Archive

Archive for May, 2010

The backlash against the backlash against Facebook’s Zuckerberg

May 31, 2010 Leave a comment

The backlash against the backlash against Zuckerberg has started. In an interview with Wired he said

…one thing that is personally a bit disheartening…. It bums me out that people immediately go to “You must be doing this to make money.” Because that’s just so different from the ethos of the company. It is so different from how we actually think about stuff that you feel so misunderstood.
Mark Zuckerberg: I Donated to Open Source, Facebook Competitor

UK readers will immediately remember the tears of misunderstood heartache welling up in the eyes of Brown and Campbell, on screen, in the weeks prior to the election; and will sympathise. Sure they will.

If he was interested in money, he would have sold. However that’s not what motivates Mark Zuckerberg. As he tells Wired Magazine, “The thing I really care about is the mission, making the world open.” Facebook has fundamentally changed human behavior and to a certain extent it helped make people more transparent. Individuals share things with others with much more ease than ever before, and often times with people they normally wouldn’t have shared with.
Nick O’Neill, in All Facebook (Yes, Facebook’s Privacy Changes Were Not About Money, 28 May 2010 23:55, although it now seems to have been removed from the site)

OK, I have two questions to ask. One. If Facebook is so altruistic, how come sharing isn’t opt-in rather than opt-out. If all the arguments are correct, that people really do want to share everything about themselves, then they will surely opt-in at the earliest opportunity.

Two. It’s the mission. To make the world more open. Well that sounds a bit like social engineering on a grand scale – more like society engineering. Zuckerberg wants to make the world more open. I’m sorry, but that’s not his call. If society wishes to be more open, society will be more open. Wishing to change society into what you want smacks of megalomania; it’s what despotic politicians try to do.

So, I may be wrong. Zuckerberg might indeed be the misunderstood altruist. I remain doubtful. I may yet rejoin Facebook. But certainly not yet.

Mark Zuckerberg: I Donated to Open Source, Facebook Competitor

Categories: All, General Rants

NEWS: Pirate sent to the brig for 18 months

May 29, 2010 Leave a comment

Robert Cimino was sentenced to 18 months in prison by U.S. District Judge Anthony J. Trenga in the Eastern District of Virginia for his sales of more than $250,000 worth of pirated software.

On Feb. 25, 2010, Cimino pleaded guilty to a single count of criminal copyright infringement for manufacturing and distributing pirated copies of popular business, engineering and graphic design copies of software titles by Adobe, Autodesk, Intuit, Quark and others over a more than three-year period. According to court documents, Cimino operated under the business name “SoftwareSuite” and advertised the sale of discounted popular software programs on a variety of Internet-based advertising forums, including http://www.buysellcommunity.com, http://www.adpost.com  and http://www.sell.com. Customers would contact Cimino by email and would typically pay for the products by PayPal. Cimino would then mail pirated copies of the programs he had burned to CD or DVD to the customers, including customers in the Eastern District of Virginia.  From February 2006 to September 2009, Cimino received at least $270,035 in gross proceeds from his sales of pirated software products.
DoJ

Washington FBI

Categories: All, Vendor News

Digital Economy Act and Ofcom: Pigs and Lipstick

May 28, 2010 Leave a comment

The BBC summarised the announcement of the Great Repeal Bill in the Queen’s Speech thus:

Freedom (Great Repeal) Bill
Will limit the amount of time that DNA profiles of innocent people can be held on national database. Will tighten regulation on the use of CCTV cameras, remove limits on right to peaceful protest. The storage of DNA is a power devolved to the Scottish Parliament. The Bill would adopt the Scottish model.
Queen’s Speech 2010: Bill by bill

The one that’s missing is the Digital Economy Act: draconian, unworkable, unfair, undemocratic and unjust.

There’s something else that’s missing from the Coalition’s hit list. Before the election, the one quango that all the pundits expected to go was Ofcom. Since the election this dead cert has disappeared from view. It doesn’t seem likely now that it will be abolished.

These two things are related, because it is Ofcom that is charged with much of the donkey work in enforcing the DEA. So if the DEA stays, then Ofcom must also.

Today we have confirmation of sorts. Ofcom has released its Online Infringement of Copyright and the Digital Economy Act 2010, Draft Initial Obligations Code; and is asking for comments by 30 July 2010.

