Saturday, January 27, 2007

You Were Warned: Botnets, Security Ops, and Boxing




Yes, indeed -- you were warned.

But it turned out quite differently that William predicted...



(Click for larger images.)



Now, we see what happens. :-)

Next time someone hits you, don't wet your pants, Gadi. :-)


Friday, January 26, 2007

Are Privacy Notices Worthless?

Jay Cline writes on ComputerWorld:

While the rest of the country was debating the merits of Nancy Pelosi’s new look, minor shockwaves were reverberating throughout the U.S. privacy community over a truly critical issue: privacy notices.

Fred Cate, a highly regarded privacy guru at the Indiana University School of Law, had testified at a November Federal Trade Commission (FTC) hearing that privacy notices have failed us. "There’s no one in America who’s read a privacy notice who wasn’t paid to," he taunted.

Cate, usually a libertarian, said that instead of having companies provide their customers privacy notices and the chance to opt out — two bedrock principles the FTC has long promoted — the U.S. government needs to impose new restrictions on what U.S. businesses can and can’t do with customers’ information. It was the privacy world’s equivalent of Donald Rumsfeld saying that the U.S. has lost in Iraq and that France needs to take over.

So what’s the big deal? Why did this cause so much buzz across the country’s back corridors of privacy?

More here.

ACLU Fights Government Legal Maneuvers to Delay Challenges to Datamining

Via The ACLU.

The American Civil Liberties Union today argued before a federal panel that lawsuits against telecommunications companies over unlawful wiretapping by the National Security Agency should remain in the five states where the challenges were filed. ACLU affiliates in those states brought actions before local Public Utility Commissions that resulted in lawsuits that were heard today by the Multidistrict Litigation Panel as the government sought to get the cases consolidated and transferred to California.

“The lawsuit against the Maine PUC should be kept in Maine where the challenge was filed and where the affected population lives,” said Zachary Heiden, a staff attorney with the Maine Civil Liberties Union who argued before the panel. “The government is seeking to evade responsibility by having disparate lawsuits in individual states merged and moved across the country. Telephone customers in every state have the right to know whether their personal privacy has been violated.”

More here.

Secrecy Is at Issue in Suits Opposing Spy Program

Adam Liptak writes in The New York Times:

The Bush administration has employed extraordinary secrecy in defending the National Security Agency’s highly classified domestic surveillance program from civil lawsuits. Plaintiffs and judges’ clerks cannot see its secret filings. Judges have to make appointments to review them and are not allowed to keep copies.

Judges have even been instructed to use computers provided by the Justice Department to compose their decisions.

But now the procedures have started to meet resistance. At a private meeting with the lawyers in one of the cases this month, the judges who will hear the first appeal next week expressed uneasiness about the procedures, said a lawyer who attended, Ann Beeson of the American Civil Liberties Union.

Lawyers suing the government and some legal scholars say the procedures threaten the separation of powers, the adversary system and the lawyer-client privilege.

More here.

Rinse, Lather, Repeat: Hack, Pump And Dump

Ellen Nakashima writes in The Washington Post:

Aleksey Kamardin reaped $13,158 in just 104 minutes buying and selling penny stocks.

The 21-year-old bought 43,000 shares in a small Wisconsin equipment company that makes, among other things, potato harvesters. He sold the shares less than two hours later at nearly double the investment.

But Kamardin's is no success story. Instead, federal authorities say, his methods place him at the front of a wave of techno-criminals who meld computer hacking with identity theft to create nightmares for legitimate investors.

More here.

U.S. Confirms Loss in Internet Gambling Trade Case

Doug Palmer writes for Reuters:

The United States has suffered a new setback in a four-year-old legal battle with Antigua and Barbuda over U.S. restrictions on Internet gambling, a U.S. trade official said on Thursday.

At issue is an April 2005 World Trade Organization ruling against U.S. prohibitions on online horse race betting. Since then, the U.S. Congress has passed additional legislation to ban betting over the Internet.

Gretchen Hamel, a spokesman for the U.S. Trade Representative's office, confirmed press reports that a WTO panel "did not agree with the United States that we had taken the necessary steps to comply" with that ruling.

More here.

Programming Note

Yes, indeed: Blogging will (still) most likely be light today (Friday), since I'm still at the ISOI meeting in Redmond.

- ferg

Thursday, January 25, 2007

MySpace Allegedly Kills Computer Security Website

Kevin Poulsen writes on 27B Stroke 6:

Computer security guru Fyodor reports waking up yesterday to find his website SecLists.org essentially removed from the web by his domain registrar, GoDaddy. After a bunch of phone calls to GoDaddy, he eventually got them to explain why: Because MySpace asked them too.

