All Your Apps Are Belong to Apple: The iPhone Developer Program License Agreement: Via EFF.org Updates.

The entire family of devices built on the iPhone OS (iPhone, iPod Touch, iPad) have been designed to run only software that is approved by Apple—a major shift from the norms of the personal computer market. Software developers who want Apple's approval must first agree to the iPhone Developer Program License Agreement.

So today we're posting the "iPhone Developer Program License Agreement"—the contract that every developer who writes software for the iTunes App Store must "sign." Though more than 100,000 app developers have clicked "I agree," public copies of the agreement are scarce, perhaps thanks to the prohibition on making any "public statements regarding this Agreement, its terms and conditions, or the relationship of the parties without Apple's express prior written approval." But when we saw the NASA App for iPhone, we used the Freedom of Information Act (FOIA) to ask NASA for a copy, so that the general public could see what rules conrolled the technology they could use with their phones. NASA responded with the Rev. 3-17-09 version of the agreement (it has reportedly been revised somewhat since—please send us the current version if you are able). [ Read more ... ]

Ubisoft's Authentication Servers Go Down: Via Slashdot.

ZuchinniOne writes "With Ubisoft's fantastically awful new DRM you must be online and logged in to their servers to play the games you buy. Not only was this DRM broken the very first day it was released, but now their authentication servers have failed so absolutely that no-one who legally bought their games can play them. 'At around 8am GMT, people began to complain in the Assassin's Creed 2 forum that they couldn't access the Ubisoft servers and were unable to play their games.' One can only hope that this utter failure will help to stem the tide of bad DRM."

Read Original Article:(Via Slashdot.)

Unintended Consequences: 12 Years Under the DMCA: Via EFF.org Updates.

EFF today released Unintended Consequences: 12 Years Under the DMCA. This is the sixth update to the report, which aims to catalog all the reported instances where the DMCA's ban on tampering with DRM have been abused to stymie fair use, free speech, and competition, rather than to attack "piracy."

Congress enacted the DMCA's ban on bypassing DRM at the urging of entertainment industry lobbyists who argued that DRM backed by law would quell digital copyright infringement. Of course, 12 years later, that exactly hasn't worked out. Nor is it likely to ever work out. But lots of industries have recognized that these provisions of the DMCA are good for other things—like impeding scientific research and legitimate competition. The Unintended Consequences report collects these stories, including oldies like Lexmark's effort to block toner cartridge refilling and new cases like the lawsuit against RealDVD. [ Read more ... ]

Are Aggregation Services Security Risks?: Via NYTimes.com .

Do you like social aggregation and tracking services like FriendFeed, Google Buzz and Cliqset? If so, there's another startup launching today that wants your attention: Strings. This service is focused less on social content sites like flickr and YouTube (although supported) and more on traditional online activity like clothing purchases from JCrew or Saks, groceries from Amazon Fresh, beauty products from Sephora and a slew of other purchases from web-based shopping sites.

But before you rush to sign up with yet another activity aggregation service, it may be time to pause and think. Do the benefits of seeing your friends' purchases on sites like Strings and the online shopping tracker Blippy outweigh the risks of handing over login credentials to these third parties? [ Read more ... ]

Opinion: Dear Facebook, it's time to act like a grown-up about security: Via Computerworld Cybercrime/Hacking News.

An open letter to Facebook from Ira Winkler, who had no luck contacting the company via conventional means.

Dear Facebook,

I appreciate your service. I really do. I'm sure that many of your 400 million active users appreciate it as well. But now that you have a market value estimated at billions of dollars, it is time for you to start acting like a grown-up company. That means you have to provide basic security for your customers. And it means responding when your customers try to contact you, as I did recently to talk about an important security issue. Do you think you will be able to hold on to 400 million users if you treat them that way, and if you put their computers at risk? I don't.

As you can see, I have had to resort to writing an open letter on Computerworld's Web site, because all other attempts to get through to you were unsuccessful. [ Read more ... ]

Web Certification Fail: Bad Assumptions Lead to Bad Technology: Via Freedom to Tinker.

