Earl Bockenfeld: Security

Zotob Outbreak Leads To Worm War III

Sat, 20 Aug 2005 02:53:32 GMT

Zotob Outbreak Leads To Worm War III

The internet has become a gangland war zone and your computer is the street corner being fought over.

Shortly after someone published exploit code for a newly discovered Windows 2000 flaw, someone created the Zotob worm. Once installed, Zotob will try to seek out and infect other computers on the same network. It also opens a backdoor trojan that allows someone to access the infected machine.

Several slightly different versions of Zotob have been released. The creators of these separate versions apparently have gone to war with each other. Now owners of infected computers not only have to deal with a virus infection. They also are dealt the double indignity of seeing their machine become a battleground, as the different Zotob worms try to exterminate each other.

In the past, people released viruses and worms for bragging rights. They wanted to show their fellow miscreants how cool they were, so they would infect millions of computers for the hell of it. These days, an infected computer is worth money.

Everyone - from spammers to organized crime to international terrorists - pay good money for control of large networks of infected computers. These computers can be used to send spam. They can be used to launch denial of service attacks. They can be used for a number of illegal things.

An infected computer now is "turf" belonging to whoever can take the machine and keep it. If a competitor is discovered, that competitor must go. The best way to avoid being hit in the crossfire of this or any future computer gang war is to have a policeman nearby. By that, I mean that you must have an antivirus program which is kept up-to-date on a constant basis.

You also need to make sure you install Windows security updates, as soon as they come out. Turn on automatic updates or visit http://windowsupdate.microsoft.com at least once a week. Microsoft Updates usually are released on the second Tuesday of each month. Occasionally, a very critical update is released off schedule, so take the time to check at least once a week.

New Rules for Paranoid Computing

Tue, 16 Aug 2005 04:19:21 GMT

New Rules for Paranoid Computing

Recently a fellow told me that he was quitting the Internet! He had enough and didn’t want anymore. No more spam, no more viruses, no more spyware, he just felt it was not worth it. "I'm shutting of my broadband connection. It's become too invasive to my privacy and it seems that one has to have more and more protection and I'm just tired of what is going on with the internet." If this speaks to you, maybe some of these suggestions could put more fun back improve your internet surfing.

However I'm not because so far I don't really find it that difficult to avoid infections. A few relatively simple things minimize the risk:

1) Use Antivirus software and keep it up to date, Grisoft's AVG is free, effective, and doesn't mess up my machine like some other popular Antiviruses I could name
2) A firewall, some free ones such as Zonealarm or Sygate Personal are also quite

good
3) Use text at the very least to preview email, Chilton Preview for Outlook is very effective
4) Change things like .vbs and .reg files to open with a text editor in Windows by default
5)Don't use Internet Explorer! I've used Opera for years but now use Firefox for almost all my browsing, but occasional tricky site ends up requiring IE for a short time.
6) Disable the Messenger service in XP
7) If it looks weird don't open it! Don't trust your relatives on the internet!
8) Be stealthy, very few internet sites really need your email address, get a webmail account just for the junk mail

Selecting a good password is an important part of password security. The key is to find a password that is easy for you to remember and hard for others to guess.

Create a good (strong) password:

1) Include both uppercase and lowercase letters (case-sensitive).
2) Include both letters and numbers (alpha-numeric).
3) Do not include your login name, a.k.a. username, in any form (as-is, reversed, capitalized, doubled).
4) Avoid words that can be found in a dictionary (including foreign and technical dictionaries).
5) Do not use a password that has been given as an example of a good password.

Create an easy to remember password:

One possible way to pick a good password is to make up your own acronym. Create a phrase that has meaning to you and pick the first letter of each word. Make sure your phase has numbers in the middle. A combination of numbers and letters is harder to guess or crack with a computer program.

For example:
"I love to shop for sandals in the Spring." (Il2s4sitS)
2) "I'm going to work out 3 times a week." (Ig2wo3taw)
3) "Last summer I caught a 30 inch striped bass." (LsIca30isb)

A similar method is to take out all the vowels from a short phrase.

For example:
1) "I work 8 hours a day." (wrk8hrsdy)
2) "You're once, twice, three times a lady." - Lionel Richie (Yr123tmsLdy)

Protect your Password:

1)Memorize your password.
2) If you must write down your new password because you are afraid to forget it, then:
2A) Never write your username and your password on the same piece of paper.
2B) Do not place a written copy of your password on the side of your monitor, under your keyboard, etc.
3) Destroy the written copy as soon as you have memorized your password.
4) Do not allow anyone to look over your shoulder while you are entering your password.
5) Change your password often.
6) Change your password immediately if it has been compromised.

One phenomenon that has become quite obvious from the vast numbers of virus victims over the last year is that people click first and ask questions later. Maybe we're inspired by the false belief that firewalls, antivirus software, and anti-spyware programs protect us from all viruses, worms, and intrusive programs. But even the best of these shields can't always protect you from your biggest security threat: yourself.

Don't click e-mail attachments: Most viruses and worms arrive on your PC in the form of e-mail attachments. A few of them exploit security flaws in Windows or in your browser to launch automatically, but if you keep your programs updated, your chances of being infected via this route are slim to none.
Don't believe the return address: Though an e-mail message may claim it's from your bank, your ISP, or even your boss, that doesn't mean it is. Spammers and virus mailers generally spoof the From address field in their messages with a legitimate address that they've stolen. You may even have received spam from yourself as a result of this clever technique.
Of course, not all e-mail is bad. But if a message from a coworker or friend insists that you launch a file attachment, first confirm with the sender what the file is (make a call or send an e-mail asking whether the purported sender in fact e-mailed the file attachment, and whether it is indeed intended for you). If you have any doubts about the legitimacy of the message and its attachment, delete them.
Don't believe the message: To persuade you to launch a virus-laden mail attachment or provide your personal information, virus authors must earn your trust. They try to accomplish this by composing convincing-looking messages that appear to be sent from Microsoft, your ISP, or some other entity you do business with. The message may even contain links to a counterfeit version of the company's Web site, complete with genuine-looking graphics and corporate logos.
Often the message laments that the company is experiencing technical problems, and that it needs you to click an executable attachment. You don't need to rely on your intuition to determine whether this message is truthful. If the message hasn't been verified by a company representative via phone or in person, it almost certainly contains a virus. Microsoft doesn't e-mail updates to its customers, and neither should your ISP.
Don't believe the link, either: A link in an e-mail message that claims to point to a Citibank Web site may not really go there. Devious phishing scams use the wonders of HTML to snooker you into uploading your Social Security number, PIN, credit card number, password, or other sensitive data to a scammer's Web site. A carefully crafted e-mail message purporting to be from your bank, PayPal, or some other institution (and often also containing links to the real company's Web site) warns that you must update your records there. The biggest tip-off should be this: Banks and ISPs don't lose your information and then send e-mail requests for you to reenter it online. Another tip-off is that the link text and the real underlying URL don't match. Always examine log-in Web pages and their URLs closely. The site sends unsuspecting Citibank customers to a non-Citibank site (which no longer exists, fortunately). If you do get hooked by creeps on a phishing expedition, notify your bank, ISP, or other institution immediately.

Practice abstinence. Resist viewing or replying to messages from questionable sources or opening dubious attachments-- most viruses, worms and Trojans enter computers this way. If the email seems too good to be true, it probably isn't. Many schemes use `social engineering' methods to lure unsuspecting users into revealing personal information or into confirming their email address for use in more schemes or spam.

Make sure your antivirus and personal firewall software is up to date. An updated antivirus program blocks incoming threats from known viruses and worms while an updated personal firewall blocks incoming threats from hackers, identity thieves and even new, unknown viruses and worms. Make sure that your personal firewall provides outbound protection measures, too. Outbound protection is vital in case malicious code does make it onto the PC and starts trying to 'call home' to establish a back door method for hackers to disguise their activities.

Schedule a monthly check-up. Vulnerability patches and bug fixes are released often, but you don't always hear about them. Take a few minutes one day a month to check for updates on all your software vendors' Web sites.

Who Will Be Watching The Watchers

Thu, 21 Apr 2005 17:29:09 GMT

Who Will Be Watching The Watchers

Very interesting article by Kim Zetter, in Wired, about wearable computing guru Steve Mann. Mann's made it his mission to make people more aware of surveillance cameras around them by engaging in what he calls "equiveillance through sousveillance":

The opposite of surveillance -- French for watching from above -- sousveillance refers to watching from below, essentially from beneath the eye in the sky. It's the equivalent of keeping an eye on the eye.
With that in mind, Mann conducted his tour with conference participants to see how those conducting surveillance would respond to being monitored.

Mann sported his signature camera eyewear, while some of the other participants wore CFP conference bags around their necks. The bags had a dark plastic dome stitched on one side -- modeled after store surveillance domes -- which they pointed randomly at passersby, unnerving them. Conference organizers had outfitted a handful of the bag domes with wireless webcams -- they wouldn't say which bags contained cameras -- which transmitted and recorded live streaming video to monitors in the conference lobby.

In the stores, as conference attendees snapped pictures of three smoked domes in the ceiling of a Mont Blanc pen shop, an employee inside waved his arms overhead. The intruders interpreted his gesture as happy excitement at being photographed until a summoned security guard halted the photography.

Mann asked the guard why, if the Mont Blanc cameras were recording him, he couldn't, in turn, record the cameras. But the philosophical question, asked again at Nordstrom and the Gap, was beyond the comprehension of store managers who were more concerned with the practical issues of prohibiting store photography.

At the Gap, photographers were told they couldn't take pictures because the Gap didn't want competitors to study and copy its clothing displays. At Nordstrom, an undercover security guard who looked like Baby Spice and sported a badge identifying her as Agent No. 1, summoned a manager who told Mann that customers would be disturbed by the handheld cameras.

Illogically, she didn't have a problem with participants pointing their conference bag domes around the store to take photos, just with the handheld cameras.

Mann said that duplicity is often necessary in order to mirror the Kafkaesque nature of surveillance.

He has designed a wallet that requires someone to show ID in order to see his ID. The device consists of a wallet with a card reader on it. His driver's license can be seen only partially through a display. And in order for someone to see the rest of his ID, they have to swipe their own ID through the card reader to open the wallet.

He also made a briefcase that has a fingerprint scan that requires the fingerprint of someone else to open it.

Mann quoted Simon Davies of Privacy International, a London-based nonprofit that monitors civil liberties issues: "The totalitarian regime is the regime that would like to know everything about everyone but reveal nothing about itself," Mann said.

He considered such a government an "inequiveillant regime" and likened it to signing a contract with another party without being allowed to keep a copy of the contract.

"What I argue is that if I'm going to be held accountable for my actions that I should be allowed to record ... my actions," Mann said. "Especially if somebody else is keeping a record of my actions."

"In Europe, data is owned by the person to whom it relates. In the United States, data becomes the property of the company which collects it," said Simon Davies, director of Privacy International, a London-based lobbying group. What is more personal than your likeness, either on film or digital format, so if you should own your name, address, phone number, SS number, etc - then you own your pictures taken with or without your knowledge or approval. Many groups concerned about privacy want the US to adopt the European ownship of personal data.

Earth To Humankind: Back Off

Wed, 13 Apr 2005 15:20:40 GMT

Earth To Humankind: Back Off

[Link - Say good-bye to your car, computer, everything. We are burning up the planet too fast to hang on]

The Earth is going down. Way, way down. To the mat, hard and painful and with a sad moaning broken-boned crunch. Don't take my world for it. Just read the headlines, the latest major, soul-stabbing report.

It's one of those stories that sort of punches you in the karmic gut, about how they just completed this unprecedented, four-year, $24 million, U.N.-backed study involving 1,360 scientists from 95 nations who all pored over thousands of satellite images and countless scientific reports and reams of stats, and they all distilled their findings down to one deadly, heartbreaking summary.

And here it is: We, humankind, people, sentient carbon-based biped creatures, only us and no one else but us because it sure as hell ain't the goddamn lions or caribou or meerkats or rhododendrons, we humans have, in our shockingly short time one this wobbly sphere, used up a staggering 60 percent of the world's grasslands, forests, farmland, rivers and lakes.

That's right, 60 percent. Gone. Burned up. Used up. Much of it irreversibly. These are the basic ecosystem services that, simply put, sustain life on Earth. The glass ain't even half full, people. It's about three-fifths empty and draining fast and we are doing our damnedest to expedite the process because, well, this is just who we are.

[skip]

And this heartbreaking study, it comes hot on the heels of one of the most distressing and sobering pieces of journalism I've read in ages, an excerpt from a book by James Howard Kunstler called "The Long Emergency," all about the imminent and staggering oil/natural gas crisis now looming large over the U.S. and the world, a crisis of such dire proportions that it will very soon reshape American life like nothing since the Industrial Revolution. Except in reverse.

It's about peak oil. It's coming within a year or two. It means we've essentially siphoned off all the easily attainable oil on the planet (about 50 percent of the grand total) and getting to the remaining 50 percent -- the lower-quality stuff that's buried deep in rock or in impossibly difficult locations or that lies underneath countries where the people absolutely hate us -- will be so fraught and expensive and hypercompetitive that it will mean not only, in the immediate future, much more war and strife and pain but also, in the next decade or two, a radical -- and I do mean radical -- reshaping of life as we know it.

Petroleum and gas will become incredibly scarce and everything we know about consumer culture, travel, products, Wal-Mart, easy access to all daily goods and services, will essentially vanish, and we will return to a intensely local, viciously competitive agricultural model of raw survival. Read this article now about survival skills, and be empowered and amazed.

Another important source of knowledge which we should take advantage of before it vanishes entirely is our senior citizens. Many elderly people grew up in a world where wilderness lore was common knowledge. Talk to them. You may be surprised at the wealth of their knowledge, and those who possess it are usually quite willing to pass it on if you approach them correctly.

[skip]

But if these scientific studies and stories are to be believed -- and there's little reason to think otherwise -- that fire is about to get one hell of a lot hotter. Stock up on duct tape. And water. And hope.

Leaving U.S.? Passport may be needed to get back in

Fri, 08 Apr 2005 02:14:08 GMT

Leaving U.S.? Passport May Be Needed To Get Back In

THE BUSH ADMINISTRATION'S announcement that U.S. citizens are soon going to need passports to get back into their country from Mexico and Canada, is being played as a way to keep Americans safer. But like most everything else this president has done in the name of security, the only things there will be more of if this measure goes through are bureaucracy, hassles for Americans who don't have passports and never needed them before to travel to Mexico or Canada, and bad feeling between the United States and its neighbors. Already, Canada has announced that it might require Americans to show passports before they can enter Canada.

