Monday, September 11, 2006

What are they trying to conceal? If I tell you, China has the right to kidnap you and “detain” you in Cuba...

http://www.bespacific.com/mt/archives/012412.html

September 08, 2006

State Department to Discontinue Publication of Certain Categories of International Agreements

Summary of Final Rule: "The Department of State is updating the regulations implementing 1 U.S.C. 112a and 112b in order to reflect amendments to the statutes governing publication of U.S. international agreements and their transmittal to the Congress. It will not be publishing certain categories of international agreements in the compilation entitled "United States Treaties and Other International Agreements" or in the "Treaties and Other International Acts Series." Further, the regulations are being amended to reflect adjustments to certain internal procedures within the State Department on the reporting of international agreements to Congress. Finally, the Department is adding a new requirement concerning procedures for consultation with the Secretary of State in the negotiation and conclusion of international agreements. Where an international agreement could reasonably require for its implementation the issuance of a significant domestic regulatory action, agencies proposing the agreement are to consult in a timely manner with the Office of Management and Budget (OMB), and the Department of State should confirm that timely consultations were undertaken." [Federal Register: September 8, 2006 (Volume 71, Number 174)][Rules and Regulations][Page 53007-53009]



I disagree with this analysis. They seem to think that automating a process that you can do manually changes the security dynamic. Similar to security through obscurity, this suggests that if it was the least bit difficult, you could assume it wasn't being done.

http://michaelzimmer.org/2006/09/08/more-on-facebook-and-the-contextual-integrity-of-personal-information-flows/

More on Facebook and the Contextual Integrity of Personal Information Flows

Posted on Friday, September 8th, 2006 at 8:13 am

There has been an interesting discussion on the Association of Internet Researchers mailing list (and across the blogosphere) regarding the addition of feeds at Facebook and the nature of the reaction by its users. Many have criticized the reaction by Facebook users for being naive, arguing that if they knowingly placed personal information on their public profile, they have no “expectation of privacy,” and shouldn’t (can’t) complain that their privacy has been violated simply if Facebook provides a new way for others to find that information. [I think the issue is: Do these kids understand the implications? Bob]

I disagree, and that’s where thinking about privacy as “contextual integrity” becomes helpful, allowing us to remove the slippery issue of expectations of privacy from the debate altogether.

Instead, one can simply look at the existing norms of information flow within the particular context. What has governed the flow of personal information - conceived as both the type of information that is appropriate to distribute, and to whom it is being distributed? Such norms dictate one’s expectations within that context, which frame their relationships and expected interactions with other people, with the state, and so on. “Privacy,” as a term/construct, doesn’t need to enter into the calculus. It is about norms of flow, and the contextual values & relationships that depend on the maintenance of these norms.

If the introduction of a new technology or practice into that context disrupts those norms, then a red flag must go up recognizing that this isn’t just the status quo, that something has changed that might impact the values within this particular context. Consider the Facebook example: previously, users posted personal information to their profile page and invited “friends” to have access to that page. Occasionally users would change their personal information, and a friend would have to happen upon their page at the right day and time to notice the change (they’d also have to have a good memory of the previous “state” of the page to notice if anything changed). Some level of serendipity and recall was required to notice changes to a friend’s personal information. That was the norm of information flow that governed relationships within Facebook.

The introduction of a news feed highlighting changes to friends’ profiles violates these established norms. The content has remained the same, but the distribution has changed: serendipity and personal memory are no longer a necessary ingredient, as the feed is automatically sent to every friend and provides precise details of each and every change to the user’s profile. The norms of information flow have changed.

(Fred Stutzman has a similar analysis, noting how Facebook’s actions “broke the cultural norms of the environment.”)

If the folks at Facebook had considered such an approach, they would have recognized the disruption to contextual integrity, perhaps anticipating the widespread revolt among users. Perhaps they would have engaged in the normative debate over whether the disruption is acceptable/ethical/etc. Perhaps they would have just introduced it as a new feature that users could opt-in for (rather than making it the default, as I understand it). Perhaps they would have allowed users to select which personal information they want to have in feeds, and which friends could only discover by visiting their page.

It appears Facebook has listened to the backlash, and will be instituting similar kinds of controls and privacy provisions. Now if we could only get designers to recognize that protection of contextual norms and values needs to be a necessary part of the conceptualization and design of technology, not just something retrofitted after deployment…



http://www.infoworld.com/article/06/09/11/HNphishingrecord_1.html?source=rss&url=http://www.infoworld.com/article/06/09/11/HNphishingrecord_1.html

Phishing sites hijack record number of brands

Online criminals are diversifying to target smaller financial institutions, ISPs, and government agencies

By Jeremy Kirk, IDG News Service September 11, 2006

Cybercriminals created a record number of phishing Web sites in July and also hijacked a record number of brands to help them do their work, a consortium that monitors online fraud said Monday.

The number of phishing sites -- or fraudulent Web sites that try to fool people into handing over sensitive personal information -- rose to 14,191 in July, an 18 percent increase over May, the previous all-time high, said the Anti-Phishing Working Group (APWG).

The fraudulent sites mimicked a record 154 brands, up 20 percent over June and 12 percent over the previous high, also recorded in May, APWG said.

The latest figures show that online criminals are diversifying [the influence of all those MBAs they hire. The “long tail” don't you know... Bob] to target smaller financial institutions, Internet service providers and even government agencies, the group said. However, the financial services industry is still targeted the most, with more than nine out of 10 phishing sites aimed at that sector.

The technical sophistication of phishing attacks is also increasing. APWG said that 1,850 phishing sites attempted to download a Trojan horse, a program that conceals itself in another, harmless-looking file but can be used to harvest personal information or download other malicious programs to an infected computer.

