p2pnet view – P2P | Freedom | Security | Advertising

HTTPS Everywhere was first released as a beta test version in June of 2010. Today’s 1.0 version includes support for hundreds of additional websites, using carefully crafted rules to switch from HTTP to HTTPS. HTTPS protects against numerous Internet security and privacy problems, including the search hijacking on U.S. networks that was revealed by an article published today in New Scientist magazine.

The article, entitled “US internet providers hijacking users’ search queries,” documents how a company called Paxfire has been intercepting and altering search traffic on a number of ISPs’ networks. HTTPS can prevent such attacks.

“HTTPS secures web browsing by encrypting both requests from your browser to websites and the resulting pages that are displayed,” says EFF senior staff technologist Peter Eckersley. “Without HTTPS, your online reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking. Today’s Paxfire revelations are a grand example of how things can go wrong. EFF created HTTPS Everywhere to make it easier for people to keep their user names, passwords, and browsing histories secure and private. With the revelation that companies like Paxfire are out there, intercepting millions of people’s searches without their permission, this kind of protection is indispensable.”

HTTPS Everywhere 1.0 encrypts connections to Google Image Search, Flickr, Netflix, Apple, and news sites like NPR and the Economist, as well as dozens of banks. HTTPS Everywhere also includes support for Google Search, Facebook, Twitter, Hotmail, Wikipedia, the New York Times, and hundreds of other popular websites.

However, many websites have not implemented HTTPS at all. On sites that are HTTP-only, users still have to live with lower levels of privacy and security.

“More websites should implement HTTPS to help protect their users from identity theft, viruses, and other security threats,” said Senior Staff Technologist Seth Schoen. “Our Firefox extension is able to protect people using Google, DuckDuckGo or StartingPage for their searches. But we currently can’t protect Bing and Yahoo users, because those search engines do not support HTTPS.”

HTTPS Everywhere has been downloaded millions of times since last year’s initial beta release.

To download HTTPS Everywhere for Firefox:
https://www.eff.org/https-everywhere

p2pnetview – P2P | Freedom | Security:- The Internet has given rise to thousands of online chat forums, where participants can sound off on the issues of the day often shielded by the cloak of anonymity. Anonymous speech can be empowering – whistleblowers depend upon it to safeguard their identity and political participants in some countries face severe repercussions if they speak out publicly – but it also carries the danger of posts that cross the line into defamation without appropriate accountability.
Striking the balance between protecting anonymous free speech on the one hand and applying defamation laws on the other sits at the heart of a new Ontario Superior Court decision released last week. The case involved postings about Phyllis Morris, the former mayor of Aurora.

In 2010, the website auroracitizen.ca featured an online chat forum where participants discussed a local election campaign. Morris, who was defeated in the election, launched a legal action during the campaign against the site, the chat forum moderators, its lawyers, and website host to order them to disclose the identity of three anonymous posters.  Morris did not identify the specific defamatory words, but claimed that six posts were defamatory.

The court was therefore not asked to determine whether the posts at issue were in fact defamatory. Rather, it simply faced the question of whether it should order the disclosure of personal information about the posters themselves so that Morris could proceed with a defamation lawsuit.

The court rightly identified the core question as balancing “the competing interests of privacy, the public interest in promoting the administration of justice by providing the Plaintiff with the information sought to pursue her claim and the underlying values of freedom of expression and political speech.” Moreover, the court emphasized that the posts involved political speech, which is particularly deserving of protection.

In sorting out the balance, the court relied on a legal test established in 2010 Ontario defamation case that similarly involved anonymous online postings. That case identified four factors to consider: (1) Whether there was a reasonable expectation of anonymity; (2) Whether the plaintiff established a prima facie case of wrongdoing by the poster; (3) Whether the plaintiff tried to identify the poster and was unable to do so; and (4) Whether the public interest favouring disclosure outweigh the legitimate interests of freedom of expression and right to privacy of the persons sought to be identified if the disclosure is ordered.

In this particular instance, the court sided with the posters and refused to order the disclosure of their identities. Since the plaintiff (who has since indicated she plans to appeal) did not identify the specific defamatory words, she failed to establish a prima facie case of defamation. Moreover, the court also ruled that the posters had a reasonable expectation of anonymity and that there were insufficient efforts to try to identify them.

The case solidifies the emerging test for identifying anonymous posters on the Internet, establishing a balance that sends a message that anonymous speech is worthy of protection, but that the law will not support hiding your identity with the intent to defame.

Given the court’s careful analysis of the speech and privacy issues, the case also provides a reminder of the value of court oversight before ordering the disclosure of personal information. This may be in jeopardy since the government is currently contemplating lawful access legislation that require such disclosures without court oversight, tilting the balance away from privacy and creating a potential chill for those speaking out online.

Michael Geist – Michael Geist’s Blog
[Geist is the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa. He can be reached by email at mgeist @ uottawa dot ca]

p2pnet view –

Operation Payback – the PROTECT IP Bill

Greetings fellow surfers. Time to load your laser cannons …

As you know all too well, vested-interest ‘ trade’ groups have been successfully lobbying to consolidate internet censorship within the United States. They are demanding the ability to take down sites they deem “inappropriate” and, ultimately, to remove content that disagrees with their profit margins, personal whims, or other agendas.

This new ‘initiative’ is called the PROTECT IP Act:

This bill would allow the Obama government to force ISPs and search engines to censor websites under the guise of “copyright protection”. Instead of reducing piracy, this bill endangers the free flow of information.  Through domain seizures, ISP blockades, search engine censorship, and the restriction of funding to websites accused of infringement, this bill promises to take Internet censorship to the next level. Furthermore, it violates the citizens’ rights to due process, to free speech, to free expression and to legal representation at their hearing.

The Internet is a place where anyone and everyone can come together freely to share information and opinions. The freedom the Internet provides has served as a global aid for tens of millions of people in places like Egypt, Tunisia and Iran, to name a few. All of this has been accomplished largely without interference from corporations, governments, or any other global institutions until now.

We must unite and stand up to those who wish to censor the Internet. We must not allow them the freedom to moderate information and decide what we are “permitted” to view. We must protect what is rightfully ours.

We must protect the rights of the Internet.

You Are Anonymous
You are legion
You can not forgive this.
You can not forget this.
Expect eRevolution.

To the media

Institutions of the Media,

This message is a response to recent actions of the U.S. Government, the RIAA, the MPAA and others. For some time now, powerful interests have been vigorously lobbying the US Government in a campaign to censor the Internet. The PROTECT IP Act is the result of their campaign. Through domain seizures, ISP blockades, search engine censorship, and funding cuts to allegedly copyright infringing websites, the PROTECT IP Act will take Internet censorship to the next level. In its present form, this act threatens the very foundation on which the Internet was built: freedom of thought.

Anonymous are strong supporters of Internet freedom, and believe that the Internet should remain a place where any person, from any country, regardless of religion, race or political persuasion can communicate freely with the world. The Facebook and Twitter “revolution” and its role in the recent changes in the Middle East illustrates these principles.  The PROTECT IP Act would allow government agencies and corporate interests to control what we, the users of the Internet, are permitted to read, by censoring search results on sites such as Google or Yahoo. Do we really want to live in a country
where the government determines what we should and should not see?

We are asking for your help and support in keeping the Internet a place where information flows freely and without restriction. We believe that this is of vital importance to the media, since Internet users are quickly becoming its primary viewing audience.

The general public needs to be made aware of the consequences of the PROTECT IP Act. The people must not be left in the dark, and Anonymous is determined to not let this happen. We ask that you pledge to do the same.