Potential terrorists are probably the only demographic group who will not be deterred by the new passport requirement. Since when have terrorists been intimidated by the need to carry a passport? Back in February, 2002, the New York Times ran an article by Jeff Goodell about passport forgery. Goodell asked Alain Boucar, the director of Belgium's antifraud unit, how long it would take him to put someone else's photograph in Goodell's passport.

Boucar examines it. It's a standard United States passport, issued eight years ago, with a laminated photo page. ''Five minutes.''

He sticks his thumbnail into a corner of the laminate, showing me how you can peel it back. (You can loosen the laminate by sticking it in the freezer or a microwave oven -- it depends on the type of laminate -- or, better yet, by dissolving the adhesive with Undu, a product that is easily ordered on the Internet.) Boucar then points to the little blue emblem, called a guilloche, that overlaps the photo and the passport page and is supposed to make the photo difficult to remove. ''You might see a little line here. But if I do a good job, you would not notice.'' Of course, that person would have to be around the same age, height and weight as me, but Boucar's point is well taken: doing a passable job of doctoring a typical passport is not very hard.

Boucar then explains the tricks criminals use to fill in stolen blanks: how they feed passports into laser printers, for example. Or how they can create a perfectly good dry stamp -- an inkless stamp that leaves an embossed image on paper and is used to authenticate the passports of many countries -- by placing an old vinyl record over a passport marked with a real seal, then heating the record with an iron; the record is then pressed onto a fresh passport. Candle wax also works. As for ink stamps, they pose no challenge at all. Years ago, forgers would cut a fresh potato in half and use it to transfer a stamp from one passport to another. Today ''you just scan the page of a passport into a computer, print it out, then take it to a copy shop,'' Boucar says. ''They'll make you a rubber stamp in two minutes.''

And, oh, yeah. Most who don't now have passports will wait, and then they'll get stuck with the "new, improved" ones, with the special RFID chip that can be used to track citizens, via radio, remotely, as they travel, at airports, or any other place.

Those passports have the EU kind of pissed off, too.

Bush and his groupies have a positive genius for coming up with the policies most likely to alienate people and make international relations worse. It really is absolutely astounding. Pissing off neighbors is just a bonus.

Biometrics: Truths and Fictions

Mon, 04 Apr 2005 06:00:57 GMT

Biometrics: Truths and Fictions

by Bruce Schneier, President Counterpane Systems

Biometrics are seductive: you are your key. Your voiceprint unlocks the door of your house. Your retinal scan lets you in the corporate offices. Your thumbprint logs you on to your computer. Unfortunately, the reality of biometrics isn't that simple.

Biometrics are the oldest form of identification. Dogs have distinctive barks. Cats spray. Humans recognise each other's faces. On the telephone, your voice identifies you as the person on the line. On a paper contract, your signature identifies you as the person who signed it. Your photograph identifies you as the person who owns a particular passport.

What makes biometrics useful for many of these applications is that they can be stored in a database. Alice's voice only works as a biometric identification on the telephone if you already know who she is; if she is a stranger, it doesn't help. It's the same with Alice's handwriting; you can recognize it only if you already know it. To solve this problem, banks keep signature cards on file. Alice signs her name on a card, and it is stored in the bank (the bank needs to maintain its secure perimeter in order for this to work right). When Alice signs a check, the bank verifies Alice's signature against the stored signature to ensure that the check is valid.

There are a bunch of different biometrics. I've mentioned handwriting, voiceprints, and face recognition. There are also hand geometry, fingerprints, retinal scans, DNA, typing patterns, signature geometry (not just the look of the signature, but the pen pressure, signature speed, etc.), and others. The technologies behind some of them are more reliable than others, and they'll all improve.

"Improve" means two different things. First, it means that the system will not incorrectly identify an impostor as Alice. The whole point of the biometric is to prove that Alice is Alice, so if an impostor can successfully fool the system it isn't working very well. This is called a false positive. Second, "improve" means that the system will not incorrectly identify Alice as an impostor. Again, the point of the biometric is to prove that Alice is Alice, and if Alice can't convince the system that she is her then it's not working very well, either. This is called a false negative. In general, you can tune a biometric system to err on the side of a false positive or a false negative.

Biometrics are great because they are really hard to forge: it's hard to put a false fingerprint on your finger, or make your retina look like someone else's. Some people can mimic others' voices, and Hollywood can make people's faces look like someone else, but these are specialized or expensive skills. When you see someone sign his name, you generally know it is him and not someone else.

Biometrics are lousy because they are so easy to forge: it's easy to steal a biometric after the measurement is taken. In all of the applications discussed above, the verifier needs to verify not only that the biometric is accurate but that it has been input correctly. Imagine a remote system that uses face recognition as a biometric. "In order to gain authorization, take a Polaroid picture of yourself and mail it in. We'll compare the picture with the one we have in file." What are the attacks here?

Easy. To masquerade as Alice, take a Polaroid picture of her when she's not looking. Then, at some later date, use it to fool the system. This attack works because while it is hard to make your face look like Alice's, it's easy to get a picture of Alice's face. And since the system does not verify that the picture is of your face, only that it matches the picture of Alice's face on file, we can fool it.

Similarly, we can fool a signature biometric using a photocopier or a fax machine. It's hard to forge the vice-president's signature on a letter giving you a promotion, but it's easy to cut his signature out of another letter, paste it on the letter giving you a promotion, and then photocopy the whole thing and send it to the human resources department...or just send them a fax. They won't be able to tell that the signature was cut from another document.

The moral is that biometrics work great only if the verifier can verify two things: one, that the biometric came from the person at the time of verification, and two, that the biometric matches the master biometric on file. If the system can't do that, it can't work. Biometrics are unique identifiers, but they are not secrets. (Repeat that sentence until it sinks in.)

Here's another possible biometric system: thumbprints for remote login authorizations. Alice puts her thumbprint on a reader embedded in the keyboard (don't laugh, there are a lot of companies who want to make this happen). The computer sends the digital thumbprint to the host. The host verifies the thumbprint and lets Alice in if it matches the thumbprint on file. This won't work because it's so easy to steal Alice's digital thumbprint, and once you have it it's easy to fool the host, again and again. Biometrics are unique identifiers, but they are not secrets.

Which brings us to the second major problem with biometrics: it doesn't handle failure very well. Imagine that Alice is using her thumbprint as a biometric, and someone steals it. Now what? This isn't a digital certificate, where some trusted third party can issue her another one. This is her thumb. She only has two. Once someone steals your biometric, it remains stolen for life; there's no getting back to a secure situation. (Other problems can arise: it's too cold for Alice's fingerprint to register on the reader, or her finger is too dry, or she loses it in a spectacular power-tool accident. Keys just don't have as dramatic a failure mode.)

A third, more minor problem, is that biometrics have to be common across different functions. Just as you should never use the same password on two different systems, the same encryption key should not be used for two different applications. If my fingerprint is used to start my car, unlock my medical records, and read my email, then it's not hard to imagine some very bad situations arising.

Biometrics are powerful and useful, but they are not keys. They are useful in situations where there is a trusted path from the reader to the verifier; in those cases all you need is a unique identifier. They are not useful when you need the characteristics of a key: secrecy, randomness, the ability to update or destory. Biometrics are unique identifiers, but they are not secrets.

RFID tags: Big Brother in Small Packages

Mon, 04 Apr 2005 05:12:02 GMT

RFID tags: Big Brother in Small Packages

Could we be constantly tracked through our clothes, shoes or even our cash in the future?

I'm not talking about having a microchip surgically implanted beneath your skin, which is what Applied Digital Systems of Palm Beach, Fla., would like to do. Nor am I talking about John Poindexter's creepy Total Information Awareness spy-veillance system.

Instead, in the future, we could be tracked because we'll be wearing, eating and carrying objects that are carefully designed to do so.

The generic name for this technology is RFID, which stands for radio frequency identification. RFID tags are miniscule microchips, which already have shrunk to half the size of a grain of sand. They listen for a radio query and respond by transmitting their unique ID code. Most RFID tags have no batteries: They use the power from the initial radio signal to transmit their response.

It becomes unnervingly easy to imagine a scenario where everything you buy that's more expensive than a Snickers will sport RFID tags, which typically include a 64-bit unique identifier yielding about 18 thousand trillion possible values. KSW-Microtec, a German company, has invented washable RFID tags designed to be sewn into clothing. And according to EE Times, the European central bank is considering embedding RFID tags into banknotes by 2005.

The privacy threat comes when RFID tags remain active once you leave a store. That's the scenario that should raise alarms--and currently the RFID industry seems to be giving mixed signals about whether the tags will be disabled or left enabled by default.

Gillette Vice President Dick Cantwell said that its RFID tags would be disabled at the cash register only if the consumer chooses to "opt out" and asks for the tags to be turned off. "The protocol for the tag is that it has built in opt-out function for the retailer, manufacturer, consumer," Cantwell said.

Wal-Mart, on the other hand, says that's not the case. When asked if Wal-Mart will disable the RFID tags at checkout, company spokesman Bill Wertz told Gilbert: "My understanding is that we will."

If the tags stay active after they leave the store, the biggest privacy worries depend on the range of the RFID readers. There's a big difference between tags that can be read from an inch away compared to dozens or hundreds of feet away.

Privacy worries also depend on the size of the tags. Matrics of Columbia, Md., said it has claimed the record for the smallest RFID tag, a flat square measuring 550 microns a side with an antenna that varies between half an inch long to four inches by four inches, depending on the application. Without an antenna, the RFID tag is about the size of a flake of pepper.

First, consumers should be notified--a notice on a checkout receipt would work--when RFID tags are present in what they're buying. Second, RFID tags should be disabled by default at the checkout counter. Third, RFID tags should be placed on the product's packaging instead of on the product when possible. Fourth, RFID tags should be readily visible and easily removable.

UPDATE: When such tools become widely available, hackers and those with less pure motives could use a handheld device and the software to mark expensive goods as cheaper items and walk out through self checkout. Underage hackers could attempt to bypass age restrictions on alcoholic drinks and adult movies, and pranksters could create confusion by randomly swapping tags, requiring that a store do manual inventory.

Grunwald's software program, RFDump, makes rewriting RFIDs easy. While there are significant malicious uses of the program, consumers could also use it to protect themselves, he said.

"Everyone should have the right, once they leave the store, to erase the RFID tags," he said. Deleting information on the tags would allow people to stop RFID checkpoints in stores and other places from tracking which products they are carrying, or which have been inserted under their skin.

EEF Electronic Frontier Foundation is working to prevent the embrace of this technology from eroding privacy and freedom.

CASPIAN Consumers Against Supermarket Privacy Invasion And Numbering

New Virus Targets On-board Car Computers

Sun, 06 Feb 2005 18:16:50 GMT

New Virus Targets On-board Car Computers

New Virus Targets On-board Car Computers LINK

By Santosh Beharie

Owners of vehicles with onboard computers should brace themselves for an onslaught by hi-tech criminals who are causing havoc by infecting the devices with viruses.

Those with systems such as satellite navigation have been warned to secure the devices, after reports last week that the on-board computers of several Lexus models in the United States had been infected via cellphones.

And security experts in South Africa believe it is only a matter of time before local vehicles are targeted.

Ian Melamed, principal consultant at Shaya Technologies in Johannesburg, said computer viruses were now so widespread, they were starting to attack new devices such as cellphones and even on-board computers in cars.
“If a device can carry data, it can carry a computer virus,” he said.

Melamed said about 150 000 cars in the US had been affected last week.

“Many of the vehicles also had their security codes breached,” said Melamed, a former computer expert with Interpol. “And with our high car theft and hijacking rate, it is only a matter of time before car owners in South Africa become targets. It is only a matter of time before these criminals (in the US) brag about their achievements on the Internet and spread the information on how to spread the virus or breach a vehicle’s computer security code.”

Many of the vehicles had satellite navigation systems linked to hands-free phone kits, via wireless Bluetooth technology and this was likely how the on-board systems of the cars had become infected, said Melamed.

“We are already starting to see a significant jump in the number of viruses affecting mobile devices such as cellphones and hand-held computers,” Melamed said. “As technology becomes more mobile, it is becoming increasingly important to guard against virus infections.

Although the viruses found on mobile devices are less advanced than those found on traditional computer networks, experts have warned that this will not be the case for long.

“We expect to see more elaborate viruses targeting mobile devices – viruses that are able to cripple those machines or steal the information housed in them,” said Melamed.

Melamed warned owners of such devices to always disable Bluetooth connectivity when possible.

“On-board devices in vehicles and mobile devices so readily available all pose a serious risk, once activated on a universal platform,” he said.

Automobile Virus Update

Lexus cars may be vulnerable to viruses that infect them via mobile phones. Landcruiser 100 models LX470 and LS430 have been discovered with infected operating systems that transfer within a range of 15 feet.

It seems that no one has done this yet, and the story is based on speculation that a cell phone can transfer a virus to the Lexus using Bluetooth. But it's only a matter of time before something like this actually works.

As for virus attacks and embedded systems well... Some (mainly older systems) are immune which are ROM based with insufficient RAM/Registers for executable code to be stored or operated. Until recently this would almost certainly have been true for all automobile based systems, however some now use FLASH ROM's and even smart/memory cards.

I guess a consequence of cheaper memory and short software development cycles requiring upgradeability as a standard is that we will get people developing attacks in exactly the same way as for motherboards in PCs. I guess it will soon be possible for my fridge to be made to think it's a microwave oven or a coffee machine with results that would delight and amuse a 7 year old attacker.

Automobile Viruses and DSRC from Thinking About Technology suggests how DSRC increases vulnerability. DSCR allows high-speed communications between vehicles and the roadside, or between moving vehicles, suggests other scenarios that could be more serious. What if a car thief can call his pick of any of a new model of a high end car and make it shut its engine off, all he needs for carjacking is a threatening demeanor. Worse yet, if he can call the police cars behind him and tell them to shut down, he has an excellent chance of escaping his pursuers.

Anti-Adware Misses Most Malware

Tue, 01 Feb 2005 18:22:58 GMT

Anti-Adware Misses Most Malware

By Brian Livingston

Now that 80% of home PCs in the U.S. are infected with adware and spyware, according to one study, it turns out that nearly every anti-adware application on the market catches less than half of the bad stuff.

That's the conclusion of a remarkably comprehensive series of anti-adware tests conducted recently by Eric Howes, an instructor at the University of Illinois.

Howes, a well-known researcher among PC security professionals, collected 20 different anti-adware applications. He then infected a fresh install of Windows 2000 SP4 and Office 2000 SP3 with several dozen adware programs in separate stages. Finally, he counted how many active adware components were removed by each anti-adware product.

