CNET’s download.com site has apparently begun bundling toolbars and spyware with nmap and other open source tools.
The EFF has filed a friend-of-the-court brief in a Colorado federal courtroom, asserting that compelling a defendant to reveal the password to her computer’s encrypted hard drive is a violation of the Fifth Amendment. This will be an interesting legal precedent; I don’t think that the British tactic of holding someone in contempt until their password is revealed has been used here in the USA.
From this article at the Wall Street Journal:
The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force… Pentagon officials believe the most-sophisticated computer attacks require the resources of a government. For instance, the weapons used in a major technological assault, such as taking down a power grid, would likely have been developed with state support, Pentagon officials say.
As Lauren Weinstein pointed out on the IP list, you couldn’t possibly come up with a better challenge to incite black hats. “You think only a foreign government can take out a power grid? Well, watch _this_!”
An interesting analysis of the new “Trusted Identities in Cyberspace” initiative has been posted over at the Miller-McCune web site. It’s a refreshingly frank and clear-eyed assessment of the proposal, and a nice antidote to the manically cheery and optimistic presentation by NIST.
Popular online storage and backup provider Dropbox has changed their terms of service – apparently they want to reserve the right to decrypt the data that you’re storing on their service if the US government asks them to do so.
Independent of how intrusive this must be for non-US users, it’s an interesting reminder of how little control you have over data that resides “in the cloud”. Don’t worry, though. I’m sure that the software and process for decrypting user data is very secure, and complex, and will never be used by an outside intruder or a disgruntled insider. Safe as houses.
The National Strategy for Trusted Identities in Cyberspace, or NSTIC, will be publicly launched at an event at the Commerce Department this morning. The concept behind the initiative is simple: create a standardized authentication framework so that users don’t need to leave PII, or Personally Identifiable Information, in the hands of every web site where they need to handle personal matters.
There’s even an adorable little animation explaining the concept. A user can establish an account with any of a number of registrars, some of which are public and some of which are private. The registrar then issues an authentication token that can be used as proof of identity on sites that conform to the standard. Obviously, this depends heavily on maintenance of proper security at the registrar – but that’s still better than the current situation, where your doctor, your bank(s), your employer, etc. all have copies of your personal information, shielded only by a simple password.
It seems that the feds have really gone out of their way to make this vendor-neutral and decentralized; I hope it takes off. I’m sick of seeing headlines about massive data breaches harvesting tons of PII.
Another botnet, this one named Coreflood, has been taken down with the help of the courts. Court approval for the replacement of five US-based command and control servers enabled officials to dismantle the botnet, which was used for wire fraud and other illegal purposes.
According to the law currently on the books, email stored for more than 180 days in a hosting environment – including on so-called “cloud” servers like those of Hotmail or Gmail – is considered “abandoned” and can be obtained without a warrant. Efforts to rectify this mid-1980s legislative situation are being actively opposed by the Obama administration, which apparently feels that due process is a bit of a hassle and would rather not deal with the realities of how people now use email.
Nortel, the bankrupt Canadian networking giant, sold off its IPv4 address space this week to raise money to pay its creditors. The addresses were sold to Microsoft for $7.5 million, an average of roughly eleven and a half dollars per IP.
As the article says, prices are only likely to go up as the reality of a dual-stack or v6 implementation becomes more apparent.
Brian Krebs has done his usual excellent job outlining the Microsoft takedown of the Rustock botnet. Because of the resiliency of the architecture, a combination of technical and legal maneuvers was employed to seize the control structure of the botnet and render the compromised clients ineffective.