It should be abundantly clear, from two recent posts here, that the current model for certifying the identity of web sites is deeply flawed. When you connect to a web site, and your browser displays an https URL and a happy lock or key icon indicating a secure connection, the odds that you're connecting to an impostor site, despite your browser's best efforts, are uncomfortably high.

How did this happen? The last two posts unpacked some of the detailed problems with the current system. Today I want to explore the root cause: today's system is based on wildly unrealistic assumptions about organizations and trust.

The theory behind the system is simple. Browser vendors will identify a set of Certificate Authorities (CAs) who are trusted to certify identities. Browsers will automatically accept any identity certificate issued by any of the trusted CAs.

The first step in making this system work is identifying some CA who is trusted by everybody in the world.

If that last sentence didn't strike you as odd, go back and read it again. That's right, the system assumes that there is some party who is trusted by everyone in the world -- a spectacularly naive assumption. [ Read more ... ]

Student slaps Google Buzz with privacy lawsuit: Via The Money Times .

Lawsuit against Google

Now a student at Harvard Law School has filed a class action suit against the company for making personal information of the users public.

Law firms in San Francisco and Washington, D.C. have sued Google on behalf of Eva Hibnick.

The 24-year-old law student filed the law suit against the search giant after finding herself automatically opted to the new networking service, without consent. [ Read more ... ]

Google Buzzkill: Via Freedom to Tinker.

The launch of Google Buzz, the new social networking service tied to GMail, was a fiasco to say the least. Its default settings exposed people's e-mail contacts in frightening ways with serious privacy and human rights implications. Evgeny Morozov, who specializes in analyzing how authoritarian regimes use the Internet, put it bluntly last Friday in a blog post: "If I were working for the Iranian or the Chinese government, I would immediately dispatch my Internet geek squads to check on Google Buzz accounts for political activists and see if they have any connections that were previously unknown to the government."

According to the BBC, the Buzz development team bypassed Google's standard trial and testing procedures in order to launch the product quickly. [ Read more ... ]

The Google Buzz Launch -- and the Limits of Downing Dogfood: Via Lauren Weinstein's Blog.

Greetings. There's an old Hollywood adage suggesting that most of the time, "any publicity is good publicity." When it comes to the launch of Google Buzz, there's definitely some truth to that saying -- the widely discussed privacy issues associated with the launch have yielded the product a significant global awareness far outside the world of current Gmail users. And reports are that usage of Buzz is (sorry, I can't resist) buzzin' along at a very significant clip.

Still, the very public privacy controversies regarding Buzz over the week since its debut (hard to believe it's only been a week) are both fascinating and instructive.

In "Google Buzz" -- and the Risks of "Automatic Friends" I noted my own concerns about specific features of the original Buzz start-up experience defaults, and expressed the hope that Google would reconsider those defaults. [ Read more ... ]

Privacy and Medical issues of Airport body scanners: Via The Malta Independent Online.

The attempted terror attack on a Delta/Northwest flight to Detroit from Amsterdam, averted by quick passenger reaction, has brought the so-called body-scanners (or screeners) into the limelight. In Malta, the question was also raised by the local press at the MIA meeting when the annual statistics were presented in January.

The debate in the EU focuses on two controversial issues of security technology: on the one hand the ‘naked’ issue and data protection, and, to a lesser extent, the medical issue.

The ‘naked’ issue

As regards the first issue, while there was a lot of hype about how technology can hide ‘critical’ areas, one might consider that people on the beach do not look that different, do they?

However, people choose to so ‘present themselves’ on the beach, but here one does not have a choice. For people with some handicap it might mean extra unwanted exposure, and who guarantees that the photos are not stored in some way? [ Read more ... ]

Guard Your Health Insurance Card: Via Bucks Blog - NYTimes.com .

You may want to make sure you know where your health insurance card is.