The DEA imposed new obligations on Internet Service providers (“ISPs”) to send notifications to their subscribers following receipt of reports of copyright infringement from Copyright Owners. ISPs must also record the number of reports made against their subscribers and provide Copyright Owners on request with an anonymised list  which enables the Copyright Owner to see which of the reports it has made are linked to the same subscriber – also known as the ‘copyright infringement list’.

The DEA gave Ofcom duties to draw up and enforce a code of practice (“the Code”).  The DEA is very clear on how Ofcom should implement many elements of the measures, but where there is discretion the interests of citizens and consumers are central to Ofcom’s approach. We propose a system of quality assurance reporting to ensure that where allegations are made against subscribers they are based upon credible evidence, gathered in a robust manner.  We also propose that the independent appeals body, which Ofcom is required to establish, should adopt specific measures to protect subscribers during the hearing of appeals, including a right to anonymity.

…We welcome responses to this consultation by 30th July 2010.
Online Infringement of Copyright and the Digital Economy Act 2010

The Draft also includes sample templates for the three strikes letters:

Strike One!

Strike Two!

Strike Three!

If you have an interest in how the DEA will operate, then it is worth reading this document. If you think you can influence the Obligations Code, then send in your comments by the end of July. But the truth is, no amount of tinkering with either the Act or Obligations Code will do much good. Pigs and lipstick come to mind. The only thing to do with this Act is dump it completely and come up with something better and more reasonable.

Online Infringement of Copyright and the Digital Economy Act 2010

Categories: All, Security Issues

Microsoft drops support for SP2 – Wolfgang Kandek, CTO of Qualys, explains the problem

May 28, 2010 Leave a comment

Microsoft supports a service pack for two years beyond the release of its successor (“Microsoft will offer Mainstream Support for either a minimum of 5 years from the date of a product’s general availability, or for 2 years after the successor product (N+1) is released, whichever is longer”: Microsoft Support Lifecycle). Since XP Service Pack 3 was released on July 13, 2008, the demise of support for XP SP2 is now imminent. The problem is, there are a lot of SP2s still out there.

Wolfgang Kandek, CTO of Qualys

“It’s not so much home computers as company networks,” explains Wolfgang Kandek, CTO at Qualys, possibly the world’s leading vulnerability management company. “Home computers are usually pre-configured to accept automatic updates so remaining XP installations tend to be SP3. But our company scans show us that there are many SP2s still out there.”

Wolfgang suspects a reluctance to fix what isn’t broken. “SP2 works, we’re used to it, why change it?” And possibly the way Microsoft announced SP3 was no help. According to Microsoft at the time:

Windows XP Service Pack 3 (SP3) includes all previously released updates for the operating system. This update also includes a small number of new functionalities, which do not significantly change customers’ experience with the operating system.

So SP2 users who had religiously updated and patched the OS could be forgiven for thinking that the hassle of a major upgrade wasn’t worth it for the sake “a small number of new functionalities, which do not significantly change customers’ experience”.

“But we’re also seeing a little bit of the problem that Vista brought as well. If Vista had been a successful operating system, like Windows 7 seems to be, then more people would have migrated off XP. Vista just didn’t give people a good reason to leave XP,” adds Wolfgang.

So what’s the problem? If it works and it ain’t broken, why fix it? “Because it will be broken,” says Wolfgang. “Within 60 to 90 days of the end of support, the hacking community will have found major new vulnerabilities, and there will be no defence, and no chance of a patch. Today, SP2 is a Level Four vulnerability in our rankings. Five is the most critical vulnerability level. Level Four is, shall we say, fairly serious. Three is what we would call ‘moderate’, and Two and One are more informational. SP2 is currently Four; but we will elevate it to the most critical level Five as soon as exploits appear that cannot be patched. By September I suspect that just using SP2 will be a Level Five vulnerability.”

That makes SP2 a ticking timebomb getting close to explosion. And it’s not just for SP2 users. If they don’t upgrade, then come September there will be many more bots out there attacking all of us.

So there you have it. It’s decision time. Run WinVer to see what version you have. If it’s SP2, you have to upgrade. Sooner or later you’ll have to leave XP altogether: so the difficult choice now is whether to go straight to Windows 7 or delay the cost by just upgrading to SP3.

Or you could bite the bullet and really upgrade to Mac or Linux, of course.

