GDT::Security::Watchdog::Archive::Year 2003

Security Watchdog

Internet Laws of 2003
Com.com::CNET:: Unexpected Twists in Internet Law, authored by copyright attorney Doug Isenberg, does an excellent job summarizing legal actions that have been taken (or not taken) to regulate computing.
   Writing about spam...
     "CAN-SPAM is an acronym for 'Controlling the Assault of 
      Non-Solicited Pornography and Marketing'"

   Writing about pop-up advertisements...
     "In at least three court decisions in 2003, judges ruled 
      in favor of companies that provide software that delivers 
      these advertisements.

   Writing about illegal file sharing...
     "The U.S. Court of Appeals for the District of 
      Columbia ruled that the Recording Industry Association 
      of America (RIAA) could not use a subpoena process under 
      the Digital Millennium Copyright Act (DMCA) to obtain the 
      name of a customer of Verizon Internet Services suspected 
      of sharing about 800 sound files."

   Writing about domain names...
     "Truth in Domain Names Act, which made it illegal to 
      use a 'misleading domain name' with the intent to deceive 
      a person into viewing obscenity or to deceive a minor into 
      viewing 'material that is harmful to minors' on the Internet."

   Writing about kiddie porn...
     "The Children's Internet Protection Act (CIPA), was 
      upheld by the U.S. Supreme Court in June. It was the 
      first time the nation's highest court had ruled in favor 
      of an Internet law, surprising those who said all such 
      laws violate the First Amendment."

   Writing about the Internet taxes...
     "Congress let the Internet Tax Freedom Act 
      expire Nov. 1, opening the door for the imposition 
      of Internet access taxes after a five-year ban."

Com.com::CNET:: Unexpected Twists in Internet Law.

[26 December 2003, top]
From CAN-SPAM to Facial Scanning in Arizona
[Item] The AZIPA mailing-list has seen an huge increase in postings thanks to the CAN-SPAM Act. Because it is a law, computer users need to learn what they can and cannot do with respect to sending email messages. Email must always be used with caution, but these days it may not be a bad idea to consult a lawyer prior to sending email messages.

[Item] ACLU.org:: ACLU Asks Arizona School District to Reject Face-Recognition Checkpoints. I am not an ACLU member; however, I am a paying member of the Electronic Frontier Foundation. EFF.org::Biometrics:: Who's watching you?

[19 December 2003, top]
Biometrics Takes On Many Forms; Physical Security
It only seemed timely that while working on this week's biometrics-related posting the following headline was in 11 December 2003 Arizona Republic: "Phoenix school first to install face scanners." Sub-titled: "System can spot sex offenders." The face scanning biometric system is being installed in the Royal Palm Middle School located at 8520 N. 19th Avenue.

The Arizona Republic article quoted the International Biometric Industry Association as saying it had "never heard of biometric face scanning being used on K-12 campuses."

Sheriff Joe Arpaio has assured us that the system is "not set to recognize people wanted for other crimes." The key-phrase is not set because it implies it can (not that it will) be set to locate people other than sex offenders.

Economist.com:: Prepare To Be Scanned

[humor] Ibiblio.org:: Identity Verified using nose hair analysis.

[Extra] Headline from 09 December 2003: "Computer Disks at Los Alamos Missing." Homer Simpson says Doh... I say Foo... Computer security requires physical security. Learning about security is not easy.

[12 December 2003, top]
Spammers Spam Anti-Spammers; Can Spam Law; Spam Rage
[Item] Spammers are spamming anti-spam organizations with spam, spam, and more spam. The spammers are hoping to take the anti-spammers off-line by attacking their computers with lots of spam. Spammers are giving Thanks to the W32/Mimail-L worm for enabling them to implement their spam attack against anti-spammers. Bottom-line: NEVER reply to a spam email message and be ever so careful clicking on email attachments when using applications running on any version of a Microcrapsoft system.

[Item] U.S. politicians must be getting computing advice from spammers because the they are considering passing the Can Spam bill. House.gov:: Anti-spam Bill Passes. Here is a quote from a politician: 'Americans will have the right to say 'Take me off your list, I don't want this in my house.'"

[Item] We have all heard of Road Rage... Now comes Spam Rage. Wired.com:: Man Arrested Over 'Spam Rage'. The guy threatened to send a "package full of Anthrax spores to the company, to 'disable' an employee with a bullet and torture him with a power drill and ice pick; and to hunt down and castrate the employees unless they removed him from their e-mail list."

[05 December 2003, top]
Can Biometrics Save Us From Criminals?
Sadly, our world is full of criminals. Criminals have numerous tools to help them perform criminal acts. When a criminal uses a computer to commit a crime, then they are a cracker.

The following quote is from John Ashcroft, U.S. Attorney General: "The information superhighway should be a conduit for communication, information and commerce, not an expressway for crime."

The following quote is from Lee Heath, Chief Postal Inspector: "Many suspects were simply transferring time-honored scams to Internet. We'd like to say it's just old wine in a new bottle."

Is biometrics a tool to help fight criminals? They may be according to Reuters.com:: Biometrics Hold Key to Next High-Tech Revolution

[28 November 2003, top]
Bill Joy Worries About The Future; BioPay
I picked up a copy of the November 2003 issue of Business 2.0 magazine. The headline title was: "Why This Tech Bubble Is About to BLOW... Wall Street Is Doing It Again... Save Yourself!" But, I didn't care about this; instead, I purchased the magazine because the cover also said (in much smaller print) that "Marc Andreessen Has Found His Next Bid Idea p.118" When I got the magazine home and started looking at it, I came across a short "Exit Interview" with Bill Joy that consisted of three questions and three brief answers. Here is the end of the interview.
   Business2.0::Question 
   "What's the answer?"