According to a new study, the 2010 Identity Fraud Survey Report, from the research company Javelin Strategy & Research, 7 percent of identity fraud victims this year reported identity thieves stole their health insurance information, up from just 3 percent last year.

So even though the actual total dollar amount of health care identity fraud didn’t increase meaningfully from 2008 to 2009, James Van Dyke, the president and founder of Javelin, said he expected to see more incidences of health insurance identity fraud showing up in next year’s study and beyond. “We’re seeing more criminal access to private medical records in our survey now, and therefore, we expect to see resulting increases in health care fraud in future years’ studies,” Mr. Van Dyke said. [ Read more ... ]

Google Alters Buzz Service Over Privacy Concerns - NYTimes.com: Via NYTimes.com .

Google moved quickly over the weekend to try to contain mounting criticism of Buzz, its social network, apologizing to users for features that were widely seen as endangering privacy and announcing product changes to address those concerns.

Todd Jackson, product manager for Gmail and Google Buzz, wrote in a blog post on Saturday that Google had decided to alter one of the most-criticized features in Buzz: the ready-made circle of friends the service provided to new users based on their most frequent e-mail and chat contacts in Gmail. Instead of automatically connecting people, Buzz will in the future merely suggest to new users a group of people they may want to follow or be followed by, he said.

Mr. Jackson, who said that the auto-follow feature had been intended to make it easy for people to get started on Buzz, acknowledged the criticism that was heaped on Google in the last few days.

“We’re very sorry for the concern we’ve caused and have been working hard ever since to improve things based on your feedback,” Mr. Jackson wrote. “We’ll continue to do so.” [ Read more ... ]

Microsoft's new 'phone home' anti-piracy practice unacceptable, says critic: Via Computerworld Privacy News.

'At what point is one free of this' perpetual checking, asks Lauren Weinstein

The Internet advocate who blasted Microsoft in 2006 over the daily "phone home" habits of its anti-piracy software took the company to task again today for a new practice that will examine consumers' Windows 7 PCs every 90 days to make sure they're running legitimate copies of the OS.

Lauren Weinstein, the co-founder of People For Internet Responsibility (PFIR), urged Windows 7 users not to accept the option update to Windows Activation Technologies (WAT) when Microsoft begins seeding it to the Windows Update service later this month.

"The approach that Microsoft is now taking doesn't seem to make sense, even for honest consumers," Weinstein argued in a post to his blog. "Microsoft will trigger forced downgrading to non-genuine status if they believe a Windows 7 system is potentially pirated based on their 'phone home' checks that will occur at (for now) 90 day intervals during the entire life of Windows 7 on a given PC, even months or years after purchase. [ Read more ... ]

Google May Offer Buzz Independently From Gmail: Via Search Engine Land.

Google says it may allow people to participate in Google Buzz without having it integrated within Gmail, in addition to offering a combined Gmail service. That may be a welcome move from users of both products, especially in light of the substantial privacy concerns voiced this week about Google Buzz.

“It’s clear that interest in Buzz may extend beyond the current Gmail base, and we’re open to serving that community,” said Bradley Horowitz, Google’s VP of Product Marketing, when I spoke to him about some Buzz issues at the TED Conference.

Horowitz stressed that Google would still offer a version of Buzz within Gmail, in addition to any independent version.

[...]

Meanwhile, there’s also the privacy issue. Since Buzz is tied to Gmail, people are forced to expose their Gmail address if they want ot have a profile URL that isn’t a string of numbers. And even if they don’t, it turns out there’s still a way that Buzz can give away your Gmail address. [ Read more ... ]

Protect Your Privacy on Google Buzz: Via EFF.org Updates.

Google's new social networking service, Buzz has upset a lot of people who have inadvertently posted the list of the people they email and chat with most frequently on their profile. If you took the default options and didn't opt-out or edit this list during profile creation, the list becomes part of your profile. Since who you email with frequently can often be private information (reporters and sources, doctors and patients, former significant others, etc), making this list public can create serious problems.