~ Anonymous.

Also see:
http://torrentfreak.com/u-s-to-introduce-draconian-anti-piracy-censorship-bill-110511/
http://www.bbc.co.uk/news/technology-13387795
http://news.cnet.com/8301-31921_3-20062398-281.html
http://news.cnet.com/8301-13578_3-20062419-38.html

BBC, “Americans face piracy website blocking,” BBC News  (13 May 2011): accessed 15 May 2011, http://www.bbc.co.uk/news/technology-13387795>.

Downes, Larry, “Leahy’s Protect IP bill even worse than COICA,” cnet News  (12 May 2011): accessed 15 May 2011, <http://news.cnet.com/8301-13578_3-20062419-38.html>.

Ernesto, “U.S. To Introduce Draconian Anti-Piracy Censorship Bill,” Torrent Freak (11 May 2011): accessed 15 May 2011, <http://torrentfreak.com/u-s-to-introduce-draconian-anti-piracy-censorship-bill-110511/>.

McCullagh, Declan, “Senate bill amounts to death penalty for Web sites,” cnet News (12 May 2011): accessed 15 May 2011, <http://news.cnet.com/8301-31921_3-20062398-281.html>.

To perpetrators of Censorship, the makers of this bill, and to the RIAA/MPAA

Your repeated attempts to seize control of the Internet have captured our full and undivided attention.

You seek to control the free flow of Information for your own ulterior motives. You try to impose draconian laws under the guise of “copyright” while ignoring the basic tenets of the First, Fourth, and Fifth Amendments to the US Constitution. Anonymous will not let this happen.  We will not submit to your intimidation and bullying and stand prepared to take all necessary measures to halt your agenda of internet censorship.

You have declared war on the Internet, a war that you cannot win, against an entity you do not understand. We are a sovereign nation, the first, last, and only free nexus of Information. We are a Cyber Nation that you do not and can not control. We are united, and we will stop at nothing to preserve our Freedom.

You have been warned. Cease your attempts at censorship, or face the wrath of the Hivemind.

We Are Anonymous
We are Legion
We do not forgive
We do not forget
Expect us

Also see:

http://torrentfreak.com/u-s-to-introduce-draconian-anti-piracy-censorship-bill-110511/

http://act.demandprogress.org/act/protectip_docs/?source=fb

http://bit.ly/m2jaze

http://www.bbc.co.uk/news/technology-13387795

http://news.cnet.com/8301-31921_3-20062398-281.html

http://news.cnet.com/8301-13578_3-20062419-38.html

http://leahy.senate.gov/imo/media/doc/BillText-PROTECTIPAct.pdf

The ‘revelationse’ were also carried by various lamescream media outlets, which probably should have been more circumspect, given the source.

Among them was VanityFair under the heading ‘Exclusive: Operation Shady rat—Unprecedented Cyber-espionage Campaign and Intellectual-Property Bonanza kicking off with: “Here, Vanity Fair’s Michael Joseph Gross breaks the news of Operation Shady rat’s existence—and speaks to the McAfee cyber-security expert who discovered it … “McAfee cyber-security expert.

Gross goes on: “When the history of 2011 is written, it may well be remembered as the Year of the Hack.

“Long before the saga of News of the World phone hacking began, stories of computer breaches were breaking almost every week. In recent months, Sony, Fox, the British National Health Service, and the Web sites of PBS, the U.S. Senate, and the C.I.A., among others, have all fallen victim to highly publicized cyber-attacks. Many of the breaches have been attributed to the groups Anonymous and LulzSec. Dmitri Alperovitch, vice president of threat research at the cyber-security firm McAfee, says that for him, “it’s been really hard to watch the news of this Anonymous and LulzSec stuff, because most of what they do, defacing Web sites and running denial-of-service attacks, is not serious. It’s really just nuisance.”

“’Just nuisance,” that is, compared with a five-year campaign of hacks that Alperovitch discovered and named Operation Shady rat—a campaign that continues even now, and is being reported for the first time today, by vanityfair.com, and in a lengthier report on the larger problem of industrial cyber-espionage in the September issue of Vanity Fair. Operation Shady rat ranks with Operation Aurora (the attack on Google and many other companies in 2010) as among the most significant and potentially damaging acts of cyber-espionage yet made public. Operation Shady rat has been stealing valuable intellectual property (including government secrets, e-mail archives, legal contracts, negotiation plans for business activities, and design schematics) from more than 70 public- and private-sector organizations in 14 countries. The list of victims, which ranges from national governments to global corporations to tiny nonprofits, demonstrates with unprecedented clarity the universal scope of cyber-espionage and the vulnerability of organizations in almost every category imaginable. In Washington, where policymakers are struggling to chart a strategy for combating cyber-espionage, Operation Shady rat is already drawing attention at high levels. Last week, Alperovitch provided confidential briefings on Shady rat to senior White House officials, executive-branch agencies, and congressional-committee staff. Senator Dianne Feinstein (D-CA), chairman of the Senate Select Committee on Intelligence, reviewed the McAfee report on Shady rat and wrote in an e-mail to Vanity Fair: “This is further evidence that we need a strong cyber-defense system in this country, and that we need to start applying pressure to other countries to make sure they do more to stop cyber hacking emanating from their borders.” McAfee says that victims include government agencies in the United States, Taiwan, South Korea, Vietnam, and Canada, the Olympic committees in three countries, and the International Olympic Committee. Rounding out the list of countries where Shady rat hacked into computer networks: Japan, Switzerland, the United Kingdom, Indonesia, Denmark, Singapore, Hong Kong, Germany, and India. The vast majority of victims—49—were U.S.-based companies, government agencies, and nonprofits. The category most U.S.-based companies, government agencies, and nonprofits. The category most heavily targeted was defense contractors—13 in all.

Really?

P2pnet has for years known McAfee’s cyber-security expertise is dodgy, to be kind, often relying on celebrities such as such as Jessica Biel or Brad Pitt for punch.

Now, “Two security companies are questioning claims that a cyber espionage campaign uncovered by a rival firm was sophisticated or even extraordinary, says, Computerworld, Going on, “In its report, McAfee said it was “surprised by the enormous diversity of the victim organizations” and ‘taken aback by the audacity of the perpetrators.’

But,’Shady RAT’ hacking claims overblown, say security firms

“Not sophisticated, certainly not out of the ordinary, argue McAfee rivals,” says the story. Oh dear! The story adds,

“What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth,” said McAfee, referring to the now-nearly-constant attacks on Western companies and organizations by campaigns like Shady RAT.

“Moscow-based Kaspersky Lab on Thursday begged to differ, saying that McAfee has simply not provided enough information to justify the claims being bandied about.”The report contains nothing on what particular data has been stolen or how many computers in each organization were hit by the attacks,” said Alex Gostev, Kaspersky’s chief security expert. “Until the information in the McAfee report is backed up by evidence, to talk about the biggest cyber attack in history is premature.”

Jon Newton – p2pnet

p2pnet view

It’s as if some people come in looking desperately for something to “flame”.  No matter how clearly you think you’ve explained something, you always get a few acting as if you’re trying to hide something, or you’re just straight-out lying.

CASE IN POINT: “p2pnet runs NO trackers!”

This is not an opinion, an assumption, or some “foregone conclusion”.  I don’t need to “investigate” anything, or even be the site admin, to make this statement, because it is a FACT!

But, what keeps this fact from being accepted as just that?  The same thing that has all our backs up in the first place – all that F$%N’ CORPORATE INTERFERENCE we’re always talking about!

