Archive for November, 2007

How to Deal With Stolen Code?

Thursday, November 29th, 2007

greenrom writes:

“I work for a small company as a software developer. While investigating a bug in one of our products, I found source code on a website that was nearly identical to code used in our product. Even the comments were the same. It’s obvious that a developer at our company found some useful code on the web and copied it. The original author didn’t attach any particular license to the code. It’s just 200 lines of code the author posted in a forum. Is it legitimate to use source code that’s publicly available but doesn’t fall under any particular license? If not, what’s the best way to deal with this kind of situation? Since I’m now the only person working on this code, there’s no practical way to report the situation confidentially. I’m new to the company, and the developer who copied the code is the project lead. Reporting him to management doesn’t seem like a good career move. I could rewrite the copied code without reporting him, but since the product is very close to release it would be difficult to make a significant change without providing some justification.”

Google Gives Up IP of Anonymous Blogger

Tuesday, November 27th, 2007

An anonymous reader alerts us to a story out of Israel in which Google (its Israeli subsidiary) gave up the IP address of a Blogger user without being compelled to do so by a court. A preliminary ruling was issued in which a court indicated that the slander the blogger was accused of probably rose to the level of a criminal violation. Google Israel then made a deal with the plaintiffs, local city councilmen whom the blogger had been attacking for a year. Google disclosed the IP address only to the court, which posted a message (Google says the anonymous blogger got it) inviting him/her to contest the ruling anonymously. When no response was received within 3 days, Google turned over the IP address to the plaintiffs’ lawyers.

MPAA College Toolkit Raises Privacy, Security Concerns

Saturday, November 24th, 2007

“The Motion Picture Association of America last month sent letters to the presidents of 25 major universities (pdf), urging them to download and install a ‘university toolkit’ to help identify students who were downloading/sharing movie files. The Washington Post’s Security Fix blog reports that any university that installs the software could be placing a virtual wiretap on their networks for the MPAA (and the rest of the world) to listen in on all of the school’s traffic. From the story: ‘The MPAA also claims that using the tool on a university network presents “no privacy issues — the content of traffic is never examined or displayed.” That statement, however, is misleading. Here’s why: The toolkit sets up an Apache Web server on the user’s machine. It also automatically configures all of the data and graphs gathered about activity on the local network to be displayed on a Web page, complete with ntop-generated graphics showing not only bandwidth usage generated by each user on the network, but also the Internet address of every Web site each user has visited. Unless a school using the tool has firewalls on the borders of its network designed to block unsolicited Internet traffic — and a great many universities do not — that Web server is going to be visible and accessible by anyone with a Web browser.’”

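The exposure the story describes is easy to check for on the host running the toolkit: a monitoring dashboard bound to every interface is reachable from anywhere the border firewall lets in. The following is an added example, not code from the MPAA toolkit or from the Security Fix post: it parses the Linux /proc/net/tcp table and flags listening sockets that are not bound to a loopback address. The table below is constructed for the example (an ntop-style dashboard on port 3000, a web server on port 80, an SSH daemon on loopback, and one established connection); on a real host read /proc/net/tcp instead.

```python
import ipaddress
import socket
import struct

# Constructed sample in the layout of Linux /proc/net/tcp; not captured from a
# real host. Rows: a dashboard on 0.0.0.0:3000, a web server on 0.0.0.0:80,
# an SSH daemon bound to loopback only, and one ESTABLISHED connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:0050 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def decode_addr(hex_addr: str):
    """Turn '0100007F:0016' into ('127.0.0.1', 22). The kernel prints the IPv4
    address as a host-order 32-bit integer, so it reads little-endian on x86."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp: str):
    """Parse /proc/net/tcp text and return (ip, port) for every LISTEN socket."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        if fields[3] == TCP_LISTEN:
            found.append(decode_addr(fields[1]))
    return found


def exposed_listeners(proc_net_tcp: str):
    """Listeners reachable from off the host: anything not bound to a loopback
    address. A 0.0.0.0 bind means every interface, so without a border
    firewall the service answers to the whole Internet."""
    return [(ip, port) for ip, port in listening_sockets(proc_net_tcp)
            if not ipaddress.ip_address(ip).is_loopback]


if __name__ == "__main__":
    # On a Linux host: exposed_listeners(open("/proc/net/tcp").read())
    for ip, port in exposed_listeners(SAMPLE_PROC_NET_TCP):
        print(f"exposed listener: {ip}:{port}")
```

The check only tells you what the host itself is offering; whether the campus border actually blocks unsolicited inbound traffic to those ports has to be confirmed from outside the network.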

Feds Have Access To Cellphone Tracking On Request

Saturday, November 24th, 2007

Mike writes

“According to a Washington Post article, federal officials are routinely asking and getting courts to order cellphone companies to furnish real-time tracking data on subscribers. The data is used to pinpoint the whereabouts of ‘criminal suspects’, according to judges and industry lawyers. In some cases, judges have granted the requests without even requiring the government to demonstrate probable cause that a crime is taking place or that the inquiry will yield evidence of a crime. ‘Privacy advocates fear such a practice may expose average Americans to a new level of government scrutiny of their daily lives. Such requests run counter to the Justice Department’s internal recommendation that federal prosecutors seek warrants based on probable cause to obtain precise location data in private areas. The requests and orders are sealed at the government’s request, so it is difficult to know how often the orders are issued or denied.’”

Illegal Downloaders to be Blocked By French Government?

Friday, November 23rd, 2007

rdavison writes

“According to a recent article on the Financial Times site, ‘internet users in France who download music and films without paying for them could find their web access shut down by a government body.’ The proposal originated with FNAC, an entertainment retailer. According to the article, the proposal has a good chance of being accepted. ‘In exchange for the clampdown on illegal downloading, the music industry has agreed to make individual downloads of archive French material available on all types of players by dropping digital rights management protection. The French film industry has agreed to release DVDs more quickly after a film’s first cinema screening, reducing the delay from 7½ months to 6 months. However, consumer groups and even some of Mr Sarkozy’s own members of parliament on Thursday attacked the proposal for a new internet policeman as a threat to civil liberties.’”

Protecting IM From Big Brother

Friday, November 23rd, 2007

holden writes

“Ian Goldberg, leading security researcher, professor at the University of Waterloo, and co-creator of the Off-the-Record Messaging (OTR) protocol recently gave a talk on protecting your IM conversations. He discusses OTR and its importance in today’s world of warrantless wiretapping. OTR users benefit from being able to have truly private conversations over IM by using encryption to obtain authentication, deniability, and perfect forward secrecy, while working within their existing IM infrastructure. With the recent NSA wiretapping activities and increasing Big Brother presence, security and OTR are increasingly important. An avi of the talk is available by http as well as by bittorrent and a bunch of other formats.”

Government security failure

Wednesday, November 21st, 2007

Ross Anderson writes

In breaking news, the Chancellor of the Exchequer will announce at 1530 that HM Revenue and Customs has lost the data of 15 million child benefit recipients, and that the head of HMRC has resigned.

FIPR has been saying since last November’s publication of our report on Children’s Databases for the Information Commissioner that the proposed centralisation of public-sector data on the nation’s children was not only unsafe but illegal.

But that isn’t all. The Health Select Committee recently made a number of recommendations to improve safety and privacy of electronic medical records, and to give patients more rights to opt out. Ministers dismissed these recommendations, and a poll today shows doctors are so worried about confidentiality that many will opt out of using the new shared care record system.

The report of the Lords Science and Technology Committee into Personal Internet Security also pointed out a lot of government failings in preventing electronic crime - which ministers contemptuously dismissed. It’s surely clear by now that the whole public-sector computer-security establishment is no longer fit for purpose. The next government should replace CESG with a civilian agency staffed by competent people. Ministers need much better advice than they’re currently getting.

Google as a password cracker

Monday, November 19th, 2007

Steven J. Murdoch writes

One of the steps used by the attacker who compromised Light Blue Touchpaper a few weeks ago was to create an account (which he promoted to administrator; more on that in a future post). I quickly disabled the account, but while doing forensics, I thought it would be interesting to find out the account password. WordPress stores raw MD5 hashes in the user database (despite my recommendation to use salting). As with any respectable hash function, it is believed to be computationally infeasible to discover the input of MD5 from an output. Instead, someone would have to try out all possible inputs until the correct output is discovered.

So, I wrote a trivial Python script which hashed all dictionary words, but that didn’t find the target (I also tried adding numbers to the end). Then, I switched to a Russian dictionary (because the comments in the shell code installed were in Russian) but that didn’t work either. I could have found or written a better password cracker, which varies the case of letters, and does common substitutions (e.g. o → 0, a → 4) but that would have taken more time than I wanted to spend. I could also improve efficiency with a rainbow table, but this needs a large database which I didn’t have.
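The post does not reproduce its script, so the following is an added example rather than Steven Murdoch’s code. It is the small dictionary cracker the post describes, extended with the mangling the post says it skipped (case variants, o → 0 and a → 4 style substitutions, digit suffixes), plus a precomputed hash-to-word table that stands in for a rainbow table or any other index of unsalted hashes. The word list, the substitution map and the hashes it is run against are constructed for the example. It also shows why the salting recommendation matters: the same password under a per-user salt (the salt-prefix construction here is an assumption for the example) no longer matches the precomputed table, so the attacker has to rehash per salt.

```python
import hashlib

# Constructed word list for the example; not the dictionary the post used.
WORDLIST = ["password", "letmein", "dragon", "monkey", "qwerty", "football"]

# Common substitutions of the kind the post mentions (o -> 0, a -> 4) plus a few more.
LEET = {"o": "0", "a": "4", "e": "3", "i": "1", "s": "5"}


def md5_hex(text: str) -> str:
    """Raw, unsalted MD5 as hex, which is what the post says WordPress stored."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def candidates(word: str):
    """Yield mangled variants of one dictionary word: case variants, leetspeak
    substitutions, and each of those with a 0..99 digit suffix."""
    variants = {word, word.lower(), word.capitalize(), word.upper()}
    for v in list(variants):
        variants.add("".join(LEET.get(c, c) for c in v))
    for v in sorted(variants):  # sorted so the search order is deterministic
        yield v
        for n in range(100):
            yield f"{v}{n}"


def crack_unsalted(target_hex: str, wordlist=WORDLIST):
    """Online dictionary attack on one raw MD5 hash: hash every candidate until
    one matches. The full cost is paid again for every hash attacked."""
    target = target_hex.lower()
    for word in wordlist:
        for cand in candidates(word):
            if md5_hex(cand) == target:
                return cand
    return None


def build_lookup(wordlist=WORDLIST):
    """Precompute hash -> plaintext for every candidate once. This is the shape
    of a rainbow table (or a search index that happens to contain hashes):
    a one-time cost, after which each unsalted hash is a single lookup."""
    return {md5_hex(c): c for w in wordlist for c in candidates(w)}


def lookup(table, target_hex: str):
    """Instant reversal of an unsalted hash if the plaintext was in the table."""
    return table.get(target_hex.lower())


def salted_md5_hex(salt: str, password: str) -> str:
    """Per-user salt prepended before hashing (assumed construction for the
    example). The salt is stored next to the hash; it need not be secret."""
    return md5_hex(salt + password)


def crack_salted(target_hex: str, salt: str, wordlist=WORDLIST):
    """With the salt known, the dictionary attack still works, but the
    precomputed table built for unsalted hashes is useless against it."""
    target = target_hex.lower()
    for word in wordlist:
        for cand in candidates(word):
            if salted_md5_hex(salt, cand) == target:
                return cand
    return None
```

The split between crack_unsalted and build_lookup is the point of the post’s aside about salting: a table (or search index) of unsalted MD5 digests pays its cost once for every site that stores raw hashes, while a salt forces the per-hash work of crack_salted on each attacked account, even though MD5 itself is unchanged.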

US Bot Herder Admits Infecting 250K Machines

Sunday, November 18th, 2007

AceCaseOR writes:

In Los Angeles criminal court, security consultant John Schiefer, 26, has admitted infecting the systems of his clients with viruses to form a botnet containing a maximum of 250,000 systems. Schiefer used his zombies to steal users’ PayPal usernames and passwords to make unauthorized purchases, as well as to install adware on their computers without their consent. Schiefer agreed to plead guilty to four felony charges of accessing protected computers to commit fraud, disclosing illegally intercepted electronic communications, wire fraud, and bank fraud. He will be sentenced Dec. 3 and faces up to 60 years in prison and a fine of $1.75 million.

You can’t hide on the Internet

Sunday, November 18th, 2007

Hugh Pickens writes:

Robert Niles at the Online Journalism Review discusses the issues surrounding the recent tragedy involving a MySpace user. A newspaper reporting on the story didn’t name the woman, citing concerns for her teen daughter. Bloggers went nuts, and soon uncovered the woman’s personal information. Niles writes: ‘The lessons for journalists? First, we can’t restrict access to information anymore. The crowd will work together to find whatever we withhold … Second, I wonder if the decision to withhold the other mother’s name didn’t help inflame the audience, by frustrating it and provoking it to do the work of discovering her identity.’