(Note: I use the single term "adware" in this article to refer to both "adware" and "spyware." Since it's not necessary for a spyware program to "call home" to be disruptive, the distinction between adware and spyware is meaningless. All such programs display ads or generate revenue for the adware maker in some other way. )

Howes's tests were conducted over a period of weeks in October 2004. His results were mentioned at the time in several places, including Slashdot and eWeek.

[skip]

Howes's test results sprawl over six long Web pages, with no overall totals or summary of the figures. It's a daunting body of data, but its bottom line is explosive. Adware seems to be evolving much faster than anti-adware, and the battle is so far being won by the adware side.

Each anti-adware application, according to Howe, removed a certain percentage of "critical" adware components. These are executable .exe and .com files, dynamic link library (.dll) files, and Windows Registry entries (autorun commands and the like).

Almost all the anti-adware programs that were tested removed fewer than half of the hundreds of adware components Howes cataloged. The best at removing adware was Giant AntiSpyware, but even that program removed less than two-thirds of a PC's unwanted guests.

Howes's tests were conducted before the Microsoft Corp. announced in December that it was purchasing Giant Company Software outright. For that reason, the tests use the version of Giant AntiSpyware that was available in October and not the newer Microsoft beta version that's currently available.

Even so, with Giant's application removing 63% of a PC's adware components, and its nearest competitor, Webroot Spy Sweeper, removing less than 50%, it's clear that Microsoft has a potential winner on its hands.

How to defend yourself against adware

First, let me make my opinion clear: The installation of adware should be illegal and harshly punished. Adware has exploded because it offers big economic incentives for its sponsors. They'll never adequately inform PC users about their software before it's installed. This troubling aspect of adware will never be wished away.

Only software that a PC user specifically consents to should legally be able to install — and "end-user license agreements" that stretch off the screen should never be counted as consent. (This isn't a knock on "ad-supported software," such as the Opera browser. Such legitimate software is clearly integrated with its advertising and makes it easy to shut off the ads by registering.)

In reality, today's tech-illiterate legislatures will never ban adware — if they could even think of an effective legal approach to do so. We need to engage the battle on a technical level instead.

To understand adware, you first need to know how PCs get it. The ways that Howes obtained the adware he used in his tests provide us with some perfect examples:

Software downloads. For one group of tests, Howes downloaded and installed Grokster, a popular peer-to-peer file-sharing program, from CNET Download.com. Installing Grokster and clicking OK in its subsequent dialog boxes loaded 15 separate adware programs, containing 134 "critical" executable components, by Howes's count. This source of infection would compromise even Windows XP with its new Service Pack 2 (SP2).

Drive-by downloads. To set up another group of tests, Howes used Internet Explorer to visit the following Web locations: 007 Arcade Games (a games site), LyricsDomain (a song lyrics site), and Innovators of Wrestling (yup, a wrestling site). This resulted in 23 different adware programs being installed, carrying 138 components, Howes says. Drive-by downloads such as these are now less of a problem for users who've installed XP SP2.
You can't step into the same river twice. For yet another test, Howes visited the wrestling site again, but on a different date. The makers of adware must have signed a lot of distribution contracts with the site in the interim. Howes says his PC picked up 25 adware programs and 153 components on that one visit alone. (You'll notice that I didn't link to the examples I cited above, and I strongly recommend that you avoid trying any of them.)

It's not enough to say "PC users should be more careful." Computer professionals, instead, have a duty and an obligation to prevent adware from infecting their PCs or anyone else's.

Introducing the Windows Secrets security baseline

Every PC needs the following six components for protection against hacker attacks, both from the Internet and from within your company or home. In each issue, starting today, this new section will summarize the top-rated products top-rated by trusted reviewers.

1. Hardware firewall. For wired home and small-office networking, the 8-port Linksys BEFSR81 router ($80 USD) is rated "the best of our testing" by Extreme Tech. For wireless networking, the new Belkin Wireless Pre-N router ($150) is currently highest-rated at CNET.

2. Software firewall. Often called a "personal firewall," ZoneAlarm Pro ($40) is number one according to several testers, including TopTenReviews.com and PC World's Best of 2004.

3. Antivirus. Trend Micro's PC-cillin Internet Security 2005 antivirus suite ($50), which includes a personal firewall, recently won head-to-head comparisons in PC World and CNET.

4. Antispam. Cloudmark Safetybar ($40, formerly SpamNet) is rated a Best Buy by PC World and Editors' Choice by PC Magazine.

5. Anti-adware. Giant AntiSpyware or Microsoft AntiSpyware beta, Webroot Spy Sweeper, CWShredder (use all; free or optional registration). See article above.

6. Update management. Without naming a winner (because update software is highly related to your network's size), a wide-ranging buyer's guide to patch-management software was published in the Oct. 2004 Windows IT Pro magazine.

FORWARDING INSTRUCTIONS — news gains value when it's shared

Please share this information with your friends
You're encouraged to refer your friends and colleagues to this free newsletter. Because most e-mail programs don't correctly display a formatted message that's been forwarded, simply call people's attention to the permanent Web address of this issue: WindowsSecrets.com/050127.

Safe Personal Computing, Revisited

Fri, 17 Dec 2004 16:28:08 GMT

Safe Personal Computing, Revisited

Internet computing security tips from a security expert, Bruce Schneier!

I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, "Nothing--you're screwed."

But that's not true, and the reality is more complicated. You're screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.

Two years ago, I published a list of PC security recommendations. The idea was to give home users concrete actions they could take to improve security. This is an update of that list: a dozen things you can do to improve your security.

General: Turn off the computer when you're not using it, especially if you have an "always on" Internet connection.

Laptop security: Keep your laptop with you at all times when not at home; treat it as you would a wallet or purse. Regularly purge unneeded data files from your laptop. The same goes for PDAs. People tend to store more personal data--including passwords and PINs--on PDAs than they do on laptops.

Backups: Back up regularly. Back up to disk, tape or CD-ROM. There's a lot you can't defend against; a recent backup will at least let you recover from an attack. Store at least one set of backups off-site (a safe-deposit box is a good place) and at least one set on-site. Remember to destroy old backups. The best way to destroy CD-Rs is to microwave them on high for five seconds. You can also break them in half or run them through better shredders.

Operating systems: If possible, don't use Microsoft Windows. Buy a Macintosh or use Linux. If you must use Windows, set up Automatic Update so that you automatically receive security patches. And delete the files "command.com" and "cmd.exe."

Applications: Limit the number of applications on your machine. If you don't need it, don't install it. If you no longer need it, uninstall it. Look into one of the free office suites as an alternative to Microsoft Office. Regularly check for updates to the applications you use and install them. Keeping your applications patched is important, but don't lose sleep over it.

Browsing: Don't use Microsoft Internet Explorer, period. Limit use of cookies and applets to those few sites that provide services you need. Don't assume a Web site is what it claiSet your browser to regularly delete cookies. ms to be, unless you've typed in the URL yourself. Make sure the address bar shows the exact address, not a near-miss.

Web sites: Secure Sockets Layer (SSL) encryption does not provide any assurance that the vendor is trustworthy or that its database of customer information is secure.

Think before you do business with a Web site. Limit the financial and personal data you send to Web sites--don't give out information unless you see a value to you. If you don't want to give out personal information, lie. Opt out of marketing notices. If the Web site gives you the option of not storing your information for later use, take it. Use a credit card for online purchases, not a debit card.

Passwords: You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc.

Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly.

Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.

E-mail: Turn off HTML e-mail. Don't automatically assume that any e-mail is from the "From" address.

Delete spam without reading it. Don't open messages with file attachments, unless you know what they contain; immediately delete them. Don't open cartoons, videos and similar "good for a laugh" files forwarded by your well-meaning friends; again, immediately delete them.

Never click links in e-mail unless you're sure about the e-mail; copy and paste the link into your browser instead. Don't use Outlook or Outlook Express. If you must use Microsoft Office, enable macro virus protection; in Office 2000, turn the security level to "high" and don't trust any received files unless you have to. If you're using Windows, turn off the "hide file extensions for known file types" option; it lets Trojan horses masquerade as other types of files. Uninstall the Windows Scripting Host if you can get along without it. If you can't, at least change your file associations, so that script files aren't automatically sent to the Scripting Host if you double-click them.

Antivirus and anti-spyware software: Use it--either a combined program or two separate programs. Download and install the updates, at least weekly and whenever you read about a new virus in the news. Some antivirus products automatically check for updates. Enable that feature and set it to "daily."

Firewall: Spend $50 for a Network Address Translator firewall device; it's likely to be good enough in default mode. On your laptop, use personal firewall software. If you can, hide your IP address. There's no reason to allow any incoming connections from anybody.

Encryption: Install an e-mail and file encryptor (like PGP). Encrypting all your e-mail or your entire hard drive is unrealistic, but some mail is too sensitive to send in the clear. Similarly, some files on your hard drive are too sensitive to leave unencrypted.

None of the measures I've described are foolproof. If the secret police wants to target your data or your communications, no countermeasure on this list will stop them. But these precautions are all good network-hygiene measures, and they'll make you a more difficult target than the computer next door. And even if you only follow a few basic measures, you're unlikely to have any problems.

I'm stuck using Microsoft Windows and Office, but I use Opera for Web browsing and Eudora for e-mail. I use Windows Update to automatically get patches and install other patches when I hear about them. My antivirus software updates itself regularly. I keep my computer relatively clean and delete applications that I don't need. I'm diligent about backing up my data and about storing data files that are no longer needed offline.

I'm suspicious to the point of near-paranoia about e-mail attachments and Web sites. I delete cookies and spyware. I watch URLs to make sure I know where I am, and I don't trust unsolicited e-mails. I don't care about low-security passwords, but try to have good passwords for accounts that involve money. I still don't do Internet banking. I have my firewall set to deny all incoming connections. And I turn my computer off when I'm not using it.

That's basically it. Really, it's not that hard. The hardest part is developing an intuition about e-mail and Web sites. But that just takes experience.

Others have disagreed with these recommendations:
<http://www.getluky.net/archives/000145.html>;
<http://www.berylliumsphere.com/security_mentor/2004/12/heres-another-re ally-good-twelve.html> or <http://makeashorterlink.com/?Z3772560A>;

My original essay on the topic:
<http://www.schneier.com/crypto-gram-0105.html#8>;

This essay previously appeared on CNet:
<http://news.com.com/Who+says+safe+computing+must+remain+a+pipe+dream/20 10-1071_3-5482340.html> or <http://makeashorterlink.com/?V6872560A>;

How to Disappear

Tue, 22 Jun 2004 14:33:26 GMT

How to Disappear

Your inbox is awash in spam, your boss is chuckling over your credit report, and you've got a sneaking suspicion that Uncle Sam counts how many Löwenbräu you chug. Yes, your privacy's shot to hell, and you're tempted to shrug and settle for an open source life. But privacy isn't like virginity, forever lost after the first trespass. With some work, "reprivatization" is possible. Use this three-tiered guide to pick a level of solitude. But be warned: Going all the way off the grid is more Ted Kaczynski than Howard Hughes.

Going

Diss credit: Want to be hard to find? Start by dashing off stern opt-out letters to the big database companies and credit bureaus - Experian, Acxiom, Equifax. These folks may make a mint peddling personal info, but they can be cajoled into stopping. First, though, they'll make you jump through hoops - like filling out a 1040-sized form or idling in toll-free hell. Junkbusters (www.junkbusters.com) has a good list of opt-out addresses.

Anonymize: Ditch your ISP and sign up with a service that lets you surf by proxy, keeping your IP address concealed. Send email via an anonymous remailer like Mixmaster, a digital middleman that scrambles timestamps and message sizes. And if you're going to be advocating the violent overthrow of the government or bragging about your cool new bong, make sure your remailer routes messages through multiple machines.

Grok the fine print: Boring as it sounds, read the privacy statements that clutter your mailbox around tax time and sever ties with companies that admit, "Our privacy policy may change over time" - industry lingo for "We reserve the right to screw you."

Going Further

Ditch the digits:Want to drop out?Start by rustling up a new Social Security number.

The Social Security Administration doesn't accept paranoia as a criterion for granting a new card, but it recognizes cultural objections and religious pleas. One stratagem: Contend that your credit has been irrevocably damaged by a number-related snafu, or that you live in fear of a stalker who knows your digits. Once you switch your SSN, never use it. Instead, dole out 078-05-1120, an Eisenhower-era card that works 99 percent of the time.

Call cell-free: Use the humble pay phone. Mobile phones are being outfitted with global positioning satellite chips to comply with an FCC mandate. By 2006, all wireless networks must feature 911-friendly tracking technology. Marketers are cooking up ways to capitalize, like zapping burger coupons to your Nokia as you stroll by a fast-food joint.

Pay full price: You may relish saving 10 percent on Prell, but deep-six your buyers' club cards. Supermarkets and pharmacies haven't yet perfected the art of data mining, but it won't be long. "If you're having a child custody fight, they could subpoena your frequent-shopper cards and say, 'Look, he's buying too many potato chips, he's hurting the kids,'" says Robert Gellman, a Washington-based privacy consultant.

Gone

Move: Want to go completely off the grid? Start by moving - address changes bedevil databasers. But don't buy a home. All those loan apps will blow your cover. Residential hotels smell like cheap cigars and urine, but at least you can register under a pseudonym. Give a fake address: 3500 S. Wacker, Chicago, IL, 60616 - the front door for Comiskey Park.

Toss your cards:Pay cash for everything, and don't plan on a life of luxury. Any (legal) cash transaction more than $10,000 triggers government reporting regulations, which means you can forget about that Cadillac Escalade you've had your eye on. Settle for the subway or bus, using coins rather than prepaid fare cards, which keep a record of trips.

Go incognito: Facial-recognition gear will soon be ubiquitous in public spaces. To fool the systems, invest in a pair of bulky aviator sunglasses and a hat. If you fear being tailed, alter your gait every time you hit the street - a pigeon-toed shuffle one day, a bowlegged amble the next. There are also Central American plastic surgery mills, beloved of drug lords, that can alter the loops and whorls on your fingertips. It'll set you back 10 Gs, but then, Costa Rican doctors have been known to accept gold Rolexes in lieu of cash.

[Via Wired]

CIA's Tenet did speak to Bush before 9-11, spokesman says

Wed, 16 Jun 2004 14:25:57 GMT

CIA's Tenet Did Speak To Bush Before 9-11, Spokesman Says

By Stewart M. Powell
Hearst Newspapers

WASHINGTON -- CIA Director George Tenet met with President Bush at least eight times in the 42 days before the catastrophic terrorist attacks on Sept. 11, 2001, a CIA spokesman said Thursday, correcting Tenet's testimony that he hadn't talked with the president during the entire month of August.