Before I ultimately get into the tracking thing again, let’s take a trip down Memory Lane, shall we?…

A HISTORY OF SELFISH, UNASHAMED INTRUSION

Ever since the inception of e-mail, the Great Marketing Machine saw it as another advertising tool, and a “cool new resource” for furthering its never-happy agenda.  We got direct spam.  First, server admins reacted by trying to inform everyone (very clearly, I might add) that their networks did not exist to promote “unsolicited business” of any kind, that e-mail was for personal use, and they needed the recipients’ consent to send anything to them.  Thus, spam was stigmatized early in the game as a very unacceptable activity.

Strangely enough, there was no actual need to stigmatize spam – it was clearly outlined in most of the very first Terms of Service agreements that were signed (and, at that point in time, they actually DID sign them!) by all early users of the Internet, private and corporate alike.  It was all included in the broader term “network abuse”, and people DID lose their accounts for violating their TOS on those grounds.

Well, spam may have been labelled “unacceptable”, but that obviously never mattered to the corporate mindset.  Spam increased quickly, and without a single hickup, despite network admins even threatening to cut their accounts and/or blacklisting other IPs and even full networks from accessing their networks.  We countered it with filters, then we got “spoofed” senders.  We countered with blocklists, and the corporates decided to do something that was nothing short of waging war on all e-mail users… we got viruses!

Sure, we were often lead to believe viruses were written by “rebels” (usually “living in a basement”) who were somehow only looking for some “misplaced recognition” that they could “sabotage” someone else’s computer in some way.  But, the fact is, that’s only a small part of the story.  You need only ask yourself, what would really make it *profitable* to do such a thing?

Virus writers were greeted with open arms, as they were commissioned by the determined corporate marketers, to help them fool the user into unwittingly allowing a number of things to happen to himself, such as direct pop-up ads served by their own browsers, or Windows Messenger service.  Some attempted to rewrite system files, in order to screw with the users’ ability to stop their future intended intrusions (such as reenabling messenger, should it be turned off).  The selfish, deceitful and malicious nature of a psychopathic agenda took on a very blatant form, and it should have been quite obvious (to anyone who was paying attention) that corporate interests were already the biggest threat to the health of the Internet, and the computers that were forming it in exponentially-increasing numbers.

Many of you know this story, but for the sake of others, I’ll continue a little more…

So, thanks to the determination of the corporate marketing community to prevent you from enjoying your computer without their interference, antivirus software became a necessity.  The corporates countered with socially-engineered virus delivery and malware, and exploiting alternate network ports (which were wide open and abundant at that point), to either do an end-run around your AV, or take down your defense entirely!  The new viruses began installing their own software, containing everything from independent network connection to e-mail and FTP capabilities, in order to ”phone home” without your immediate knowledge, download more stuff intended to “rewire” your configuration itself.  Soon, system setups and administrative controls were being altered, and people really were losing control of their computers to unknowns from remote locations.

Then came firewalls, as there was now the necessity to control not only who was connecting TO you, but also who YOUR machine was trying to reach (and by whose instigation).  We got things like web exploits, poisoned torrent files, and DNS hijackings as an answer to that.  Fast forward to the present day, and the whole thing has yet to stop.  We now play with peerblockers to cut down on the “bad peers” who would deliver us a virus or track us with intent to sue.  We’re running script blockers to stop malicious code from executing on our machines.

Code that was planted by the Great Marketing Machine, on some of our favourite websites, thanks to the cooperation of clueless hosts, who are in a position to allow it, and were paid to do so.

TRACKING ISSUE – QUANTSERVE

I’m still getting comments about Google and Quantserve injecting malicious code via WP.  And, in the case of Quantserve, at least, that’s correct!  In the case of including Google in the same complaint, however, there’s a problem.  You can’t have BOTH Quantserve and Google tracking operating through the same site.

The funny thing is, I NEVER DENIED the existence of EITHER of these scripts. What I denied, and still deny, was the accusation that *p2pnet* is the one serving either of them. Thus the persistent statement, “p2pnet runs NO trackers!”  Now that I have more of the facts, which I already promised to deliver once I had them, I can elaborate…

It is quite obvious that WordPress has acted against the very wishes of the “open community”, and very quietly tweaked a common plug-in used by many WP sites (WP-Stats), thus allowing Quantcast 3rd-party tracking of those sites.  This is totally UNACCEPTABLE for many sites… *especially* this one!

If anyone bothered to actually read what I’ve said, someone would’ve absorbed the part where I said the fact alone that a tracker was embedded in WP was enough for me to strongly recommend BLOCKING Quantcast and Quantserve AT THE FIREWALL LEVEL. Perhaps nobody understood the term “embedded in WP”??

The one thing I did get schooled on was that WP-Stats is no longer a “benign” thing.  But, I don’t feel guilty with that wrong assumption.  I was SUPPOSED to trust it!  Lots of people experienced with WordPress (of which I am not) were taken by the surprise, as it wasn’t just “unethical”, but a complete change in the way WP had been doing business up to this point.

Not only is the plug-in poisoned for WP users, but it also causes performance problems for many.

I wrote another thing people need to come to grips with that many seem to have failed to read: I’M NOT THE SITE ADMIN! I’m just handling the site’s comments and trying to keep it active while the owner is recovering from heart surgery and all its complications. I don’t have access to p2pnet’s server, and cannot effect network control changes. Even if I could, I’m not about to arbitrarily act on things like that without Jon’s input, or at least the involvement of the site’s administrator.

Naturally, I’m in the process of getting the proper approval (from someone who may not need this right now, I remind you), and intend to take that and get the proper assistance from the one who can address it at the server level, if required. I’m not going to take it upon myself to disable a plug-in, or install any counter-scripts, without his blessing, and have to consider what other factors may come into play, should I do such a thing.

Another piece of browbeating I’m getting says that “WP explains it in detail on their website. Full code and information is available on numerous websites about both.”

WordPress appears to be doing no such thing!
There’s no mention of Quantcast or the injection of the Quantserve script in any of their pages about WP-Stats. And, it looks like their admins are being very evasive on other forums that are asking about it. They’re simply downplaying what it does, and spinning it with talks of supposed “cool features” everyone’s going to get out of it, while the site admins are livid and ready to throw in the towel on WP over it.

If anyone has a link that shows WordPress itself detailing the Quantserve script (and I mean in an honest, unsuppressed way), please post it!

There has been a counter-script (another plug-in) released that is designed to block the 3rd party access, while keeping the user-pertinent functionality in it. Looks good, too, except that it’s still an alpha release. The author, a well-known coder who has written lots for WP, is stating that there may still be a bug in it.

Again, I don’t own or administer this site, nor do I have stake in it (other than deep personal interest, of course).  I’ve put this matter to the right people, and that’s all I *can* do.

TRACKING ISSUE - GOOGLE ANALYTICS

The jury’s still out on why the Google Analytics script even shows up in connection with p2pnet.

None of p2pnet’s plug-ins enable this, Jon doesn’t run any Google Ads or Google anything, and Quantserve is already present, thanks to WP-Stats.  (Remember, I said the 2 trackings can’t be run from the same site at the same time.)

At the moment I can only theorize 2 possibilities:

1. Analytics is getting permission to be injected DIRECTLY by WordPress.
2. Google is playing a mean game with cookies, and exploiting individual machines at the user level.

If WordPress is cooperating, Jon’s gonna freak when gets back into the game.

In the meantime, for those who still think p2pnet is some willing party to any of this tracking, have a look at these:

http://wordpress.org/support/topic/wordpresscom-stats-and-quantserve

http://wordpress.org/support/topic/plugin-wordpresscom-stats-quantserve-code-in-stats-javascript

http://wordpress.org/search/quantserve?forums=1

Devil’s Advocate – p2pnet

Follow Jon on Twitter.

