The Washington Post reports that IE 7 will not have the long known flaw that allows a website to steal the data that may be hanging out in your clipboard.
For those who don't know, the clipboard is where anything you cut and paste hangs out. The trick is, it stays there until you cut or copy something else. So, if the last thing you copied was your tax record from one document to another and then you visit a nosy website, they could have all that data.
If it seems as stupid to you as it does to me that IE allowed this in the first place, then you'll understand why security people like me knock Microsoft all the time (this is hardly the first or last instance of this kind of thing).
For another example, see this article, under the heading of Macro Viruses.
The EFF (who is also the organization spearheading the lawsuits against AT&T) is now taking on the secret profiling program that has hit the news recently. From their e-newsletter:
The Automated Targeting System (ATS) creates and assigns "risk assessments" to tens of millions of citizens as they enter and leave the country. In November, DHS announced that the program would launch on December 4, but Homeland Security Secretary Michael Chertoff later admitted that the program had already been in operation for several years.
Under ATS, individuals have no way to access information about their "risk assessment" scores or to correct any false information about them. But while you cannot see your score, it will be made readily available to untold numbers of federal, state, local, and foreign agencies. The government will retain the data for 40 years.
In a widely-heralded and very long-sought victory for CAGW and all taxpayers, the Treasury Department announced last May that it would stop collecting the excise tax on long distance telephone service. Known as the Spanish-American War Tax, this "temporary" tax on phone service, considered a luxury at the time, has survived for 108 years, far surpassing its raison d'être, which lasted just four months. You can apply for a refund of the payment of that tax from 2003-2006 when you file your 2006 tax return next year.
In this article, they explain that the Government can use the laws the way they're written now to read any e-mail that is hosted on someone else's computer (like the servers at AOL, Google, Hotmail).
A man who was partially convicted based on his e-mails is suing, saying that it's unconstitutional for them to read his e-mails without a warrant. While the case is in appeals, the arguments are that e-mail should have the same privacy protections as snail mail, while the government cites several reasons why they can and should be able to read them.
Schneier links to an article about RFID passports being cloned in under 5 minutes. The authorities have stopped denying it's possible and have shifted to denying that it can be used for any nefarious purposes.
The UK Home Office however dismissed the ability to get hold of the information on the chip.
A spokesman said: "It is hard to see why anyone would want to access the information on the chip.
"Other than the photograph, which could be obtained easily by other means, they would gain no information that they did not already have - so the whole exercise would be pointless: the only information stored on the ePassport chip is the basic information you can see on the personal details page."
Well, it sure is hard to see why anyone would want to see someone's credit report, criminal history, medical information, social security card, birth certificate, etc etc. Are these people for real? And they're the ones in charge of security?
At the end of the article, they say the same thing I have always said: This "security feature" is actually LOWERING the security of passports… And not by a small amount.
Bruce Schneier found an interesting article in the NY Times about a bored computer science student who wrote a web page that printed nearly identical boarding passes to those used by Northwest Airlines. Using the fake passes, people were successfully able to bypass airport security. The important part of this article is the fact that the student did no hacking, no cracking, no breaking of any system. All he did was make passes that looked real.
No cryptographic recipe was cracked; no airline computer system was compromised. Without visiting an airport, Mr. Soghoian needed access to nothing other than a public Web site to embarrass those responsible for airport security.
As security professionals have been saying for years, these measures make life difficult for law-abiding citizens, but do nothing to stop the bad guys.
In an amusing example of the kind of thing I wrote about on the 14th, Sony created a fake website called "alliwantforchristmasisapsp" where two employees of their marketing firm pretended to be young, hip gamers who blogged about wanting a PSP.
The tide began to turn against Sony's initiative after popular webcomic Penny-Arcade publicly outed the chicanery in a deliberate move to force a little transparency up ins. The Internet was quick to kick the horrid thing to death after that point in a classic example of pile-on. For a brief moment, the blog existed in a state of apology with the following classic phrase resplendent:
A laptop containing the personal information of 328,000 current and former employees of Boeing was stolen in Chicago, according to the company.
The laptop theft was the third to befall Boeing in the past twelve months.
Boeing is contacting the affected employees by mail and has promised to set up free credit monitoring for them through the Experian credit bureau.
Doesn't that make you feel warm and fuzzy? Boeing gets to look like they're being responsible about the problem and the Credit company gets all kinds of money for a worthless service.
WASHINGTON–U.S. Department of Homeland Security Secretary Michael Chertoff on Thursday defended forthcoming national ID cards as vital for security and consistent with privacy rights.
From the article:
"Do you think your privacy is better protected if someone can walk around with phony docs with your name and your Social Security number, or is your privacy better protected if you have the confidence that the identification relied upon is in fact reliable and uniquely tied to a single individual?" Chertoff asked rhetorically.
Has anyone heard of "false dilemma" before? This is where you are presented with two choices when there are actually many. One choice is always extremely horrible to make the other seem reasonable. An example could be, "Would you rather put RFID in your credit cards or have a horde of violent viking warriors destroy your home and burn your family?"
Use of "false dilemma" is a sure sign of low intelligence or complete lack of respect for the audience.
