Bulletin: Domain Exploitation Society Celebrates "Swinging" New Top-Level Domains
http://lauren.vortex.com/archive/000780.html

Frostbite Falls, Minn. (ZAP)—The Minnesota-based Society for Leveraged Internet Mercenary Exploitation Domains (SLIMED) expressed enthusiastic satisfaction with leading domain registrar Go Daddy's decision to feature the new ".co" [sic] Top-Level Domain (TLD) as the default on its home page ( http://www.godaddy.com ) today, reducing to "trash" status the old, obsolete, useless, silly, obscene, disgraceful, painful, purulent, and less expensive ".com" TLD that all consumers already understand.

"This decision by Go Daddy to emphasize .co [sic] signals the real beginning of the TLD gold rush—with literally thousands of new TLDs promised over the next few years by Internet Control Authorities," said Boris Puteo, SLIMED media affairs and financial director, at an interview today during a celebratory gala at the ultra-exclusive "Masa" restaurant in New York City.

"TLDs are like gold," said Puteo, "even better than gold in fact, since you can't force people to buy bullion, but you've got everyone over a barrel when it comes to protective domain registrations!"

Puteo refuted claims that the coming deluge of new TLDs will carry enormous costs and confuse consumers, while opening avenues for vast numbers of new phishing scams and spam attacks, without bringing any real positive value to ordinary Internet users.

"If people can't figure out the difference between .co [sic] and .com, they're just, well, sic [sic!] in the head. Why can't these bleeding heart, pencil-necked geeks stop rocking the boat ( http://bit.ly/dh6zOf [Lauren's Blog] ) and just get back into their cubicles and their damned programming -- oh excuuuse me, I mean "softwaaare engineeeering!" said Mr. Puteo, "Just leave the moola magic to us!"

SLIMED's Puteo also noted that an illuminating and very short new YouTube video ( http://bit.ly/yt-tld-process ) was now available for viewing -- showing the Top-Level Domain consideration procedure in action, and incontrovertibly demonstrating the complex, serious, lucid, and deliberative process involved in TLD approvals. "Top-Level Domains really swing! And while I probably shouldn't be telling you this yet, SLIMED is hoping to make a deal with Burundi so that we can sell ".bi" TLD domains to everyone who swings both ways! God, I love the Internet!" Puteo added.
"Uncrackable" G2 Android Phone Successfully and Permanently Rooted—and Why This Matters!
http://lauren.vortex.com/archive/000778.html

Greetings. Almost exactly a month ago, in "New Android Phone (Falsely) Accused of Containing a 'Malicious Root Kit'" ( http://bit.ly/alTj4v [Lauren's Blog] )—I noted the situation with the new T-Mobile G2 Android phone (aka HTC Vision), where a new protection scheme had been employed by the manufacturer to (try to) prevent "rooting" (also known as "jailbreaking"). I also expressed my hope that "permanent rooting" efforts in progress would be successful.

As I discussed, I view having complete control over my cell phones as being important for privacy and security reasons—and in terms of overall user freedoms as well. A "locked-down" device cannot be relied upon to run the systems and applications of users' choosing. And while there are certainly those persons who disagree with me on this point, I consider these freedoms to be extremely important in an age of ever increasing and widely distributed technologies.

So I'm very pleased to report that as of this morning, the G2 has been successfully and permanently rooted ( http://bit.ly/bzUQVM [xda-developers] ), opening the door to specialized applications and the running of the excellent "CyanogenMod" enhanced systems ( http://www.cyanogenmod.com ). Incredible work guys!

As it turns out, it was quickly established that the G2 was not using a firmware rewrite system, but rather was employing the protected mode of JEDEC Embedded MMC memory (eMMC). Temporary rooting of the device was possible from early on since the underlying Linux kernel was caching changes related to user root attempts, but the eMMC protection mechanism was preventing those changes from ever being successfully written to flash system memory—so all such changes were lost at the next boot of the phone.

For the last month I've been lurking on various Web sites and a key IRC channel, watching a core group of dedicated hackers (and I'm using "hackers" in the original, positive sense of the word), as they gradually teased their way into the phone's systems—truly a joy to watch. One individual in particular, with a "handle" that would be recognized by any fan of the original "Star Trek" series, deserves special commendation indeed. The level of technical expertise exhibited by this group is extraordinary. And no matter how much you think you know about these systems, it's definitely a learning experience to view these reverse-engineering efforts in progress. (By the way, did you know that many modern cell phones' radio modems can be controlled via a superset of the ancient—more than 30 years old!—Hayes modem "AT" command set? Yep. True innovation can live a long life indeed!) It seems likely that this same basic rooting technique will be useful—at least for now—when dealing with some other new HTC Android phones hitting the streets. I'm not suggesting that everyone needs to root their cell phones. There are operational risks in doing so—such as the possibility of "bricking" your phone (making it nonoperational) if you screw up. Nor does everyone need the ability to run the sorts of applications and systems that require rooting. That being said, I do consider having the *choice* of running such software to be an important one, and the concept of devices that lock out user choice is frankly offensive to me. The conflicting world views represented by various flavors of closed systems -- vs. open systems—will certainly trigger continuing struggles, not just in the mobile device world, but in technology generally as we move toward ever more complex and "cloud-aware" systems. But to distill this all down to a simple sound bite, as far as consumers of technology are concerned: "Open Wins." 
Lauren Weinstein http://www.vortex.com/lauren Tel: +1 (818) 225-2800 PFIR (People For Internet Responsibility): http://www.pfir.org NNSquad (Network Neutrality Squad): http://www.nnsquad.org
Compared with what happened with Wikileaks, the following story may not be that interesting in general, but there are still a few lessons. The Internet certainly brings new twists.

A real story:

Synopsis

A video was made during a traffic violation and catching of the perpetrator by law enforcement officers on their vehicle. An edited version of the video was duplicated many times (17 times from a news report) at the local law-enforcement office as a TRAINING MATERIAL for other law-enforcement officers (!). A copy was made and sent to local prosecutor's office for the purpose of charging the perpetrator eventually. Later, though, the perpetrator's charge was dropped due obviously to political pressure (is the foregone conclusion in the press.)

Now the story had an interesting twist. An irate officer in a different branch of the law-enforcement agency, which handles such traffic violations, released the video of the dangerous violation on YOUTUBE (!) of all the places. No one knows how he got the video yet. (But producing 17 copies for training is not such a good idea if the video was going to be used in a court proceeding although the charge was dropped later.) Now it seems that the video on youtube was from the training video.

The government was mollified, and police asked the local office of Google, who owns youtube, to find out the IP address from which the video was posted. (Well, I thought all the youtube servers are in North America basically. It turned out that local police office asked Google local branch to selectively pick up the IP address from the youtube server logs so that the relevant IP addresses are available. The local office of Google COMPLIED AFTER a court order was produced.)

Some old lessons that we can glean out.

- Poor Handling of sensitive data in an office, and law enforcement agency of all the places. Before it was known that 17 copies were made for training purposes in an unencrypted form (from what I read), both the local prosecutor's office and law enforcement agency were trying hard to clear their names, but there must have been the feeling of "there you go" when the existence of 17 copies for training purposes created at the law enforcement agency became known. The prosecutor's office had a very strict data handling procedure and their report was that the leakage from their office is very unlikely if not impossible.

- Server side data in a foreign country may be revealed to your disadvantage. The man who put the video on youtube probably didn't expect the IP address of an internet cafe-like establishment where the video was posted to be known so quickly. He probably thought Google, being in a foreign country, may not reveal such information to a request from local police easily. Cloud computing, and out-sourcing in general may not be such a great idea if we need to go across country borders. Anyway, with a friendly court order, it may be that YOUR search habit may be known to the law enforcement agency as far as I can judge from the way the local branch of Google acted at this time. (If you are a male, and happen to reach the page of a Japanese cross-dressing shop or studio (?) when you are looking for "Artemis", an EU initiative for embedded computer systems, tough luck. Pray that Google does not reveal the log :-)

Cast of Characters:

Now the REALLY INTERESTING part is that this REAL story was played by the following actors. A le Carre or Forsyth may be able to concoct a better novel from these elements.

Perpetrator: A Chinese captain who manned a fishing boat that entered a territorial water near a group of small islands claimed by Japan. (The islands are near 25 degrees 45' North, 123 degrees 31' East)

Law Enforcement Agency: Japanese Coast Guard

Traffic Violation: The Chinese captain smashed his boat into two Japanese Coast Guard Boats (twice) violently when the coast guard boat warned in Chinese and prodded the Chinese boat to go out of the claimed water. Sea Shepherd boat looked like a sheep in comparison.

Local Prosecutor's office: located in Ishigaki Jima (a relatively large island) near where the smashing and apprehension took place.

Mollified Government: the Japanese Government, of course.

Political pressure: the rumor has it that the Japanese cabinet wanted to keep the things behind the closed door by not irritating Chinese nationalists who claim the territorial right on the same region, and thus avoiding the costly banning of export of rare metal material from China to Japan, and other temporal inconveniences which have been noticed by Japanese business and industry after the arrest of the Chinese captain. Somehow the Ishigaki local prosecutor's office dropped the charge against the Chinese captain and released him along with his boat. (The rest of the crew had been freed much earlier.)

An irate officer who released the video to youtube: he is a boat officer at the office of Japan Coast Guard in Kobe about 1500 km from Ishigaki Jima island. How he obtained the video is anyone's guess. Obviously Internet is a great boon to a whistle blower like him. He confessed to his superior after the IP address was traced to an internet Manga cafe which he seems to have used. He seems to have contacted a local newspaper or TV reporter citing the people's right to know a few days before admission.

The video in full was not released officially even to the members of parliament who wanted to know what was going on. Only a select few members saw the abridged version of the video in a closed session so far. The video has been on Japanese TV news in the last several days.

An interesting story with the new twist added by the Internet.
Facebook's new chat/e-mail feature apparently records everything you say

Based on *preliminary information* I heard from the Facebook launch announcement today for their new "chat/e-mail" system (Facebook keeps insisting that it isn't really e-mail), users will *not* have the ability to declare chats or related conversations to be "off the record"—everything will apparently be recorded. Individual users will have the ability to archive or delete their *own* copies of transcripts, but it appears that there is explicitly *not* a functionality similar to Google's "off the record" chat feature, which permits users to declare that their conversations with given individuals should not be routinely preserved. "It just didn't make sense for us," were pretty much the words that Zuckerberg used in response to a question on this topic. We'll have to wait for more info, but this could be a major privacy problem in the making.
Joseph P. Kahn, *The Boston Globe*, 15 Nov 2010

The e-mail was clearly misguided in its interpretation of intellectual-property rights and the Internet. It was also dismissive, unapologetic, and, if made public, potentially far more embarrassing to sender than recipient. If? Try when. A recent testy e-mail from Cooks Source managing editor Judith Griggs to freelance writer and blogger Monica Gaudio read, in part, "you should be happy we didn't just 'lift' your whole article and put someone else's name on it!" Gaudio posted the e-mail online, and it went viral. When it did, one question about Griggs's judgment eclipsed all others: How could anyone assume a communication like that would remain private?

With minor variations, the same could be asked of others making news recently with their private-made-public communications, ones that quickly spread to social-media websites like Facebook and Twitter, to gossip sites like Gawker and Deadspin, and to mainstream media sites like Poynter Online - to the chagrin of those who composed them.

Tucker Carlson, who edits *The Daily Caller*, a political-journalism website, posed as suspended MSNBC host Keith Olbermann in e-mails to a Philadelphia columnist last week, then claimed he did not expect that his prank e-mails would be published. Campaign staffers for gubernatorial candidate Tim Cahill, the state treasurer, e-mailed state Lottery officials last summer urging them to launch a taxpayer-funded ad campaign likely to benefit him. Harvard Law School student Stephanie Grace's e-mail to friends about affirmative action and race touched off a furor on the Harvard campus this year. The NFL is investigating accusations that pro football star Brett Favre sent explicit photos and messages to several women, most notably a New York Jets sideline reporter who worked for the team when he played there.
Dozens of golfer Tiger Woods's text messages to one of his mistresses, Joslyn James, were posted on her website in March, tarnishing Woods's image and contributing to his divorce.

What part of "Forward With Attachments" do these people not seem to understand? ...

http://www.boston.com/ae/media/articles/2010/11/15/once_you_hit_send_you_can_forget_privacy/
A long article by James Verini in the Sunday *NYT* Magazine section reviews the case of Albert Gonzalez (RISKS-25.26, 25.32, 25.77, 25.98). http://nyti.ms/bDG1RQ
I manage a number of VOIP servers. And I too have noticed a surge in brute-force attacks. Almost all of which are REGISTER attempts. These generally are very simple name and extension scans with simple password lists. The beauty of the attack is that only one account needs to be compromised before unlimited calls are made, assuming internal routing rules ain't so good.

Properly set up VOIP servers now include rate limitation as part of the default scripts. It's the Asterisk derived servers that are set up by the home user or the office junior that seem to be the problem. A typical exploit is to connect by SIP and then dial out via the target's landline interface - very common with Asterisk - or dial out by the upstream VOIP wholesaler.

With all servers, the real problem is that passwords are often insecure. Usually deliberately so, so that the customer can remember them. This means that even though RFC2617 HTTP digest authentication is used, the attacker just needs to keep hammering away till something gives. Publishing your SIP phone number makes it even easier as there is a known user to test passwords against. Personally I enforce use of cryptographically strong passwords.
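The rate limiting described in this post can be paired with detection of the two patterns it names, extension scans and repeated password failures against one published number; the following is an added example, not code from the post or from any VOIP server. The event format, thresholds and addresses are constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed events, one per authenticated REGISTER outcome, in time order:
#   timestamp  source-IP  extension  result (OK | BADPASS | NOUSER)
# This is an illustrative format, not the log format of any real server.
SAMPLE_LOG = """\
2010-11-16T03:12:00 203.0.113.7 100 NOUSER
2010-11-16T03:12:02 203.0.113.7 101 NOUSER
2010-11-16T03:12:04 203.0.113.7 102 BADPASS
2010-11-16T03:12:06 203.0.113.7 103 NOUSER
2010-11-16T03:12:30 192.0.2.10 1001 BADPASS
2010-11-16T03:12:41 192.0.2.10 1001 OK
2010-11-16T03:13:00 198.51.100.23 2001 BADPASS
2010-11-16T03:13:05 198.51.100.23 2001 BADPASS
2010-11-16T03:13:10 198.51.100.23 2001 BADPASS
2010-11-16T03:13:15 198.51.100.23 2001 BADPASS
2010-11-16T03:13:20 198.51.100.23 2001 BADPASS
2010-11-16T03:20:00 192.0.2.10 1001 BADPASS
"""

# Assumed thresholds; tune them against real traffic.
WINDOW = timedelta(seconds=60)  # sliding window per source address
SCAN_USERS = 4    # distinct extensions failed from one source within WINDOW
GUESS_FAILS = 5   # failures against one extension from one source within WINDOW


def detect(log_text):
    """Return {source_ip: {reasons}} for sources that exceed a threshold."""
    recent = defaultdict(deque)   # source -> (timestamp, extension) failures
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, src, ext, result = line.split()
        if result == "OK":
            continue              # only failed attempts are counted
        now = datetime.fromisoformat(stamp)
        window = recent[src]
        window.append((now, ext))
        while now - window[0][0] > WINDOW:   # expire failures outside WINDOW
            window.popleft()
        per_ext = Counter(e for _, e in window)
        if len(per_ext) >= SCAN_USERS:
            flagged[src].add("extension-scan")
        if max(per_ext.values()) >= GUESS_FAILS:
            flagged[src].add("password-guessing")
    return dict(flagged)


if __name__ == "__main__":
    for src, reasons in detect(SAMPLE_LOG).items():
        print(src, sorted(reasons))
```

The customer at 192.0.2.10 who mistypes a password once and later once more is not flagged, because the two failures fall in different windows.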
I am surprised that I don't see more mentions of using an open source and free tool such as PasswordSafe <http://passwordsafe.sourceforge.net/>. It generates strong passwords, allows for a different password for every account. All I have to remember is the pass-phrase to unlock my safe.
The volumes of spam arriving at my inbox and spam captured by my ISP's filter (from which I can recover false positives) have both dropped dramatically in recent months. This was NOT because of a reduction in spam or the elimination of any botnets. Instead, this reduction in spam resulted from my ISP installing a "pre-filter". The pre-filter trashes any E-mail message from a non-registered domain or from a non-assigned IP address. These messages are irretrievably trashed and cannot be recovered. After all, there should be no false positives when checking for an invalid domain or IP address. Of course, this pre-filter might also trash legitimate messages from munged addresses. However, why would someone munge their address in a private communication? David E. Ross <http://www.rossde.com/>
The BBC reports on November 15 2010 in http://www.bbc.co.uk/news/technology-11757347 that spam volumes are down in the three months from August 2010. The article suggests that is because of law enforcement services shutting down botnets and big users of such nets. Peter Bernard Ladkin, Causalis Limited and University of Bielefeld www.causalis.com www.rvs.uni-bielefeld.de [PGN says: I'm still running about 3000 a day between me and RISKS that are filtered, and still hundreds more that have to be deleted by hand. I am increasingly grateful for all contributors who use the "notsp" in the subject line of your submissions. I'm increasingly dependent thereupon.]
Great writeup on the shell-injection vulnerability in the absentee voting machine. It occurs to me that this hole is actually the oldest in the book: a case of treating data as executable code. A file extension should be data, yet thanks to the convenience of string concatenation, it becomes executable instructions on the command line.
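The point above, as an added example that is not code from the writeup or from the voting system: the same client-supplied extension is first concatenated into a shell command string, then validated and passed as an argument list. `archive-tool`, the spool path, the ballot id and the sample file names are hypothetical.

```python
import re
import shlex

# Hypothetical names: "archive-tool" and the spool path are placeholders,
# not the real system's command. ballot_id is assumed to be server-generated.
SPOOL = "/var/spool/ballots"
SAFE_EXT = re.compile(r"[A-Za-z0-9]{1,8}")
SHELL_OPS = set("();<>|&")

BENIGN = "ballot.pdf"                   # constructed sample upload name
HOSTILE = "ballot.pdf;echo INJECTED"    # constructed, harmless marker command


def extension_of(upload_name):
    """Everything after the last dot, exactly as the client sent it."""
    return upload_name.rsplit(".", 1)[-1] if "." in upload_name else ""


def shell_string(upload_name, ballot_id):
    """'Before': the extension is concatenated into text a shell will parse."""
    return f"archive-tool --out {SPOOL}/{ballot_id}.{extension_of(upload_name)}"


def shell_view(command):
    """Tokenize roughly as a POSIX shell would, keeping operators separate."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def shell_operators(command):
    """Control operators the shell would act on. For illustration only:
    the fix is to avoid the shell, not to filter for these characters."""
    return [tok for tok in shell_view(command) if tok and set(tok) <= SHELL_OPS]


def argv_list(upload_name, ballot_id):
    """'After': allowlist the extension, then build an argument list that can
    be handed to subprocess.run() without shell=True, so no shell parses it."""
    ext = extension_of(upload_name)
    if not SAFE_EXT.fullmatch(ext):
        raise ValueError(f"rejected extension: {ext!r}")
    return ["archive-tool", "--out", f"{SPOOL}/{ballot_id}.{ext}"]


if __name__ == "__main__":
    for name in (BENIGN, HOSTILE):
        cmd = shell_string(name, "b17")
        print(repr(cmd), "->", shell_view(cmd), shell_operators(cmd))
        try:
            print("argv:", argv_list(name, "b17"))
        except ValueError as err:
            print("argv:", err)
```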
Not only are "the apps are storing a user's information in the memory of a cellphone" but I have been absolutely dumbfounded with the "security" inherent with these "smartphones". For example, browser cookies and caches are not easily cleared, call and text histories are saved from day one, and login, email and other master passwords are easily "typed-in once then forgotten". It seems that the users have forgotten, and are encouraged to forget by the interface, basic security awareness. Something has failed us greatly when concern about being able to easily monitor and optionally clear any personally entered or downloaded data in these tools is rarely voiced! Also, have you ever seen someone who has lost their phone? Not only are they devastated and powerless, but they suddenly become catatonic when you ask, "Of course, all your data is backed up, isn't it"?
>>>>> <firstname.lastname@example.org> writes:

> A woman died and her husband was hospitalized after someone in the house
> accidentally pressed the "remote-start" button for her car in their garage
> in Raleigh NC.
> http://www.wral.com/news/news_briefs/story/8586538/

This story was updated later: http://www.wral.com/news/local/story/8589199/

Police initially reported that someone unintentionally pressed the remote-start button for the car. They later determined that the car was accidentally left running. Wake County Medical Director Dr. Brent Myers said cases like this are all too common in winter. Several people die each year, usually from using heaters or letting their vehicles warm up in enclosed spaces.

Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 <email@example.com> <URL:http://www.stonehenge.com/merlyn/>

[Typo corrected in archive. PGN]
Another risk: In the comments to the linked article, methinks posted: "These journalists have got to change their ways. This woman's identity was not released for a reason. By saying that the house is located half a block from a particular intersection and showing a picture of it, then anyone who knows them is going to find out from the news instead of a loved one. The same thing happened with the clerk in Fayetteville. They printed all sorts of information so that it was real easy to figure out who it was. No respect at all for the victims and their loved ones. Limit the info printed until the police release names."
Android has exhibited a similar bug for at least two DST change cycles; I was bitten by it when we "sprang forward" in the US last March. I was not alone in filing a bug, but no one at Google appears interested in fixing it. http://code.google.com/p/android/issues/detail?id=7155
No wonder the item seemed familiar - the actual accident happened on 10 Jul 2009, and the item on nbcnewyork.com was last updated on July 12, 2009 (with news of a lawsuit, one may presume). I guess no news is good news ;-) Alexandre Peshansky, Snr. Bioinformatics Analyst, ICTR/RIC Albert Einstein College of Medicine of Yeshiva University (718) 430-2440 [Drat! You're absolutely correct. See "Teenager Falls Into Manhole While Texting" (Michael Barkoviak via Monty Solomon), RISKS-25.73, 16 July 2009.]
Dots don't kill people. People, and knives, and stupid cultural beliefs and attitudes, kill people.