More

First they ignore you, then they laugh at you, then they fight you, then you win ~ Mahatma Gandhi

World War III will be a global information war with no division between civilian & military participation ~ Marshall McLuhan

Use free p2pnet newsfeeds for your site. Subscribe to p2pnet.net | rss feed: http://p2pnet.net/feed

p2pnet view

“p2pnet has been following the tacky career of Steve Gibson (bottom right), the US shyster who’s been buying up copyrights and then using them to extort money from people he accuses of infringement.

He operates on the same Mafia principle as did Vivendi Universal, EMI, Warner Music and Sony Music’s RIAA: that 9.9 times out of 10, the people he goes after won’t have the knowledge, money or legal resources to be able to defend themselves.

So they’ll pay him to go away.

He’s currently trying to get $6,000 out of Brian Hill (top right), a young guy who suffers from the potentially deadly ‘brittle’ form of diabetes, andwho’s also mildly autistic.

There’s no way Brian will be able to come up with that kind of money, even if he wanted to. But that’s not going to stop Gibson.“

Following up on this, Jon has forwarded an e-mail from Brian Hill, complete with court documents attached, outlining a (supposed) voluntary dismissal of the suit against him by Righthaven, as well as Righthaven’s rant against Brian being struck down by the judge.

PDFs:            <  Notice-of-Dismissal >   <  Order-to-Strike >

The fact that these can be posted says something!

Brian says…

“My attorney gave me the okays to forward the documents to all media contacts, and I am also sending to bloggers as well as this means good news for me. This is all on public record now so might as well save all reporters time by forwarding you these two attached documents.”

Also a few links about the recent event that has happened:

http://blogs.westword.com/latestword/2011/04/brian_hill_righthaven_suit_judge_order.php

http://www.vegasinc.com/news/2011/apr/11/righthaven-drops-copyright-lawsuit-against-autisti/

Jon comments…

“This is a major victory for those unfairly targeted whenever they never notified anyone that the photos were copyrighted and never sent any legal warnings or even takedown notices to any of the defendants. How else will they know they infringed copyright law without any warnings sent to them. Also the court cases being fought over excerpts determine Fair Use exemptions in the future as to why these cases are being watched by a lot of people.”

As all who have watched my Righthaven lawsuit have noticed my website had been put on self suspension out of fear due to the lawsuit. I decided to bring it back under a few adjustments and conditions to my own website in order to better protect myself in the future. As I am making this announcement to all reporters who have been tracking my story you can now see what my website looks like.

These are the legal precautions I am taking as the condition for bringing the website back:

(1) My website will have a takedown page and will start a small fundraiser to be able to afford DMCA Act Safeharbor protection since my website is open to blog posts from anyone who wants to register. I don’t want what any person decides to post to lead me into another lawsuit so I am setting up pages for cease and desist orders.

(2) I will have someone check my websites images to see if any are a potential infringement so I can remove them accordingly. That way I don’t make a stupid mistake ever again.

(3) I will cite any laws that will protect reporters and bloggers on my website or a separate law page that will be used to protect Free Speech, Free Press, and other civil liberties.

(4) I will start gathering more people to join my website as a team of volunteer news bloggers that will write their own stories so we can get the news out without violating anyones copyrights.

I will comply with any cease and desist order as long as it is completely authorized under copyright law and not some prank to attack my website because I know somebody could pull a fake cease and desist order. Takedown notices I will comply with as well as long as it’s not a prank.

That is all! My local news website has returned and once the legal precautions I’ve been working on are added my website will be fully up and running.

Seems like positive news.

Hats off to you, Brian! 

For those interested, Brian Hill’s blogsite can be found here.

p2pnet view

Evidence of the offending activity seems to be based solely from reports acquired from the Firefox plug-in, NoScript, involving Quantcast and Google trackers.

Here’s the bald-faced truth on the subject, whether anyone chooses to accept it or not…

Quantserve

Quantserve is definitely a tracking service, run by Quantcast (3rd party), that doesn’t just measure “raw traffic statistics”, as I was lead to believe.  Quantserve measures and graphs the whole “demographics” thing, much like Google Analytics and a lot of others.  Cookies are installed to the visitor machines, and javascript is embedded at the WordPress level.

Before I go any further, I cannot comment on whether or not Jon is aware of this activity, or whether or not it’s even an actual threat.  For all we know, Jon has full knowledge and has disabled the service’s ability to ultimately claim the results, which would be a perfectly acceptable remedy in my eyes.

It would seem Quantserve may be a “compulsory” feature when using WordPress to host your site.  Can the site owner choose to disallow it, without any “repercussions”?  I don’t know the answer to that (yet).  Is it something I want to bother Jon about at this point in time, while he’s struggling with his recovery?  Certainly not!

The best recommendation I can make at this time would be for the users to simply block Quantserve and Quantcast from their machines.  The fact that they feel the need to embed it in WordPress itself seems to warrant that thinking.

NOTE: If you have quantcast.com and quantserve.com blocked by NoScript, the cookies still get planted on your computer, if you haven’t already instructed your browser to block them as well.  If you haven’t already done this, and you wish to shut out Quantserve, I would recommend you refer to the appropriate instructions for your browser.

Google Analytics

While dataminers like Quantcast are certainly a great concern, they certainly don’t compare to Google.  Google is, without a doubt, becoming the biggest threat to worldwide network security, and the privacy of every concerned internet user.

They have created a barrage of “services” (most of them “free”) that definitely have a lot of positive potential, yet have demonstrated over and over again how psychopathic they are with our personal information.  Google repeately claims to have no evil intentions, yet they’re never very clear with what info they’re gathering, what need there would be for it, and often deny they’re even gathering it at all.  They never directly offer you a way to control or consent to any of this from your end.

Google has no interest in what anyone but Google wants.  When confronted with privacy concerns, they claim to be a ”do no evil” company, and that “your privacy is very important” to them, everything worded in true Corporate Speak.  Google arbitrarily decides what we supposedly should be okay with, and arbitrarily shuns any other arguments as “inapplicable” or “misinformed”, or simply “nonsense”.  Those qualities are true psychopathic qualities.

Google has often been referred to as an “octopus” on steroids.  Its tentacles seem to reach every crevice of the World Wide Web in its quest to stay locked on to everyone’s online activities.  Despite thousands of major requests from individuals, groups, and companies to respect private networks (and street properties alike), they continue to plant cookies that keep reporting back directly from the subject computers, and logging the whole thing.

There’s a shitload of Google activites I could go into great detail with, but it’s time to give you the point to all that preamble…

When a user’s computer has any of these cookies installed, it doesn’t matter if a website participates in Google Analytics or if it even has any Google Ads, the tracking script kicks in, and that computer’s activities are logged.  Without the site’s blessing and without user consent.

This also can create an illusion that the site in question is doing the tracking for Google.  That would seem to be the biggest conundrum reflected in the discussion on this subject.

I’ll now repeat what I said in a few comments:  p2pnet does not employ a Google tracker, does not facilitate Google Analytics (google-analytics.com), and does not subscribe to Google Ads.  One look at any p2pnet page should tell you that.  The same handful of static advertisers has always been all you’ve ever seen.  If a Google Analytics tracker is trying to connect with you, it’s because you already have at least one cookie on your machine that’s trying to phone home.