Categories: All, Security Issues

Government and big business conspire against us with our own money

May 27, 2010 Leave a comment

Do you remember the Labour government? That’s the one that kept asking the question until we gave the right answer; the one that thought ‘no’ simply meant we didn’t understand correctly, and needed it explained again. Well it lives on in the form of the Steering Group, Food Standards Agency GM Dialogue (incidentally the FSA is chaired by former Labour agriculture minister Jeff Rooker). Apparently, we don’t understand GM crops correctly.

So we have to be made to understand correctly, and understanding correctly means accepting GM crops. Just to make sure we do understand correctly, the FSA will spend about £500,000 of our money to help re-educate us. How do we know all this?

Dr Helen Wallace was, until today (but still is according to the FSA’s website), a member of the Steering Group. Here’s what the FSA says about her:

Dr Helen Wallace
Dr Helen Wallace is director of GeneWatch UK, a not-for-profit organisation that campaigns for genetics to be used in the public interest. Helen specialises in the ethics, risks and social implications of human genetics. She has a degree in physics from Bristol University and a PhD in applied mathematics from Exeter University. Helen has worked as an environmental scientist in academia and industry and as Senior Scientist at Greenpeace UK, where she was responsible for science and policy work on a range of issues.
Steering Group

But today she resigned; and has published her letter of resignation.

…it has now become clear to me that the process that the FSA has in mind is nothing more than a PR exercise on behalf of the GM industry. In my view, this would be a significant waste of £500,000 of taxpayers’ money.

This is a serious allegation. Does she have any proof?

Freedom of Information requests that have been passed to me show that the FSA met with the industry group the Agricultural Biotechnology Council (ABC) on 21st September 2009 to discuss a “GM public engagement programme”. On 1st October 2009, the ABC advised the FSA “abc welcomes the opportunity to provide suggestions on the individuals and groups that would add value to the FSA GM engagement Steering Group. We support this activity and understand the importance of this initiative; however we believe GM must be presented as an option within the wider context of food security as part of a solution to feeding a growing population. It is important that when consumers are thinking about GM, they are considering the future as much as the present”. The industry also suggested edits to a draft FSA report to the Food Strategy Task Force, which claims that lack of demand and rising costs will drive out non-GM feed supplies and that GM and non-GM feed should no longer be segregated. In a subsequent report, DEFRA and the FSA support the industry’s line that ‘zero tolerance’ of unapproved GM crops in the EU threatens food supplies.

This sounds horribly like the FSA and the GM industry (which is almost entirely Monsanto) are conspiring on how to spend our money to make us love GM. The money will actually be spend in conducting a public dialogue on GM. Incidentally, there is no scientific proof that GM crops can benefit the world rather than the GM industry, and no willingness on the part of the FSA to discuss this. And all of this against a background of rising suicides among Indian farmers whose crops fail leaving huge indebtedness to GM suppliers.

The dialogue will provide an opportunity to discuss with members of the public their understanding of GM in food and what they think are its potential risks and benefits. It will also try to identify what information people need and want in order to make confident, informed choices about the food they eat.
FSA

Well, that sounds reasonable – but we should note that the Steering Group will keep control of the content and direction of the public dialogue. The dialogue itself will be run by a third-party organization, so it will at least be independent to a degree. But will it? Here’s Dr Wallace’s thoughts on one particular tender:

…Ipsos-MORI, which states on page 89 of its bid to run the dialogue that the Ipsos-Mori Reputation Centre has been working with a “multi-national Agro-chemical and seed company” and its advertising agency since 2009 “to develop concepts which link agribusiness with important global issues (such as climate change, water scarcity, deforestation etc) and position the company as a positive force”. On page 17 of its bid, Ipsos-MORI warns that campaign organisations could “try and hijack the [dialogue] process to ensure GM food does not get a chance to be reintroduced into the UK. The danger is that anti-GM campaigning could take place in the absence of any ‘defence’ except from industry who will struggle to be credible”. This seems a shockingly one-sided view for a company bidding to run a dialogue to take: although not surprising from one running a reputation management exercise on behalf of the GM industry.

Frankly, it stinks. Dr Wallace concludes:

…I remain convinced that the FSA process was set up from the outset to provide free “reputation management” to the GM industry at taxpayers’ expense. The FSA appears to actively engaged in trying to use the so-called dialogue to implement the industry’s PR strategy: focusing on a non-existent positive future where new GM crops will ‘feed the world’, whilst lobbying to end the segregation of GM and non-GM food and feed entering Britain and Europe, and opposing the labelling of meat and dairy products produced using GM feed.