Bill Harlow, spokesman for the agency, said CIA records showed Tenet briefed the president on national security threats once during Bush's 27-day ranch vacation, on Aug. 17, and again at the White House on Aug. 31. He also met with the president at least six more times during the first eight days of September.

Bush has established the practice of receiving daily face-to-face intelligence briefings by the CIA chief.

Tenet's contacts with Bush during that period are significant because the CIA director was the highest ranking U.S. official who was aware of both the FBI's arrest of flight student Zacarias Moussaoui in Minnesota and the CIA warning to Bush that Osama bin Laden was "determined to strike" inside the United States.

The CIA warning memo to Bush on Aug. 6, 2001, also noted that the FBI had detected "patterns of suspicious activity in this country consistent with preparations for hijackings or other types of attacks."

Tenet learned of Moussaoui's arrest on Aug. 23 or Aug. 24 in a CIA memo entitled "Islamic Extremist Learns to Fly," investigators disclosed Wednesday.

Tenet's spokesman said "as far as we know" the CIA chief did not mention the arrest of Moussaoui to Bush on Aug. 31 or at subsequent meetings before the Sept. 11 attacks.

Tenet's testimony to the independent Sept. 11 commission on Wednesday that he had not spoken to Bush during the entire month of August raised eyebrows on the 10-member bipartisan panel.

Harlow said Tenet apparently did not mention Moussaoui's arrest to higher officials because the CIA's only involvement in the case at that point was to help gain access to data on Moussaoui's seized laptop computer if the FBI could not obtain a Foreign Intelligence Surveillance Act subpoena to examine the laptop's hard drive.

Tenet was briefed on the arrest of Moussaoui as "something that the FBI was dealing with in Minnesota" rather than something requiring CIA follow up, Harlow said.

Former Acting FBI Director Thomas Pickard, who served as acting director for 10 of the 11 weeks before the Sept. 11 attacks, told the inquiry Tuesday that he had learned of Moussaoui's arrest in Minnesota on the afternoon of Sept. 11 -- after the attacks.

Word of Moussaoui's arrest never reached the White House National Security Council's interagency Counterterrorism and Security Group, former counterterrorism czar Richard Clarke testified on March 24.

After the Sept. 11 attacks, FBI agents obtained the legal go-ahead to examine the hard drive on his laptop. It contained information on using crop-dusting airplanes.

Moussaoui was charged with federal conspiracy counts as an accomplice to the 19 suicide hijackers and awaits federal trial in Alexandria, Va.

[Via Salt Lake Tribune]

DO NOT USE INTERNET EXPLORER UNTIL FURTHER NOTICE.

Mon, 14 Jun 2004 16:31:40 GMT

DO NOT USE INTERNET EXPLORER UNTIL FURTHER NOTICE.

Use Mozilla or Opera instead.

<http://www.vnunet.com/news/1155868>

Warning issued on new IE flaws

Safety experts advise switching browsers as three 'Zero Day' flaws hit Microsoft Iain Thomson, vnunet.com 14 Jun 2004

Three new flaws for which no patch exists - so-called 'Zero Day' flaws - have been identified in Microsoft's Internet Explorer.

Like Sasser, two of the three vulnerabilities need no user intervention and can be downloaded just by logging on to the internet.

The third allows a false web address to be embedded in an email to misdirect users to a phishing site, which then attempts to capture user information.

The US Computer Emergency Readiness Team warned of the phishing flaw late on Friday, while security firm Ubizen highlighted the other two after being in contact with a researcher investigating computers where pornographic banners had been inserted into the browser toolbar.

Ubizen has advised computer users to switch to alternative web browsers like Netscape or Mozilla for the moment.

"[Changing browser is] a harsh workaround but at the end of the day it'll work," said Dick Van Droogenbroeck, senior security assessment engineer at Ubizen's Security Intelligence Laboratory.

"As there is no fix available, the hacker community will seek to massively exploit these vulnerabilities. Hit the wrong web page and it's over and out."

[...]

Browser Hijackings Are More Than Just Annoying

Tue, 18 May 2004 21:04:48 GMT

Browser Hijackings Are More Than Just Annoying

Browser hijackers are annoying. They lock you out of your own browser controls. They redirect you to porn sites or bogus search portals. Many of them launch a barrage of pop-up ads. Most set hooks deep into Windows and hold on for dear life when you try to remove them. Some people simply give up and turn off their computers permanently.

For some people, becoming infected with a browser hijacker can ruin their life. Someone, who's company computer becomes infected with the pornographic variety of browser hijacker, may find themselves in very hot water. People have lost their jobs, their spouses and, in some cases, people have been put in jail.

From Wired News:

"The police raided my house on Sept. 17, 2002," said "Jack," who came to the United States from the former Soviet Union as a political refugee, and has requested that his name not be published. "Nobody gave me a chance to explain. I was told by judge and prosecutor that I will get years in prison if I go to trial. After negotiations through my lawyer I got 180 days in an adult correctional facility. I was imprisoned for 20 days and then released under the Electronic Home Monitoring scheme. I now have a felony sex-criminal record, and the court ordered me to register as a predatory sex offender for 10 years."

Jack originally believed that the images found on his computer were from a previous owner -- he'd bought the machine on an eBay auction. But he now thinks a browser hijacker may have been responsible.

"When I used search engines, sometimes I got a lot of porn pop-ups," Jack said. "Sometimes I was sent to illegal porn sites. When I tried to close one, another five would be opened without my will. They changed my start page, wrote a lot of illegal porn links in favorites. The only way to stop this was turn the (computer's) power off. But when I dialed up to my server again, I started with illegal site, then got the same pop-ups. There were illegal pictures in pop-ups."

Whether this one person is telling the truth or not, I have no doubt that this is happening to innocent people. Not only do the people who distribute hijacker software make cash by trespassing on private property and altering system settings, they do so legally while their victims are at risk of going to jail. It is long past time to criminalize this activity.

If you agree with me on this, I urge you to contact your US Senators and ask them to support the SPYBLOCK Act, S. 2145. This activity will never stop as long as it is perfectly legal to engage in it.

Links:

Browser Hijackers Ruining Lives
Nasty Malware Fouls PCs With Porn
Contact your US Senator
SPYBLOCK Act

[Via Spyware Weekly Newsletter]

Woman Loses $8,000 In Lotto Scam

Fri, 23 Apr 2004 04:52:30 GMT

Woman Loses $8,000 In Lotto Scam

Police Search For Man, Woman

Authorities in Orlando, Fla., are warning residents of a lotto scam Wednesday after a woman was tricked out of $8,000, according to Local 6 News.

Police said Rosaura Ortiz was approached by a Hispanic man and woman while she was putting bags into her car at Crystal Lake and Curry Ford Road.

Ortiz said the man advised her that he just won $182,000 from playing Florida Lotto and that he would give her the winning ticket if she was able to come up with $20,000 cash.

The woman then went to Wachovia Bank and withdrew $8,000. The man then allegedly told the woman that he would put money and the Lotto ticket into her purse. When she agreed, the suspect placed an envelope supposedly holding the $8,000 and the Lotto ticket into her purse.

Later, Ortiz said that the man asked her to buy some aspirin in a Publix on Curryford Road for his wife while they went to Washington Mutual Bank. When Ortiz exited Publix, the man and woman had vanished with her money.

When Ortiz checked the envelope in her purse, she found it contained nothing but newspaper clippings cut into dollar-sized pieces.

Ortiz said the man was 35-40 years old, heavy set and wearing a yellow plaid shirt. The woman was described as being the same approximate age with black hair and wearing a gray dress. No other information was available.

Police have obtained surveillance video from Wachovia Bank.

If you have any information concerning this crime, you are urged to call the Orlando Police Department.

[Via Local 6 News]

LETTING CONSUMERISM GET UNDER YOUR SKIN

Tue, 30 Mar 2004 18:31:23 GMT

LETTING CONSUMERISM GET UNDER YOUR SKIN

Have you been "chipped" yet?

A company called Applied Digital Solutions wants you to undergo a surgical procedure to implant a tiny RFID microchip in your arm. Why would you want to do this? Because "Radio Frequency ID" chips will eliminate the heavy burden of having to carry credit cards and remember your ATM numbers. Instead, your arm becomes your card and ID number – simply run your arm under a scanner and your embedded radio chip sends a digital signal to the computer, allowing you to complete your transaction. ADS calls its microchip "VeriPay."

There's only one rational reason that ADS executives think we'll submit to this: They're insane. Insane, but serious. They insist that this technological leap is needed because many people lose their credit cards. "VeriPay solves that problem," says a corporate PR flak, cheerfully noting that ADS's chip "is sub dermal and very difficult to lose. You don't leave it sitting in the back seat of a taxi," he said.

Sub dermal or not, your ID number still can be stolen by a geeky thief who rigs up a device to intercept your radio-transmitted number, then plays it back later to your ATM machine, emptying your account.

If your number is stolen, or if you simply switch credit-card companies or banks, what are you to do? No problem says the PR guy: "If you don't want it anymore... you can go to a doctor and have it removed. I call it an opt-out feature," he said gaily. Swell, instead of simply calling your credit card company to cancel your card, you'd have to call a surgeon. This is progress?

Still, ADS is banking on you to "get chipped," as they cheerily put it in a special promotion. To lure you, they're even offering a $50 discount to the first 100,000 people who sign up.

[Via Jim Hightower's On The Air]

Utah's Spyware Control Act

Wed, 17 Mar 2004 14:36:47 GMT

Utah's Spyware Control Act

The Utah state legislature has passed a bill outlawing certain activities in which most spyware engages. This includes, without first seeking permission from the owner of the PC, reporting online behavior, sending information about a user to third parties and creating pop-up advertisements based on the context of a web site a person is visiting.

This bill, the Spyware Control Act, was prompted by a local business owner in Utah. The owners of 1800contacts.com received complaints from web visitors about pop-up ads. The company discovered that the ads were being generated by adware installed on the visitors' computers.

Adware is a piece of software which installs itself onto a person's PC in a variety of clever ways and then serves advertisements to that PC. Usually, the company pays another software company to bundle their installer into their own software. Some companies exploit Internet Explorer's ActiveX technology to install the software, often by fooling the PC's owner into believing it to be a necessary part of the web site.

The visitors of 1800contacts.com had adware installed which analyzed the content of their web site. Using that information, the software would pop up advertisements for competing web sites. Companies such as Gator/Claria and WhenU have created an entire industry based on this sort of parasitic advertising. The owners of many web sites consider their activities to be theft.

Utah's Spyware Control Act has not been signed into law yet by Governor Walker. Several internet companies have drafted a letter in an attempt to persuade Governor Walker not to sign the act into law.

The parties to the letter make a false argument claiming that the bill might interfere with computer security by preventing security companies from analyzing data about such things as virus attacks. That is, of course, absurd. The owner of a PC installs security software deliberately. Contrast that to Gator/Claria's methods of installation, which often leave the PC owner confused as to its origin.

Their real concern is that the Spyware Control Act makes it illegal to sneak software onto a PC, use it to collect and transmit information about that PC and its use and to generate parasitic ads based on the content of someone else's web site. This is a law which should be passed, albeit at a federal level, not state.

If someone enters into an informed agreement allowing such software to operate on their own property, that is their choice. However, to sneak this software onto someone's machine, someone's private property, in order to display ads which are themselves based on someone else's work is shameful and should be illegal. Your private property should not be used as a billboard without your express authorization or without your knowledge.

If you are a resident of Utah, please write to your governor and urge her to sign this bill into law.

Links:

http://www.utah.gov/governor/ :· Utah's Governor's page
http://www.utah.gov/governor/contact.html :· Contact Utah's Governor
http://www.pcpitstop.com/gator/ :· PCPitstop's Gator information center
http://news.com.com/2100-1023-940072.html :· Publishers sue Gator over pop-ups
http://www.pcpitstop.com/gator/Survey.asp :· Survey Says: Gator Users Didn't Know
http://news.com.com/2100-1024_3-5170263.html :· States join spyware battle
http://www.spywareguide.com/product_search.php?s=savenow :· Information about WhenU

[Via Spywareinfo Newletter]

Microsoft monoculture

Thu, 26 Feb 2004 16:43:15 GMT

Microsoft monoculture

The world's reliance on Microsoft operating systems is leaving critical computer networks unnecessarily vulnerable to attack, claim security experts.

A report published on Wednesday by the Computer and Communications Industry Association says that Microsoft’s dominance in PC operating systems has created a 'monoculture' that allows viruses to spread like wildfire over the Internet. This lack of diversity allows even simple viruses, created in minutes by so called 'script kiddies' to wreak havoc within hours of creation.

"Nature does not put up with monocultures because they are too easy to attack," says Daniel Geer, one of the paper's authors and chief technology officer for the security company AtStake. "If everything looks just alike . . . it will promptly be punished."

The security problems created by Microsoft are a direct result of the company's business practices, claims the report. The company’s systems are designed to keep out competitors rather than intruders, say the authors.

"Their goal is to facilitate lock-in of Microsoft products,” says Bruce Schneier, chief technology officer of Counterpane Internet Security, one of the report’s authors.

Following the recent spread of the Sobig, Blaster and Slammer worms, governments and industry around the world have begun looking more critically at security. Many technology officers for governments and companies are now considering whether they should diversify the types of operating systems and applications on their networks.

I'm taking those monoculture warnings about Microsoft products seriously. If everyone runs the same software, especially software notorious for having security holes, then a serious virus could take everyone out. Everyone, that is, except those not running Internet Explorer and Outlook.

Because via IE and Outlook are the ways most viruses and malware attack Windows users.

So, on my new computer I'm running Firefox as the default browser and playing with converting my four email accounts from Outlook and Opera 7 to The Mozilla Thunderbird Mail Project. So far, I've got two accounts in Thunderbird, and am testing it to see how I like it. Firefox and Thunderbird are open source and free.

I've previously have been quite happy with Opera 7 and it's integrated e-mail client.

Anyone out there using Thunderbird? Or have ideas for other email programs? And yes, I may get a Mac or a Linux box one day!

[Via New Scientifist]

Security Myth - Photo IDs Makes Everyone More Secure

Thu, 19 Feb 2004 04:32:30 GMT

Security Myth - Photo IDs Makes Everyone More Secure (Safe)

Bruce Schneier - CRYPTO-GRAM

In recent years there has been an increased use of identification checks as a security measure. Airlines always demand photo IDs, and hotels increasingly do so. They're often required for admittance into government buildings, and sometimes even hospitals. Everywhere, it seems, someone is checking IDs. The ostensible reason is that ID checks make us all safer, but that's just not so. In most cases, identification has very little to do with security.