You also have to remember that these cookies are often dished out in multiple formats, some of which are designed with backup mechanisms that rewrite them upon deletion, and even rewrite the others as well.  (Do no evil, eh?! )

As you should know, I don’t have any stake in this site.  I’m just a reader and contributor to p2pnet myself, and I also have to connect the same way everyone does.  When it comes to this particular issue, what may set me apart from some of you could simply be that I barred Google from my computer, in multiple ways, ages ago.

Surfer made a really constructive statement in “Ensuring Online Privacy“:

“If you do nothing more than just put www.google-analytics.com in your firewall, you are doing yourself a great service. This particular domain name keeps track of what sites you visit so that google ads can be more precisely targeted. Many domains out there use APIs from Google that are intrusive and violate your privacy by not only tracking hits to a particular website, but sends additional data back to Google themselves for their own nefarious uses.”

I can attest to that.

I not only banned Analytics a long time ago, but I also don’t accept AdSense or Buzz, and don’t use Google DNS or any other “services” that would give Google any excuse for “implied consent”.

When the issues of Quantserve and Analytics came up, I fired up 3 different browsers (Firefox with NoScript was, of course, one of them), and brought up my firewall monitor, my peerblocker, and a few other utilities, while going to a few sites, and calling up p2pnet.  First I tried it without clearing any caches, and then repeating the whole thing after clearing different ones, eventually all of them.  I also tried going to p2pnet only, after clearing caches, and looking at the results.  The results were the same every time, with one exception, which I’ll talk about after the results…

Google Analytics, as well as Quantserve and Quantcast, only showed up at the firewall level, and were unsuccessful, as their packets were tossed away.  There were also no cookies installed by any of them, and p2pnet’s cookie remained unaltered, containing only the login info it’s supposed to.  And here’s the clincher:  p2pnet’s IP address was only attached to Quantserve, along with another WordPress IP.  The IP addresses reported for Analytics had no relation to p2pnet or WordPress.

As I said, there was one exceptional result I promised to relate.  When I cleared all caches and went straight to p2pnet, there were no Google entries at all.  Not even at the firewall.  That’s because Analytics doesn’t emanate from p2pnet, and because I didn’t pick up the cookies from anywhere else that Google needs me to have to track me TO p2pnet. 

p2pnet view P2P | Freedom | Security:

Ironically, a movie was made about a good friend of mine who was a Lieutenant Colonel in Military Intelligence that helped develop the Carnivore Program for the FBI. I only knew him as “casper” online, but I helped support him when he was illegally arrested for leaking the software to the public in protest. Unfortunately, he was an elderly gentleman and died while incarcerated for treason. You may have heard of the movie “Swordfish”?

My point is, governments all over the world have been attempting to invade your privacy since 1995, only a few years after the internet itself came into popular use. First there was MySpace, with all good intentions, until it was bought out by Rupert Murdoch’s massive media empire. Then came Fa$eBook, which was forced to open its’ database to the NSA. What better way of keeping a “docket” of every single American Citizen, and Foreign National than scraping all the dirty little secrets sheeple post to their Fa$eBook account? Governments monitor everything, including Twitter, via what are called BBN’s.

All data transferred in and out of the US must pass thru one of the 11 BBNs here in the states, which is quite ingenious actually. Why bother monitoring all 350 million people on the internet when you can intercept data at a few key distribution points?

Point in fact, someone “tweeted” some outlandish snippet concerning bodily harm to a public official, and the FBI was knocking on his door within 45 minutes. Another someone posted a similar “topic” to Reddit and the FBI contacted the admins of Reddit within 15 minutes, wanting to know information about the poster. No warrant, no legal jurisdiction, no due process, just give up the information, namely the IP address of the offender.

I ask you, how is it even possible for the government to know about these apparent discretions in such a short amount of time? Even J. Edgar Hoover himself was not this paranoid. There once was a time when the 1st Amendment could only be suspended for dire threats against POTUS, apparently, not any more.

Here are a few tips to keep your government out of your business…

Twitter, FaceBook, MySpace -  Some day they will all merge, and be called MyTwitFace. Your best efforts should be to get off these social networks, as they are a direct line to the government’s enforcement wing that only reports to the shareholders of the MAFIAA, and other anti-consumer corporations. This is one of the primary reasons that when you attempt to delete your account from FaceBook, it never goes away, it stays in their database at the behest of government agencies.

Firewall - There are numerous sources of government-blacklisted IP addresses that you can easily enter into your router firewall, your computer’s firewall, or in a software firewall. If anything, block IP addresses that end in .gov and .mil unilaterally.

Proxy - Not so much of a good idea these days. Once it was fairly simple to use a Proxy to hide your computer’s origin, however the Department of Defense has a tool that can trace back thru up to 5 proxy bounces in order to find the originating IP address. This is no longer used by the hard core users because of this.

VPN - Virtual private network usage is still covered by prior restraint, so the government cannot eavesdrop on it, and it is typically encrypted from the originating IP address to the VPN provider. Using a VPN allows you to ‘appear’ on the internet as if your IP address is somewhere else in the world, and provides you with an entirely different IP address than the one assigned to your router by your provider. This is typically a pay-for service, and worth every single penny in providing anonymity while surfing the internet. It also can be use to bypass the ‘region’ of content that is possibly not available in your area, such as Spotify. It allows you to appear to be in another country, depending on the VPN service your select. Typically a VPN service will have several servers to choose from in order to make it look like you are somewhere you are not.

PiggyBacking - This is not for the novice. This is a sophisticated hack that takes control of the ‘last mile’ router of your provider in order to gain access to the entire C-Class IP range your provider uses, and distributes your particular IP address to your router. With access to the last mile router, you can choose from any of the 255 IP addresses in the range, basically using someone else’s IP address supplied by your provider. This particular hack is being scrutinized much more closely by providers nowadays and is slowly becoming obsolete.

Outbound Blocking - As few know, a substantial amount of software on the market today “phone home” for a variety of reasons. Phoning home was invented and patented by Apple, and built into their first offering of MacOSX. During controlled testing we found that during bootup, MacOSX sends data about your computer to Cupertino, Apple’s headquarters. Adobe products have been phoning home since the inception of the Creative Suite program bundle, and it is being adopted by more and more software designers every day. To ensure that your computer works the way you want it to, use outbound blockers suck as Little Snitch, Zone Alarm, or Outpost Firewall.

Surfing - Surfing the internet is a typical activity, checking your mail, reading the sites you like, etc. To surf the internet safely use Firefox. It has numerous plugins like AdBlock and NoScript that will not only eliminate abusing your bandwidth, that you pay for, with unwanted (and unnecessary) ads, scripts, and tracking technology used to violate your privacy by keeping track of your surfing habits.

Encryption - Just like the enforcement agencies across the world have warned that continued legislation violating privacy rights will force end users to begin using encryption, well, we have. We began using AES256 encryption for all P2P transfers as far back as 2001, because its none of your fucking business what I am uploading or downloading. You can also setup a local VPN and allow your users to connect to your computer via this VPN that will encrypt data transfers for you. There is also built-in web sharing in all modern operating systems that you can configure to allow P2P access to your machine by trusted users, these are closed loops systems and cannot be monitored.

If you do nothing more than just put www.google-analytics.com in your firewall, you are doing yourself a great service. This particular domain name keeps track of what sites you visit so that google ads can be more precisely targeted. Many domains out there use APIs from Google that are intrusive and violate your privacy by not only tracking hits to a particular website, but sends additional data back to Google themselves for their own nefarious uses.

One thing is certain. Legislation will never overcome technology, as slow as they shut down sites like Limewire, new and improved versions appear, like Limewire Pirate Edition. To put this all into perspective, they still, to this day, have not been able to take down The Pirate Bay.