This is big business and government conspiring against us with our own money.

Dr Helen Wallace: Letter of Resignation

Categories: All, General Rants

OUT-LAW gets it wrong (in my humble layman’s opinion). OUT-LAW 0, OFT 2

May 27, 2010 Leave a comment

I don’t often disagree with OUT-LAW. They’re lawyers talking about the law. Still, there’s a first time for everything…

Two problems. First:

The Office of Fair Trading is the Government’s consumer and competition authority. That it sees no need for Government regulation in behavioural advertising is great news for online publishers and advertisers. In my view, that is good for consumers too, because it helps to keep content free.

‘Free content’ is the standard argument from the marketing industry. But I just don’t buy it. We’ve had advertising for, well, yonks. Never before have we had targeted advertising in the current sense; but this lack of targeting hasn’t stopped companies advertising. Targeting was simply choosing the right magazine, newspaper, television programme or billboard best suited to the demographics of the product. This model translates directly to the internet in terms of choosing which websites to advertise on. So the argument that without behavioural advertising we would not have free content on the internet is spurious, false and disingenuous.

Second problem:

What surprised me more was another, less significant feature of the report: the OFT says that viewing a website is a transactional decision for the purposes of the Consumer Protection (Unfair Trading) Regulations, known as the CPRs.

The CPRs came into force in 2008. They say that if a consumer changes its mind in relation to a transaction as a result of misinformation or lack of information, there can be an offence, punishable by anything up to two years in prison for the directors of the company.

The report says:

“The OFT interprets transactional decision widely and believes it encompasses, for example, the decision to view a website. So not informing a consumer about the collection of information about their browsing behaviour could breach the CPRs if that knowledge would have altered their behaviour, perhaps by dissuading them from visiting that website.”

The OFT is not just saying that its worried about information or a lack of information influencing a decision to buy something on a website; it’s talking about it influencing a decision just to visit a site, whether the site sells things or not.

In my view, this goes further than the CPRs intended. The CPRs define “transactional decision” but the definition is focused, as you might expect, on transactions.

Well, that seems a perfectly reasonable conclusion from OFT. If I am told that visiting a particular website is dependent upon me accepting that data would be extracted for the purpose of building a profile for targeted advertising, then I simply won’t go there. It seems to me that OFT is trying to interpret the law in favour of the consumer and that seems to be in line with its raison d’etre:

The OFT’s mission is to make markets work well for consumers. We achieve this by promoting and protecting consumer interests throughout the UK, while ensuring that businesses are fair and competitive.
OFT website

OUT-LAW article
OFT Report

Categories: All, Security Issues

Spy on your kids: show them how much you trust them

May 27, 2010 Leave a comment

Well, schools are breaking up (American schools, that is; Brit schools will have to wait another six or so weeks). That used to mean cuckoos and swallows and cricket on the village green. But now it’s just another excuse to sell you monitoring software so you can spy on your kids while they’re at home and you’re at work. The latest to cross my desk is Pandora 6.

Parents need a solution that will effectively keep their kids safe on the Internet while the parent is outside the home. Ideally, it’s going to be something that removes any doubt and shows the parent exactly what their child is doing, while also being something they can check from work. That is exactly what our PC Pandora 6.0 monitoring software was created for.
Jamie Leasure, co-founder of Pandora Corp

Well, I beg to differ. There’s only one thing that will keep kids safe on the internet, and that’s knowledge. And there’s only one thing that will keep you sure of what they’re doing, and that’s trust. Without knowledge and trust, no amount of software will be a substitute. With genuine knowledge and trust, no amount of software is necessary. And if you spy on your kids you’re going to drive a wedge that will undermine any lingering trust you might have.

That’s my standard response to legal spyware. But the waters are now muddied by increasingly draconian laws from increasingly draconian governments. Possibly the strongest reason to monitor home computers is the growing use of 3 Strikes laws, and the way in which the entertainment industry can bypass judicial oversight by private arrangements with the ISPs.

Bullying is wrong. Kids can understand that. Being bullied is wrong. Kids can be taught what to do about that. Visiting porn sites is, well, not welcomed by most parents. But downloading free music and videos? Even many adults have difficulty in simply accepting that as illegal. And when people are at home and bored, what’s really so wrong with that?