SecLists provides public archives of over a dozen computer security mailing lists, including BugTraq and Full Disclosure. MySpace was apparently unhappy with a post that crossed Full Disclosure earlier this month, in which the author attached the spoils of a phishing attack against MySpace users, consisting of 56,000 user names and passwords.

More here.

Boeing Kills 'Dreamliner' Wireless Network Plans

A Reuters newswire article, via ComputerWorld, reports that:

Boeing Co. said today that it will not use a wireless network to deliver in-flight entertainment on its 787 "Dreamliner" airplane because of problems involving plane weight and the technology.

A wireless network would add 200 pounds per plane, rather than the 50 pounds needed for a wired network. Boeing also could not get permission to use certain wireless frequencies from some countries, spokeswoman Lori Gunter said. That would make it difficult to deliver entertainment such as DVD-quality movies, which consume high amounts of bandwidth, she said.

Boeing would have worked on the weight problem, but decided against it because of the spectrum issue, she said. "Knowing that the regulatory issues were basically insurmountable, it just did not make sense to apply those resources there," Gunter said.

More here.

Criminals 'May Overwhelm the Web'

Tim Weber writes for The BBC:

Criminals controlling millions of personal computers are threatening the internet's future, experts have warned.

Up to a quarter of computers on the net may be used by cyber criminals in so-called botnets, said Vint Cerf, one of the fathers of the internet.

Technology writer John Markoff said: "It's as bad as you can imagine, it puts the whole internet at risk."

The panel of leading experts was discussing the future of the internet at the World Economic Forum in Davos.

More here.

Online Nordic Banking Theft Stirs Talk of Russian Hacker

Andrew E. Kramer writes in The New York Times:

Word has started spreading in Sweden about the discovery last week of a $1 million online banking theft traced to a Russian hacker who goes by the sobriquet “the Corpse.”

The case opens a window into the dark world of Russian programming and underlines risks in online banking. Nordea Bank, the Scandinavian financial services company involved, emphasized that only customers whose computers were not protected by antivirus programs had become victims.

More here.

Programming Note

Blogging will most likely be light today (Thursday) and tomorrow (Friday), since I'll be attending (and speaking) at the ISOI meeting in Redmond.

- ferg

Wednesday, January 24, 2007

Customer Data Stolen in TJX Hack Used in Frauds, Banks Report

An AP newswire article, via SiliconValley.com, reports that:

Customer data stolen by computer hackers from TJX Cos. has been used to make fraudulent debit card and credit card purchases in the United States and overseas, the Massachusetts Bankers Association said Wednesday.

The fraudulent purchases have been made in Florida, Georgia, and Louisiana, and overseas in Hong Kong and Sweden, the association said.

Nearly 60 banks have reported they've been contacted by credit and debit card companies about compromised cards, the association said. The number is likely to grow because less than half of the association's 205 banks have reported to it on the issue.

The association said banks are notifying customers about fraudulent purchases, and reissuing cards, in some cases.

TJX, operator of T.J. Maxx and Marshalls discount stores, did not immediately respond to a request for comment.

More here.

Hacker Attacks Chilean Football Association Website

Via Reuters.

A hacker attacked the official site of the Chilean Football Association on Wednesday and posted anti-Chilean slogans, stoking rivalries with neighbor Peru.

"Chileans, sons of bitches, you've been hacked by a Peruvian," the hacker said on the site www.anfp.cl.

An ANFP spokesman confirmed the hacking and said the site had briefly shut down after the cyber graffiti was discovered.

The hacker went by the initials The-RjR and also used the site to fuel an age-old rivalry between Chile and Peru about who invented ceviche, a dish of raw fish marinated in lime or lemon juice, and Pisco, a liquor produced from grapes.

More here.

Street-Fighting Robot Challenge Announced

Via NewScientistTech.

A contest to build a robot that can operate autonomously in urban warfare conditions, moving in and out of buildings to search and destroy targets like a human soldier, was launched in Singapore on Tuesday.

The country's Defence Science and Technology Agency (DSTA) is offering one million Singapore dollars ($652,000) to whoever develops a robot that completes a stipulated set of tasks – yet to be revealed – in the fastest time possible.

DSTA said individuals, companies, universities and research institutes are all welcome to participate in the contest, dubbed the TechX Challenge, although foreigners must collaborate with local partners.

More here.