So, if you do not want to end up on the wrong end of some misguided lawsuit by some massive conglomerate for something as heinous as jaywalking, then do yourself a favor, and practice some proactive implementation of privacy on your part. In a world hell bent on destroying your right to privacy, you can fight back by literally taking your privacy into your own hands, and give them the one finger salute.

p.s. I even submit my articles to Jon using VPN.

surfer – p2pnet
Share the wealth

Follow Jon on Twitter.

More

First they ignore you, then they laugh at you, then they fight you, then you win ~ Mahatma Gandhi

World War III will be a global information war with no division between civilian & military participation ~ Marshall McLuhan

Use free p2pnet newsfeeds for your site. Subscribe to p2pnet.net | rss feed: http://p2pnet.net/feed

Internet security company Comodo says it suspects Iran-based hackers were behind a “state-driven attack” in which fake online certificates targeted the companies.

Says the company’s fraud incident report >>>

• The perpetrator has focussed simply on the communication infrastructure (not the financial infrastructure as a typical cyber-criminal might).
• The perpetrator can only make use of these certificates if it had control of the DNS infrastructure.
• The perpetrator has executed its attacks with clinical accuracy.
• The Iranian government has recently attacked other encrypted methods of communication.
• All of the above leads us to one conclusion only:- that this was likely to be a state-driven attack.

States Peter Eckersley on the EFF’s Deep Links >>>

On March 15th, an HTTPS/TLS Certificate Authority (CA) was tricked into issuing fraudulent certificates that posed a dire risk to Internet security. Based on currently available information, the incident got close to — but was not quite — an Internet-wide security meltdown. As this post will explain, these events show why we urgently need to start reinforcing the system that is currently used to authenticate and identify secure websites and email systems.

There is a post up on the Tor Project’s blog by Jacob Appelbaum, analysing the revocation of a number of HTTPS certificates last week. Patches to the major web browsers blacklisted a number of TLS certificates that were issued after hackers broke into a Ceritificate Authority. Appelbaum and others were able to cross-reference the blacklisted certificates’ serial numbers against a comprehensive collection of Certificate Revocation Lists (these CRL URLs were obtained by querying EFF’s SSL Observatory databases) to learn which CA had been affected.

The answer was the UserTrust “UTN-USERFirst-Hardware” certificate owned by Comodo, one of the largest CAs on the web. Comodo has now published a statement about the improperly issued certs, which were for extremely high-value domains including google.com, login.yahoo.com and addons.mozilla.org (this last domain could be used to trojan any system that was installing a new Firefox extension, though updates to previously installed extensions have a second layer of protection from XPI signatures). One cert was for “global trustee” — not a domain name. That was probably a malicious CA certificate that could be used to flawlessly impersonate any domain on the Web.

Comodo also said that the attack came primarily from Iranian IP addresses, and that one of the fraudulent login.yahoo.com certs was briefly deployed on a webserver in Iran.¹ This is strong circumstantial evidence that the attack was perpetrated by Iranians, though it also possible that the perpetrators used compromised systems in Iran in order to frame Iran.”

What should we do about these attacks?

Discussing problems with the revocation mechanisms that should (but don’t) protect users who don’t instantly get browser updates, Appelbaum makes the following assertion:

If the CA cannot provide even a basic level of revocation, it’s clearly irresponsible to ship that CA root in a browser. Browsers should give insecure CA keys an Internet Death Sentence rather than expose the users of the browsers to known problems.

Before discussing whether or not such a dramatic conclusion is at all warranted, it is worth considering what the consequences of blacklisting Comodo’s UserTrust CA certificate would have been. We used the SSL Observatory datasets to determine what had been signed by that CA certificate. The answer was that, as of August 2010, 85,440 public HTTPS certificates were signed directly by UTN-USERFirst-Hardware. Indirectly, the certificate had delegated authority to a further 50 Certificate Authorities, collectively responsible for another 120,000 domains. In the event of a revocation, at least 85,000 websites would have to scramble to obtain new SSL certificates.

The situation of the 120,000 other domains is more complicated — some of these are cross-certified by other root CAs or might be able do obtain such cross-certifications. In most — but not all — cases, these domains could continue to function without updating their webserver configurations or obtaining new certs.

The short answer, however, is that the Comodo’s USERFirst-Hardware certificate is too big to fail. If the private key for such a CA were hacked, by the Iranians or by anybody else, browsers would face a horrible choice: either blacklisting the CA quickly, causing outages at tens or hundreds of thousands of secure websites and email servers; or leave all of the world’s HTTPS, POP and IMAP deployments vulnerable to the hackers for an extended period of time.

Fortunately, Comodo has said that the master CA private keys in its Hardware Security Modules (HSMs) were not compromised, so we did not experience that kind of Internet-wide catastrophic security failure last week. But it’s time for us to start thinking about what can be done to mitigate that risk.

Cross-checking the work of CAs

Most Certificate Authorities do good work. Some make mistakes occasionally ², but that is normal in computer security. The real problem is a structural one: there are 1,500 CA certificates controlled by around 650 organizations ³, and every time you connect to an HTTPS webserver, or exchange email (POP/IMAP/SMTP) encrypted by TLS, you implicitly trust all of those certificate authorities!

What we need is a robust way to cross-check the good work that CAs currently do, to provide defense in depth and ensure (1) that a private key-compromise failure at a major CA does not lead to an Internet-wide cryptography meltdown and (2) that our software does not need to trust all of the CAs, for everything, all of the time.

For the time being, we will make just one remark about this. Many people have been touting DNSSEC PKI as a solution to the problem. While DNSSEC could be an improvement, we do not believe it is the right solution to the TLS security problem. One reason is that the DNS hierarchy is not trustworthy. Countries like the UAE and Tunisia control certificate authorities, and have a history of compromising their citizens’ computer security. But these countries also control top-level DNS domains, and could control the DNSSEC entries for those ccTLDs. And the emergence of DNS manipulation by the US government also raises many concerns about whether DNSSEC will be reliable in the future.

We don’t think this is an unsolvable problem. There are ways to reinforce our existing cryptographic infrastructure. And building and deploying them may not be that hard. Look for a blog post from us shortly about how we should go about doing that.

________________________________

1. This is strong circumstantial evidence that the attack was perpetrated by Iranians, though it also possible that the perpetrators used compromised systems in Iran in order to frame Iran.

2. A few previous examples.

3. These numbers are from the SSL Observatory. Before we performed those scans, we are unsure that anybody knew how many CAs were trusted by our browsers and operating systems, because CAs regularly delegate authority to subordinate CAs without announcing this publicly

According to Comodo, the nine certificates were >>>

Domain: mail.google.com [NOT seen live on the internet]

Serial: 047ECBE9FCA55F7BD09EAE36E10CAE1E

Domain: www.google.com [NOT seen live on the internet]

Serial: 00F5C86AF36162F13A64F54F6DC9587C06

Domain: login.yahoo.com [Seen live on the internet]

Serial: 00D7558FDAF5F1105BB213282B707729A3

Domain: login.yahoo.com [NOT seen live on the internet]

Serial: 392A434F0E07DF1F8AA305DE34E0C229

Domain: login.yahoo.com [NOT seen live on the internet]

Serial: 3E75CED46B693021218830AE86A82A71

Domain: login.skype.com [NOT seen live on the internet]

Serial: 00E9028B9578E415DC1A710A2B88154447

Domain: addons.mozilla.org [NOT seen live on the internet]

Serial: 009239D5348F40D1695A745470E1F23F43

Domain: login.live.com [NOT seen live on the internet]

Serial: 00B0B7133ED096F9B56FAE91C874BD3AC0

Domain: global trustee [NOT seen live on the internet]

Serial: 00D8F35F4EB7872B2DAB0692E315382FB0

Stay tuned.

