Privacy Digest

Windows Vista security 'rendered useless' by researchers - Via SearchSecurity.com :

LAS VEGAS -- Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.

In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. will discuss the new methods they've found to get around Vista protections such as Address Space Layout Randomization(ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.

By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user's machine.  read more »

French Reporters at Black Hat Booted from Conference for Hacking Fellow Reporters - Via Threat Level:

LAS VEGAS -- Reporters covering the Black Hat Security Conference this week were allegedly hacked by three French reporters. The three reporters are believed to have sniffed a private network that other reporters at the conference were using -- an apparent violation of the federal wiretap statute.

A Black Hat spokeswoman explained that the three reporters gathered log-in data for reporters in the Black Hat press room and tried to convince organizers of the Wall of Sheep to post the data publicly. The Wall of Sheep is a traditional feature at the DefCon hacker conference (which begins tomorrow in Las Vegas) but was launched at Black Hat for the first time this year.  read more »

Constitution Protects Location Information, CDT Argues - Via Center for Democracy and Technology:

In a July 31 amicus brief filed in a federal court in Pennsylvania, the Electronic Frontier Foundation, joined by CDT, ACLU and the ACLU of Pennsylvania, argued that cell phone location information is protected by the Fourth Amendment. The brief argues that a court should require the government to obtain a warrant based on probable cause in order to gain access to cell site location information stored by a cell phone company.

Amicus brief in In Re Application of United States [PDF] July 31, 2008

(Read Original Article - Via Center for Democracy and Technology.)

DNS Flaw Much Worse Than Previously Reported - Via Threat Level:

LAS VEGAS -- Security researcher Dan Kaminsky finally revealed the full details of his reported DNS flaw. It turns out it's a lot worse than previously understood.

"Every network is at risk," Kaminsky said at the Black Hat conference here Wednesday. "That's what this flaw has shown."

Kaminsky disclosed the security vulnerability in the Domain Name System on July 13 but promised to withhold details of the bug for one month to give DNS server owners a chance to patch their systems. But a week ago, some of the details leaked after security firm Matasano inadvertently posted information about it online.  read more »

Black Hat: Security Geeks Converge on Vegas - Via Threat Level:

LAS VEGAS -- More than 4,000 security professionals have converged in Las Vegas this week for the Black Hat Security Conference -- to be followed this weekend by the DefCon hacker conference.

IOActive penetration tester Dan Kaminsky is expected to draw a full house to his anticipated talk on the serious DNS security flaw he discovered earlier this year.

Other talks include a discussion on hacking highway toll systems, security vulnerabilities in implantable wireless medical devices and a demonstration on injecting law-enforcement Trojans onto target machines.  read more »

Kaminsky's Grandmother Bakes Session Cookies for Black Hat - Via Threat Level:

Dan Kaminsky has been giving talks at the Black Hat Security Conference in Las Vegas for nine years. For five of those years his 85-year-old grandmother has been in the audience. The last three talks, she baked cookies for attendees -- what Kaminsky refers to as "session cookies."

Grandma Kaminsky, also known as Raia Maurer, made 250 Swedish lace cookies for the crowd this year. But that fell far short of the standing-room only audience that showed up to hear his talk.

I chatted a bit with Maurer who hails from Eastern Europe but emigrated to Canada with her husband in 1951 and later came to live with Kaminsky's family in California after her husband died. She bought Kaminsky his first computer -- or, rather, she gave him $1,800 to purchase parts to build his first computer.

She recalls the first time she heard him speak at Black Hat.  read more »

EFF Battles Dangerous Attempts to Circumvent Electronic Privacy Law - Via EFF.org Updates:

San Francisco - The Electronic Frontier Foundation (EFF) has filed friend-of-the-court briefs in two key electronic privacy cases that threaten to expand the government's spying authority.