   Bill Joy::Response
   "Those who create powerful technology must take
    responsibility for it.  We need to reflect the
    cost of bad behavior in ways that make businesses
    respond - with laws and penalties.  This will be
    a decisive century. We'll learn to manage dangerous
    technologies - or we'll wish we'd done so sooner."

[Extra] USAToday.com::Tech:: Thumbs Pay At Some Stores is a story about a pet store in Virginia using a system (scanner connected to a computer) that allows people to pay using their thumbprint. The system is provided by company named BioPay who is a provider of "biometric payment systems."

[21 November 2003, top]
Identity Theft Assistance Center
The Financial Services Roundtable is a collection of companies that are working together to "create a single point of contact for people who believe they are victims of identity theft" called the Identity Theft Assistance Center. {WashingtonPost.com:: Center Launched for ID Theft Victims}

[Extra] I consistently hear people say that computer security work is difficult to outsource. Here is a real-world example that involves a company named Internet Security Systems that is in the GDT::Portfolio. {BizJournals.com:: Internet Security Systems to Shut Down Two Overseas Engineering Operations}

[14 November 2003, top]
Microsoft Says: Stop Cracking Our Not Good Enough Software
The more Microsoft executives publicly speak about computer security, the more they expose their software for what it is: a piece of crap. ITBusiness.ca::Gates: You Don't Need Perfect Code for Good Security [Recall, a few weeks ago, Ballmer (CEO of Microsoft) was quoted saying "hackers are criminals."]

More Microsoft stuff...

CNET::Microsoft to Offer Bounty on HCrackers reports "Microsoft plans to pay for information that leads to the arrest of the people who released the MSBlast worm and the SoBig virus." The CNET claims that part of Microsoft's motivation may be the fact that recent security defects in their just-good-enough systems have hurt the company's balance sheet. Microsoft has a don't care attitude when it comes to hurting the bottom-line of its users, but when their bottom-line is attacked, then they take action. I wonder why they don't take this bounty money and fix their not-good-enough software.

[Extra] The Thursday, 05 November 2003, Slashdot.org headlines included a hyperlink about a potential attempt to place an exploit into the Linux kernel. These type of risks are huge and must be taken seriously. Slashdot.org::Linux Kernel Back-Door Hack Crack Attempt Discovered

[07 November 2003, top]
Security Cannot Be Patched Into Bad Software
This week's posting is a message I posted to the [CSZero] mailing-list.

A couple of weeks ago, Steve Ballmer (CEO of Microsoft), called most of us criminals by saying "hackers are criminals." [exact quote]

Now Ballmer is trying to convince us that Microsoft can patch security into its software. Computer security guru Bruce Schneier says this is impossible and I agree with him.

Here is Ballmer speaking about Open Source.

   "Should there be a reason to believe that code that 
    comes from a variety of people unknown around the 
    world somehow will be a higher quality than people 
    who get paid to do it professionally? I don't buy 
    that.  We have a methodology, we have an approach, 
    we have a testing process that we know can lead to 
    a sustained, predictable level of quality." 

I agree with Ballmer that Microsoft's software practices do lead to a "predictable level of quaility" -- we know it will suck and be full of security holes. Microsoft has become a huge computer company by producing "just good enough software." But in an Internet world, "just good enough" needs to be a whole lot better. In fact, just good enough software is just bad enough to cause serious security problems.

I'd like to ask Ballmer what exactly is Microsoft's "testing process?" Sometime I think it may be the following: If it compiles and links, ship it.

Yahoo.com::Microsoft's Ballmer Sounds Off On Security

[31 October 2003, top]
SANS Releases List of Top 20 Vulnerabilities
The SANS Institute was established in 1989 as a "cooperative research and education organization." SANS -- which stands for Sysadmin, Audit, Network, Security -- provides many of its resource for little or no cost. The money that SANS does bring in goes to fund university-based research, special research projects, and the SANS training program. During early October of 2003, SANS.org released documentation on the Twenty Most Critical Internet Security Vulnerabilites. [24 October 2003, top]
Microsoft Sucks and Other Tidbits
This week's posting is a smorgasboard of Security Watchdog related items.
  • The Computer Emergency Response Team (CERT) issued an advisory titled Multiple Vulnerabilities in Microsoft Windows and Exchange and it is not an easy read. [ More... from CERT.org]

  • The U.S. shut down an Internet scheme that promised illegal immigrants U.S. residency in return for money.

  • The U.S. has added numerous websites to its list (register) of Foreign Terrorist Organizations such kahane.org or newkach.org.

  • A nineteen year-old accused cracker says he didn't do it; instead, the kid claims crackers cracked his computer and did their cracking using his computer identity. [ More... from BBC.co.uk]

  • A Princeton University student was almost sued under the DMCA for deciphering copy-protection software on a new music CD. The company that was going to do the suing changed their minds because of negative publicity.

