Updated: 26.11.2002; 11:37:38.
lies, laws, legal research, crime and the internet

Friday, November 1, 2002

Column: The fear that lies online

Excuse me for paraphrasing a perfectly good and inspirational saying from Franklin D. Roosevelt, but the only thing I have to fear... is fear-mongering e-mails from public relations firms representing technology companies.

Like this one:

"According to a recent report by the Council of Foreign Relations, the U.S. is still highly vulnerable to terrorist attacks, especially via vehicle hijacking. Hundreds of thousands of trucks carrying fuel or hazardous materials traverse our nation's highways every day unregulated, unsecured and ripe for hijacking...(Brand X) is one company that has been working to secure America's trucks."

Here's another:

"America's schools, like the rest of the country, are confronted with a deep sense of uncertainty and concern over student well-being in the face of terrorism threats, school shootings and other potential crisis situations...A growing number of school districts and educators across the country have discovered (Brand Y's) wireless telephones as the best way to keep their students and staff safe and sound."

And finally:

"With more kids using the Internet everyday, they face many unknown dangers of the Internet, such as inappropriate Web sites and subjects, Internet scam artists and online predators...(Brand Z) is launching a new parental controls product that helps parents monitor their kids' Internet activities."

Thanks to my e-mail in box, every week is Halloween.

Since 9-11, this has been the tone for many of the e-mails I get from publicity firms hired by tech companies, and from the in-house media relations specialists for those companies. The P.R. specialists have clicked onto something that the media discovered long before the World Trade Center came crashing down:

Fear sells.

With that as a dark, scary backdrop, the question now becomes... can this country be saved by technology?

I have received dozens of e-mails that would have you think so. They pitch me products and services like global positioning systems that can keep track of everything from a company's trucks to your child.

Security companies use threats like Love Letter, Code Red or Klez-e to sell me on selling you their anti-virus products. Companies that provide hidden surveillance systems promise to keep an eye out for terrorists while swearing to look the other way and honor your civil liberties. [CNN Technology]
23:33

FBI seeks to trace massive Net attack

As investigators continued tracking the source of a bid to topple the heart of the Internet this week, experts said the attack was neither the most efficient nor likely way to inflict pain on the average Web surfer.

"Most people had no idea this was happening," said Hari Balakrishnan, a computer science professor at the Massachusetts Institute of Technology. "If the top five most-visited sites were down, that's when people will tell you their service was disrupted."

It's called a "denial of service" attack. And investigators are hard at work trying to find those responsible, said FBI agent Steven Berry. A White House spokesman was asked whether cyber-terrorism was suspected.

"I'm not aware there's anything that would lead anybody in that direction. History has shown that many of these attacks actually come from the hacker community," spokesman Ari Fleischer told reporters.

Experts said the attacks would be hard to trace because hackers typically take over unsuspecting government and business computers as launch pads for bogus data. [CNN Technology]
23:31

CIA identifies cyber terror groups

A CIA report has warned that a number of terrorist groups are hatching plans to attack Western computer networks.

The report, which is a response to a list of questions from a US senator, names Sunni extremists Hezbollah and Aleph as groups believed to be developing cyber terrorism plans.

The report claims that the CIA is "alert to the possibility of cyber warfare attack by terrorists on critical infrastructure systems that rely on electronic and computer networks".

It added that attacks against critical infrastructure systems will become an increasingly viable option for terrorists, as they become more familiar with these targets and the technologies required to attack them.

The report identifies al-Qaeda and Hezbollah as becoming "more adept at using the internet and computer technologies".

"The FBI is monitoring an increasing number of cyber threats and the sort of groups most likely to conduct such operations include al-Qaeda and the Sunni extremists that support their goals against the US," said the report.

Aleph, formerly known as Aum Shinrikyo, is the terrorist group that places the highest level of importance on developing cyber skills.

"This group identifies itself as a cyber cult and derives millions of dollars a year from computer retailing," the report stated. [vnunet Hacking]
23:21

Nice article on backlinks

David F. Gallagher: The Web's Missing Links. I link to this not only because he quotes me, but because he really did his homework and learned about all the various options of linkbacks, trackbacks, pingbacks, referrer scripts, and so forth. (149 words) [dive into mark]
23:14

China prevented repeat cyber attack on US

The Defense Department expected new cyber attacks from China but they never materialized: the Chinese government asked attackers not to repeat the 2001 defacement of U.S. government Web sites. [Help Net Security - News]
23:07

Hacker continues trail of malice

[ITWeb, 28 Oct 2002] A malicious hacker, going by the name r00t3rs, continued to deface Web sites with a .co.za domain name last week. The hacker has been linked to more than 30 Web site defacements over the past two weeks.

The hacker tends to focus on Web sites hosted at hosting companies, making it possible to compromise a much greater number of sites at a time. So far he appears to have focused on two hosting companies, but others may be targeted.

Francis Cronje of Buys Attorneys, who has been following the hacker's movements, says: "The last week has seen a continued attack on local sites. We've never seen anything like this. Attempts to trace the hacker to an IP address or computer have failed thus far. The fact that this person focuses so much on local sites gives me the idea he or she is a South African." [per thou]

Some of the sites that were hacked late last week, such as www.audiospectrum.co.za, have been attacked again by other hackers this week, indicating that the underlying systems have not been patched yet.

Another hacker has also emerged locally. Known as int3rc3pt0r, the hacker has defaced a number of local sites, including www.vishuis.co.za. Unlike r00t3rs, this hacker does not remove the front page of the site and replace it with his own, rather adding his message into the body of the page. [moreover Computersecurity]
22:57

Don't Taint the Evidence!

Computer evidence can be invaluable, but it must be treated carefully to be admissible in court.

Each week vnunet.com asks a different expert from the antivirus world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

This week, Neil Barrett, technical director at security specialist Information Risk Management, looks at how easy it is to ruin potentially useful information on computer crimes.

Lots of crimes involve the use of computers, one way or another. They might be used to communicate with co-conspirators; they might be used to hold paedophilic images; and they might be used by hackers, fraudsters, stalkers and even murderers.

A sizeable number of crimes now involve computers either as tools or as 'victims'. And, of course, any computer activity leaves a trace, whether in a log file, as a deleted email, or as a 'last-access-time' stamp on a file. [Kill-HUP.com]
22:54

Hacking with Smart IP Spoofing

22:33

Decimal glitch spurs hotel overbill

[I have to wonder what happened to basic software testing?]

If you stayed at a Holiday Inn, Holiday Inn Express, or Crowne Plaza hotel and checked out between 24 Oct and 26 Oct 2002, you are likely to have been one of 26,000 people who were charged 100 times what they owed, such as $6,500 to $21,000 per night. A credit-processing error resulted in the decimal points being dropped. Most of the charges were later reversed, although many people discovered that their credit limits had been exhausted. Overcharged guests will get two free nights at any of those hotels. [Source: Article by Russ Bynum, Associated Press, 01 Nov 2002; PGN-ed] http://story.news.yahoo.com/news?tmpl=story2&u=/ap/20021101/ap_on_re_us/guests_overcharged ["Fuzzy Gorilla" via risks-digest Volume 22, Issue 33]
22:33

Nintendo's strongarm tactics

With Nintendo facing fines of 149 million Euros from the European Parliament for anti-competitive practices, it's interesting to take a look back at just how bad their practices were. This 1997 article on Nintendo's strongarm tactics is a great overview of how the company got into 149 million Euros' worth of trouble:

Nintendo's next atrocity would be to use the considerable monopoly they had to control the consumer. Because of the game shortages, consumers would be more concerned about getting a particular title than the price. And because of Nintendo's domineering stance with the retailers, they were able to dictate the expected prices for their games.

In the electronics and computer industry, you can expect equipment to reduce in price over time. When new devices are created that make older ones obsolete, the older devices are reduced in price to compete with the newer ones. This is clearly evident if one simply peruses the want-ads in their local paper and notes the prices of computer systems that were considered state of the art a year previous. This logic applies to all aspects of the computer and electronics industry, including video games. Why then between 1985 and 1989 did the Nintendo Entertainment System only lower $10 in its price?

This was exactly what Attorney Generals from all fifty states were wondering when they began investigating the activities of Nintendo of America in 1989. They found that Nintendo had been fixing the price of systems and games in the stores, using intimidation to influence retailers to abide by their wishes, and were making astronomical profits. Nintendo had been doing this since they first brought out the NES in 1985. They had strived to construct the system inexpensively, however, it was being sold at the same price as the competing systems. An antitrust action was brought up against Nintendo by these same Attorney Generals, and on October 17, 1991, District Court Judge Sweet granted approval of settlement agreements. [775 F.Supp. 676 (S.D.N.Y. 1991)]



(via Hack the Planet) [Boing Boing Blog]
21:38

Protecting System Binaries From Trojan Attack

[Slashdot: BSD]
21:20

Digital copyright law (DMCA) on trial

A security researcher asked a federal judge Wednesday to let a challenge to the Digital Millennium Copyright Act continue.

Attorneys for Ben Edelman, who specializes in investigating flaws in blocking software, filed a 26-page document arguing that his work is imperiled by legal threats from N2H2, a filtering company based in Seattle.

N2H2 has asked a Massachusetts judge to dismiss the case, which the American Civil Liberties Union brought in July to let Edelman create and distribute a utility that decrypts N2H2's secret list of forbidden Web sites. The ACLU wants a court to declare that Edelman's research is not barred by the DMCA, by N2H2's shrinkwrap license, trade secret laws or other copyright laws.

"We're confident that the court will deny the defendants' motion to dismiss since they clearly intend to pursue their legal rights against Edelman if he goes forward with his research," said Ann Beeson, an ACLU staff attorney.

By suing on behalf of Edelman, who is a researcher at Harvard Law School's Berkman Center and a first-year law student there, the civil liberties group hopes to prompt the first ruling that would curtail the DMCA's wide reach. [CNET News.com]
20:54

Europe Fines Nintendo $147 Million for Price Fixing

The European Commission fined Nintendo, the Japanese video game maker, $147 million for colluding with seven European distributors to fix prices on its products. [New York Times: Technology]
20:49

Law Firm Soap Operas

I've been silent on a couple of law firm soap operas playing out very publicly in the press lately. But for the benefit of any readers who may not be wired into the rumor mill, let me try to sum them up for you...

Pillsbury Winthrop and Latham & Watkins

  • Frode Jensen, a partner in the NY office at Pillsbury Winthrop, left to join Latham & Watkins. On September 3, Latham put out a press release (courtesy of Google's cache; the release is no longer on Latham's site) announcing the move. From the press release: "We know Frode well from the opposite side of the table," said Kirk Davenport, Chair of the New York Corporate Practice. "He is a very capable lawyer, and his extensive contacts and experience in several industries, including the biotechnology sector, will be an asset to our New York corporate practice." (For those keeping score, Pillsbury is an 800 lawyer law firm with offices around the globe; Latham has nearly 2000 lawyers worldwide.)

  • The following day, Pillsbury's chairman Mary Cranston issued her own press release. In the press release, Cranston indicated the firm had investigated sexual harassment claims against Jensen and "concluded there was a reasonable likelihood that harassment had occurred and responded with a variety of measures." (How's this for the most duplicitous comment ever made in a press release: "It is always sad to lose a friend and colleague to another firm, however, under the circumstances of the past year, Mr. Jensen's move is probably in the best interest of all concerned, and we wish him well with his new firm.")

  • The day after that, Pillsbury's managing partner admitted in an interview that the reason for their action was that a recruiter had advised Pillsbury's management that lateral hiring would be negatively affected by Jensen's departure.

  • Shortly thereafter, Jensen dropped his bid for partnership at Latham and sued Pillsbury for $45 million.

Clifford Chance

  • On October 15, six associates drafted a memo to the New York Partners at Clifford Chance. The Memo, available here, is a thirteen page (single-spaced!) memo outlining just how bad things have become at Clifford Chance.

  • The memo is a response to CC's dismal showing in the latest American Lawyer Associates Survey. (The full list of firms and their rankings is here.) (Side note: CC beat Pillsbury Winthrop by just two spots.)

  • The memo identifies seven specific complaints:

    • the 2420 hour billable hour requirement for all associates (I'll save you the calculator: assuming just five holidays and no vacation, that's 9.5 billable hours per working day for an entire year.)

    • the assignment system

    • performance reviews

    • poor internal communications

    • the pro bono program ("pro bono" is where lawyers volunteer their time for clients who can't afford legal representation)

    • partner indifference

    • insufficient training

  • Supporting claims of how bad the billable hour requirement is, the associates indicated that lawyers felt pressured to pad their bills to meet the requirement. This got picked up in this past weekend's Financial Times and this week's Forbes, both of which comment on clients' fears that their bills are being padded.

  • Slate ran an unsympathetic article by Dahlia Lithwick yesterday titled "Free the Baby Lawyers!" in which she concludes:
    Consider their final suggestions for improving quality of life at their firm:

    • "Put plates and utensils in the pantries, so that people working late can avoid eating out of containers"

    • "Get an online food delivery system ... so that people working late can order food easily"

    • "Set up a recreation room with a TV"

    • "Get concierge service for things like dry cleaning"

    • "Free shoeshines"

    • "Give out corporate accessories and toys"

    Do these people even understand that one could eat dinner, watch television, or shine one's shoes at home? And wouldn't it be fun for them to socialize with real people instead of malevolent bosses? The absurdity of the Clifford Chance memo isn't that these associates regret their Faustian bargain. It is that they just want shiny shoes for their troubles.

  • As a result of all of this press, clients are demanding explanations from CC. Partners have called "war councils" on both sides of the Atlantic to address morale, client retention, and damage control in the press.

  • As if you didn't know what the discussion would be, feel free to stop by The Vault's discussion board about the issue. And then swing by Greedy Associates for even more.

And you thought life in the legal profession was boring!

[tins ::: Rick Klau's weblog]
20:46


If you named your company (not to mention the site) Law.com, don't you think http://law.com/ would pull up the home page?

Turns out you'd be wrong. You need to go http://www.law.com/ . Come on guys, figure out the DNS!

[tins ::: Rick Klau's weblog]

An "Internet Expert" recently explained to a friend that addresses not starting with "www" are not reachable worldwide.
20:12

Judge amends decision after reading correction on blog

A former law clerk noted an error in a Fifth Circuit decision on his blog. The judge who wrote the decision turns out to be a regular reader of said blog, and he immediately amended the decision and wrote to the blogger with the news. Judges read blogs. Judges correct Federal court rulings based on blogs. Wow. Link [Boing Boing Blog]
17:47

Economic warfare enters the cyber-age

Tech-savvy terrorists start using the web for sabotage

The internet could become the latest weapon in the arsenal of increasingly technically sophisticated terrorist groups, ushering in a new age of economic warfare.

Addressing delegates at the Compsec security show in London this week, Brian Jenkins, special advisor to the US International Chamber of Commerce, warned that terrorists already use the internet to communicate with each other and to obtain and provide information and disinformation.

They deface or take down sites that hold opposing views and may even be reconnoitring network and system vulnerabilities via the internet, he said.

While Jenkins sees cyber-terrorism as a mainly theoretical risk, reports indicate that terrorists are increasingly starting to use the web for sabotage purposes.

And the threat of this will increase as society becomes more reliant on internet-based systems.

"Over time, terrorists may become more like hackers and hackers may become more like terrorists," he said during his keynote speech.

"Most terrorists still seem to prefer bombs and bloodshed, but increasingly they're recognising that a combination of attacks is more efficient in economic warfare."

The most likely threats are shutting down key systems such as air traffic control, and unleashing extended denial of service attacks to parts of a critical infrastructure such as the national grid.

Another means could be corrupting data in, for example, banking systems causing people to lose confidence, while a so-called 'forced multiplier' attack would see terrorists undertaking physical and cyber attacks concurrently to magnify any potential damage.

Alan Brill, senior managing director at consultant Kroll Associates, picked up the theme during his speech. He insisted that organisations must secure all assets, whether physical or technological, if their security policies are to be effective.

"At least 75 per cent of the companies we looked at had no formal relationship between physical and IT security, but that's become unacceptable and dangerous to the corporation and it cannot be allowed to continue," he said. [vnunet Hacking]
17:44

The Pinch of Piracy Wakes China Up on Copyright Issue

Anyone in China who makes movies, writes books, develops software or sings songs knows that popularity is barely half the challenge; they must also fight intellectual piracy. [New York Times: Technology]
17:41

Questions + Answers: Kevin Mitnick

Kevin Mitnick has been the world's most notorious hacker for over a decade. After two jail terms, the second lasting five years, he was released in September 2000.

He has since written a book on the art of social engineering and is starting a consultancy to advise companies on the best way to protect IT infrastructures. [Help Net Security - News]
17:40

Chaostreff Aachen is being founded

Chaos everywhere! In that spirit, we meet on 14 November at 8 pm in the "kaktus" (Pontstr, near RWTH). [c4 Headlines]
17:02

Responsible bug disclosure by corporate fiat

I must have a masochistic streak. Nothing else could explain why I occasionally argue in this space that people should act responsibly when disclosing holes in software. If I even hint that the doctrine of full disclosure has limits, the reaction is overwhelming. Among other things, I've been called a Microsoft lackey, a fascist, and "just a plain dolt." You'd think I was criticizing CISSPs.

Most of the negative feedback seems to stem from the belief that I'm opposed to full disclosure. In fact, I'm not.

But I believe that it's time for the security community to develop a broadly supported model for disclosing security vulnerabilities. This model should ultimately result in full disclosure of every security hole in every application. Just not all at once. [Powered by News Is Free]
16:12

Verizon Settles With Alleged Spammer

Since the Sept. 11 terrorist attacks last year, FBI director Robert Mueller has taken the unprecedented step of making the fight against cybercrime and cyberterrorism the bureau's No. 3 priority behind counterterrorism and counterintelligence. But private-sector cooperation in that fight remains woefully inadequate, Mueller told an invitation-only meeting of industry and government officials today.

"We probably get one-third of the [cybercrime] reports that we would like to get," said Mueller, speaking at the National Forum on Combating e-Crime and Cyberterrorism, sponsored by the Arlington, Va.-based Information Technology Association of America and El Segundo, Calif.-based Computer Sciences Corp.

"You're not enabling us to do the job," Mueller said, referring to the lack of incident reporting coming from the private sector. Without more companies stepping forward and cooperating with law enforcement on prosecuting known or suspected cybercrimes, the FBI's analysis and prediction capability will not improve, nor will the overall state of security on the Internet, said Mueller.

"We understand that there may be privacy [and public relations] concerns," said Mueller. "We, as an organization, have learned that you don't want us [responding] in raid jackets, you want us there quietly." However, for the attacks to stop, "there has to be a sanction."

For its part, the FBI under Mueller's stewardship has undertaken a massive reorganization designed to make the agency more nimble and savvy when it comes to responding to and understanding cyberbased attacks against the nation's critical infrastructure.

In addition to making cybercrime and cyberterrorism one of the bureau's top three priorities, Mueller said the FBI has changed its hiring practices to focus on recruiting "a new type of agent" that can bring a "bedrock of experience" from the world of IT.

The bureau has also taken steps to improve information sharing with other federal, state and local agencies. So far, Mueller has set up three joint FBI-Secret Service cybercrime task forces and recently created a computer forensics laboratory in San Diego, with plans to establish additional labs throughout the country. The labs will include the participation of various agencies, including the Customs Department and the Immigration and Naturalization Service.

Although it is "absolutely critical" that the private sector and the government work together, Harris Miller, president of the ITAA acknowledged that "the reality is that our interests are not always in alignment." However, the chances of successfully battling e-crime and cyberterrorism without government help "are literally zero," he said.

Given the increasingly organized nature of cybercrime syndicates and various other "techno-gangs," it is critically important for companies to come forward when they are the victims of a crime, said Paul McNulty, U.S. Attorney for the Eastern District of Virginia. Without that cooperation, there is a real chance that "cyberspace could become an economic blight ... where people are afraid to go."

There remains, however, a "huge gulf between industry as vendor and industry as customer," said Marty Stansell-Gamm, chief of the Computer Crime and Intellectual Property Section at the Justice Department. Discussions have not yet taken place that would enable industry to speak with one voice, she said. [moreover Computersecurity]
16:07

Business-Software Piracy Climbs

AP - Trade group says piracy rate rose slightly in 2001, costing the United States $1.8 billion in retail sales [TechWeb: Security]
16:04

The Great Security Panic

After a good solid 40+ years of handing our credit card info to minimum-wage workers at stores that don't shred anything and often throw out this info in dumpsters in the alley - we are now taking a rather inexplicable interest in the security of information that is strongly encrypted from end to end. Do we really need more security in home computers, and on the net in general, or is this just a bunch of greedy nerds trying to flex their geek-muscles in public? Is this a legitimate concern, or just sheep being fattened up for the slaughter? Is my sarcasm coming through, or are you really unsure of my stance on the issue? [kuro5hin.org]
15:49

Do Bug-Hunting Security Firms Put Users at Risk?

When researchers at GreyMagic Software discovered a batch of security vulnerabilities in Microsoft's Internet Explorer earlier this month, their first response was to test the vulnerabilities and make sure they were for real. What they did next, however, raised the ire of Microsoft and others within the software industry.

In addition to sending information about the vulnerabilities to Microsoft, GreyMagic published information on their public Web site about the vulnerabilities along with code showing how the vulnerabilities could be exploited. They also sent e-mail announcing their discovery to a variety of public Web sites frequented by computer security experts and computer hackers.

"Under the full disclosure policy, we're releasing these vulnerabilities to the public and to Microsoft at the same time," the company, which is based in Israel, said in an e-mail notifying the public about the vulnerabilities. "Notifying Microsoft ahead of time and waiting for them to patch the reported issues proved as nonproductive". [LinuxSecurity.com]
15:47

Software piracy down

Evening tech news: An industry group representing the world's largest software makers has named California, New York and Utah among the states with the greatest drop in piracy rates for business software. [The Macintosh News Network]
15:36

The open secrets of Saddam's inbox

Anyone who thinks they can send private e-mails to Iraqi President Saddam Hussein unnoticed by the outside world should think again.

Journalists from the American website Wired.com say they have found an easy way to access the Iraqi leader's inbox, taking advantage of security holes in software used by the country's official internet service provider.

"For weapon use, have function: no colour, no smell, will let person dead in a few second" - message from China, quoted in the article

They found that dozens of people write to the Iraqi president's address - press@uruklink.net - each week, with anything from threats of nuclear annihilation to offers to help fight against the Americans.

But some writers appeared to be interested in more shady dealings.

The chairman of a London-based company e-mailed the Iraqi leader in August offering to act as a mediator for Iraq's purchase of unnamed products in Western Europe.

"Please consider this letter as secret... I ensure you absolute secrecy," the message read, according to Wired.com. [BBC News Online]
15:29

Site shuts down credit transactions after security complaint

E-commerce site cybergames.co.za was this week forced to stop accepting credit card payments after an anonymous complaint that the site was not secure.

Credit card gateway company SETcom on Monday suspended the site's account and refused to process further credit card transactions after being informed that no encryption was being used to protect client details on the site.

"It is down and it will stay down until the issue is addressed," says SETcom MD David Liu.

A concerned citizen going by the pseudonym "Tyrebender" late last week informed the company that Cybergames was using no encryption when accepting credit card details. Such details sent via an unencrypted connection can be readily intercepted and misused. [Help Net Security - News]
15:18
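The SETcom item above turns on one check a payment gateway (or a site owner) can run on its own pages: does any form that collects card details submit over plain HTTP, or sit on a page that is itself delivered unencrypted? The following is an added example and not code from Help Net Security, SETcom or the site involved; the page URL, the field-name hints and the sample checkout page are constructed for the demo.

```python
"""Flag HTML forms that would carry payment-card details over plain HTTP.

Added example; the URL shop.example, the hint list and SAMPLE_HTML are
constructed and hypothetical."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that suggest a field collects card data (hypothetical list)
CARD_FIELD_HINTS = ("card", "ccnum", "cvv", "cvc", "expiry")


class _FormScanner(HTMLParser):
    """Collect every <form> together with the names of the fields inside it."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Resolve the action against the page so "/pay" becomes absolute
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(html, page_url):
    """Return one finding string per form that exposes card data in transit."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in scanner.forms:
        takes_card = any(h in f for f in form["fields"] for h in CARD_FIELD_HINTS)
        if not takes_card:
            continue
        if urlsplit(form["action"]).scheme != "https":
            findings.append(f"{form['action']}: card fields submitted over plain HTTP")
        elif page_scheme != "https":
            # The submit URL is encrypted, but the page carrying the form is not,
            # so anyone on the path could rewrite the action before the user sees it
            findings.append(f"{form['action']}: form page itself served over plain HTTP")
    return findings


# Constructed checkout page: one form posts card data to the same http host,
# one posts to an https gateway, one is a harmless search box.
SAMPLE_HTML = """
<form action="/pay" method="post">
  <input name="card_number"><input name="cvv"><input name="expiry">
</form>
<form action="https://gateway.example/pay" method="post">
  <input name="ccnum">
</form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for line in audit_page(SAMPLE_HTML, "http://shop.example/checkout"):
        print(line)
```

Run against the constructed page at an http:// URL it reports two forms; the same page served from an https:// URL reports none, which is the point: the fix is serving the whole checkout path, not just the submit target, over TLS. The hint list is deliberately crude; a real audit would also look at the field's autocomplete attribute and the gateway's own requirements.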

Aiding and Abetting Hackers A Crime

Cyber-crime laws and cops are now targeting those who write and distribute hacker toolkits. Currently, the case helping to establish a precedent on how authors of virus toolkits will be prosecuted in the UK is the case involving the author of "TOrnkit", a suite of programs designed to enable hackers to hide their presence on cracked Linux computers. The law being used to prosecute the 21-year-old author of this toolkit, who Scotland Yard nabbed last week in a London suburb, is the 1990 Computer Misuse Act. How this law is interpreted with regard to "TOrnkit" will go a long way in setting the playing field for the prosecution of other authors of "hacker-helper" code.

Dave Dittrich, University of Washington's senior security engineer commented. "Most of the versions (of TOrnkit and other hacker toolkit software) are circulated in the (hacker) underground, and they're tightly held." [LinuxSecurity.com]
15:13

Listening in on phone calls can be unconstitutional

Listening in on telephone conversations via a speakerphone can violate the caller's right of personality. The Federal Constitutional Court has now ruled so.

Karlsruhe - The court thereby upheld the complaints of two complainants whose telephone calls with business partners had been overheard by witnesses. When they subsequently became involved in lawsuits, the eavesdroppers testified in court. The statements should not have been admitted in court because the right to one's own spoken word had been violated, the Karlsruhe judges ruled. (Case numbers 1 BvR 1611/96 and 805/98 - decision of 9 October 2002) [Spiegel Online: Politik]
15:06


Foxtrot [Bag and Baggage]
14:47

Autotote programmer hacks winning Pick Six bets

Autotote (a subsidiary of Scientific Games Corp in New York state) develops the software for most of the nation's off-track betting systems. One of its programmers apparently "software-engineered" the system to yield a $3 million Pick Six payoff from the Catskill NY OTB site, to be collected by a man in Baltimore who had placed his bets by phone before the first race. The bets were somewhat unusual: picks for the first four races, and wild-card multiple bets spanning all possibilities for the remaining two races. Because of a design decision to minimize loading of the Autotote system, local OTB data on the first four sets of bets is not posted to the host network until just after the first four results were known. Apparently, a little internal engineering resulted in the first four bets being altered to name the winners of the first four legs, including 26-to-1 and 13-to-1 long shots, along with all possible combinations for the fifth and sixth races. The Baltimore man was the only person with the winning Pick-6 combination, and also had consolation combinations for picking 5 out of 6. We presume some sort of collusion. However, a spokesman for SGC said that their anomaly detection system caught this event before any payoffs occurred, after which 72 other consolation winners were then allocated proportionally larger sums. He added that he and his technical people had "considered it absolutely impossible" to hack into the system. One wag later posted a note on the SGC Internet Web site asking if he could still post a bet on those races. Incidentally, the programmer has been fired, and the case is under investigation. [Source: Computer programmer fired in Pick Six investigation, Greg Sandoval and John Scheinman, *The Washington Post*, 1 Nov 2002, D01; PGN-ed]

[In this forum, we have long been noting many of the risks in gambling systems as well as in electronic voting systems. Even in a system that has seemingly been carefully designed for security and integrity, a little bit of insider action can result in very nasty results. PGN] [Lillie Coney via risks-digest Volume 22, Issue 33]
14:44
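
The RISKS item above describes a window in which bets sit at the local site until the results are known. The following is an added example, not code from Autotote, Scientific Games or the RISKS digest, of one defensive pattern for such a window: the local site posts only a short commitment (one hash over all of its tickets) to the host before the first race, which costs almost nothing in bandwidth, and the host checks the full tickets against that commitment when they arrive later. Any ticket rewritten in between no longer matches. Ticket contents, horse numbers and all function names are constructed for illustration.

```python
import hashlib
import json
import secrets


def canonical(bet: dict) -> bytes:
    """Deterministic encoding so the same ticket always hashes the same way."""
    return json.dumps(bet, sort_keys=True, separators=(",", ":")).encode()


def commit(bet: dict, nonce: bytes) -> str:
    """Commitment to one ticket: SHA-256 over a random nonce and the ticket."""
    return hashlib.sha256(nonce + canonical(bet)).hexdigest()


def batch_digest(commitments) -> str:
    """One digest for a whole batch; order-independent, so resorting is harmless."""
    h = hashlib.sha256()
    for c in sorted(commitments):
        h.update(bytes.fromhex(c))
    return h.hexdigest()


# --- local site, before post time ------------------------------------------
def seal_batch(bets):
    """Pair each ticket with a fresh nonce and return (digest, sealed).
    Only `digest` (32 bytes) needs to reach the host before the first race."""
    sealed = [(secrets.token_bytes(16), bet) for bet in bets]
    digest = batch_digest([commit(b, n) for n, b in sealed])
    return digest, sealed


# --- host, after the results are known ---------------------------------------
def verify_batch(digest, commitments, revealed):
    """Host-side check. `commitments` is the per-ticket list the local site
    discloses together with the full tickets; it is trusted only if it hashes
    to `digest`, the one value the host has held since before post time.
    Returns (ok, indexes of tickets whose content does not match)."""
    if batch_digest(commitments) != digest:
        # The commitment list itself was changed; nothing can be localised.
        return False, list(range(len(revealed)))
    known = set(commitments)
    tampered = [i for i, (n, b) in enumerate(revealed) if commit(b, n) not in known]
    ok = not tampered and len(revealed) == len(commitments)
    return ok, tampered


def demo():
    """Constructed sample: a Pick Six with four fixed legs and all combinations
    for legs five and six, plus an ordinary ticket. Horse numbers are made up."""
    bets = [
        {"ticket": 1, "legs": [[4], [7], [2], [9], "ALL", "ALL"]},
        {"ticket": 2, "legs": [[1], [3], [5], [8], [2], [6]]},
    ]
    digest, sealed = seal_batch(bets)
    commitments = [commit(b, n) for n, b in sealed]

    # Honest path: tickets arrive unchanged.
    ok, bad = verify_batch(digest, commitments, sealed)

    # Ticket 1's fixed legs are changed after the races; the host must notice.
    altered = list(sealed)
    altered[0] = (altered[0][0], {"ticket": 1, "legs": [[11], [6], [3], [12], "ALL", "ALL"]})
    ok2, bad2 = verify_batch(digest, commitments, altered)
    return ok, bad, ok2, bad2


if __name__ == "__main__":
    print(demo())
```

The digest is order-independent so that the host does not have to care how the local site stores or re-sorts its tickets; what it does care about is that the set of tickets behind the digest is exactly the set that arrives later.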

Anders Jacobsen: Reuters "Hack"

What was it about? The news agency Reuters was accused of having "hacked" some Swedish companies in order to get hold of information ahead of time. Now, however, it has come out that all parties agree that Reuters got the information directly from the company's website! (Detailed article in Wired) What happened? A classic "security by obscurity" security concept that went wrong once again: the report Reuters wanted lay open and unprotected on the company's web server; it just wasn't linked from anywhere. So Reuters simply "guessed" the address and found the report (with file names like "Quartalsbericht01.pdf", "Quartalsbericht02.pdf", "Quartalsbericht03.pdf", that really isn't hard...). The legal side: is it "hacking" when someone retrieves a publicly accessible document from a web server? Certainly not! (Says I. There are other views on this, though.) I retrieve whatever I want. If I'm not supposed to get it, then it has to be protected. Whether there is a link somewhere or not makes no difference at all. The practical side: dear customers, dear not-yet-customers, dear world: if you don't want anyone reading your top-secret documents, don't put them on your open web server! Everything that can be addressed directly by a URL will be addressed! And if there isn't at least a password on the directory, the file will simply wander around the net. Ask someone who knows about such things [tm]! [Martin Roell's eBiz Weblog]
12:43
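
Martin Roell's point above is that anything addressable by a URL will be addressed. As an added example (not from his post, from Reuters or from Wired), here is an audit script that walks a web root and lists document files that are not linked from any page and sit in a directory without access control, flagging names that look like a numbered series. It assumes Apache-style `.htaccess` files with an `AuthType` line as the protection mechanism; the directory layout and file names in the demo are constructed.

```python
import os
import re
import tempfile

# href="..." or src="..." values; fragments and query strings are cut off
HREF_RE = re.compile(r'(?:href|src)\s*=\s*["\']([^"\'#?]+)', re.I)
# document types that tend to hold reports and other sensitive material
DOC_EXT = {".pdf", ".doc", ".xls", ".ppt", ".zip", ".csv", ".txt"}
# names ending in a run of digits before the extension: a guessable series
SERIES_RE = re.compile(r"\d{2,}\.[a-z0-9]+$", re.I)


def linked_files(webroot):
    """Collect every local file referenced by an href/src in an HTML page."""
    linked = set()
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                for target in HREF_RE.findall(fh.read()):
                    if "://" in target:
                        continue  # external link, not a file on this server
                    base = webroot if target.startswith("/") else dirpath
                    linked.add(os.path.normpath(os.path.join(base, target.lstrip("/"))))
    return linked


def is_protected(path, webroot):
    """Assumption: a directory (or an ancestor inside the web root) counts as
    access-controlled if its .htaccess contains an AuthType directive."""
    d = os.path.dirname(path)
    while d.startswith(webroot):
        ht = os.path.join(d, ".htaccess")
        if os.path.isfile(ht):
            with open(ht, encoding="utf-8") as fh:
                if re.search(r"^\s*AuthType\b", fh.read(), re.M):
                    return True
        if d == webroot:
            break
        d = os.path.dirname(d)
    return False


def audit(webroot):
    """Return sorted (relative path, looks_like_series) pairs for documents that
    are reachable by URL, unlinked from any page, and not access-controlled."""
    webroot = os.path.normpath(webroot)
    linked = linked_files(webroot)
    findings = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in DOC_EXT:
                continue
            path = os.path.normpath(os.path.join(dirpath, name))
            if path in linked or is_protected(path, webroot):
                continue
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            findings.append((rel, bool(SERIES_RE.search(name))))
    return sorted(findings)


def demo():
    """Constructed web root mirroring the incident: one quarterly report is
    linked from the index page, the next two merely sit there unlinked."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "index.html": '<a href="reports/Quartalsbericht01.pdf">Q1</a> '
                          '<a href="/brochure.pdf">Brochure</a>',
            "brochure.pdf": "x",
            "notes.txt": "x",
            "reports/Quartalsbericht01.pdf": "x",
            "reports/Quartalsbericht02.pdf": "x",
            "reports/Quartalsbericht03.pdf": "x",
            "internal/.htaccess": "AuthType Basic\nRequire valid-user\n",
            "internal/plan.doc": "x",
        }
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return audit(root)


if __name__ == "__main__":
    for rel, series in demo():
        print(rel, "(numbered series)" if series else "")
```

Files under `internal/` are left out of the findings because the directory carries an `AuthType` line; the two unlinked quarterly reports are reported and marked as a numbered series, which is exactly the situation the post describes.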

Law enforcement officials pledge to keep secret names of hacking victims

WASHINGTON (AP) -- Senior law enforcement officials assured technology executives Thursday that government will increasingly work to keep secret the names of companies that become victims to major hacking crimes, along with any sensitive corporate disclosures that could prove embarrassing.

The effort, described at a cybercrime conference in northern Virginia, is designed to encourage businesses to report such attacks and build public confidence in Internet security. Officials promised to use legal mechanisms, such as protective orders and sealed court filings, to shield corporate hacking victims from bad publicity.

"It's important for us to realize that you have certain concerns as victim companies that we have to acknowledge," FBI Director Robert Mueller said. He promised, for example, that FBI agents called to investigate hacking crimes will arrive at offices discretely without wearing official jackets with "FBI" emblazoned on them.

"The mere calling of us in an investigation can have an adverse impact on the image of your company," said Mueller, who has made cybercrime an FBI priority. In exchange for this protection, Mueller said, companies should more frequently admit to the FBI when they are victims of hacking. "You're not enabling us to do the job," he said.

Government efforts to tighten Internet security and investigate online attacks have long been hampered by reluctance from companies to admit they were victims, even in cases where executives quietly paid thousands of dollars in extortion to hackers. Companies say they fear loss of trust by customers and shareholders, costs associated with a formal investigation and increased scrutiny by regulators.

New efforts to protect the identities of hacking victims also contrast markedly with traditional hacker culture, which frequently blames companies and organizations that are targets of online attacks for failing to secure their networks adequately.

"There may very well be ways that law enforcement can get a criminal sanction imposed but not have all the names of the companies made public," said Marty Stansell-Gamm, chief of the Justice Department's computer crime section. But she cautioned: "That's not something that law enforcement can guarantee."

Instead, Stansell-Gamm said companies that have publicized hacking crimes along with their own explanations have fared well with customers and shareholders.

"Companies that worry too much about public response underestimate the public's ability to assess the situation with some sophistication," she said. "If a bank robber sticks a gun in a teller's face, the public is not confused about whose fault that is."

Paul McNulty, the U.S. attorney for the Eastern District of Virginia, said government's goal is to "prosecute cases while at the same time achieving the kinds of protection and addressing the concern that the business community rightly has." He pledged that prosecutors will "minimize publicity so there is no disincentive to come forward."

McNulty's district is home to major technology companies and one of the Internet's most important physical junctions.

He cited congressional efforts, supported by the Bush administration, to exempt from the Freedom of Information Act any details that companies might disclose to the proposed Department of Homeland Security about vulnerabilities in their operations. He said amending the law could be helpful "in case there is a concern that reports of hacks or intrusions in federal records might find their way into the hands of those who would use that information against us."

Another U.S. attorney, Roscoe Howard of the District of Columbia, said the Constitution requires that a criminal defendant be permitted to face the accuser at trial, but he noted that many computer-crime investigations culminate with a plea agreement, where the names of victim companies can be kept secret.

"Nobody wants to be yanked out in front of the public to say, 'Hey, I was the victim of a crime.' Most people don't want their 15 minutes," Howard said. "We can protect you where we can, and we will do that when it's within the law and the constitutional rights of the defendant. When we've got individuals (as witnesses) we want to keep off the stand, we just won't use them." [AP via New Jersey Online via moreover Computersecurity]
11:50

Deceptive Spammers Settle FTC Charges

Operators who used spam, deceptive earnings claims, and fictitious testimonials to sell spam e-mail lists as business opportunities have agreed to settle Federal Trade Commission charges that their operations violated federal laws. The settlements will bar the defendants from making false, misleading, or deceptive claims about their e-mail lists, software, service, marketing program, or any other business opportunity.

The FTC alleged that Richard Jon Scott, doing business as Cyber Data, and Sonya Lockery, doing business as Internet Specialists, sent spam to consumers claiming that by purchasing their bulk e-mail lists, consumers could make easy money selling products and services on the Internet. Internet Specialists also promoted the spam list on a Web site. Cyber Data's e-mail claimed that purchasers reasonably could expect to earn "over $10,000,000" by selling a $5 product via bulk e-mail. Internet Specialists made similar earnings claims, and its Web site and e-mail contained earnings claims that appeared to be endorsements from previous purchasers.

The FTC charged that both Scott and Lockery made false earnings claims and falsely characterized the quality of their bulk e-mail lists. Cyber Data claimed that its e-mail address lists contained "no duplications," and included "almost every person on the Internet today." According to the FTC, Internet Specialists falsely claimed that its 11 million e-mail address list consisted of consumers who were "highly responsive" because they had "either requested to receive e-mail advertisements or have responded to our ads." It also claimed its lists contained no duplicates.

The settlements permanently will bar the defendants from making any false, misleading, or deceptive claims about potential earnings from any bulk e-mail list, software, service, or marketing program, or any other business opportunity. The settlement with Cyber Data bars it from claiming that its e-mail lists contain no duplicates and includes almost everyone on the Internet today. The settlement with Internet Specialists also bars the "no duplicate" claim and bars misrepresentations that the lists include addresses of individuals interested in receiving bulk e-mail ads.

Based on financial documents that the defendants provided, the order requires Cyber Data to pay $20,000 in consumer redress and suspends payment by Internet Specialists. Should the court find that the financial statements are materially inaccurate, the order requires Cyber Data and Internet Specialists to pay the total amount of their profits from the schemes.

The Commission vote to accept the stipulated final judgments and orders was 5-0.

The settlement with Scott and Cyber Data was filed in U.S. District Court for the Eastern District of California, Sacramento Division. The settlement with Lockery and Internet Specialists was filed in U.S. District Court for the District of Connecticut. [moreover Computersecurity]
11:47

Judge Grants Preliminary Injunction Against Aimster

In the consolidated suit, the Recording Industry Association of America accused Aimster, which has changed its name to Madster, of copyright infringement: Aimster/Madster, says the RIAA, allows the exchange of pirated material (check out Rolling Stone's coverage here).

Madster's defense -- unlike Napster, which was open to everyone, Madster limits its service to users of AOL's Instant Messenger (which, it should be noted, is itself open to everyone).

On Wednesday, Judge Marvin Aspen of the U.S. District Court for the Northern District of Illinois granted a preliminary injunction against Madster. Reuters reports that the judge instructed Madster to implement filtering software, "so that it does not infringe copyrighted works over its network." [LawMeme]
11:42

E-mail greeting card hides porn

The e-mail looks harmless enough: A link to a greeting card that appears to be sent by a friend.

But clicking on the link can place porn images on a desktop, download a barrage of x-rated ads, or send similar e-cards to those listed in Outlook's address book.

No downloadable e-mail attachments to install. No infected disks shared. All the user has to do is go to a link.

E-mail marketers -- many of them porn sites -- are increasingly borrowing tactics used by hackers to trick potential customers into seeing their messages, anti-virus experts say. And often, they use Microsoft's ActiveX Controls, which are meant to make Web pages more interactive, to instantly download their unwanted programs. [CNN Technology]
11:39

Cryptographic Terminology 101

No matter how good your internal security, your data isn't safe if it's sent externally as plain text. To protect your sensitive information from prying eyes, you need cryptography. Dru Lavigne's latest column gives a crash course on this field's vital terminology. [O'Reilly Network Articles]
11:14

Islamic hackers ready for cyber war?

SYDNEY, Australia (Reuters) -- Pro-Islamic hackers are on the frontline of a potential new cyber war after the end of a ceasefire by "hacktivists" and virus designers that followed the September 11 attacks on the United States, Internet experts say.

Pro-Islamic hackers are escalating attacks against countries backing the U.S. war on terror and its campaign against Iraq, while the "Bugbear" worm and last week's strike on the Internet backbone signal that cyber villains are again on the prowl.

London-based computer security firm mi2g said on Tuesday that October had already qualified as the worst month for overt digital attacks since its records began in 1995, with an estimated 16,559 attacks carried out on systems and sites.

The firm, which advises banks, insurance and reinsurance firms on security, said politically motivated attacks had risen "sharply."

"We have noticed that more and more Islamic interest hacking groups are beginning to rally under a common anti-U.S., UK, Australia, anti-India and anti-Israeli agenda," it said.

According to the zone-H database, an independent site which monitors hacker activity, politically motivated Web site defacements make up around 11 percent of the total. [CNN Technology]
10:40

CH: E-mails with obscene striptease content are prohibited

Federal Supreme Court - As the news agency SDA has now reported, the Federal Supreme Court has upheld a suspended prison sentence of 15 days that a man from the Jura received for forged e-mails with striptease content. The man had received an e-mail with an erotic striptease that purportedly came from an office for women's issues and promoted the career prospects of young female school leavers. In the attachment a young painter undressed, showing her breasts and genital area. The man was convicted because he forwarded the e-mail to five acquaintances and, in doing so, gave the head of the Jura office for equality between men and women as the sender. She also received the e-mail by a roundabout route and was not at all happy about it. The actual sender was sentenced to 15 days' imprisonment, suspended, for distribution of pornography and defamation, and to symbolic damages of one franc to the plaintiff. The Federal Supreme Court considered it an aggravating factor that the picture series played automatically and opened directly in front of unwilling viewers. [newsBYTE]
10:27

Secure Programming for Linux and Unix HOWTO

10:05

EU ./. Reynolds

The European Union filed suit in federal court in New York Wednesday against R.J. Reynolds, alleging the tobacco giant smuggled cigarettes into Iraq in a scheme that violated U.S. sanctions and enriched both Saddam Hussein's regime and a Kurdish separatist group accused of terrorism. The company allegedly laundered the profits through New York banks and cheated the EU out of billions of dollars in tax revenue. [Law.com]

They also claim Reynolds is working with the Mafia to smuggle cigarettes into the EU.
8:56

Maximillian Dornseif, 2002.