Let's debunk the myths one by one. First, verifying that someone has a photo ID is a completely useless security measure. All the 9/11 terrorists had photo IDs. Some of the IDs were real. Some were fake. Some were real IDs in fake names, bought from a crooked DMV employee in Virginia for $1,000 each. Fake driver's licenses for all fifty states, good enough to fool anyone who isn't paying close attention, are available on the Internet. Or if you don't want to buy IDs online, just ask any teenager where to get a fake ID.

Harder-to-forge IDs only help marginally, because the problem is not making sure the ID is valid. This is the second myth of ID checks: that identification combined with profiling can be an indicator of intention.

Our goal is to somehow identify the few bad guys scattered in the sea of good guys. In an ideal world, what we'd want is some kind of ID that denotes intention. We'd want all terrorists to carry a card that says "evildoer" and everyone else to carry a card that said "honest person who won't try to hijack or blow up anything." Then, security would be easy. We'd just look at people's IDs and, if they were evildoers, we wouldn't let them on the airplane or into the building.

This is, of course, ridiculous, so we rely on identity as a substitute. In theory, if we know who you are, and if we have enough information about you, we can somehow predict whether you're likely to be an evildoer. This is the basis behind CAPPS-2, the government's new airline passenger profiling system. People are divided into two categories based on various criteria: the traveler's address, credit history, and police and tax records; flight origin and destination; whether the ticket was purchased by cash, check, or credit card; whether the ticket is one way or round trip; whether the traveler is alone or with a larger party; how frequently the traveler flies; and how long before departure the ticket was purchased.

Profiling has two very dangerous failure modes. The first one is obvious. The intent of profiling is to divide people into two categories: people who may be evildoers and need to be screened more carefully, and people who are less likely to be evildoers and can be screened less carefully. But any such system will create a third, and very dangerous, category: evildoers who don't fit the profile.

Oklahoma City bomber Timothy McVeigh, DC sniper John Allen Muhammed, and many of the 9/11 terrorists had no previous links to terrorism. The Unabomber taught mathematics at Berkeley. The Palestinians have demonstrated that they can recruit suicide bombers with no previous record of anti-Israeli activities. Even the 9/11 hijackers went out of their way to establish a normal-looking profile; frequent-flier numbers, a history of first-class travel, etc. Evildoers can also engage in identity theft, and steal the identity-and profile-of an honest person. Profiling can actually result in less security by giving certain people an easy way to skirt security.

There's another, even more dangerous, failure mode for these systems: honest people who fit the evildoer profile. Because actual evildoers are so rare, almost everyone who fits the profile will turn out to be a false alarm. This not only wastes investigative resources that might be better spent elsewhere, but it causes grave harm to those innocents who fit the profile. Whether it's something as simple as "driving while black" or "flying while Arab," or something more complicated like taking scuba lessons or protesting the current administration, profiling harms society because it causes us all to live in fear...not from the evildoers, but from the police.

Security is a trade-off; we have to weigh the security we get against the price we pay for it. Better trade-offs are to spend money on intelligence and analysis, investigation, and making ourselves less of a pariah on the world stage. And to spend money on the other, non-terrorist, security issues that affect far more Americans every year.

Identification and profiling don't provide very good security, and they do so at an enormous cost. Dropping ID checks completely, and engaging in random screening where appropriate, is a far better security trade-off. People who know they're being watched, and that their innocent actions can result in police scrutiny, are people who become scared to step out of line. They know that they can be put on a "bad list" at any time. People living in this kind of society are not free, despite any illusionary security they receive. It's contrary to all the ideals that went into founding the United States.

[Via Bruce Schneier's Crypto-Gram]

PC Pitstop Launches Gator Information Center

Wed, 03 Dec 2003 21:07:05 GMT

PC Pitstop Launches Gator Information Center

I wanted to let you know what we are doing to help spread the word about the problem of Spyware.

As you are probably aware, Gator Corporation sued PC Pitstop in September. Although we resolved the dispute, some of Gator's public statements on the matter may have left a false impression that PC Pitstop was obligated to remove most discussion of Gator's products from our site. This is not true.

PC Pitstop has launched its Gator Information Center:

http://www.pcpitstop.com/gator/

This area includes the results of original research we conducted based on responses from visitors to the PC Pitstop site. Our results show that most users that have Gator applications on their PC did not consciously install them. This contradicts a key Gator assertion that the company has the user's permission and acceptance of Gator's license terms.

The Gator Information Center also includes:
* Free or low-cost alternatives to Gator applications;
* Step by step instructions for removing Gator;
* How to recognize Gator's drive-by downloads and confusing ads;
* A link for complaints to the U.S. Federal Trade Commission;
* Our experiences using Gator applications and GAIN on our own PCs;
* An interactive quiz about Gator's terms and conditions.

This site is available now at the address listed above. If you have questions, please contact me.

Dave Methvin
Chief Technology Officer
PC Pitstop

[Via PC Pitstop]

The Trojan Defense

Mon, 17 Nov 2003 02:20:57 GMT

The Trojan Defense
CRYPTO-GRAM, November 15, 2003, by Bruce Schneier

Aaron Caffrey is a UK teenager accused of launching a distributed denial-of-service attack against an independent contractor for the Port of Houston, Texas. Last month he was acquitted on all charges in a UK court. Caffrey's defense was that while the attack did come from Caffrey's computer, it was the work of someone who had installed a Trojan horse program on the machine and altered his computer's log files.

I have read several opinions on this case. Some believe that the "Trojan defense" sets a dangerous precedent, and that computer criminals will claim it every time. I believe that it sets a very good precedent, and will force prosecutors to do more than show that a particular computer was involved in a crime.

The hardest part of computer security is the piece between the computer and the user. The hardest part of encryption is maintaining the security of the data when it's being entered into the keyboard and when it's being displayed on the screen. The hardest part of digital signatures is proving that the text signed is the same text that the user viewed. And the hardest part of computer forensics is knowing who is sitting in front of a particular computer at any time.

Just because a particular computer was involved in an attack doesn't mean that the computer's owner was involved. Maybe, as Aaron Caffrey alleged, the computer was being controlled by someone else. We know that many hackers control a series of computers in an attempt to disguise their tracks. Maybe, as is being alleged in another case, the computer was in a public space and someone else used it to commit the crime. Maybe the user was duped into pushing certain keys or clicking on certain mouse buttons, and had no idea what he was really doing.

Also in the U.K., two men accused of downloading child pornography convinced the court that a Trojan on their computer did it and not them.

This defense makes it harder for the prosecution, but that's not a bad thing. The barrier should be high to convict someone of a crime. If the prosecutor can prove that a particular computer was involved but can't prove that a particular person was involved, that sounds like insufficient evidence to convict. I want the prosecutor to be able to prove that the person committed the crime.

By allowing this defense we're permitting some guilty people to go free, but we're also protecting the innocent. I don't think society would be well-served by denying this defense and thus offering people a sure-fire way to frame someone for a computer crime.

<http://www.forbes.com/markets/newswire/2003/10/27/rtr1124430.html>
<http://news.com.com/2102-7349_3-5092781.html >
<http://news.bbc.co.uk/1/hi/technology/3202116.stm>
<http://www.theregister.co.uk/content/55/33460.html>
<http://www.theregister.co.uk/content/55/33636.html>

[Via CRYPTO_GRAM]

Why America is losing the intelligence war

Thu, 13 Nov 2003 14:35:27 GMT

Why America Is Losing The Intelligence War

"Americans should not expect one battle, but a lengthy campaign, unlike any other we have ever seen. It may include dramatic strikes, visible on TV, and covert operations, secret even in success," said President George W Bush on September 20, 2001.

Unique among America's foreign conflicts, the so-called "war on terror" is an intelligence war. That bodes ill for America, because an intelligence war is the kind America is least capable of fighting, for reasons inherent in the country's character. That is one more reason why Islamic radicalism yet may defeat the West.

It is already clear that America is losing the intelligence war in Iraq, for the same reasons it lost in Somalia. The rocket attack on the al-Rashid hotel while Deputy Defense Secretary Paul Wolfowitz was present, the downing of a Chinook helicopter with 16 deaths, and related incidents suggest that the Iraqi resistance has infiltrated the American command. That should be no surprise, given that the occupiers depend on local sources for information, and have little capacity to distinguish a repentant Ba'athist from a saboteur. There exist ways to compensate for such limitations, to be sure, but an army that would court-martial Lieutenant-Colonel Allen West for scaring a prisoner into a confession with a harmless pistol shot does not have the stomach for them.

More disturbing for the American side are the treason charges against an army chaplain and translator at the Guantanamo prison for al-Qaeda captives. The situation brings to mind Kim Philby and the failure of Anglo-American intelligence in the 1930s, when the Soviet side wielded a higher moral authority among the intellectual class. Syrian intelligence, it appears, reached into one of America's most secure installations. That is quite a turnabout from the 1960s, when Israel's master spy Eli Cohen infiltrated the highest levels of the Syrian government.

<snip>

In the intelligence war, Islamists have a distinct advantage. Among the ranks of Islamist radicals are thousands who have studied in the United States, speak serviceable English, and can move with ease in American society. How many field agents of American intelligence can move at ease in the Islamist milieu? German and British universities once produced spies who could speak half a dozen Arab dialects and recite the Koran from memory. Today's only superpower cannot recruit enough Arabic translators to handle routine intercepts.

Precisely why the US cannot find Arabic translators (let alone Arabic-speaking field agents) deserves a moment's attention. Conservative critics of the American intelligence establishment, such as Reuel Marc Gerecht of the American Enterprise Institute, ridicule the Central Intelligence Agency's (CIA's) lack of language ability, and blame the previous (Democratic) administration for failing to spend enough money on the requisite skills.

All that is somewhat unfair. During the 1990s, the CIA under Admiral James Woolsey and then under George Tenet cast its net wide for speakers of foreign languages, particularly Middle Eastern and South Asian dialects, with disappointing results. The pool of qualified applicants was too small, and within this pool, too few applicants met the agency's security standards. Particularly in the case of Arabic and Persian, too many of the candidates were first and second generation immigrants who failed the screening criteria, that is, they were deemed too likely to sympathize with their subjects. The Guantanamo allegations suggest that the CIA's security concerns were not ill placed.

By contrast, Israeli intelligence can draw on a pool of first and second generation immigrants who speak foreign languages (among which Arabic is most common) as natives, but feel no loyalty whatever, but rather hostility, to their native culture. During the Cold War, European intelligence services could find native speakers of all varieties - German-speaking Bohemians from the Austrian Empire, Polish-speaking Ukrainians, Russian-speaking Poles, Italian- speaking Austrians - who despised the cultures in which they were educated and were happy to subvert them. The average Hungarian headwaiter had a greater command of languages than today's doctoral students in comparative literature at American universities.

In terms of linguistic and cultural capacity, the US today commands what may be the lowest-quality clandestine service of any great power in history. Why don't more Americans learn foreign languages? Turn the question around: why do they forget the languages they already know? The children of immigrants almost invariably lose the native language of their ancestors. One finds German festivals in Wisconsin with lederhosen-wearing brass bands, Weissbier and bratwurst, but no one who can form a single German sentence. Italian-Americans march through the streets in what they imagine to be native costume to honor the birthday of Columbus, without knowing more than a few obscenities in a southern dialect.

Folk came to America precisely in order to shed their culture. More precisely, they fled the tragic destiny of their cultures. Immigrants to America were the poor or the rebels. Not the Milanese but the Calabrians, not the Berliners but the Bavarians, not the assimilated Jews of Germany but the persecuted Jews of Russia made their way westward. These had little stake in their own cultures and no connection to the high culture of the countries they abandoned. There are a few exceptions, eg, the German political exiles of 1848, but these are few. What did the Irish immigrants care for Shakespeare, or Russian-Jewish immigrants for Leo Tolstoy? They shed their old culture almost as fast as their traveling-clothes.

<snip>

The quality of American intelligence depends on its moral authority to recruit spies who are willing to betray their own cultures because of their faith in America. During the Great Depression of the 1930s, when the credibility of the West stood at an ebb, Russia recruited intellectuals from the great universities of the West. Against the betrayal of its own elites, the West had no defense, and Russia won the intelligence war of the 1940s and 1950s. Not until the credibility of Russian communism collapsed after the 1956 Hungarian invasion did the tide turn, as Russians and Eastern Europeans shifted loyalty to the American side.

Today's intelligence war with radical Islam comes down to a contest for the loyalties of the population of individuals who can move between both worlds. The vast majority of these are university students from Islamic countries in the US or Western Europe, and the remainder are students of Oriental languages in the West. For several reasons, the US is at a vast disadvantage.

Unlike other immigrants, Muslim students in the US neither are poor nor politically disenfranchised. They are there precisely because they belong to the elite of their country, for whom foreign study is a privilege. Few are prepared to abandon their culture, while many resent the West. Because of the cultural divide, the vast majority of Muslims who study in the West read sciences or mathematics. Indian and Chinese foreign students dominate these faculties. No Arab has become a scientist of note since the early Middle Ages, while the universities are full of Indian and Chinese Nobelists. Hell hath no fury like an elite slighted. These circumstances tend to provoke the resentment of Arab and other Muslim foreign students toward the West.

Muslim students attending the most prestigious Western universities, moreover, hear nothing of the merits of Western culture. Instead, what they learn from post-colonial theory, deconstructionism, and post-modernism is that all culture is a pretext for the assertion of power by oppressors. No qualitative difference separates Dante and Goethe from the meanest screed of the cheapest propagandist. What matters is the sub-text, the expression of power relations buried beneath the rhetoric. They learn of the evil US that slaughtered its native population, oppressed blacks and other minorities, degraded women, marginalized the poor, and operates on behalf of plutocratic financial interests.

Not since Kim Philby was an undergraduate at Cambridge has the intellectual elite of the West been so inclined to bite the hand that feeds it. The degenerate view of Martin Heidegger and Ludwig Wittgenstein, which reduces all faith and conviction to capricious existential choice, dominates the mind of the West. From this standpoint it is impossible to challenge another culture, because all differences are arbitrary to begin with. How is it possible under these circumstances to make ideological recruits?

There is not much hope for American intelligence among Western students of the Middle East. General John Abizaid, the commander of US Central Command, earned a master's degree in Middle Eastern Studies in 1981 under Professor Nadav Safran, one of the best academics in the field. But in 1985, the Middle East Studies Association censured Safran for accepting CIA funding, destroying his career, according to Martin Kramer, a right-wing critic of the overwhelmingly left-wing Middle East Studies establishment. That was a generation ago; in the interim, the field has shifted even further toward Heideggerian relativism.