[17 October 2003, top]
Congress Stalls CAPPS II; Unintended Consequences of the DMCA
The 2004 budget for the Department of Homeland Security prohibits use of the Transportation Security Administration's CAPPS II program until there is proof that "false positives" will be minimized. The existing CAPPS system checks passenger names against a list of suspected terrorists. The new system uses "additional information supplied by passengers to check against commercial databases and a terrorist watch list." Wired.com::Congress Puts Brakes on CAPPS II

[Item] The Electronic Frontier Foundation (EFF) has put together a resource reviewing the unintended effects of the Digital Millennium Copyright Act (DMCA). EFF.org::Unintended Consequences: Five Years under the DMCA

[10 October 2003, top]
AtStake Cannot Take the Truth About Microsoft
AtStake is a company that "has assembled the best minds in digital security to help you understand and mitigate the security risks inherent in your business model, so that you can maximize the opportunity in front of you." AtStake is also aware that Microsoft is a huge and powerful company. The CTO (Chief Technology Office) of AtStake, Daniel Geer, was recently fired because he co-authored a report on computer security that was critical of Microsoft software. Geer's report indicated that the U.S. government "relies too heavily on software from Microsoft. It argued that the widespread dominance of Windows has created an unhealthy 'monoculture' inadequately resistant to viruses and attacks by hackers."

Bruce Schneier -- a computer security guru who helped work on the report (and a GDT::DreamTeam member) -- is quoted saying the following: "There is a huge chilling effect based on Microsoft's monopoly position. It's unfortunate that AtStake put its private agenda ahead of intellectual integrity."

AtStake obviously has lots at stake when it comes to staying friendly with Microsoft. CRN.com::Tell the Truth About Microsoft at AtStake and Get Fired

[Extra] A federal judge ruled that the FTC cannot enforce the Do Not Call List; however, the FCC can and will. On 29 September 2003, President George W. Bush signed legislation making the Do Not Call List legal. For telemarketers "to call or not to call that is the question." [ More...]

[03 October 2003, top]
California spam; Do Not Call List; File-Sharing in Israel
[Item] The state of California has passed a new law to help the fight against spam. In a nutshell, the victims of spam can seek civil damages of up to $1,000 per e-mail per customer and $1 million per mass mailing. The new law takes effect on 01 January 2004; however, many believe the law cannot be enforced. California's passage of this law probably have lawyers partying. [ CA.gov::California Passes Strict Spamming Law ]

[Item] A Federal court ruled that the Federal Trade Commission (FTC) cannot legally do a federal do-not-call list. Telemarketers and the DMA (Direct Marketing Association) are happy, but those people who took the time to sign the do-not-call list provided by DoNotCall.gov are probably not happy. [Note: so many people have signed this list that it may return sometime in the near future.]

[Item] Israel has announced they are going to implement a zero tolerance policy with respect to the downloading of music. Here is a quote from a Tel Aviv-based record company manager.

   "Israel is a modern hell for anything that 
    has to deal with Internet and copyright."
Reuters.com::Israeli Music Industry to Get Tough on Downloaders

[26 September 2003, top]
CERT Advisories Against OpenSSH and Sendmail
This was another bad week for the FLOSS (Free/Libre and Open Source Software) computing world. Two CERT advisories were issued: one against the OpenSSH server and one against the Sendmail MTA (Mail Transfer Agent). OpenSSH is used to securely access remote systems. Sendmail is one of the most popular MTAs used on the Internet.

[Extra] The following quote is from the 10 September 2003 issue of the Washington Post.

"The RIAA testified before the Senate Judiciary Committee that peer-to-peer (P2P) services are used to trade child pornography as well as to download pirated copies of digital music and movie files. Any type of Congressional action against P2P networks could benefit the recording industry's attempts to eliminate illegal file sharing."

WashingtonPost.com::RIAA Ties Child Port to File-Sharing Sites

[19 September 2003, top]
Identity Theft; RIAA Lawsuits; 911 Viruses
Identity Theft is a nasty crime that is becoming more and more of a problem. The Internet is yet another tool for enabling criminals to steal our identities. The FTC (Federal Trade Commission) offers help at http://www.consumer.gov/idtheft/. On 04 September 2003, CNN.com reported that identity theft strikes 1 in 8 adults.

[Item::261 RIAA Lawsuits and Counting]
A 12-year-old girl in New York was among the first to be sued by the record industry for sharing music over the Internet. The kid is off the hook after her mother agreed to pay $2,000 to settle the lawsuit, apologizing and admitting that her daughter was a criminal. CNN.com offers insight as to how RIAA tracks downloaders.

[Item::911 Viruses]
Two new viruses hit the Internet on 911 hoping to cause problems by taking advantage of people's emotions. CNN.com::Virus Writers Mark 9/11 With New Bugs

[12 September 2003, top]
RIAA Begins Their "Fear and Awe" Campaign
The RIAA (Recording Industry Association of America) will be filing lawsuits early this month (i.e. September) against college students and others for stealing music. The RIAA calls this their fear and awe campaign. Slashdot.org::RIAA Prepares Legal Blitz Against File-sharers

EFF (Electronic Frontier Foundation) provides a webpage that allows us to see if our file-sharing username has been subpoenaed by the RIAA. EFF.org::RIAA Subpoena Database

EFF.org also provides a webpage that provides information about How Not To Get Sued by the RIAA for File-sharing.

The RIAA has announced that they are going to have an amnesty program that will allow Internet users who promise to stop copying music to avoid prosecution. Users will have to sign a notarized affidavit promising to stop using P2P (peer-to-peer) programs such as Kazaa. The affidavit signer must also promise to delete all of the music they illegally copied (downloaded, stole, pirated, or whatever they opt to call it). Note: the EFF warns that the RIAA does represent all copyright holders; therefore, their amnesty program provides only partial protection against being sued.

Richard Stallman, founder of the Free Software Foundation, had a letter published in the September issue of the Communications of the ACM in which he declares: "Legalize Music Sharing Now."

[Next Week] Identy theft is in the news. I suspect next week's posting will have stuff about this huge problem.