In the first case, Bunnell v. Motion Picture Association of America (MPAA), EFF filed a brief with the 9th U.S. Circuit Court of Appeals arguing that federal wiretapping law protects emails from unauthorized interception while they are temporarily stored on the email servers that transmit them. This case was brought against the MPAA by the owners and operators of TorrentSpy, a search engine that let Internet users locate files on the BitTorrent peer-to-peer network. After a business dispute, one of TorrentSpy's independent contractors hacked into the company email server and configured it to copy and forward all incoming and outgoing email to his personal account and then sold the information to the MPAA. However, the federal district court ruled that because the emails were stored on the mail server for several milliseconds during transmission, they were not technically "intercepted" under the federal Wiretap Act. In its amicus brief filed Friday, EFF argues that this dangerous ruling is incorrect as a matter of law and must be overturned in order to prevent the government from engaging in similar surveillance without a court order.  read more »

Cablevision Scores Copyright Victory Against Hollywood - Via Threat Level:

A federal appeals court on Monday lifted an injunction against Cablevision Systems that blocked it from offering a recording service that stored programming on the cable company's own servers instead of on an viewers' in-house recording devices.

Hollywood and television programmers alleged Cablevision’s plan would directly infringe their exclusive rights to both reproduce and publicly perform their copyrighted works.  read more »

Congress Bows to Big Content, Scapegoats Higher Ed - Via EFF.org Updates:

Last week, after months of intensive wrangling, the House and the Senate finally agreed on a final version of the Higher Education Act (HEA). Buried in this massive bill, which touches on virtually every aspect of education, is a little provision requiring campuses to develop “plans to effectively combat the unauthorized distribution of copyrighted material, including through the use of a variety of technology-based deterrents.” Those deterrent include bandwidth shaping and traffic monitoring, but also use of filtering technologies such as Audible Magic. “To the extent practicable,” colleges and universities must also offer legal alternatives for file-sharing, such as music services like Ruckus.

There are at least three major problems with this.  read more »

Lessig Predicts Cyber 9/11 Event, Restrictive Laws - Via Slashdot: Your Rights Online:

A number of readers are sending in links to a video from the Fortune Brainstorm Tech conference last month, in which Lawrence Lessig recounts a conversation over dinner with Richard Clarke, the former government counter-terrorism czar. Remembering that the Patriot Act was dropped on Congress just 20 days after 9/11 — the Department of Justice had had it sitting in a drawer for years — Lessig asked Clarke if DoJ had a similar proposed law, an "i-Patriot Act," to drop in the event of a "cyber-9/11." Clarke responded, "Of course they do. And Vint Cerf won't like it." Lessig's anecdote begins at about 4:30 in the video.

(Read Original Article - Via Slashdot: Your Rights Online.)

Air Force cracks software, carpet bombs DMCA - Via Ars Technica :

Last week, a US Court of Appeals upheld a ruling on software piracy. The organization doing the piracy, however, happened to be a branch of the US government, and the decision highlights the significant limits to the application of copyright law to the government charged with enforcing it. Most significantly, perhaps, the court found that because the DMCA is written in a way that targets individual infringers, the government cannot be liable for claims made under the statute.

[...]

Although Davenport did his development on a personal system at home, he began to bring beta versions of his code in for testing, and eventually started distributing his improved system within his unit, giving the software a timed expiration. A demonstration to higher-ups led to a recommendation for his immediate promotion, but that was followed by demands that the code for his software be turned over to the USAF.  read more »

FISA and Border Searches of Laptops - Via Slashdot: Your Rights Online:

With the recent attention to the DHS's draconian policy on laptop searches at borders, a blog post by Steven Bellovin from last month is worth wider discussion. Bellovin extrapolates from the DHS border policy on physical electronic devices and asks why authorities wouldn't push to extend it to electronic data transfers. "...it would seem to make little difference if the information is 'imported' into the US via a physical laptop or via a VPN, or for that matter by a Web connection. The right to search a laptop for information, then, is equivalent to the right to tap any and all international connections, without a warrant or probable cause. (More precisely, one always has a constitutional protection against 'unreasonable' search and seizure; the issue is what the definition of 'unreasonable' is.)"