Privacy Board Won't Share Documents

Ryan Singel writes on 27B Stroke 6:

The White House Privacy and Civil Liberties Board responded to Wired News's request for documents about its briefings on the board's knowledge of the government's warrantless wiretapping of Americans and is refusing to release any records -- except already publicly available testimony by activists and professors -- since doing so would not be in "not be in the public interest" and would "inhibit the frank and candid exchange of views that are necessary for effective government decision making," according to a letter received Tuesday. Congress, which created the board in 2004 in response to 9/11 Commission recommendations, specifically required the board to be subject to government sunshine requests.

The board is charged with providing advice to the Administration, making sure that antiterrorism programs respect privacy and civil liberties and reporting to Congress. Carol Dinkins -- a partner at the law firm where Attorney General Alberto Gonzales used to work -- chairs the board.

More here.

Senior Intel Officials Warn U.S. Has Lost Its Global Reach in Spy Network

Kirit Radia writes on ABC News' "The Blotter":

The United States' spy network has lost its "global reach," its ability to monitor, gather and analyze developments around the world, according to two top officials from Office of the Director of National Intelligence.

Their testimony on Capitol Hill yesterday revealed that the current policy of focusing on a few hot-button issues leaves the U.S. intelligence network unprepared to monitor other areas that might emerge as crises on the horizon.

More here.

Michigan County Treasurer Accused of Funneling $1.2M to Nigerian Fraud Scam

Frank Washkuch Jr. writes on SC Magazine Online:

A former Michigan county treasurer was arrested last week for allegedly embezzling more than $1.2 million in public funds to a Nigerian fraud scam.

Thomas Katona, 56, the former treasurer of Alcona County, was arraigned in a district court on Jan. 17 on eight counts of embezzlement by a public official and one count of forgery, according to a report in the Oscoda Press.

Held in lieu of $1 million bond, Katona faces a maximum of 14 years in prison. He is scheduled to appear in court for a preliminary hearing on Jan. 31.

More here.

Google Sues Leo Stoller for Racketeering

It's about time...

Steve Bryant writes on Google Watch:

Google filed a lawsuit last week against Central Mfg., a company owned by Leo Stoller, a Chicago-based attorney who has claimed trademark rights for the word "Google," Google Watch has learned.

Google's lawsuit, which comes after several years of legal wrangling with Stoller, after Stoller declared bankruptcy, and after Google was granted relief by the courts to pursue litigation, alleges that Stoller and his businesses are falsely claiming trademark rights for the purpose of harassing and attempting to extort money.

More here.

Quote of the Day: Declan McCullagh

"The Bush administration has made it entirely clear that new laws forcing Internet service providers to save certain customer records for police convenience will be a priority this year. The concept is called data retention (also known as treating all Americans as suspects)."

- Declan McCullagh, summarizing the data retention issues on PoliTech, which may not only apply to ISPs, but also domain registrars, search engines, and more.

ICANN Ditches .UM for U.S. Isles

An AP newswire article by Anick Jesdanun, via Yahoo! News, reports that:

The list of Internet domain names just got shorter.

No one was using it anyhow, and the organization that has run ".um" — the University of Southern California's Information Sciences Institute — no longer wanted to bother.

So the Internet Corporation for Assigned Names and Numbers decided unanimously last week to eliminate it entirely, bringing the list of domains to 264. There are still separate domains for larger U.S. territories, including ".gu" for Guam and ".vi" for the U.S. Virgin Islands.

More here.

Civilian Misuse of Police Computer Alleged

Via The Sacramento Bee.

A civilian Police Department employee has been charged with illegally using a law enforcement computer for personal reasons.

Eric J. Ansbro, 33, allegedly used the computer to access records of the state Department of Motor Vehicles, police said.

Police spokeswoman Dee Dee Gunther said in a news release that charges were filed Friday by the Placer County District Attorney's Office. Ansbro has been cited and will be scheduled to appear in Placer Superior Court, she said.

More here.

Cable Confronts Bandwidth Crunch

Alan Breznick writes on Light Reading:

Shaking off two years of disbelief and dismay, the cable industry has finally started dealing with the prospect of an impending bandwidth shortage.

Cable operators and equipment suppliers, alarmed by an explosion in bandwidth use by cable subscribers over the last couple of years, are now drawing up plans to boost capacity at both the headend and plant levels. Instead of debating whether the coming bandwidth crisis is genuine, they're looking at ways to confront the crisis by splitting fiber nodes in half, converting systems over to more efficient switched digital video delivery, testing pre-Docsis 3.0 channel-bonding technologies, and expanding their systems' RF capacity to 860 MHz or 1 GHz.

More here.

Cisco Announces Three Serious IOS Security Vulnerabilities

Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of Service

The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.

This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.