[05 September 2003, top]
Biometrics Still Needs Work; EFF Searches on Yahoo
Biometrics is a technology that currently has limited uses and questionable reliability. Biometrics are a tool that can be used in some cases to improve security and prove identification. But as of 29 August 2003, biometrics cannot be the only tool. Forbes.com::World May Not Be Ready for U.S. Biometric Passport Plans

[Extra] The following is a copy/paste from my 29 July 2003 My.Yahoo.com homepage.

	Buzz Index

	Overall Leaders 
	1 Tour de France 
	2 Kazaa 
	3 Kobe Bryant 
	4 NASCAR 
	5 50 Cent 

	Overall Movers 
	1 Amber Alert 758.95% 
	2 Little Nicky 698.05% 
	3 American Orient Express 477.20% 
	4 Eff.org 419.02% 
	5 Frank Dux 384.13%

Typically I don't care about this data; however, I noticed Eff.org in the list. It would have been fun to go to EFF's Freedom Fest 2003.

[29 August 2003, top]
Are E-Chads an Election Away?
What are chads called in the 21st Century? E-chads.
   "Among the security flaws discovered were several ways 
    in which individual voters could vote multiple times 
    in a given election. The researchers also uncovered 
    methods permitting voters to "trick" the e-voting 
    machines into allowing them system administrator 
    privileges or even terminating an election before 
    tallying all legitimate votes."

The state of California is rushing to hold an election. Some districts are going to be using touch-screen computerized voting systems. Good luck, California.

[Extra] Last week was considered one of the worst weeks for computer security. This week, however, a nasty virus named Sobig hit the Internet and warnings are being issued that it may get bigger next month.

[22 August 2003, top]
Bad News on All Fronts: W32/Blaster and GNU/FTP
It was an absolutely terrible week for computer security. The following two CERT advisories were issued.

The following quote from the W32/Blaster advisory shows how complicated and difficult computer security is.

"Sites that do not use windowsupdate.com to manage patches may wish to block outbound traffic to windowsupdate.com. In practice, this may be difficult to achieve, since windowsupdate.com may not resolve to the same address every time. Correctly blocking traffic to windowsupdate.com will require detailed understanding of your network routing architecture, system management needs, and name resolution environment. You should not block traffic to windowsupdate.com without a thorough understanding of your operational needs."

The following quote from the GNU/FTP advisory shows how dangerous cracked computer systems are.

"Because this system serves as a centralized archive of popular software, the insertion of malicious code into the distributed software is a serious threat. As the above announcement indicates, however, no source code distributions are believed to have been maliciously modified at this time."

[15 August 2003, top]
Do Not Call... Do Not Spam... Do Not Whatever
The Senate wants the federal government to create a do-not-spam registry similar to the do-not-call registry managed by the Federal Trade Commission.

These do-not-whatever lists demonstrate how politicians have things backwards -- by default, you should be placed in a do-not-whatever registry. If you want to receive cold calls, then remove yourself from the do-not-call registry; likewise, your email address is automatically in the do-not-spam registery, but if you desire spam, then you are free to remove yourself from the do-not-spam registry.

It is understandable why so much stuff default the wrong way; those of us who are prone to do-nothing get trapped. In other words, we get punished for doing nothing.

[08 August 2003, top]
SEVIS Not Ready For Real-World Usage
Department of Homeland Security has temporarily altered SEVIS usage to avoid unnecessary disruptions to foreign students returning to school in the United States. SEVIS was suppose to be up-and-running by 01 August 2003, but as of 01 August 2003 it was not ready.

Student and Exchange Visitor Information System (SEVIS) to SEVIS requires that all institutions create records for foreign students, in an effort to better track foreign nationals inside the United States.

Previous SEVIS postings.

	31 January 2003 (Security Watchdog)
	30 August 2002 (Security Watchdog)
	27 September 2002 (MOTD)
	11 October 2002 (MOTD)

The 31 January 2003 posting to the GDT::SecurityWatchdog was about SEVIS being cracked at the University of Kansas. GDT::SecurityWatchdog::SEVIS Cracked [31 January 2003]

[01 August 2003, top]
Avoid Replying to Spam E-mail Messages
This is typical of numerous spam e-mail messages work.
   This invitation was sent to foo@foo.foo on behalf of
   Herb Mumford <hmumford@foo.foo> at 7/23/03 2:46 PM.
   If you do not wish to receive invitations from 
   foo dot foo members, click on the link below:
   http://www.foo.foo/blockinvites.jsp?invite=462483077528
In otherwords, you receive a spam e-mail message from foo.foo; however, foo dot foo requires you to visit their website in order to stop receiving their spam. When you visit their website, then they have a record of a working e-mail address. Maybe you will stop receiving spam from foo.foo, but foo dot foo is probably also bar dot bar so you end up getting a spam e-mail message from bar.bar.

[Extra] From HotWired.com comes a story titled Hijacked Windows PCs Spread Porn and it starts as follows.

   "Almost 2,000 broadband-connected PCs have been commandeered and are
    being used to send ads for porn. The method used to spread the Trojan
    program is unknown, but it doesn't appear to harm victim computers."
[25 July 2003, top]
Euros to Contain RFIDs
Radio Frequency Identifiers (RFIDs) continues to gain popularity. There are plans to embed euro notes with RFID chips by 2005. Many hope that RFIDs will reduce counterfeiting, but privacy groups worry about the end to anonymous transactions. [WiredNews:: Euro Scheme Makes Money Talk ]

[Extra] For the second time in less than two years, the U.S. Department of the Interior had to shutdown parts of its website due to security holes. [WashingtonPost.com:: Some Gov't Computers Ordered Shut Down]

[Extra] Two CERT advisories were issued against Windows-based systems this week.

