft has actually
taken longer to issue critical fixes when researchers waited to disclose
their research until after the company issued a patch. In 2003, Microsoft
took an average of three months to issue patches for problems reported to
them. In 2004, that time frame shot up to 134.5 days, a number that remained
virtually unchanged in 2005.

Below are three spreadsheets detailing our findings for the past three
years. The documents are downloadable either as Microsoft Excel files or
regular HTML files:

Download 2005patchlist.xls
Download 2005patchlist.htm

Download 2004patchlist.xls
Download 2004patchlist.htm

Download 2003patchlist.xls
Download 2003patchlist.htm

In the first column of each spreadsheet, you should see a hyperlinked MS
number that will take you to the Microsoft advisory for that patch. Next to
that column is a link to the CVE entry, which contains quite a bit more
information about how each flaw was discovered and by whom.

The data show that one area where Microsoft appears to be fixing problems
more quickly is when the company learns of security holes in its products at
the same time as everyone else. Advocates of this controversial full
disclosure approach believe companies tend to fix security flaws more
quickly when their dirty laundry is aired for all the world to see, and at
least on the surface that appears to be the case with Microsoft.

It is important to note, however, that in nearly all full-disclosure cases
cited here, news of the vulnerability was also issued alongside computer
code demonstrating how attackers might exploit the flaw.

In cases where Microsoft learned of a flaw in its products through full
disclosure, the company has indeed gotten speedier. In 2003, it took an
average of 71 days to release a fix for one of these flaws. In 2004 that
time frame decreased to 55 days, and in 2005 shrank further to 46 days.

The company also seems to have done a better job convincing security
researchers to give it time to develop a patch before going public with
their vulnerability findings. In 2003, Microsoft learned of at least eight
critical Windows vulnerabilities through full disclosure. Last year, this
happened half as many times.

I spoke at length about this project with Stephen Toulouse, a security
program manager at Microsoft. (Toulouse's team also verified the data in the
Excel spreadsheets that accompany this post). Toulouse said that if
Microsoft is taking longer to release patches for known vulnerabilities, it
is because the company has placed a renewed focus on ensuring that each
patch comprehensively fixes the problem throughout the Windows operating
system and that each fix does not introduce new glitches in the process.

Toulouse said developing a patch to mend a security hole is usually the
easiest part. Things get more problematic, he said, during the testing
process. If testers find a bug, the patch developers incorporate the fix
into all relevant 
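
The measurement the post describes (date the vendor was notified versus date the fix shipped, averaged per year and split by whether the details were public first) carried through as an added Python example; it is not the Security Fix spreadsheet or any of its data. The `PatchRecord` class, the `time_to_patch_summary` function and the `EX-…` identifiers are this example's own, and the records are constructed with day counts chosen to be checkable by hand. It also handles the gap the post mentions: a flaw whose report date could not be established is counted as excluded rather than guessed.

```python
"""Time-to-patch statistics of the kind the Security Fix study describes.

Added example, not code or data from the post. Records are constructed and
the bulletin ids are placeholders, not real Microsoft bulletin numbers.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PatchRecord:
    bulletin: str               # placeholder id (hypothetical), not a real MS bulletin
    reported: Optional[date]    # day the vendor was notified (None = unknown)
    disclosed: Optional[date]   # day details went public (None = not before the patch)
    patched: date               # day the fix shipped

    @property
    def full_disclosure(self) -> bool:
        """True when the details were public no later than the vendor was told."""
        if self.disclosed is None:
            return False
        return self.reported is None or self.disclosed <= self.reported

    @property
    def days_to_patch(self) -> Optional[int]:
        """Days from the vendor's first knowledge of the flaw to the patch.

        For full-disclosure flaws the clock starts at public disclosure; for
        privately reported flaws it starts at notification. None when no start
        date is known, so the record is excluded instead of estimated.
        """
        start = self.disclosed if self.full_disclosure else self.reported
        return None if start is None else (self.patched - start).days


Summary = Dict[Tuple[int, str], Tuple[int, float]]


def time_to_patch_summary(records: List[PatchRecord]) -> Tuple[Summary, int]:
    """Group records by patch year and disclosure mode.

    Returns ({(year, mode): (count, mean_days)}, excluded_count) where mode is
    "full_disclosure" or "private_report".
    """
    buckets: Dict[Tuple[int, str], List[int]] = defaultdict(list)
    excluded = 0
    for rec in records:
        days = rec.days_to_patch
        if days is None:
            excluded += 1
            continue
        mode = "full_disclosure" if rec.full_disclosure else "private_report"
        buckets[(rec.patched.year, mode)].append(days)
    summary = {key: (len(v), sum(v) / len(v)) for key, v in sorted(buckets.items())}
    return summary, excluded


# Constructed sample set (not the study's data); day counts noted per record.
SAMPLE_RECORDS = [
    PatchRecord("EX-2003-01", date(2003, 1, 10), None, date(2003, 3, 31)),            # 80
    PatchRecord("EX-2003-02", date(2003, 2, 1), None, date(2003, 5, 12)),             # 100
    PatchRecord("EX-2003-03", date(2003, 6, 1), date(2003, 6, 1), date(2003, 8, 10)), # full, 70
    PatchRecord("EX-2004-01", date(2004, 1, 1), None, date(2004, 4, 30)),             # 120 (leap year)
    PatchRecord("EX-2004-02", date(2004, 3, 1), None, date(2004, 7, 29)),             # 150
    PatchRecord("EX-2004-03", None, date(2004, 9, 1), date(2004, 10, 21)),            # full, 50
    PatchRecord("EX-2005-01", date(2005, 1, 1), None, date(2005, 5, 11)),             # 130
    PatchRecord("EX-2005-02", date(2005, 2, 1), None, date(2005, 6, 21)),             # 140
    PatchRecord("EX-2005-03", date(2005, 3, 1), date(2005, 3, 1), date(2005, 4, 10)), # full, 40
    PatchRecord("EX-2005-04", date(2005, 8, 3), date(2005, 8, 1), date(2005, 9, 22)), # full, 52
    PatchRecord("EX-2005-05", None, None, date(2005, 12, 13)),                        # no start: excluded
]


if __name__ == "__main__":
    summary, excluded = time_to_patch_summary(SAMPLE_RECORDS)
    for (year, mode), (count, mean_days) in summary.items():
        print(f"{year} {mode:16s} n={count} mean={mean_days:.1f} days")
    print(f"excluded (no known start date): {excluded}")
```

Run as a script it prints one line per (year, mode) bucket; the split matters because a single overall average would blend the two populations the post keeps apart, and the excluded count shows how many records an average rests on.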

[infowarrior] - Symantec provides hiding place for hackers

2006-01-12 Thread Richard Forno
Symantec provides hiding place for hackers

By Joris Evers
http://news.com.com/Symantec+provides+hiding+place+for+hackers/2100-1002_3-6
026203.html

Story last modified Wed Jan 11 17:20:00 PST 2006

Symantec has released an update to its popular Norton SystemWorks to fix a
security problem that could be abused by cybercriminals to hide malicious
software.

In the PC-tuning application, a feature called the Norton Protected Recycle
Bin creates a hidden directory on Windows systems. The feature is meant to
help people restore modified or deleted files, but the hidden folder might
not be scanned during scheduled or manual virus scans, Symantec said in an
advisory released Tuesday.

"This could potentially provide a location for an attacker to hide a
malicious file on a computer," Symantec said. The Cupertino, Calif.,
security provider is not aware of any attempts by hackers to conceal
malicious code in the folder. "This update is provided proactively to
eliminate the possibility of that type of activity," it said.

Symantec's alert has echoes of Sony BMG Music Entertainment's recent PC
security fiasco. The record label was found to be shipping copy-protected
compact discs that planted so-called rootkit software on the computers that
played them. The rootkit technology also offered a hiding place for
malicious software.

When the recovery feature was first introduced, hiding the directory helped
ensure that a user would not accidentally delete the files in it, Symantec
said.

"In light of current techniques used by malicious attackers, Symantec has
re-evaluated the value of hiding this directory," the company said in its
advisory.

Security monitoring company Secunia rates the issue "not critical." Symantec
itself deems the risk impact "low."

Symantec credits Mark Russinovich, the Sysinternals researcher who also
investigated the Sony rootkit, and F-Secure, a Finnish security company that
has a rootkit detection product, for helping it address the SystemWorks
issue.

The Norton update will display the previously hidden NProtect directory in
the Windows interface, which will allow it to be scanned by antivirus
products, Symantec said. The new version is available through the Symantec
LiveUpdate service. Installing the software will require a system reboot. 
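
A defender-side check for the blind spot this item describes, added here as an example and not Symantec's code: it walks a directory tree twice, once under a "skip hidden directories" policy and once without, and reports the files the first pass never sees. The `.recovery_cache` folder name and the `scan_tree` / `coverage_gap` helpers are this example's own and say nothing about the real NProtect layout; the sample tree is constructed in a temporary directory.

```python
"""Audit the blind spot a hidden directory creates under a skip-hidden scan policy.

Added example, not Symantec's code. The folder ".recovery_cache" is a
constructed stand-in for a hidden recovery folder, not the NProtect layout.
"""
import os
import stat
import sys
import tempfile
from pathlib import Path
from typing import List, Tuple


def is_hidden(path: Path) -> bool:
    """Hidden by the Unix dot-prefix convention or the Windows hidden attribute."""
    if path.name.startswith("."):
        return True
    if sys.platform == "win32":
        # st_file_attributes is only present on Windows.
        return bool(path.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
    return False


def scan_tree(root: Path, skip_hidden: bool) -> Tuple[List[str], List[str]]:
    """Walk root; return (files the scan would examine, directories it pruned).

    Paths are relative to root in POSIX form so results compare across platforms.
    """
    scanned: List[str] = []
    pruned: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        if skip_hidden:
            for name in list(dirnames):
                if is_hidden(here / name):
                    dirnames.remove(name)  # in-place removal stops os.walk descending
                    pruned.append((here / name).relative_to(root).as_posix())
        for name in filenames:
            scanned.append((here / name).relative_to(root).as_posix())
    return sorted(scanned), sorted(pruned)


def coverage_gap(root: Path) -> Tuple[List[str], List[str]]:
    """Files a skip-hidden scan never sees, plus the directories it pruned."""
    full, _ = scan_tree(root, skip_hidden=False)
    partial, pruned = scan_tree(root, skip_hidden=True)
    return sorted(set(full) - set(partial)), pruned


def build_sample_tree(root: Path) -> None:
    """Constructed layout: one visible folder, one hidden folder with a subfolder."""
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_text("visible document\n")
    hidden = root / ".recovery_cache"
    (hidden / "nested").mkdir(parents=True)
    (hidden / "restored.txt").write_text("a file the scanner should still inspect\n")
    (hidden / "nested" / "deeper.txt").write_text("one more level down\n")


def demo_coverage_gap() -> Tuple[List[str], List[str]]:
    """Build the sample tree in a temporary directory and report its coverage gap."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return coverage_gap(root)


if __name__ == "__main__":
    missed, pruned = demo_coverage_gap()
    print("directories pruned by the skip-hidden policy:", pruned)
    print("files that policy never scans:", missed)
```

Pruning in `os.walk` happens by editing `dirnames` in place, which is exactly how a scanner's exclusion list silently drops an entire subtree: nothing under the pruned directory is visited, so the nested file is missed as well as the top-level one.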





[infowarrior] - Geocode capability increases on Mac OSX

2006-01-12 Thread Richard Forno
(c/o D)

Yesterday both Google and Garmin announced support for OSX 10.4.

Google announced Google Earth, and Garmin is now (or will soon be) providing
hardware support for their GPS devices.

The announcements are not buried on their sites either. Both sites have the
announcements prominently displayed.

http://earth.google.com/
http://www.garmin.com/pressroom/corporate/011006.html

Garmin is presently a bigger name in the GPS/GIS community than Google, and
is the biggest name in GPS, so this is big news. It could possibly even
stimulate other vendors to begin porting to the platform.






[infowarrior] - Zero-day holiday

2006-01-12 Thread Richard Forno
Zero-day holiday
Kelly Martin,
http://www.securityfocus.com/columnists/377?ref=rss

A few hundred million Windows XP machines lay vulnerable on the Web today, a
week after a zero-day exploit was discovered. Meanwhile, new approaches and
ideas from the academic world - that focus exclusively on children - may
give us hope for the future after all.

For this month's column I had planned to write a positive, cheerful article
on some of the ways security has advanced over the past year. But the
Microsoft zero-day vulnerability discovered on December 27th, 2005 has
caused much activity and stress in the security community, and therefore I
will first digress with some short commentary. There are some great things
happening in the world of computers and networks, but today's Windows XP
security response isn't one of them.

0-day holiday

With the Windows XP WMF vulnerability and exploit discovered on December
27th, we are all faced with a very difficult situation. Incredibly, most of
the world's computers have been suddenly found vulnerable to massive data
theft and criminal use when they reach out onto the Internet - ripe for
exploitation with great ease, even by unskilled hackers. How simple this is
to do on a web page or through email, here at the beginning of 2006, is just
astonishing. While there have been many unpatched vulnerabilities for
Windows over the years, some with effective exploits available, nothing
quite reaches the magnitude of the situation we're in today.

Microsoft customers are in big trouble. In my time at SecurityFocus, I have
never seen such potential for damage or such a far-reaching vulnerability.
The RPC DCOM vulnerability in 2003 saw the creation of the Blaster worm and
its variants. Blaster alone infected more than 25 million machines. Today we
have an exploit that can elude even anti-virus and IDS sensors and
compromise a system very easily. It's frightening. In some ways, it's also
much worse - and much easier to infect machines with strong border security.
Even without an email-borne virus I anticipate the WMF vulnerability is
going to create greater waves than Blaster when all is said and done. A
single wrong click, even by an experienced security professional, and it's
game over. A simple search in Google and one click is all it takes.

A week after the zero-day vulnerability bites hard one of the world's most
influential software companies, we're told it will be still another week
until there is a fix. Based on the severity of this issue, the time delay is
unacceptable. Installing the unofficial patch is highly recommended. But
what else can we do?

Microsoft needs help from the security community. The community needs to
help Microsoft and Microsoft customers now more than ever. I truly believe
that millions of computers - perhaps tens of millions - are being
compromised by criminals right now. These include computers inside
government, military, and scientific installations. And millions of home
computers. Pretty much anyone who can reach the Web, receive email or
instant messages is vulnerable. Actual numbers and damage estimates, if they
are ever known, will follow in the weeks and months.

We encourage readers to use our free mailing lists - including Bugtraq - to
share information on workarounds to this problem, and how these can be
applied in your environment. As one of the cornerstones of the security
community, we encourage you to ask the hard questions and do whatever it
takes to protect the networks you work on from today's massive Windows XP
exploit threat.

Let us hope that law enforcement and politicians take note of this situation
in the weeks and months that follow, and craft (or enforce) legislation and
risk management that might help. Now, onto more positive things.

21-day holiday

With nothing positive to say about today's zero-day Windows exploit
situation, I'd like to look at the bright side of computers, networks and
security for a moment.

A few months ago at the United Nation's World Summit, the brilliant
researchers and visionaries at MIT and the MIT Media Lab showed a prototype
of a robust, inexpensive green computer - a $100 laptop for every child,
complete with a hand-crank for power. Widely covered in the media, this is
one of the greatest initiatives I have ever seen to help spread education
and knowledge - in a safe and secure environment - to some of the world's
poorest children through the use of computers. I've been watching this with
great interest since it was first announced a year ago.

MIT's Nicholas Negroponte made a passionate speech about the importance of
education in the developing world, and how a new ubiquitous, inexpensive
communication and learning tool known as the $100 computer can make a major
difference in the lives of the poorest of the poor. I found it interesting
that when asked about the details of the technology behind the $100
computer, Negroponte repeatedly dodged the technology and focused on the
aspect of education 

[infowarrior] - Symantec Caught in Norton 'Rootkit' Flap

2006-01-12 Thread Richard Forno
http://www.eweek.com/print_article2/0,1217,a=169032,00.asp

Symantec Caught in Norton 'Rootkit' Flap
January 11, 2006
By  Ryan Naraine

Symantec Corp. has fessed up to using a rootkit-type feature in Norton
SystemWorks that could provide the perfect hiding place for attackers to
place malicious files on computers.

The anti-virus vendor acknowledged that it was deliberately hiding a
directory from Windows APIs as a feature to stop customers from accidentally
deleting files but, prompted by warnings from security experts, the company
shipped a SystemWorks update to eliminate the risk.

Symantec, of Cupertino, Calif., is the second commercial company caught in
the flap over the use of rootkit-type techniques to hide files on computers.
Rootkits are programs that are used to give a remote user access to a
compromised system while avoiding detection from security scanners.

Music company Sony BMG faced a firestorm of criticism after anti-rootkit
scanners fingered the use of stealthy rootkit-type techniques to cloak its
DRM scheme. After malicious hackers used the Sony DRM rootkit as a hiding
place for Trojans, the company suspended the use of the technology and
recalled CDs with the offending copy protection mechanism.

A spokesman for Symantec referenced the Sony flap in a statement sent to
eWEEK, but downplayed the risk to consumers. In light of current techniques
used by today's malicious attackers, Symantec re-evaluated the value of
hiding the [previously cloaked] directory. Though the chance of an attacker
using [it] as a possible attack vector is extremely slim, Symantec's update
further protects computers by displaying the directory, the spokesman said.

He explained that the feature, called Norton Protected Recycle Bin, was
built into Norton SystemWorks with a directory called NProtect that is hidden
from Windows APIs. Because it is cloaked, files in the NProtect directory
might not be scanned during scheduled or manual virus scans.

This could potentially provide a location for an attacker to hide a
malicious file on a computer, the company admitted, noting that the updated
version will now display the previously hidden directory in the Windows
interface.

Despite the very low risk of this vulnerability, Symantec is strongly
recommending that SystemWorks users update the product immediately to ensure
greater protection. To date, Symantec is not aware of any attempts by
hackers to conceal malicious code in the NProtect folder, the spokesman
added.

Mark Russinovich, the Windows internals guru who blew the whistle on Sony's
controversial DRM rootkit, was credited with the SystemWorks discovery along
with researchers at Finnish anti-virus vendor F-Secure Corp.

Russinovich, creator of the RootkitRevealer anti-rootkit utility, said the
use of rootkit-type features by commercial vendors is very worrisome.

It's a bad, bad, bad idea to start hiding things in places where it
presents a danger. I'm seeing it more and more with commercial vendors,
Russinovich said in an interview with eWEEK.

When you use rootkit-type techniques, even if your intentions are good, the
user no longer has full control of the machine. It's impossible to manage
the security and health of that system if the owner is not in control.

Russinovich said Symantec was very receptive to the warnings that the
hidden directory presented a real risk to computer users. In Sony's case,
it was meant as a benefit to Sony. In Symantec's case, they really believed
it was a benefit to the consumer. I don't see the benefit but I think they
had good intentions. They did the right thing by making this change, he
added.

Russinovich, who plans to publish more evidence of commercial vendors using
rootkits at Sysinternals.com, also pinpointed another big problem. When you
have different vendors changing the way Windows works, they start
interfering with each other. Two or three rootkits on a machine could
seriously change the way Windows behaves and that's another big concern, he
said.

Mikko Hypponen, director of anti-virus research at the F-Secure Corp., said
his company's BlackLight Rootkit Elimination Technology also detected the
NProtect directory, which was hidden from the Windows FindFirst/FindNext
APIs.

We found out about this when we shipped the first BlackLight beta in March
2005 and started getting reports back from users. Then we tested it in our
own labs and confirmed the functionality in Symantec. It's not a huge
problem, but I'm glad they've now fixed it, Hypponen said in an interview.

He confirmed Russinovich's contention that more and more legitimate
commercial vendors are using cloaking mechanisms, warning that it is a
dangerous trend, even if it's not an offensive, malicious rootkit.

The area is a little gray. We've seen a dozen or so commercial vendors
hiding folders. Some are actual 

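The detection the article credits to RootkitRevealer and BlackLight is a cross-view comparison: a filter that edits FindFirst/FindNext results only changes the high-level API view, so an entry that an independent low-level view (raw volume parse or a boot-time scan) still contains gives the cloaking away. The script below is an added illustration, not code from the article, Sysinternals or F-Secure; the two directory trees are constructed stand-ins for those enumerations, and the placement of NProtect under a Recycler folder is an assumption for the sample only.

```python
"""Cross-view directory diff (added example of the technique RootkitRevealer
and BlackLight use; not the vendors' code). Each view is a nested dict:
name -> subtree for a directory, name -> None for a file."""
from dataclasses import dataclass
from typing import Dict, List, Optional

Tree = Dict[str, Optional[dict]]


@dataclass(frozen=True)
class Discrepancy:
    path: str      # backslash-joined path relative to the volume root
    kind: str      # "hidden_from_api" or "missing_from_raw"
    is_dir: bool


def _walk(tree: Optional[dict], prefix: str, kind: str) -> List[Discrepancy]:
    """Record every entry beneath a subtree that exists in only one view."""
    out: List[Discrepancy] = []
    if tree is None:          # a file has nothing beneath it
        return out
    for name, sub in sorted(tree.items()):
        path = prefix + "\\" + name
        out.append(Discrepancy(path, kind, sub is not None))
        out.extend(_walk(sub, path, kind))
    return out


def cross_view_diff(api_view: Tree, raw_view: Tree, prefix: str = "") -> List[Discrepancy]:
    """Compare the API enumeration with the independent raw view.

    An entry only the raw view holds is what a FindFirst/FindNext filter
    produces. An entry only the API reports is the opposite anomaly, most
    often a file created or deleted between the two passes; it is reported
    so an analyst can rule it out rather than silently dropped.
    """
    findings: List[Discrepancy] = []
    for name in sorted(set(api_view) | set(raw_view)):
        path = f"{prefix}\\{name}" if prefix else name
        in_api, in_raw = name in api_view, name in raw_view
        if in_raw and not in_api:
            findings.append(Discrepancy(path, "hidden_from_api", raw_view[name] is not None))
            findings.extend(_walk(raw_view[name], path, "hidden_from_api"))
        elif in_api and not in_raw:
            findings.append(Discrepancy(path, "missing_from_raw", api_view[name] is not None))
            findings.extend(_walk(api_view[name], path, "missing_from_raw"))
        else:
            a, r = api_view[name], raw_view[name]
            if a is not None and r is not None:   # both directories: descend
                findings.extend(cross_view_diff(a, r, path))
    return findings


def unscanned_files(findings: List[Discrepancy]) -> List[str]:
    """Files an API-driven scanner never enumerated: exactly the hiding
    place the article says a cloaked directory offers."""
    return [f.path for f in findings if f.kind == "hidden_from_api" and not f.is_dir]


# Constructed sample views of one volume. The API view lacks the NProtect
# directory (mimicking the SystemWorks cloaking; its location under Recycler
# is assumed), while the raw view still lists it. tmp.lock stands for a
# file created between the two passes, so it appears only in the API view.
API_VIEW: Tree = {
    "Documents": {"report.doc": None, "tmp.lock": None},
    "Recycler": {"S-1-5-21-1": {"INFO2": None}},
    "Windows": {"System32": {"kernel32.dll": None}},
}
RAW_VIEW: Tree = {
    "Documents": {"report.doc": None},
    "Recycler": {
        "S-1-5-21-1": {"INFO2": None},
        "NProtect": {"00000001": {"deleted.txt": None}},
    },
    "Windows": {"System32": {"kernel32.dll": None}},
}

if __name__ == "__main__":
    for d in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{d.kind:17} {'dir ' if d.is_dir else 'file'} {d.path}")
    print("never scanned:", unscanned_files(cross_view_diff(API_VIEW, RAW_VIEW)))
```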
[infowarrior] - Verizon Prevents Treo Use As 3G Modem

2006-01-12 Thread Richard Forno
Verizon Prevents Treo Use As 3G Modem

http://www.mobilepipeline.com/175803792?cid=rssfeed_pl_mwp

By James M. Turner Mobile Pipeline

So you just bought a Windows Mobile Treo with EV-DO service and you want to
use it as a modem for your laptop? Forget it. Verizon Wireless says you must
buy a second 3G subscription and they have the technology to back it up.

Specifically, while the device, which has been well-reviewed, comes with
Bluetooth, Verizon has disabled the Bluetooth dial-up networking capability
that would enable the Treo 700w to act as a modem for laptops. That means
subscribers who buy the Treo 700w and a $50 monthly subscription for EV-DO
service on that device must purchase a second subscription for $60 monthly,
plus an EV-DO card to access the Web using a laptop.

According to Verizon, the Treo doesn't currently meet requirements they
specify for their network. Russ Brankley, director of data network services
for the cellular operator, said that the company hopes to enable modem
functionality for the Treo in the third quarter of 2006 and expects, but
would not commit, to the fix being backward compatible with existing units.

We have a history of taking care of our customers, Brankley said.

Brankley also added that, while the capability might be enabled in the
future, users will still have to pay more for the capability, although it
likely will be less than the $60 monthly fee for EV-DO service. He said the
specific fee will depend on the service plan the user selects.

Not The First Time

This isn't the first time Verizon has limited Bluetooth functionality in its
phones to prevent users from accessing services they otherwise would have to
pay for. The cellular operator was a defendant in a class action lawsuit in
the state of California over their advertising of the Motorola V710 phone,
which had many of its Bluetooth capabilities removed by the company.

Verizon eventually settled with the plaintiffs, although they admitted no
wrongdoing.

Besides the Treo 700w, all of Verizon phones used for its V Cast service,
which accesses media and games over the EV-DO network, have had their
Bluetooth and USB DUN abilities turned off. V CAST doesn't provide broad
access to the Internet but, rather, only to specific content made available
by Verizon Wireless. It also costs considerably less than full EV-DO access.

Brankley said that Verizon plans to enable DUN on most of their new
consumer-grade phones by mid-year. He said that the currently-sold V CAST
phones do not properly interact with their network when used as a modem, but
refused to cite examples, claiming that such information is proprietary.

Verizon also has disabled the ability to install ring tones from the
Motorola v815 flash card to the phone without paying to e-mail them to the
phone, although crafty customers reportedly have discovered work-arounds for
that problem.

Ironically, some customers reportedly have re-enabled their outgoing dialup
functionality on the v815 by pressing ##DIALUP, and may be getting free data
calls because Verizon has no system in place to sell data services for
anything but smartphones and PCMCIA cards. Sprint, which also offers EV-DO
service, offers the ability to tether their phones to laptops for a $25
fee, which includes 40MB/month of data transfer. Usage above 40MB incurs
separate additional charges up to a maximum of $70 per month.

Making Customers Unhappy

After months of build-up for the new Treo 700w, however, Verizon's marketing
approach has angered some of its customers.

It's insane to have someone with a Verizon phone with EV-DO, and expect
them to pay another $60 a month for another phone account with EV-DO so you
can use it on your laptop, said Tyler Endicott, who described himself as a
help desk technician from Southern California. He added that employees and
even store managers in Verizon Wireless stores know nothing about this
limitation.

According to one member of EVDOForums.com who goes by the handle xenophon,
Verizon tends to behave like a vendor that allows only very specific
services - to steer customers towards services that they market.

Besides limiting use of the phones as modems, Verizon and other cellular
carriers also place usage limits, as previously reported, on their so-called
unlimited service plans. EVDOForum users have, for instance, reported having
their EV-DO service cut off for excessive usage.

Although Verizon sells their EV-DO service as unlimited, the actual terms
and conditions of the service limit EVDO use to Internet browsing, e-mail
and intranet access. Specifically, large file transfers could lead to
termination of service, even if the material being transferred is legal.


[infowarrior] - Schneier: Anonymity Won't Kill the Internet

2006-01-12 Thread Richard Forno
Anonymity Won't Kill the Internet

By Bruce Schneier | http://www.wired.com/news/columns/1,7-0.html

In a recent essay, Kevin Kelly warns of the dangers of anonymity. It's OK in
small doses, he maintains, but too much of it is a problem: (I)n every
system that I have seen where anonymity becomes common, the system fails.
The recent taint in the honor of Wikipedia stems from the extreme ease which
anonymous declarations can be put into a very visible public record.
Communities infected with anonymity will either collapse, or shift the
anonymous to pseudo-anonymous, as in eBay, where you have a traceable
identity behind an invented nickname.

Kelly has a point, but it comes out all wrong. Anonymous systems are
inherently easier to abuse and harder to secure, as his eBay example
illustrates. In an anonymous commerce system -- where the buyer does not
know who the seller is and vice versa -- it's easy for one to cheat the
other. This cheating, even if only a minority engaged in it, would quickly
erode confidence in the marketplace, and eBay would be out of business. The
auction site's solution was brilliant: a feedback system that attached an
ongoing reputation to those anonymous user names, and made buyers and
sellers accountable for their actions.

And that's precisely where Kelly makes his mistake. The problem isn't
anonymity; it's accountability. If someone isn't accountable, then knowing
his name doesn't help. If you have someone who is completely anonymous, yet
just as completely accountable, then -- heck, just call him Fred.

History is filled with bandits and pirates who amass reputations without
anyone knowing their real names.

EBay's feedback system doesn't work because there's a traceable identity
behind that anonymous nickname. EBay's feedback system works because each
anonymous nickname comes with a record of previous transactions attached,
and if someone cheats someone else then everybody knows it.

Similarly, Wikipedia's veracity problems are not a result of anonymous
authors adding fabrications to entries. They're an inherent property of an
information system with distributed accountability. People think of
Wikipedia as an encyclopedia, but it's not. We all trust Britannica entries
to be correct because we know the reputation of that company, and by
extension its editors and writers. On the other hand, we all should know
that Wikipedia will contain a small amount of false information because no
particular person is accountable for accuracy -- and that would be true even
if you could mouse over each sentence and see the name of the person who
wrote it.

Historically, accountability has been tied to identity, but there's no
reason why it has to be so. My name doesn't have to be on my credit card. I
could have an anonymous photo ID that proved I was of legal drinking age.
There's no reason for my e-mail address to be related to my legal name.

This is what Kelly calls pseudo-anonymity. In these systems, you hand your
identity to a trusted third party that promises to respect your anonymity to
a limited degree. For example, I have a credit card in another name from my
credit-card company. It's tied to my account, but it allows me to remain
anonymous to merchants I do business with.

The security of pseudo-anonymity inherently depends on how trusted that
trusted third party is. Depending on both local laws and how much they're
respected, pseudo-anonymity can be broken by corporations, the police or the
government. It can be broken by the police collecting a whole lot of
information about you, or by ChoicePoint collecting billions of tiny pieces
of information about everyone and then making correlations. Pseudo-anonymity
is only limited anonymity. It's anonymity from those without power, and not
from those with power. Remember that anon.penet.fi couldn't stay up in the
face of government.

In a perfect world, we wouldn't need anonymity. It wouldn't be necessary for
commerce, since no one would ostracize or blackmail you based on what you
purchased. It wouldn't be necessary for internet activities, because no one
would blackmail or arrest you based on who you corresponded with or what you
read. It wouldn't be necessary for AIDS patients, members of fringe
political parties or people who call suicide hotlines. Yes, criminals use
anonymity, just like they use everything else society has to offer. But the
benefits of anonymity -- extensively discussed in an excellent essay by Gary
T. Marx -- far outweigh the risks.

In Kelly's world -- a perfect world -- limited anonymity is enough because
the only people who would harm you are individuals who cannot learn your
identity, and not those in power who can.

We do not live in a perfect world. We live in a world where information
about our activities -- even ones that are perfectly legal -- can easily be
turned against us. Recent news reports have described a student being
hounded by his college because he said uncomplimentary things in his blog,

[infowarrior] - Surge in Sale of Disposable Cell Phones May Have Terror Link

2006-01-12 Thread Richard Forno
Surge in Sale of Disposable Cell Phones May Have Terror Link
Phones Can Be Difficult or Impossible to Track; Large Quantities Purchased
in California, Texas
By BRIAN ROSS and RICHARD ESPOSITO
http://abcnews.go.com/WNT/print?id=1499905

Jan. 12, 2006 -- Federal agents have launched an investigation into a surge
in the purchase of large quantities of disposable cell phones by individuals
from the Middle East and Pakistan, ABC News has learned.

The phones -- which do not require purchasers to sign a contract or have a
credit card -- have many legitimate uses, and are popular with people who
have bad credit or for use as emergency phones tucked away in glove
compartments or tackle boxes. But since they can be difficult or impossible
to track, law enforcement officials say the phones are widely used by
criminal gangs and terrorists.

There's very little audit trail assigned to this phone. One can walk in,
purchase it in cash, you don't have to put down a credit card, buy any
amount of minutes to it, and you don't, frankly, know who bought this, said
Jack Cloonan, a former FBI official who is now an ABC News consultant.

Law enforcement officials say the phones were used to detonate the bombs
terrorists used in the Madrid train attacks in March 2004.

The application of prepaid phones for nefarious reasons, is really
widespread. For example, the terrorists in Madrid used prepaid phones to
detonate the bombs in the subway trains that killed more than 200 people,
said Roger Entner, a communications consultant.

150 Phones in One Sale, 60 Phones in Another

The FBI is closely monitoring the potentially dangerous development, which
came to light following recent large-quantity purchases in California and
Texas, officials confirmed.

In one New Year's Eve transaction at a Target store in Hemet, Calif., 150
disposable tracfones were purchased. Suspicious store employees notified
police, who called in the FBI, law enforcement sources said.

In an earlier incident, at a Wal-mart store in Midland, Texas, on December
18, six individuals attempted to buy about 60 of the phones until store
clerks became suspicious and notified the police. A Wal-mart spokesperson
confirmed the incident.

The Midland, Texas, police report dated December 18 and obtained by ABC News
states: Information obtained by MPD [Midland Police Department] dispatch
personnel indicated that approximately six individuals of Middle-Eastern
origin were attempting to purchase an unusually large quantity of tracfones
(disposable cell phones with prepaid minutes attached). At least one of the
suspects was identified as being from Iraq and another from Pakistan,
officials said.

Upon the arrival of officers, suspects were observed moving away from the
registers -- appearing to evade detection while ridding themselves of the
merchandise.

Other reports have come in from other cities, including Dallas, and from
authorities in other states. Authorities in Pennsylvania, New York and other
parts of Texas confirmed that they were alerted to the cases, and sources
say other jurisdictions were also notified.

The growing use of the throwaway cell phones has been cited by President
Bush as an important justification for expanding the wiretap laws under the
Patriot Act.

Law enforcement officials can now use what's now called roving wiretaps,
which will prevent a terrorist from switching cell phones to get a message
out to one of his buddies, Bush said on April 20, 2004.

Legitimate Uses May Have Spurred Sales, Too

Law enforcement sources say it is possible some large purchases that have
been identified as being sent to the Middle East could have been sent for
resale in a sellers' market for handsets, or simply given to friends and
relatives. Officials are also investigating these possibilities.

Managing the complex balancing of these two issues -- significant and
legitimate uses and their potential for misuse -- has been an ongoing dilemma
for law enforcement.

For now, both intelligence officers and bomb technicians have been
monitoring reports of large-quantity purchases.

Some such purchases may have innocent explanations, but even law enforcement
officials themselves say disposable phones are sometimes their own phones of
choice when operating in hostile environments. The CIA recently used them in
a kidnapping in Milan, Italy. Italian authorities were able to track the
telephones. But they mostly tracked them to a dead end -- the false
identities in which they were purchased.

Possible purchasers of disposable cellular phones could also include
political extremists, terrorist supporters, sympathizers or others simply
shaken by the recent revelations of the spy agency's widespread monitoring
of calls, including calls to and from the United States to foreign
countries.

Police Report Identifies Terror Links

The Midland, Texas, arrest report police also identified the individuals as
linked to a terror cell:

Evasive responses provided by the subjects, coupled with 

[infowarrior] - OpEd: You're being watched ...

2006-01-12 Thread Richard Forno

http://www.latimes.com/news/printedition/opinion/la-oe-donohue12jan12,1,3860
067.story
From the Los Angeles Times
You're being watched ...
Efforts to collect data on Americans go far beyond the NSA's domestic spying
program.
By Laura K. Donohue

January 12, 2006

CONGRESS WILL soon hold hearings on the National Security Agency's domestic
spying program, secretly authorized by President Bush in 2002. But that
program is just the tip of the iceberg.

Since 9/11, the expansion of efforts to gather and analyze information on
U.S. citizens is nothing short of staggering. The government collects vast
troves of data, including consumer credit histories and medical and travel
records. Databases track Americans' networks of friends, family and
associates, not just to identify who is a terrorist but to try to predict
who might become one.

Remember Total Information Awareness, retired Adm. John Poindexter's effort
to harness all government and commercial databases to preempt national
security threats? The idea was that disparate, seemingly mundane behaviors
can reveal criminal intent when viewed together. More disturbing, it assumed
that deviance from social norms can be an early indicator of terrorism.
Congress killed that program in 2003, but according to the Associated Press,
many related projects continued.

The Defense Advanced Research Projects Agency runs a data-mining program
called Evidence Extraction and Link Discovery, which connects pieces of
information from vast amounts of data sources. The Defense Intelligence
Agency trawls intelligence records and the Internet to identify Americans
connected to foreign terrorists. The CIA reportedly runs Quantum Leap, which
gathers personal information on individuals from private and public sources.
In 2002, Congress authorized $500 million for the Homeland Security
Department to develop data mining and other advanced analytical tools. In
2004, the General Accounting Office surveyed 128 federal departments and
agencies to determine the extent of data mining. It found 199 operations, 14
of which related to counterterrorism.

What type of information could these mine? Your tax, education, vehicle,
criminal and welfare records for starters. But also other digital data, such
as your travel, medical and insurance records -- and DNA tests. Section 505
of the Patriot Act (innocuously titled Miscellaneous National Security
Authorities) extends the type of information the government can obtain
without a warrant to include credit card records, bank account numbers and
information on Internet use.

Your checking account may tell which charities or political causes you
support. Your credit card statements show where you shop, and your
supermarket frequent-buyer-card records may indicate whether you keep kosher
or follow an Islamic halal diet. Internet searches record your interests,
down to what, exactly, you read. Faith forums or chat rooms offer a window
into your thoughts and beliefs. E-mail and telephone conversations contain
intimate details of your life.

A University of Illinois study found that in the 12 months following 9/11,
federal agents made at least 545 visits to libraries to obtain information
about patrons. This isn't just data surveillance. It's psychological
surveillance.

Many Americans might approve of data mining to find terrorists. But not all
of the inquiries necessarily relate to terrorism. The Patriot Act allows law
enforcement officers to get sneak and peek warrants to search a home for
any suspected crime -- and to wait months or even years to tell the owner
they were there. Last July, the Justice Department told the House Judiciary
Committee that only 12% of the 153 sneak and peek warrants it received
were related to terrorism investigations.

The FBI has used Patriot Act powers to break into a judge's chambers and to
procure records from medical clinics. Documents obtained by the American
Civil Liberties Union recently revealed that the FBI used other new powers
to eavesdrop on environmental, political and religious organizations.

When Congress looks into domestic spying in the war on terror, it should
ask a series of questions:

First, what information, exactly, is being collected? Are other programs
besides the president's NSA initiative ignoring traditional warrant
requirements? Are federal agencies dodging weak privacy laws by outsourcing
the job to private contractors?

Second, who has access to the data once it is collected, and what legal
restrictions are set on how it can be used or shared?

Third, who authorized data mining, and is its use restricted to identifying
terrorists?

Fourth, what is the collective effect of these programs on citizens' rights?
Privacy certainly suffers, but as individuals begin to feel inhibited in
what they say and do, free speech and freedom of assembly also erode.

Fifth, how do these data collection and mining operations deal with error?
As anyone who's tried to dispute an erroneous credit report can attest, 

[infowarrior] - FW: DHS & Your Tax Dollars

2006-01-11 Thread Richard Forno
(via attrition)

http://www.osvdb.org/blog/?p=83

DHS & Your Tax Dollars

http://news.com.com/Homeland+Security+helps+secure+open-source+code/2100-100
2_3-6025579.html

   Through its Science and Technology Directorate, the department has given
   $1.24 million in funding to Stanford University, Coverity and Symantec
   to hunt for security bugs in open-source software and to improve
   Coverity's commercial tool for source code analysis, representatives for
   the three grant recipients told CNET News.com.

   The Homeland Security Department grant will be paid over a three-year
   period, with $841,276 going to Stanford, $297,000 to Coverity and
   $100,000 to Symantec, according to San Francisco-based technology
   provider Coverity, which plans to announce the award publicly on
   Wednesday.

   The project, while generally welcomed, has come in for some criticism
   from the open-source community. The bug database should help make
   open-source software more secure, but in a roundabout way, said Ben
   Laurie, a director of the Apache Foundation who is also involved with
   OpenSSL. A more direct way would be to provide the code analysis tools
   to the open-source developers themselves, he said.

So DHS uses $1.24 million dollars to fund a university and two commercial
companies. The money will be used to develop source code auditing tools
that will remain private. Coverity and Symantec will use the software on
open-source software (which is good), but is arguably a huge PR move to
help grease the wheels of the money flow. Coverity and Symantec will also
be able to use these tools for their customers, which will pay them money
for this service.

Why exactly do my tax dollars pay for the commercial development of tools
that are not released to the public? As Ben Laurie states, why can't he get
a copy of these taxpayer-funded tools to run on the code his team
develops? Why must they submit their code to a commercial third party for
review to get any value from this software?

Given the date of this announcement, coupled with the announcement of
Stanford's PHP-CHECKER, it makes me wonder when the funds started rolling.
There are obviously questions to be answered regarding Stanford's project
(that I already asked). This also makes me wonder what legal and ethical
questions should be asked about tax dollars being spent by the DHS, for a
university to fund the development of a security tool that could
potentially do great good if released for all to use.

It's too bad there is more than a year-long wait for FOIA requests made to
the DHS.





[infowarrior] - Microsoft's FAT file system patent upheld

2006-01-11 Thread Richard Forno
Microsoft's file system patent upheld

By Anne Broache
http://news.com.com/Microsofts+file+system+patent+upheld/2100-1012_3-6025447
.html

Story last modified Tue Jan 10 14:09:00 PST 2006

Two patents covering one of Microsoft's main Windows file-storage systems
are valid after all, federal patent examiners have decided.

The decision, announced Tuesday by the software giant, effectively ends a
two-year saga over the patents and reverses two non-final rulings--the
latest issued in October--in which the U.S. Patent and Trademark Office
rejected Microsoft's claims.

In their latest action, filed last week, the examiners concluded that the
company's File Allocation Table (FAT) file system is, in fact, novel and
non-obvious, entitling it to patentability. Now the office is in the
process of issuing a patent re-examination certificate, which signals the
finality of the decision, a Microsoft representative said.

The FAT file system, a common means of storing files, was originally
developed for the DOS operating system, but has also been employed in
Microsoft's Windows and on removable flash memory cards used in digital
cameras and other devices. Some Linux- and Unix-related products also use
the system to exchange data with Windows.

The Patent Office agreed to re-examine two patents covering the FAT system
at the request of a little-known public interest group called the Public
Patent Foundation in April 2004.

That organization claimed there was prior art that proved Microsoft was
not the first company to come up with the file format.

It also voiced concern that Microsoft would try to seek royalties from
companies that sell and support Linux for using the technology, potentially
posing a threat to the free software community. Under the terms of the Free
Software Foundation's General Public License, Linux cannot be distributed if
it contains patented technology that requires royalty payments.

Microsoft indicated in the past that it would license the file format. In
December 2003, it said it had struck such a deal with flash memory vendor
Lexar Media.

The Patent Office's final decision followed several non-binding decisions
that were unfavorable to Microsoft. After issuing its preliminary rejection
of the patents in September 2004, examiners handed down a similar decision
about a year later.

All along, Microsoft voiced confidence that the patents would be upheld.
David Kaefer, the company's director of business development, said Tuesday
that the company was very pleased with the office's final decision. This
result underscores the validity of these patents but also the importance of
allowing third parties to request re-examinations, he said in a statement.

Public Patent Foundation President Dan Ravicher said his organization
disagreed with the Patent Office's conclusions and offered a broader
critique.

Microsoft has won a debate where they were the only party allowed to speak,
in that the patent re-examination process bars the public from rebutting
arguments made by Microsoft, he told CNET News.com. We still believe these
patents are invalid and that a process that gave the public equal time to
present its positions would result in them being found as such.

CNET News.com's Ina Fried contributed to this report.






[infowarrior] - Homeland Security opening private mail

2006-01-09 Thread Richard Forno
(Note: The USG always had that authority, but this is the first time I've
seen it used by DHS. -rf)

Homeland Security opening private mail
Retired professor confused, angered when letter from abroad is opened
By Brock N. Meeks
Chief Washington correspondent
MSNBC
Updated: 5:55 p.m. ET Jan. 6, 2006

WASHINGTON - In the 50 years that Grant Goodman has known and corresponded
with a colleague in the Philippines he never had any reason to suspect that
their friendship was anything but spectacularly ordinary.

But now he believes that the relationship has somehow sparked the interest
of the Department of Homeland Security and led the agency to place him under
surveillance.

Last month Goodman, an 81-year-old retired University of Kansas history
professor, received a letter from his friend in the Philippines that had
been opened and resealed with a strip of dark green tape bearing the words
"by Border Protection" and carrying the official Homeland Security seal.

"I had no idea (Homeland Security) would open personal letters," Goodman
told MSNBC.com in a phone interview. "That's why I alerted the media. I
thought it should be known publicly that this is going on," he said.
Goodman originally showed the letter to his own local newspaper, the
Kansas-based Lawrence Journal-World.

"I was shocked and there was a certain degree of disbelief in the
beginning," Goodman said when he noticed the letter had been tampered with,
adding that he felt his privacy had been invaded. "I think I must be under
some kind of surveillance."

Goodman is no stranger to mail snooping; as an officer during World War II
he was responsible for reading all outgoing mail of the men in his command
and censoring any passages that might provide clues as to his unit's
position. "But we didn't do it as clumsily as they've done it, I can tell
you that," Goodman noted, with no small amount of irony in his voice. "Isn't
it funny that this doesn't appear to be any kind of surreptitious effort
here," he said.

The letter comes from a retired Filipino history professor; Goodman declined
to identify her. And although the Philippines is on the U.S. government's
radar screen as a potential spawning ground for Muslim-related terrorism,
Goodman said his friend is a devout Catholic and not given to supporting
such causes.

A spokesman for the Customs and Border Protection division said he couldn't
speak directly to Goodman's case but acknowledged that the agency can, will
and does open mail coming to U.S. citizens that originates from a foreign
country whenever it's deemed necessary.

"All mail originating outside the United States Customs territory that is to
be delivered inside the U.S. Customs territory is subject to Customs
examination," says the CBP Web site. That includes personal correspondence.
"All mail means 'all mail,'" said John Mohan, a CBP spokesman, emphasizing
the point.

"This process isn't something we're trying to hide," Mohan said, noting the
wording on the agency's Web site. "We've had this authority since before
the Department of Homeland Security was created," Mohan said.

However, Mohan declined to outline what criteria are used to determine when
a piece of personal correspondence should be opened, but said, "obviously
it's a security-related criteria."

Mohan also declined to say how often or in what volume CBP might be opening
mail. "All I can really say is that Customs and Border Protection does
undertake [opening mail] when it is determined to be necessary," he said.

© 2006 MSNBC Interactive

© 2006 MSNBC.com

URL: http://www.msnbc.msn.com/id/10740935/





[infowarrior] - Mobile ringtone biz goes off tune as piracy creeps in

2006-01-09 Thread Richard Forno
 Mobile ringtone biz goes off tune as piracy creeps in
http://www.blonnet.com/2006/01/09/stories/2006010903370100.htm

Nithya Subramanian
Thomas K. Thomas

New Delhi , Jan. 8

PIRACY is almost synonymous with the music industry and now it is creeping
into the flourishing mobile ringtone segment. Chartbusting music downloads
may be bringing in lots of moolah for mobile operators. However, the music
industry is now crying foul over the growing number of illegitimate
downloads and under-reporting at various levels in the chain of content
owners, aggregators, handset dealers and operators.

Highlighting the menace, Mr Vipul Pradhan, Chief Executive Officer,
Phonographic Performance Ltd (PPL) - the licensing arm of the Indian music
industry with 127 member companies, told Business Line, Until now, the
telecom industry has been legitimately paying for the music offered in the
form of ringtones and caller tunes.

But in recent months, piracy has crept into this business as well.

There is copyright violation with shops selling high-end phones with bundled
content. Some of this content is illegal as neither permission is taken nor
royalty paid.

Mobile operators, however, said that piracy is not happening at their end.

There can be no way that any illegal downloads are happening from our
servers as we keep an account for billing purposes. But there could be leaks
at other levels in the chain, said a Delhi-based operator.

Forward-lock: Royalty is paid for the first download of ringtone, which is
then passed on to other users free of cost. Mr Pradhan said, Operators must
devise a method to lock forwarding on ringtones.

PPL has found out that piracy is also happening at the handset retailers'
end.

These retailers offer free ringtones bundled with the phone without paying
any royalty. Similarly, some pre-loaded micro-chips have also entered the
market.

Under-reporting: Mr Pradhan said the quantum of music downloads is also
being under-reported. Ringtone royalties are actually collected by companies
known as aggregators such as Yahoo and Indiatimes. They convert songs into
digital formats for playing on mobile phones and charge a fee. They give the
royalties to the music companies and the performing rights society for
distribution.

According to PPL, mobile operators in India are retaining a higher share of
the revenues from music downloads.

While in some countries, operators keep only 10 per cent of the revenue, in
India, it is as high as 50-60 per cent.

Music in telecom is estimated to be a Rs 150-crore market in India.

The global ringtone market is forecast to grow to $5.2 billion in 2006, and
ringtones now account for over 10 per cent of the $32.3-billion worldwide
music market.






[infowarrior] - Qwest Says It Can Charge You If Your Computer Spams Anyone

2006-01-09 Thread Richard Forno
(c/o IP list)


From: Brett Glass [EMAIL PROTECTED]
Date: January 6, 2006 10:30:22 PM EST

Not long ago, Qwest tried to foist upon its customers an agreement
allowing the details of their telephone calls -- Customer Proprietary
Network Information, or CPNI -- to be sold to all comers.

Well, it's now at it again -- this time, with its DSL service.

Users of Qwest's DSL service recently received a letter announcing that the
FCC had allowed its terms of service -- formerly dictated by a tariff -- to
be dictated by an agreement published on Qwest's Web site.

I guess that they expect most users not to look up the document, because
it's an interesting one.

The fine print of the agreement, which can be found at

http://www.qwest.com/legal/highspeedinternetsubscriberagreement/
High_Speed_Internet_Subscriber_Agreement__12_20_05_-5.pdf

prohibits, among other things, the use of a DSL line by a business to
provide a wireless hotspot for its customers. It also prohibits all users
from setting up servers -- even if they've ordered static IP addresses for
the express purpose of setting up, for example, a VPN server to let them
into their own networks. (See Section 7(a) of the agreement.)

Tellingly, these restrictions apply EVEN IF QWEST IS NOT THE PROVIDER OF THE
INTERNET BANDWIDTH OR SERVICE FOR THE DSL LINE. Yes, that's right: even if
Qwest is merely providing the line, and your Internet service is coming from
a third party ISP which wants to sell you bandwidth for the purpose of
running a server or a hotspot, you can't.

The agreement also states that the user agrees to be liable for $5.00 for
each spam message sent from his or her machine... EVEN IF HIS OR HER MACHINE
WAS TAKEN OVER BY A WORM OR SPYWARE, which is all too common in these days
of massive security holes in consumer operating systems.

There are other onerous provisions as well.


This might be a good source of business for our small wireless ISP, which is
always looking for clients who are disgruntled with Qwest. (We got a new
customer this week: a business which saw the agreement and decided to use
our wireless instead. That's how we found out.) But it's not cricket for an
ILEC not only to impose such onerous terms unilaterally, but to impose them
upon the customers of third party ISPs.

Are other ILECs doing similar things?





[infowarrior] - TV to iPod, PSP conversion tools spill onto the market

2006-01-09 Thread Richard Forno
Original URL: 
http://www.theregister.co.uk/2006/01/09/faultline_ipod_psp_content/
TV to iPod, PSP conversion tools spill onto the market
By Faultline
Published Monday 9th January 2006 11:22 GMT

It's been difficult to predict how Apple will continue to develop the video
iPod, given that it had such a poor start in signing up so little content
for the device.

Now, it's barely a few days into the New Year and already there are
appearing handfuls of software tools for putting "personal copy" video onto
not just the iPod, but also onto the Sony PlayStation Portable (PSP).

As far as we can work out, none of these methods, with the possible
exception of the TiVo to iPod/PSP software in TiVoToGo, launched late last
year, carries any form of copy protection, and they all rely on unprotected
free to air TV content being transferred to the world's two most popular
portable digital devices.

Last week video portal Blinkx copied the TiVo naming convention and launched
blinkx.tv To Go, a tool to place video blogs onto iPods.

blinkx.tv To Go enables users to enter a search of video blogs, and either
upload specific results to their iPod or portable video player, or save the
search as a "channel," which is automatically updated and fed to their iPod,
or other portable device.

Additionally four other US companies, Hauppauge Computer Works, InterVideo,
Proxure and Bling Software have launched products this week that do
something similar, mostly citing the Video iPod, but all able to work just
as well targeting the Sony PSP.

There are no official numbers for Apple Video iPods, but it is a certainty
that Sony has shipped more PSPs with video capability because all PSPs are
video capable, whereas only a small percentage of iPods can operate with
video.

Hauppauge Computer Works released a new extension of its Wing software, sold
for $24.95, which works with its PC-based personal video recorder. The
software previously took live TV shows, recorded them in H.264 and DivX
formats, burning them to recordable DVDs.

Now customers can opt for copying them to an iPod or PSP, both of which are
H.264 compliant.

InterVideo added a new version of its DVD Copy software for $70, again able
to convert video files for the iPod, Sony PSP and many 3G cell phones, while
Proxure launched MyTV ToGo, a $30 application which transfers TV shows
recorded for a Microsoft Windows Media Center PC to Apple's video iPod.

The Bling product, XcopyPod, transfers existing DVD movies to an Apple video
iPod.

What all of this does is sway the hand of Apple. For as long as there is no
copy protection on normally transmitted TV content, then making personal
copies with VHS players, DVD recorders and of course Video iPods and PSPs,
is perfectly legal. While there are moves afoot to make this illegal in the
US, by means of a broadcast flag, it is unlikely that this legislation, if
passed in the US, would ever find its way into European or Asian copyright
laws.

The upshot of this is that any business models that rely on "selling" copies
of previously televised TV shows, such as Apple's sale of "Lost" and
"Desperate Housewives," are doomed to failure. Why pay for that content when
it can be extracted for free? There is a wealth of difference between what
Apple is doing as far as the content companies are concerned, because it
places the content under the protection of its Fairplay DRM. These other
methods leave content unencrypted and in the clear, a potential source for
internet piracy.

But from the point of view of the consumer, the free personal copies versus
the paid personal copies are going to mean that Apple will sell iPods, but
not sell much content. Instead it may have to take on a strategy closer to
Sony's and negotiate for high value film content on iTunes which is not
widely available via broadcast, because it is protected by conditional
access systems and still in their pay per view video window.

In the meantime Apple and Disney this week said they will expand their iPod
content sales partnership to include ESPN, ABC Sports and ABC News, selling
programs for $1.99 each from Apple's iTunes store.

Apple already sells programming from Disney's ABC, including just shown
episodes of Desperate Housewives, and Lost.

Copyright © 2005, Faultline
(http://www.rethinkresearch.biz/about.asp?crypt=%B3%9C%C2%97%8B%80)





[infowarrior] - IRS Said to Improperly Restrict Access

2006-01-09 Thread Richard Forno
IRS Said to Improperly Restrict Access
http://www.guardian.co.uk/worldlatest/story/0,1280,-5532353,00.html

Sunday January 8, 2006 10:02 PM

By MICHAEL J. SNIFFEN

Associated Press Writer

WASHINGTON (AP) - The Bush administration has illegally stopped making
public detailed tax enforcement data, which has been used to show which
kinds of taxpayers get the most and toughest audits, a noted tax researcher
says.

Syracuse University Professor Susan B. Long said in papers filed in U.S.
District Court in Seattle late last week that since Nov. 1, 2004, the
Internal Revenue Service has violated a 1976 court order requiring the
release of the data.

IRS spokesman Terry Lemons responded Friday, ``We do not believe we are in
violation of the court order.''

Long, who has researched and written about federal tax administration for
more than 30 years, used the Freedom of Information Act to win the court
order in 1976 directing the revenue agency to provide her regularly with its
data on criminal investigations, tax collections, the number and hours
devoted to audits by income level and taxpayer category and other
enforcement records.

Since 1989, her FOIA requests have been submitted by the Transactional
Records Access Clearinghouse, a data-research organization at Syracuse of
which she is co-director.

TRAC has used the records to report in 2000 that the Clinton administration
was auditing poor people at a higher rate than rich people and in 2004 that
business and corporate audits were down substantially and criminal tax
enforcement was at an all-time low. TRAC also reported that in fiscal
2002-2004 IRS audited on average only a third of the largest corporations,
which control 90 percent of all corporate assets and 87 percent of all
corporate income.

The 1976 court order listed 38 types of IRS reports, including five produced
quarterly, that Long was entitled to receive ``promptly'' and regularly
under the Freedom of Information Act. The court said IRS must continue to
make the same statistical data contained in the listed reports available
without charge in future years ``regardless of the format ... hereafter
compiled.''

Despite filing regular FOIA requests for the material, the last data Long
received arrived Nov. 1, 2004 and covered only the first six months of
fiscal year 2004, through March, 2004, she said in an interview.

``They really shut down access,'' she said. Although the original court
order covers some data compiled every three months, Long said in recent
years she had shifted mainly to requesting annual data compilations.

But when IRS stopped releasing the data, Long shifted first to six-month,
then nine-month, and finally monthly requests ``because that's how they
compile that data'' - all without success.

``For years, TRAC requested data on an annual basis from the IRS,'' agency
spokesman Lemons said. ``The IRS voluntarily gave TRAC an enormous amount of
data beyond what we routinely release to the public, outside of the FOIA
process.''

But he said TRAC shifted in June 2004 to seeking data monthly. ``These were
much broader and sweeping requests than TRAC previously sought, with many of
the requested data sets not normally gathered by the IRS'' since it
reorganized in 2000 from geographic divisions to taxpayer-category
divisions.

Lemons said ``the IRS continues to provide annual data to TRAC - just as it
has done for years.'' As evidence he cited a report TRAC issued in April
2005, but that report only contained data through March 2004, which is the
last data set Long said she received.

Lemons acknowledged the court order ``is still in effect. Nobody disputes
that.'' But he said the agency cannot find copies of the reports from the
1970s listed in the court order to determine exactly which data Long is
entitled to. She replied that record retention rules require IRS to keep
historical copies of its manual, which describes each record.


On the Net:

TRAC documents: http://trac.syr.edu/foia/

IRS: www.irs.gov 





[infowarrior] - Slate: Microsoft vs. Computer Security

2006-01-09 Thread Richard Forno
Microsoft vs. Computer Security
Why the software giant still can't get it right.
By Adam L. Penenberg
Posted Monday, Jan. 9, 2006, at 1:10 PM ET
http://www.slate.com/id/2133993/

Four years ago, Bill Gates dispatched a companywide e-mail promising that
security and privacy would be Microsoft's top priorities. Gates urged that
new design approaches must dramatically reduce the number of
security-related issues as well as make fixes easier to administer.
Eventually, he added, our software should be so fundamentally secure that
customers never even worry about it.

Microsoft customers haven't stopped worrying. A year later, Windows was hit
with several nasty worms, including Slammer, Sobig, and Blaster. The viruses
caused major traffic bottlenecks throughout the world, which cost tens of
billions of dollars to clean up. Vulnerabilities deemed critical have
forced the company to release an almost unending stream of patches and fixes
to the Windows operating system, Microsoft Office, and Internet Explorer.

Just last week, another problem reared its head - a security hole that could
allow Windows users to become infected with adware, spyware, or viruses by
simply viewing an e-mail, instant message, or Web page. When Microsoft
dragged its heels on issuing a patch, the SANS Institute, an organization
that tracks security threats, took the extraordinary step of recommending
that users download an unofficial patch developed by a Russian programmer.
(Microsoft had planned to release its fix on Jan. 10, but ultimately bowed
to pressure and issued it five days earlier.)

With the company's security problems still monopolizing the news, you might
have expected that Bill Gates would address the vulnerability at the
Consumer Electronics Show in Las Vegas. Instead, he boasted how Microsoft's
new operating system, Vista, would extend the company's tendrils into your
living room. Sure, it might be nice to connect your computer and your
television set. But is it worth it to give hackers access to your
television?

SANS' list of the Top 20 most threatening security vulnerabilities includes
products from Oracle, Apple, Cisco, Mozilla, and even anti-virus software
vendors. But Microsoft is still the dominatrix of the desktop and runs about
90 percent of the world's computers, making it the biggest target for
hackers, crackers, pirates, and thieves. Microsoft's security problems run
much deeper than just being the most popular, though, and that is why many
computer security pros despise Microsoft.

While the company claims that Vista will be more secure against hack
attacks, the computer security professionals I talked to are skeptical. We
hear this each and every time Microsoft comes out with a new operating
system, says Brian Martin, an independent computer security consultant. It
is still built on the same legacy code, it is still written without adhering
to secure coding practices, it is still thrown to the masses without
adequate security testing.

Richard Forno, a principal consultant for KRvW Associates and a former
senior security analyst for the House of Representatives, believes that
Microsoft is a threat to national security. The White House, Congress, and
Department of Defense all run Windows and send and receive e-mail on MS
Exchange Server - exploitable Microsoft products that offer a target-rich
environment for malicious code.

Case in point: buffer overflow attacks, a popular technique for exploiting
Microsoft products. By flooding a program with too much data, a hacker can
track and manipulate the overflow and trick the system into following his
instructions as if he were the system administrator. The technique has been
known for decades, yet Microsoft still hasn't come up with a way to defend
against it. Although Oracle, Linux, UNIX, and even Apple iTunes have fallen
prey to buffer overflow attacks, the number that have afflicted Microsoft
products far outstrips them.

Buffer-overflow vulnerabilities are simply programming errors; they occur
when coders fail to deploy proper memory-management techniques. When
Microsoft shipped XP and its 50 million lines of code in 2001, it claimed it
was the most secure operating system it had ever developed and that the
company had paid special attention to buffer overflows. Within two months,
researchers at eEye Digital Security found a hole in the code that left it
vulnerable to buffer overflows - and the operating system has been plagued
with these holes ever since.

Security consultant A.J. Reznor points out that every major worm other than
the original Morris Worm from 1988 has leveraged a hole in Microsoft
products. Reznor refuses to work with Microsoft products but still actively
loathes the company because his network becomes saturated with crap flying
out of [Windows] machines. Spammers route their junk through MS machines
infected with a trojan - a harmful computer program disguised as an innocuous
one - that turns these machines into zombies. Even if we don't use them, we
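
The article's buffer-overflow paragraph says the defect is a memory-management error in the program itself but never shows what that error looks like. The C listing below is an added example, not code from the Slate article, from Microsoft or from any product named in it: it puts the unchecked copy into a fixed-size buffer beside a bounded copy that measures the input first and rejects anything that does not fit. The function names, the NAME_MAX size and the sample inputs are constructed for the illustration.

```c
/* Added example, not code from the Slate article or from Microsoft: the
 * programming error the article calls a buffer overflow, an unchecked copy
 * into a fixed-size buffer, next to a bounded copy that refuses input that
 * does not fit. Function names, NAME_MAX and the sample inputs are
 * constructed for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* bytes available for the name, including its NUL */

/* The defect: strcpy copies until it finds a NUL in the source, so any
 * input of NAME_MAX or more bytes writes past the end of `name`. Kept here
 * only as the "before" picture; nothing in this file calls it with input
 * that does not fit. */
void copy_name_unsafe(char name[NAME_MAX], const char *input)
{
    strcpy(name, input);          /* no length check */
}

/* The fix: measure the input against the buffer before touching it, never
 * scan past NAME_MAX bytes of the source, and signal rejection instead of
 * truncating silently (silent truncation can itself break later parsing). */
bool copy_name_safe(char name[NAME_MAX], const char *input)
{
    size_t len = 0;
    while (len < NAME_MAX && input[len] != '\0')
        len++;
    if (len == NAME_MAX) {        /* no NUL within the buffer's capacity */
        name[0] = '\0';
        return false;
    }
    memcpy(name, input, len + 1); /* len + 1 <= NAME_MAX, NUL included */
    return true;
}

/* Helpers that exercise the bounded copy on a local buffer and return a
 * checkable result rather than printing it. */
bool name_fits(const char *input)
{
    char name[NAME_MAX];
    return copy_name_safe(name, input);
}

size_t stored_len(const char *input)
{
    char name[NAME_MAX];
    copy_name_safe(name, input);
    return strlen(name);
}

int main(void)
{
    /* Constructed inputs: one that fits and one that is exactly one byte
     * too long for the buffer once the NUL is counted. */
    const char *ok = "alice";
    const char *too_long = "sixteen_chars_xx";   /* 16 bytes + NUL = 17 */
    char name[NAME_MAX];

    copy_name_unsafe(name, ok);   /* looks fine on short input, which is
                                     why the defect survives casual testing */
    printf("unsafe copy of \"%s\": %s\n", ok, name);
    printf("safe copy of \"%s\": %s\n", ok,
           copy_name_safe(name, ok) ? "accepted" : "rejected");
    printf("safe copy of \"%s\": %s\n", too_long,
           copy_name_safe(name, too_long) ? "accepted" : "rejected");
    return 0;
}
```

The point of the bounded version is that the length check happens before any write and the scan of the source is itself capped at NAME_MAX, so neither the copy nor the measurement can run past the buffer; returning false rather than truncating keeps the caller aware that input was refused.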

[infowarrior] - Adobe snaps up document security tools

2006-01-09 Thread Richard Forno
Adobe snaps up document security tools

By Alorie Gilbert
http://news.com.com/Adobe+snaps+up+document+security+tools/2100-1012_3-60246
74.html

Story last modified Mon Jan 09 11:22:00 PST 2006

Adobe Systems is adding new document protection mechanisms to its business
workflow software with an acquisition announced on Monday.

The company has acquired FileLine Digital Rights Management software from
privately-held Navisware, based in Raleigh, N.C., for an undisclosed sum.
The copy-restriction program is designed to guard business files, especially
engineering documents, from intellectual property thieves.

Adobe, based in San Jose, Calif., plans to incorporate the program into its
LiveCycle Document Services software, a line of server software for updating
and routing PDF documents. In addition to safeguarding Adobe PDF files, the
FileLine program is also designed to protect Microsoft Office and
computer-aided design documents, the company said.

The newly bought software helps businesses restrict how, when and who can
use such documents. It also features an audit log that shows everyone who
has accessed documents and indicates improper usage or disclosure. The
program enables version control, to prevent the distribution of outdated
documents, as well.

Adobe has continually added new capabilities to LiveCycle, a key product in
its effort to increase sales to businesses and compete with Microsoft and
IBM on that front. Adobe updated the product in September with workflow
design technology it purchased in 2004.

By adding document protection for Microsoft Office files to its bag of
tricks, Adobe encroaches further upon Microsoft's turf. The company's recent
acquisition of Macromedia, which makes Web application development tools,
has also intensified that rivalry.

The company plans to complete its integration of FileLine into LiveCycle
Document Services by the end of the year. LiveCycle Document Services
starts at $65,000 per server. Adobe has not yet disclosed pricing for the
FileLine product.






[infowarrior] - More on Google's friendlier DRM for video

2006-01-09 Thread Richard Forno

http://thomashawk.com/2006/01/ces-day-four-google-video-kinder-more.html

The big Google distinction between how they will offer their pay downloads
vs. the other guys is that Google is going to actually let you download your
paid download files on to your computer and then allow you total control
over the file. Want to copy it to your laptop? No problem. To your portable
device? Hey, it's your file, you paid for it, why not. Of course you can't
just allow people free and easy access with no controls or the content
providers would not license their content. How then does Google secure their
paid downloads? By using a log-on authentication system. Basically you will
download the new Google proprietary media player with secret and proprietary
codecs and it will play all of your video for you. Basically when you want
to view your content anywhere, any device, any time, you'll just
authenticate with your user ID and password and be able to play your
previously downloaded free and purchased video.

Google will of course monitor log ons and passwords for abuse (i.e. you give
your Google video files to 100 of your friends along with your user name
and password). This does seem like a nicer approach to the necessary evil of
DRM. The only thing that I'm not crazy about is that the files will be in
gvi format which is Google proprietary and I'd assume after building up a
nice library there could be a chance that they change the rules on you, but
nah, a non-evil company would never do that. Would they?





[infowarrior] - Microsoft to hunt for new species of Windows bug

2006-01-09 Thread Richard Forno
Microsoft to hunt for new species of Windows bug

By Joris Evers
http://news.com.com/Microsoft+to+hunt+for+new+species+of+Windows+bug/2100-1002_3-6024778.html

Story last modified Mon Jan 09 12:48:00 PST 2006

Microsoft plans to scour its code to look for flaws similar to a recent
serious Windows bug and to update its development practices to prevent
similar problems in future products.

The critical flaw, in the way Windows Meta File images are handled, is
different than any security vulnerability the software maker has dealt with
in the past, Kevin Kean and Debby Fry Wilson, directors in Microsoft's
Security Response Center, said in an interview with CNET News.com. Typical
flaws are unforeseen gaps in programs that hackers can take advantage of and
run code. By contrast, the WMF problem lies in a software feature being used
in an unintended way.

In response to the new threat, the software company is pledging to take a
look at its programs, old and new, to avoid similar side effects.

"Now that we are aware that this attack vector is a possibility, customers
can be certain that we will be scrubbing the code to look for any other
points of vulnerability based on this kind of attack," Fry Wilson said.

Microsoft has been working for years to improve its security posture,
beginning with its Trustworthy Computing Initiative, launched in early 2002.
The WMF problem is not a good advertisement for Microsoft's security
efforts, one analyst said, as the legacy issue seemingly went undetected.

"This should have been caught and eliminated years ago," Gartner analyst
Neil MacDonald said. "They overlooked image format files, and that is where
this WMF issue came in."

Microsoft now faces a race with cybercriminals, who are likely on the prowl
for the same bugs as well, experts said. The software maker is in a constant
battle with miscreants who seek to attack computer users.

When WMF files were designed in the late 1980s, a feature was included that
allowed the image files to contain computer code that could be executed on a
PC, said Mikko Hypponen, the chief research officer at Finnish security
company F-Secure.

"This was not a bug, this was something that was needed at the time,"
Hypponen said. "It is just bad design, design from another era," he said.
The graphics file format was introduced with Windows 3.0 in early 1990.
Executable code in the image file could help abort the processing of large
images on the slow systems of yesteryear, experts said.

Ilfak Guilfanov, a European software developer who made headlines by beating
Microsoft to the punch with a fix for the Windows flaw, agreed. "WMF was
designed a long time ago, when information security was not considered an
essential part of software design," he said.

Trojan horses, instant messaging worms and thousands of Web sites were found
to attack users with specially crafted WMF files. A vulnerable Windows
computer might be compromised simply if the user visits a Web site that
contains a malicious image file, or opens such a file in an e-mail message
or an Office document.

Many of the attacks installed spyware or other unwanted programs on the PCs
of unwitting Windows users. At least a million computers were compromised,
according to Andreas Marx, an antivirus software specialist at the
University of Magdeburg in Germany. The WMF issue is also expected to be a
conduit for many future threats, experts have said.

Response speed
Microsoft's fix for the flaw was the quickest turnaround ever for a
Microsoft patch, released only 10 days after the vulnerability was made
public, Fry Wilson said.

While Microsoft was able to repair the problem in record time, the company
was surprised by the type of vulnerability.

"It is not a common buffer overflow," Kean said. "The software has a
behavior that people can take advantage of. Obviously we did not intend it
to be used in that way."

Microsoft has learned from the WMF flaw and will put the lessons into
practice, Fry Wilson said. The software maker will update its Security
Development Life Cycle, a set of practices that Microsoft's developers
follow to prevent security vulnerabilities in products. The process includes
the software maker's threat-modeling system, which checks code for potential
security problems.

"This kind of threat has not been anticipated before," Fry Wilson said. "We
will be revising that information in the SDL process and redoing the
threat-modeling system to make sure we are looking for this kind of attack
or anything similar to it."

Microsoft should have already been hunting for this type of design problem,
MacDonald said. "I would have expected the SDL to already include data file
formats. It should be a basic part of any security life cycle," he said.

As part of its development process, Microsoft looks for a number of common
mistakes developers can make. These mistakes can turn into security problems
and allow 

[infowarrior] - Even more -- More on Google's friendlier DRM for video

2006-01-09 Thread Richard Forno

-- Forwarded Message
From: matthew patton [EMAIL PROTECTED]
Date: Mon, 9 Jan 2006 15:32:03 -0800 (PST)

IMO it makes a whole LOT more sense to use totally standard encoding
schemes but just encrypt the file. Of course nothing is ever not going
to get broken but seems to me a 'loadable module' could be made for MS'
media player, iTunes, VLC etc. Or have a very small Google Opener
binary that asks for credentials, decrypts the stream, launches the
standard commercial player of choice and sends the decrypted output to
a file-handle or pipe. I'm sure there is something akin to the
Digital-Analog-Digital problem here too but  does it really matter?
NOTHING will ever deter those with so much time on their hands that
they will do anything to rip for-pay content. And NOTHING will ever
stop those who likewise have so much time on their hands as to go look
for ripped content from getting it.

Personally, I think it's high time the entertainment industry get it
through their heads that what they produce is so unimportant and
worthless it should be priced accordingly. An episode of a TV show is
worth just about nothing. So it should cost the viewer about nothing.
The only ones who actually think there is value in it are advertisers.
And that will approach zero as the percentage of people who punch
triple-fast forward on their DVRs perfect their key-press timing.

In some respects, if $50/mo buys you 300 channels on cable then that's
like 0.02 cents a show. And if I put the show on the DVR, it can be
replayed for different people over and over again with no additional
income for the studios. Price it at 10 cents and not only do you get
500x the income than derived from cable, but you get the chance to
charge it for each and every showing because Dave with his iPod will
download a copy, and Steve will put the show on his laptop too. They'll
probably watch it once, or twice then delete it. When Steve says hey
Jen you gotta see the latest LOST he could hand her a burned DVD, do
the Laplink, or give her a USB drive. And yes, a 'sale' would be lost.
But Jen could just as easily want to download it herself to a device of
her choice. Chalk up another sale.

I don't know why the cable/ISP companies don't become the DVR in the
sky. Pay the $10/mo and download every show I care to to my computer
or lacking that a set-top box which is actually nothing more than a
computer anyway. Every customer that downloads a file becomes a torrent
peer. Seems silly to me to have Comcast, BabyBells, RoadRunner et al.
all running fibre/copper alongside each other. Why dig up that street N
times when once should have been enough? Why should the physical plant
be a service differentiator? Maybe it should be like water mains and
electricity lines - run by the municipality? I get the feeling the
whole notion of wires is quickly going away, anyway.






[infowarrior] - Security flaws on the rise, questions remain

2006-01-09 Thread Richard Forno
http://www.theregister.co.uk/2006/01/09/computer_security_flaws_on_the_rise/
Security flaws on the rise, questions remain
By Robert Lemos, SecurityFocus
Published Monday 9th January 2006 21:38 GMT

After three years of modest or no gains, the number of publicly reported
vulnerabilities jumped in 2005, boosted by easy-to-find bugs in web
applications. Yet, questions remain about the value of analyzing current
databases, whose data rarely correlates easily.

A survey of four major vulnerability databases found that the number of
flaws counted by each in the past five years differed significantly.
However, three of the four databases exhibited a relative plateau in the
number of flaws publicly disclosed in 2002 through 2004. And, every database
saw a significant increase in their count of the flaws disclosed in 2005.

A few common themes emerged from the data as well. In 2005, easy-to-find
flaws in web applications were likely responsible for the majority of the
increase, the database managers said in interviews with SecurityFocus.
However, some of the increase came from a doubling in the number of flaws
released by large software companies.

"The most important, and perhaps obvious, lesson is that the software flaws
are here to stay," said Peter Mell, a senior computer scientist for the
National Institute of Standards and Technology (NIST) and the creator of the
National Vulnerability Database (NVD) (http://nvd.nist.gov/), one of the
four databases surveyed.

"The problem of people breaking into computers is not going away any time
soon," Mell said. "There are certainly more patches every year that system
administrators need to install, but the caveat is that more vulnerabilities
seem to apply to less important software."

Vulnerability databases are coming of age. In 2005, NIST created the
National Vulnerability Database (http://www.securityfocus.com/news/11278)
and software makers and security service providers have cooperated to create
the Common Vulnerability Scoring System (CVSS)
(http://www.securityfocus.com/news/10541), a standardized measure of the
severity of software flaws. The National Vulnerability Database completed
scoring flaws (http://www.securityfocus.com/news/11360) in its database
using the CVSS in late November. While auctions of vulnerability research
have not taken off (http://www.securityfocus.com/news/11364), two companies
now buy vulnerability information (http://www.securityfocus.com/news/11253)
from flaw finders.

Four databases were surveyed: The Computer Emergency Response Team (CERT)
Coordination Center's database, the National Vulnerability Database (NVD),
the Open-Source Vulnerability Database (OSVDB), and the Symantec
Vulnerability Database. (SecurityFocus is owned by Symantec.)

The number of flaws cataloged by each database in 2005 varied widely,
because of differing definitions of what constitutes a vulnerability and
differing editorial policy. The OSVDB (http://www.osvdb.org/) - which
counted the highest number of flaws in 2005 at 7,187 - breaks down
vulnerabilities into their component parts, so what another database might
classify as one flaw might be assigned multiple entries. SecurityFocus
(http://www.securityfocus.com/bid) had the lowest count of the
vulnerabilities at 3,766.

The variations in editorial policy and lack of cross-referencing between
databases as well as unmeasurable biases in the research community and
disclosure policy mean that the databases - or refined vulnerability
information (RVI) sources - do not produce statistics that can be
meaningfully compared, Steve Christey, the editor of the Common
Vulnerability and Exposures (CVE) (http://cve.mitre.org/), wrote in an
e-mail to security mailing lists
(http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0135.html) on
Thursday. The CVE is a dictionary of security issues compiled by The MITRE
Corp., a government contractor and nonprofit organization.

"In my opinion, RVI sources are still a year or two away from being able to
produce reliable, repeatable, and comparable statistics," he wrote. "In
general, consumers should treat current statistics as suggestive, not
conclusive."

Recent numbers produced by the U.S. Computer Emergency Readiness Team
(US-CERT) revealed some of the problems with refined vulnerability sources.
Managed by the CERT Coordination Center, the US-CERT's security bulletins
outline security issues but are updated each week. In a year end list
published last week, the US-CERT announced that 5,198 vulnerabilities had
been reported in 2005. Some mainstream media outlets noted the number
(http://blogs.washingtonpost.com/securityfix/2005/12/uscert_5198_sof.html),
compared it to the CERT Coordination Center's previous data - which is
compiled from a different set of vulnerability reports - and concluded there
was a 38 per cent increase in vulnerabilities in 2005 over the previous
year.

In fact, discounting the updated reports resulted in a 41 per cent decrease
to 3,074 vulnerabilities, 

[infowarrior] - Myspace.Com Users Revolt Against Fox

2006-01-08 Thread Richard Forno
'Get out of MySpace', bloggers rage at Murdoch
By Nicholas Wapshott in New York
Published: 08 January 2006
http://news.independent.co.uk/business/news/article337149.ece

Angry members of MySpace, the personal file-sharing website for young
adults, are accusing Rupert Murdoch's News Corporation of censoring their
postings and blocking their access to rival sites.

The 38 million subscribers to MySpace, which News Corp bought for $629m
(£355m) last July, discovered that when they wrote to each other about rival
video-swapping site YouTube, the words were automatically deleted, and
attempts to download video images from YouTube led to blank screens.

The intervention by News Corp in the traditionally open-access world of the
web - in particular the alteration of personal user profiles - provoked a
storm of angry posts in online blogs.

"This is s like Fox and News Corp to try and secretly seal our mouths
with duct tape," wrote Alex to Blog Herald.

The protests gathered pace, and when 600 MySpace customers complained and a
campaign began to boycott the site and relocate to rival sites such as
Friendster, Linkedin, revver.com and Facebook.com, News Corp relented and
restored the links.

However, MySpace managers promptly shut down the blog forum on which members
had complained about the interference. An online notice said the problem was
the result of a simple misunderstanding.

The explanation did not, however, calm the bloggers. "There was an outcry by
some members after MySpace's acquisition by News Corp. People were afraid
they might start monitoring or censoring MySpace," Ellis Yu wrote to the
Blog Herald. "At the time, their CEO said nothing like that would happen.
Well, now it has. MySpace was built on an open community and now they're
trying to censor us, putting business interests above its members!"

"MySpace is supposed to be a personal forum!" wrote makisha at the blog
site Supr.c.iliu.us. "Now it's owned by some corporation and it's being
sensored [sic]! The beauty of it has been ruined. Better wise up MySpace or
you're going to loose [sic] a good portion of your subscribers."

A spokesman for MySpace said it would not explain how the blocking of
YouTube came about, nor how it was resolved, nor whether in future it would
continue to block links to rival websites or censor messages between MySpace
customers.

Mr Murdoch, 74, last week appointed 33-year-old Jeremy Philips to run News
Corp's internet strategy and armed him with a $1bn fund to buy more sites.





[infowarrior] - Microsoft blocking MP3s on Verizon Wireless phones?

2006-01-08 Thread Richard Forno
Microsoft blocking MP3s on Verizon Wireless phones?
http://engadget.com/2006/01/07/microsoft-blocking-mp3s-on-verizon-wireless-phones/
Posted Jan 7th 2006 11:27AM by Barb Dybwad

So there seems to be some fallout from Verizon's music download service --
users who choose to upgrade their handsets to support the Verizon Wireless
music store are doing so at a tradeoff: you'll no longer be able to play
MP3s on your phone. The new phone software prevents you from playing MP3s on
the phone as a result of an agreement Verizon Wireless made with Microsoft,
the latter of whom stipulated that if the Verizon Wireless music store was
gonna fly at all, MS wanted to make sure that phones using it could only
play back Microsoft's audio format. Supposedly there is an internal memo
floating around at VZW Wireless saying that if anyone complains about the
new featureset, they'll be given a refurbished phone with older firmware
to correct the problem -- but that users aren't being warned ahead of
time that they'll lose MP3 playing functionality by upgrading their phones.
Very tricksy, guys, very tricksy! You know, if the customer didn't always
come first with these big corps we'd really be in trouble, folks.





[infowarrior] - Link to CRS Report on Domestic Surveillance

2006-01-08 Thread Richard Forno

Jan 5, 2006
Presidential Authority to Conduct Warrantless Electronic
Surveillance to Gather Foreign Intelligence Information

http://www.opencrs.com/document/M20060105





[infowarrior] - NAS warns DOD about loss of PCB industries

2006-01-06 Thread Richard Forno
(c/o Anonymous)


http://www.manufacturingnews.com/news/06/0104/art1.html

National Academies of Sciences Panel Tells DOD It Is Vulnerable To Loss Of
Circuit Board Industry; Half The PCB Industry Workforce Has Vanished

BY RICHARD McCORMACK [EMAIL PROTECTED]

The rapid decline of the U.S. printed circuit board industry should be
raising red flags and a plan of action at the Pentagon, according to a new
report from the National Research Council. With U.S. production projected
to fall below 10 percent of world output (down from 42 percent in the mid
1980s), the military could soon be facing a crisis in finding U.S.
companies capable of producing highly sophisticated circuit boards and
assemblies for weapons systems needed to field a netcentric military
force, says the report entitled Manufacturing Trends in Electronics
Interconnect Technology.

The diminution of the printed circuit board (PCB) industry raises
fundamental questions as to how the Defense Department is going to handle
technology development and assurance of supply in a global economy. "The
dynamics are huge," says one member of the NRC committee investigating the
industry. "DOD is caught looking at problems that are bigger than
defense."

Among the larger questions raised by the decline of the PCB industry: Can
there be innovation in the defense electronics sector without a robust
manufacturing base, as electrical engineers and designers move offshore?
Should the Defense Department fund R&D if there is no U.S. production base
for the application of the resulting innovation?

Says David Berteau, chair of the NRC Committee that produced the report:
"The message is that you need to wrestle with the big picture, but we
should not wait until we have all the answers before we begin addressing
the most critical industries."

The NRC committee spent a year assessing the state of the printed circuit
board industry and its impact on DOD. It recommends that DOD affirm its
critical dependence on the industry; that it start an assessment of its
economic health by collecting data; and that it increase support for the
few national PCB research facilities that do exist. "The threat potential
posed to overall defense capabilities by lack of access to high-quality
trusted PCB component technology will require a more specialized
assessment for understanding how best to use DOD resources to maintain and
enhance the nation's security," says the report.

"The growing divergence between commercial and military applications for
interconnects has presented a complex challenge for DOD, but it's not an
impossible task to deal with this," says committee chairman Berteau. The
Pentagon needs to know whether it is vulnerable to shortages and to such
things as Trojan horses inserted into electronic circuit boards. "You
have to answer those questions and you can't do it with piecemeal
studies," Berteau says. "You can't do it with outside groups. DOD has to
have the analytical capability and the in-house expertise to be able to
answer those questions and to make judgments on its [technological and
industrial] priorities so that the allocation of the next marginal dollar
goes to the highest and best use."

DOD cannot wait until it knows all the answers to the questions about
whether it can operate without a domestic industry. It needs to determine
which electronics industries it needs to sustain and then put in place
policies to assure there is an industrial base there to supply it. "My
view is that it's a lot easier to steer a moving car, so get in it, start
driving and make adjustments as you go," Berteau told Manufacturing
Technology News. "You need to have the big picture in mind and wrestle
with it, but to test [policy avenues] with critical, vulnerable and
threatened areas that have a fairly discrete universe like printed circuit
boards."

"The Department of Defense has no chance in fighting the economic
dynamics that are pushing the industry to China," says one member of the
NRC committee. "But the Pentagon has not invested in the sub-tiers of the
electronics industry for 10 years, and now must pony up. If you want a
specialty industry, you have to subsidize and support it and accept that
fact, and focus on the problems caused by relying on commercial
off-the-shelf components that are neither made in America nor have any
applications in military equipment."

Berteau says DOD can't expect much innovation from the small board
processors remaining in the United States -- companies that generate
between $10 and $20 million a year in revenue. "You may occasionally get a
brainstorm because there are a lot of smart people who spend their
recreational hours trying to think about new ideas," he says. "But that's
not a system; that's serendipity. If you're going to have a system that's
based upon small shops that meet only DOD or a few other industry's needs
such as medical equipment and industrial machinery, then where is that
innovation going to come from? In many cases, these industries only
require 

[infowarrior] - For Mac users.... TechTool Protege offers Mac utilities on flash drive

2006-01-06 Thread Richard Forno
 
(This product, on CD, has saved my systems numerous times..rf)

TechTool Protege offers Mac utilities on flash drive

Peter Cohen - MacCentral, Fri Jan 6, 7:54 AM ET

Micromat Inc. has introduced TechTool Protege, a new Mac OS X
troubleshooting and diagnostic tool stored on a bootable 1GB Firewire-based
flash drive. TechTool Protege is shipping now but will make its public debut
at next week's Macworld Expo in San Francisco. It costs $229.

TechTool Protege combines the latest version of Mac OS X, the latest release
of Micromat's TechTool Pro, and a drive utility called Disk Studio. With
TechTool Protege in hand, you can boot a troubled computer, run diagnostic
software, and make adjustments or repairs as necessary.

You can diagnose the condition of the target Mac's hardware, repair and
diagnose hard drive problems, optimize and defragment the drive if
necessary, rebuild volume directories, attempt to recover data, repartition
drives without losing data and more, according to Micromat.





[infowarrior] - Other government Web sites follow visitors' movements

2006-01-05 Thread Richard Forno
Government Web sites follow visitors' movements

By Declan McCullagh
http://news.com.com/Government+Web+sites+follow+visitors+movements/2100-1028_3-6018702.html

Story last modified Thu Jan 05 04:00:00 PST 2006


Dozens of federal agencies are tracking visits to U.S. government Web sites
in violation of long-standing rules designed to protect online privacy, a
CNET News.com investigation shows.

From the Air Force to the Treasury Department, government agencies are using
either Web bugs or permanent cookies to monitor their visitors' behavior,
even though federal law restricts the practice.
Chart: Federal Web tracking

Some departments changed their practices this week after being contacted by
CNET News.com. The Pentagon said it wasn't aware that its popular
Defenselink.mil portal tracked visitors--in violation of a privacy
notice--and said it would fix the problem. So did the Defense Threat
Reduction Agency and the U.S. Chemical Safety and Hazard Investigation
Board.

"We were not aware of the cookies set to expire in 2016," a Pentagon
representative said Wednesday. "All of the cookies we had set with WebTrends
were to be strictly (temporary) cookies, and we are taking immediate
action." WebTrends is a commercial Web-monitoring service.

The practice of tracking Web visitors came under fire last week when the
National Security Agency was found to use permanent cookies to monitor
visitors, a practice it halted after inquiries from the Associated Press.
The White House also was criticized last week for employing WebTrends'
tracking mechanism that used a tiny GIF image.

A 2003 government directive says that, in general, agencies are prohibited
from using Web bugs or cookies to track Web visitors. Both techniques are
ways to identify repeat visitors and, depending on the configuration, can be
used to track browsing behavior across nongovernment Web sites too.

"It's evidence that privacy is not being taken seriously," said Peter Swire,
a law professor at Ohio State University, referring to the dozens of
agencies tracking visitors. "The guidance is very clear." While working in
the Clinton administration in 2000, Swire helped to craft an earlier Web
tracking policy.

To detect which agencies engage in electronic tracking, CNET News.com wrote
a computer program that connected to every agency listed in the official
U.S. Government Manual, and then evaluated what monitoring techniques were
used. The expiration dates of the cookies detected ranged from 2006 to 2038,
with most of them marked as valid for at least a decade or two.

Many agencies appeared to have no inkling that their Web sites were
configured to record the activities of users. "When the agency set up
ColdFusion on our Web server, we set the software to its default value,"
said William Alberque, a spokesman for the Defense Threat Reduction Agency.
"The default value, as you saw, creates individual session cookies that can
last on your computer for either 30 years or until you delete them."
(ColdFusion is Adobe Systems' Web development software.)
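The two checks the article's survey program applied, a far-future cookie expiry and a 1x1 image fetched from an outside host, are easy to reproduce from a site's own responses. The script below is an added example, not CNET's program (which was never published); it runs against a constructed pair of responses whose hostnames and cookie values are placeholders, and uses the article's publication date as "now".

```python
"""Audit HTTP responses for persistent cookies and third-party web bugs.
Added example, not CNET's own program; hosts and values below are placeholders."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# A cookie that outlives the browsing session is "persistent"; one good for a
# year or more is what the article calls "permanent" (its examples ran to 2038).
PERMANENT_DAYS = 365
IMG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')


@dataclass
class CookieFinding:
    name: str
    lifetime_days: float | None   # None: session cookie (no Expires/Max-Age)
    third_party: bool             # set by a host outside the audited site


def same_site(site_host: str, host: str) -> bool:
    """First-party test (simplified): the site itself or one of its subdomains."""
    return host == site_host or host.endswith("." + site_host)


def cookie_lifetime_days(attrs: dict[str, str], now: datetime) -> float | None:
    """Lifetime from Max-Age (RFC 6265: takes precedence) or Expires; None if session."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) / 86400
        except ValueError:
            return None            # malformed Max-Age is ignored by browsers
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None            # unparseable Expires: treated as session
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return (exp - now).total_seconds() / 86400
    return None


def audit_cookies(site_host: str, response_host: str, headers: list[str],
                  now: datetime) -> list[CookieFinding]:
    """Parse each 'name=value; Attr=val' Set-Cookie header into a finding."""
    findings = []
    for header in headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        attrs = {}
        for part in parts[1:]:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
        findings.append(CookieFinding(name, cookie_lifetime_days(attrs, now),
                                      not same_site(site_host, response_host)))
    return findings


def find_web_bugs(site_host: str, html: str) -> list[str]:
    """URLs of 1x1 (or 0x0) images fetched from hosts outside the site."""
    bugs = []
    for tag in IMG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        host = urlparse(attrs.get("src", "")).hostname
        if host is None or same_site(site_host, host):
            continue
        if attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1"):
            bugs.append(attrs["src"])
    return bugs


def run_audit(site_host: str, responses, now: datetime) -> dict[str, list[str]]:
    """responses: (host, set_cookie_headers, html) for every URL the page fetched."""
    report = {"persistent": [], "permanent": [], "third_party": [], "web_bugs": []}
    for host, cookies, html in responses:
        for f in audit_cookies(site_host, host, cookies, now):
            if f.lifetime_days is not None:
                report["persistent"].append(f.name)
                if f.lifetime_days >= PERMANENT_DAYS:
                    report["permanent"].append(f.name)
            if f.third_party:
                report["third_party"].append(f.name)
        report["web_bugs"].extend(find_web_bugs(site_host, html))
    return report


# Constructed sample: the agency page sets a 30-year first-party cookie and a
# session cookie and embeds a 1x1 GIF from an analytics host, whose own
# response sets a ten-year cookie. Not captured from any real site.
SITE = "www.agency.example"
NOW = datetime(2006, 1, 5, tzinfo=timezone.utc)   # the article's date
RESPONSES = [
    (SITE, ["CFID=12345; expires=Mon, 04 Jan 2036 00:00:00 GMT; path=/",
            "SESSION=abc; path=/; HttpOnly"],
     '<html><body><p>Welcome</p>'
     '<img src="http://stats.analytics.example/dcs.gif" width="1" height="1" alt="">'
     '<img src="/seal.png" width="80" height="80"></body></html>'),
    ("stats.analytics.example", ["WT_ID=xyz; Max-Age=315360000; path=/"], ""),
]
```

Calling `run_audit(SITE, RESPONSES, NOW)` flags CFID and WT_ID as persistent and permanent, WT_ID as third-party, and the dcs.gif image as a web bug.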

Not all monitoring of Web visitors is prohibited. The 2003 directive
provides an exception for federal agencies that have a compelling need,
clearly disclose the tracking and have approval from the agency head. In
addition, the directive does not apply to state government Web sites, court
Web sites or sites created by members of Congress.

The perils of third-party cookies
Probably the most intrusive type of tracking comes from third-party cookies
set by commercial vendors. Such cookies permit correlation of visits to
thousands of Web sites. A visitor to the Pentagon's Web site could be
identified as the same person who stopped by Hilton.com and
HRBlock.com--because both of those companies are WebTrends customers.

For its part, WebTrends says it does not correlate that information. "There
are companies that tried to do that in the past and got a lot of bad public
exposure," said Brent Hieggelke, WebTrends' vice president of corporate
marketing.

We do not track cross-site traffic, Hieggelke said. We do not offer any
services that let you understand cross-domain traffic at unrelated sites at
all.

Privacy advocates tend to be leery of such third-party cookies, however,
warning that a change in company management or ownership could result in a
policy shift, or that a security breach would expose Web browsing habits.

"If WebTrends has the ability to link the White House visit to the
commercial site visit, then that does look like persistent tracking," said
Swire, the Ohio law professor. "It would be useful to have a third-party
audit of that."

Statcounter.com is another Web-statistics program, used by the Commerce
Department and the Energy Department, which also sets third-party cookies.

The Dublin, Ireland-based company says it does not correlate information
from multiple Internet sites. "We do not sell any information to third
parties," said its U.S. representative. "All we're interested in gathering
is information that 

[infowarrior] - Open Letter on the Interpretation of "Vulnerability Statistics"

2006-01-05 Thread Richard Forno
http://www.osvdb.org/blog/?p=80

Steve Christey (CVE Editor) wrote an open letter to several mailing lists
regarding the nature of vulnerability statistics. What he said is spot on,
and most of what I would have pointed out had my previous rant been more
broad, and not a direct attack on a specific group. I am posting his entire
letter here, because it needs to be said, read, understood, and drilled into
the heads of so many people. I am reformatting this for the blog, you can
read an original copy via a mail list.

--

Open Letter on the Interpretation of "Vulnerability Statistics"

Author: Steve Christey, CVE Editor
Date: January 4, 2006

As the new year begins, there will be many temptations to generate, comment,
or report on vulnerability statistics based on totals from 2005. The
original reports will likely come from publicly available Refined
Vulnerability Information (RVI) sources - that is, vulnerability databases
(including CVE/NVD), notification services, and periodic summary producers.

RVI sources collect unstructured vulnerability information from Raw Sources.
Then, they refine, correlate, and redistribute the information to others.
Raw sources include mailing lists like Bugtraq, Vulnwatch, and
Full-Disclosure, web sites like PacketStorm and Securiteam, blogs,
conferences, newsgroups, direct emails, etc.

In my opinion, RVI sources are still a year or two away from being able to
produce reliable, repeatable, and COMPARABLE statistics. In general,
consumers should treat current statistics as suggestive, not conclusive.

Vulnerability statistics are difficult to interpret due to several factors:

* - VARIATIONS IN EDITORIAL POLICY. An RVI source's editorial policy
dictates HOW MANY vulnerabilities are reported, and WHICH vulnerabilities
are reported. RVIs have widely varying policies. You can't even compare an
RVI against itself, unless you can be sure that its editorial policy has not
changed within the relevant data set. The editorial policies of RVIs seem to
take a few years before they stabilize, and there is evidence that they can
change periodically.
* - FRACTURED VULNERABILITY INFORMATION. Each RVI source collects its
information from its own list of raw sources - web sites, mailing lists,
blogs, etc. RVIs can also use other RVIs as sources. Apparently for
competitive reasons, some RVIs might not identify the raw source that was
used for a vulnerability item, which is one aspect of what I refer to as the
provenance problem. Long gone are the days when a couple mailing lists or
newsgroups were the raw source for 90% of widely available vulnerability
information. Based on what I have seen, the provenance problem is only going
to get worse.
* - LACK OF COMPLETE CROSS-REFERENCING BETWEEN RVI SOURCES. No RVI has
an exhaustive set of cross-references, so no RVI can be sure that it is 100%
comprehensive, even with respect to its own editorial policy. Some RVIs
compete with each other directly, so they don't cross-reference each other.
Some sources could theoretically support all public cross-references - most
notably OSVDB and CVE - but they do not, due to resource limitations or
other priorities.
* - UNMEASURABLE RESEARCH COMMUNITY BIAS. Vulnerability researchers vary
widely in skill sets, thoroughness, preference for certain vulnerability
types or product classes, and so on. This collectively produces a bias that
is not currently measurable against the number of latent vulnerabilities
that actually exist. Example: web browser vulnerabilities were once thought
to belong to Internet Explorer only, until people actually started
researching other browsers; many elite researchers concentrate on a small
number of operating systems or product classes; basic SQL injection and XSS
are very easy to find manually; etc.
* - UNMEASURABLE DISCLOSURE BIAS. Vendors and researchers vary widely in
their disclosure models, which creates an unmeasurable bias. For example,
one vendor might hire an independent auditor and patch all reported
vulnerabilities without publicly announcing any of them, or a different
vendor might publish advisories even for very low-risk issues. One
researcher might disclose without coordinating with the vendor at all,
whereas another researcher might never disclose an issue until a patch is
provided, even if the vendor takes an inordinate amount of time to respond.
Note that many large-scale comparisons, such as "Linux vs. Windows," cannot
be verified due to unmeasurable bias, and/or editorial policy of the core
RVI that was used to conduct the comparison.

EDITORIAL POLICY VARIATIONS

This is just a sample of variations in editorial policy. There are
legitimate reasons for each variation, usually due to audience needs or
availability of analytical resources.

COMPLETENESS (what is included):

   1. SEVERITY. Some RVIs do not include very low-risk items such as a bug
that causes path disclosure in an error message in certain non-operational
configurations. Secunia 

[infowarrior] - Who Killed PayPal?

2006-01-05 Thread Richard Forno
(old but relevant. Thanks to CL for the posting...rf)

August 27, 2005

http://www.cato.org/pub_display.php?pub_id=4405

Who Killed PayPal?
by Radley Balko

Radley Balko is a policy analyst for the Cato Institute.

The PayPal Wars: Battles With eBay, the Media, the Mafia, and the Rest of
Planet Earth, by Eric M. Jackson, Gardena, Calif.: World Ahead Publishing,
344 pages, $27.95

In September 2004 Bill Quick received a notice from PayPal, the online
payment company that facilitated reader donations to his Daily Pundit blog.
The notice warned Quick that his account was on hold, and that it would be
terminated unless he removed "hate content" from his site. This appeared to
be a reference to Quick's link to a video of a terrorist beheading. PayPal
sent a similar letter to Jeralyn Merritt's civil liberties blog Talk Left.
Neither site is at all hateful, and both linked to the beheading video for
reasons that, while controversial, were certainly within the realm of civil
discussion.

Both letters came a month after PayPal announced an abrupt shift in its
terms of use. The company would no longer permit customers to use the
service for purchases associated with mature audiences, gambling, hate
paraphernalia, or prescription drugs, along with a long list of other
prohibitions. It would also fine its customers up to $500 for attempting
such transactions. Those terms apparently applied to donations to blogs with
content PayPal found objectionable.

That's a far cry from the libertarian vision founders Peter Thiel and Max
Levchin originally had for PayPal, an online payment service that enables
account holders to send money to anyone in the world with an e-mail address.
Thiel and Levchin had hoped PayPal would grow to become an
extra-governmental system of currency, something reminiscent of the world
described in Neal Stephenson's novel Cryptonomicon, in which programmers use
encryption to create an offshore data haven free from government control.

Eric M. Jackson documents the story of PayPal in his lively new book, The
PayPal Wars. Jackson's engaging narrative reads in turn like a spy novel, a
business text, and an insider tell-all. One of PayPal's earliest employees
and savviest marketers, Jackson documents the full spate of challenges and
obstacles faced by start-ups and entrepreneurs, and how visionaries often
have to abandon big ideas to keep competitors at bay and to satisfy petty
bureaucrats and politicians.

Thiel is a philosophy major who drew inspiration from Aleksandr
Solzhenitsyn; Levchin a Ukrainian Jew who grew up in the former Soviet Union
and immigrated to Chicago with his family in 1991. They met in Silicon
Valley in the late 1990s and over a series of lunches began to collaborate
on marketing a method of data encryption that would let users safely send
information between two personal digital assistants (Palm Pilots, for
example). Thiel and Levchin eventually decided that the most practical
application of the technology was money--specifically, the ability to beam
funds between PDAs without currency, checks, or credit cards. At a
conference in July 1999, representatives from Nokia Ventures and Deutsche
Bank used the encryption technology to send Thiel $3 million in venture
capital via a Palm Pilot. Confinity, later to become PayPal, was born.

In the book's first chapter, Jackson recalls a speech Thiel gave to
Confinity employees, just a few days after he began work, in which he
described his hopes for PayPal to become a borderless private currency. He
saw PayPal facilitating trade in currency for anyone with an Internet
connection by enabling an instant transfer of funds from insecure currencies
to more stable ones, such as U.S. dollars. Thiel explained to his young
staff how governments had historically robbed their own citizens through
inflation and currency devaluation. The very rich could always protect
themselves by investing offshore. "It's the poor and middle class," Thiel
explained, "who get screwed. PayPal will give citizens worldwide more direct
control over their currencies than they ever had before," Thiel predicted.
"It will be nearly impossible for corrupt governments to steal wealth from
their people through their old means because if they try the people will
switch to dollars or pounds or yen, in effect dumping the worthless local
currency for something more secure."

Though he touches on brushes with nearly a dozen would-be competitors to
PayPal, much of Jackson's book follows the continuing tug-of-war between
PayPal and eBay, the online auction behemoth. Early on, Jackson had smartly
identified eBay users as ideal potential PayPal customers. Jackson recounts
how, as his marketing overtures began to bring in high-volume eBay sellers,
PayPal struggled to innovate, adapt, and scale up its customer service
support to meet their needs. When PayPal's early success began to overwhelm
its own customer service staff, for example, the company didn't have the
capital to hire additional help. 

[infowarrior] - Google to Offer DRM'd Video Downloads

2006-01-05 Thread Richard Forno
Note the last sentence of the article: "Google has developed its own
digital-rights-management software to protect downloaded videos from
piracy." One can only imagine what that might be...rf

Google to Offer Video Downloads, Software That Rivals Microsoft's
By KEVIN J. DELANEY and NICK WINGFIELD
Staff Reporters of THE WALL STREET JOURNAL
January 5, 2006; Page A9
http://online.wsj.com/article_email/SB113643814564838423-lMyQjAxMDE2MzA2NTQwMzU4Wj.html

Google Inc. plans to announce Friday that it will begin allowing consumers
to buy videos from major content partners through the Google site and will
also roll out a new downloadable bundle of software for consumers that could
heighten Google's competition with Microsoft Corp., according to people
familiar with the matter.

Under the major upgrade to Google's video-search service, consumers will be
able to pay to download and view videos, such as television shows, on their
computers from Google content partners such as TV companies, people familiar
with the matter say. Google plans to announce partnerships with some major
players tomorrow, including CBS Corp. and the National Basketball
Association, these people say. By virtue of Google's huge presence online,
the move could place Google in competition with other emerging powers in
Internet distribution of video such as Apple Computer Inc.

Google co-founder Larry Page plans to make the announcements at the Consumer
Electronics Show in Las Vegas, say the people familiar with the matter.
Google in a statement said, "We have a number of exciting announcements that
we look forward to sharing in detail on Friday afternoon, during Larry's
keynote address at CES." A CBS spokesman declined to comment. An NBA
spokesman couldn't be reached for comment.

The Mountain View, Calif., search company also plans to announce Google
Pack, a bundle of software from Google and other companies that consumers
will be able to download and install on their computers, say people familiar
with the matter. That software will include the open-source Firefox Web
browser, a version of Norton AntiVirus software from Symantec Corp., Adobe
Systems Inc.'s Reader software, RealNetworks Inc.'s RealPlayer multimedia
software, Trillian instant-messaging software from Cerulean Studios and
Lavasoft AB's Ad-Aware antispyware software. Google Pack will also include
Google's own desktop search software, Google Earth satellite imaging and
maps software, Picasa photo-management software, Google Talk
instant-messaging program, its Toolbar add-on for Web browsers and screen
saver software.

The release of Google Pack comes as the company and Microsoft are battling
for users for their online services and see applications installed on users'
computers directing them to those online services as powerful weapons.
Internal Google documents released as part of a recently settled
employee-recruitment-related lawsuit between the two companies indicate that
Google executives have been concerned that Microsoft will increasingly try
to push consumers toward Microsoft's online services, such as Web search, at
the expense of Google. Microsoft could potentially use its coming Vista
operating-system software and new version of its Web browser to do so.

Google Pack, which could eventually come preinstalled when people buy some
new personal computers, is one way for Google to promote alternatives to
Microsoft. It doesn't, however, appear to include productivity applications,
such as word-processor software, that would compete more directly with
Microsoft's core software business. A Microsoft spokesman wasn't able to
comment.

Google Pack, which will involve a single installer program for all
applications, could also ease some of Google's own work providing technical
support to users. In some cases, the software in Google Pack could fix
problems -- such as viruses or spyware on computers -- that impede
consumers' usage of Google services.

Some details of Google's online video service remain unclear, such as how
much content owners might charge consumers to download their videos. Google
last year had said it planned to allow content owners to charge for videos,
but it hadn't activated that feature. Interest in delivering video over the
Internet has surged since October, when Apple began offering downloads of
popular TV shows through a partnership with Walt Disney Co. Google has
developed its own digital-rights-management software to protect downloaded
videos from piracy.

Write to Kevin J. Delaney at [EMAIL PROTECTED] and Nick Wingfield at
[EMAIL PROTECTED]





[infowarrior] - Security flaws on the rise, questions remain

2006-01-05 Thread Richard Forno
 Security flaws on the rise, questions remain
Robert Lemos, SecurityFocus 2006-01-05
http://www.securityfocus.com/news/11367?ref=rss

After three years of modest or no gains, the number of publicly reported
vulnerabilities jumped in 2005, boosted by easy-to-find bugs in Web
applications. Yet, questions remain about the value of analyzing current
databases, whose data rarely correlates easily.

A survey of four major vulnerability databases found that the number of
flaws counted by each in the past five years differed significantly.
However, three of the four databases exhibited a relative plateau in the
number of flaws publicly disclosed in 2002 through 2004. And, every database
saw a significant increase in their count of the flaws disclosed in 2005.

A few common themes emerged from the data as well. In 2005, easy-to-find
flaws in Web applications were likely responsible for the majority of the
increase, the database managers said in interviews with SecurityFocus.
However, some of the increase came from a doubling in the number of flaws
released by large software companies.

"The most important, and perhaps obvious, lesson is that the software flaws
are here to stay," said Peter Mell, a senior computer scientist for the
National Institute of Standards and Technology (NIST) and the creator of the
National Vulnerability Database (NVD), one of the four databases surveyed.

"The problem of people breaking into computers is not going away any time
soon," Mell said. "There are certainly more patches every year that system
administrators need to install, but the caveat is that more vulnerabilities
seem to apply to less important software."

Vulnerability databases are coming of age. In 2005, NIST created the
National Vulnerability Database and software makers and security service
providers have cooperated to create the Common Vulnerability Scoring System
(CVSS) to create a measure of severity of software flaws. The National
Vulnerability Database completed scoring flaws in its database using the
CVSS in late November. While auctions of vulnerability research have not
taken off, two companies now buy vulnerability information from flaw
finders.

The survey focused on four databases: The Computer Emergency Response Team
(CERT) Coordination Center's database, National Vulnerability Database
(NVD), the Open-Source Vulnerability Database (OSVDB), and the Symantec
Vulnerability Database. (SecurityFocus is owned by Symantec.)

The number of flaws cataloged by each database in 2005 varied widely,
because of differing definitions of what constitutes a vulnerability and
differing editorial policy. The OSVDB--which counted the highest number of
flaws in 2005 at 7,187--breaks down vulnerabilities into their component
parts, so what another database might classify as one flaw might be assigned
multiple entries. SecurityFocus had the lowest count of the vulnerabilities
at 3,766.

The variations in editorial policy and lack of cross-referencing between
databases and unmeasurable biases in the research community and disclosure
policy mean that the databases--or refined vulnerability information (RVI)
sources--do not produce statistics that can be compared, Steve Christey, the
editor of the Common Vulnerability and Exposures (CVE), wrote in an e-mail
to security mailing lists on Thursday. The CVE is a dictionary of security
issues compiled by The MITRE Corp., a government contractor and nonprofit
organization.

"In my opinion, RVI sources are still a year or two away from being able to
produce reliable, repeatable, and comparable statistics," he wrote. "In
general, consumers should treat current statistics as suggestive, not
conclusive."

Recent numbers produced by the U.S. Computer Emergency Readiness Team
(US-CERT) revealed some of the problems with refined vulnerability sources.
Managed by the CERT Coordination Center, the US-CERT's security bulletins
outline security issues but are updated each week. In a year-end list
published last week, the US-CERT announced that 5,198 vulnerabilities had
been reported in 2005. Some mainstream media outlets noted the number,
compared it to the CERT Coordination Center's previous data--which is
compiled from a different set of vulnerability reports--and concluded there
was a 38 percent increase in vulnerabilities in 2005 over the previous year.

In fact, discounting the updated reports resulted in a 41 percent decrease
to 3,074 vulnerabilities, according to an analysis done by Alan Wyle, an
independent computer programmer. If the data point could be compared with
statistics from CERT/CC, that would have placed the number of flaws reported
in line with the previous three years.
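Both the counting pitfalls in Christey's open letter (editorial policy deciding what counts as one flaw) and the US-CERT double counting of re-listed bulletin entries described here can be reproduced on constructed data; this is an added example, not the databases' own data or code, and its identifiers and product names are placeholders:

```python
"""Two vulnerability-counting pitfalls on constructed data (an added example, not
the databases' own data or code): re-listed bulletin entries inflating a year's
total, and editorial policy changing how many entries the same raw reports become.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class BulletinLine:
    vuln_id: str
    year: int
    updated: bool   # re-listing of an item already published in an earlier bulletin


def naive_count(lines: Iterable[BulletinLine], year: int) -> int:
    """Every line in the year's bulletins, updates included (the inflated figure)."""
    return sum(1 for line in lines if line.year == year)


def unique_count(lines: Iterable[BulletinLine], year: int) -> int:
    """Distinct identifiers first published in the year, re-listings discounted."""
    return len({line.vuln_id for line in lines if line.year == year and not line.updated})


def percent_change(old: int, new: int) -> float:
    return round((new - old) / old * 100, 1)


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RawReport:
    source: str
    product: str
    issues: Tuple[Tuple[str, str], ...]   # (flaw type, severity) per distinct flaw in the report


def count_by_policy(reports, split_components: bool, min_severity: str) -> int:
    """Apply one editorial policy to the same raw reports: one entry per report or
    one per component flaw, with issues below a severity floor dropped entirely."""
    floor = SEVERITY_RANK[min_severity]
    total = 0
    for report in reports:
        kept = [issue for issue in report.issues if SEVERITY_RANK[issue[1]] >= floor]
        if kept:
            total += len(kept) if split_components else 1
    return total


# Constructed bulletin lines: 10 new items in 2004; 12 new items in 2005 plus 8 weekly re-listings.
LINES = (
    [BulletinLine(f"VU-2004-{i:03d}", 2004, False) for i in range(1, 11)]
    + [BulletinLine(f"VU-2005-{i:03d}", 2005, False) for i in range(1, 13)]
    + [BulletinLine(f"VU-2005-{i:03d}", 2005, True) for i in range(1, 9)]
)

# Constructed raw reports; sources are the list's raw-source types, products are placeholders.
REPORTS = [
    RawReport("bugtraq", "ExampleCMS 1.0", (("xss", "medium"), ("sqli", "high"), ("path disclosure", "low"))),
    RawReport("full-disclosure", "ExampleCMS 1.0", (("csrf", "medium"),)),
    RawReport("vendor advisory", "ExampleOS 5", (("buffer overflow", "high"),)),
    RawReport("bugtraq", "ExampleForum 2", (("path disclosure", "low"),)),
]


def policy_spread():
    """Totals that four plausible editorial policies produce from the same raw reports."""
    return {
        (split, floor): count_by_policy(REPORTS, split, floor)
        for split in (False, True) for floor in ("low", "medium")
    }


if __name__ == "__main__":
    print("2005 vs 2004, naive:  ", naive_count(LINES, 2004), "->", naive_count(LINES, 2005),
          f"({percent_change(naive_count(LINES, 2004), naive_count(LINES, 2005)):+.1f}%)")
    print("2005 vs 2004, unique: ", unique_count(LINES, 2004), "->", unique_count(LINES, 2005),
          f"({percent_change(unique_count(LINES, 2004), unique_count(LINES, 2005)):+.1f}%)")
    for (split, floor), total in policy_spread().items():
        print(f"split_components={split!s:<5} min_severity={floor:<6} -> {total} entries")
```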

Yet, while the data is significantly flawed, the original story told by
US-CERT's list seems to be the right one. The number of vulnerabilities
reported in 2005 increased, mainly due to researchers looking into the
security of Web applications. The National Vulnerability Database noted the
largest increase of 96 percent from 

[infowarrior] - MS Advance Patch for WMF exploit

2006-01-05 Thread Richard Forno

http://www.microsoft.com/technet/security/bulletin/advance.mspx

Important Information for Thursday 5 January 2006

On Tuesday, January 2, 2006, Microsoft announced that it would release a
security update to help protect customers from exploitation of a
vulnerability in the Windows Meta File (WMF) area of code in the Windows
operating system, in response to malicious and criminal attacks on
computer users that were discovered last week.

Microsoft will release the update today on Thursday, January 5, 2006,
earlier than planned.

Microsoft originally planned to release the update on Tuesday, January 10,
2006 as part of its regular monthly release of security bulletins, once
testing for quality and application compatibility was complete. However,
testing has been completed earlier than anticipated and the update is
ready for release.

In addition, Microsoft is releasing the update early in response to strong
customer sentiment that the release should be made available as soon as
possible.

Microsoft's monitoring of attack data continues to indicate that the
attacks are limited and are being mitigated both by Microsoft's efforts
to shut down malicious Web sites and with up-to-date signatures from
anti-virus companies.

The security update will be available at 2:00 pm PT as MS06-001.

Enterprise customers who are using Windows Server Update Services will
receive the update automatically. In addition, the update is supported by
Microsoft Baseline Security Analyzer 2.0, Systems Management Server, and
Software Update Services. Enterprise customers can also manually download
the update from the Download Center.

Microsoft will hold a special Web cast on Friday, January 6, 2006, to
provide technical details on the MS06-001 and to answer questions.
Registration details will be available at
http://www.microsoft.com/technet/security/default.mspx.

Microsoft will also be releasing additional security updates on Tuesday,
January 10, 2006 as part of its regularly scheduled release of security
updates.






[infowarrior] - Survey on Vulnerability Disclosure: Request for Participation

2006-01-05 Thread Richard Forno
Greetings --

As part of my doctoral studies, I am seeking community input regarding how
secrecy and openness can be balanced in the analysis and alerting of
security vulnerabilities to protect critical national infrastructures. To
answer this question, my thesis is investigating:

1. How vulnerabilities are analyzed, understood and managed throughout
the vulnerability lifecycle process.

2. The ways that the critical infrastructure security community interacts
to exchange security-related information and the outcome of such
interactions to date.

3. The nature of and influences upon collaboration and
information-sharing within the critical infrastructure protection community,
particularly those handling internet security concerns.

4. The relationship between secrecy and openness in providing and
exchanging security-related information.

The survey is located at http://www.infowarrior.org/survey.html and should
take 10-15 minutes to complete. Participation is both voluntary and
anonymous. Thank you for your help with this endeavor, and for helping
distribute this request for participation to other interested parties/lists.

The survey will be online through early March.

Thanks again,

Rick
-infowarrior.org





[infowarrior] - Windows rootkits of 2005, part three

2006-01-05 Thread Richard Forno
Windows rootkits of 2005, part three
James Butler, Sherri Sparks,
http://www.securityfocus.com/infocus/1854?ref=rss

The third and final article in this series explores five different rootkit
detection techniques used to discover Windows rootkit deployments.
Additionally, nine different tools designed for administrators are
discussed.

1. Introduction
Rootkits have become very sophisticated over the past few years, and in 2005
we have seen a surge in rootkit deployments in spyware, worms, botnets, and
even music CDs. Once a computer system has been subverted by a rootkit it is
extremely difficult to detect or eradicate the rootkit, but several
detection methodologies have still worked to varying degrees. Part one
looked at what Windows rootkits are and what makes them so dangerous. Part
two examined the latest cutting-edge rootkit technologies and how they
achieve stealth.

Now in part three, we explore five such detection techniques and, where
possible, provide information about different rootkit detection tools.
2. Signature based detection
Signature based detection methods have been in use by antiviral products for
years. The concept is simple. System files are scanned for a sequence of
bytes that comprise a "fingerprint" that is unique to a particular rootkit.
If the signature is found in a file on the user's system, it signals an
infection. As signature scanning has traditionally been applied to the
filesystem, its usefulness for rootkit detection is limited unless it is
combined with some more advanced detection techniques. This is due to the
rootkit's natural propensity to hide files using execution path hooking
techniques.

Despite their antiquity, signature based detections are worth mentioning
because they may be applied with success to scanning system memory in
addition to filesystem scanning. Ironically, most public kernel rootkits are
susceptible to signature scans of kernel memory. As kernel drivers, they
typically reside in non-paged memory and few, if any, make an effort towards
any kind of polymorphic code obfuscation. Thus, a scan of kernel memory
should trivially identify most public kernel rootkits regardless of their
underlying bag of tricks (DKOM, SSDT, IDT hooking and the like). The key
words in that last sentence, however, are "public rootkits" because
signature based detection is, by definition, useless against malware for
which a known signature does not exist. Finally, signature based detection
methods are useless against Virtual Memory Manager (VMM) hooking rootkits
like Shadow Walker which are capable of controlling the memory reads of a
scanner application. [ref 1]
3. Heuristic / Behavioral detection
Where signature based detections fall short, heuristic detections take over.
Their primary advantage lies in their ability to identify new, previously
unidentified rootkits. They work by recognizing deviations in normal
system patterns or behaviors. Various heuristics have been proposed for
identifying rootkits based upon execution path hooking. In this section we
examine two such tools: VICE and Patchfinder.
3.1 VICE
VICE is a freeware tool written to detect hooks [ref 2]. It is a standalone
program that installs a device driver to analyze both user mode applications
and the operating system kernel. In the kernel, VICE checks the SSDT for
function pointers that do not resolve to ntoskrnl.exe. Also, you can add
devices to the file driver.ini, and VICE will check the IRP major function
table of the corresponding driver. If a function pointer in the IRP major
function table of a driver is not an address within the driver itself,
then the IRP has been hooked by an outside driver or piece of kernel code.
In user mode, VICE checks the address space of every application looking for
IAT hooks in every DLL that the application uses. Inline function hooks are
detected in DLL functions imported by applications and in the SSDT functions
themselves. VICE will resolve what function is being hooked and the address
of the hooking function. When possible, VICE will also display the full path
on the filesystem of the DLL or device driver doing the hooking so that a
System Administrator can remove the malicious software. Today, VICE will
detect most publicly known Windows rootkits and any stealth related
technology that uses hooking technologies. To run VICE, the host machine
must have the Microsoft .NET Framework installed, which is free for
download.
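The SSDT, IRP-table and inline-hook checks described for VICE all reduce to address-range tests against the loaded-module map; the following is an added example modelling those tests, not VICE's own code, with constructed module bases, table entries and prologue bytes (a real tool reads these from kernel memory and the loaded-module list):

```python
"""Model of the range checks a VICE-style hook detector applies to kernel dispatch
tables and function prologues.  Added example with constructed addresses; a real
tool reads the tables and the loaded-module list from kernel memory instead.
"""
from dataclasses import dataclass
import struct
from typing import List, Optional


@dataclass(frozen=True)
class ModuleImage:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules: List[ModuleImage]) -> Optional[str]:
    """Name of the loaded module whose image range holds addr, or None if no module does."""
    for module in modules:
        if module.contains(addr):
            return module.name
    return None


def check_dispatch_table(table_name: str, expected_owner: str, entries, modules):
    """Flag table entries that do not resolve into the module that owns the table
    (ntoskrnl.exe for the SSDT, the driver's own image for its IRP major function table).
    Returns (table, index, target, owner-or-None) tuples; None means the target lies
    in no listed module, the classic sign of code injected by a rootkit."""
    findings = []
    for index, target in enumerate(entries):
        owner = owner_of(target, modules)
        if owner != expected_owner:
            findings.append((table_name, index, target, owner))
    return findings


def check_inline_hook(func_addr: int, prologue: bytes, modules) -> Optional[int]:
    """Detect a near JMP (E9 rel32) written over a function's first bytes whose
    target lies outside the function's own module.  Returns the hook target or None."""
    if len(prologue) < 5 or prologue[0] != 0xE9:
        return None
    rel32 = struct.unpack_from("<i", prologue, 1)[0]
    target = (func_addr + 5 + rel32) & 0xFFFFFFFF   # 32-bit kernel address space
    if owner_of(target, modules) == owner_of(func_addr, modules):
        return None   # jump stays inside the module: not reported as a hook
    return target


# Constructed module map and tables (a real SSDT has hundreds of entries).
MODULES = [
    ModuleImage("ntoskrnl.exe", 0x80400000, 0x200000),
    ModuleImage("tcpip.sys", 0xF8800000, 0x80000),
]
SSDT = [0x80412340, 0x80455000, 0xF9C01000, 0x8049A7C0]   # index 2: points to no loaded module
IRP_TCPIP = [0xF8801000, 0xF8802000, 0xF9C01200]         # index 2: IRP handler redirected
NT_FUNC = 0x80412340
# Constructed prologues: a JMP into the unlisted region, and the clean
# "mov edi,edi; push ebp; mov ebp,esp" that hot-patchable NT functions start with.
HOOKED_PROLOGUE = b"\xe9" + struct.pack("<i", 0xF9C01000 - (NT_FUNC + 5)) + b"\x90\x90\x90"
CLEAN_PROLOGUE = b"\x8b\xff\x55\x8b\xec\x90\x90\x90"


def run_checks():
    return {
        "ssdt": check_dispatch_table("SSDT", "ntoskrnl.exe", SSDT, MODULES),
        "irp": check_dispatch_table("IRP tcpip.sys", "tcpip.sys", IRP_TCPIP, MODULES),
        "inline": check_inline_hook(NT_FUNC, HOOKED_PROLOGUE, MODULES),
    }


if __name__ == "__main__":
    results = run_checks()
    for table, index, target, owner in results["ssdt"] + results["irp"]:
        print(f"{table}[{index}] -> {target:#010x} owned by {owner or 'no loaded module'}")
    print(f"inline hook at {NT_FUNC:#010x} -> {results['inline']:#010x}")
```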

The current version of VICE has been targeted and subverted by at least one
public rootkit. [ref 3] Rootkits have leveraged the fact that VICE always
executes with a specific process name. When the rootkit detects the VICE
process, it does not hook so VICE has nothing to detect. Another attack has
targeted VICE's communication channel between the user mode portion and the
device driver. However, VICE's biggest weakness may be the large number of
false positives it returns. VICE was designed to detect 

[infowarrior] - Amit Yoran to head up CIA venture capital op

2006-01-04 Thread Richard Forno
Original URL: http://www.theregister.co.uk/2006/01/04/inqtel_new_ceo/

Former cyber security chief tapped as new CEO of spook op
By Ashlee Vance in Mountain View
Published Wednesday 4th January 2006 08:09 GMT

The spookiest venture capital firm on the planet has hired a new CEO.

In-Q-Tel - the CIA's venture capital unit - has tapped Amit Yoran as the
successor to Gilman Louie, according to a report in the Washington Business
Journal. The well-credentialed Yoran previously served as the first head of
cyber security for the Department of Homeland Security. He also founded
security specialist Riptech, which was sold to Symantec in 2002.

A quick search for Yoran turns up some stories declaring him as the most
powerful man in cyberspace and others questioning whether we can trust the
cyber tsar. These headlines relate to Yoran's days at the haplessly named
Department of Homeland Security, and the underlying stories often include
anecdotes about a young Yoran opting to wear ties to school and expressing a
strong love for Reagan in his youth. Whether or not an Alex P. Keaton clone
is evil depends on your perspective.

Yoran left the DHS post after just one year
(http://www.theregister.co.uk/2004/10/04/cybersecurity_czar_quits/) on the
job, saying he wanted to - all together now - spend more time with his
family and find a way to re-enter the private sector.

As head of In-Q-Tel, Yoran will get to spearhead funding meant to help the
snoops at Langley do their jobs. One recent report says that In-Q-Tel is
helping cultivate nearly three dozen young firms specializing in one or
more of the following: search, categorization, collaboration and publishing;
application integration; visualization; translation; geospatial
intelligence; and design, simulation and modeling.

Louie began looking for a replacement last year. In-Q-Tel is expected to
announce this move on Wednesday.





[infowarrior] - Florida may sue Sony, too

2006-01-04 Thread Richard Forno
Florida may sue Sony, too
http://www.eff.org/deeplinks/archives/004292.php

Charlie Crist, the Florida Attorney General, has joined several other states
in investigating the Sony DRM debacle:

Allegation or issue being investigated:
It has been reported that certain Sony music cd's contain a software
program apparently intended to protect against unauthorized duplication of
the cd by the purchaser. This software is referred to as digital rights
management (DRM) software and is used to regulate the number of times a CD
may be copied by that computer system. The consumer is not informed in
detail of the DRM and, in order to listen to the cd, the consumer must
allow the download of the software onto the hard drive. There is no
uninstall feature offered. In Sony cds the DRM software has been designed to
be almost undetectable on computers with Windows operating systems. It is
reported and we have initiated our own investigation of the fact that the
DRM file is very difficult to locate and even more difficult to remove, even
by a professional, without damaging the Windows system and the overall
operation of the computer. This software is not detected by the standard
antivirus and antispyware software.

While a settlement for the private plaintiffs class-action suits has been
proposed, it allows for state Attorneys General to obtain further relief,
which will be applied to all class members. The Florida matter is case
number L05-3-1157, out of Crist's Tampa Economic Crimes office.





[infowarrior] - Cyber Warfare: The New Battlefield

2006-01-04 Thread Richard Forno
Cyber Warfare: The New Battlefield
By Jeffrey Young 
Washington, D.C.
03 January 2006
http://www.voanews.com/english/NewsAnalysis/2006-01-03-voa15.cfm

New weapons to wage war continue to be developed and used in the effort to
gain and maintain superiority over an adversary. Through cyber warfare,
countries could attack each other via computers.

Countries can now wage war by typing commands into a computer keyboard.
Cyber warfare has been a reality in Hollywood for some time. Movies and TV
shows have portrayed soldiers launching attacks against adversaries half a
world away by typing commands into a computer. While Hollywood was ahead of
reality for years, advances in technology over the past several decades have
enabled cyber warfare to become a viable strategic tool.

That's confirmed by Michael Skroch with the U.S. government's Sandia
National Laboratories. He heads a special team of cyber warriors who probe
computers, including U.S. government systems, looking for security
weaknesses. Mr. Skroch says this form of war, while quite real, is not
publicly quantified with statistics on numbers of attacks and successes.

"Details on cyber warfare are sensitive," he says. "Everyone is going to
hold those closely. Cyber warfare is already with us, and it will be growing
in the set of solutions our military has for the future. We've seen this
demonstrated in some of the wars in the Middle East. As we've heard in the
press, the attacks by the United States have been to disable communications,
to cause confusion in the command and control structure of the adversary
before a follow-on assault."

1991 Gulf War: An Early Cyber Conflict

The Pentagon reportedly hit Iraqi computers in the 1991 Gulf War.
The first major U.S. conflict involving computer warfare was the 1991 war
against Iraq. The Pentagon does not offer specific details as to what was
done, but reports have asserted that Baghdad's air defense radar and other
systems were targeted by U.S. cyber warriors.

On today's battlefield, while jets and tanks may be locked in tactical
combat, James Lewis at the Center for Strategic and International Studies in
Washington says data control and management is how the larger fight is
oftentimes won.

"Information dominance is the key to military success. Being able to defend
your own information assets and attack your opponents' is crucial. But the
ability to do that using the Internet and publicly controlled networks --
it's still sort of limited," he says.

Analyst Lewis says that's because governments and their military forces
shield critical computer systems from the Internet so that only authorized
people can access them. But despite these efforts, Mr. Lewis says such
computer systems can still be compromised.

"What's the best way to attack?" he says. "Is it somebody sitting four
thousand miles away in front of a computer terminal, or is it somebody
sneaking in onto what people think is a protected system. In some ways, this
is a traditional kind of sabotage."

Cyber Tactics: Attacking Data Integrity

Cyber warriors say launching overt attacks on an enemy's computers isn't
always the best or most successful tactic. Washington-based cyber security
consultant Richard Forno describes another, called "data integrity," that
can be devastating to an adversary.

"You can certainly destroy a computer physically or electronically, but a
more devious and perhaps more long-term or subtle approach is to 'tweak'
[modify] the data on a target [computer] site so that the data is either
corrupted or becomes untrustworthy," he says. "It is definitely a viable
attack strategy."

But data integrity attacks aren't limited to military defense systems and
other direct tools of warfare. Paul Kurtz, Executive Director of the
Computer Security Industry Alliance in Washington, says data integrity
attacks can also undermine an adversary by targeting systems that, in
essence, keep that country functioning.

"Think of scrambling financial data, scrambling blood types, scrambling
reservations and airline controls and scrambling customs and immigration
data. An attack such as this would be very time consuming to go back and
'untangle' whatever was done," he says.

Mr. Kurtz says that this form of data integrity attack is far easier to
accomplish than those on military systems because the computers with
financial and other data may be accessible through the Internet.

Data Mining: Looking for Needles in a Haystack

There is yet another way that a country can use computers to gain advantages
over another nation. It's called data mining, the collection of a broad
range of economic and other information that when analyzed can provide
indications of a country's well-being. Cyber security consultant Richard
Forno says data mining is akin to looking for the proverbial needle in a
haystack.

Who cares if you mine a lot of 'noise' [irrelevant data] to get that one or
two useful 'nuggets' of information? In some cases, some organizations and
some countries may take

[infowarrior] - Interesting project -- openQRM

2006-01-04 Thread Richard Forno

This seems to be an interesting open source Linux-based
project... potentially cost-effective for data centers? -rf

http://www.openqrm.org/

openQRM is an open source systems management platform which integrates with
existing components in enterprise data centers to create scalable, highly
available and customizable infrastructures. The project is derived from a
proven commercial product and distributed as an open source project through
SourceForge, using a modified Mozilla Public License.

http://www.openqrm.org/





[infowarrior] - JSG: Go Back to Afghanistan, Hussy!

2006-01-04 Thread Richard Forno
Go Back to Afghanistan, Hussy!

By Jennifer Granick

http://www.wired.com/news/technology/0,69955-0.html?tw=wn_tophead_3

My last column on the president's illegal wiretaps provoked the most
responses I've received since starting Circuit Court.

Many of the e-mails parroted the same three debunked rationales offered by
the White House as justifications for breaking the law. There was also a
surprising amount of vitriol and name-calling. One writer called me a bimbo,
and another told me to go back to Afghanistan if I hated our free country
so much that I would voice concern about how our government doesn't respect
our freedoms.

Underlying all the anger, the fear and the credulity of those who wrote in
was the theme that asking intelligence agents to get court authorization for
surveillance would result in another Sept. 11.

The principle of separation of powers -- of checks and balances -- is so
fundamental to our system of government, and so familiar to anyone who grew
up here, how is it that so many of my fellow Americans can forget it
completely when the question is one of tracking terrorists?

It's true that we're living in a dangerous world. The arms industry is
producing cheaper and more portable weapons, and terrorists have benefited
alongside national armies. The internet is the most amazing tool for cheap
worldwide communication ever created, but terrorists use it alongside
activists, consumers, commercial interests and artists. The terrorists
aren't pulling any punches when it comes to using technology against us. Why
should we handicap ourselves in using surveillance tools against them?

The mistake is viewing checks and balances as a handicap. They are our
strength. Separation of powers is what makes the U.S. government a
government of laws, not of men. It's what makes the government accountable
-- to the people, and to itself. It's what protects individuals against
false accusations, what ensures that we spend our resources pursuing the
real threats to our security and to our freedom.

In recent polling -- as in my e-mail inbox -- people emphasized that the
targets of the National Security Agency surveillance weren't just American
citizens, but were collaborators, communicating with known terrorists. The
kinds of people, in other words, who need to be watched.

If that turns out to be true, then I agree -- but so does the law that our
president ignored. All the Foreign Intelligence Surveillance Act, or FISA,
requires in an emergency is that officials contact the secret court within
72 hours after performing a wiretap to show probable cause that the target
of the spying was in fact a terrorist collaborator.

The process ensures that the surveillance is being done correctly and under
appropriate circumstances.

The lessons of McCarthyism and the Church Committee reports are that people
in power will use false evidence to target perceived enemies. History
demonstrates that the executive branch makes mistakes. Juries rejected
Department of Justice prosecutions against Florida professor Sami Al-Arian
and web programmer Sami Omar Al-Hussayen. The conservative 4th U.S. Circuit
Court of Appeals has expressed concern that the Justice Department told
judges one story to keep Jose Padilla detained as an enemy combatant but
presented a different story to obtain an indictment against him. The FBI
pursued an Oregon lawyer for the Madrid bombings long after Spanish
authorities told them that they had the wrong man. And it was only because a
judge was paying attention that we learned the Justice Department has
brought unsubstantiated terror charges in several cases.

The Bush administration isn't the first to make these kinds of mistakes and
it won't be the last. But it is alone in its insistence that its judgment
and discretion, despite these errors, should not be reviewed by judges -- or
questioned by the public.

Getting a warrant takes more time and effort than not getting a warrant. But
that extra effort guards against mistakes. And when there is not enough time
to put a warrant together for an otherwise valid interception, FISA provides
a 72-hour, fail-safe mechanism.

Perhaps there will be rare occasions when three days is not enough. The way
to deal with these exceptions is not to throw the rules away. We know that
illegal, warrantless surveillance has happened in the past and will happen
in the future. But the rule of law must remain our guiding principle.
Breaking the law and accepting the consequences is sometimes part of doing
the right thing. But most of the time, it's not.

There is a difference between falling short of what the law requires --
while taking appropriate responsibility later -- and deliberately
instituting policies designed to justify and support a failure to act in
accordance with democratic principles. As author Richard Thieme put it when
writing about proposals to legalize torture, this is the difference between
a society 

[infowarrior] - Apple -- A Tragic Love Story

2006-01-04 Thread Richard Forno
Apple -- A Tragic Love Story
Posted at 12:00 AM
http://www.technologyreview.com/Blogs/wtr_16116,290,p1.html

UPDATE: I knew the storm was coming when I posted this, but I did it anyway.
Possibly I wasn't clear enough. I'm willing to admit that. However, let me
reiterate my point in a very clear way: I've got no problem with Apple. I
used Apple products until 1999, when I started working at Wired, a PC shop,
and began covering digital entertainment, which didn't really exist on Apple
products back then. So -- truly folks -- I get it. I understand. For loads
of people, Apple is what they choose.

The simple point I'm trying to make here: Jobs' deal with the entertainment
industry and its DRM practices are bad for consumers. This isn't a knock on
the iPod (although I really don't get it). If you love your iPod, by all
means, use it in complete happiness and joy. But that doesn't mean you
should be overjoyed by the DRM practices the company has built itself on.
Now -- on to the original post.

Let me start this post by saying this: if you like Apple, you are likely
going to want to stab me with a fork when you are done reading this. I
apologize for that. But since we're all friends here, I think it's important
that I remind you of a few things.

Okay, now that's out of the way. As you probably know, MacWorld takes place
next week, and I have no doubt that Apple addicts around the planet are so
giddy with anticipation that many of them can't sleep. I also know that no
matter how much I try to make this blog sound respectful, I am going to fail
miserably because it's difficult to have a rational discussion with people
who are so into anything.

But I completely respect that stance. I would even go so far as to say, I
completely understand their stance. I feel that way about The Ohio State
University, the Cincinnati Bengals, the Cincinnati Reds, and the Cincinnati
Bearcats, and my mother.

However, sometimes, blind faith isn't enough. And in this particular case,
unquestioning faith in all things Steve is a bad idea. (For what it's worth,
this McSweeney's post should take some of the heat off me, I hope.)

The immediate response I get when I bring this up is always the same:
"Microsoft is so much worse." But I disagree. There is an army of
programmers around the world who are developing applications, work-arounds,
and other goodies that allow me to circumvent most of the aspects about
Microsoft products I don't like. The coolest thing that I do is record
television with my PC, hack the DRM, burn it to a DVD, and take that program
with me anywhere. But I know that doesn't even touch the tip of the
iceberg.

However, that's not what really, really sticks in my craw. I reserve that
(possibly irrational) anger for the iPod and iTunes, two music products that
are so restrictive in their licensing and user set-ups that I have never
been able to bring myself to download the software to purchase music through
iTunes or pony up the cash to buy an iPod.

It's fairly well publicized that if you have music on your hard drive, music
you've purchased a license to use through iTunes, and your computer crashes
-- you lose all of that music. It's not a common occurrence for sure (at
least, I hope it's not), but when it does happen (as it nearly did to one
editor here), your view of Apple suddenly, and dramatically, changes. (This
doesn't even begin to touch on the fact that the iPod was clearly not the
first digital music player, and for my tastes, isn't even the best player --
but the Altoids-style packaging has certainly resonated with consumers,
which is the bottom line.)

That said, even that restrictive licensing doesn't ultimately get to me.
Every company has the right to set up the terms of use (within reason), and
that is the road Apple chose to go down. The problem is they've been so
compliant with the entertainment industry -- foisting ridiculous digital
rights management on consumers -- that they may very well be setting the
table for the music and movie industries to expand their restrictive
licensing to entirely new platforms.

Jobs has, by and large, become a proxy for the music and movie industries in
the continual eroding of consumer rights in a digital age. And -- for
everyone who shells out their hard-earned money for the latest and greatest
gadget -- you've all fallen for it.

No, what really gets to me is that I think all of the Apple users around the
planet know this already, but simply have stopped caring -- and I can't
figure out why. However, I think I may have figured it out, thanks to one
unnamed person who said to me: "Yes, but the iPod is so cute."





[infowarrior] - FW: [attrition] Security Rant: US-CERT: A disgrace to vulnerability statistics

2006-01-03 Thread Richard Forno
http://www.osvdb.org/blog/?p=79

US-CERT: A disgrace to vulnerability statistics
Posted in Vulnerability Statistics on January 2nd, 2006 by jericho

Several people have asked OSVDB about their thoughts on the recent US-CERT
Cyber Security Bulletin 2005 Summary. Producing vulnerability statistics
is trivial to do. All it takes is your favorite data set, a few queries,
and off you go. Producing meaningful and useful vulnerability statistics
is a real chore. I've long been interested in vulnerability statistics,
especially related to how they are used and the damage they cause.
Creating and maintaining a useful statistics project has been on the
OSVDB to-do list for some time, and I personally have not followed up with
some folks that had the same interest (Ejovi et al). Until I see such
statistics done right, I will of course continue to voice my opinion at
other efforts.

[..]

Ok, on to the fun part.. the statistics! Unfortunately, the bulletin is
very lacking on wording, explanation, details or additional disclaimers.
We get two very brief paragraphs, and the list of vulnerabilities that
link to their summary entries. Very unfortunate. No, let me do one better.
US-CERT, you are a disgrace to vulnerability databases. I can't fathom why
you even bothered to create this list, and why anyone in their right mind
would actually use, reference or quote this trash. The only statistics
provided by this bulletin:

[..]

A decade later, and the security community still lacks any meaningful
statistics for vulnerabilities. Why can't these outfits with commercial or
federal funding actually do a good job and produce solid data that helps
instead of confuses and misleads?!





[infowarrior] - Grokster in file share scare

2006-01-03 Thread Richard Forno
(RIAA again hoping to dupe the ignorant masses...rf)

Grokster in file share scare
http://www.theinquirer.net/?article=28660

By Nick Farrell: Monday 02 January 2006, 15:36

IN A BIT OF a daft anti-piracy stunt, the former file sharing outfit
Grokster has been posting visitors' IP addresses on its homepage.

Visitors to grokster.com are shown a snap shot of their IP address and are
warned that the address has been recorded and their visit to the site was
not anonymous. The move is no doubt to prove to the music and movie
business, in which Grokster hopes to become a mover and a shaker, that the
outfit is serious about piracy.

The downside is that it is being treated with hoots of laughter from the
file sharing community. Those who know what their IP address looks like will
not be spooked that Grokster has a server that can read it. They know that
servers all know their IP address, it's part of that whole Internet thing.

Those who might be scared about their IP address being 'recorded' will
probably think it is something to do with the microwave and nothing to do
with piracy. Already on some bulletin boards file sharers are having fun
logging in famous IP addresses such as Google at the site so that they can
be recorded and ruthlessly hunted down by the music industry lawyers.

The only problem is that we can't see any sending code in Grokster's page so
chances are that nothing is being recorded by anyone.





[infowarrior] - Answering Back to the News Media, Using the Internet

2006-01-03 Thread Richard Forno
January 2, 2006
Answering Back to the News Media, Using the Internet
By KATHARINE Q. SEELYE - NY Times
http://tinyurl.com/73o2v

Never pick a fight with someone who buys ink by the barrel, or so goes the
old saw. For decades, the famous and the infamous alike largely followed
this advice. Even when subjects of news stories felt they had been
misunderstood or badly treated, they were unlikely to take on reporters or
publishers, believing that the power of the press gave the press the final
word.

The Internet, and especially the amplifying power of blogs, is changing
that. Unhappy subjects discovered a decade ago that they could use their Web
sites to correct the record or deconstruct articles to expose what they
perceived as a journalist's bias or wrongheaded narration.

But now they are going a step further. Subjects of newspaper articles and
news broadcasts now fight back with the same methods reporters use to
generate articles and broadcasts - taping interviews, gathering e-mail
exchanges, taking notes on phone conversations - and publish them on their
own Web sites. This new weapon in the media wars is shifting the center of
gravity in the way that news is gathered and presented, and it carries
implications for the future of journalism.

Just ask Nightline, the ABC News program, which broadcast a segment in
August about intelligent design that the Discovery Institute, a conservative
clearinghouse for proponents of intelligent design, did not like very much.
The next day, the institute published on its Web site the entire transcript
of the nearly hourlong interview that Nightline had conducted a few days
earlier with one of the institute's leaders, not just the brief quotes that
had appeared on television.

The institute did not accuse Nightline of any errors. Rather, it urged
readers to examine the unedited interview because, it said, the transcript
would reveal the predictable tone of some of the questions by the staff of
Nightline.

"Here's your chance to go behind the scenes with the gatekeepers of the
national media to see how they screen out viewpoints and information that
don't fit their stereotypes," Rob Crowther, the institute's spokesman, wrote
on the Web site.

The printing of transcripts, e-mail messages and conversations, and the
ability to pull up information from search engines like Google, have
empowered those whom Jay Rosen, a blogger and journalism professor at New
York University, calls "the people formerly known as the audience."

"In this new world, the audience and sources are publishers," Mr. Rosen
said. "They are now saying to journalists, 'We are producers, too. So the
interview lies midpoint between us. You produce things from it, and we do,
too.' From now on, in a potentially hostile interview situation, this will
be the norm."

All these developments have forced journalists to respond in a variety of
ways, including becoming more open about their methods and techniques and
perhaps more conscious of how they filter information.

"To the extent that you know there's someone monitoring every word, it
probably compels you to be even more careful, which is a good thing," said
Chris Bury, the Nightline correspondent whose interview was published by
the Discovery Institute. "But readers and viewers need to realize that one
interview is only one part of the story, that there are other interviews and
other research and that this is just a sliver of what goes into a complete
report."

Posting primary source material is becoming part of public relations
strategies for interest groups, businesses and government. The Pentagon and
State Department now post transcripts of interviews with top officials on
their Web sites or they e-mail them to reporters, as does Vice President
Dick Cheney's office.

An early example of turning the tables occurred in 2001, when David D.
Kirkpatrick, who then covered the publishing industry for The New York
Times, wrote an article about Dave Eggers, author of A Heartbreaking Work
of Staggering Genius. Mr. Eggers posted a 10,000-word response on his Web
site complaining about the tone of the piece, and included their e-mail
exchanges, which Mr. Kirkpatrick had asked be kept private.

Individual newspapers and television stations generally reach a wider
audience than individual blogs, and Mr. Eggers touched on this lopsidedness
when he explained on his Web site why he was reprinting Mr. Kirkpatrick's
e-mail messages: "It's the only remedy commensurate with the impact you
enjoyed with your original piece."

But the power of blogs is exponential; blog posts can be linked and
replicated instantly across the Web, creating a snowball effect that often
breaks through to the mainstream media. Moreover, blogs have a longer shelf
life than most traditional news media articles. A newspaper reporter's
original article is likely to disappear from the free Web site after a few
days and become inaccessible unless purchased from the newspaper's archives,
while the blogger's version of 

[infowarrior] - Will Digital Cinema Can Pirates?

2006-01-03 Thread Richard Forno
Will Digital Cinema Can Pirates?

By Seán Captain
http://www.wired.com/news/technology/0,69922-0.html?tw=wn_tophead_2

Switching from film-based to digital projectors in movie houses promises
better quality for theatergoers. But it could also help Hollywood studios
nab bootleggers.

Digital projectors can't stop people from recording movies, but they can
allow studios to trace every illegal copy back to the specific time and
theater where it was recorded. This capability is a requirement of the
Digital Cinema System Specification -- the playbook for digital theaters in
the United States and potentially worldwide.

This approach isn't entirely new. Studios often embed tracking information
in prints. "They don't publicly talk about this," said Brad Hunt of the
Motion Picture Association of America, "but it's a well-known fact that
forensic watermarking is being used on theatrical release prints because
that's how we can determine sources of piracy."

Data in prints, however, can only say what reel of film was copied. Because
digital projectors add the information as the movie is playing, they can
specify when the piracy occurred. "We now can actually extract the data that
the content was rendered at 2 a.m.," said Hunt, giving a hypothetical
example.

The digital projection guidelines, published in July by a consortium of
Hollywood studios called the Digital Cinema Initiatives, say every
five-minute chunk of video must contain a 35-bit forensic marker
specifying the date, time and location at which the movie is shown. The
guidelines don't say how to get that information into the movie, but they
require it to be "visually transparent to the critical viewer" and
"inaudible in critical listening tests."

One way is to include tones that are outside the range of human hearing.
"That's old tech," said Brian Claypool, spokesman for Christie Digital
Systems, a major maker of cinema projectors. "It doesn't give you a lot of
information."

It's also possible to speed up the image refresh rate and insert extra video
frames. Hunt said that method is used to ruin the quality of bootleg copies.
Although the frames flash too quickly for viewers to notice, the image
sensor in a video camera picks them up.

Such a trick could also be used to encode tracking information. But Hunt
said several other techniques exist. "We're not trying to describe
specifically what is being done, because the effectiveness of these
technologies is based on a lack of knowledge."

Claypool also declined to say what cues Christie projectors add to the
video. But he said they meet the requirement of being able to survive
changes to the copy, such as recording it at a low bitrate, altering the
resolution or converting it to a different file format. "No matter how
low-quality it may be, you can trace it back to the source," said Claypool.

Christie will be supplying equipment with the tracking technology for a
movie studio- and distributor-funded program to place 4,000 digital
projection systems in U.S. theaters by the end of 2007.

The effort is a baby step, however. About 30,000 movie theaters show films
in the United States and about 100,000 globally -- completing the transition
could take decades.





[infowarrior] - Can you patent a method of selling cereal?

2006-01-03 Thread Richard Forno
Snap, Crackle ... Patents
Can you patent the business method of selling cereal? One company gave it a
shot.
By Christopher Hayes

http://www.inthesetimes.com/site/main/article/2451/

Back in 2000, David Roth had one of those eureka moments that are the
stuff of American entrepreneurial legend. After spotting a box of Cocoa Puffs
hidden behind the desk of a Wall Street executive, Roth dreamed up a retail
business that would sell cereal all the time. He and a partner opened the
first Cereality in Tempe, Arizona, on the campus of Arizona State
University. College students flocked; Roth followed up with stores in
Philadelphia and Chicago; and news outlets from Time to CNN fawned.

But as is so often the case with good ideas, Roth wasn't the only one to
have it. Across the country, Rocco Monteleone was getting set to open Bowls,
a cereal cafe in Gainesville, Florida, (near the University of Florida) when
he found out that Cereality had beaten him to the punch. OK, he figured, no
harm, no foul: It's America. Anyone can open a restaurant selling cereal.
Right?

Well, kind of. In May, Monteleone received a letter from Cereality's
attorney warning him that he may be in violation of a patent application the
company had filed for its methods and system of selling cereal. These
included: "displaying and mixing competitively branded food products" and
"adding a third portion of liquid."

Cuckoo for patent law

Just 10 years ago, this kind of a patent would have been impossible even to
consider. But a landmark shift in the law has made it possible to patent
entire ways of doing business--a change that has prompted a rush on patent
claims, opened a Pandora's Box of litigation and threatens to put large
swaths of American innovation under the control of big business. Given the
transition from an industrial to digital economy, changes in patent law were
inevitable and necessary. But critics argue that when it comes to business
methods the traditional rationales for granting patents--they incentivize
expensive research and encourage inventors to share their knowledge--don't
apply.

"You need incentives for people to innovate in technology," says Jason
Schultz, an attorney with the Electronic Frontier Foundation's Patent
Busting project. "You've never needed that in businesses because if a
business is successful you make money. It's its own incentive."

When the first U.S. patent board convened in 1790, with Thomas Jefferson
serving as one of the members, it required inventors to submit a miniature
model of their invention. The board expected to issue patents for machines
and industrial processes, things like cotton gins or the proverbial better
mouse trap that were the engine of American economic growth. And for the
first 200 years of the country's history, that's pretty much what they did.

But over the last three decades the category of patentable subject matter
has expanded significantly beyond the widgets of the industrial age: In
1980, the Supreme Court decided that life-forms such as bacteria were
patentable; soon thereafter the United States Patent and Trade Office
(USPTO) began issuing patents for isolated genes, and in 1998, in the
landmark case State Street Bank v. Signature Financial Group, Inc., the
Third Circuit Court of Appeals ruled business methods patentable as well.

Signature had secured a patent for software it had developed that managed
its system of pooled mutual fund assets. State Street used a similar system
and when Signature told them to knock it off, State Street challenged the
patent. A lower court sided with State Street, striking down the patent.
Because it was software, the court ruled it was, at base, a mathematical
algorithm, which the courts had traditionally viewed as an unpatentable
abstract idea. Also, since Signature's entire business depended on the
value of the mutual funds, the software qualified as a business method,
which, since 1908, courts had also viewed as unpatentable. But the Third
Circuit disagreed and ruled that as long as a given business method or
software produced a "useful, concrete, and tangible result"--in this case
the numerical value of the pooled mutual funds--it was suitable for a
patent.

The decision came just as Internet commerce was exploding, and the USPTO,
taking its marching orders from the courts, began issuing patents for
everything from the hyperlink to the pop-up window to a method of effecting
commerce in a networked computer environment in a computerized system. In
an early seminal case, Amazon patented its one-click method of purchasing
products, which forced Barnes and Noble to add an extraneous click to its
own system to avoid a lawsuit. Between 1997 and 2001, the number of business
method patent applications increased twenty-fold, and the litigation
associated with patent infringements exploded.

Patent thickets

Schultz argues that conferring monopolies on certain business methods
stifles competition and creates artificially high prices for consumers,
since 

[infowarrior] - FW: [attrition] The myspace.com plague

2006-01-02 Thread Richard Forno


http://attrition.org/news/content/05-12-31.001.html

The myspace.com plague
Sat Dec 31 02:26:52 EST 2005
Jericho

A while back, we used to run an image gallery with over 5,000 pictures of
all types. During this time, more and more web sites would inline link to
the images. Inline linking means the image would display on their page, as
if it was their own or hosted on their own server. This caused the image
to display fine, but be served up by our server and use our bandwidth.
Early on, gallery traffic was responsible for a couple gigs of traffic,
but quickly grew. After a couple months, this got to be quite a burden to
this server and our hosting situation. On a normal day, we would push out
over 10 gigs of traffic from the gallery alone, often enough to saturate
the link during peak hours.

[..]

In the past 48 hours (29th/30th), there have been just under 20,000 link
attempts from 928 profiles! If you would like to cause yourself physical
discomfort, feel free to wade through a list of the profiles that have
partaken in the abuse. I warn you, many of these are physically nauseating
and make grown men cry due to the terrible grammar, horrible page
formatting, and annoying graphics as Rick Forno once said.

When you hear people talk of online communities such as myspace.com,
remember that they are not some fabulous social network advancing our
culture. They are the scum of the internet, dragging it further down the
sewers day by day. They are full of the most shallow, vapid and weak
minded people our society has to offer. They are the next generation, and
that scares me.
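The bandwidth problem Jericho describes above is visible in ordinary web server logs: an image request whose Referer header names a page on a foreign host is an inline (hot) link, and the response size tells you what it cost. The following is an added example, not code from Jericho's post or from attrition.org, showing how a defender can quantify that abuse from combined-format access log lines and attribute it to the referring pages. The log lines, the gallery paths, the referring profile URLs and the `OWN_HOSTS` list are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Only these object types count as gallery images for the purpose of this check.
IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png")

# Hosts whose pages are allowed to embed our images (constructed for the example).
OWN_HOSTS = ("attrition.org",)

# Constructed sample traffic: two foreign profile pages embedding gallery images,
# one legitimate page view from our own site, one HTML hit, one direct image hit.
SAMPLE_LOG = """\
10.0.0.1 - - [30/Dec/2005:10:01:02 -0500] "GET /gallery/img001.jpg HTTP/1.1" 200 51200 "http://www.myspace.com/profile1111" "Mozilla/4.0"
10.0.0.2 - - [30/Dec/2005:10:01:05 -0500] "GET /gallery/img002.jpg HTTP/1.1" 200 73400 "http://www.myspace.com/profile2222" "Mozilla/4.0"
10.0.0.3 - - [30/Dec/2005:10:01:07 -0500] "GET /gallery/img001.jpg HTTP/1.1" 200 51200 "http://attrition.org/gallery/" "Mozilla/4.0"
10.0.0.4 - - [30/Dec/2005:10:01:09 -0500] "GET /gallery/index.html HTTP/1.1" 200 2048 "http://www.google.com/search?q=x" "Mozilla/4.0"
10.0.0.5 - - [30/Dec/2005:10:01:11 -0500] "GET /gallery/img003.gif HTTP/1.1" 200 12000 "-" "Mozilla/4.0"
10.0.0.1 - - [30/Dec/2005:10:02:02 -0500] "GET /gallery/img001.jpg HTTP/1.1" 304 - "http://www.myspace.com/profile1111" "Mozilla/4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def referer_host(referer):
    """Lower-cased hostname from the Referer value, or '' when absent or unparsable."""
    if not referer or referer == "-":
        return ""
    return (urlsplit(referer).hostname or "").lower()


def is_hotlink(entry, own_hosts):
    """True when one of our images was requested from a page on a foreign host.

    Requests with no Referer (direct hits, privacy-stripped headers) are not
    attributable and are deliberately not counted as hotlinks.
    """
    if not entry["path"].lower().endswith(IMAGE_EXTS):
        return False
    host = referer_host(entry["referer"])
    if host == "":
        return False
    return not any(host == h or host.endswith("." + h) for h in own_hosts)


def summarize_hotlinks(lines, own_hosts):
    """Count hotlink attempts, bytes actually served (200 responses only), and
    the distinct referring pages, so abuse can be attributed per page and host."""
    attempts = 0
    bytes_served = 0
    by_host = Counter()
    pages = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_hotlink(entry, own_hosts):
            continue
        attempts += 1
        if entry["status"] == 200:
            bytes_served += entry["size"]
        by_host[referer_host(entry["referer"])] += 1
        pages[entry["referer"]] += 1
    return {"attempts": attempts, "bytes": bytes_served,
            "by_host": by_host, "pages": pages}


if __name__ == "__main__":
    summary = summarize_hotlinks(SAMPLE_LOG.splitlines(), OWN_HOSTS)
    print(f"hotlink attempts: {summary['attempts']}, bytes served: {summary['bytes']}")
    for page, n in summary["pages"].most_common():
        print(f"{n:6d}  {page}")
```

Counting only 200 responses toward the byte total keeps conditional requests (304) from inflating the cost estimate while still recording them as link attempts, which is the figure Jericho reports per profile. The same Referer test is what a server-side hotlink rule applies when it serves a placeholder instead of the image.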





[infowarrior] - U.S. military 'shuts down' soldiers' blogs

2006-01-02 Thread Richard Forno
U.S. military 'shuts down' soldiers' blogs
Troops are detailing their experiences in online journals, but military says
some are revealing too much
BY JOSEPH MALLIA
STAFF WRITER
http://www.newsday.com/news/local/longisland/ny-e4572547jan02,0,959146,print.story?coll=ny-linews-headlines
January 2, 2006

Letters home filled with tales of death and danger, bravery and boredom are
a wartime certainty.

And now, as hundreds of soldiers overseas have started keeping Internet
journals about the heat, the homesickness, the bloodshed, word speeds from
the battlefront faster than ever.

More and more, though, U.S. military commanders in Iraq and Afghanistan are
clamping down on these military Web logs, known as milblogs.

After all, digital photos of blown-up tanks and gritty comments on urban
warfare don't just interest mom and dad.

The enemy, too, has a laptop and satellite link.

"Nowadays, milbloggers get shut down almost as fast as they're set up," said
New York Army National Guard Spc. Jason Christopher Hartley, 31, of upstate
New Paltz, who believes something is lost as the grunt's-eye take on Tikrit
or Kabul is silenced or sanitized.

Hartley last January was among the first active-duty combat troops demoted
and fined for security violations on his blog, justanothersoldier.com.

Throughout last year, the Army, Marines, Air Force and Navy tightened
control on bloggers by requiring them to register through the chain of
command and by creating special security squads to monitor milblogs.

"The ones that stay up are completely patriotic and innocuous, and they're
fine if you want to read the flag-waving and how everything's peachy keen in
Iraq," said Hartley, who is back in New Paltz after two years stationed in
Iraq.

The new emphasis on security, however, is welcome to some.

"When you put your blog out there, you cannot forget that not only the good
guys, but the bad guys are accessing it, especially for TTPs," said Marine
Capt. Don Caetano, of Mineola, referring to techniques, tactics and
procedures. Now a recruiter in Garden City, Caetano was stationed in
Fallujah, where he ran the embedded journalist program.

"The limitations on blogging basically mean, 'Don't make it easy for them.
Don't readily give up information,' that would endanger U.S. troops,"
Caetano said.

Revealing a minor aspect of strategy or tactics may seem insignificant,
Caetano said, but, "If the bad guys take a piece from me, and a piece from
you, and a piece from another guy, pretty soon they can gather some pretty
good intel."

The military, at first unaware of the milblogging trend, last year began
targeting bloggers with warnings, punctuated by high-profile disciplinary
action.

The Army chief of staff, Gen. Peter J. Schoomaker, in August sent a
videotaped admonition to overseas troops warning them of the dangers of
carelessness on blogs.

And, echoing the World War II censorship slogan, "Loose lips sink ships,"
the Pentagon in November sent out an advisory titled "Loose blogs may blow
up BCTs." A BCT is a brigade combat team.

Hartley was fined $1,000 and demoted from sergeant. Others also have been
disciplined, including Pfc. Leonard Clark, an Arizona national guardsman
serving in Iraq who was demoted from specialist and fined $1,640 in August
for putting classified information on his blog.

'That's sorta the point'

Among security breaches in postings on soldiers' Web sites, the Army pointed
to photos of an Abrams tank pierced by a rocket-propelled grenade, which
could show Iraqi insurgents where to aim.

In Hartley's case, the Army said he should not have described his unit's
flight route into Iraq because that could help the enemy shoot down U.S.
aircraft. And, the Army said, Hartley should not have disclosed that the
last three bullets he loaded into his weapon's magazine were always tracers,
because that could tip an enemy to time an attack just as an American
soldier is reloading.

Despite those charges, Hartley asserts he did not put any American troops at
risk. He believes the Army's real concern was his satiric tone.

"Photos of the week of cute Iraqi kids who I want to shoot," he captioned
one set of snapshots on his blog in 2004.

"Something I cannot reiterate often enough is how monumentally misbehaved
Iraqi street kids are," Hartley's blog continued. "But some of them are just
so darn cute, you can't help but want to squeeze their little faces - until
they suffocate."

The Army took him literally, even though Hartley said he was aiming his
satire at those who believe Iraqi civilians' lives have little value.

Some of Hartley's readers got the point. Others did not.

One of Hartley's Web entries on April 24, 2004, carried a photograph of an
Iraqi man's partially burned corpse clothed in a bloodied white tunic.
Hartley's photo caption was a take on the "I [heart] New York City" slogan.
His version: "I [heart] Dead Civilians."

In response, a visitor wrote: "Is this a joke or what? This whole blogg
gives a bad taste in the mouth."

Hartley 