Cisco Security Advisory: Crafted IP Option Vulnerability

Cisco routers and switches running Cisco IOS® or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.

Cisco Security Advisory: IPv6 Routing Header Vulnerability

Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect IPv6 Type 2 Routing header which is used in mobile IPv6. IPv6 is not enabled by default in Cisco IOS.

UK: Online Fraud 'Now Major Concern'

Via The BBC.

Britons fear being ripped-off online more than gun crime, climate change or even contracting MRSA in hospital, a survey has suggested.

Online fraud worries four out of 10 Britons, according to a survey from 3V, an electronic payments company.

The survey also found 48% of online shoppers had concerns about using their credit or debit cards online.

In addition, one in seven people said they knew someone who had suffered at the hands of internet fraudsters.

More here.

Unpaid Domain Registration Fee Closes State Debt Groups' Website

Via Reuters.

An association of debt management offices, who together manage billions of dollars of government debt, has had its Web site closed after it failed to pay the $35-a-year fee to keep the Web address registered.

The World Association of Debt Management Offices (Wadmo), a forum for treasury officials from more than 40 developing countries, ran the wadmo.net Web site, but the domain name expired on January 15.

More here.

Tuesday, January 23, 2007

Nationwide Customer Data Swiped

Denise Trowbridge writes in The Columbus (Ohio) Dispatch:

The personal information of tens of thousands of Nationwide customers has been stolen.

The company said yesterday that a lockbox of backup tapes containing the personal data of 28,279 Nationwide Health Plans customers, most in central Ohio, was stolen from the Waymouth, Mass., office of Concentra Preferred Systems.

More here.

(Props, Pogo Was Right.)

Satire: NeoCon Buzzword Bingo!



How to play:

  1. Tune into CSPAN, PBS, CNN, MSNBC, CNBC, the Fascist News Netw...errr, FOX, or even one of the traditional three networks.
  2. Wait for a NeoCon or proxy to appear at a speaking engagement, press conference, interview, or talking head confrontation.
  3. Mark off squares as buzzwords are used.
  4. Celebrate any 5 in a row by shouting "I am not a terrorist" loudly enough that the perfectly legal wiretaps can pick it up.

Copyright Arrogant-Bastard.com 2007.

(Props, Boing Boing.)

Microsoft in Hot Water for Offer to Pay for Wikipedia Edits

An AP newswire article by Brian Bergstein, via The Seattle Post-Intelligencer, reports that:

Microsoft landed in the Wikipedia doghouse Tuesday after it offered to pay a blogger to change technical articles on the community-produced Web encyclopedia site.

While Wikipedia is known as the encyclopedia that anyone can tweak, founder Jimmy Wales and his cadre of volunteer editors, writers and moderators have blocked public-relations firms, campaign workers and anyone else perceived as having a conflict of interest from posting fluff or slanting entries. So paying for Wikipedia copy is considered a definite no-no.

"We were very disappointed to hear that Microsoft was taking that approach,” Wales said.

Microsoft acknowledged it had approached the writer and offered to pay him for the time it would take to correct what the company was sure were inaccuracies in Wikipedia articles on an open-source document standard and a rival format put forward by Microsoft.

More here.

Picture of the Day: Pagans Honor Zeus at Ancient Athens Temple

Image source: National Geographic


Via National Geographic News.

Zeus, king of the ancient Greek gods, was not known for being a patient deity. But on a cosmic scale maybe 1,600 years isn't a very long time to wait between temple ceremonies.

Yesterday believers gathered near the ruins of the Temple of Olympian Zeus in the heart of Athens, Greece, to honor Zeus's marriage to the goddess Hera—the first such ceremony known to be performed at the site since the Romans outlawed the religion in A.D. 394.

More here.

EFF Action Alert: Tell Congress to Investigate the NSA Spying Program

Via The EFF.

Over five years since it first began, the NSA's massive domestic spying program remains shrouded in secrecy. Recently, the Bush Administration announced that it has let the shadowy FISA court review the program, but that's not enough -- the President must abide by the law and answer to the traditional court system, Congress, and the American public. Use our Action Center to demand immediate Congressional investigations.

Three federal courts have already rejected the government's bogus arguments and allowed cases to go forward regarding the secret surveillance. With its back against the wall, the Administration has finally conceded that judicial review should be involved at some level.

That's welcome news, but the President is still trying to dodge meaningful oversight. While claiming that the secret FISA court orders legalize the program, the Administration has refused to let anyone else see the orders and confirm key details about what they permit. EFF is skeptical that they actually satisfy the strict requirements of current statutes or the Fourth Amendment, considering the broad program of dragnet surveillance alleged in our case against AT&T for its role in the program.