[18 July 2003, top]
Microsoft Internet Explorer Remains Defective
Perfect software is not possible these days; however, just-good-enough software is not good enough. The Microsoft Internet Explorer browser has been defective from day one. [If it contains one bug, then it has a defect. If code has a defect, then it is defective.]

A recent Internet Explorer defect is a "buffer overflow in a HTML conversion library." Buffer overflows in library code is not good.

TheRegister.co.uk::IE bugs keep coming [11 July 2003, top]
Do Not Call Registry Setup by the Federal Government
The Bush Administration, in association with the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC), announced on the launch of the Do Not Call Registry located at http://donotcall.gov

I have heard that there is a push to start a Do Not Email Registry to help reduce spam email messages.

[04 July 2003, top]
RIAA Goes After the Little Guy; Can Spam Act
The Recording Industry Association of America (RIAA) is going after people who "share" substantial amounts of copyrighted music over peer-to-peer networks. The RIAA states: "The law is clear and the message to those who are distributing substantial quantities of music online should be equally clear --- this activity is illegal, you are not anonymous when you do it, and engaging in it can have real consequences." The RIAA press release goes on to state: "The RIAA expects to use the data it collects as the basis for filing what could ultimately be thousands of lawsuits charging individual peer-to-peer music distributors with copyright infringement. The first round of suits could take place as early as mid-August."

The Electronic Frontier Foundation offers the following opinion.

"It's plain that the dinosaurs of the recording industry have completely lost touch with reality. At a time when more Americans are using file-sharing software than voted for President Bush, more lawsuits are simply not the answer. It's time to get artists paid and make file-sharing legal. EFF calls on Congress to hold hearings immediately on alternatives to the RIAA's litigation campaign against the American public."

RIAA.com::Press Release::
Recording Industry to Begin Collecting Evidence and Preparing Lawsuits Agaist File "Sharers" Who Illegally Offer Music Online
EFF.org:: How Not To Get Sued by the RIAA for File-sharing

[item] The Senate Commerce Committee has approved the Can Spam Act of 2003. The bill is supported by major e-mail providers, including Microsoft, AOL, Yahoo, and EarthLink, as well as online auction site Ebay. WashingtonPost.com:: Anti-Spam Bill Gains in Senate

[27 June 2003, top]
Stanford Hit Hard By the Bugbear Virus
Stanford University was hit hard by the BugbearB virus. Stanford has reminded us just how hard secure computing is. They wrote an alert to their users in which they screamed "DO NOT OPEN THAT ATTACHMENT." Screaming won't help much because many users are unconditional clickers. SecureComputing.Stanford.Edu:: Bugbear Virus Rampaging Through Campus [20 June 2003, top]
Learning About Spam in Law School
Spam Seminar -- "Regulation of Spam and Email Marketing" offered by the John Marshall Law School. [13 June 2003, top]
Learning About Writing Viruses and Malware
This fall Calgary University is offering a class titled "Computer Viruses and Malware" in which students write and test their own viruses. There are some people in the computing world that are not happy about this.

A few semesters ago I introduced the goto statement to students and they immediately started using it. This resulted the following motto: "Teach it and they will use it."

[06 June 2003, top]
The Future Says... RFID
From Yahoo!News: "Symantec Corp. is warning that there's a growing gap between the speed at which security attacks are being launched and the industry's ability to respond."

[Extra] CRN.com::Focus on Wireless::Getting a Good Read On RFID

[29 May 2003, top]
TIA Now Stands for Terrorism Information Awareness
DARPA.mil::Report to Congress Regarding Terrorism Information Awareness Program. The introduction to the report, which is only a few paragraphs long, contains the phrase civil liberties four times. The 'T' in TIA now means 'T'errorism instead of 'T'otal. The Department of Defense (DoD) made this change to help ensure U.S. citizens that the TIA program is interested in terrorists only and not the public at large. Here is a quote from DARPA's report.
"Note: The program's previous name, "Total Information Awareness" program, created in some minds the impression that TIA was a system to be used for developing dossiers on U.S. citizens. That is not DoD's intent in pursuing this program. Rather, DoD's purpose in pursuing these efforts is to protect U.S. citizens by detecting and defeating foreign terrorist threats before an attack. Therefore, to make this objective absolutely clear, on May 20, DARPA changed the program name to Terrorism Information Awareness."
[23 May 2003, top]
Flop, Flop, Fizzer, Fizzer -- Yet Another E-Virus
Fizzer is the name of a new e-virus that is spreading itself via the Internet. Like many other e-viruses it uses e-mail as it transport mechanism, but it also uses the Kazaa file-swapping application. WiredNews::Fizzer Virus Uses Kazaa to Spread. Bottom-line: do not process attachments that come from unknown sources. [16 May 2003, top]
Microsoft Passport System Cracked; Earthlink Sues a Spammer and Wins
[Item] On 08 May 2003, Microsoft announced a security breach in its Passport Online Identity Service. The defect exposed personal information, email accounts and registered credit card information for an undisclosed number of users. Microsoft indicated that the defect had been repaired, but that it "affected potentially all of its active 200 million Passport accounts." More from SecurityFocus.com.

[Item] ISP (Internet Service provider) Earthlink was used by a spammer to send over 825 million spam email message over a one year time frame. Earthlink went after the spammer in a court of law and was awarded $16+ million in damages.

[09 May 2003, top]
Copying Copyrighted Music is Criminal Activity
Chronicle.com reports that the RIAA (Recording Industry Association of America) is instituting an educational effort to stop the copying of copyrighted music files. The RIAA will scan databases made available via KaZaA and Grokster. If copyrighted material is found, then instant-messaging is used to alert users about their evil ways. [ More from Chronicle.com]

MusicUnited.net is a website devoted to Strong Internet Copyright. The website's hompage page contains the following alert.

