Another Sony rootkit

F-Secure announced yesterday that it has found another Sony product that installs a rootkit and hidden directory on Windows machines. Last time it was the copy protection associated with music CDs; this time it’s software associated with a fingerprint reader for the Sony MicroVault USM-F memory stick, which Sony says is no longer for sale. Using the memory stick causes files to be installed into a directory on your hard drive that is hidden from the operating system, including antivirus scanning. This means that, like the hidden directory created by the CD copy protection scheme, the directory can be used by other malicious software to hide itself.

September 5, 2007 · 1 min

Lying at the Weekly Standard

Julian Sanchez points out the staggering misrepresentation by those arguing that the recent increase in wiretapping power amounts to nothing more than an update of FISA procedures to reflect current technology. (Hat tip to Tim Lee at the Technology Liberation Front.)

August 17, 2007 · 1 min

Bruce Schneier interviews Kip Hawley

Bruce Schneier has posted all five parts of his interview with Transportation Security Administration head Kip Hawley: Part 1, Part 2, Part 3, Part 4, Part 5.

August 16, 2007 · 1 min

Congress approves expansion of presidential wiretapping powers

Both houses of Congress have passed a bill that updates the Foreign Intelligence Surveillance Act (FISA) to allow warrantless wiretapping when at least one party is a foreigner, without any requirement that the foreigner be suspected of having connections to terrorists. Wiretaps in such cases do not require approval of the FISA court, only of the attorney general and the director of national intelligence. As Tim Lee at Technology Liberation Front observes:

So let me get this straight: the White House says “we think we should be able to eavesdrop on virtually any domestic-to-foreign phone call without court oversight, based on the say-so of one of the president’s subordinates.” And the Democrats’ response was “Hell no! Warrantless spying should require the say-so of two of the president’s subordinates!”

Arizona’s Congressmen voted along party lines except for Harry Mitchell, who sided with the Republicans in favor of the bill, which provides for this expansion of powers for the next six months. (UPDATE, August 8, 2007: Actually, McCain didn’t vote on this bill at all, it’s another of his no-shows.) Kudos to Pastor, Grijalva, and Giffords for voting against this. (Hat tip to Technology Liberation Front and Stranger Fruit.)

UPDATE (August 7, 2007): Ed Brayton at Dispatches from the Culture Wars has more on how this bill has gutted any oversight of what the Executive branch is doing. ...

August 5, 2007 · 2 min

Abolish the CIA

I’m currently reading Pulitzer Prize-winning author Tim Weiner’s 20-years-in-the-making history of the Central Intelligence Agency, Legacy of Ashes: A History of the CIA (2007, Doubleday). All of Weiner’s facts are sourced and on-the-record, including numerous recently declassified sources (some of which the government is attempting to re-classify). This review of the book by Chalmers Johnson, a former outside consultant for the CIA, does a good job of pointing out some of the highlights and arguing at the conclusion for the abolition of the CIA and letting the State Department’s Bureau of Intelligence and Research fill in for the foreign intelligence function. Weiner’s book points out how the CIA has been mismanaged since its creation from the ashes of the Office of Strategic Services, failing to come up with accurate information about major events of significance and leaving a wake of damage from failed covert ops designed to stop the spread of communism even where there was none. And it has regularly deceived presidents, massaged or fabricated intelligence information, and violated the laws of the United States. Johnson writes:

Nothing has done more to undercut the reputation of the United States than the CIA’s “clandestine” (only in terms of the American people) murders of the presidents of South Vietnam and the Congo, its ravishing of the governments of Iran, Indonesia (three times), South Korea (twice), all of the Indochinese states, virtually every government in Latin America, and Lebanon, Afghanistan, and Iraq. The deaths from these armed assaults run into the millions. After 9/11, President Bush asked “Why do they hate us?” From Iran (1953) to Iraq (2003), the better question would be, “Who does not?”