Congress must do its job and help uncover the truth about the program. Take action now to protect the checks and balances that define our democracy.

More here.

NIST Stages Competition to Improve Encryption Standard

Brian Robinson writes on FCW.com:

Faced with declining confidence in the decade-old encryption algorithm that has been the basis for much of the security protecting transactions on the Internet, the National Institute of Standards and Technology has begun a competition to define a new standard.

Federal Information Processing Standard 180-1 – otherwise known as Secure Hash Algorithm-1 (SHA-1) – has been widely used in government and industry since 1994. It’s the basis for the Secure Sockets Layer private-key technology that secures online information such as credit card numbers and other security technologies.

More here.

U.S. DoJ Hasn't Decided Data Retention Requirements (Yet)

Anne Broache writes on C|Net News:

The Bush administration hasn't settled on what data it would like Internet service providers to retain about their subscribers or for how long, a U.S. Department of Justice attorney said Tuesday.

U.S. Attorney General Alberto Gonzales made it clear last fall that he planned to seek national legislation requiring the controversial practice known as data retention, but "we don't have any position officially about how long records would have to be retained or what records would have to be retained," said Eric Wenger, a trial attorney with the Justice Department's computer crime unit.

During an event here hosted by the Federal Communications Bar Association, Wenger also said police already have ready access to other legal tools, such as the power to send letters to ISPs requesting "preservation" of existing data for up to 90 days while law enforcement obtains the necessary court authority to obtain that data.

More here.

Schneier: Debating Full Disclosure

Bruce Schneier:

Full disclosure -- the practice of making the details of security vulnerabilities public -- is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure.

Unfortunately, secrecy sounds like a good idea. Keeping software vulnerabilities secret, the argument goes, keeps them out of the hands of the hackers (See The Vulnerability Disclosure Game: Are We More Secure?). The problem, according to this position, is less the vulnerability itself and more the information about the vulnerability.

But that assumes that hackers can't discover vulnerabilities on their own, and that software companies will spend time and money fixing secret vulnerabilities. Both of those assumptions are false. Hackers have proven to be quite adept at discovering secret vulnerabilities, and full disclosure is the only reason vendors routinely patch their systems.

More here.

Worth a read.

Data Retention Raises Cost Concerns

An AP newswire article, via Forbes, reports that:

Internet service providers are worried about potentially escalating costs and other consequences if Congress - in an effort to combat online criminal activity - requires them to retain more data on subscribers, a privacy and civil liberties group said Monday.

In addition to being costly, the Center for Democracy and Technology said a mandate would raise consumer privacy and security concerns for a wide variety of businesses, including Earthlink Inc., Verizon Communications Inc. and Microsoft Corp. The group also questioned the effectiveness of such a mandate.

More here.

Countdown to CALEA: Do Federal Wiretapping Laws Affect Your Network?

Greg Schaffer writes on ComputerWorld:

CALEA. What is it, and what does it mean for your network? If the acronym for the Communications Assistance for Law Enforcement Act is familiar, chances are your organization has already done much decision-making regarding CALEA. If not, with the deadlines for reporting and compliance fast approaching, it's time to become familiar with CALEA and what implications it may have for the network you administer.

First, some background. Congress enacted CALEA in 1994. CALEA's purpose was to provide a way of intercepting voice communications from digital telephone networks to aid in Law Enforcement Agencies (LEA) in investigations.

In 2005, the Federal Communications Commission (FCC) issued a First Report and Order on CALEA in response to a joint petition from the Department of Justice, FBI and Drug Enforcement Agency to expand CALEA intercept coverage to include providers of interconnected voice-over-IP (VoIP) services. The First Report and Order required facilities-based Internet services and VoIP broadband providers to be compliant by May 14, 2007.

More here.

Saudi Hackers Change DNS Registration Information

Via Zone-H News.

It appears that Saudi Arabia crackers managed to get the passwords of our registrar (our registrant panel to be precise), accessed the domain management page and changed the DNS entries, pointing the zone-h domain to an IP address belonging to the crackers on which they mounted the page you saw in the last 48 hours.

48 hours!?! So long it took to take contact with the registrar (they work only through email communication), explain the problem to 8 different people then finally getting a reset of our credentials, taking the domain back in control.

On the funny side, the same problem happened to Google in its German version which yesterday evening was redirected to a different page (different owner actually).

More here.

Monday, January 22, 2007

Flight Ban for Anti-Bush Tee Shirt

Allen Jasson's tee shirt.
Image source: TruthDig.com

Via The BBC.