   The unauthorized reproduction and distribution of copyrighted music is 
   JUST AS ILLEGAL AS SHOPLIFTING A CD. Burning CD's from peer-to-peer networks 
   like KaZaA, Morpheus or Gnutella is against the law. The rules are very simple. 
   Unless you own the copyright, it's not yours to distribute. 

MusicUnited.net contains numerous quotes from artists on the topic of downloading music. Here are some of those quotes copied/pasted into this webpage.

   Neil Young
   "I don't like to have a record out and have people hear 
    versions that we don't want them to hear. With the Internet, 
    there is no more privacy and not even the chance to express 
    yourself in front of your audience in the intimacy of a concert 
    that lets songs evolve. You can't do this because they immediately 
    get circulated." Yahoo! Entertainment News - January 31, 2001

   Dixie Chicks
   "It may seem innocent enough, but every time you illegally download 
    music a songwriter doesn't get paid. And, every time you swap that 
    music with your friends a new artist doesn't get a chance. Respect 
    the artists you love by not stealing their music. You're in control. 
    Support music, don't steal it."
 
   Danny Federici (E Street Band) 
   "Although music is a blessing, the parasites of piracy pollute 
    its 'specialness.' We don't need digital pimps robbing us blind of 
    our own creativity and the fruits thereof."

There are many more quotes from musicians located at MusicUnited.net.

[02 May 2003, top]
Designing and Implementing Secure Website Authentication
Security Focus has completed the first of a two part article on the security of website authentication. The first article focuses on issues surrounding usernames and passwords; issues that CSZero will study as a Summer of 2003 project. There are currently two websites that will be used for our studies: Slashdot.org and Bioinformatics.org. SecurityFocus::Auditing Website Authentication [25 April 2003, top]
Rivest, Shamir and Adelman Receive the ACM A.M. Turing Award
The 2002 ACM A. M. Turing Award has been awarded to the co-inventors of RSA -- Rivest, Shamir and Adelman. RSA is an "asymmetric algorithm for public key cryptography, widely used in electronic commerce." A Method for Obtaining Digital Signatures and Public-Key Cryptosystems (pdf) [ACM, February 1978]

Here is a copy/paste from the article's introduction.

"The era of 'electronic mail' may soon be upon us; we must ensure that two important properties of the current 'paper mail' system be preserved: a) messages are private, and (b) messages can be signed."

WikiPedia.org::Wiki::RSA

[18 April 2003, top]
CERT Advisories Leaked; CIO Prays Computers Secure; Flash Cracked
This week's posting is a clean-up of items that were queued to be posted last month (i.e. March of 2003).
  • Slashdot.org::Hacker Leaks Unreleased CERT Reports
    Generally, when security problems are found in software products, those responsible for the software do not want the problem publicly announced until there is a fix available. They worry that the lag between announcement and patch release can be used by crackers to crack the software.

  • InformationWeek.com::Rising Threat
    Information Week's article ends with the following paragraph.

    "One chief information security officer at a major financial-services firm says he welcomes all efforts to create a more secure Internet, secure software, and better tools to protect apps and networks. 'We are preparing the best we can, monitoring and hardening our systems,' he says. 'The rest is patching and praying.'"

    I'm not convinced that praying ensures secure computing.

  • CNN.com::Flash Player Poses Threat
    In its alert, the company said the vulnerability involves the player's "sandbox," which acts as a safety zone between a user's system and code downloaded from the Internet to be run within the player. The flaw, which would let an attacker create a buffer overflow, could enable an attacker to gain access to a user's system.

[11 April 2003, top]
Yet-Another Sendmail Buffer Overflow
On 29 March 2003, the Computer Emergency Response Team issued yet-another advisory against the sendmail program. According to the CERT, "Address parsing code in sendmail does not adequately check the length of email addresses. An email message with a specially crafted address could trigger a stack overflow." CERT.org::Buffer Overflow in Sendmail [Note: this advisory is in addition to the sendmail advisory issued on 03 March 2003.] [04 April 2003, top]
Google is Good, but... [mature posting]
I have promoted Google since its URL was http://google.stanford.edu . [it still works]

Time and time again I honor Google for being good. I wish I was a Google shareholder. But Google's goodness can also be used for stuff that many don't think is good. According to a Wired News article, "Google, properly leveraged, has more intrusion potential than any hacking tool." Wired.com::Google: Net Hacker Tool du Jour

Speaking of porn... Declan McCaullagh reports that "the U.S. House of Representatives are voting on a proposal that would criminalize using misleading domain names to lure unsuspecting people to sex sites." Once again, we have an example of politicians wanting to regulate the Internet. CNET::Use misleading domain name, go to jail?

Back to Google...

Google is a great source for porn. Go to Google Image Search at http://images.google.com and enter in a porn-related query string. By default, Google defaults to using a mature content filter on your initial search. [Note: how do they define mature?] Turn off this filter by clicking on the link that says "mature content filter is on" and the result is access to porn, porn, and more porn.

[28 March 2003, top]
U. of Texas Cracked -- 55,200 Social Secrity Numbers Exposed
I'm grateful The Chronicle for Higher Education provides some of their resources for free, but I wish they would start calling those who hack computer systems crackers. Chronicle.com::Hackers Seize More Than 50,000 Social Security Numbers From U. of Texas Database. The University of Texas has posted this report to their website.