Follow me on Twitter.

Deep Links – Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get?, March 23, 2011

First they ignore you, then they laugh at you, then they fight you, then you win ~ Mahatma Gandhi

World War III will be a global information war with no division between civilian & military participation ~ Marshall McLuhan

Use free p2pnet newsfeeds for your site. Subscribe to p2pnet.net | rss feed: http://p2pnet.net/feed

Net access blocked by government restrictions? Use Psiphon from the Citizen Lab at the University of Toronto. Go here for details.

That’s how smiling RSA senior boss Art Coviello (right)  puts it in an open letter to customers.

The BBC, however, is somewhat more succinct.

“Hackers have stolen data about the security tokens used by millions of people to protect access to bank accounts and corporate networks”, it says, going on >>>

It did not disclose exactly what had been purloined and only said that the information “specifically related to RSA’s SecurID two-factor authentication products”.

RSA’s SecurID tokens are used by millions of people alongside passwords to beef up security.

As its name suggests, two-factor authentication involves improving security using two methods of identifying a user. The first factor is usually the traditional login ID and password combination.

The second factor can be a SecurID token that is paired with back-end software that generates a new six digit number every minute.

A token paired with this software generates the same numbers so only the holder will be able to type in the right digits and get access.

States RSA >>>

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.

But “There could be “tremendous repercussions” if criminals piggy-backed on what they know to stealthily get at corporate and other critical systems”, the BBC has Richard Stiennon, chief research analyst at security firm IT-Harvest, saying.

“You’d never have a sign that you’ve been breached.”

Boasts the company, “As the chosen security partner of more than 90% of the Fortune 500, we help the world’s leading organizations succeed by solving their most complex and sensitive security challenges.”

Follow me on Twitter.

BBC – Hackers tackle secure ID tokens, March 18, 2011

First they ignore you, then they laugh at you, then they fight you, then you win ~ Mahatma Gandhi

World War III will be a global information war with no division between civilian & military participation ~ Marshall McLuhan

Use free p2pnet newsfeeds for your site. Subscribe to p2pnet.net | rss feed: http://p2pnet.net/feed

“Foreign cyber hackers who attacked federal government departments could have been looking for information on weapon technology and natural resource policy, an expert in China’s cyber spying program says.

“The attacks, revealed by CBC News, targeted the Finance Department, the Treasury Board and Defence Research and Development Canada”, says the story.

“It’s unclear what information the hackers, believed to [sic] based in China, were after.”

But “China has denied any responsibility for the attacks”, says the post, adding:

“The attack gave hackers access to highly classified information and was first detected in early January. The attacks forced the government departments that were targeted to disconnect temporarily from the internet.”

Auditor-general Sheila Fraser (right),”first raised the alarm” about Canada’s weak security in 2002, said the CBC yesterday, quoting her as warning:

“There are access controls that need to be fixed; there are a whole series of minimum security issues that are not being dealt with. There are vulnerabilities. Government needs to fix them.”

She checked again three years later “and found not much had changed”, it says, and this time, “It is important that these things be dealt with and be fixed — the government is vulnerable to attacks”, she declared.

Evidently, says the CBC, “it still is.”

Follow me on Twitter.

p2pnet – Canadian government computers hacked, February 17, 2011
states – Hackers after weapon information: expert, February 18, 2011
CBC – Foreign hackers attack Canadian government, February 17, 2011

First they ignore you, then they laugh at you, then they fight you, then you win ~ Mahatma Gandhi

World War III will be a global information war with no division between civilian & military participation ~ Marshall McLuhan

Use free p2pnet newsfeeds for your site. Subscribe to p2pnet.net | rss feed: http://p2pnet.net/feed

“The bug was one of about 100 found by noted browser vulnerability researcher and Google security engineer Michal Zalewski (right) using a new ‘fuzzing’ tool”, says the story, going on the vulnerabilities were also in Firefox, Chrome, Safari and Opera.

According to Zalewski, a developer working on WebKit — the open-source browser engine that powers both Apple’s Safari and Google’s Chrome — “accidentally leaked” the location of the then-unreleased fuzzing tool. Google’s search engine then added that location to its index.

“On Dec. 30, I received … search queries from an IP address in China, which matched keywords mentioned in one of the indexed cross_fuzz files,” Zalewski said, the story states, continuing:

“Those searches were looking for information on a pair of functions in ‘Mshtml.dll,’ IE’s browser engine” he said were unique to the vulnerability, and that had “absolutely no other mentions on the Internet at that time.”

“The person or persons searching for the functions then downloaded all the available cross_fuzz files.”

Address ‘accidentally leaked’

On http://lcamtuf.coredump.cx/, Zalewski states >>>

I have reasons to believe that the evidently exploitable vulnerability discoveable by cross_fuzz, and outlined in msie_crash.txt, is independently known to third parties in China.

While working on addressing cross_fuzz crashes in WebKit prior to this announcement, one of the developers accidentally leaked the address of the fuzzer in one of the uploaded crash traces. As a result, the fuzzer directory, including msie_crash.txt, has been indexed by GoogleBot.

I have confirmed that following this accident, no other unexpected parties discovered or downloaded the tool; however, on December 30, I received the following search queries from an IP address in China, which matched keywords mentioned in one of the indexed cross_fuzz files:

125.77.xxx.x – - [30/Dec/2010:11:11:31 +0100]
GET /cross_fuzz/msie_crash.txt HTTP/1.1
Referer: http://www.google.com.hk/search?q=mshtml+breakaaspecial&hl=zh-CN&newwindow=1&safe=strict&client=pub-1549238212314499&prog=aff&channel=8696049412&sa=2
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; CIBA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; GreenBrowser)

125.77.xxx.x – - [30/Dec/2010:11:39:15 +0100]
GET /cross_fuzz/msie_crash.txt HTTP/1.1
Referer: http://www.google.com.hk/search?client=pub-1549238212314499&prog=aff&channel=8696049412&q=breakcircularmemoryreferences
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; CIBA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; GreenBrowser)

These search queries are looking for information on two MSHTML.DLL functions – BreakAASpecial and BreakCircularMemoryReferences – that are unique to the stack signature of this vulnerability, and had *absolutely* no other mentions on the Internet at that time.

The person had no apparent knowledge of cross_fuzz itself, poked around the directory for a while, and downloaded all the accessible files; suggesting this not being an agent one of the notified vendors, but also being a security-minded visitor.

“The pattern is very strongly indicative of an independent discovery of the same fault condition in MSIE by unrelated means”, Zalewski says, adding, “other explanations for this pair of consecutive searches seem extremely unlikely.”

Computerworld has Jerry Bryant, an MSRC spokesman, saying yesterday, “neither Microsoft or the Google security researcher identified any issues. On December 21, a new version of the tool was reported to us along with information about a potentially exploitable crash found by the new version. We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable.”

Zalewski “released cross_fuzz on Saturday, even though Microsoft had not yet patched any of the IE flaws”, it says, noting:

“Other browser makers, including Mozilla and Opera, as well as the WebKit team, have fixed some — although not all — of the bugs Zalewski found using cross_fuzz.

“Microsoft asked Zalewski to delay cross_fuzz’s release, but he declined, in part because of his fear the IE vulnerability was already being explored by Chinese hackers, but also because the company’s security experts had not responded to information he provided.”