A passenger barred from a Qantas airlines flight for wearing a T-shirt depicting US President George Bush as a terrorist has threatened legal action.

Allen Jasson said he was sticking up for the principle of free speech by challenging the decision by the Australian flag carrier.

Mr Jasson was stopped as he was about to board the flight from Melbourne to London last Friday.

Qantas said the T-shirt had potential to offend other passengers.

The T-shift features an image of President George W Bush, along with the slogan "World's Number One Terrorist".

More here.

Indians to Bag Another Submarine Cable Network

Stuart Comer writes on ITWire.com.au:

India is fast becoming one of the world's largest owners of submarine cables, with news that Indian company Bharti Airtel is to acquire Singapore Telecom's share of their jointly-owned i2i network linking India and Singapore.

SingTel says it has reached commercial understanding with Bharti Airtel to sell its 49.99 interest in Network i2i Limited for $US55 million. Final details are yet to be worked and a further announcement will be made "as and when the parties execute definitive agreements."

i2i was announced in October 2000. It was to involve the construction of a $US650 million 8.4tbps loop system (then the highest capacity ever announced) linking India to Singapore with landfalls in Chennai (Madras) and Mumbai (Bombay). At the time this represented a 100 fold increase India's international cable capacity.

More here.

Malware More Compatible with Vista Than Anti-Malware Products

René Millman writes on IT Pro News (UK):

Malware writers appear to be much further along in developing malware for Vista than the security industry is in making products to protect the new operating system.

Speaking exclusively to IT PRO, Tim Eades, senior vice-president of sales at security company Sana Security said that 38 per cent of malware is already Vista-compatible.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Monday, Jan. 22, 2007, at least 3,061 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,444 died as a result of hostile action, according to the military's numbers.

The AP count is 32 higher than the Defense Department's tally, last updated Monday at 10 a.m. EST.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

'Dear TSA: Our Client Did Not Break the Law"

Christopher Soghoian:

"Our client is in the business of studying security. He is neither the first nor the only individual to criticize flaws in the TSA’s security procedures nor the only person to describe flaws in the way that boarding passes are created and used. He should not be subjected to civil penalties because he did not violate the Federal Regulations cited in the TSA’s letter, because the regulations cannot be enforced against him or other passengers, because the civil damages provision cited in the TSA’s letter does not apply to the cited regulations, and because Mr. Soghoian’s website is protected by the First Amendment."

More here.

U.S. Government Agencies Feel Botnets' Light Footprint

Patience Waite writes on GCN.com:

In the vast world of the Internet beyond the federal government’s borders, millions upon millions of invisible, automated soldiers are laying siege to the computers of companies and citizens alike.

These “soldiers” are bots—computers that have been taken over by worms, Trojans or other malware, knit together into vast networks and directed by bot-herders, the creators and controllers of these networks, to spew out spam and other useless or damaging content.

Government computers, too, are being corrupted and used as parts of a botnet, but the real threat is more insidious.

Hackers, particularly nation states, are using stealth botnets—they might be termed spearbots—to steal information from federal systems, experts say. This is different from the typical, wide-ranging cyberattack which looks for any hole in the defense.

More here.

City of Chicago Loses Voter Data

Art Golab writes in The Chicago Sun-Times:

About 100 computer discs with 1.3 million Chicago voters' Social Security numbers have been distributed to aldermen and ward committeemen, and the whereabouts of at least an additional six CDs with the same information are unknown, according to the Chicago Board of Elections.

This follows another security lapse in October 2006, when voters' Social Security numbers were available through the board's Web site. But unlike the Web site flaw, which was fixed in a few minutes, it will be difficult, if not impossible, for the Board of Elections to retrieve sensitive data physically scattered on more than 100 discs throughout the area.

The discs also contain voters' birth dates and addresses -- information that along with Social Security numbers can be used to commit identity theft.

More here.

Gapingvoid: Too Many Armchair Quaterbacks

Via gapingvoid.com. Enjoy!

e-Mail From The Grave? Microsoft Seeks Patent on 'Immortal Computing'

Todd Bishop writes on The Seattle Post-Intelligencer:

In this culture of instant information, some Microsoft Corp. researchers are pursuing a radical notion -- the concept of saving messages for delivery in decades, centuries or more.

The project, dubbed "immortal computing," would let people store digital information in physical artifacts and other forms to be preserved and revealed to future generations, and maybe even to future civilizations.

After all, when looking that far in the future, you never know who the end users might be.

"It is definitely a long-term project," said Andy Wilson, the Microsoft researcher whose musings on the ephemeral nature of digital information inspired the research initiative.

More here.