One does encounter exceptions, such as General William Boykin, an evangelical Christian who evidently does not subscribe to the relativism of the academics and who heads the hunt for Osama bin Laden, among others. The evangelicals represent an important force in American politics, but have little to contribute to the intelligence effort. Born-again Christians in some respects seem as if they were born yesterday. Their educational institutions, such as they are, lack the sophistication to produce the sort of training that General Abizaid received at Harvard when it was still available.

<snip>

[Via Asia Times]

The Future of Surveillance

Tue, 21 Oct 2003 02:27:59 GMT

The Future of Surveillance

At a gas station in Coquitlam, British Columbia, two employees installed a camera in the ceiling in front of an ATM machine. They recorded thousands of people as they typed in their PIN numbers. Combined with a false front on the ATM that recorded account numbers from the cards, the pair was able to steal millions before they were caught.

In at least 14 Kinko's copy shops in New York City, Juju Jiang installed keystroke loggers on the rentable computers. For over a year he eavesdropped on people, capturing more than 450 user names and passwords, and using them to access and open bank accounts online.

A lot has been written about the dangers of increased government surveillance, but we also need to be aware of the potential for more pedestrian forms of surveillance. A combination of forces -- the miniaturization of surveillance technologies, the falling price of digital storage, the increased power of computer programs to sort through all of this data -- means that surveillance abilities that used to be limited to governments are now, or soon will be, in the hands of everyone.

Some uses of surveillance are benign. Fine restaurants sometimes have cameras in their dining rooms so the chef can watch diners as they eat their creations. Telephone help desks sometimes record customer conversations in order to help train their employees.

Other uses are less benign. Some employers monitor the computer use of their employees, including use of company machines on personal time. A company is selling an e-mail greeting card that serriptiously installs
spyware on the recipient's computer. Some libraries keep records of what books people check out, and Amazon keeps records of what books people browse on their website.

And, as we've seen, some uses are criminal.

This trend will continue in the years ahead, because technology will continue to improve. Cameras will become even smaller and more inconspicuous. Imaging technology will be able to pick up even smaller details, and will be increasingly able to "see" through walls and other barriers. And computers will be able to process this information better. Today, cameras are just mindlessly watching and recording, but eventually sensors will be able to identify people. Photo IDs are just temporary; eventually no one will have to ask you for an ID because they'll already know who you are. Walk into a store, and you'll be identified. Sit down at a computer, and you'll be identified. I don't know if the technology will be face recognition, DNA sniffing, or something else entirely. I don't know if this future is ten or twenty years out -- but eventually it will work often enough and be cheap enough for mass-market use. (Remember, in marketing, even a technology with a high error rate can be good enough.)

The upshot of this is that you should consider the possibility, albeit remote, that you are being observed whenever you're out in public. Assume that all public Internet terminals are being eavesdropped on; either don't use them or don't care. Assume that cameras are watching and recording you as you walk down the street. (In some cities, they probably are.) Assume that surveillance technologies that were science fiction ten years ago are now mass-market.

This loss of privacy is an important change to society. It means that we will leave an even wider audit trail through our lives than we do now. And it's not only a matter of making sure this audit trail is accessed only by "legitimate" parties: an employer, the government, etc. Once data is collected, it can be compiled, cross-indexed, and sold; it can be used for all sorts of purposes. (In the U.S., data about you is not owned by you. It is owned by the person or company that collected it.) It can be accessed both legitimately and illegitimately. And it can persist for your entire life. David Brin got a lot of things wrong in his book The Transparent Society. But this part he got right.

Kinko's story:
<http://www.computercops.us/article2568.html>
<http://www.securityfocus.com/news/6447>

ATM fraud story:
<http://www.globetechnology.com/servlet/story/RTGAM.20030812.gtatmm0812/
BNStory/Technology>
<http://canada.com/search/story.aspx?id=f07cac50-62c7-46d8-892a-b66dfa2f
1d88>

Net spying:
<http://www.nytimes.com/2003/10/10/technology/10SPY.html>
<http://news.com.com/2100-1029_3-5083874.html>

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. Back issues are available on <http://www.schneier.com/crypto-gram.html>.

To subscribe, visit <http://www.schneier.com/crypto-gram.html> or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit <http://www.schneier.com/crypto-gram-faq.html>.

[Via CRYPTO-GRAM]

Danger, Danger: 5 Tips for Using a Public PC

Wed, 24 Sep 2003 15:33:49 GMT

Danger, Danger: 5 Tips for Using a Public PC

Reprinted from Spyware Weekly Newsletter

A couple of months ago, I wrote about a couple of high profile cases where hackers used keylogging spyware to steal online banking information at dozens of public internet terminals. My advice at the time was to download X-Cleaner antispyware, stick it on a floppy disk, and take it with you to scan a public machine before using it. If the machine is infected, either clean it or move on to a different machine.

Kim Komando, "America's Digital Goddess", has written an excellent article on the same subject at MSN's Business Central. SpywareInfo is linked in the article; and the server logs have been spinning like a windmill for two days now.

Kim gives five valuable tips for protecting your privacy at a public internet terminal.

1.- Check for spy programs
2.- Erase your tracks
3.- Protect your passwords
4.- Don't rely on encryption
5.- Use some common sense

Go read the article for the complete tips.

Links:

http://www.komando.com/ :: Kim Komando

http://www.spywareinfo.net/july22,2003#spyware :: The Cost of Spyware

http://www.bcentral.com/articles/komando/140.asp :: Danger, danger: 5 tips for using a public PC

[Via Spyware Weekly Newsletter]

Hidden Text in Computer Documents

Sat, 16 Aug 2003 14:23:54 GMT

Hidden Text in Computer Documents

BY Bruce Schneier, CRYPTO-GRAM

In the beginning, computer text files were filled with weird formatting commands. (Anyone remember WordStar's dot commands?) Then we had WYSIWYG: What You See Is What You Get. Or, more accurately, what you see on the screen is what you get on the printer. In the beginning, what you saw on the screen what was what was actually in the digital file. With WYSIWYG, what you saw on the screen was not in the digital file; formatting commands remained hidden from view, and the screen looked like the printed page.

WYSIWYG was an huge improvement, because it enabled writers to more easily format documents and see the results of that formatting. But it also brought with it a new security vulnerability: the leakage of information not shown on the screen (or on the printed document). Most of the time it's completely benign formatting information, but sometimes it's actual text. And because the user sees what the printed page looks like, he never even knows that this text is in the file. But someone who is even a little bit clever can recover the text, with embarrassing or even damaging results.

Three examples:

Last month, Alastair Campbell, Tony Blair's Director of Communications and Strategy, was in the hot seat in British Parliament hearings explaining what roles four of his employees played in the creation of a plagiarized dossier on Iraq that the UK government published in February 2003. The names of these four employees were found hidden inside of a Microsoft Word file of the dossier, which was posted on the 10 Downing Street Web site for the press. The "dodgy dossier," as it became known in the British press, raised serious questions about the quality of British intelligence before the second Iraq war.

Last year, during the manhunt for the DC sniper, a letter was left for the police by the sniper that included specific names and telephone numbers. Perhaps in order to persuade the panicking public that the police were in fact doing something, they allowed the letter to be published -- in redacted form -- on the Washington Post's Web site. Unfortunately, they implemented the redactions by the completely pointless method of placing black rectangles over the sensitive text in the PDF. A simple script was able to remove these boxes and recover the full PDF.

And three years ago in Crypto-Gram, I told the story of a CIA document that the New York Times redacted and posted as a PDF on its Web site. The document concerned an old Iranian plot, and contained the names of the conspirators. The New York Times redacted the document in the same reversible way that the Washington Post did.

So much for examples. How pervasive is this problem? In a recent research paper, S.D. Byers went out on the Internet to see what sorts of hidden information he could find. He concentrated on Microsoft Word, because Word documents are notorious for containing private information that people would sometimes rather not share. This information includes people who wrote or edited the document (as Blair's government discovered), information about the computers and networks and printers involved in the document, text that had been deleted from the document at some prior time, and in some cases text from completely unrelated documents.

Byers collected 100,000 MS Word documents, at random, from the Web. He built three scripts to look for hidden text, and found it in all documents. Most of it was uninteresting -- the name of the author -- but sometimes it was very interesting. His conclusion was that this problem is pervasive.

MS Word was the subject of Byers's paper, but other data files can leak private information: Excel, PowerPoint, PDF, PostScript, etc. There's no excuse for the companies that own those formats not to create a program that scrubs hidden information from these files. And certainly there's a business opportunity for some third party to create such a scrubber program, but they should be outside the U.S., because it might be a violation of the DMCA to do it. Microsoft's closed proprietary file formats make it harder to write such a scrubber, and unless Microsoft makes some additional changes in its software (e.g. usage and default values), scrubbers will remain an imperfect solution.

Oh, and the press uses techniques like this to unredact stuff all the time. I believe they don't mention it much because they're afraid they'll lose access to all that leaked information.

Byers's research paper:
<http://www.user-agent.org/word_docs.pdf>

Tony Blair bitten by inadvertent info left in MS Word files:
<http://www.computerbytesman.com/privacy/blair.htm>

The DC sniper letter:
<http://www.planetpdf.com/mainpage.asp?webpageid=2434>

DC sniper letter in redacted form:
<http://www.user-agent.org/washpost_sniperletter.pdf>

Same letter, unredacted:
<http://www.user-agent.org/washpost_unredacted.pdf>

The CIA and a redacted PDF file:
<http://www.counterpane.com./crypto-gram-0007.html#1>

[ Via CRYPTO-GRAM, 15 August 2003, Bruce Schneier]

RapidBlaster Alert

Thu, 12 Jun 2003 02:13:25 GMT

RapidBlaster Alert

Material supplied by Spyware Weekly Newsletter. Subscribe for the latest spyware info.

RapidBlaster is an advertising parasite whose very nature demonstrates all that is wrong with online advertising today. It is installed using activex driveby methods from affiliate web sites or silently by a browser hijacker called ISTbar. It sets itself to run hidden in the background when Windows starts, then pops up pornographic ads.

As with several other advertising parasites loose on the internet today, RapidBlaster actively works to evade removal by antispyware software. Other parasites mutate their filenames and CLSID identifiers randomly as they are installed, but this is not how RapidBlaster evades removal.

The software connects to a server at 209.47.15.73 to download a list of words. Then it creates a folder and a file with names based on those words, loads the new file, and exits. It then watches to see if anyone tampers with its registry settings. As soon as you use HijackThis or another tool to remove any part of the software or its settings, it takes a word from that list to create another anonymous version of itself, and then it disappears from view. That makes it extremely difficult to remove the bugger, because its authors designed it to watch for that and to defend itself.

I mentioned in a private security forum that we need to kill it from memory before attempting removal, and Javacool Software came to the rescue with a small program that specifically targets RapidBlaster. RBKiller will identify all known variants of RapidBlaster and remove it from memory, then delete the associated startup entry from the registry. It doesn't delete the actual file or folder currently, but most likely it soon will.

Those of you helping people out with HijackThis log files on message boards and newsgroups, you are looking for an entry similar to this:
O4 - HKLM..Run: [explorer lptt01] "c:\program files\explorer\explorer.exe"

Notice the part in bold. Current versions of RapidBlaster include that in all startup entries, although I can't imagine why considering how that makes it stand out. A future version will probably remove that to make it harder to find. If you spot that in someone's log, it is a clear sign of a RapidBlaster infection. Have them download and run RBKiller and that will solve their problem.

http://www.spywareinfo.com/downloads/rbkiller/rbkiller.exe

[Via Weekly Spyware Newsletter]

Messenger Plus Bundling Lop.com

Wed, 04 Jun 2003 03:20:33 GMT

Messenger Plus Bundling Lop.com

Material supplied by Spyware Weekly Newsletter. Subscribe for the latest spyware info.

Many of you may have heard of a program called Patchou's "Messenger Plus". I used it myself once, before I discovered Trillian. Similar to the many front end programs for Internet Explorer (Avant browser, MyIE2, etc), Messenger Plus adds a user interface to Microsoft's MSN Messenger that contains extra features.

Patchou has brought in C2Media as a sponsor and is now bundling their lop.com software into Messenger Plus. For those of you who have never heard of it, lop.com software is classified as a trojan by antivirus vendors and as a browser hijacker by antispyware vendors. You can find plenty of information about it by doing a Google search for lop.com. Just be warned - some of the language used by lop victims will melt your monitor.

No single parasite has caused as many support threads at our message boards as lop.com (although Xupiter comes close). Ad-aware, Spybot, and all other spyware removal programs target several older variants of lop.com. It now comes in a version that is nearly impossible to detect automatically. It uses randomly named files, randomly generated CLSID identifiers, and uses activex installation methods that let them update all of their installers at once.

Before this change, the number of lop.com complaints actually had gone down because it was so easy to remove and could even be blocked beforehand. Since C2Media introduced these new versions that mutate randomly, the number of infections has become larger than ever. The only sure way to be rid of it is to ask for help at the SWI support forums.

Patchou, the developer of Messenger Plus, has issued a statement regarding the complaints he's been receiving due to his new "sponsor". To all of the people who are saying that they won't use his program because of lop.com, he has this to say, "I don't want to be rude but if you boycot version 2.10.36, you're an idiot."

<sarcasm>
Rude? Well gee, what could possibly be "rude" about being called an "idiot" for refusing to install software that sets off trojan alarms in antivirus programs?
</sarcasm>

Whether it makes you an idiot or not, I strongly recommend that everyone stay as far away from Patchou's Messenger Plus as possible. If you have installed it already and now have lop.com's software all over your system, uninstalling Messenger Plus supposedly will also remove lop. If that doesn't work, then please read this FAQ and follow the instructions. We are very experienced at removing this thing and can easily walk you through it.

Links:

http://www.trillian.cc Trillian
http://www.spywareinfo.net/rd/6 Lop setting off AVG antivirus
http://www.spywareinfo.net/rd/6 Search Google for lop.com
http://www.spywareinfo.com/forums/ SWI Forums
http://www.spywareinfo.net/rd/8 FAQ, how to fix a browser hijack

[Spyware Weekly Newsletter]

Microsoft is spying on you .... and yes there is proof

Tue, 11 Mar 2003 23:19:03 GMT

Microsoft is spying on you .... and yes there is proof

People have been saying for years that Microsoft is spying on people using Windows. People have been spouting crazy sounding theories about how Microsoft knows what is on your computer, knows what movies you are watching, and is installing software over the internet without your knowledge. Those people are usually dismissed as kooks and paranoids, and are often challenged to "run a port sniffer and see for yourself". Well, it seems that a lot of people have a lot of crow to eat, because as it turns out, Microsoft really is spying on its users, and they've been caught at it red-handed.