This paragraph understates the case–Johnson goes on to describe how the CIA provided funding for Japanese and Italian politicians.
Weiner’s book observes that the CIA helped a convicted war criminal become prime minister of Japan in 1957 and bribed the leading officials of the Liberal Democratic Party, which it helped maintain in power until the 1990s. CIA broadcasts from Radio Free Europe called for uprisings. To their surprise, former Hungarian prime minister Imre Nagy, who had been expelled from the Communist Party, announced on state radio a break with Russia, and within days formed a new coalition government in October 1956, but CIA Director Allen Dulles rejected him because he had been a communist and RFE attacked him. RFE broadcasts as much as promised U.S. assistance to Hungarian rebels, only to leave them to die on their own in November 1956 when the Soviets crushed the rebellion. Tens of thousands of people were killed and thousands shipped off to Siberia. Dulles lied to Eisenhower about the content of the broadcasts, transcripts of which only became available in English in 1996, and claimed the U.S. had done nothing to encourage the Hungarians. I’ve still got much to read in the book (I’m only up to 1958), but so far it is eye-opening and appalling. UPDATE (August 11, 2007): The CIA has issued a press release taking issue with Weiner’s book for its bias. UPDATE (December 16, 2009): The CIA has published a review critiquing the accuracy and reliability of Weiner’s book. ...

August 1, 2007 · 6 min

A marketplace for software vulnerabilities

The July 21, 2007 issue of The Economist has an article about a Swiss company that has opened a market for software vulnerabilities:

Since economics, like nature, abhors a vacuum, a small industry of “security companies” has emerged to exploit the hackers’ dilemma. These outfits buy bugs from hackers (euphemistically known as “security researchers”). They then either sell them to software companies affected by the flaws, sometimes with a corrective “patch” as a sweetener, or use them for further “research”, such as looking for more significant—and therefore more lucrative—bugs on their own account. Such firms seek to act as third parties that are trusted by hacker and target alike; the idea is that they know the market and thus know the price it will bear. Often, though, neither side trusts them. Hackers complain that, if they go to such companies to try to ascertain what represents a fair price, the value of their information plummets because too many people now know about it. Software companies, meanwhile, reckon such middlemen are offered only uninteresting information. They suspect, perhaps cynically, that the good stuff is going straight to the black market.

Last week, therefore, saw the launch of a service intended to make the whole process of selling bugs more transparent while giving greater rewards to hackers who do the right thing. The company behind it, a Swiss firm called WabiSabiLabi, differs from traditional security companies in that it does not buy or sell information in its own right. Instead, it provides a marketplace for such transactions. A bug-hunter can use this marketplace in one of three ways. He can offer his discovery in a straightforward auction, with the highest bidder getting exclusive rights. He can sell the bug at a fixed price to as many buyers as want it. Or he can try to sell the bug at a fixed price exclusively to one company, without going through an auction. ...

July 29, 2007 · 3 min

Asking printer manufacturers to stop spying results in Secret Service visit?

The fact that color printers print a pattern of yellow dots on all pages that indicate which printer was used, for the purposes of being able to track the identity of who has printed any page, has been known since the EFF decrypted the codes and publicized the information in 2005. Now, however, the MIT Media Lab has started a project called “Seeing Yellow” to encourage printer owners to contact the manufacturers and complain, after it has been found that those who do so get reported to the U.S. Secret Service as subversives. (There is one known case, in which someone called to ask a printer manufacturer if there was a way to turn off the “feature.”) (Via Don Lloyd at Distributed Republic.)

July 14, 2007 · 1 min

Google thinks I'm malware

While looking through multiple pages of results from a Google query that contained some operators like negations and “site:” specifications, Google was periodically failing to give results or displaying raw HTML in my browser, then ultimately came back with:

Google Error

We’re sorry…

… but your query looks similar to automated requests from a computer virus or spyware application. To protect our users, we can’t process your request right now. ...

July 13, 2007 · 2 min

Operation Bot Roast

Yesterday, the Washington Post reported on the FBI’s “Operation Bot Roast,” which busted several criminal users of botnets:

James C. Brewer, of Arlington, Texas. He was indicted Tuesday on charges of infecting more than 10,000 computers globally, including two Chicago-area hospitals operated by the Bureau of Health Services in Cook County, Ill. The computers at the two hospitals were linked to the health care bureau’s mainframe system. They repeatedly froze or rebooted from October to December last year, resulting in delayed medical services, according to the indictment. Brewer was released on a $4,500 bond, court records show. ...

June 14, 2007 · 2 min

Microsoft's new Turing Test

Microsoft Research has partnered with Petfinder.com to come up with a new test for determining whether there’s a live human behind the keyboard or just a computer program. It’s called Asirra, Animal Species Image Recognition for Restricting Access. The method presents twelve photographs of dogs and cats from Petfinder.com (each of which has an “adopt me” link associated with it) and asks the viewer to select all of the cats.

Historical Comments

Einzige (2007-06-12): I definitely prefer looking at cute pictures to deciphering those frustrating CAPTCHA thingies! ...

June 12, 2007 · 1 min