If you're going to use Google Buzz, we recommend that you opt-out during profile creation. If you have already created a profile, change it to private immediately. Then go through the suggested list, and edit it as appropriate before making it public again. PC World has a helpful privacy checklist to help users understand the privacy implications of Google Buzz options. [ Read more ... ]

Researchers find huge weakness in European payment cards: Via Computerworld Security News.

Hundreds of millions of payment cards throughout Europe have a flaw that could allow criminals with a stolen card to enter any random PIN to complete a transaction, according to researchers from the University of Cambridge.

The findings, which will be presented at the IEEE Symposium on Security and Privacy in California in May, cast new doubts on chip-and-PIN or EMV cards. The cards contain a microchip that verifies a correct PIN in order to complete a transaction.

European banks hail the system as more secure, as U.S. cards do not have the microchip, which has so far prevented some types of card cloning.

But the Cambridge researchers have found a weakness in the complicated EMV protocol that allows for a man-in-the-middle attack. It essentially tricks the point-of-sale terminal into believing it has received a correct PIN no matter what digits are entered. [ Read more ... ]

Google Buzz: Privacy nightmare: Via Molly Rants - CNET News.

I know some of the technorati are losing their minds over the awesomeness that is Google Buzz, but I think that Google's making a lot of Facebook's privacy and opt-in mistakes right out of the gate, and it's going to bite it big-time, if it doesn't fix it pronto.

I, for one, have already opted out of the entire endeavor.

See, I love the idea of neat new tech innovations that lead to streamlined communication, real-time updating, in-line video and photo posting, and supersimple friend and contact integration. I do not, however, like a product that bursts through my door like a tornado and opts me in to wanton in-box clutter and spam (or, more precisely, bacn) publicly reveals my personal contact list without asking me, threatens to broadcast my e-mail address anytime someone wants to @ me in a Buzz, and even appears to grab photos off my Android phone that I've never uploaded. [ Read more ... ]

Using Google Buzz? Here’s a privacy checklist: Via PC World- msnbc.com .

If you've heard of Google Buzz, chances are you've also heard about some of the privacy concerns that surround it. The social media service offers some cool ways to share photos, links, status messages, and more with fellow Google Buzz users. But if you're not careful, you may end up sharing more than you expect.

Silicon Alley Insider raised some very real privacy concerns about Google Buzz this week, noting that the service ends up exposing many of your e-mail contacts by default. That's a problem if you have e-mail contacts you'd rather not make public.

You also can't hide your e-mail contacts without cutting them off from your Buzz network. [ Read more ... ]

Google Buzz criticized for disclosing Gmail contacts: Via Computerworld Privacy News.

One day after its launch, privacy concerns have been raised about Google's new Gmail-based social-networking tool, Buzz.

At issue is a feature that compiles a list of the Gmail contacts who users most frequently e-mail or chat with. Buzz automatically starts following these people and makes the list public, meaning strangers can see who Buzz users have been in contact with.

The issue was noted by the Silicon Alley Insider on Wednesday. "Imagine ... a wife discovering that her husband emails and chats with an old girlfriend," the Web site said. "Imagine a boss discovers a subordinate emails with executives at a competitor." [ Read more ... ]

"Google Buzz" -- and the Risks of "Automatic Friends": Via Lauren Weinstein's Blog.

Whether or not the goal of Google Buzz (let's call it "Gbuzz" for now) is really to be a Twitter or Facebook "killer" as some observers have suggested, Google is doing a couple of key things very differently with Gbuzz -- one of them very positive, the other seemingly quite problematic.

[...]

Now for the not so excellent. Gbuzz, being tightly integrated with Gmail, apparently makes the implicit assumption that your frequent e-mail contacts should also automatically be declared as your "friends" for social update sharing purposes, and by default creates automatic "follow" lists on this basis.