Court Finds NJ Users Can Expect Privacy From ISPs

An AP newswire article by Jeffrey Gold, via NJ.com, reports that:

Computer users in New Jersey can expect that personal information they give their Internet service providers be treated as private, a state appellate court decided Monday in the first such case considered in the state.

As a result, New Jersey and several other states give greater privacy rights to computer users than most federal courts, and law enforcement officers in New Jersey need to obtain valid subpoenas or search warrants to obtain the information.

The court ruled that a computer user whose screen name hid her identity has a "legitimate and substantial" interest in anonymity.

More here.

'Dear [Blank]: You've Been Breached.'

Dear Valued Customer,

Over these past several years we at [Company Name] have enjoyed providing [service description] to you. As you might have seen on [local, regional, prime time news program] or read in [local, regional, national ... well, everywhere], recently our private database was compromised, and your personal information (including your name, Social Security number, account number, date of birth, address, employment information, mother's maiden name, favorite Stooge) was exposed.

Since the data breach was discovered on [fudged date -- don't let on that it happened eons ago], we have been working around the clock with [heavy-duty security company] and [government entity] as well as [P.R. company specializing in corporate image damage control] to ensure [in a non-legally binding way, of course] that the information you provide to us [at our marketing department's insistence] will never again fall into unscrupulous hands [particularly those of our competitors].

More here.

Props, Dayana Yochim over on Motley Fool.

22% of All Windows Installs 'Non-Genuine'

Nate Mook writes on BetaNews:

Microsoft disclosed Monday that over one in five Windows installations were deemed non-genuine through the company's Windows Genuine Advantage program, which requires users to validate their operating system before downloading updates from the company.

Since WGA launched in July 2005, over 512 million users have attempted to validate their copy of Windows, Microsoft said. Of those, the non-genuine rate was 22.3 percent. 56,000 reports have been made by customers of counterfeit software, which grants that user a free replacement copy of Windows.

More here.

Why Antivirus Technology Is Ineffective

Robin Bloor writes on Businessweek.com:

Antivirus technology is a crock. It fails to prevent computers from getting infected with viruses, and this failure contributes to many other security woes that plague the world's computers.

Because viruses spread, hackers find it easier to compromise computers, identity theft is better enabled, and computer fraud is easier to perpetrate. Virus-infected computers become a resource for hackers to exploit. Some hackers assemble and control networks of thousands of such computers and use them to distribute huge volumes of spam, mount sophisticated phishing attacks, and launch targeted "denial of service" attacks on companies.

The level of virus infection is high. It's not an epidemic; it's a pandemic. How bad is it? That depends on how you look at it.

More here.

Piracy Thriving on Campuses

Eric Stern writes in The Sacramento Bee:

College students who illegally download music and movies have been sued. They've had Internet access shut off or threatened, and they've been warned to never do it again.

But the threat of a letter in a permanent file doesn't hold as much sway as it used to. Complaints of copyright violations remain steady at campuses across California -- even going up in some cases.

The culture of downloading music without paying for it is so pervasive that two-thirds of college students say they don't care if the music is copyrighted, according to a 2006 study by the University of Richmond law school. The study concludes that the "confrontational approach" is not working.

More here.

FCC, Industry Attempting to Protect Broadband Database

Via The FOIA Blog.

Here is a link to an exhaustive article about the Center for Public Integrity's lawsuit against the FCC for the FCC's database listing companies that have deployed broadband services. The FCC is attempting to withhold the database citing Exemption 4 of the FOIA (trade secrets/confidential business information).

The article includes links to all Court filings in the case, including those by intervenors ATT, Verizon and U.S. Telecom Association. The Intervenors all side with the government and urge the Court to withhold the database from Plaintiff. Plaintiff has until February 12, 2007 to file its Opposition to the FCC's Motion for Summary Judgment.

More here.

Online Gambling Subpoenas on Wall St.

Andrew Ross Sorkin and Stephanie Saul write in The New York Times:

The Justice Department has issued subpoenas to at least four Wall Street investment banks as part of a widening investigation into the multibillion-dollar online gambling industry, according to people briefed on the investigation.

The subpoenas were issued to firms that had underwritten the initial public offerings of some of the most popular online gambling sites that operate abroad. The banks involved in the inquiry include HSBC, Credit Suisse, Deutsche Bank and Dresdner Kleinwort, these people said.

While online gaming sites like PartyGaming and 888 Holdings operate from Gibraltar and their initial public offerings were held on the London Stock Exchange, companies that do business with them and have large bases in United States have come under scrutiny by regulators in Washington.

More here.