What’s wrong is that the entertainment industry can now come down on you like a ton of bricks. And if your kids repeatedly download illegal material over the summer months, then you might find the whole family’s internet connection disconnected. That’s a heavy price for something you didn’t do. So I’m finding that I have to modify my position.

If you have, or even hope to have, a half decent relationship with your kids, don’t spy on them. Talk to them.

But if your relationship is already shot to pieces and you don’t really have much hope of repairing it, then you may need to get some monitoring software: as much for you as for them.

Pandora

Categories: All, Security Issues

BLOGS: A formal end to ID Cards

May 27, 2010 Leave a comment

BigBrotherWatch has a short and simple post:

A good day. The ID card scheme’s demise is one in the eye for the authoritarian busybodies. Nobody wanted them and they were an intrusive waste of money.

Now, along with our friends at No2ID and the like, we must ensure that the bureaucrats don’t continue with the construction of a database state bit by bit – because ID cards were just the most visible part of a whole scheme of nosiness, much of which is still with us.
A formal end to ID Cards

I would reiterate the warning. The battle is won, but not the war. It really depends on who was behind the scheme. Was it the politicians? They can be more easily defeated because we can get rid of them. Or was it law enforcement including MI5 and CESG? They’re the zealots, the fanatics who can manipulate things behind the scenes – for our own good, because by controlling everyone, they can protect everyone.

Law enforcement is never beaten. If it loses a battle, it goes away, regroups and returns from a different direction.

A formal end to ID Cards

Categories: All, Blogs

The mad scientist at Reading may be mad; but he might not be wrong

May 27, 2010 Leave a comment

There is a lot of noise on the blogosphere about the ‘human computer virus’. The BBC runs a story:

A British scientist says he is the first man in the world to become infected with a computer virus.

Dr Mark Gasson from the University of Reading contaminated a computer chip which was then inserted into his hand.
First human ‘infected with computer virus’

But AV experts are quick to pour scorn on the idea.

but if you haven’t figured it out by now, the whole thing is complete rubbish.
Kurt Wismer

Well done to Dr Gasson for getting some media exposure for his department, but this really is shonky research in my opinion.

Yes, you could put software code on an RFID chip that you could put in your body (or your cat, as some Dutch researchers theorised in rather hysterical fashion back in 2006) but so what?

The fact is that that code would not be read until an RFID reader came into contact with the affected RFID chip and even then the software connected with the RFID reader would need to have a vulnerability that would allow the code to be run.
Graham Cluley

But I’m not so sure. Two things worry me. For years I’ve reading about the mad scientists at Reading University experimenting with chipping human beings. What happens when we get the mad politicians of the Labour Party back in power? A national ID card in the wallet is bad enough; but a national ID Card under the skin is terrifying – and ultimately inevitable.

But my second fear is more to the point. Gasson is talking about an RFID chip. OK, that’s not the danger he seems to describe. But do we really think implants will stop at RFID? I can certainly envisage a future where chips will be used to modify behaviour – perhaps to control bi-polar, regulate hearts, control paedophilia… It will reduce NHS costs and Prison Service costs and money is always a compelling argument.

These chips will accept input from the body, process them, and return outputs to the body. They will be miniature computers within the human body – and these chips will be susceptible to viruses.

Categories: All, Security Issues

BLOGS: Online Pentest Training

May 27, 2010 Leave a comment

Darknet has an extensive introduction to a new pentest training course and certification from eLearnSecurity.

Anyway the point is, there’s a new kid on the block – recently launched from eLearnSecurity called Penetration Testing – Pro (PTP) with the tagline “What CEH Should Have Been”…

The course itself is basically a Penetration Testing Course and covers 3 main areas; System Security, Network Security & Web Application Security. This pretty much covers what you need to know to conduct a penetration test as each of the 3 topics are quite broad. The course-ware itself is well presented and it doesn’t limit the order in which you can learn the topics, there’s no linear progressions so you can pick and choose depending on your mood.

Overall, the course is highly recommended, both in terms of cost ($599) and content.

It goes into a lot more depth than courses like CEH and can really benefit your skills. I wish there was something like this in 1999 when I was starting out. The way in which the material is presented is a lot more interactive and interesting than many other courses out there with a good mix of words, images and videos plus a good theory/practical mix too. This makes it a lot easier as many of the topics within infosec can get very dry very fast.

Blog entry

Categories: All, Blogs
Follow

Get every new post delivered to your Inbox.

Join 137 other followers