[fc-discuss] Financial Cryptography Update: The node is the threat: Mozilla, the CIA, Skype, Symantec, Sony, .... and finally a WIRE THREAT: Bush

iang@iang.org iang@iang.org
Sat, 21 Jan 2006 19:25:46 +0000 (GMT)


 Financial Cryptography Update: The node is the threat:   Mozilla, the CIA, Skype, Symantec, Sony, .... and finally a WIRE THREAT: Bush 

                            January 21, 2006


------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000638.html



------------------------------------------------------------------------

Firefox reaches around 20% in one "weekend" survey in Europe. 
Bull-rating!  If this keeps going on, I'll run out of predictions by
the end of January.

http://arstechnica.com/news.ars/post/20060117-5995.html

In other news, a Firefox developer caused a furore on slashdot by
adding a URL tracking feature.  Firefox needs to meet the interests of
parties other than yourself in your browsing habits.  In this case, it
is probably Google;  the fact that the developer put the feature in
_without any way to turn it off_ is telling.

http://weblogs.mozillazine.org/darin/archives/009594.html
http://yro.slashdot.org/yro/06/01/18/1427212.shtml
http://whatwg.org/specs/web-apps/current-work/#ping

Readers will recall a recent thread on governance in non-profits which
goes some way to explaining this confusion.  Mozilla now has two
interested groups - those that supply money and those that don't.  How
Mozilla brings itself to reconcile the conflicts between these two
groups is worth watching - but also difficult to divine, as Mozilla
have a fairly consistent policy of debating in secret and announcing
later (the root list policy was a notable exception!).

The threats situation is daily growing more complex.  Let's review more
evidence (as if it is needed) on threat models.  Over in Milan,
prosecutors have revealed details of the CIA kidnapping case.  The
alleged kidnappers left behind disk drives with emails that warned the
agents to get out of Italy, as well as indicating who was the leader of
the kidnapping crew.

http://www.mercurynews.com/mld/mercurynews/news/politics/13665883.htm
============8<===============
On June 23, the day the warrants were issued, police searched the villa
in the Italian wine region of Asti where Lady had retired with his wife
at the end of 2003. From the hard drive of one of his computers police
recovered the e-mail message, which someone had attempted to delete,
plus other documents they say establish Lady as the organizer of the
kidnapping.
========>8===================

The prosecutors have distributed 22 search warrants throughout Europe
and intend to seek extradition from the US next.  One of the alleged
kidnappers was reached by reporters in Washington DC, but her name was
not published at the request of the CIA, who say she is still active
and undercover.  (Which would then put the reporters in the curious
position of obstructing justice if they ever travel to Europe!)

Back to threat models.  That email on that drive!  Darn it, the threat
is on the node, says I.  For a long time now I have been asserting that
_the node is the threat_ and I've conducted a search for evidence that
there is any threat to the wire.  Long, boring, and ultimately futile
was the quest!  But now, I can at last reveal the quest may be over:

The Bush administration is engaged in the novel legal experiment of
ordering illegal wiretaps so as to show why it needs the facility to
harvest Americans' conversations without court supervision.  We now
have an Executive Order, no less, mandating the NSA to threaten the
wires of civilian America.  Now, in times past one could have said that
the NSA would have been strictly interested in bad guys outside the
country, giving some protection to the populace who weren't plotting
the overthrow of the USA.  But those days are gone; even inside
supporters of the administration are admitting that these extraordinary
powers are desperately needed to get back at the internal enemies that
made life so difficult for them in the past years.  And I'm not just
referring to the democrats or democracy.  So this means we have bona
fide evidence of a major eavesdropping threat to the wire - albeit one
to Americans only.

Still, even with this stunning Executive Order, no less, the threat to
the node remains more severe, I claim.  News just in from Skype China:

http://www.businessweek.com/technology/content/jan2006/tc20060112_434051.htm
============8<===============
Skype had a dilemma. The Internet telephony and messaging service
wanted to enter China with TOM Online (TOMO), a Beijing company
controlled by Hong Kong billionaire Li Ka-shing. Li's people told their
Skype Technologies (EBAY) partners that, to avoid problems with the
Chinese leadership, they needed filters to screen out words in text
messages deemed offensive by Beijing. No filtering, no service.

At first Skype executives resisted, says a source familiar with the
venture. But after it became clear that Skype had no choice, the
company relented: TOM and Skype now filter phrases such as "Falun Gong"
and "Dalai Lama." Neither company would comment on the record.
========>8===================

First blood!  This might be the first news that Skype is not protecting
its users, which might explain why that other panda-shaped company,
eBay, was ready to buy it.  OTOH, the news comes from BusinessWeek, who
aren't exactly above a hatchet job for political favours.

Either way, Skype was good while it lasted.  In the department of
corporate attackers it seems that Symantec has also been caught out
installing root kits on Windows machines.  They issued a patch, but not
before saying that they were unaware of any hackers taking advantage...
Oh, and poor old Sony, another corporate attacker caught with its
hands in the root kit cookie jar, has waved the white flag:

http://www.consumeraffairs.com/news04/2006/01/symantec_rootkit.html
============8<===============
Federal judge Naomi Rice Buchwald gave tentative approval on Jan. 12th
to a settlement
<http://www.consumeraffairs.com/news04/2006/01/sony_bmg_settle.html> in
one of the many lawsuits filed against Sony over the rootkits. The
settlement terms included offering cash payments or free music
downloads to buyers of the affected CD's, and prevents Sony from
selling any CD's with copy-protected software until 2008 at the
earliest.

Lawsuits filed by Texas Attorney General Greg Abbott and the Electronic
Frontier Foundation against Sony are still going ahead.
========>8===================

Thank heavens someone is taking on the attackers.  Security observers
(I no longer use the term 'security expert', a new year's resolution)
scurried for cover in case they were asked to suggest whether a crime
had been committed.  Windows users may as well get used to it - with
friends like that, they're not in dire need of new enemies.