German tech news portal tecchannel is reporting that when users of Windows XP use the Windows Update web site, it transmits a list of installed software and the hardware configuration of the machine to Microsoft. Using custom-built software which takes advantage of an undocumented function of the Windows API, tecchannel has logged the data being transmitted to Microsoft just before it is encrypted. Their testing also reveals that Microsoft can identify your machine uniquely if they chose to do so, and could even lock you out of the site altogether.

The first six pages of the article are free. This is a subscription web site, so the complete article is not available to non-subscribers, but you can buy the article in pdf format for $2. When you buy the article, they also send you the custom software they used to log this activity. Since there is absolutely no doubt that a future "update" from Microsoft will disable the undocumented API function used to gather this evidence, they provide no support for the software.

This shouldn't really be a surprise. As I said, people have been saying it for years, but there is always the naive majority who refuse to believe that these sorts of abuses happen until the hard evidence is rubbed in their face. Last year rumors circulated that Microsoft's Windows Media Player was spying on them by sending back information of the music they listened to and the movies they watched. As before, the uninformed refused to believe the rumors, ridiculing those making the suggestions rather than investigating for themselves.

An investigation by noted privacy advocate Richard Smith found proof that once again, the rumors were true. Using a port sniffer, Smith found that each time a DVD movie is played on a computer which is online, Media Player 8, which ships with all copies of Windows XP, contacts a Microsoft web server to get title and chapter information for the DVD. In violation of Microsoft's stated privacy policy, the server was setting a cookie with a unique identification code that enabled Microsoft to track what DVDs were being played on that particular computer. Rather than acknowledge that they had violated the privacy of their users, Microsoft merely shrugged and said "oops" before updating their privacy policy to include the behavior that they had been caught engaging in.

This wasn't the first time Microsoft has been caught lying in its privacy policy. Last year, an FTC investigation concluded that Microsoft made false promises about how secure it kept the consumer information it collected. The Director of the Bureau of Consumer Protection at the FTC, Howard Beales, said that Microsoft had been collecting information about the day and time consumers logged into participating Passport Web sites without their knowledge, and storing data for longer than it claimed.

It wasn't the first time it's happened, and it won't be the last time it happens. I am sure that the next time someone tries to warn people that Microsoft is doing something wrong, the same people who blindly refuse to listen will again display their ignorance with taunts and insults. History is full of examples of people reacting to theories that disagree with their own beliefs by ridiculing those who come up with them. In the end, no one looks more foolish than those who use childish insults as a substitute for intelligent argument. Keep that in mind the next time someone warns about privacy being invaded.

[Via Spyware Info]

Nigerian Net Scam, Version 3.0

Tue, 31 Dec 2002 18:45:23 GMT

Nigerian Net Scam, Version 3.0 By Michelle Delio

Story location: http://www.wired.com/news/culture/0,1284,56829,00.html

02:00 AM Dec. 16, 2002 PT

All those beleaguered widows, complaining chief's sons and yowling high-ranking government officials don't want your assistance in getting a large sum of money out of Nigeria anymore.

Now they want to buy your stuff.

Yes, there's a new twist in Nigeria's thriving Internet-based scam operations. This time, the scammers pose as potential buyers for big-ticket items, like cars, listed for sale online.

The buyer explains that a business associate in the United States will mail the seller a cashier's check for the amount of the item plus the cost to transport it overseas. The seller is asked to wire the transportation fees to the buyer once the check has cleared so the buyer can arrange for shipment.

But a week or so after the check clears and the money has been wired, victims are notified by their banks that the check was counterfeited.

The scam has become so widespread that victims formed their own online support group last month. The group now has close to a hundred members.

Scam victims admit they initially were skeptical when the deal was brokered, but after receiving and depositing a cashier's check that cleared, they assumed all was well.

The scam takes advantage of a little-known loophole in the U.S. banking system. Many people don't realize that when a bank says funds have cleared, it doesn't mean the check is good, according to Carol McKay, director of communications for the national consumers league.

"Under federal law, depending on the type of checks deposited, banks must give consumers access to the money within one to five days. Longer holds can be placed on deposits over $5,000, but banks are reluctant to inconvenience their customers," McKay explained.

Unfortunately, it can take weeks for fake checks to be detected in the banking system. And consumers are then left holding the bag for the money they've withdrawn. That's because it's the depositor, not the bank, who is responsible if a check turns out to be bad."

Jeff and Shawn Mosch were victims of the scam, and they figure their bank is just as much at fault as the con artist who ripped them off for $7,200.

Shawn Mosch said she went to the bank with the cashier's check and told the teller, "I need to know when this is going to be a good, clear check -- when this is going to be actual money I can spend and it's never going to come back and bite me in the butt."

She was told her butt would be out of harm's way in 24 hours.

Mosch said she waited an extra day just to make sure, and then wired the money to the buyer. Five days later, the bank informed Mosch the check was counterfeit and her checking account was now $5,000 overdrawn.

McKay said the scam isn't limited to Internet sellers. The Consumers League is starting to hear from people who have also received counterfeit checks in connection with work-at-home offers.

"Banks would serve their customers better by explaining that they can't immediately tell if the checks are good and that the depositors will be stuck if they're not," McKay said. "In general, it's probably a good idea to wait several weeks before drawing on checks from unfamiliar sources.

"But the bottom line is this: No legitimate company will offer to pay you by arranging to send you a check and asking you to wire some of the money back. If that's the pitch, it's a scam."

School 'hacker' Gets an 'A'

Thu, 19 Dec 2002 04:10:27 GMT

School `hacker' gets `A'
11TH-GRADER BREACHES SECURITY, WITH APPROVAL
By Larry Slonaker
Mercury News

Reid Ellison, an 11th-grader at Anzar High School in San Juan Bautista, recently decided a cool student project would be to hack into the school's computer grading system. So he presented the idea to school administrators, and they gave him the go-ahead.

He hacked his way in without difficulty. Once there, he wanted to leave a footprint to prove he had been successful. But he couldn't artificially bump up his grades -- he already had a straight-A average.

His solution? Lower his grades. He dropped himself from a 4.0 grade-point average to 1.9.

``It was kind of the opposite of what most people would do,'' he said Monday.

Reid's project was an Anzar ``exhibition.'' The school requires students to create six exhibitions to graduate. The projects, which have both a written and oral component, ``are supposed to be issue-based, not topic-based,'' said Wayne Norton, Reid's adviser.

``They're not just reports.''

Students' exhibitions have to touch on six subject areas, and Reid hit three in his hacking report -- history, science and math. (Part 2 of his written report was, ``The History of Hacking.'')

Last week he gave a presentation on his project to his three evaluators. They gave him a perfect score.

As it turned out, doing the report was the hard part of the project. The hacking was easy.

``I had a pretty good idea that it wasn't the best security system,'' Reid said. Once he had his hacking program in place, figuring out the password ``didn't take too long -- 200 milliseconds.''

He didn't tell any fellow students he had been successful until the administration had a chance to change the password. The school is taking other steps to shore up its security, too.

``We're aware we've got a hole that needs to be plugged,'' Norton said.

After his hacking venture was recorded, Reid remembered perhaps the most important stage of the project. He made sure his grades were adjusted back up.

He obviously didn't get that 4.0 by accident.

Keeping Track of John Poindexter

Sun, 15 Dec 2002 01:50:21 GMT

Keeping Track of John Poindexter

By Paul BoutinPaul Boutin

Story location: http://www.wired.com/news/politics/0,1283,56860,00.html

02:00 AM Dec. 14, 2002 PT

The head of the government's Total Information Awareness project, which aims to root out potential terrorists by aggregating credit-card, travel, medical, school and other records of everyone in the United States, has himself become a target of personal data profiling.

Online pranksters, taking their lead from a San Francisco journalist, are publishing John Poindexter's home phone number, photos of his house and other personal information to protest the TIA program.

Matt Smith, a columnist for SF Weekly, printed the material -- which he says is all publicly available -- in a recent column: "Optimistically, I dialed John and Linda Poindexter's number -- (301) 424-6613 -- at their home at 10 Barrington Fare in Rockville, Md., hoping the good admiral and excused criminal might be able to offer some insight," Smith wrote.

"Why, for example, is their $269,700 Rockville, Md., house covered with artificial siding, according to Maryland tax records? Shouldn't a Reagan conspirator be able to afford repainting every seven years? Is the Donald Douglas Poindexter listed in Maryland sex-offender records any relation to the good admiral? What do Tom Maxwell, at 8 Barrington Fare, and James Galvin, at 12 Barrington Fare, think of their spooky neighbor?"

Smith said he wrote the column to demonstrate the sense of violation he felt over his personal records being profiled by secretive government agencies.

"I needed to call Poindexter anyway, and it seemed like a worthy concept that if he's going to be compiling data that most certainly will leak around to other departments and get used, one way to get readers to think about it was to turn that around," Smith said.

What Smith didn't realize was that Poindexter's phone number and other information would end up on more than 100 Web pages a week later as others took up the cause.

Phone-phreaking hackers supplied details on the Verizon switch serving the admiral's home. The popular Cryptome privacy-issues website posted satellite photos of the house.

Poindexter could not be reached for comment for this story, and calls to his home phone now reach a recording: "The party you are calling is not available at this time."

Since the Defense Advanced Research Projects Agency began awarding contracts for the Total Information Awareness project in August, the effort has been criticized by both civil rights advocates and data-mining experts.

The dispute over TIA seems to fall not along straight political party lines, but between advocates and opponents of the government's right to monitor its own citizens. Former President Clinton expressed support for the project in a recent public appearance, while conservative New York Times columnist William Safire recently wrote a pointed editorial criticizing the idea.

One Bush voter, speaking on condition of anonymity, said of the pranks on Poindexter: "If they're making him as uncomfortable as we are, good."

More On The Autotote Scam

Thu, 21 Nov 2002 03:58:40 GMT

Foistware / Spyware - Gator, OfferCompanion, Trickler, GAIN

Wed, 13 Nov 2002 19:14:29 GMT

Foistware / Spyware - Gator, OfferCompanion, Trickler, GAIN

Update: As of April 2002, Gator has been implicated in a questionable practice some are calling "drive-by-downloads". In this scheme, a normal banner or popup ad will attempt to install software (executable code) on the user's PC. Depending on the browser's security settings, the software will either download silently and without any user action, or present an install dialogue. Novice users may choose "Yes" thinking the browser is asking to download a legitimate page-display plugin.

Gator is a software product that can automatically fill in passwords and other form-elements on Web pages. But its main purpose is to load an advertising spyware module called OfferCompanion, which displays pop-up ads when visiting some Web sites. Gator boasts that since it's software is always running, it can spam users with "Special Offers" and other ads anywhere they go--even competitors' sites--with remarkable targeting capabilities, since it can spy on what sites the user is visiting. Don't take my word for it, see what kind of abilities Gator boasts to potential advertisers.

Gator is confirmed spyware, according to Tribune Media Services (via SecurityNewPortal):

"Gator tracks the sites that users visit and forwards that data back to the company's servers. Gator sells the use of this information to advertisers who can purchase the opportunity to make ads pop up at certain moments, such as when specific words appear on a screen. It also lets companies launch a pop-up ad when users visit a competitor's Web site."

According to SimplytheBest Spyware information:

Gator helps you to fill out forms and remember passwords. Gator targets consumers based on site visitation and/or historical behavior. Your personal information is stored on your computer in an encrypted file. Gator accesses this personal information on occasion, using your IP address to help diagnose. Gator provides aggregate statistics about its customers, traffic patterns, and related site information to third-party vendors. In order to provide this service, they collect information on your web usage.

According to this article (& discussion), Gator is also dynamically inserting ads on top of ads already on the page. They look and feel like the site's real banners, but place ads for things the actual Web site never intended--including ads for competitors' products and possibly even adult materials. Among other things, this 'steals' advertising revenue from the legitimate owner of that Web site, as their banner is inaccessible and covered up by the Gator ad. (The basic idea of this questionable technology is similar to ezula's TOPText.)

Gator recently sued the Internet Advertising Bureau for decrying their methods as unethical and deceptive, and potentially illegal. Gator is seeking monetary damages for the IAB's "malicious disparagement", as well as a declaratory judgment deeming their methods legal and forbidding the IAB from bringing their own suit on behalf of members whose sites' ads are being poached.

Gator Modules

Gator (iegator.dll and others)
Gator is the main software, which autocompletes Web forms (which is completely unnecessary for many MSIE users, since IE has included an AutoComplete feature since version 5.0).
OfferCompanion
This is the advertising spyware module. It is responsible for spying on your Web browsing habits, downloading and displaying pop-up ads, and transmitting (personal?) information to Gator.

Trickler (fsg.exe, fsg-ag.exe, fsg*.exe)
Trickler is an "install stub", a small program that is installed with the application you really wanted. (Gator almost always appears on your system due to installing OTHER software, and not the installer available from Gator's website.) When installed, Trickler inserts a Run key in your Registry so that it is silently and automatically loaded every time you start your computer. Trickler runs hidden and very slowly downloads the rest of Gator/OfferCompanion onto your system. It is suggested that this "trickling" activity is intended to slip under the user's radar, the steady, low usage of bandwidth going unnoticed.

While often named fsg.exe, Trickler can go under other similar names, such as fsg-ag.exe (installed with AudioGalaxy) or another name containing "fsg" or "trickler".

GAIN (GMT.exe, CMESys.exe, GAIN_TRICKLER_*.EXE)
GAIN is short for Gator Advertising Information Network, and is the newest incarnation of the Gator spyware we all know and love. Gator describes this module here.

Dropping Gator

If you actually use(d) Gator for its purpose of remembering passwords, there are safe alternatives. The major browsers (IE, Netscape, Mozilla) and some non-major ones now include an autocomplete and password-remember feature. Gator users can also easily switch to RoboForm, a free program that does the same thing without spamming your system with ads and selling your privacy short. It can even import all your Gator data. Also, check out this page for retrieving passwords from Gators database.

Links
ThiefWare - more information on these onerous products
Scumware - Software that is ripping webmasters off - list of active Scumware (TOPtext, Surf+, Gator...), how to remove them, and more.
Gator rushes to court over ad technology - Gator's lawsuit against the Interactive Advertising Bureau over negative statements, and request for declararoty judgement

Identity: Digital ID World Conference

Fri, 11 Oct 2002 03:38:32 GMT

Not ready for DIDW player - I wish I were at the Digital ID World conference. Phil Windley's talk sounds very interesting. I have to admit that when it comes to Digital ID issues, I'm stupid. But I'm interested in the complex molecular structures that are being discussed. I'm interested in complexity too. But the Complexity World conference is still a ways off. So back to "identity" and what it means to stupid old me. And 'cause I'm stupid (and I notice that I'm not alone here) I need for "identity" to be simple.