[Update::15 March 2003] A computer science student at the University of Texas has been charged with cracking the school's computer system and stealing social security numbers. If convicted he may face eight years in prison and a $500,000 fine.

[14 March 2003, top]
Sendmail has a Buffer Overflow; Monster.com Warns About Identity Theft
On 03 March 2003, the CERT (Computer Emergency Response Team) issued Advisory CA-2003-07 Remote Buffer Overflow in Sendmail. This is a serious defect because sendmail is the most popularly used mail transfer agent on the Internet. The amount of daily email data processed by sendmail is huge. Here is the CERT Sendmail overview along with the beginning of their Sendmail description.
   Overview
   There is a vulnerability in sendmail that may allow remote attackers
   to gain the privileges of the sendmail daemon, typically root.

   I. Description
   Researchers at Internet Security Systems (ISS) have discovered a remotely  
   exploitable vulnerability in sendmail. This vulnerability could allow an 
   intruder to gain control of a vulnerable sendmail server.

   Most organizations have a variety of mail transfer agents (MTAs) at various  
   locations within their network, with at least one exposed to the Internet.   
   Since sendmail is the most popular MTA, most medium-sized to large organizations 
   are likely to have at least one vulnerable sendmail server.  In addition, many  
   UNIX and Linux workstations provide a sendmail implementation that is enabled 
   and running by default.

   [...]

[Side-bar] Upon hearing that Internet Security Systems, Inc. discovered the sendmail defect, I bought some stock.

[Extra] Monster.com, one of the most popular employment websites, warned clients that identity thieves are luring victims from Internet job searches. Monster.com sent email messages to people who have signed up to find jobs on their site, warning them of the potential for false job postings and identity theft. [No hyperlink provided because I couldn't find anything about this story on the Monster.com website.]

[07 March 2003, top]
Biometrics; Workplace Surveillance; Patriot Act II
FCW.com::Group issues final biometrics report
Numerous laws (e.g. USA Patriot Act and the Enhanced Border Security and Visa Entry Reform Act) include requirements for increased use of biometrics. The International Biometric Group issued a report that recommends using "multiple biometric methods of identification rather than relying on a single one and adding biometric identification to existing programs rather than replacing them." In otherwords, if you leave this country, then upon your return you may be subjected to a finger-print scan, an iris scan and a facial scan. [In addition, when approaching these various scanning devices you may be subjected to a gait scan. I dread the day of biometric brain scans -- what if there is nothing to scan?]

PrivacyFoundation.org::Workplace Surveillance Project
Surveillance in the workplace is becoming increasily prominent. This is especially true when it comes to computer usage. When using a computer it is important to remember that tools exist that can monitor every key you type on your keyboard and every movement/click of your mouse.

FindLaw.com::Patriot Act II
The Federal Government likes the USA Patriot Act so much that they are working on extending it with the Domestic Security Enhancement Act (i.e. Patriot Act II). Here is just one act that Patriot II enables: federal agents would not need a subpoena or obtain a court order to access consumer credit reports. Patriot II also could make you suspect if you used encryption tools (e.g. encrypted email). The list of potential dangers goes on and on.

[28 February 2003, top]
Oracle Buffers Overflow; Mitnick Cracked; Secure eVoting
CERT.org::Multiple Vulnerabilities in Oracle Servers
It appears Oracle is good at programming buffer overflows. Interestingly, many of the buffer overflows have to do with date and time stuff.

CNN.com::Famous Hacker Kevin Mitnick Gets Hacked
Reading this article makes me ask why is Mitnick using Microsoft product? The following quote from Mitnick will be a future GDT::QOTW::Quote Of The Week.

	"All the hackers out there figure if they can hack 
	 Kevin Mitnick's site, they're the king of the hill."
	-- Kevin Mitnick (February 2003)

SAMag.com::Secure Internet Voting with Perl
Many computer professionals are against moving to evoting systems primarily because evoting cannot be done securely. Lincoln Stein is a good programmer who realizes that evoting is going to happen someday and he knows how to write secure code. [source::CaitlinG]

[ACM.org::Crossroads] Electronic Voting

[21 February 2003, top]
Cyberwarfare... esoldier... Computing Freedoms... Privacy
I have had numerous people laugh and dismiss me because I keep pondering the responsibilities of being an esoldier. Cyberwarfare is a difficult topic to discuss publicly. WashingtonPost.com::Bush Orders Guidelines for Cyber-Warfare

Cyberwarfare could result in computer systems like these found in Norway's Oslo Central Station.

[14 February 2003, top]
Gee-wiz...Yet Another Governmental Computing System; About Sapphire Slammer
Shortly after the 11 September 2001 attack on American, the National Communication System (NCS) began work on the Global Early Warning Information System (GEWIS) ("gee-whiz"). The agency responsible for GEWIS currently pays numerous telecom and Internet service provides for Internet related data. According to a Washington Post article the "White House believes the monitoring center is necessary because no single entity in the government or private sector has more than a limited view of the global communications network."
WashingtonPost.com::Feds Building Internet Monitoring Center

[Extra] Berkeley.edu::The Spread of the Sapphire/Slammer Worm
Here is the last paragraph in the document.

" Though very simple, Sapphire represents a significant milestone in the evolution of computer worms. Although it did not contain a destructive payload, Sapphire spread worldwide in roughly 10 minutes causing significant disruption of financial, transportation, and government institutions. It clearly demonstrates that fast worms are not just a theoretical threat, but a reality -- one that should be considered a standard tool in the arsenal of an attacker."

[07 February 2003, top]
College Computing:: Secure Email; SEVIS Cracked; Homeland Security
It is EOM (End-Of-Month) clean-up. This week's posting consists of three articles from Chronicle.com concerning computer security at colleges and universities.