'Spam King' Sued by MySpace

Nate Anderson writes on ARS Technica:

MySpace has just filed suit against well-known spammer Scott Richter, operator of OptInRealBig.com. MySpace, which bills itself as a "leading lifestyle portal" that helps people make "a positive impact on the world," is unhappy with Richter's alleged spamming of its membership, and has filed a federal lawsuit against him in US District Court in Los Angeles.

The suit alleges that Richter sent millions upon millions of "bulletins" to MySpace users between July and December 2006. These bulletins were hawking products like ringtones and polo shirts, and many were sent from accounts without the knowledge of the owner. MySpace claims that Richter got the account information through phishing, then used the accounts to disguise the origin of his spam.

More here.

Gonzales' Trojan Horse

Patrick Radden Keefe writes on Slate:

When Attorney General Alberto Gonzales sent a cryptic, four-paragraph letter to the Senate judiciary committee Wednesday, maintaining that from now on, the Bush administration will conduct its domestic surveillance program "subject to the approval of the Foreign Intelligence Surveillance Court," it looked like the administration was backing down. "Bush Retreats," the Washington Post declared, adding that the letter marked the president's "latest step back from the expansive interpretation of executive power."

But civil libertarians and administration foes should keep the Champagne on ice for the moment, because while Gonzales' letter looks like a surrender, it may prove to be a Trojan horse. A close read of the administration's Delphic pronouncements on this about-face reveals a major, unresolved contradiction: The National Security Agency surveillance program and the FISA system, as it currently exists, are fundamentally incompatible. Any hasty reconciliation of the two will involve either a dramatic revision of our espionage activities or a very creative reading of the wiretapping statute. For this marriage to work, one of them must be compromised. The question is, which one?

More here.

Blu-Ray DRM Cracked

Rob Beschizza writes on Gadget Lab:

The plaintext exploit used to partially crack HD-DVD a couple of weeks ago was brought to bear on Blu-Ray by the same gents this weekend—and it worked a treat.

"We need to kick DRM in the butt!" declares the sigfile of Doom9 forum poster Janvitos, launching his inspection of the format. And that they do, with muslix64 delivering the killing blow.

More here.

Google Blacklist Contained Confidential Information - UPDATE

Michael Arrington writes on TechCrunch:

Internet security firm Finjan will confirm on Monday that Google’s much-discussed anti-phishing blacklist contained confidential usernames and passwords of individuals, including credentials for accounts at banks and other financial institutions.

Google’s current anti-phishing blacklist, which has no access protection, is here. It’s used by the Google Safe Browsing for Firefox extension which is now part of the Google Toolbar for Firefox, according to Michael Sutton, who has spent some time analyzing it.

Google has not publicly discussed the error, although they quietly removed the offending data. They have, however, acknowledged it in email correspondence with Finjan, which was forwarded to me. Google has since removed the confidential data.

More here.

UPDATE: 15:13 PST: InfoWorld now has a detailed description of the incident here.

UK Newspaper Claims: Police Hack into Downing Street Computers

Fiona Raisbeck writes on SC Magazine Online:

Police have hacked into computers at Downing Street as they search for evidence in the cash-for-honours scandal, newspaper reports claim.

Detectives at Scotland Yard allegedly hired computer experts to obtain private information, including emails, letters and other electronic data, according to the Sunday Telegraph.

It is also understood that officers contacted the government’s internet service provider to access further email records.

More here.

Sunday, January 21, 2007

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Sunday, Jan. 21, 2007, at least 3,057 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,434 died as a result of hostile action, according to the military's numbers.

The AP count is 38 higher than the Defense Department's tally, last updated Friday at 10 a.m. EST.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

F-Secure: Storm Worm Starts to Use Rootkit Techniques

Image source: F-Secure

Not good.

Kimmo writes on the F-Secure "News from the Lab" Blog:

The weekend has been very busy with Storm Worm. We have lately found out new variants that have started to use kernel-mode rootkit techniques to hide their files, registry keys and active network connections. F-Secure BlackLight is able to detect the hidden files.

More here.

Israeli PM 'Google-Bombed' As 'Miserable Failure'

A Reuters newswire article, via InformationWeek, reports that:

Israeli Prime Minister Ehud Olmert has taken another hit, this time on the Google search engine, where entering the words "miserable failure" in Hebrew will bring up his official biography.

Olmert's popularity rating has plummeted to some 14 percent following an inconclusive war in Lebanon and a string of corruption scandals, less than a year after his centrist Kadima party won a parliamentary election.

Like U.S. President George W. Bush several years ago, Olmert has been "Google-bombed," which occurs when a large number of Internet users link to a Web site from their own domains and label the links with certain words.

More here.