I think that "identity" as a practical tool for humans, needs to be almost as simple as it is for dogs. Dogs don't like complexity at all, which is why there will never be a gathering of canines to yelp about how to improve 'ass-sniffing.' Of course, the problems of digital identity are more than: who are you? Still, that age-old problem is the one that is most nettlesome. For example, my wife and I went to the closing of our house recently. The first thing the notary wanted was our drivers' licenses. Why? So that she had a record of the identities of the people who were signing the legal documents that she was going to attest to. We all knew each other, but she didn't know us. So she had to sniff our rear-ends, so to speak.

Phil Windley says governments don't want to be in the identity managment business, even though they are. He says, according to the JOHO blog that "government has abdicated its responsibility as an issuer of digital signatures, which is why they're not as useful as they should be." That is so true. Someone has to be the lead dog here. But a lot of people cringe and say they don't want the government having too much control. Well, without a sovereign (Hobbes reminds us) we live in state of nature. And digital identity becomes the least of our worries. Well we aren't returning to the state of nature anytime soon, but it helps to remember the Hobbesian principles.

In the digital world of ass-sniffing, we need something more reliable than easily forgible drivers' licenses. And the government, excuse me...The Sovereign, is just the one to tackle this basic job.

[via Ernie the Attorney]

The Evil 'Eye In The Sky' and Here's Big Brother Looking At Ya Baby CAM

Mon, 07 Oct 2002 18:37:10 GMT

Here's Big Brother 'Lookin At Ya, Baby' CAM

New York Times - free registration required Protesting the Big Brother Lens, Little Brother Turns an Eye Blind.

Confronted with the unblinking eyes of surveillance cameras, Michael Naimark believes he can hide in plain sight with the aid of a $1 laser pointer.

Mr. Naimark, a Silicon Valley artist and technologist, decided to try turning the tables on what he saw as the potential for Big Brother surveillance after the Sept. 11 attacks. This little Brother response: using inexpensive laser pointers to temporarily blind those omnipresent electronic eyes. He plans to post his 13-page, single-spaced treatise on the subject this week on his Web site.

[...]

A national debate over the ethics of surveillance continues to grow as video cameras proliferate.

[ ... ]

In recent weeks there have been a growing number of incidents involving video-surveillance cameras, ranging from the mother who recently surrendered after she was recorded hitting her 4-year-old daughter in an Indiana parking lot to a man who filed a $1.5 million lawsuit against the Marriott hotel chain last month after discovering a video camera hidden in a bathroom light fixture.

The growing reliance on surveillance is giving some of the pioneers of the video camera industry second thoughts.

"I have lots of worries about how this technology is being used," said John Graham, who is the founder of BroadWare Technologies, a Cupertino, Calif., maker of software for video-camera networks, and who was one of the first researchers to send audio and video over the Internet.

"I've become Big Brother, but I didn't mean to be," Mr. Graham said. "It's just that there's no money in education or scientific collaboration."

[ ... ]

The value of video cameras to improve safety and detect terrorists has been greatly overrated, according to Marc Rotenberg, the executive director of the Electronic Privacy Information Center, a nonprofit advocacy group based in Washington.

Like the Surveillance Camera Players, Mr. Rotenberg said he worries that while Internet-viewable cameras might offer entertainment, there are other networks of private and law enforcement cameras that collect information secretly on behalf of the government.

"There has been a reduction in privacy and there has been an expansion in government secrecy," he said. "We give up our privacy, but we don't gain openness in exchange."

[Privacy Digest]

Who's Spying On My eMail

Fri, 30 Aug 2002 02:54:13 GMT

MS-NBC [Privacy Digest]- Who's spying on my Hotmail? With new spyware, even your private Yahoo, Hotmail e-mails can be seen

Think using Yahoo or Hotmail e-mail at work protects you from your boss' prying eyes? Think again. New spy software essentially lets employers or parents co-pilot virtually any kind of e-mail account, including private Web-based e-mail accounts like Yahoo and Hotmail. A new version of eBlaster spyware will secretly forward all e-mail coming and going through such Web-based accounts to a spy's e-mail, allowing anyone to "ride-along" even the supposedly private e-mail.

[ ... ]

But word of the software's new feature disturbed privacy advocate Richard Smith of ComputerBytesMan.com -- and he suggested potential users think twice before installing the software,

"This is e-mail wiretapping," Smith said. "I would put up a big warning flag. Anybody who would consider buying this product should check with a lawyer first. There is a high probability it runs afoul of the Electronic Communications Privacy Act. I would not take the company's word that it's legal." Enacted in 1986, the Electronic Communications Privacy Act prohibits interception and disclosure of wire, oral, or electronic communications in most cases.

Spyware like that produced by SpectorSoft and competitor WinWhatWhere Corp. has not yet faced a definitive courtroom test. But David Sobel, general counsel of the Electronic Privacy Information Center, equated private Web-based e-mail account with an employee receiving a personal letter through the company mailroom. The contents of such a letter are protected by U.S. mail regulations.

"The question is: Is there a reasonable expectation of privacy? I would argue that if a company.com account is provided to me for company business, I can assume it might be subject to monitoring ... but if I take additional step to set up a Hotmail account that I occasionally access from my desktop at work, I think that could be construed as an expression of an expectation of privacy."

Nevertheless, the spyware makers generally argue that employers have the right to observe anything that happens on company-owned computers.

Chemical Weapons Threats, Real and Perceived

Wed, 21 Aug 2002 03:01:10 GMT

Chemical Weapons Threats, Real and Perceived (Elizabeth Spiers)

CNN keeps playing a tape of a rumored Al-Qaeda chemical weapons experiment that contains footage of a dog being killed by a gaseous substance. CNN, as usual, is conjecturing about the various possibilities - strongly suggesting that the substance in question is sarin - and asking whether major urban areas should have chemical antidotes in case of an attack.

I did some WMD research while working on a public policy/political science degree and my senior paper on "patterns of normative contraint in terrorist behavior" several years ago. Through a series of strange coincidences, I ended up advising a state government agency on chemical weapons disposal and emergency response policy for a Sarin/VX/Mustard Gas stockpile that was slated to be destoyed shortly before 2002. (The deadline has been repeatedly extended and the stockpile is, unfortunately, still there.) I'm not one to downplay the danger presented by these things, but CNN is really blowing some of this stuff out of proportion. A few points:

1) This one isn't going to actually make you feel better, but the mass-destruction risk presented by terrorist groups developing chemical weapons is probably much smaller than the risk presented by mismanagement or damage to existing stockpiles owned by the U.S. government. (Incidentally, one of the primary disaster scenarios for the stockpile I was working on was that an airplane would crash into the bunker. This was in '98.) The U.S. stockpiles consist of fully weaponized agents, in much purer form than anything known to be illicitly manufactured abroad. There is a small risk that GB and VX-loaded M55 rockets with nitroglycerine-based propellants will autoignite as stabilizer compounds naturally degrade. The areas surrounding the U.S. stockpiles have formal emergency response plans in case of such an event, but the damage would be very hard to contain, and casualty prospects for the immediate vicinity were pretty grim. Some of the proposed response tactics seemed as ridiculous as Cold War-era admonitions to run cold water over your house in the event of nuclear attack. They struck me as psychological security blankets for nearby civilians rather than a legitimate and effective response, and the FEMA/Army-run emergency preparedness program's failure to account for a good $20 million in appropriations didn't make me feel any better. If you want to worry about a real chemical weapons threat, worry about those rotting stockpiles and the risk they present if not destroyed. They're a lot more likely to affect you than a terrorist with a homade version.

2) The chemical weapons threat tends to get overblown because powerful nerve agents can be manufactured from fairly common and widely available dual-use chemicals and people assume that this means they *will be* developed. There are a number of risks associated with development, handling, maintenance, and delivery that provide tremendous practical disincentives for manufacture and actual use. Delivery is a major logistical problem, and it's much harder to recruit suicidal volunteers that are willing to die via painful chemical death than instantaneous explosion. Willing martyrs are not so much a commodity when slow death and possible torture are involved.

There are also a number of strategic disincentives to use; the primary being that chemical warfare is considered inhumane and indiscriminate, and any terrorist group with serious political aspirations will not push the envelope so far as to completely undermine any chance of eventual legitimacy. Having them and using them are two utterly different things. (Saddam Hussein, for example, began developing chem/bio weapons to neutralize threats presented by Iran and Israel. The deterrence/offensive use distinction is extremely important.)

The only terrorist demographic that has a rational incentive to use chemical weapons for mass destruction are religious apocalyptic terrorist groups that believe their actions are hastening Armageddon (i.e., Aum Shinrikyo, the Japanese doomsday cult that in 1995 released sarin into a Tokyo subway. It should be noted that Aum Shinrikyo failed to accurately produce a highly lethal version of the agent, and if they had, given their sloppy handling, would have probably done more damage to themselves than their intended targets.) Al-Qaeda is functionally a political terrorist group despite the religious rhetoric. Mass destruction is not strategically effective for them in the long run, and the leadership of Al-Qaeda knows this.

3) Technical point : The tapes show a white viscous liquid substance that effervesces a white gas. Sarin and VX are colorless and odorless, in both gaseous and liquid form, which lends credibility to the theory that it's really a cyanide/sulfuric acid combination. Also - both are cholinesterase inhibitors, which basically push major organs into overdrive. The poor dog in the video would have probably reacted more violently and died faster if it were sarin (at the potency required for mass destruction.)

A very impressive review about the chemical weapon's threat and the sorry record of the US government's sloppy and reckless management of WMD stockpiles of biological agents as well as the ticking timebomb of nuclear weapon wastes.

Howard Hughes homeland security plan

Tue, 20 Aug 2002 19:09:19 GMT

JAY AMBROSE says he's worried we're heading for a Howard Hughes homeland security plan:

Howard Hughes, you may recall, was the billionaire movie-producer-businessman-aviator whose paranoia about germs eventually ushered him into a reclusive life as ultra-sanitized as his money could buy. Instead of cheating death, he probably hastened it, and in the meanwhile cheated himself out of the kind of full, active, interesting existence disallowed by the excessive precautions of outsized fear.

We could do much the same thing to this society of ours if we delude ourselves into thinking that we can be perfectly safe if we work hard enough at it - if we spend enough money, expand the government sufficiently, put up enough inconveniencing roadblocks of various kinds, curb enough freedoms, look under enough stones.

It's a fraud, this frame of mind, and it won't deliver.

He's right. Fortunately, more and more Americans -- encouraged by the tweezer-confiscating air security example -- are waking up to this reality. [InstaPundit]

Homeland Security Confiscates 2

Wed, 07 Aug 2002 02:28:48 GMT

Well, I feel so much safer now.

2" GI Joe rifle confiscated at LAX. The British tabloid The Sun reports that security guards at LAX confiscated a two-inch plastic GI Joe rifle from a seven-year-old's toy action figure. I feel safer.

Security chiefs at Los Angeles airport said: “We have instructions to confiscate anything that looks like a weapon or a replica.
“If GI Joe was carrying a replica then it had to be taken from him.”

Link Discuss (via MeFi) [Boing Boing Blog]

The continuing efforts to eliminate judgment from human processes scares me no end.

[McGee's Musings]

Homeland Security, Totalitarian Nightmare, and Freedoms

Mon, 29 Jul 2002 17:27:02 GMT

HOMELAND SECURITY is not only a joke, it's a joke that a lot of people who have been supporting the war aren't finding very funny. The combination of ineptitude with bureaucratic power-grabbing is looking like a real vulnerability for the Administration. [InstaPundit]

Ever since the big crackdown after 9/11, I've gone along with the program. You know, accepted the extra hour at the airport, watched as (seriously) 80-year-old ladies with artificial knees were given the full treatment at the airport. I didn't come out squawking about the various internal security changes in the U.S., although I was not pleased with the PATRIOT Act. After all, we were at war, and you've got to accept some inconveniences. But I was really not very happy about the way things were going, and it took Kim du Toit to make me realize why:

Message to the President: You are sailing into waters where you do not belong. Not that we don't trust you-- it's nothing personal. But we're not going to give any government this much power over our lives-- and this includes you and your successors. You'd have to persuade us that you've done everything, and I include nuking Mecca in the definition of "everything", before I would even think of letting you turn this nation into the totalitarian nightmare of your "Homeland Security" initiatives.

That's it. That is exactly it. It's grandmothers being searched instead of young Arab males. It's British mothers being thrown out of the country while the Saudis get a "visa express." It's us being inconvenienced while bureaucrats stumble around in a PC coma. When the citizens of the U.S. said they supported the War on Terrorism, it's because they thought it would be waged against terrorists, not them.

Kim's right. I will vigorously fight against any restriction or violation of my rights under the Constitution and Bill of Rights as a U.S. citizen until all possible alternatives have been exhausted. And even then, it'll be temporary and extremely grudging. During WW2 Americans accepted rationing and other inconveniences, and if necessary we can do the same this time. But we want to see that we're sacrificing for a reason. So you want to mess with my rights, FBI? Let's see a real housecleaning over there, with people fired and the gangrenous flesh of your bloated, ass-covering bureaucracy hacked away. When you're a tight, professional, productive organization with some real results to show us, maybe we'll trust you with a bit more power. Right now I think you probably need less.

And that goes for the rest of "Homeland Security," too. First, get your act in order. Fire the incompetent and the deadwood (that would solve any budget problems you claim to have, as well). Quit doing dumbass shit like rejecting Arabic languages experts you desperately need, just because they smoked some weed back in the sixties. Try, for god's sake, to run your organizations with at least 1/10th the efficiency of the average Subway franchise.
Second, let's see some truly suspicious folks take some heat before you ask us to get cavity searched. That's not "racial profiling" - that's police work. Let's see some mass deportations of illegal aliens and our borders closed to "visitors" from known terror states before you have the meter reader looking in my windows.
Third, before you get any expanded powers, show us you can use those you already have without screwing up. Accusing some guy who waved a gun around at a party of making "terroristic threats" doesn't fill us with confidence. We get this feeling you may decide it's too hard to go after real terrorists, so let's go arrest that guy down the street who said cranky things about the government.

We are not the enemy, and we don't like being treated like the enemy while the real enemy walks free.

Find out just what the People will submit to and you have found out the exact amount of injustice and wrong which will be imposed upon them; and these will continue until they are resisted with either words or blows, or with both. The limits of tyrants are prescribed by the endurance of those whom they oppress.
--Frederick Douglass