Maybe this will work just fine for some people, but man, it might be just plain dangerous for others -- perhaps especially those persons who use a single Gmail account to communicate with both personal friends and business associates. Is routinely updating your business acquaintances with the same information as your personal contacts typically appropriate? Doubtful. [ Read more ... ]

ShmooCon: Inside FarmVille's sinister underbelly: Via Computerworld Security News.

You love Facebook apps like FarmVille and Mafia Wars and think they're perfectly safe, right? Think again.

You see it all the time on Facebook: A friend moving on up in FarmVille. Another friend trying to expand his posse in Mafia Wars. Everyone thinks of them as harmless third-party applications, free from the crooks and cooks of cyberspace.

Unfortunately, that's not the case.

The sad fact is that these applications are susceptible to malware pushers and those looking to steal your personal information. It's not much of a stretch for hackers to impersonate people you think are trusted, fellow players, as is the case with a lot of online gaming. And the more you expose yourself, the bigger the target you become. [ Read more ... ]

Can you trust Chinese computer equipment?: Via ITworld.

China may not only be breaking into Google's network, but giving people deliberately bugged technology gear. Can we trust any technology that comes from China?

As you surely know, Google has accused China of hacking into its systems and is considering pulling out of China altogether. The U.S. government is taking this seriously, and Google has partnered with the NSA (National Security Agency) to get to the bottom of this. What you may not know is that the United Kingdom's MI5 -- Americans can think of this as a combination of the FBI and CIA -- has reported that the Chinese government has been giving UK executives electronics with built-in security holes.

According to the Sunday Times, "A leaked MI5 document says that undercover intelligence officers from the People's Liberation Army and the Ministry of Public Security have also approached UK businessmen at trade fairs and exhibitions with the offer of 'gifts' and 'lavish hospitality.' The gifts -- cameras and memory sticks -- have been found to contain electronic Trojan bugs which provide the Chinese with remote access to users' computers." [ Read more ... ]

Facebook Privacy, Security Fears Grow with Social Network Risks: Via Security from eWeek.

According to Sophos, 60 percent of businesses consider Facebook the riskiest social networking site, underscoring a new level of wariness for social networks at a time when a researcher from Kaspersky Lab says compromised accounts for Twitter and other sites can go for big bucks in the cyber-underworld.

Businesses are growing more concerned about the use of social networks, starting with Facebook.

According to a survey of 502 IT professionals by Sophos, businesses are seeing more malware and spam, and 60 percent of respondents put Facebook ahead of MySpace, Twitter and LinkedIn as the riskiest social networking site. The statistics, which were included in Sophos' "Security Threat Report: 2010" (PDF), revealed that while 33 percent block Facebook for productivity reasons, businesses are also concerned with the prospect of spam, malware and data leakage on social networks. [ Read more ... ]

Wikileaks Closes Operations Temporarily Due to Budget Woes: Via Threat Level.

Wikileaks, the controversial whistleblower site, has temporarily shuttered its operations due to a dearth of funds to meet its operating costs.

The site announced last December that it planned to temporarily cease operations, save for its anonymous submission tool, until it could raise money for its operating costs.

But it has so far been unable to meet those needs. The site’s annual costs are $200,000 — $600,000 if staff is paid — but it has raised only $130,000 so far. The site will remain closed to allow administrators to focus on fundraising efforts.

A note on the web site’s main page reads: We protect the world — but will you protect us? [ Read more ... ]

Online Credit/Debit Card Security Failure: Via Schneier on Security.

Ross Anderson reports:

Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as "Verified by VISA" and "MasterCard SecureCode". This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It's getting hard to shop online without being forced to use it.

In a paper I'm presenting today at Financial Cryptography, Steven Murdoch and I analyse 3D Secure. From the engineering point of view, it does just about everything wrong, and it's becoming a fat target for phishing. So why did it succeed in the marketplace? [ Read more ... ]

Bookmark/Search this post with:

• Twitter
• Digg
• StumbleUpon
• Technorati
• del.icio.us
• Facebook
• Furl
• LinkedIn
• Yahoo