(Read Original Article - Via Slashdot: Your Rights Online.)

Judge Hints at Mistrial in RIAA v. Jammie Thomas - Via Threat Level:

DULUTH, Minnesota -- The federal judge who presided over the nation's only peer-to-peer copyright-infringement trial announced from the bench here Monday that he is likely to declare a mistrial.

"Certainly, I have sent a signal to both sides of where I'm headed," U.S. District Judge Michael Davis said during a 70-minute hearing in which lawyers for the Recording Industry Association of America and defendant Jammie Thomas sparred over whether a jury verdict against Thomas should be overturned.

At issue is whether the RIAA needs to prove that copyrighted music offered by a defendant on a peer-to-peer network was actually downloaded by anyone. During Thomas' trial last October, Davis, on the RIAA's recommendation, instructed (.pdf) the jury that no such proof was necessary; if Thomas had the music in her Kazaa shared folder, where it could be downloaded, she could be found liable "regardless of whether actual distribution has been shown."  read more »

FCC Rules Against Comcast for BitTorrent Blocking - Via EFF.org Updates:

On Friday, the FCC voted, 3-2, to punish Comcast for its surreptitious interference with BitTorrent uploads (a practice that EFF helped uncover and document in October 2007). The Commission adopted an order (text of which hasn't been released yet) finding that Comcast violated the neutrality principles set out in the FCC's 2005 "Internet Policy Statement." According to the statement released by FCC Chairman Martin, the order will require Comcast to disclose its practices and stop discriminating against BitTorrent traffic (Comcast, for its part, has already announced that it will be moving to different mechanisms to throttle high-bandwidth users.)

We're pleased that the FCC recognized that Comcast's behavior violated the Internet Policy Statement and could not be excused as "reasonable network management" -- we said as much in our comments to the FCC. We are particularly encouraged that the Chairman Martin specifically took Comcast to task for not adequately disclosing what it was up to -- for the free market to work, customers needs to know what they are buying.

But it's important to recognize that this is just the beginning, not the end, of the fight. The Commission made it clear that it intends to police this frontier of net neutrality on a case-by-case basis, responding to specific consumer complaints.  read more »

ACLU Calls FCC Penalty Against Comcast a Step Forward Toward Net Freedom - Via American Civil Liberties Union:

Urges Commissioners to Persevere in Defense of Consumers’ Rights and Net Neutrality

FOR IMMEDIATE RELEASE
Contact: 202-675-2312, media@dcaclu.org

Washington, DC – Today the Federal Communications Commission is expected to penalize Comcast for violating the FCC’s principles to ensure open access to the Internet.

The following can be attributed to Caroline Fredrickson, director of the ACLU Washington Legislative Office:

“We applaud the FCC for taking enforcement action against Comcast. The nation’s second largest Internet service provider violated the commission’s open access rules by unlawfully blocking file-sharing services such as BitTorrent. Significantly, it violated the rules by which the Internet must operate if it is to remain an open forum.  read more »

Appeals Court Reverses "Remote DVR" Decision - Via Center for Democracy and Technology:

The Second Circuit Court of Appeals today reversed a lower court decision that, as CDT and a number of others argued in a 2007 amicus brief, had the potential to chill innovation in products that use the Internet to provide storage and computing functions from remote locations. The lower court ruling had blocked Cablevision from rolling out a digital video recorder (DVR) system that stores recorded television programs on remote servers instead of in set top devices in the customers' homes. CDT applauds today's decision, which finds that providing such a remote DVR does not constitute direct copyright infringement. CDT also welcomes the court's finding that transitory data held in buffers for a mere 1.2 seconds do not constitute "copies" for purposes of the Copyright Act.

• Second Circuit Cablevision Opinion [PDF] August 04, 2008
• CDT Policy Post April 26, 2007
• Amicus Brief of CDT et al [PDF] June 08, 2007

(Read Original Article - Via Center for Democracy and Technology.)