APWG also said that one security vendor, Websense, detected special toolkits for sale on Russian Web sites to construct this kind of attack when a user visits a Web page. They can be fairly cheap, too: prices range from $20 to $300, APWG said.

Also on the rise are "traffic redirector" Trojans, which force users to certain Web sites without their consent, APWG said.

Overall, the United States hosts nearly 30 percent of all phishing sites, followed by South Korea at 13 percent and China at 12 percent, APWG figures showed.



Would anyone do it if there was no money in it?

http://www.eweek.com/article2/0,1759,2013924,00.asp?kc=EWRSS03119TX1K0000594

Money Bots: Hackers Cash In on Hijacked PCs

September 8, 2006 By Ryan Naraine

Botnet hunters tracking the latest MS06-040 worm attack estimate that one malicious hacker earned about $430 in a single day by installing spyware programs on thousands of commandeered Windows machines.

Security researchers at the German Honeynet Project discovered a direct link between the botnet-building attack and DollarRevenue, a company that pays between a penny and 30 cents per installation of its heavily criticized ad-serving software.

Within 24 hours, the IRC-controlled botnet hijacked more than 7,700 machines via the Windows Server Service vulnerability and hosed the infected computers with the noxious DollarRevenue files.

... The command-and-control infrastructure is most often an IRC server installed illegally on a high-bandwidth educational or corporate network. A botnet (short for "robot network") is a collection of broadband-enabled computers infected with worms and Trojans that leave back doors open for communication with the malicious attacker.

... "On one side, you have these big advertisers pumping money into the adware business," he said. "On the other side, you have these shady companies with shady affiliate deals, cashing in. I've seen reliable estimates that the business of serving ads via adware is worth $1.6 billion a year. That's a phenomenal industry."



As Google has recently demonstrated, it is difficult to protect the anonymity of those involved in child porn. But they continue to use the same services as people we do want to protect.

http://techdirt.com/articles/20060911/003846.shtml

Germany Trying To Shut Down Anonymous Servers?

from the if-you've-got-nothing-to-hide... dept

Anytime you see someone defending surveillance systems, you know that sooner or later, they'll utter the ridiculous phrase: "If you're not doing anything wrong, you've got nothing to worry about." That's the point at which you should absolutely start worrying. The corollary to this statement is often to naturally assume that anyone who is trying to hide something, must have done something wrong. For example, just last year, we wrote about a case in Minnesota, where the fact that someone had the popular PGP encryption on his computer was used as evidence against him (no attempt was made to show what he had encrypted, just that he had the encryption software, suggesting he must have wanted to hide something). There's some worry that a similar situation may now be happening in Germany, where Boing Boing reports German authorities are seizing various Tor servers in connection with an investigation into child porn distribution. Tor, of course, is a well-known anonymous surfing tool that's targeted at "whistle-blowers, political dissidents, researchers, and others concerned about exchanging information without authoritarian backlash." Of course whenever you have an anonymous system it will be misused. That's the price you pay for anonymity -- and many believe that the ability to be anonymous is often worth the cost that some will misuse it. At this point, it's too early to tell what the German officials are going to do, but apparently there's some fear that those who run Tor servers are going to be charged in a "guilt by association" type of situation. Hopefully, that's not the case at all, but it is a reminder that as valuable as anonymity is, it's still viewed with suspicion.


http://digg.com/security/TOR_Servers_Seized

TOR Servers Seized!

Submitted by iamcitizen 9 hours 10 minutes ago (via http://itnomad.wordpress.com/2006/09/10/germany-crackdown-on-tor-node-operators/ )

German police are currently raiding server rooms all over Germany, and seizing TOR servers.



How could this be made more rational than “They are making a lot of noise” (perhaps they won't vote for me)?

http://techdirt.com/articles/20060910/192931.shtml

A Look At Indecency Complaints To The FCC

from the roller-coaster-ride dept

The FCC refuses to detail its rules for what's "indecent" on TV, even as they've been handing out a lot more fines over the last few years. They claim to do so would be akin to censorship. Instead, they simply respond when people complain, and then determine (afterwards) whether the broadcast was technically indecent. Of course, as has been pointed out in the past, that's a problem when many of the claims of indecency are generated by web-based forms on the sites of certain "family-friendly groups" who urge their followers to complain, even if they haven't seen the video. In some cases, the vast majority of the complaints are from these form letters. Ironically, if the people sending in these complaints have seen the offending video at all, it's often because some of the "family groups" post them to their own websites to stir up the outrage. So, it shouldn't come as much of a surprise to see Matthew Lasar look through the stats on FCC indecency complaints and note that it's quite a roller coaster ride, with periods of time when the FCC gets almost no complaints, to times when suddenly over 100,000 come in. Of course, you could point out that the data alone does not prove that someone's "stuffing" the complaint box, since there probably isn't an equal distribution of content on television that people consider indecent. However, when combined with the other reports that have shown that nearly all, if not all of the complaints are based on the same form letter, it really does make you wonder what the FCC thinks it's doing. Considering that some studies have shown the vast majority of Americans think the FCC has no place censoring TV, it seems like maybe the FCC should focus on more pressing issues. Otherwise, we just get a chilling effect as affiliates refuse to run certain programs just in case groups gang up on them and the FCC declares the video indecent.



Just in case you missed this educational video...

http://digg.com/videos_comedy/MySpace_Seminar

MySpace Seminar

Submitted by vogelzang 22 hours 15 minutes ago (via http://www.youtube.com/watch?v=1zzLk9fS360 )

Hilarious SNL skit about a seminar for adults who wish to join myspace.