There's more good stuff in the article, but I'll let you read it yourself. I want to end by saying this: we're supposed to trust a national ID card system from the same organization that gave us RFID passports? I don't think so.
Obligation Inc. is documenting the exploits of BusRadio, a company that is producing programming intended for play on school buses. From the Obligation.org page on the issue:
These men realize that once on a school bus, children are a captive audience. Any captive audience can be exploited by forcing them to hear advertising. So Steven Shulman and Michael Yanoff developed BusRadio and were greatly aided by the venture capital moneyman Robert Davoli of Sigma Partners. As far as I can tell, this is the first time Sigma has chosen to financially back a very controversial company.
The Washington Post reports that the FTC has begun to crack down on false word-of-mouth advertising. This is where a company pays people to tell friends about their products. From the article:
As the practice has taken hold over the past several years, however, some advocacy groups have questioned whether marketers are using such tactics to dupe consumers into believing they are getting unbiased information.
This is a great demonstration for anyone who is skeptical that RFID chips can be used to track people. It's a good example because the chips have no personal identifying information, yet can still be used to track people. As long as the chips have unique IDs, those IDs can be used for surveillance.
Schneier goes on to say:
To me, the real significance of this work is how easy it was. The people who designed the Nike/iPod system put zero thought into security and privacy issues. Unless we enact some sort of broad law requiring companies to add security into these sorts of systems, companies will continue to produce devices that erode our privacy through new technologies. Not on purpose, not because they're evil — just because it's easier to ignore the externality than to worry about it.
Hackers have gained access to databases at the University of California-Los Angeles (UCLA), making off with the personal information of 800,000 current and former students, employees, and faculty.
The data breach is thought to be the largest of its kind at an American college or university.
I've always said it's less about the security of the system than it is the value of the data stolen. If it weren't so easy to use and abuse people's personal data, then ID Theft wouldn't be such a problem.
With Credit Security Freezes, a crook could have all your data and still do nothing with it.
The National Institute of Standards and Technology (NIST) is recommending that the 2007 version of the Voluntary Voting Systems Guidelines (VVSG) decertify direct record electronic (DRE) machines.
In the article, they explain how NIST has found that the machines have no paper trail, and that a single programmer could rig an entire election. Uh…hello? This is not news; this was well known for a long time before now. Hopefully now that NIST has said it, someone in Congress will pay attention.
Gamasutra reports that Nintendo is looking into possible solutions for the accidental destruction of TVs or nearby items/people when players in America get a little too excited when playing and accidentally throw the remote.
The article quotes Nintendo execs as having considered ways to prevent people from getting so excited or by making a special glove people could wear. Apparently they haven't thought that strengthening the wrist strap and putting a small amount of rubber gripping on the edges of the remote where it's held would likely fix the problem just fine. For an extra measure, put rubber edge protectors on the four corners of the front of the remote so if it did fly, it would be less likely to damage anything.
A member of the Senate Banking Committee denounced RFID "no-swipe" credit cards at a press conference Sunday. Senator Charles Schumer (D-NY) said contracts for the cards should have warning boxes disclosing "the known weaknesses of the technology." He cautioned cardholders about their vulnerability to identity thieves, commenting you "may as well put your credit card information on a big sign on your back."
RFID is an extremely dangerous technology if left unregulated and businesses are rushing to get it to the market before people know what's happening. That's why situations like this happen:
CASPIAN demanded a recall of RFID credit cards last month after the New York Times reported that a team of security researchers found that virtually every one of the "no-swipe" credit cards it tested was vulnerable to unauthorized charges and put consumers at risk for identity theft.
I had to laugh when I read this today at Penny-Arcade:
I must say that, completely independent of actual gaming consoles, these squabbles over resolution in next-gen displays are mainly disheartening. From a consumer perspective, it's a bramble. Now the discussion is about whether or not the device is actually displaying the full resolution it's capable of, or if the television is upscaling it, or if there is a token on the media explicitly disallowing full res, and it's a pile of shit. All of this confusion for paying customers, so that pirates will be detained an additional fifteen minutes before they descend, their scythes awhirl.
For those who don't know, Penny-Arcade is a site that has been doing comics centered on the gaming industry for years. They are well known in the community and make enough money now to basically play games all day. That way, they usually have something to say about every system and every game.
In a recent newsletter, the Electronic Frontier Foundation writes:
Despite complaints from privacy advocates and parents, schools in states across the country are considering using fingerprint scans to track students. Kids at Sandlapper Elementary in Columbia, South Carolina, have their fingerprints scanned to pay for their breakfast and check out library books, while officials at the Hope Elementary School District in Santa Barbara, California, have just announced similar plans to use finger scans to charge students for their lunches.
Let's be clear about this: People need anonymity. It is up to the individual to decide whether to disclose that they were at a particular place, associate with particular people, or are involved in particular events. That's what it means to be innocent until proven guilty.
This is really simple, folks: Criminals lose all their rights; law-abiding citizens retain them all. For the necessity of investigation, people who can be reasonably suspected of being involved in wrongdoing can be looked at more closely (with a warrant), but other than that, no government body should be tracking, monitoring, or data mining information about anyone.
We have to be especially careful in the schools lest our children grow up never knowing that they aren't free.