Internet Laws of 2003
Unexpected Twists in Internet Law, authored by
copyright attorney , does an excellent
job summarizing legal actions that have
been taken (or not taken) to regulate computing.
Writing about spam...
"CAN-SPAM is an acronym for 'Controlling the Assault of
Non-Solicited Pornography and Marketing'"
Writing about pop-up advertisements...
"In at least three court decisions in 2003, judges ruled
in favor of companies that provide software that delivers
Writing about illegal file sharing...
"The U.S. Court of Appeals for the District of
Columbia ruled that the Recording Industry Association
of America (RIAA) could not use a subpoena process under
the Digital Millennium Copyright Act (DMCA) to obtain the
name of a customer of Verizon Internet Services suspected
of sharing about 800 sound files."
Writing about domain names...
"Truth in Domain Names Act, which made it illegal to
use a 'misleading domain name' with the intent to deceive
a person into viewing obscenity or to deceive a minor into
viewing 'material that is harmful to minors' on the Internet."
Writing about kiddie porn...
"The Children's Internet Protection Act (CIPA), was
upheld by the U.S. Supreme Court in June. It was the
first time the nation's highest court had ruled in favor
of an Internet law, surprising those who said all such
laws violate the First Amendment."
Writing about the Internet taxes...
"Congress let the Internet Tax Freedom Act
expire Nov. 1, opening the door for the imposition
of Internet access taxes after a five-year ban."
Unexpected Twists in Internet Law.
[26 December 2003, top]
From CAN-SPAM to Facial Scanning in Arizona
The AZIPA mailing-list has seen a huge increase in postings
thanks to the CAN-SPAM Act. Because it is a law, computer
users need to learn what they can and cannot do with respect
to sending email messages. Email must always be used with
caution, but these days it may not be a bad idea to consult
a lawyer prior to sending email messages.
ACLU Asks Arizona School District to Reject Face-Recognition Checkpoints.
I am not an ACLU member; however, I am a paying member of the
Who's watching you?
[19 December 2003, top]
Biometrics Takes On Many Forms; Physical Security
It only seemed timely that while working on
this week's biometrics-related posting the
following headline was in 11 December 2003
Arizona Republic: "Phoenix school first
to install face scanners." Sub-titled:
"System can spot sex offenders."
The face scanning biometric system is being
installed in the Royal Palm Middle School
located at 8520 N. 19th Avenue.
The Arizona Republic article quoted the International
Biometric Industry Association as saying it had
"never heard of biometric face scanning
being used on K-12 campuses."
Sheriff Joe Arpaio has assured us that the system is
"not set to recognize people wanted for other
crimes." The key phrase is "not set" because
it implies it can (not that it will) be
set to locate people other than sex offenders.
Prepare To Be Scanned
Identity Verified using nose hair analysis.
Headline from 09 December 2003: "Computer Disks at
Los Alamos Missing." Homer Simpson says Doh...
I say Foo... Computer security requires physical
security. Learning about security is not easy.
[12 December 2003, top]
Spammers Spam Anti-Spammers; Can Spam Law; Spam Rage
Spammers are spamming anti-spam organizations
with spam, spam, and more spam. The spammers
are hoping to take the anti-spammers off-line
by attacking their computers with lots of spam.
Spammers are giving thanks to the W32/Mimail-L worm
for enabling them to implement their spam attack
against anti-spammers. Bottom-line: NEVER reply
to a spam email message and be ever so careful
clicking on email attachments when using applications
running on any version of a Micro
U.S. politicians must be getting computing
advice from spammers because they are
considering passing the bill.
Anti-spam Bill Passes. Here is a quote from a politician:
"Americans will have the right to say 'Take me off your
list, I don't want this in my house.'"
We have all heard of Road Rage... Now comes Spam Rage.
Man Arrested Over 'Spam Rage'. The guy threatened to send a
"package full of Anthrax spores to the company, to 'disable'
an employee with a bullet and torture him with a power drill and
ice pick; and to hunt down and castrate the employees unless they
removed him from their e-mail list."
[05 December 2003, top]
Can Biometrics Save Us From Criminals?
Sadly, our world is full of criminals. Criminals have
numerous tools to help them perform criminal acts. When
a criminal uses a computer to commit a crime, then they
are a cracker.
The following quote is from , U.S. Attorney General:
"The information superhighway should be
a conduit for communication, information and
commerce, not an expressway for crime."
The following quote is from , Chief Postal Inspector:
"Many suspects were simply transferring
time-honored scams to Internet. We'd like to
say it's just old wine in a new bottle."
Is biometrics a tool to help fight criminals?
It may be, according to
Biometrics Hold Key to Next High-Tech Revolution
[28 November 2003, top]
Bill Joy Worries About The Future; BioPay
I picked up a copy of the November 2003 issue of
The headline title was: "Why This Tech Bubble
Is About to BLOW... Wall Street Is Doing It Again...
Save Yourself!" But, I didn't care about this;
instead, I purchased the magazine because the cover
also said (in much smaller print) that "Marc Andreessen
Has Found His Next Big Idea p.118" When I got the magazine
home and started looking at it, I came across a short
"Exit Interview" with that consisted of three questions and
three brief answers. Here is the end of the interview.
"What's the answer?"
"Those who create powerful technology must take
responsibility for it. We need to reflect the
cost of bad behavior in ways that make businesses
respond - with laws and penalties. This will be
a decisive century. We'll learn to manage dangerous
technologies - or we'll wish we'd done so sooner."
Thumbs Pay At Some Stores
is a story about a pet store in Virginia using a system
(scanner connected to a computer) that allows people to
pay using their thumbprint. The system is provided by
company named BioPay
who is a provider of "biometric payment systems."
[21 November 2003, top]
Identity Theft Assistance Center
is a collection of companies that are working together to
"create a single point of contact for people who believe
they are victims of identity theft" called the .
Center Launched for ID Theft Victims
I consistently hear people say that computer
security work is difficult to outsource.
Here is a real-world example that involves
a company named that
is in the GDT::Portfolio.
Internet Security Systems to
Shut Down Two Overseas Engineering Operations
[14 November 2003, top]
Microsoft Says: Stop Cracking Our Not Good Enough Software
The more Microsoft executives publicly speak about computer security,
the more they expose their software for what it is: a piece of crap.
ITBusiness.ca::Gates: You Don't Need Perfect Code for Good Security
[Recall, a few weeks ago, Ballmer (CEO of Microsoft) was quoted saying
"hackers are criminals."]
More Microsoft stuff...
CNET::Microsoft to Offer Bounty on
reports "Microsoft plans to pay for information that leads to
the arrest of the people who released the MSBlast worm and the SoBig
virus." The CNET article claims that part of Microsoft's motivation may
be the fact that recent security defects in their just-good-enough
systems have hurt the company's
balance sheet. Microsoft has a don't care attitude when it comes to
hurting the bottom-line of its users, but when their bottom-line is attacked,
then they take action. I wonder why they don't take this bounty money and
fix their not-good-enough software.
The Thursday, 05 November 2003,
headlines included a hyperlink about a potential attempt to place an
exploit into the Linux kernel. These types of risks are huge and must
be taken seriously.
Slashdot.org::Linux Kernel Back-Door Hack Crack Attempt Discovered
[07 November 2003, top]
Security Cannot Be Patched Into Bad Software
This week's posting is a message I posted
A couple of weeks ago, Steve Ballmer (CEO of
Microsoft), called most of us criminals by
saying "hackers are criminals."
Now Ballmer is trying to convince us that
Microsoft can patch security into its software.
Computer security guru says this is impossible
and I agree with him.
Here is Ballmer speaking about Open Source.
"Should there be a reason to believe that code that
comes from a variety of people unknown around the
world somehow will be a higher quality than people
who get paid to do it professionally? I don't buy
that. We have a methodology, we have an approach,
we have a testing process that we know can lead to
a sustained, predictable level of quality."
I agree with Ballmer that Microsoft's software
practices do lead to a "predictable level
of quality" -- we know it will suck and
be full of security holes. Microsoft has become
a huge computer company by producing "just
good enough software." But in an Internet
world, "just good enough" needs to be
a whole lot better. In fact, just good enough
software is just bad enough to cause serious security
I'd like to ask Ballmer what exactly is Microsoft's
"testing process?" Sometimes I think it may
be the following: If it compiles and links, ship it.
Yahoo.com::Microsoft's Ballmer Sounds Off On Security
[31 October 2003, top]
SANS Releases List of Top 20 Vulnerabilities
established in 1989 as a "cooperative research
and education organization." SANS -- which stands
for Sysadmin, Audit, Network, Security -- provides many
of its resources for little or no cost. The money that
SANS does bring in goes to fund university-based research,
special research projects, and the SANS training program.
During early October of 2003, released documentation on the
Twenty Most Critical Internet Security
[24 October 2003, top]
Microsoft Sucks and Other Tidbits
This week's posting is a smorgasbord of related items.
(CERT) issued an advisory titled
and it is not an easy read.
[More... from CERT.org]
The U.S. shut down an Internet scheme that promised illegal
immigrants U.S. residency in return for money.
The U.S. has added numerous websites to its list (register)
of Foreign Terrorist Organizations such
A nineteen-year-old accused cracker says he didn't do it;
instead, the kid claims crackers cracked his computer and
did their cracking using his computer identity.
[More... from BBC.co.uk]
was almost sued under the DMCA for deciphering copy-protection
software on a new music CD. The company that was going to do
the suing changed their minds because of negative publicity.
[17 October 2003, top]
Congress Stalls CAPPS II; Unintended Consequences of the DMCA
The 2004 budget for the prohibits
use of the Transportation Security Administration's
CAPPS II program until there is proof that
"false positives" will be minimized.
The existing CAPPS system checks passenger names
against a list of suspected terrorists. The new
system uses "additional information supplied
by passengers to check against commercial databases
and a terrorist watch list."
Wired.com::Congress Puts Brakes on CAPPS II
has put together a resource reviewing the unintended effects of the
EFF.org::Unintended Consequences: Five Years under the DMCA
[10 October 2003, top]
AtStake Cannot Take the Truth About Microsoft
is a company that
"has assembled the best minds in digital security
to help you understand and mitigate the security risks
inherent in your business model, so that you can maximize
the opportunity in front of you." is also aware that is a huge and powerful company.
The CTO (Chief Technology Officer) of , Daniel Geer, was recently fired because
he co-authored a report on computer security that was
critical of Microsoft software. Geer's report indicated
that the U.S. government "relies too heavily on software
from Microsoft. It argued that the widespread dominance of
Windows has created an unhealthy 'monoculture' inadequately
resistant to viruses and attacks by hackers."
-- a computer
security guru who helped work on the report (and a GDT::DreamTeam
member) -- is quoted saying the following: "There is a huge
chilling effect based on Microsoft's monopoly position. It's
unfortunate that AtStake put its private agenda ahead of
obviously has lots
at stake when it comes to staying friendly with Microsoft.
CRN.com::Tell the Truth About Microsoft at AtStake and Get Fired
A federal judge ruled that the FTC cannot enforce
however, the FCC can and will. On 29 September 2003,
President George W. Bush signed legislation making
the Do Not Call List legal. For telemarketers
"to call or not to call that is the question."
[03 October 2003, top]
California spam; Do Not Call List; File-Sharing in Israel
The state of California has passed a new law
to help the fight against spam. In a nutshell,
the victims of spam can seek civil damages of up
to $1,000 per e-mail per customer and $1 million
per mass mailing. The new law takes effect on
01 January 2004; however, many believe the law
cannot be enforced. California's passage of this
law probably has lawyers partying.
CA.gov::California Passes Strict Spamming Law
A Federal court ruled that the Federal Trade Commission (FTC)
cannot legally do a federal do-not-call list. Telemarketers
and the DMA (Direct Marketing Association) are happy, but
those people who took the time to sign the do-not-call list
provided by DoNotCall.gov
are probably not happy. [Note: so many people have signed this
list that it may return sometime in the near future.]
announced they are going to implement
a zero tolerance policy with
respect to the downloading of music.
Here is a quote from a Tel Aviv-based
record company manager.
"Israel is a modern hell for anything that
has to deal with Internet and copyright."
Reuters.com::Israeli Music Industry to Get Tough on Downloaders
[26 September 2003, top]
CERT Advisories Against OpenSSH and Sendmail
This was another bad week for the FLOSS (Free/Libre and Open
Source Software) computing world. Two advisories were issued: one against the
server and one
MTA (Mail Transfer Agent). OpenSSH is used to securely
access remote systems. Sendmail is one of the most popular
MTAs used on the Internet.
The following quote is from the 10 September 2003 issue
of the .
"The testified before the
Senate Judiciary Committee that peer-to-peer (P2P) services
are used to trade child pornography as well as to download
pirated copies of digital music and movie files. Any type
of Congressional action against P2P networks could benefit
the recording industry's attempts to eliminate illegal file
WashingtonPost.com::RIAA Ties Child Porn to File-Sharing Sites
[19 September 2003, top]
Identity Theft; RIAA Lawsuits; 911 Viruses
is a nasty crime
that is becoming more and more of a problem. The Internet
is yet another tool for enabling criminals to steal our
identities. The FTC (Federal Trade Commission) offers
http://www.consumer.gov/idtheft/. On 04 September
2003, CNN.com reported that
identity theft strikes 1 in 8 adults.
[Item::261 RIAA Lawsuits and Counting]
A 12-year-old girl in New York was among the first to be sued
by the record industry for sharing music over the Internet.
The kid is off the hook after her mother agreed to pay $2,000
to settle the lawsuit, apologizing and admitting that her daughter
was a criminal. CNN.com offers insight as to
how RIAA tracks downloaders.
Two new viruses hit the Internet on 9/11 hoping to cause
problems by taking advantage of people's emotions.
CNN.com::Virus Writers Mark 9/11 With New Bugs
[12 September 2003, top]
RIAA Begins Their "Fear and Awe" Campaign
The (Recording Industry
Association of America) will be filing lawsuits early
this month (i.e. September) against college students
and others for stealing music. The RIAA calls this
their fear and awe campaign.
Slashdot.org::RIAA Prepares Legal Blitz Against File-sharers
(Electronic Frontier Foundation)
provides a webpage that allows us to see if our file-sharing
username has been subpoenaed by the RIAA.
EFF.org::RIAA Subpoena Database
also provides a webpage that
provides information about
How Not To Get Sued by the RIAA for File-sharing.
The has announced that
they are going to have an amnesty program that
will allow Internet users who promise to stop copying
music to avoid prosecution. Users will have to sign
a notarized affidavit promising to stop using P2P (peer-to-peer)
programs such as Kazaa. The affidavit signer must also promise
to delete all of the music they illegally copied (downloaded,
stole, pirated, or whatever they opt to call it). Note: the
EFF warns that the RIAA does not represent all copyright holders;
therefore, their amnesty program provides only partial protection
against being sued.
, founder of
had a letter published in the September issue of the
in which he declares:
"Legalize Music Sharing Now."
[Next Week] Identity theft is in the news. I suspect
next week's posting will have stuff about this huge problem.
[05 September 2003, top]
Biometrics Still Needs Work; EFF Searches on Yahoo
Biometrics is a technology that currently has limited uses
and questionable reliability. Biometrics are a tool that
can be used in some cases to improve security and prove
identification. But as of 29 August 2003, biometrics
cannot be the only tool.
Forbes.com::World May Not Be Ready for U.S. Biometric Passport Plans
The following is a copy/paste from my 29 July 2003
1 Tour de France
3 Kobe Bryant
5 50 Cent
1 Amber Alert 758.95%
2 Little Nicky 698.05%
3 American Orient Express 477.20%
4 Eff.org 419.02%
5 Frank Dux 384.13%
Typically I don't care about this data; however,
I noticed in
the list. It would have been fun to go to EFF's
Freedom Fest 2003.
[29 August 2003, top]
Are E-Chads an Election Away?
What are chads called in the 21st Century? E-chads.
"Among the security flaws discovered were several ways
in which individual voters could vote multiple times
in a given election. The researchers also uncovered
methods permitting voters to "trick" the e-voting
machines into allowing them system administrator
privileges or even terminating an election before
tallying all legitimate votes."
The state of California is rushing to hold an election.
Some districts are going to be using touch-screen computerized
voting systems. Good luck, California.
[Extra] Last week was considered one of the
worst weeks for computer security. This week, however,
a nasty virus named
hit the Internet and warnings are being issued that
it may get bigger next month.
[22 August 2003, top]
Bad News on All Fronts: W32/Blaster and GNU/FTP
It was an absolutely terrible week for computer security.
The following two advisories
The following quote from the W32/Blaster advisory shows
how complicated and difficult computer security is.
"Sites that do not use windowsupdate.com to manage patches
may wish to block outbound traffic to windowsupdate.com.
In practice, this may be difficult to achieve, since
windowsupdate.com may not resolve to the same address
every time. Correctly blocking traffic to windowsupdate.com
will require detailed understanding of your network routing
architecture, system management needs, and name resolution
environment. You should not block traffic to windowsupdate.com
without a thorough understanding of your operational needs."
The following quote from the GNU/FTP advisory shows
how dangerous cracked computer systems are.
"Because this system serves as a centralized archive of
popular software, the insertion of malicious code into the
distributed software is a serious threat. As the above
announcement indicates, however, no source code distributions
are believed to have been maliciously modified at this time."
[15 August 2003, top]
Do Not Call... Do Not Spam... Do Not Whatever
The Senate wants the federal government to create a
do-not-spam registry similar to the do-not-call
registry managed by the Federal Trade Commission.
These do-not-whatever lists demonstrate how
politicians have things backwards -- by default, you
should be placed in a do-not-whatever registry.
If you want to receive cold calls, then remove yourself
from the do-not-call registry; likewise, your
email address is automatically in the do-not-spam
registry, but if you desire spam, then you are free to
remove yourself from the do-not-spam registry.
It is understandable why so much stuff defaults the wrong
way; those of us who are prone to do nothing get
trapped. In other words, we get punished for doing nothing.
[08 August 2003, top]
SEVIS Not Ready For Real-World Usage
has temporarily altered SEVIS usage to avoid unnecessary
disruptions to foreign students returning to school in the
United States. SEVIS was supposed to be up-and-running
by 01 August 2003, but as of 01 August 2003 it was not
Student and Exchange Visitor Information System (SEVIS) to
SEVIS requires that all institutions create records for foreign
students, in an effort to better track foreign nationals inside
the United States.
Previous SEVIS postings.
31 January 2003 (Security Watchdog)
30 August 2002 (Security Watchdog)
27 September 2002 (MOTD)
11 October 2002 (MOTD)
The 31 January 2003 posting to the was about SEVIS being cracked
at the University of Kansas.
GDT::SecurityWatchdog::SEVIS Cracked [31 January 2003]
[01 August 2003, top]
Avoid Replying to Spam E-mail Messages
This is typical of how numerous spam e-mail messages work.
This invitation was sent to email@example.com on behalf of
Herb Mumford <firstname.lastname@example.org> at 7/23/03 2:46 PM.
If you do not wish to receive invitations from
foo dot foo members, click on the link below:
In other words, you receive a spam e-mail message from
foo.foo; however, foo dot foo requires you
to visit their website in order to stop receiving their
spam. When you visit their website, then they have a
record of a working e-mail address. Maybe you will stop
receiving spam from
foo.foo, but foo dot foo
is probably also bar dot bar so you end up getting a spam
e-mail message from
From comes a story titled
Hijacked Windows PCs Spread Porn
and it starts as follows.
"Almost 2,000 broadband-connected PCs have been commandeered and are
being used to send ads for porn. The method used to spread the Trojan
program is unknown, but it doesn't appear to harm victim computers."
[25 July 2003, top]
Euros to Contain RFIDs
continues to gain popularity. There are plans to embed euro notes
with RFID chips by 2005. Many hope that RFIDs will reduce counterfeiting,
but privacy groups worry about the end to anonymous transactions.
Euro Scheme Makes Money Talk
For the second time in less than two years, the
had to shutdown parts of its website due to security holes.
Some Gov't Computers Ordered Shut Down
Two advisories were
issued against Windows-based systems this week.
[18 July 2003, top]
Microsoft Internet Explorer Remains Defective
Perfect software is not possible these days;
however, just-good-enough software is not
good enough. The
has been defective from day one. [If it
contains one bug, then it has a defect.
If code has a defect, then it is defective.]
A recent Internet Explorer defect is a
"buffer overflow in a HTML conversion
library." Buffer overflows in library
code are not good.
TheRegister.co.uk::IE bugs keep coming
[11 July 2003, top]
Do Not Call Registry Setup by the Federal Government
The Bush Administration, in association with the Federal Trade Commission
(FTC) and the Federal Communications Commission (FCC), announced on the
launch of the located
I have heard that there is a push to start a
to help reduce spam email messages.
[04 July 2003, top]
RIAA Goes After the Little Guy; Can Spam Act
The (RIAA) is going after people who "share"
substantial amounts of copyrighted music over peer-to-peer networks.
The RIAA states: "The law is clear and the message to those who
are distributing substantial quantities of music online should be
equally clear --- this activity is illegal, you are not anonymous
when you do it, and engaging in it can have real consequences."
The RIAA press release goes on to state: "The RIAA expects to
use the data it collects as the basis for filing what could ultimately
be thousands of lawsuits charging individual peer-to-peer music
distributors with copyright infringement. The first round of suits
could take place as early as mid-August."
offers the following opinion.
"It's plain that the dinosaurs of the recording industry
have completely lost touch with reality. At a time when more
Americans are using file-sharing software than voted for President
Bush, more lawsuits are simply not the answer. It's time to get
artists paid and make file-sharing legal. EFF calls on Congress
to hold hearings immediately on alternatives to the RIAA's
litigation campaign against the American public."
Recording Industry to Begin Collecting
Evidence and Preparing Lawsuits Against
File "Sharers" Who Illegally
Offer Music Online
How Not To Get Sued by the RIAA for File-sharing
The Senate Commerce Committee has approved the of 2003. The bill is supported by major e-mail
providers, including Microsoft, AOL, Yahoo, and EarthLink, as well
as online auction site Ebay.
Anti-Spam Bill Gains in Senate
[27 June 2003, top]
Stanford Hit Hard By the Bugbear Virus
hard by the virus.
Stanford has reminded us just how hard secure computing
is. They wrote an alert to their users in which they
screamed "DO NOT OPEN THAT ATTACHMENT."
Screaming won't help much because many users are
Bugbear Virus Rampaging Through Campus
[20 June 2003, top]
Learning About Spam in Law School
-- "Regulation of Spam and Email Marketing"
offered by the
Learning About Writing Viruses and Malware
is offering a class titled "Computer Viruses and Malware"
in which students write and test their own viruses. There are some
people in the computing world that are not happy about this.
A few semesters ago I introduced the
to students and they immediately started using it. This resulted in
the following motto: "Teach it and they will use it."
[06 June 2003, top]
The Future Says... RFID
"Symantec Corp. is warning that there's a growing gap between the
speed at which security attacks are being launched and the industry's
ability to respond."
CRN.com::Focus on Wireless::Getting a Good Read On RFID
[29 May 2003, top]
TIA Now Stands for Terrorism Information Awareness
DARPA.mil::Report to Congress Regarding Terrorism Information
Awareness Program. The introduction to the report, which
is only a few paragraphs long, contains the phrase civil
liberties four times. The 'T' in TIA now means 'T'errorism
instead of 'T'otal. The Department of Defense (DoD) made this
change to help assure U.S. citizens that the TIA program is
interested in terrorists only and not the public at large.
Here is a quote from DARPA's report.
"Note: The program's previous name, "Total Information
Awareness" program, created in some minds the impression
that TIA was a system to be used for developing dossiers on
U.S. citizens. That is not DoD's intent in pursuing this program.
Rather, DoD's purpose in pursuing these efforts is to protect U.S.
citizens by detecting and defeating foreign terrorist threats before
an attack. Therefore, to make this objective absolutely clear, on
May 20, DARPA changed the program name to Terrorism Information
[23 May 2003, top]
Flop, Flop, Fizzer, Fizzer -- Yet Another E-Virus
is the name of a new e-virus
that is spreading itself via the Internet. Like many other e-viruses
it uses e-mail as its transport mechanism, but it also uses the
WiredNews::Fizzer Virus Uses Kazaa to Spread. Bottom-line:
do not process attachments that come from unknown sources.
[16 May 2003, top]
Microsoft Passport System Cracked; Earthlink Sues a Spammer and Wins
On 08 May 2003, Microsoft announced a security breach in its . The defect exposed personal information,
email accounts and registered credit card information for an undisclosed number
of users. Microsoft indicated that the defect had been repaired, but that it
"affected potentially all of its active 200 million Passport accounts."
More from SecurityFocus.com.
ISP (Internet Service provider)
was used by a spammer to send over 825 million spam email messages
over a one year time frame. Earthlink went after the spammer in
a court of law and was
awarded $16+ million in damages.
[09 May 2003, top]
Copying Copyrighted Music is Criminal Activity
reports that the (Recording Industry Association of America) is instituting an
educational effort to stop the copying of copyrighted music files.
The RIAA will scan databases made available via
and . If copyrighted material is found,
then instant-messaging is used to alert users about their evil ways.
More from Chronicle.com]
is a website devoted to
. The website's
homepage contains the following alert.
The unauthorized reproduction and distribution of copyrighted music is
JUST AS ILLEGAL AS SHOPLIFTING A CD. Burning CD's from peer-to-peer networks
like KaZaA, Morpheus or Gnutella is against the law. The rules are very simple.
Unless you own the copyright, it's not yours to distribute.
contains numerous quotes
from artists on the topic of downloading music. Here are some of those
quotes copied/pasted into this webpage.
"I don't like to have a record out and have people hear
versions that we don't want them to hear. With the Internet,
there is no more privacy and not even the chance to express
yourself in front of your audience in the intimacy of a concert
that lets songs evolve. You can't do this because they immediately
get circulated." Yahoo! Entertainment News - January 31, 2001
"It may seem innocent enough, but every time you illegally download
music a songwriter doesn't get paid. And, every time you swap that
music with your friends a new artist doesn't get a chance. Respect
the artists you love by not stealing their music. You're in control.
Support music, don't steal it."
Danny Federici (E Street Band)
"Although music is a blessing, the parasites of piracy pollute
its 'specialness.' We don't need digital pimps robbing us blind of
our own creativity and the fruits thereof."
There are many more quotes from musicians located at
[02 May 2003, top]
Designing and Implementing Secure Website Authentication
has completed the first of a two part
article on the security of website authentication. The first article focuses on
issues surrounding usernames and passwords; issues that CSZero will study as a
Summer of 2003 project. There are currently two websites that will be used for
our studies: Slashdot.org and Bioinformatics.org.
SecurityFocus::Auditing Website Authentication
[25 April 2003, top]
Rivest, Shamir and Adleman Receive the ACM A.M. Turing Award
The 2002 has been
awarded to the co-inventors of --
Rivest, Shamir and Adleman. RSA is an "asymmetric algorithm
for public key cryptography, widely used in electronic commerce."
A Method for Obtaining Digital Signatures and Public-Key
Cryptosystems (pdf) [ACM, February 1978]
Here is a copy/paste from the article's introduction.
"The era of 'electronic mail' may soon be upon us; we must ensure
that two important properties of the current 'paper mail' system be
preserved: a) messages are private, and (b) messages can be
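The following is an added example written for this page; it is not code from the RSA paper or from any RSA vendor. It runs textbook RSA on the classic toy parameters p=61, q=53, e=17 (n=3233), which are far too small to be secure and are chosen only so the arithmetic can be checked by hand. It shows both properties the introduction names: encrypting with the public key so that only the private key decrypts (privacy), and signing with the private key so that anyone can verify with the public key (authenticity). The function names, the `rsa_key` struct and the `toy_*` helpers are this example's own assumptions; real deployments add padding (OAEP for encryption, PSS for signatures) and use keys of thousands of bits.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Key pair for this toy: n and e are public, d is private. (Assumed layout.) */
typedef struct { uint64_t n, e, d; } rsa_key;

/* a^b mod m by square-and-multiply. Requires m < 2^32 so that each
 * product of two residues fits in 64 bits without overflow. */
static uint64_t modpow(uint64_t a, uint64_t b, uint64_t m) {
    uint64_t r = 1;
    a %= m;
    while (b) {
        if (b & 1) r = (r * a) % m;
        a = (a * a) % m;
        b >>= 1;
    }
    return r;
}

/* Inverse of e modulo phi by the extended Euclidean algorithm; returns 0
 * when gcd(e, phi) != 1, i.e. when e is not a valid public exponent. */
static uint64_t modinv(uint64_t e, uint64_t phi) {
    int64_t r0 = (int64_t)phi, r1 = (int64_t)e;   /* remainders */
    int64_t t0 = 0, t1 = 1;                        /* coefficients of e */
    while (r1 != 0) {
        int64_t q = r0 / r1, tmp;
        tmp = r0 - q * r1; r0 = r1; r1 = tmp;
        tmp = t0 - q * t1; t0 = t1; t1 = tmp;
    }
    if (r0 != 1) return 0;
    if (t0 < 0) t0 += (int64_t)phi;
    return (uint64_t)t0;
}

/* Derive (n, e, d) from primes p, q and public exponent e; -1 on bad input. */
int rsa_keygen(uint64_t p, uint64_t q, uint64_t e, rsa_key *k) {
    uint64_t phi = (p - 1) * (q - 1);
    uint64_t d = modinv(e, phi);
    if (d == 0 || p * q >= (1ULL << 32)) return -1;
    k->n = p * q; k->e = e; k->d = d;
    return 0;
}

/* Privacy: anyone encrypts with (n, e); only the holder of d can decrypt. */
uint64_t rsa_encrypt(const rsa_key *k, uint64_t m) { return modpow(m, k->e, k->n); }
uint64_t rsa_decrypt(const rsa_key *k, uint64_t c) { return modpow(c, k->d, k->n); }

/* Signatures: only the holder of d can sign; anyone verifies with (n, e). */
uint64_t rsa_sign(const rsa_key *k, uint64_t m)   { return modpow(m, k->d, k->n); }
uint64_t rsa_verify(const rsa_key *k, uint64_t s) { return modpow(s, k->e, k->n); }

/* The toy key: p=61, q=53, e=17 gives n=3233, phi=3120, d=2753. */
static rsa_key toy_key(void) {
    rsa_key k = {0, 0, 0};
    rsa_keygen(61, 53, 17, &k);
    return k;
}
uint64_t toy_d(void)                 { return toy_key().d; }
uint64_t toy_encrypt(uint64_t m)     { rsa_key k = toy_key(); return rsa_encrypt(&k, m); }
uint64_t toy_roundtrip(uint64_t m)   { rsa_key k = toy_key(); return rsa_decrypt(&k, rsa_encrypt(&k, m)); }
uint64_t toy_sign_verify(uint64_t m) { rsa_key k = toy_key(); return rsa_verify(&k, rsa_sign(&k, m)); }

int main(void) {
    rsa_key k = toy_key();
    uint64_t c = rsa_encrypt(&k, 65), s = rsa_sign(&k, 65);
    printf("n=%" PRIu64 " e=%" PRIu64 " d=%" PRIu64 "\n", k.n, k.e, k.d);
    printf("encrypt(65)=%" PRIu64 "  decrypt=%" PRIu64 "\n", c, rsa_decrypt(&k, c));
    printf("sign(65)=%" PRIu64 "  verify=%" PRIu64 "\n", s, rsa_verify(&k, s));
    return 0;
}
```

Encrypting the message 65 under this key yields 2790 and decrypting 2790 returns 65; signing and verifying any message below n returns the same message, because e and d are inverses modulo phi(n). Note that sign and decrypt are the same private-key operation on different inputs, which is exactly why unpadded ("textbook") RSA must never be used to sign attacker-chosen values.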
[18 April 2003, top]
CERT Advisories Leaked; CIO Prays Computers Secure; Flash Cracked
This week's posting is a clean-up of items that were
queued to be posted last month (i.e. March of 2003).
Slashdot.org::Hacker Leaks Unreleased CERT Reports
Generally, when security problems are found in software products,
those responsible for the software do not want the problem publicly
announced until there is a fix available. They worry that the lag
between announcement and patch release can be used by crackers to
crack the software.
Information Week's article ends with the following paragraph.
"One chief information security officer at a major financial-services
firm says he welcomes all efforts to create a more secure Internet, secure
software, and better tools to protect apps and networks. 'We are preparing
the best we can, monitoring and hardening our systems,' he says. 'The rest
is patching and praying.'"
I'm not convinced that praying ensures secure computing.
CNN.com::Flash Player Poses Threat
In its alert, the company said the vulnerability involves the player's
"sandbox," which acts as a safety zone between a user's system and code
downloaded from the Internet to be run within the player. The flaw, which
would let an attacker create a buffer overflow, could enable an attacker to
gain access to a user's system.
[11 April 2003, top]
Yet Another Sendmail Buffer Overflow
On 29 March 2003, CERT
issued yet another advisory against the
sendmail program. According to
CERT, "Address parsing code in
sendmail does not adequately check the
length of email addresses. An email message
with a specially crafted address could trigger
a stack overflow."
CERT.org::Buffer Overflow in Sendmail [Note: this
advisory is in addition to the
sendmail advisory issued on 03 March 2003.]
[04 April 2003, top]
Google is Good, but... [mature posting]
I have promoted since its URL
[it still works]
Time and time again I honor Google for being good. I wish
I was a Google shareholder. But Google's goodness can also
be used for stuff that many don't think is good. According
to a Wired.com article,
"Google, properly leveraged, has more intrusion
potential than any hacking tool."
Wired.com::Google: Net Hacker Tool du Jour
Speaking of porn...
CNET reports that "the U.S. House of Representatives are voting
on a proposal that would criminalize using misleading domain names
to lure unsuspecting people to sex sites." Once again, we
have an example of politicians wanting to regulate the Internet.
CNET::Use misleading domain name, go to jail?
Back to Google...
Google is a great source for porn. Go to
http://images.google.com and enter a porn-related query string.
By default, Google applies a mature content filter to your
initial search. [Note: how do they define mature?] Turn
off this filter by clicking on the link that says "mature content
filter is on" and the result is access to porn, porn, and more porn.
[28 March 2003, top]
U. of Texas Cracked -- 55,200 Social Security Numbers Exposed
I'm grateful The Chronicle provides some of their resources for free,
but I wish they would start calling those who hack computer
Chronicle.com::Hackers Seize More Than 50,000 Social Security
Numbers From U. of Texas Database. The has
posted this report to their website.
[Update::15 March 2003] A computer science student
at the University of Texas has been charged with cracking
the school's computer system and stealing Social Security
numbers. If convicted he may face eight years in prison
and a $500,000 fine.
[14 March 2003, top]
Sendmail has a Buffer Overflow; Monster.com Warns About Identity Theft
On 03 March 2003, CERT
(Computer Emergency Response Team) issued Advisory CA-2003-07
Remote Buffer Overflow in Sendmail. This is a serious
defect because sendmail is the most widely used
mail transfer agent on the Internet. The amount of
daily email data processed by sendmail is huge.
Here is the CERT Sendmail overview along with the beginning
of their Sendmail description.
There is a vulnerability in sendmail that may allow remote attackers
to gain the privileges of the sendmail daemon, typically root.
Researchers at Internet Security Systems (ISS) have discovered a remotely
exploitable vulnerability in sendmail. This vulnerability could allow an
intruder to gain control of a vulnerable sendmail server.
Most organizations have a variety of mail transfer agents (MTAs) at various
locations within their network, with at least one exposed to the Internet.
Since sendmail is the most popular MTA, most medium-sized to large organizations
are likely to have at least one vulnerable sendmail server. In addition, many
UNIX and Linux workstations provide a sendmail implementation that is enabled
and running by default.
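To make the bug class behind both sendmail advisories on this page concrete (the 03 March remote overflow above and the 29 March address-parsing overflow), here is an added example in C. It is my code, not sendmail's: the "local@domain" address syntax and the 64-byte buffer are assumptions. The unchecked parser copies the local part of an address into a fixed-size stack buffer with no bound, so a crafted address with an over-long local part writes past the buffer; the hardened parser measures the local part and compares it against the destination before copying a single byte, and the handler rejects the message rather than truncating silently. The same shape applies to any daemon that accepts an "overly large request".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not sendmail's code.  LOCAL_MAX is an assumed buffer
 * size; the address syntax is simplified to "local@domain". */
#define LOCAL_MAX 64

/* Vulnerable shape: copies bytes until '@' or NUL with no bound on i.
 * With a local part of LOCAL_MAX or more bytes the writes run past the
 * end of out (a stack buffer in the caller): the stack overflow the
 * advisory describes.  Kept only for comparison; never call it on
 * untrusted input. */
void local_part_unchecked(const char *addr, char out[LOCAL_MAX]) {
    size_t i = 0;
    while (addr[i] != '\0' && addr[i] != '@') {
        out[i] = addr[i];
        i++;
    }
    out[i] = '\0';
}

/* Hardened shape: measure the local part, compare against the space
 * available (leaving room for the NUL), and only then copy.
 * Returns the local-part length, or -1 when the address does not fit. */
int local_part_checked(const char *addr, char *out, size_t outsz) {
    const char *at = strchr(addr, '@');
    size_t len = at ? (size_t)(at - addr) : strlen(addr);
    if (outsz == 0 || len >= outsz)
        return -1;                  /* reject instead of truncating silently */
    memcpy(out, addr, len);
    out[len] = '\0';
    return (int)len;
}

/* Stand-in for the daemon's per-message handler: a fixed stack buffer,
 * as in the vulnerable code, but fed through the checked parser.
 * Returns 0 when the address is accepted, -1 when it is rejected. */
int handle_address(const char *addr) {
    char local[LOCAL_MAX];
    if (local_part_checked(addr, local, sizeof local) < 0)
        return -1;
    /* ... route the message for `local` here ... */
    return 0;
}

/* Builds a constructed "crafted" address with local_len 'A's (capped at
 * 400) followed by "@example.com", and runs it through handle_address. */
int crafted_address_result(size_t local_len) {
    char addr[512];
    if (local_len > 400) local_len = 400;
    memset(addr, 'A', local_len);
    strcpy(addr + local_len, "@example.com");
    return handle_address(addr);
}

int main(void) {
    printf("alice@example.com   -> %d\n", handle_address("alice@example.com"));
    printf("63-byte local part  -> %d\n", crafted_address_result(63));
    printf("64-byte local part  -> %d\n", crafted_address_result(64));
    printf("200-byte local part -> %d\n", crafted_address_result(200));
    return 0;
}
```

The 64-byte case is the one worth staring at: the check is `len >= outsz`, not `len > outsz`, because the terminating NUL needs a byte too; with the looser comparison a 64-byte local part would still overflow by one.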
[Side-bar] Upon hearing that Internet Security Systems (ISS)
discovered the sendmail defect,
I bought some stock.
Monster.com, one of the most popular
employment websites, warned clients that identity thieves are luring
victims from Internet job searches. Monster.com sent email messages
to people who have signed up to find jobs on their site, warning them
of the potential for false job postings and identity theft. [No
hyperlink provided because I couldn't find anything about this
story on the Monster.com website.]
[07 March 2003, top]
Biometrics; Workplace Surveillance; Patriot Act II
FCW.com::Group issues final biometrics report
Numerous laws (e.g. USA Patriot Act and the Enhanced Border Security and
Visa Entry Reform Act) include requirements for increased use of biometrics.
The International Biometric Group issued a report that recommends using
"multiple biometric methods of identification rather than relying
on a single one and adding biometric identification to existing programs
rather than replacing them." In other words, if you leave this country,
then upon your return you may be subjected to a finger-print scan, an iris
scan and a facial scan. [In addition, when approaching these various
scanning devices you may be subjected to a gait scan. I dread the day
of biometric brain scans -- what if there is nothing to scan?]
PrivacyFoundation.org::Workplace Surveillance Project
Surveillance in the workplace is becoming increasingly prominent.
This is especially true when it comes to computer usage. When
using a computer it is important to remember that tools exist
that can monitor every key you type on your keyboard and every
movement/click of your mouse.
FindLaw.com::Patriot Act II
The Federal Government likes the USA Patriot Act so much that they
are working on extending it with the Domestic Security Enhancement Act of 2003
(i.e. Patriot Act II). Here is just one thing Patriot II would allow:
federal agents would not need a subpoena or a court order to access
consumer credit reports. Patriot II could also make you a suspect if you
used encryption tools (e.g. encrypted email). The list of potential
dangers goes on and on.
[28 February 2003, top]
Oracle Buffers Overflow; Mitnick Cracked; Secure eVoting
CERT.org::Multiple Vulnerabilities in Oracle Servers
It appears Oracle is good
at programming buffer overflows. Interestingly, many
of the buffer overflows have to do with date and time
CNN.com::Famous Hacker Kevin Mitnick Gets Hacked
Reading this article makes me ask why Mitnick is using a
Microsoft product. The following quote from Mitnick will
be a future GDT::QOTW::Quote Of The Week.
"All the hackers out there figure if they can hack
Kevin Mitnick's site, they're the king of the hill."
-- Kevin Mitnick (February 2003)
SAMag.com::Secure Internet Voting with Perl
Many computer professionals are against moving to evoting
systems primarily because evoting cannot be done securely.
is a good programmer
who realizes that evoting is going to happen someday and he
knows how to write secure code. [source::CaitlinG]
[21 February 2003, top]
Cyberwarfare... esoldier... Computing Freedoms... Privacy
I have had numerous people laugh and dismiss me because I keep pondering
the responsibilities of being an esoldier. Cyberwarfare is a
difficult topic to discuss publicly.
WashingtonPost.com::Bush Orders Guidelines for Cyber-Warfare
Cyberwarfare could result in computer systems like these found in
Norway's Oslo Central Station.
[14 February 2003, top]
Gee-wiz...Yet Another Governmental Computing System; About Sapphire Slammer
Shortly after the 11 September 2001 attack on America, work began on GEWIS ("gee-whiz").
The agency responsible for GEWIS currently pays numerous telecom and Internet
service providers for Internet-related data. According to a Washington Post
article, the "White House believes the monitoring center is necessary because
no single entity in the government or private sector has more than a limited view
of the global communications network."
WashingtonPost.com::Feds Building Internet Monitoring Center
Berkeley.edu::The Spread of the Sapphire/Slammer Worm
Here is the last paragraph in the document.
"Though very simple, Sapphire represents a significant milestone
in the evolution of computer worms. Although it did not contain
a destructive payload, Sapphire spread worldwide in roughly 10
minutes causing significant disruption of financial, transportation,
and government institutions. It clearly demonstrates that fast worms
are not just a theoretical threat, but a reality -- one that should
be considered a standard tool in the arsenal of an attacker."
[07 February 2003, top]
College Computing:: Secure Email; SEVIS Cracked; Homeland Security
It is EOM (End-Of-Month) clean-up. This week's posting
consists of three articles from Chronicle.com concerning computer security at
colleges and universities.
Chronicle.com::U. of Colorado at Boulder Adopts Encrypting
Links for E-Mail Software
The University of Colorado at Boulder switched to using an encrypted email system. Here is a quote
from a school official: "One person's insecurity is a
risk to the whole organization."
Chronicle.com::Hacker Steals Personal Data on Foreign
Students at U. of Kansas
The SEVIS (Student and Exchange Visitor Information System) database at the
University of Kansas was cracked and information on more than 1,400 foreign students
was stolen. According to the Chronicle.com article, the crack was
possible due to the school updating the security features on
its Microsoft operating system.
Chronicle.com::Homeland Security Demands Tough For Colleges
A crucial component of homeland security
is tracking people using computers. College computer systems make
good tracking tools. What many politicians don't understand is that
most computer systems are not secure and colleges cannot afford to
hire people who have the skills to provide a secure computing
environment. According to a Chronicle.com article, a panel
of computer security experts indicated that colleges "must expand
their curriculums to include more courses and degree
programs in information security. Last year, U.S. universities
awarded only 28 Ph.D. degrees in information security."
[31 January 2003, top]
ASU and Edgeos Cybersecurity Seminar; CERT Advisories
I am looking forward to hearing Jay Jacobson speak
on Tuesday, 28 January 2003, at the following seminar.
Arizona State University (ASU) College of Extended Education and Edgeos, the automated information security and hacker
sciences company, announced a new CyberSecurity seminar for
Arizona business leaders and professionals. The noontime seminar,
presented by Edgeos CEO Jay Jacobson, is titled: . The goal of the seminar is to educate business
professionals about real-world cybersecurity risks and present a simple,
non-technical, practical approach for hacker prevention.
Those of us who have computers connected to the Internet
are lucky Jacobson is a good guy. [Note: this seminar is
being held on ASU Phoenix downtown campus. I'm looking
forward to visiting
Ed The Hotdogger.]
There were two CERT advisories issued this week.
"The CVS server component contains a 'double-free' vulnerability that
can be triggered by a set of specially crafted directory requests.
While processing these requests, an error-checking routine may attempt to
free() the same memory reference more than once. Deallocating
the already freed memory leads to heap corruption, which an attacker could
leverage to execute arbitrary code, alter the logical operation of the
CVS server program, or read sensitive information stored in memory.
In most cases, heap corruption will result in a segmentation fault,
causing a denial of service. The CVS server process is typically started
by the Internet services daemon (inetd) and runs with root privileges.
Arbitrary code inserted by an attacker would therefore run with root privileges."
CERT.org::Double-Free Bug in CVS Server
"A buffer overflow in the Windows Locator service may make it
possible for a remote attacker to execute arbitrary code on a vulnerable
system by sending an overly large request to the Windows Locator service.
Microsoft describes the Windows Locator service as 'a name service that
maps logical names to network-specific names.'"
CERT.org::Buffer Overflow in Windows Locator Service
[24 January 2003, top]
DeVry and UofP are Spammers
I've been getting University of Phoenix spam for a long time.
I spent time speaking with two people who work for the University
of Phoenix about how their school is a spammer. [This was news
email@example.com email account is
attacked with spam from DeVry University.
DeVry tells me to "Increase your income with a Degree."
If DeVry is-a University, then they should give up spamming.
If the University of Phoenix and DeVry University are spammers
by accident, then they can remove the defects from their
computing practices; however, if they are knowingly sending
spam, then I say foo to them.
When I put on my Computer Professional hat, then I have to
ponder what I will do if I receive spam from Maricopa.edu.
My actions, if necessary, will be influenced by this
quote from Andrew
[Extra] This posting coincides with the
start of the Spring 2003 semester; therefore,
it seems only fitting that we start the semester with a
YABO CERT Advisory. (YABO: Yet Another Buffer Overflow)
[17 January 2003, top]
IEEE.org::Dave Farber Speaks About Cybersecurity
IEEE.org has posted a cybersecurity article by
Dave Farber in which he states it is time for
government and industry to shut up and put up when it comes to computer
security. Here are a couple of quotes from the article.
"Cybersecurity encompasses most of the domain of computer communications
technology and management. To protect a cyberinfrastructure, you must protect
each building block. For example, it does little good to protect the computer
system hardware and software if untrustworthy operators and programmers can
make compromising changes. Every facet of the infrastructure must be examined
and protected. These include physical locations, computer hardware, networking,
operating systems, applications, and management practices."
Fame, but No Riches for Cybersecurity from .
[Farber is a Guru]
"Systems never have the chance to become even relatively bug free before
being replaced with still more complicated systems with a new set of critical
bugs. Our understanding of software design methodology has improved -- but at
nowhere near the pace needed to match the rapid increase in complexity."
[10 January 2003, top]
RFC 1087::Ethics and the Internet
RFCs (Requests For Comments) document the Internet.
I don't recall where, but I recently read RFC 1087.
Network Working Group Internet Activities Board
Request for Comments: 1087 January 1989
Ethics and the Internet
Status of this Memo
This memo is a statement of policy by the Internet Activities Board
(IAB) concerning the proper use of the resources of the Internet.
Distribution of this memo is unlimited.
At great human and economic cost, resources drawn from the U.S.
Government, industry and the academic community have been assembled
into a collection of interconnected networks called the Internet.
RFC 1087::Ethics and the Internet
[03 January 2003, top]