QODS ec

Saturday, July 17, 2004

PROG: Cetus Links: 16604 Links on Objects and Components / Python

Cetus Links: 16604 Links on Objects and Components / Python

PROG: Python Cookbook

ActiveState O'Reilly Python cookbook code samples ratings review

OT: Opinion: The Annoying World Of Computing

Opinion: The Annoying World Of Computing - OSNews.com

OT: NewsForge suddenly looks different

NewsForge | NewsForge suddenly looks different

LINUX: Toward true open source

NewsForge | Toward true open source

PROG: Miguel de Icaza: Mono and GNOME. The long reply.

Linux Today - Miguel de Icaza: Mono and GNOME. The long reply.

* From: Miguel de Icaza
* To: gnome-hackers gnome org, gnome-devel-list gnome org
* Subject: Mono and GNOME. The long reply.
* Date: 06 Feb 2002 01:06:50 -0500

Hello everyone,

I am sorry that I have not been able to respond earlier. I would
like to apologize to anyone who might have been confused about my
strategy with Mono and what I am trying to do. Also, I want to thank
everyone on the mailing list who has contributed to the discussion; I
used a lot of your ideas in this email.

Before starting though, I would like to ask my readers to forget
everything they have heard about .NET, because it is a marketing term
used to describe many different Microsoft projects, and there is a lot
of information both correct and incorrect about it floating around.

My goals with Mono are very specific, and I will address those
shortly, but for the sake of getting things done, please forget
everything you have heard about .NET.

* First, the Facts

GNOME is not adopting Mono or .NET as an implementation
technology. The headline from the Register is misleading,
for a number of reasons:

* The headline does not reflect any statements I
made on the interview (if you read the interview
you will notice this).

* The only future plans that have been approved by the
GNOME team (which has 11 voting members on its
board) are found here:

http://developer.gnome.org/dotplan/

* I am not the GNOME foundation, nor do I control GNOME like
Linus controls his kernel; I am just its founder and
a contributor.

* GNOME is not built by an individual, it's built by
a team of roughly 500 contributors in many areas.

* Decisions in the GNOME world are done by active
contributors and module maintainers. I have given
my maintainership status on every module I
maintained to other members of the GNOME team as
I got more involved with Ximian and later on with
Mono.

So effectively I have no "maintainer" control.

At this point in time, the GNOME team is working on shipping
version 2.0 of the desktop and the development platform, a major
upgrade to the desktop offering, and everyone is quite excited
with this.

* What is Mono?

Mono is an implementation of three pieces of technology:

* A compiler for a new programming language, similar
to Java, called C#.

* A virtual machine for the Common Intermediate
Language (CIL) byte codes.

* A set of libraries that encapsulate useful routines
and classes: from hash tables, to XML manipulation,
to database management, to GUI applications, to web
construction tools.

These are usually referred to in the Microsoft world as the `.NET
Framework' as opposed to .NET. When I say `.NET Framework' here,
I am talking about these technologies.

Seasoned industry programmers will notice that the above is
very much like Java and the Java VM. They are right, the above
is just like Java.

The CIL has one feature not found in Java though: it is a
byte code representation that is powerful enough to be used as a
target for many languages: from C++, C, Fortran and Eiffel to Lisp
and Haskell including things like Java, C#, JavaScript and Visual
Basic in the mix.

I wish I had the time to go in more detail, but for the sake
of this argument, the above will suffice.

Although Ximian can only finance the work of a C# compiler
(that is all the resource I have at my disposal), I want to
encourage other people to work on free implementations of other
compilers.

I want to encourage other developers to look at targeting
existing compilers and interpreters to the CLI: JavaScript, Basic,
Perl, Python, C++, and maybe even get gcc core to generate CIL
bytecodes.

* The CIL and the promise of language independence:

Bertrand Meyer (the father of Eiffel) wrote an interesting
article that encapsulates my excitement about the possibilities of
the CIL:

http://eiffel.com/doc/manuals/technology/bmarticles/sd/dotnet.html

This technology allows programming languages to be considered
on the basis of how they will perform for a given task, and not
based on the runtime libraries that you will depend on. Any software
engineer should read this article:

http://www.fawcette.com/dotnetmag/2001_12/online/online_eprods/bmeyer/default.asp

So no longer should a software engineer pick Fortran, because
that is the only language where his math libraries are available:
he can now pick the right language for the problem at hand.

* Mono and GNOME.

GNOME had always tried to have a good support for multiple
programming languages, because we realize that no matter how much
we loved C as a programming language, there was a large crowd of
people out there that would like to use the GNOME libraries from
their favorite programming language, which might not necessarily be
C.

This strategy has paid off very well. There are healthy and
striving Python, Perl, Guile and Ada communities out there that
use the Gtk+ and Gnome bindings to build applications. From rapid
prototyping to robust applications: we wanted to empower
developers.

Keeping language bindings up to date and shipping them on time
has always been a consuming process, because no matter how
automated this process has turned out to be, there is still a
considerable amount of manual work that needs to be done.

I do go into more details about this at the following places:

http://www.go-mono.com/rationale.html

http://scriptingnews.userland.com/stories/storyReader$1275

* An upgrade to the development platform: Part I.

Microsoft has terrible APIs to code against. Anyone who has
used Win32 and any combination of the various layered cakes that
have been built on top of it has stuck to that platform only
because of the size of the market, but it is one of the most
horrible APIs ever built.

To make things worse, an evolution of APIs, components, memory
management contracts and patched up versions of COM have made the
platform horrible.

Microsoft has injected fresh air into their platform by
building and designing a new programming platform that addresses
all these pains. They have incorporated many ideas from Java, and
they have extended it to address new needs that developers had.
They took where Java left off.

Now, the Unix platform, GNOME included, has some of these
problems: our APIs have been evolving. Libraries have been built
by disconnected groups (PNG, JPEG, Gtk+, Xml, Bonobo, CORBA spec
apis, etc) and the end result is that a developer eventually has
to learn more than he wanted to in the course of developing a
large application.

Ximian funded for a long time the work on the Perl bindings,
and we had a lot of work going into Bonobo (more than we do today)
because we believed that this would help us achieve language
independence and empower scripting language developers (that is
why we were so psyched about CORBA/Bonobo support all this time).

When C#, the CLR and the class libraries were launched, we
looked at that, and we saw how they were solving the problem in a
very nice way. At least it appealed to me and others from a
purely technological standpoint. This new platform showed a lot
of promise.

After much researching and debating, we decided that a couple
of developers at Ximian will join me in working on a free
implementation of these specifications. These people came
precisely from the cross-language interoperability area: Dick
Porter had been working before on ORBit and our SOAP
implementation; Dietmar Maurer came from the Bonobo development
world and Paolo Molaro was working on Gtk+/Gnome/Bonobo bindings
for Perl. This is the original Mono developer lineup.

* Evolution, Gnumeric and GNOME.

I have written and maintained many lines of code as part of
my GNOME work. Ximian has developed Evolution which consists of
roughly 750,000 lines of code.

Large software projects expose a set of problems that can be
ignored for smaller projects. Programs that have long life times
have different dynamics when it comes to memory management than
smaller programs.

There is a point in your life when you realize that you have
written enough destructors, and have spent enough time tracking
down a memory leak, and you have spent enough time tracking down
memory corruption, and you have spent enough time using low-level
insecure functions, and you have implemented way too many linked
lists [1].

[1] indeed, GNOME uses Glib which is a massive step up from
the Unixy libc APIs.

The .NET Framework is really about productivity: even if
Microsoft pushes these technologies for creating Web Services, the
major benefit of these is increased programmer productivity.

Evolution took us two years to develop and at its peak had 17
engineers working on the project. I want to be able to deliver
four times as many free software applications with the same
resources, and I believe that this is achievable with these new
technologies.

My experience so far has been positive, and I have first-hand
experience of the productivity benefits that these
technologies bring to the table. For instance, our C# compiler is
written in C#. A beautiful piece of code.

It can be argued that I could be wrong, and that these
technologies are too new. But my personal experience and the
experience of some of my friends with this platform has been
amazing. I want to share with others this simplicity. And I
want to empower developers: I want to enable a whole class of
developers to create great desktop applications that integrate
with GNOME.

* Why is Mono related to GNOME?

It is no secret that I have been working on Mono as a new
platform for software development, and it is also not a secret
that I want to help the GNOME project with Mono. This has been
the plan since the project was announced in July.

Mono will use Gtk+, Gnome-Db, Libart, Gnome-Print and other
GNOME technologies as part of its implementation of its class
libraries, because that is what my team and I are familiar
with.

So when you copy your binary from Windows that was compiled
with the Visual Studio.NET and run it on your Unix platform,
it will just integrate nicely with your GNOME desktop.

We are also exploring a port to MacOS X, and for that
particular case, we will integrate with Aqua, not with Gtk+, but
you get the idea.

* GNU was based on a proprietary technology.

GNU is a free re-implementation of Unix. Linux is a
re-implementation of the Unix kernel. Before the advent of Linux
and the Berkeley Unix, Unix was a proprietary technology, built by
ATT (which back in the day, was a monopoly).

Still, developers took what was good from Unix, and
reimplemented a free version of it. Down to the Unix programming
language: C (which was also invented at ATT). Even C++ was
invented at ATT.

Think of Mono as following the same process: we are bringing
the best technology out there to our beloved free software
platform. And at the same time it serves to be a magnificent
upgrade on the development platform.

* I can not force anyone.

Whether people in GNOME or elsewhere will use Mono is
independent of my opinion. Mono will have to stand on its own
feet, and will have to convince developers on its own merits
before it succeeds.

When I made my comments to the Register reporter, I was
envisioning that in a couple of years Mono would be a really solid
technology: a good JIT engine, good class libraries and would be a
useful platform for innovation: it would allow people to focus
more on the problems at hand and worry less about the low-level
details of the platform.

* Rewriting GNOME.

Havoc brought up an important point recently, an article from
Joel Spolsky:

http://www.joelonsoftware.com/articles/fog0000000348.html

The short story is: rewriting code does not pay off, and I
agree with the thesis of the article. Rewriting GNOME in C# with
the CLR would be a very bad idea, if not the worst possible idea
ever.

But what makes the .NET Framework technologies interesting is
that they are evolutionary technologies:

* The runtime can be linked into an application.

Example:

bash$ cat hello.c
#include /* header name lost in the archived copy of this mail */

int
main (int argc, char *argv [])
{
        /* bring up the embedded Mono runtime inside this C program */
        mono_init (argc, argv);
        /* load the assembly that holds the managed code */
        mono_assembly_load ("classes.dll");
        /* run the managed entry point */
        mono_ves_execute ("Class.Main");
        return 0;
}

So existing applications can be "extended" with Mono, take
a piece of code like Gnumeric, and write a new chunk of it
using Mono for example.

* There is no language switch required.

You can keep using your fav language, and gradually start
writing new pieces of code in another language that runs
with all the benefits of "managed" execution.

I go into some more detail here:

http://mail.gnome.org/archives/gnome-devel-list/2002-February/msg00021.html

* GNOME 4

As you might realize by now, GNOME 4 is not planned, it is not
possible to know what is in there. So my comments on GNOME 4 only
reflect the fact that I personally believe that people will see
that Mono is an interesting platform to write new applications.

So in the future the applications that will be shipped, very
likely might contain Mono technologies. Whether this is limited
to new applications only, or this is something used in more
fundamental pieces of the system is an entirely different matter.

But for now, GNOME 4 is a non-existent project.

* Fighting the System.

The .NET Framework will exist in the Windows world, and
because of this they will be widely deployed. It is a pointless
battle to pretend that boycotting the use of those technologies
will have any kind of effect on their reach.

The .NET Framework stands on its own feet, and developers
in the Windows world love it. Even if this was not the case,
Microsoft is using these technologies and distributing to as many
people as possible. We are witnessing the creation and deployment
of a new standard. Sure, it has a lot of corporate support, but
it will become a widely deployed technology.

* Other uses of Mono

Despite my love for Mono as a tool for writing GNOME
applications and giving developers new tools to write code in less
time, there is an extra advantage in having a free implementation
of the .NET Framework for Unix:

* Windows developers know how to write code for it.

* Let's make it easy to bring developers from the Windows world
into our platform.

* Training materials, tutorials, documentation, tips and
tricks are already available in large quantities, let's
leverage this.

* Mono Financing.

Right now Mono is financed by Ximian because we believe that
this will reduce our cost of development for future applications.
And that's why we are really focused on Mono for the desktop
(amusingly the ASP.NET support in Mono has evolved more rapidly,
because Gaurav and Leen have been very excited about this, and
just have been producing code like crazy).

So even in the Mono world, I do not get to make all the
decisions: people work on what they are interested in developing.

The Mono community is great! Lots of passionate programmers
work with us, and I feel very happy that I have had a chance to
work with all of them.

At this point in time Ximian has only a small team of full
time developers working on Mono (five) and a lot of the work is
being done by contributors in their spare time, or hackers that
want to see the .NET Framework run on other platforms, or
people who share our enthusiasm for the platform, or people who
just like to hack on a particular area and just love to code.

But I would like to hire more full time developers: the open
source development model is great for getting the fun/short things
done, but it is terrible to get the long-haul, boring, repetitive
or dull things done.

I want to be able to bring more people to work full time on
Mono. I would like to offer the services of Ximian as a project
manager to keep driving this project forward, and get cash
infusions to hire developers to work on this project.

The only restriction is that all of our work has to be free
software. But other than that, I am ready to take money from
anyone or listen to any kind of proposals for making this happen.

Some people wonder if we have got a Microsoft investment or
contract (because I like this Microsoft technology). The answer
is no. But I would take one if they wanted to fund my free
software project ;-) Man, I wonder what that would be like!

Implementing the .NET Framework is a massive effort, and I
want to enroll as many contributors as possible.


* API compatibility.

I believe that the `Embrace and Extend' philosophy is bad for
users and developers, whether it's a large corporation doing it,
or ourselves. I want to be as compatible as possible with the
APIs that were published by Microsoft.

This achieves various things:

* Allows developers to move back and forth.

* Reduces training.

* Helps us leverage existing knowledge.

Of course, this should not stop anyone from implementing new
APIs. And I even encourage people to write new classes, APIs and
components that will be reusable both on Unix and on Windows.

* What if we never can keep up?

There is the issue that we might not be able to keep up (right
now, we don't, as .NET Framework 1.0 is already out there, and we
are, well, still underway). Also, theoretically there is the risk
of a given API being unimplementable on Unix.

Even if that is the case, we still win, because we would get
this nice programming environment that, although it might not end up
being 100% .NET Framework compatible, would still be an
improvement and would still help us move forward. So we can reuse
all the research and development done by Microsoft on these ideas,
and use as much as we can.

So far it seems like everything in .NET can be emulated in
our environment.

* Richard Stallman

I am not sure what people told Richard Stallman about my
plans. Given the confusion surrounding .NET, it is very possible
that people were asking `Miguel wants to depend on Passport' or
something just as bad as that.

My only intention is to write applications using the CLI as a
development platform, which is really not very exciting for a
newspaper to report: "Programmer to use new compiler, new garbage
collector, news at 11".

Really, programmer's lives are boring, I wish my life would be
as exciting as other people's life appear to be.

* Further debate.

I have just scratched the surface in this email, I do like a
lot the technology behind the .NET Framework as you might have
noticed from the interviews, no secret there. I can go on for
hours, but I have to set a limit to this email.

I hope this explanation will get us through, feel free to
e-mail me if you believe I have missed something or if you are
interested in contributing to make this vision happen.

PS:

I would like to thank Nat Friedman for providing moral,
technical support all these years and his unconditional
friendship. It has been a fun adventure.

Without Nat I would probably have gone crazy by now.

PS2:

I kind of got sentimental after reading all the nice e-mail on
the GNOME lists. After all, writing software alone is not that
interesting, the most interesting part is interacting with other
developers, and watching how community projects grow.

I would like to thank all the people I have worked with over the
years: every GNOME developer past and present, every Mono
developer past and present and all my friends at Ximian who have
created a great place to work.

This community is great, and I have loved working with an
increasing number of people as free software becomes more
popular. I know sometimes I have been unreasonable, but I am
trying to learn from my mistakes. Am just too good at being
mistaken.

Miguel.

PROG: The downlow on Mono

NewsForge | The downlow on Mono

OT: Mozilla and the future of the Web

NewsForge | Mozilla and the future of the Web

PROG: What is the true value of source code?

IT Manager's Journal | What is the true value of source code?

OT: I, Robot Boycott

I, Robot Boycott

PROG: Interfaces in C#

CodeGuru: Interfaces in C#

MAC: O'Reilly releases 'Mac OS X Panther Hacks'

O'Reilly releases 'Mac OS X Panther Hacks' | MacNN News

SEC: Marware introduces WiFi Spy

MacMinute | Marware introduces WiFi Spy

Friday, July 16, 2004

SEC: CRYPTO-GRAM, July 15, 2004

Gmail - CRYPTO-GRAM, July 15, 2004

CRYPTO-GRAM

July 15, 2004

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com



A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

Back issues are available at
. To subscribe, visit
or send a blank message to
crypto-gram-subscribe@chaparraltree.com.

Crypto-Gram also has an RSS feed at
.

** *** ***** ******* *********** *************

In this issue:
Due Process and Security
Security Notes from All Over: X-Ray Machines and
Building Security
Cryptographers and U.S. Immigration
Crypto-Gram Reprints
Security and Portable Storage Devices
News
Counterpane News
Security Notes from All Over: Coca-Cola and the NSA
The Doghouse: ICS
The CLEAR Act Does Not Help Fight Terror
Comments from Readers

** *** ***** ******* *********** *************

Due Process and Security

The U.S. Supreme Court recently decided the three legal challenges to
the Bush administration's legal maneuverings against terrorism. These
cases have been endlessly debated on legal and civil liberties
grounds. They were decided, mostly but not entirely, in favor of
presumption-of-innocence and due process.

But I want to talk about how important the decisions are to our
nation's security. Security is multifaceted; there are many threats
from many different directions. It includes the security of people
against terrorism, and also the security of people against tyrannical
government.

The three challenges are all similar, with slight variations. In one
case, the families of 12 Kuwaiti and two Australian men imprisoned in
Guantanamo Bay argue that their detention is an illegal one under U.S.
law. In the other two cases, lawyers argue whether U.S. citizens --
one captured in the U.S. and the other in Afghanistan -- can be
detained indefinitely without charge, trial, or access to an
attorney. In all these cases, the administration argues that these
detentions are lawful, based on the current "war on terrorism." The
complainants argue that these people have rights under the U.S.
Constitution, rights that cannot be stripped away.

There are some very broad security issues at work here. The
Constitution (which includes the Bill of Rights) was designed to ensure
the security of people: American citizens and visitors. Its
limitations on governmental power are a security measure. Its
enshrinement of human rights is a security measure. These measures
were developed in response to colonial tyranny by Britain, and have
been extended in response to abuses of power within our own
country. Laws mandating speedy trial by jury, laws prohibiting
detention without charge, laws regulating police behavior -- these are
all laws that make us more secure. Without them, government and police
power remains unchecked.

The case of Jose Padilla is a good illustration. Arrested in Chicago
in May 2002, he has never been charged with a crime. John Ashcroft
held a press conference accusing him of trying to build a "dirty bomb,"
but no court has ever seen any evidence to support this accusation. If
he's guilty, he deserves punishment; there's no doubt about that. But
the way to determine guilt or innocence is by a trial on a specific
indictment (charge or accusation of a crime). Without an indictment,
there can be no trial, and the prisoner is held in limbo.

Surely none of us wants to live under a government with the right to
arrest anyone at any time for any reason, and to hold that person
indefinitely without trial.

The Bush administration has countered that it cannot try these people
in public because that would compromise its methods and
intelligence. Our government has made this claim before, and
invariably it turned out to be a red herring. In 1985, retired Naval
officer John Walker was caught spying for the Soviet Union; the
evidence given by the National Security Agency was enough to convict
him without giving away military secrets. More recently, John Walker
Lindh -- the "American Taliban" captured in Afghanistan -- was
processed by the justice system, and received a 20-year prison
sentence. Even during World War II, German spies captured in the U.S.
were given attorneys and tried in public court.

We need to carry on these principles of fair and open justice, both
because it is the right thing to do and because it makes us all more
secure. The United States is admired throughout the world because of
our freedoms and our liberties. The very rights inherent in these
Supreme Court cases are the rights that keep us all safe and
secure. The more our fight against terrorism is conducted within the
confines of law, the more it gives consideration to the principles of
fair and open trial, due process, and "innocent until proven guilty,"
the safer we all are.

Unchecked police and military power is a security threat -- just as
important a threat as unchecked terrorism. There is no reason to
sacrifice the former to obtain the latter, and there are very good
reasons not to.

A version of this essay was published in the Minneapolis Star Tribune.


** *** ***** ******* *********** *************

Security Notes from All Over:
X-Ray Machines and Building Security

The other week I visited the corporate headquarters of a large
financial institution on Wall Street; let's call them FinCorp. FinCorp
had pretty elaborate building security. Everyone -- employees and
visitors -- had to have their bags X-rayed.

Seemed silly to me, but I played along. There was a single guard
watching the X-ray machine's monitor, and a line of people putting
their bags onto the machine. The people themselves weren't searched at
all. Even worse, no guard was watching the people. So when I walked
with everyone else in line and just didn't put my bag onto the machine,
no one noticed.

It was all good fun, and I very much enjoyed describing this to
FinCorp's VP of Corporate Security. He explained to me that he got a
$5 million rate reduction from his insurance company by installing that
X-ray machine and having some dogs sniff around the building a couple
of times a week.

I thought the building's security was a waste of money. It was
actually a source of corporate profit.

The point of this story is one that I've made in "Beyond Fear" and many
other places: security decisions are often made for non-security
reasons. When you encounter a security risk that people worry about
inordinately, a security countermeasure that doesn't counter the
threat, or any security decision that makes no sense, you need to
understand more of the context behind the decision. What is the agenda
of the person who made the decision? What are the non-security
considerations around the decision? Security decisions make sense, as
long as you understand them properly.

Much more about this can be found in "Beyond Fear":


** *** ***** ******* *********** *************

Cryptographers and U.S. Immigration

Seems like cryptographers are being questioned when they enter the U.S.
these days. Recently I received this (anonymous) comment: "It seems
that the U.S. State Department has a keen interest in foreign
cryptographers: Yesterday I tried to renew my visa to the States, and
after standing in line and getting fingerprinted, my interviewer, upon
hearing that my company sells [a cryptography product], informed me
that "due to new regulations," Washington needs to approve my visa
application, and that to do so, they need to know exactly which
companies I plan to visit in the States, points of contact, etc.
etc. Quite a change from my last visa application, for which I didn't
even have to show up."

I'm curious if any of my foreign readers have similar stories. There
are international cryptography conferences held in the United States
all the time. It would be a shame if they lost much of their value
because of visa regulations.

** *** ***** ******* *********** *************

Crypto-Gram Reprints

Crypto-Gram is currently in its seventh year of publication. Back
issues cover a variety of security-related topics, and can all be found
on . These are a selection
of articles that appeared in this calendar month in other years.

How to Fight:


Crying Wolf:


Embedded Control Systems and Security:


Phone Hacking: The Next Generation:


Monitoring First:


Full Disclosure and the CIA:


Security Risks of Unicode:


The Future of Crypto-Hacking:


Bungled SSL:


Declassifying Skipjack:


** *** ***** ******* *********** *************

Security and Portable Storage Devices

I recently read a research report about the security threat from
portable storage devices. Pocket USB drives, MP3 players, portable
FireWire drives, and the like are becoming larger, faster, and more
common. The research report suggests that companies go so far as to
restrict the use of these devices.

I think this is kind of silly. Yes, these devices can store a lot of
data. But so can DVDs. And CDs. And before that, floppies held a lot
of data. (Data was smaller then.) And don't forget paper.

There are two separate issues here: deliberate copying and stealing of
information, and inadvertent copying and leaking.

Regarding the former, banning iPods and USB devices doesn't do
any good...because the thief will ignore the ban. USB thumb drives
are tiny. What are you going to do, strip search everyone who goes in
and out of the building? The ban is a silly countermeasure that annoys
all your innocent employees and doesn't faze the potentially guilty ones.

Regarding the latter, it may do some good but not enough to make it
worthwhile. Exactly how is my iPod going to accidentally download
sensitive files, and then accidentally upload them somewhere
insecure? I use my USB thumb drive for file transfer because it's
easier than a CD-R. It's not magically more or less dangerous than a
CD-R.

The report also talks about the risk of these devices accidentally
introducing malicious code into the network. This is a risk, sure, but
it's also a risk to allow employees to plug laptops into the network,
bring floppy disks from home, and do half a dozen other things. The
way to secure a network from these sorts of attacks is through
ubiquitous antivirus software, not by trying to control what sorts of
devices an employee can use.

I used to work for the U.S. Department of Defense, and every evening
when I left work a guard searched the papers in my bag. Back then,
computers were still new and the real risk was papers marked
"Confidential," "Secret," or worse. Once in a while the guards would
catch someone taking classified material out of the building, but it
was never someone doing it maliciously. (If it had been, he would have
hidden the papers better.) It was someone who forgot. Outside of a
military environment, this sort of countermeasure just isn't worth
it...and probably isn't for most military installations.

It's a big deal to have confidential information leave an
organization's building, and it's been a big deal since long before
computers. In the end, you have to trust your employees. If they want
to steal information, or if they make mistakes, they'll do it
regardless of your precautions. You can change the mechanisms of those
actions, but don't confuse changing mechanisms with making things safer.


** *** ***** ******* *********** *************

News

Artfully concealed items confiscated by TSA screeners:

Interesting, but also confusing. Who were these people who tried to
conceal knives and sneak them onto airplanes? Were they hijackers,
random loonies, or people trying to evade airport security because they
didn't want to check baggage? I think the motivations of the people
make a lot of difference.

An overview of steganography, from the point of view of computer forensics:


The Minneapolis-St. Paul International Airport is testing a new
security system: travelers can bypass long security lines by subjecting
themselves to advance security checks. I'm curious to see how this
system fares, but I am skeptical about its widespread adoption. As a
high-level frequent flyer, I can already bypass long lines at most
airports by using special lanes. First-class passengers get the same
privileges. But who else would use a system like this? I can't figure
out who it is targeted towards.



Analysis of the Voynich Manuscript:

Popular back-door program has a back-door in it.


Avoiding identity theft: a primer.


Torture has been in the news since 9/11, most recently regarding the
U.S. military's practices at the Abu Ghraib prison in Iraq. Politics
isn't my area of expertise, and I don't want to debate the politics of
the scandal. I don't even want to debate the moral issues: Is it moral
to torture a bomber to find a hidden ticking bomb, is it moral to
torture an innocent to get someone to defuse a ticking bomb, is it
moral to torture N-1 people to save N lives? What interests me more
are the security implications of torture: How well does it work as a
security countermeasure, and what are the trade-offs? This is an
excellent pair of essays about how ineffective torture really
is. Given that torture doesn't actually produce useful intelligence,
why in the world are we spending so much good will on the world stage
to do it?


Great talk by Cory Doctorow on digital rights management:


It's still easy to fool fingerprint scanners:


Good article about sloppy programming and security:


CERT is advising people not to use Internet Explorer. (Me, I'm a happy
Opera user.)


Great article on the origins of an Internet hoax: the one about Bill
Gates paying to track your e-mail.


Seven habits of highly secure companies:


Forget about the issues. Who has the more secure website: Bush or Kerry?


Airport security put real explosives in a piece of luggage to test some
bomb-sniffing dogs. Problem #1: they lost track of the bag. Problem
#2: it was a real piece of luggage belonging to an unwitting passenger.

The timeline for fixing a Mozilla security flaw. It's amazing how
quickly and competently it was handled:


Hacking for profit:

FBI's Guide to Concealable Weapons:


Report on the security of Canadian DOD networks:

Here's a great security attitude. The article discusses a hole in
Friendster that allows users to obtain information about who is looking
at their online profiles. "Notified of the security holes Moore and
Chisholm exploit, Friendster rep Lisa Kopp insists, 'We have a policy
that we are not being hacked.' When I explain that, policy or no, they
are being hacked, she says, 'Security isn't a priority for us. We're
mostly focused on making the site go faster.'"


** *** ***** ******* *********** *************

Counterpane News

Counterpane has a new white paper on how monitoring helps with
compliance. As more and more companies fall under the purview of
Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, etc., compliance will become
more important to security.


And we have another paper about our Enterprise Protection Suite, our
comprehensive security service package. Centered around monitoring,
EPS is a way for companies to get their networks secure -- fast.


** *** ***** ******* *********** *************

Security Notes from All Over: Coca-Cola and the NSA

Coca-Cola has a new contest. Hidden inside 100 cans of Coke there's a
SIM card, GPS transmitter, and a microphone. The winners activate the
Coke can by pressing a button, which will call a central monitoring
facility. Then Coke tracks the winners down using the GPS transmitter
and surprises them with their prize.

NSA engineers drink Coke. Lots and lots of Coke. The possibility that
an active microphone in a Coke can could be in one of the NSA's highly
secure facilities is worth considering. A reasonable threat analysis
might look like this: "You know, the chances that one of these 100 cans
out of hundreds of millions of cans ends up in our building is
extremely small -- somewhere around 1 in 100,000 -- so it's not worth
worrying about."

But the NSA's ISSO (Information Staff Security Office) decreed
differently: "It is important that ALL cans of Coca-Cola within our
spaces be inspected. This includes cans already in our buildings and
those being delivered on a daily basis. If you discover one of these
cans, DO NOT activate it. Instead, you should alert your ISSO
immediately and report the incident."

This is hysterical. Can you imagine inspecting every can of Coke
entering the NSA, opening each of the hundreds of cases of Coke and
inspecting every can for a GPS transmitter? What does this cost? What
is the NSA not doing because they're doing this instead?

Of course the engineers at NSA are already starting to create Coke cans
with antennas, circuit boards, and keypads. They are leaving them
around snack messes as practical jokes.

And where's Pepsi in all of this? Shouldn't they be advertising
"surveillance-free cola"?

Funny stuff, but there's a serious point here. Again and again,
security decisions are clouded by agenda. The NSA's Coca-Cola
inspection policy is an example of CYA. Some executive within NSA
didn't want to be personally responsible for a GPS receiver slipping
through security, so he decided that everything should be
inspected. It's a small risk to the greater population, but it's a
larger risk to him. His agenda is different from that of society's,
but because his agenda matters more to him and it's his decision, his
is what gets followed.

We as a society need to figure out how to make security trade-off
decisions another way. Having specific individuals or corporations
make security trade-offs for us based on their agenda isn't making us
more secure, and it's costing us a whole lot of money.



** *** ***** ******* *********** *************

The Doghouse: ICS

ICS of Atlanta has developed the "Tree" cryptographic algorithm.

How is Tree different? Well, for one thing, it "uses no math." I'm
not quite sure how that's possible on a computer, but that's what
Tree's creator claims. From an e-mail exchange: "...99.99% of the
people out there use math to encode and they use math to 'break' the
code. Since we don't really use math, it would be quite hard to break."

Not only do they not use math, they don't have a key. "Tree does not
use a 'key'.... I just put in text, hit 'encode' and poof, there is
the encoded message, to decode, I put in coded messages, hit 'decode'
and poof, done. That's it. No key."

Amazing.

How do they demonstrate Tree's security? "Over 100 professionals in
mathematics & in computer science at Massachusetts Institute of
Technology & at Georgia Tech, had sample encoded messages submitted to
them. Not a single person could break this code!" Think about
it. These guys sent unsolicited e-mails containing some ciphertext to
over 100 professionals, and not one of them decrypted the
messages. Anyone have any other explanations for this behavior, other
than the possibility that these 100 professionals immediately dropped
what they were doing and spent fruitless weeks trying in vain to break
Tree?

And if all that isn't enough to make you run screaming from these guys,
their website proudly proclaims: "Tree Encoded Files Can Be 'Zipped.'"

That's right; their encryption is so lousy that the ciphertext doesn't
even look random.
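The "zippable ciphertext" point above is something anyone can measure. What follows is an added example (my code, not Crypto-Gram's and not ICS's) that computes byte entropy and the zlib compression ratio for plaintext, for a constructed keyless substitution "encoder" standing in for a Tree-like scheme, and for CSPRNG output as the reference a real cipher should match; the substitution table, thresholds and sample text are all assumptions.

```python
"""Added example: a cheap statistical sanity check that real ciphertext must
pass. Passing it proves nothing; failing it (compressible output) is fatal."""
import os
import random
import zlib
from collections import Counter
from math import log2


def shannon_entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte; 8.0 is the maximum, reached by uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """len(compressed) / len(original). Good ciphertext stays at or above ~1.0
    because zlib finds no redundancy and only adds its own framing."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


def looks_random(data: bytes, min_entropy: float = 7.8,
                 min_ratio: float = 0.98) -> bool:
    """Crude acceptance test (thresholds are assumptions chosen for a few KB
    of data): low entropy or compressible output cannot be sound ciphertext."""
    return (shannon_entropy_bits(data) >= min_entropy
            and compression_ratio(data) >= min_ratio)


# Constructed, deliberately weak stand-in for a keyless "encoder": one fixed,
# public byte permutation. Renaming symbols leaves their statistics untouched,
# which is exactly what a compressor exploits.
_perm = list(range(256))
random.Random(2004).shuffle(_perm)          # fixed seed: public table, no key
_TABLE = bytes.maketrans(bytes(range(256)), bytes(_perm))


def keyless_encode(plaintext: bytes) -> bytes:
    return plaintext.translate(_TABLE)


# Constructed sample plaintext, repeated to reach a few kilobytes.
SAMPLE_TEXT = (
    b"Over 100 professionals in mathematics and computer science had sample "
    b"encoded messages submitted to them. Not a single person could break this "
    b"code. Tree encoded files can be zipped. "
) * 40


def compare(plaintext: bytes = SAMPLE_TEXT) -> dict:
    """Statistics for the plaintext, its keyless encoding, and a same-length
    block of CSPRNG output (what real ciphertext should look like)."""
    samples = (
        ("plaintext", plaintext),
        ("keyless_encode", keyless_encode(plaintext)),
        ("random_reference", os.urandom(len(plaintext))),
    )
    return {
        name: {
            "entropy": round(shannon_entropy_bits(blob), 2),
            "ratio": round(compression_ratio(blob), 3),
            "passes": looks_random(blob),
        }
        for name, blob in samples
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:18s} entropy={stats['entropy']:.2f} bits/byte  "
              f"zip ratio={stats['ratio']:.3f}  looks_random={stats['passes']}")
```

The encoded text has exactly the plaintext's entropy and compresses just as well, while the random reference sits near 8 bits/byte and gets slightly larger when zipped.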



** *** ***** ******* *********** *************

The CLEAR Act Does Not Help Fight Terror

Danny Sigui lived in Rhode Island. After witnessing a murder, he
called 911 and became a key witness in the trial. In the process, he
unwittingly alerted officials of his immigration status. He was
arrested, jailed, and eventually deported.

In a misguided effort to combat terrorism, some members of Congress
want to use the National Crime Information Center (NCIC) database to
enforce federal civil immigration laws. The idea is that state and
local police officers, who check NCIC in routine situations, will be
able to assist the federal government in enforcing our nation's
immigration laws. There are a limited number of immigration agents at
the Department of Homeland Security, so asking the 650,000 state,
local, and tribal police officers to help would be a significant "force
multiplier."

The problem is that this idea, currently a pair of draft bills called
the CLEAR Act and the Homeland Security Enhancement Act (HSEA), isn't
going to help fight terrorism. Even worse, this will
put an unfunded financial burden on local police forces, and is likely
to make us all less safe in the long run.

Security is a trade-off. It's not enough to ask: "Will increased
verification of immigration status make it less likely that terrorists
remain in our country?" We have to ask: "Given the police resources we
have, is this the smartest way to deploy them?"

The CLEAR Act and HSEA will certainly result in more people being
arrested for immigration violations, but will probably have zero effect
on terrorism. Some of the 9/11 terrorists were in the country
legally. Others were easily able to keep their heads down. It's not
as if terrorists are waiting to be arrested, if only the police have
sufficient information about their immigration status. It's a nice
theory, but it's just not true.

And none of this comes cheaply. The cost of adding this information to
criminal databases easily runs into the tens of millions of
dollars. The cost to the local police forces of enforcing these
immigration laws is likely to be at least ten times that. And this
cost will have to be borne by the community, either through extra taxes
or by siphoning police from other duties. I can't think of a single
community where the local police are sitting around idly, looking for
something else to do. Forcing them to become immigration officers
means less manpower to investigate other crimes. And this makes us all
less safe.

Terrorists represent only a very small minority of any culture. One of
the most important things that a good police force does is maintain
good ties with the local community. If you knew that every time you
contacted the police, your records would be checked for unpaid parking
tickets, overdue library fines, and other non-criminal violations, how
would you feel about policemen? It's far more important that people feel
confident, and safe, when calling the police.

When a Muslim immigrant notices something fishy going on next door, we
want him to call the police. We don't want him to fear that the police
might deport him or his family. We don't want him hiding if the police
come to ask questions. We want him, and the community, on our side.

By turning police officers into immigration agents, the CLEAR Act and
HSEA will discourage the next Danny Sigui from coming forward to report
crimes or suspicious activities. This will harm national security far
more than any security benefits received from catching non-criminal
immigration violations. Add to that the costs of having policemen
chasing immigration violators rather than responding to real crimes,
and you've got a really bad security trade-off.

This essay was originally published on CNet:

** *** ***** ******* *********** *************

Comments from Readers

From: Anonymous
Subject: Witty

You said: "Witty was speedily written. Security company eEye
discovered the vulnerability in ISS's BlackICE/RealSecure products on
March 8, and ISS released a patched version on March 9. eEye published
a high-level description of the vulnerability on March 18. On the
evening of March 19, about 36 hours after eEye's public disclosure, the
Witty worm was released into the wild."

We updated our BlackIce on March 17th (Wed) and subsequently checked
from inside the updated version that no further updates were available
(also on Wed). On 20th (Sat) Witty arrived and the computer in question
was destroyed.

The most noticeable thing about this to me is the spin ISS put out to
suggest it wasn't a big problem. Patch available a week in advance --
no way (and yes, I do have a valid support contract). I'd have
preferred it if they put more effort into telling people about the fix
than revising history later; unfortunately, the latter is probably more
cost-effective for new and unaffected customers, and the others are
perhaps "lost" anyway.

It took me half a day to remake the computer and a few things were
lost, but nothing of great importance. Where this trend in destructive
viruses really alarms me is with home users who keep "prized"
possessions on their computers, such as un-backed-up digital photos of
important events. Destroying this kind of data is a nasty crime in my
book. (Plus in a world where computers are increasingly seen as
appliances, the number of opportunities for this sort of damage will
only increase.)

I hope Witty will actually improve things, by showing vendors of
"protection" products that flaws in them are particularly critical, and
if they don't behave in an exemplary manner it will hurt them in the
wallet as they lose customers they won't be getting back. I think this
is the only process likely to help with Witty-alikes. Unfortunately, as
in politics, I suspect many firms will still feel it's cheaper to
invest in PR after the event than better behavior before. Here's
hoping I'm wrong.

From: Mart van de Wege
Subject: One-time codes for electronic banking

I spotted this little bit in your June Crypto-Gram: "For additional
security, she then pulls out a card that has 50 scratch-off
codes. Jubran uses the codes, one by one, each time she logs on or
performs a transaction. Her bank, Nordea PLC, automatically sends a
new card when she's about to run out."

I get a feeling that Wired is a bit behind in its coverage. This system
has been in use by the Dutch bank Postbank for several years already.

Its Girotel system works by first requiring a user login with a
so-called GIN (Gebruikers Identificatie Nummer, translated User
Identification Number). After that Girotel requires all transactions to
be confirmed with a Transaction Authentication Number (TAN). These TAN
codes are supplied as a list on paper to the client, and are
replenished as soon as the client has only a limited number left (I
believe the threshold is 10, but I'm not sure).

This system has been functioning for at least 10 years to this date, to
the great satisfaction of both the bank and the users. Its
platform-neutral nature has allowed Postbank to upgrade its software
from a standalone client that would dial-in directly to an online
version, with no change in the interface, and no compromise to security.
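The scheme the reader describes (a paper list of single-use TANs, replenished once the client is down to a threshold) maps onto a small piece of server-side bookkeeping. The following is an added example, not Postbank's or Nordea's software: the list size of 50, the six-digit code length, the threshold of 10 and the three-strikes lockout are assumptions.

```python
"""Added example: server-side handling of a paper TAN list. Each code is
accepted exactly once, a replacement list is flagged when the client is down
to REPLENISH_AT codes, and guessing is cut off after a few failures."""
import hmac
import secrets
from dataclasses import dataclass, field

LIST_SIZE = 50       # assumption: codes per list (the Nordea card in the quote holds 50)
REPLENISH_AT = 10    # assumption: the reader's guess at Postbank's threshold
TAN_DIGITS = 6       # assumption: code length
MAX_FAILURES = 3     # assumption: consecutive bad codes before the account locks


def generate_tan_list(exclude: set[str], size: int = LIST_SIZE,
                      digits: int = TAN_DIGITS) -> list[str]:
    """Fresh numeric one-time codes from the OS CSPRNG, never repeating a code
    the account has already seen, so a consumed code cannot become valid again."""
    codes: list[str] = []
    while len(codes) < size:
        code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        if code not in exclude and code not in codes:
            codes.append(code)
    return codes


@dataclass
class TanAccount:
    unused: set[str] = field(default_factory=set)   # codes still valid
    used: set[str] = field(default_factory=set)     # consumed codes, kept to block reissue
    failures: int = 0
    locked: bool = False
    replenish_pending: bool = False

    def issue_list(self) -> list[str]:
        """The print-and-mail step: the returned list goes to the client on paper."""
        codes = generate_tan_list(self.unused | self.used)
        self.unused.update(codes)
        self.replenish_pending = False
        return codes

    def remaining(self) -> int:
        return len(self.unused)

    def confirm_transaction(self, submitted: str) -> bool:
        """Authorise one transaction with any unused code (assumption: codes
        may be used in any order, as with a scratch card). True = authorised."""
        if self.locked or not submitted.isascii():
            return False
        # Compare against every unused code without an early exit, so timing
        # does not reveal how many digits of a guess were right.
        match = None
        for code in self.unused:
            if hmac.compare_digest(code, submitted):
                match = code
        if match is None:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                # 50 valid codes in a 6-digit space is guessable without a cut-off
                self.locked = True
            return False
        self.failures = 0
        self.unused.discard(match)          # burn the code: replay is rejected
        self.used.add(match)
        if self.remaining() <= REPLENISH_AT:
            self.replenish_pending = True   # time to mail the next list
        return True


if __name__ == "__main__":
    acct = TanAccount()
    codes = acct.issue_list()
    print("first code accepted:", acct.confirm_transaction(codes[0]))
    print("same code again:", acct.confirm_transaction(codes[0]))
    print("remaining:", acct.remaining(), "replenish:", acct.replenish_pending)
```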

From: "Bryan L. Fordham"
Subject: National ID cards

People in Europe said "I've had the national ID card for X number of
years, and I only had to show it once to police. Otherwise I use it to
vote, buy drinks, etc."

This seems to strengthen the argument against such IDs, not hurt
it. If you only had to show it once it's not terribly useful; how does
it help security? And second, my driver license already allows me to
show my age and prove I'm me when I go to vote. Why do we need another
card?

From: "Steven Shaer"
Subject: Iranian whatever....

Regarding your article on the Iranian code breaking, I think you have
ignored another obvious (IMHO) scenario: Perhaps the CIA/NSA purposely
leaked to Chalabi that they had the Iranian codes broken and perhaps
the reason was that they didn't have the codes broken. One can think
of a number of different scenarios where you would want your adversary
to THINK he had your codes broken when you didn't, including that the
U.S. wanted Iran to change their technology to a technology they had a
back door into from the current technology they didn't have a back door
into! Another possible reason would be to throw suspicion within the
Iranian government on certain individuals which would be beneficial to
U.S. interests.

From: Toby Bryans
Subject: Re: Cell Phone Jamming and Terrorist Attacks

This whole thing is particularly annoying as the only functionality of
the mobile phones that was used during the attacks was the alarm. They
were not called to detonate -- they all had an alarm set for a
particular time: they don't even have to be on, as particular brands of
phone can turn themselves on if an alarm is due.

Blocking mobile phones will not make any difference to this attack. You
may as well ban people from wearing wristwatches...

Of course, there are examples of political opportunism on both sides of
the pond:



...would of course also make no difference with this particular attack.

From: Alexey Kirpichnikov
Subject: Photographing Subways and Terrorist Attacks

I live in Ekaterinburg, Russia and I'd like to say that photography is
still prohibited in our subway. I don't know the reason and this seems
quite funny to me. :) I think that even security officers here
understand that this ban has no sense at all, because my friends tried
to take photos in subway and it was ignored by policemen.

Still, "no photo and video" signs are everywhere in subway stations.

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. Back
issues are available on .

To subscribe, visit or send
a blank message to crypto-gram-subscribe@chaparraltree.com. To
unsubscribe, visit .

Comments on CRYPTO-GRAM should be sent to
schneier@counterpane.com. Permission to print comments is assumed
unless otherwise stated. Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who
will find it valuable. Permission is granted to reprint CRYPTO-GRAM,
as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish
algorithms. He is founder and CTO of Counterpane Internet Security
Inc., and is a member of the Advisory Board of the Electronic Privacy
Information Center (EPIC). He is a frequent writer and lecturer on
security topics. See .

Counterpane Internet Security, Inc. is the world leader in Managed
Security Monitoring. Counterpane's expert security analysts protect
networks for Fortune 1000 companies world-wide. See
.

Copyright (c) 2004 by Bruce Schneier.

LINK: bitoogle :: the bit torrent file search engine (bittorrent)

bitoogle :: the bit torrent file search engine (bittorrent)

Wednesday, July 14, 2004

LINK: The Prime Puzzles & Problems Connection, by Carlos Rivera

The Prime Puzzles & Problems Connection, by Carlos Rivera

PROG: Programming Texts/Tutorials

Programming Texts/Tutorials

Best of the best

PROG: Network functions in C - Tutorial

Network functions in C - Tutorial

OT: 'Easter egg' cheats cracking casinos?

National Post

SEC: BUFFER OVERFLOWS DEMYSTIFIED

BUFFER OVERFLOWS DEMYSTIFIED

SEC: Metasploit Framework (Part One)

SecurityFocus HOME Infocus: Metasploit Framework (Part One)

LINUX: Novell O'Reilly Linux Desktop Contest

Gmail - [vox] Novell O'Reilly Linux Desktop Contest

Copied from O'Reilly newsletter
-----------------------------
Dear Reader,

Most of us know by now that Linux is a dependable workhorse behind the
firewall. But these days we're hearing more about companies using this
open source platform on the desktop too.

We thought it would be a great idea to collect some of these success
stories and publish them for others to learn from as they contemplate
bringing Linux out into the light of fluorescent tubes and crowded
cubicles.

To facilitate that process, Novell and O'Reilly are announcing
The Great Linux Desktop Migration Contest. We're looking for
entries in three categories:

- Greatest Benefits Realized from Migration
- Best Migration Plan
- Most Practical Migration Tips

There are some terrific prizes including a trip to Barcelona,
Spain to attend Novell BrainShare Europe 2004. But you have
to write up your experience soon because the deadline is
August 9, 2004. Read all about it today at the official
contest web site:

http://www.linuxdevcenter.com/linux/contest/
_______________________________________________

LINK: Terminal Island

Terminal Island

very cool site, never seen anything like it

GOOGLE: Google Adds Picasa To Bolster Blogger unit

MediaDailyNews 07-14-04

GOOGLE: Google Acquires Picasa for Online Photo Management

NewsFactor Network - E-Commerce - Google Acquires Picasa for Online Photo Management

LINUX: Dell Reseller Offers Lindows-Loaded PCs

Dell Reseller Offers Lindows-Loaded PCs

M$: Longhorn and Tiger: Who's Copying Whom?

Longhorn and Tiger: Who's Copying Whom?

M$: Microsoft: Expect 1 Billion Windows PCs by 2010

Microsoft: Expect 1 Billion Windows PCs by 2010

SEC: Group Offers to Sell Supposed Dragon IDS Code

Group Offers to Sell Supposed Dragon IDS Code

SEC: IE vs. Mozilla on the Shell Hole—Whose Bug Is It?

IE vs. Mozilla on the Shell Hole—Whose Bug Is It?

SEC: Jaded Users Roll Their Eyes at IE's Latest Security Debacle

Jaded Users Roll Their Eyes at IE's Latest Security Debacle

SEC: UNIRAS Brief - 360/04 - Microsoft - Security updates to address newly discovered issues in Microsoft(R) Windows(R)

Gmail - [INFOCON] UNIRAS Brief - 360/04 - Microsoft - Security updates to address newly discovered issues in Microsoft(R) Windows(R)



-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 360/04 dated 13.07.04 Time: 21:36
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====
Microsoft security updates to address newly discovered issues in
Microsoft(R) Windows(R)

Detail
======
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Today 13 July 2004, Microsoft is releasing 7 security updates for newly
discovered vulnerabilities in Microsoft Windows.

- One Microsoft Security Bulletin affecting Microsoft Windows with a
maximum severity of Moderate, MS04-018
- One Microsoft Security Bulletin affecting Microsoft Windows with a
maximum severity of Important, MS04-019
- One Microsoft Security Bulletin affecting Microsoft Windows with a
maximum severity of Important, MS04-020
- One Microsoft Security Bulletin affecting Microsoft Windows with a
maximum severity of Important, MS04-021
- One Microsoft Security Bulletin affecting Microsoft Windows with a
maximum severity of Critical, MS04-022
- One Microsoft Security Bulletin affecting Microsoft Windows with a
maximum severity of Critical, MS04-023
- One Microsoft Security Bulletin affecting Microsoft Windows with a
maximum severity of Important, MS04-024

Summaries for these new bulletins may be found at the following page:
- http://www.microsoft.com/technet/security/bulletin/ms04-jul.mspx

Customers are advised to review the information in the bulletins, test and
deploy the updates immediately in their environments, if applicable.

Microsoft will host a webcast tomorrow to address customer questions on
these bulletins. For more information on this webcast please see
below:
- Information about Microsoft's July Security Bulletins
- Wednesday, July 14, 2004 10:00 AM - Wednesday, July 14, 2004 11:00 AM
(GMT-08:00) Pacific Time (US & Canada)
- http://go.microsoft.com/fwlink/?LinkId=30865

- The on-demand version of the webcast will be available 24 hours after the
live webcast at:
- http://go.microsoft.com/fwlink/?LinkId=30865

MS04-018

Title: Cumulative Security Update for Outlook Express (823353)

Affected Software:
- Microsoft Windows NT Workstation 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
- Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
Pack 3, Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP and Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-Bit Edition
- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (Me) - Review the FAQ section of this
bulletin for details about these operating systems.

Affected Components:
- Microsoft Outlook Express 5.5 Service Pack 2
- Microsoft Outlook Express 6
- Microsoft Outlook Express 6 Service Pack 1
- Microsoft Outlook Express 6 Service Pack 1 (64 bit Edition)
- Microsoft Outlook Express 6 on Windows Server 2003
- Microsoft Outlook Express 6 on Windows Server 2003 (64 bit
edition)

Impact of Vulnerability: Denial of Service

Maximum Severity Rating: Moderate

Restart required: In some cases, this update does not require a restart.
The installer stops the required services, applies the update, and then
restarts the services. However, if the required services cannot be stopped
for any reason or if required files are in use, this update will require a
restart. If this occurs, a message appears that advises you to restart.

Update can be uninstalled: Yes

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-018.mspx
**********************************************************************

MS04-019

Title: Vulnerability in Utility Manager Could Allow Code Execution
(842526)

Affected Software:
- Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
Pack 3, Microsoft Windows 2000 Service Pack 4

Impact of Vulnerability: Local Elevation of Privilege

Maximum Severity Rating: Important

Restart required: In some cases, this update does not require a restart.
The installer stops the required services, applies the update, and then
restarts the services. However, if the required services cannot be stopped
for any reason or if required files are in use, this update will require a
restart. If this occurs, a message appears that advises you to restart.

Update can be uninstalled: Yes

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx
**********************************************************************

MS04-020

Title: Vulnerability in POSIX Could Allow Code Execution (841872)

Affected Software:
- Microsoft Windows NT Workstation 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
- Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
Pack 3, Microsoft Windows 2000 Service Pack 4

Impact of Vulnerability: Local Elevation of Privilege

Maximum Severity Rating: Important

Restart required: In some cases, this update does not require a restart. The
installer stops the required services, applies the update, and then restarts
the services. However, if the required services cannot be stopped for any
reason or if required files are in use, this update will require a restart.
If this occurs, a message appears that advises you to restart.

Update can be uninstalled: Yes

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-020.mspx
**********************************************************************

MS04-021

Title: Security Update for IIS 4.0 (841373)

Affected Software:
- Microsoft Windows NT Workstation 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Service Pack 6a

Affected Components:
- Microsoft Internet Information Server (IIS) 4.0

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Important

Restart required: Yes

Update can be uninstalled: Yes

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-021.mspx
**********************************************************************

MS04-022

Title: Vulnerability in Task Scheduler Could Allow Code Execution
(841873)

Affected Software:
- Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
Pack 3, Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP and Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition Service Pack 1

Affected Components:
- Internet Explorer 6 when installed on Windows NT 4.0 SP6a (Workstation,
Server, or Terminal Server Edition)

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Restart required: In some cases, this update does not require a restart. The
installer stops the required services, applies the update, and then restarts
the services. However, if the required services cannot be stopped for any
reason or if required files are in use, this update will require a restart.
If this occurs, a message appears that advises you to restart.

Update can be uninstalled: Yes

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx
**********************************************************************

MS04-023

Title: Vulnerability in HTML Help Could Allow Code Execution
(840315)

Affected Software:
- Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
Pack 3, Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP and Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-Bit Edition
- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME) - Review the FAQ section of this
bulletin for details about these operating systems.

Affected Components:
- Internet Explorer 6.0 Service Pack 1 when installed on Windows NT 4.0
SP6a (Workstation, Server, or Terminal Server Edition)

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Restart required: In some cases, this update does not require a restart. The
installer stops the required services, applies the update, and then restarts
the services. However, if the required services cannot be stopped for any
reason or if required files are in use, this update will require a restart.
If this occurs, a message appears that advises you to restart.

Update can be uninstalled: Yes

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-023.mspx
**********************************************************************

MS04-024

Title: Vulnerability in Windows Shell Could Allow Remote Code Execution
(839645)

Affected Software:
- Microsoft Windows NT(r) Workstation 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
- Microsoft Windows NT(r) Workstation 4.0 Service Pack 6a with Active
Desktop
- Microsoft Windows NT Server 4.0 Service Pack 6a with Active Desktop
- Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
with Active Desktop
- Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
Pack 3, Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP and Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-Bit Edition
- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME) - Review the FAQ section of this
bulletin for details about these operating systems.

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Important

Restart required: In some cases, this update does not require a restart.
The installer stops the required services, applies the update, and then
restarts the services. However, if the required services cannot be stopped
for any reason or if required files are in use, this update will require a
restart. If this occurs, a message appears that advises you to restart.

Update can be uninstalled: Yes

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx
**********************************************************************

PLEASE VISIT http://www.microsoft.com/technet/security FOR THE MOST CURRENT
INFORMATION ON THESE ALERTS.

If you have any questions regarding the security updates or their
implementation after reading the bulletins listed above, you should contact
Product Support Services in the United States at 1-866-PCSafety
(1-866-727-2338). International customers should contact their local
subsidiary.

Thank you,
Microsoft PSS Security Team


----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@niscc.gov.uk

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Microsoft Corporation for
the information contained in this Briefing.
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the
vulnerability affects you, it may be prudent to retrieve the advisory from
the canonical site to ensure that you receive the most current information
concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and
opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors or
omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in
connection with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response Teams
(IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.
----------------------------------------------------------------------------------



------------------------------------------------------------------------
Information is the currency of victory on the battlefield.
GEN Gordon Sullivan, CSA (1993)
------------------------------------------------------------------------

INFOCON Mailing List @
IWS - The Information Warfare Site
http://www.iwar.org.uk

------------------------------------------------------------------------
To subscribe, change your subscription or unsubscribe go to http://www.iwar.org.uk/mailman/listinfo/infocon/
------------------------------------------------------------------------

Tuesday, July 13, 2004

SEC: SANS PrivacyBits Volume 2, No. 28

Gmail - SANS PrivacyBits Volume 2, No. 28

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

***********************************************************************
SANS PrivacyBits July 13, 2004 Vol. 2, Num. 28
***********************************************************************

TOP OF THE NEWS

-- U.S.A.: DNA Databases Need Privacy Protection
-- U.S.A.: Private Calif. Info Erroneously Sent to Swedish Firm
-- U.S.A.: California Website Law Has Far Reaching Ramifications

THE REST OF THE WEEK'S NEWS

-- U.S.A.: U.S.A. Patriot Act Stays as It Is
-- Phishing Predicted to Double by 2005
-- U.S.A.: Nevada Rates #2 for Identity Theft
-- U.S.A.: Gateway Settles Privacy Case with FTC
-- UN Wants Joint Cooperation to End Spam
-- U.S.A.: VoIP Vulnerable to Caller ID Manipulation
-- Canada: BCGEU Protests Privatization of Welfare & Loss of Privacy Protection
-- Norway: ID Theft Victim Gets Divorce Papers Before She Marries
-- Australia: Trade Agreement and Telecom / IT Agreement Signed
-- U.K.: Blunkett to Call for EU-wide DNA Database
-- U.K.: Public to Get Access to Individual Insolvency Register
-- New Zealand: InternetNZ Responds to Proposed Anti-Spam Bill
-- U.K.: CMA Calls for Fix for Past Spam Legislation
-- Netherlands: 419 Scammers May Have Used Stolen UPC Cable-Modems
-- Switzerland: Data Protection Commission Report Warns of Privacy Threats
-- U.S.A.: Michigan to Get Child Porn Law
-- U.S.A.: Ex-FBI Agent Pleads Guilty to Illegally Accessing Gov't Computers

TUTORIALS

-- Protecting Your Children's Personal Information

OPINIONS

-- Checking of Foreign Visitors Flawed
-- Will Store Tags Tag You?
-- Why the U.S. Can't Be Trusted With Our Personal Data

THE LIGHTER SIDE

-- Shortlist for Nasty Privacy Invaders Oscars Announced

FEDERAL REGISTER

-- DOE Amends Personnel Assurance Program Records
-- Air Force Alters Student Records
-- DoD to Create Visual Information Management System

******************* Sponsored by SANS SCHOOL STORE ********************

Check out our School Store for recently released books on Business Law,
Securing Solaris, Computer Security Incident Handling and
exclusive books and merchandise. Also, check out our section on
recommended books written by SANS faculty, PDF samples on our
Step-By-Step Guides, and current specials on Oracle Security, 7-Pack
Guides, and T-shirts. For more information go to
https://store.sans.org/

***********************************************************************
This Week's Featured Security Training Program:

SANS largest Fall conference will be in Las Vegas this year

September 28 to October 6

with seventeen immersion tracks taught by SANS' best teachers, and
special one day technology update programs and a big vendor expo.
http://www.sans.org/ns2004

***********************************************************************

TOP OF THE NEWS

-- U.S.A.: DNA Databases Need Privacy Protection
(08 July 2004)
According to Dr. Russ B. Altman, a professor of genetics and medicine
at Stanford University, the number of genetic databases is continually
increasing. He asserts, "Now is the time for society to think about
privacy issues and come up with answers." There are currently hundreds
of thousands of people in genetic databases whose data can be
accessed by a "determined knowledgeable person." In addition, Altman
notes Stanford has tried to keep their database of about 5,000
confidential but found that "every thing we tried ruined it for
research." He suggests the solution would be to set strict limits on
who can create genetic databases and to establish systems that would
limit access to those databases.
http://www.forbes.com/lifestyle/health/feeds/hscout/2004/07/08/hscout519997.html
[Editor's Note (Murray): The issue that we need to debate is existence
and use, not access.]

-- U.S.A.: Private Calif. Info Erroneously Sent to Swedish Firm
(07 July 2004)
An investigation is underway to determine how hundreds of internal
e-mails containing private employee data were sent out erroneously to a
Swedish firm for the last two years. Robert Carlesten, managing
director of Sweden-based internet company Ord&Bild, contacted magazine
Computerworld asserting he has been receiving e-mails at his internet.ac
domain containing personal information including names, employee
numbers, attachments relating to the payroll files for Contra Costa
County, California's Superior Court for the last two years. Attempts
to contact the senders were not answered. Tom Whittington, CIO of
Contra Costa County, admits the county was not aware of the problem
until being notified by Computerworld.
http://www.computerweekly.com/articles/article.asp?liArticleID=131790
[Editor's Note (Triulzi): A long long time ago (as in early 90's)
someone had registered a lot of names of systems in Imperial College's
Computer Centre (domain cc.ic.ac.uk) under the .cc domain. This might
sound stupid but in Imperial you could always reach a box using name.cc
if the resolver was set up correctly but if it wasn't... you'd end up
straight on the rogue systems (actually: one box, many aliases). Why?
Well, speculation is rife but of course you could always alter the login
program and harvest logins and accounts.]

-- U.S.A.: California Website Law Has Far Reaching Ramifications
(06 July 2004)
Under a new Californian law, the On-line Privacy Protection Act (OPPA)
of 2003, effective July 1, 2004, California companies operating a
commercial Web site are required to post a conspicuously placed privacy
policy on their website, disclose the kinds of personal data that they
collect and share with third parties clearly marked in their privacy
statements, abide by their policies, inform consumers of processes to
opt out of data sharing, and to publish the date on which the policy goes
into effect.
After a 30-day notification period, sites violating any of these
provisions will be subject to civil lawsuits. Noting that the Web
effectively has no borders thereby holding any company doing business
with a Californian accountable for compliance, Carolyn Hodge director
of marketing for Truste, which operates an online privacy certification
program, asserts, "There are a lot of companies, period, that are
dealing with California citizens that are not in compliance."
http://zdnet.com.com/2102-1104_2-5258824.html?tag=printthis
[Editor's Note (Murray): It is one thing for California to pass laws
governing enterprises domiciled in California. It would be quite
another for them to attempt to regulate every business, wherever
domiciled, with whom a California resident elects to do business.]

*************************** SPONSORED LINKS ***************************
Privacy notice: These links may redirect to non-SANS web pages.

(1) Are you concerned about or tasked with HIPAA security implementation?
Get guidance from
http://www.sans.org/info.php?id=513

(2) Are you surfing bugged web pages?
Find out:
http://www.sans.org/info.php?id=514

(3) Do you worry about the security of you Oracle backend database?
Check out:
http://www.sans.org/info.php?id=515

***********************************************************************

THE REST OF THE WEEK'S NEWS

-- U.S.A.: USA PATRIOT Act Stays as It Is
(10 July 2004)
Efforts to block the part of the Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
Act of 2001 (USA PATRIOT Act) that allows authorities to obtain special
court orders requiring book dealers, libraries and others to surrender
records of purchases and visits on library computers were defeated in
the Republican-led House of Representatives in a 210-210 vote. While
there have been bills introduced to block portions of the Act, Congress
has never passed any of them. President Bush had threatened to veto the
bill if passed.
http://www.etaiwannews.com/World/2004/07/10/1089425583.htm

-- Phishing Predicted to Double by 2005
(08 July 2004)
A new study, "E-mail Anti-Phishing and Anti-Fraud Market Trends
2004-2008", by The Radicati Group, a technology market research firm,
predicts that the number of unique phishing scams will increase from 51
per month to 110 per month by 2005; this will result in a significant
amount of money being spent on e-mail anti-phishing and anti-fraud
solutions. According to Jonathan Penn, principal analyst for identity
and security at Forrester Research, "As it [phishing] grows it affects
more and more [consumers] by eroding their confidence in both e-commerce
transactions as well as the companies." Janice Yee, author of this
study, recommends organizations monitor domain name registrations,
provide written instructions for accessing specific pages instead of
sending emails with links, and institute policies to let customers know
what kind of e-mail they can expect to receive. Yee maintains that
increased consumer education is the solution to controlling phishing
attacks.
[Editor's Note (Murray): There is a minimum threshold of public trust
and confidence necessary to the success and value of the internet. The
increasing level of fraudulent traffic puts that trust and confidence
in jeopardy. Once broken, it will take generations to repair.]

-- U.S.A.: Nevada Rates #2 for Identity Theft
(08 July 2004)
According to the Federal Trade Commission, Nevada accounts for
a large portion of the half a million people who filed identity theft
complaints last year; more than 2,500 Nevadans filed identity theft
complaints. According to the statistics 30 percent were victims of
credit card fraud, 26 percent telephone or utilities fraud, and 20
percent were bank fraud.
http://www.krnv.com/global/story.asp?s=2013504&ClientType=Printable

-- U.S.A.: Gateway Settles Privacy Case with FTC
(07 July 2004)
A settlement was reached in a privacy case by the Federal Trade
Commission (FTC) against Gateway Learning Corporation, known for its
"Hooked on Phonics" products. The FTC charged that Gateway Learning
altered its privacy policy to allow the sharing of information with
third parties without notifying and receiving consent from consumers.
Gateway Learning, according to the FTC, subsequently rented its customer
list, which included the address and names and age range of the children
of its customers, to direct marketers. It was alleged that Gateway
Learning failed to remove the names of those who had opted in under the
previous privacy policy. Howard Beales, director of the FTC's Bureau
of Consumer Protection, maintains, "It's simple: if you collect
information and promise not to share, you can't share unless the
consumer agrees. You can change the rules but not after the game has
been played."
http://www.clickz.com/news/print.php/3377851

-- UN Wants Joint Cooperation to End Spam
(07 July 2004)
The International Telecommunications Union (ITU), a United Nations agency
based in Geneva, Switzerland, hosted a meeting for industry regulators
from approximately sixty countries to discuss standardizing legislation
around the world in order to make it easier to prosecute spammers.
According to Robert Horton, acting chief of the Australian
Communications Authority, "(We have) an epidemic on our hands that we
need to learn how to control. International cooperation is the ultimate
goal." The ITU states that legislation from the United States, Europe,
Australia and South Korea will be suggested as models for other
countries to base new laws on.
http://www.australianit.news.com.au/common/print/0,7208,10066694%5E15306%5E%5Enbv%5E,00.html

-- U.S.A.: VoIP Vulnerable to Caller ID Manipulation
(07 July 2004)
People have used Caller ID blocking to maintain their privacy, but with
the introduction of Voice over Internet Protocol (VoIP) that privacy can
not be guaranteed. Hackers have discovered that by manipulating quirks
in VoIP they can spoof Caller ID and reveal blocked numbers. Land and
cellular phone services in the U.S. are strictly regulated by the
Federal Communications Commission (FCC), which determines how telephone
carriers must handle Calling Party Numbers (CPNs), Caller ID and
blocking; some financial institutions and businesses were often allowed
by the FCC to unblock numbers by paying a high fee. However, VoIP
networks, which are currently not under the control of the FCC, allow
ordinary netcitizens to manipulate the systems to unblock blocked
numbers. A hacker who successfully demonstrated his ability to unblock
numbers sent over a VoIP connection, is scheduled to give a talk on this
subject at the DefCon hacker convention later this month.
http://www.theregister.co.uk/2004/07/07/hackers_gut_voip/print.html
[Editor's Note (Murray): This is IP telephony, not simply VoIP. In IP
telephony our expectation about how the system will behave is the same
as we already have from POTS (plain old telephone service.)
(Triulzi): Caller ID "manipulation" is an interesting concept... In
Europe the ID returned can be rather creative. For example a large
Italian multinational uses BT Concert to make international calls so on
UK mobiles their calls appear to be from a London number (and calling
it gets you a Concert calling card message). Another example is
occasional calls from the US which present themselves as "001" which is
sort of correct except for the lack of detail. There are many more
without forgetting to mention the "anonymous" ID which can mean a number
of things: caller ID withheld, no caller ID exchange between networks,
network failures, etc. It would make a pretty amazing change for caller
ID to suddenly start working reliably with VoIP which would then make
it meaningful to manipulate.]

-- Canada: BCGEU Protests Privatization of Welfare & Loss of Privacy
Protection
(07 July 2004)
George Heyman, president of the British Columbia Government and Services
Employees' Union (BCGEU), wrote a letter to British Columbia's Privacy
Commissioner David Loukidelis, asking for an investigation of the
government's plan to privatize the delivery of welfare in rural areas
under Section 42 of the Freedom of Information and Protection of Privacy
Act. In his letter he wrote, "the services [in the government proposal]
... require the submission of very personal information. The Ministry
of Human Resources ... is not protecting the personal information from
such risks as unauthorized access, collection, use, disclosure and
disposal. The Invitation to Quote (ITQ) therefore violates the Section
30 requirements that the Ministry must protect this personal
information."
http://www.bcgeu.ca/index.php4?do=printer&id=2396
[Editor's Note (Murray): Governmental services of all kinds are
routinely delivered in sparsely populated parts of Canada by private
contractors. Modern systems have greatly increased the quality of that
service delivery while reducing some of the necessity for it. I would
have a great deal more sympathy for this complaint if it came from a more
disinterested party.]

-- Norway: ID Theft Victim Gets Divorce Papers Before She Marries
(06 July 2004)
A 22-year-old Norwegian woman was surprised when she recently received
a notice of divorce in her mail; she never was married. A victim of
identity theft, her ID was used during a wedding of a Pakistani man last
year conducted at the Islamic Cultural Centre in Oslo. However, the
Cultural Centre maintains it carefully checks all credentials before
performing a marriage; they did not marry the wrong people. According
to the police, the man has several aliases and will probably never be
found.
http://washingtontimes.com/upi-breaking/20040706-030207-9445r.htm
[Editor's Note (Murray): As our society becomes more and more mobile and
congregations more dynamic, the potential for this very serious kind of
fraud will increase. It demonstrates the necessity for roles of both
the church and the state in marriage.]

-- Australia: Trade Agreement and Telecom / IT Agreement Signed
(06 July 2004)
Australia's Prime Minister John Howard and Thai Prime Minister Thaksin
Shinawatra signed a Free Trade Agreement between the two nations which
contains an agreement to open up the IT and telecommunications sectors. At the
same time, Australian Communications Minister Daryl Williams and his
Thai counterpart Surapong Suebwonglee were signing a joint
telecommunications and information technology agreement aimed at
targeting spam. Mr. Williams states, "I welcome the opportunity it
provides for our two countries to share information about anti-spam
strategies and policies."
http://australianit.news.com.au/common/print/0,7208,10051927%5E15322%5E%5Enbv%5E15306,00.html

-- U.K.: Blunkett to Call for EU-wide DNA Database
(06 July 2004)
U.K. Home Secretary David Blunkett is hosting a two-day informal summit
for the "Group of Five" ("G5") nations of France, Germany, Italy and
Spain in his Sheffield constituency to discuss increasing cross-border
cooperation. Reports indicate that Blunkett will be calling for the
creation of an EU-wide DNA database of criminals and terror suspects to
aid the government's war on terror. Prior to the summit, Blunkett told
the Press Association, "Cooperation between European member states is a
powerful tool in the fight against terrorism and organized crime."
http://www.zdnet.co.uk/print/?TYPE=story&AT=39159683-39020651t-10000022c
[Editor's Note (Murray): Nation states often attempt to accomplish by
treaty what they cannot do politically or constitutionally. The citizen
usually comes out on the short end of such arrangements.]

-- U.K.: Public to Get Access to Individual Insolvency Register
(06 July 2004)
The U.K. Insolvency Service has launched an online version of its
Individual Insolvency Register (IIR), offering instant access to
information about bankrupts 24 hours a day, seven days a week. The
register will contain information on whether a person is an undischarged
bankrupt, the subject of a bankruptcy restriction order, or party to an
individual voluntary arrangement. Desmond Flynn, chief executive of the
Insolvency Service, notes that members of the public will be able to use
the IIR to make informed decisions such as whether or not a person would
make a good business partner.
http://www.vnunet.com/print/1156438
[Editor's Note (Murray): Such notices used to be a routine source of
revenue or copy for newspapers. It should not surprise anyone that in
the modern world such information would be on-line.]

-- New Zealand: InternetNZ Responds to Proposed Anti-Spam Bill
(05 July 2004)
InternetNZ, New Zealand's non-profit Internet Society, has responded to
Associate IT Minister David Cunliffe's signal that he intends to introduce
an anti-spam bill into parliament this year by making a series of
recommendations including that sending an e-mail of a "commercial or
promotional" nature without the consent of the recipient be made a civil
offence, responsibility for policing the spam law be given to either the
Internal Affairs Department or the Commerce Commission and internet
service providers be given the right to bring action under the law.
Cunliffe is expected to present a plan for the anti-spam bill for
consideration by the Cabinet by next month.
http://www.stuff.co.nz/stuff/print/0,1478,2961554a28,00.html
[Editor's Note (Murray): While unsolicited commercial e-mail is a
nuisance, it is only a small part of all spam. While commercial
enterprises can be expected to comply with the law, most spammers
cannot. Paper junk mail exists in part because it is subsidized by
first class mail. Spam exists in large part because the sender is
subsidized by the receiver. As long as this inequity persists, it is
likely that spam will persist.]

-- U.K.: CMA Calls for Fix for Past Spam Legislation
(05 July 2004)
The Communications Management Association (CMA), during a debate into
Broadband Britain at the Enterprise Networks show in London, stated new
laws are needed to fight the threats to Britain's Internet-enabled
companies and consumers. The CMA also noted that these new laws would
help correct the mistakes made by the government in its previous
attempts to combat spam. According to Carolyn Kimber CMA chair, "We
want to see the Computer Misuse Act and the privacy and electronic
communications legislation combined into a single effective piece of
legislation."
http://www.zdnet.co.uk/print/?TYPE=story&AT=39159672-39020651t-10000022c

-- Netherlands: 419 Scammers May Have Used Stolen UPC Cable-Modems
(05 July 2004)
Norbert Spekking, security officer for the Dutch cable operator UPC,
admitted at the trial of the fifty-two Nigerians arrested earlier this
year in Amsterdam for running so-called 419 scams that someone in the
company may have provided the cable modems used in the scams. UPC does
not tolerate spammers; last year its Internet subsidiary Chello cut off
dozens of subscribers sending 419 e-mails. Because the Nigerians were
not registered users, it took longer to shut them down.
Since the Nigerians' arrests, almost no 419 scams have been sent through
UPC's network.
http://www.theregister.co.uk/2004/07/05/dutch_419_inside_job/print.html
Related Article: Amsterdam: Home Of the 419 Lottery Scam
http://www.theregister.co.uk/2003/07/11/amsterdam_home/print.html
Related Article: Dutch Police Arrest 52 Email Scammers
http://www.theregister.co.uk/2004/01/29/dutch_police_arrest_52_email/print.html
[Editor's Note (Murray): In order to deal with the spam and phishing
problems, edge connector ISPs must reliably identify and authenticate
their customers and users. Their motive for doing it will be to ensure
that users are paying customers.]

-- Switzerland: Data Protection Commission Report Warns of Privacy Threats
(05 July 2004)
The head of Switzerland's data protection commission Hanspeter Thur,
speaking at the launch of the commission's annual report asserted that
anti-terrorism measures and more e-government are undermining personal
privacy. He condemned the U.S. for its new border control requirements
in which incoming airlines must hand over sensitive passenger data
including information about religion and credit card numbers calling the
new measures inappropriate and not useful. His main concern was that
personal data stored on a database could be abused. The commission's
annual report noted that the United States' data protection law was not
comparable to the one in Switzerland. He also criticized the government
of Switzerland's e-governance drive, claiming that recent technological
developments could result in conditions described by George Orwell in
his book, "1984."
http://www.swissinfo.org/sen/swissinfo.html?siteSect=105&sid=5067201
[Editor's Note (Murray): Law enforcement advocates have a much louder
and more convincing voice in policy formulation than the privacy
advocates. That said, if all of Mr. Thur's colleagues were speaking
out, the policy would be more moderate.
(Triulzi): Switzerland is normally rather restrained on these matters,
especially as it is widely noted for being fanatically precise with
personal detail verification (e.g. getting a CHF32/$25 dollar season
pass for the swimming pool requires me to show my residence permit and
passport at the local town hall) so for the data protection commissioner
to speak out against CAPPS there must really be something wrong (not
that this hadn't been noted before).]

-- U.S.A.: Michigan to Get Child Porn Law
(04 July 2004)
Michigan will become the second state to make sending adult spam to
children illegal when Governor Jennifer Granholm signs a bill that
allows parents to declare their kids' e-mail addresses off-limits to
certain types of spam such as pornography. The law will create a
state-run registry of e-mail addresses for children submitted by parents
which can not be used to market anything that children can not legally
purchase. According to the bill's sponsor, Senator Mike Bishop,
(R-Rochester Hills), "The Internet is such an unknown frontier, it very
much intimidates parents looking to protect kids. There's so much filth
and garbage that comes right at them."
http://www.detnews.com/2004/technology/0407/04/d01-202622.htm

-- U.S.A.: Ex-FBI Agent Pleads Guilty to Illegally Accessing Gov't Computers
(02 July 2004)
A retired Federal Bureau of Investigation agent pleaded guilty to a
federal misdemeanor charge admitting he illegally conspired to access
personal information from government computers; he never disclosed why
he wanted the information. He will be sentenced October 4, 2004.
http://www.newsday.com/news/local/wire/ny-bc-ny-brf--fbiagent-char0702jul02,0,4757870,print.story?coll=ny-ap-regional-wire

TUTORIALS

-- Protecting Your Children's Personal Information
Learn what kind of information list brokers have for sale and what you
can do to protect your children from direct marketing.
http://seattletimes.nwsource.com/cgi-bin/PrintStory.pl?document_id=2001972591&zsection_id=2001780260&slug=preschoolprivacy06&date=20040706

OPINIONS

-- Checking of Foreign Visitors Flawed
By Joan Friedland and Michele Waslin
Waslin discusses the U.S. Department of Homeland Security's U.S. Visitor
and Immigrant Status Indicator Technology (US-VISIT) program and the
various flaws in the program.
http://www.myrtlebeachonline.com/mld/sunnews/news/opinion/9123103.htm?template=contentModules/printstory.jsp

-- Will Store Tags Tag You?
By Arik Hesseldahl
According to Hesseldahl, wherever the acronym RFID (radio frequency
identification) is used in any context, the word privacy is not far
behind. His opinion piece looks at the various privacy issues
surrounding RFID.
http://www.forbes.com/2004/07/06/cx_ah_0706rfid_print.html
Related Article: Buy With A Wave Of A Phone
http://www.forbes.com/2004/07/01/cx_ah_0701rfid_print.html
Related Article: Master Of The RFID Universe
http://www.forbes.com/2004/06/29/cx_ah_0629rfid_print.html

-- Why the U.S. Can't Be Trusted With Our Personal Data
This opinion piece looks at the European point of view regarding the
U.S. demand for personal data of Europeans entering the U.S.
http://www.expatica.com/source/site_article.asp?subchannel_id=19&story_id=9106

THE LIGHTER SIDE

-- Shortlist for Nasty Privacy Invaders "Oscars" Announced
Privacy International has announced the shortlist for awards for nasty
privacy invaders; awards areas include: Worst Public Servant, Most
Invasive Company, Most Appalling Project, Most Heinous Government
Organization and Lifetime Menace Award. Among the nominees are British
Gas (Most Invasive Company) for blaming the Data Protection Act when an
elderly couple died when British Gas disconnected their gas and the Safe
Harbour Agreement (Most Appalling Project) governing the transmission
of data between European Union nations. While the awards are given to
U.K. nominees, the U.S. was also mentioned. The awards ceremony will
be held July 28, 2004 at the London School of Economics.
http://www.theregister.co.uk/2004/07/05/privacy_awards/print.html

FEDERAL REGISTER

-- DOE Amends Personnel Assurance Program Records
The Department of Energy (DOE) is amending its Personnel Assurance
Program Records system and identifies the new authority for collecting
and maintaining the information.
Comments due: 22 August 2004.
Effective: 23 August 2004.
http://edocket.access.gpo.gov/2004/04-15331.htm

-- Air Force Alters Student Records
The Department of Defense's Department of the Air Force is renaming
its Student Records system and expanding the category of individuals
covered to include "foreign military personnel, civilians, faculty and
staff," and expanding the categories of records maintained to include
"aero rating, flying status, and equipment issue."
Comments due: 08 August 2004.
Effective: 09 August 2004.
http://edocket.access.gpo.gov/2004/04-15439.htm

-- DoD to Create Visual Information Management System
The Office of the Secretary of the Department of Defense is providing
notice of the addition of the Visual Information Management System
(VIMS), which will track individuals who use the VIMS Internet site to
order multimedia products, to its Inventory of Record Systems Subject
to the Privacy Act of 1974.
Comments due: 08 August 2004.
Effective: 09 August 2004.
http://edocket.access.gpo.gov/2004/04-15440.htm

==end==

PrivacyBits Editorial Board:
Jim Dempsey, Aminah Grefer, Roland Grefer, Mark Hofman, William Hugh
Murray, Stephen Northcutt, Arrigo Triulzi

If you would like to provide public feedback regarding this issue of the
eNewsletter, you can do so at the PrivacyBits Feedback Forum
http://forum.sans.org/discus/messages/8764/11232.html

To discuss related topics and legislation, or contribute tutorials or
comments, you can enter the PrivacyBits Forum at
http://forum.sans.org/privacybits

Participation in the SANS forums requires free registration. Go to
http://forum.sans.org/cgi-bin/discus/board-profile.cgi to register a
forum account or to update your current forum account.

If you prefer to submit your comments in private, have additional
news items or other information you would like to share with us,
please send an email to PrivacyBits@sans.org.

Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/

An archive of past issues of the PrivacyBits newsletter
is available at http://www.sans.org/newsletters/privacybits

The PrivacyBits newsletter is also available as a RSS feed at
http://www.sans.org/newsletters/privacybits/rss