Chronicle.com::U. of Colorado at Boulder Adopts Encrypting Links for E-Mail Software
The Unversity of Colorado has switched to using an encrypted email system. Here a quote of a school official: "One person's insecurity is a risk to the whole organization."

Chronicle.com::Hacker Steals Personal Data on Foreign Students at U. of Kansas
The SEVIS at the University of Kansas was cracked and information on more than 1,400 foreign students was stolen. According the Chronicle.com article the crack was possible due to the school updating the security features on its Microsoft operating system.

Chronicle.com::Homeland Security Demands Tough For Colleges
A crucial component to Homeland Security is tracking people using computers. College computer systems make good tracking tools. What many politicians don't understand is that most computer systems are not secure and colleges cannot afford to hire people who have the skills to provide a secure computing environment. According to a Chronicle.com article, a panel of computer security experts indicated that colleges " must expand their curriculums to include more courses and degree programs in information security. Last year, U.S. universities awarded only 28 Ph.D. degrees in information security."

[31 January 2003, top]
ASU and Edgeos Cybersecurity Seminar; CERT Advisories
I am looking forward to hearing Jay Jacobson speak on Tuesday, 28 January 2003, at the following seminar.
Arizona State University (ASU) College of Extended Education and Edgeos, the automated information security and hacker sciences company, announced a new CyberSecurity seminar for Arizona business leaders and professionals. The noontime seminar, presented by Edgeos CEO Jay Jacobson is titled: Hacker's Paradise or Worst Nightmare - How your computer is viewed from the Internet. The goal of the seminar is to educate business professionals about real-world cybersecurity risks and present a simple, non-technical, practical approach for hacker prevention.
Those of us who have computers connected to the Internet are lucky Jacobson is good guy. [Note: this seminar is being held on ASU Phoenix downtown campus. I'm looking forward to visiting Ed The Hotdogger.]

[Extra]
There were two CERT Advisories issued this week.

"The CVS server component contains a 'double-free' vulnerability that can be triggered by a set of specially crafted directory requests. While processing these requests, an error-checking routine may attempt to free() the same memory reference more than once. Deallocating the already freed memory leads to heap corruption, which an attacker could leverage to execute arbitrary code, alter the logical operation of the CVS server program, or read sensitive information stored in memory. In most cases, heap corruption will result in a segmentation fault, causing a denial of service. The CVS server process is typically started by the Internet services daemon (inetd) and runs with root privileges. Arbitrary code inserted by an attacker would therefore run with root privileges."
[ CERT.org::Double-Free Bug in CVS Server]
And...
"A buffer overflow in the Windows Locator service may make it possible for a remote attacker to execute arbitrary code on a vulnerable system by sending an overly large request to the Windows Locator service. Microsoft describes the Windows Locator service as 'a name service that maps logical names to network-specific names.'"
[ CERT.org::Buffer Overflow in Windows Locator Service]

[24 January 2003, top]
DeVry and UofP are Spammers
I've been getting University of Phoenix spam for a long time. I spent time speaking with two people who work for the University of Phoenix about how their school is a spammer. [This was news to them.]

Today, my thurmunit@yahoo.com email account is attacked with spam from DeVry University.

DeVry tells me to "Increase your income with a Degree."

If DeVry is-a University, then they should give up spamming.

If the University of Phoenix and DeVry University are spammers by accident, then they can remove the defects from their computing practices; however, if they are knowingly sending spam, then I say foo to them.

When I put on my Computer Professional hat, then I have to ponder what I will do if I receive spam from Maricopa.edu. My actions, if necessary, will be influenced by this quote from Andrew Koenig.

[Extra] This posting coincides with the start of the Spring 2003 semester; therefore, it seems only fitting that we start the semester with YABO CERT Advisory. (YABO: Yet Another Buffer Overflow)

[17 January 2003, top]
IEEE.org::Dave Farber Speaks About Cybersecurity
IEEE.org has posted a cybersecurity article by Dave Farber in which he states it is time for government and industry to shut-up and put-up when it comes to computer security. Here is a couple of quotes from the article.
"Cybersecurity encompasses most of the domain of computer communications technology and management. To protect a cyberinfrastructure, you must protect each building block. For example, it does little good to protect the computer system hardware and software if untrustworthy operators and programmers can make compromising changes. Every facet of the infrastructure must be examined and protected. These include physical locations, computer hardware, networking, operating systems, applications, and management practices."

"Systems never have the chance to become even relatively bug free before being replaced with still more complicated systems with a new set of critical bugs. Our understanding of software design methodology has improved-but at nowhere near the pace needed to match the rapid increase in complexity."

Fame, but No Riches for Cybersecurity from IEEE.org. [ Farber is a Guru] [10 January 2003, top]
RFC 1087::Ethics and the Internet
RFCs (Requests For Comments) document the Internet. I don't recall where, but I recently read RFC 1087.
   Network Working Group                          Internet Activities Board
   Request for Comments: 1087                                  January 1989


                           Ethics and the Internet

                           Status of this Memo

   This memo is a statement of policy by the Internet Activities Board
   (IAB) concerning the proper use of the resources of the Internet.
   Distribution of this memo is unlimited.

   Introduction

   At great human and economic cost, resources drawn from the U.S.
   Government, industry and the academic community have been assembled
   into a collection of interconnected networks called the Internet.

   [...]

RFC 1087::Ethics and the Internet

[03 January 2003, top]


Author: Gerald D.Thurman [deru@deru.com]
Last Modified: Saturday, 05-Jan-2013 11:17:39 MST

Thanks for Visiting