Fuzzing “is a common research practice used to locate vulnerabilities and find flaws in code”, the story says, adding:

“A fuzzer automates the technique by inputting data into applications or operating system components to see if — and where — crashes occur.”

Follow me on Twitter.

Computerworld – Chinese hackers dig into new IE bug, says Google researcher, January 3, 2011

World War III will be a global information war with no division between civilian & military participation ~ Marshall McLuhan

Use free p2pnet newsfeeds for your site. Subscribe to p2pnet.net | rss feed: http://p2pnet.net/feed

That’s Charlie ‘I’m that Apple 0day guy’ Miller (right) on Twitter.

Says kawaiigardiner – “@0xcharlie Maybe you should stop being a grade A [deleted] and actually tell Apple what those bugs are – [deleted] wouldbe security attention [deleted].”

Apple yesterday released plugs for more than 130 security holes in Mac OS X, “smashing a record the company set last March when it fixed over 90 flaws”, says Computerworld, going on:

“The update for OS X 10.6, a.k.a. Snow Leopard, and OS X 10.5, better known as Leopard, was Apple’s first since September and the seventh for the year.”

Now you know.

Follow me on Twitter.

Computerworld – Apple smashes patch record with gigantic update, November 11, 2010

First they ignore you, then they laugh at you, then they fight you, then you win ~ Mahatma Gandhi

Use free p2pnet newsfeeds for your site. It`s really easy!

That’s TinKode on Twitter.

And the pic on the right was what you saw at 6:16 am Pacific.

On Baywords,Minister Of Defence United Kingdom (www.mod.uk) – Hacked, says the headline.

Under it is a Royal Navy logo, followed by the post >>>

The Ministry of Defence (MoD) is the United Kingdom government department responsible for implementation of government defence policy and is the headquarters of the British Armed Forces. The MoD states that its principal objectives are to defend the United Kingdom and its interests and to strengthen international peace and stability.

==[ Author  : TinKode
==[ WebSite : InSecurity.Ro
==[ Date    : 05.11.2010
==[ Hour    : 22:55 PM
==[ Target  : www.royalnavy.mod.uk
==[ Document: Minister_Of_Defence_UK.txt
==[ Method  : SQL Injection
==[ HackTXT : http://pastebin.com/raw.php?i=M2MUEdv4

——————————————————-

Thanks TinKode @ ISR

The pastebin link leads to user names and admin passwords.

Stay tuned.

Follow p2pnet on Twitter.

November, 2010

First they ignore you, then they laugh at you, then they fight you, then you win ~ Mahatma Gandhi

Use free p2pnet newsfeeds for your site. It`s really easy!

But this time it has nothing to do with risky Jessica Biel or risky Brad Pitt or risky piracy, to name the topics of several of its trumped-up risk fluff reports.

This time it’s risky .COM.

Dot com, eh?

It’s now “the riskiest, with fifty-six percent of all risky sites discovered ending in .COM”, according to its 2010 Mapping the Mal Web report, quoted by Security Week.

But while .COM is the riskiest top-level domain, “the riskiest country domain is Vietnam (.VN)”, says the post, going on >>>

Japan’s .JP ranks as the safest country domain for the second year in a row and .TRAVEL as the safest overall domain. It’s interesting to note that .JP (currently $89.99 …) and .TRAVEL ($89.99 …) domains are also some of the most expensive domains. Are cybercriminals getting cheap with other people’s credit cards? Or do the higher price make it more risky?

But guess what?

“Cybercriminals target regions where registering sites is cheap and convenient and pose the least risk of being caught”, says Paula Greve, “director of web security research for McAfee Labs” in the post.

Oh, rilly?

No need to stay tuned.

Follow p2pnet on Twitter.

First they ignore you, then they laugh at you, then they fight you, then you win ~ Mahatma Gandhi

Use free p2pnet newsfeeds for your site. It`s really easy!

Under discussion is Firesheep, a “simple-to-use Firefox plugin” presented at Toorcon in San Diego.

As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed, says its creator, Eric Butler, in the story.

Just “Double-click on someone, and you’re instantly logged in as them.”

“It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else”, says Butler on his {Codebutler} site, continuing >>>

This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users.

The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely?

Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.

Experts have been able to take advantage of the possibilities before the advent of Firesheep, says Butler in Help Net Security

However, Firesheep make it easy for anyone, he says.

“Among the websites whose cookies Firesheep can identify are Facebook, Flickr, Amazon.com, bit.ly, Google, Twitter, Yahoo, WordPress, and many others”, the story reveals.

Says Butler on his {Codebutler} site.

“Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.

“Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.”

Stay tuned.

Follow p2pnet on Twitter.

Help Net Security – Firefox extension makes social network ID spoofing trivial, October 25, 2010

First they ignore you, then they laugh at you, then they fight you, then you win ~ Mahatma Gandhi

Use free p2pnet newsfeeds for your site. It`s really easy!

Intel is to buy fumbling ’security’ firm McAfee for “about $7.68 billion” to “expand in security software”, says Bloomberg News.

“The acquisition of McAfee, which trails Symantec Corp. in security software, helps Intel expand in wireless devices”, it says, observing:

“Intel Chief Executive Officer Paul Otellini is trying to revive a stalled effort to break into handsets. While Intel’s chips run more than 80 percent of personal computers, they aren’t in any phones now on the market.”

With Intel’s focus “being primarily on CPUs and wireless, being able to incorporate security into these devices would give it a substantial upper hand over AMD (as if it needs one, Intel absolutely dominates AMD in all areas except graphics)”, says ZDNet,noting:

“The deal is subject to the usual regulatory and shareholder approval.”

Follow p2pnet on Twitter … ..

… and identi.ca

Bloomberg News – Intel to Buy McAfee for $7.68 Billion, August 19, 2010
ZDNet – Why did Intel buy McAfee for $7.7 billion?, August 19, 2010

Use free p2pnet newsfeeds for your site. It`s really easy!

Subscribe to p2pnet.net | | rss feed: http://p2pnet.net/p2p.rss | | Mobile – http://p2pnet.net/index-wml.php

The US military “is attempting to blacken China’s image”, says state news agency Xinhua.

In fact, America was “the top country of cyber attack origin in 2008, accounting for 25 percent of worldwide activity”, says the story, citing US security firm Symantec as the source.

“The US purpose (of releasing such a report) is to tarnish China’s image and exaggerate the threat China poses,” the story has Hu Qiheng, president of the Internet Society of China (ISC), saying.

“The ISC said more than 1 million Internet Protocol addresses in China were controlled by overseas hackers while 42,000 Chinese websites were tampered or hacked in 2009″, says the story, adding:

“Ni Feng, deputy director of the Institute of American Studies with the Chinese Academy of Social Sciences, said the United States has greatly outstripped any other country in terms of Internet technological power.”

Follow p2pnet on Twitter … ..

… and identi.ca

Xinhua – Chinese experts rebute Pentagon cyber report, August 18, 2010

Use free p2pnet newsfeeds for your site. It`s really easy!

Subscribe to p2pnet.net | | rss feed: http://p2pnet.net/p2p.rss | | Mobile – http://p2pnet.net/index-wml.php

And they’ll soon be deployed in the EU.

But researchers at the University of Southern California and at Rutgers University say the WiFi systems present serious security and privacy problems.

The team studied Tire Pressure Monitoring Systems using both laboratory experiments with isolated tire pressure sensor modules and experiments with a complete vehicle system aind in their abstract to Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study, they say “eavesdropping is easily possible at a distance of roughly 40m from a passing vehicle”.

Not only that, but, “reverse-engineering of the underlying protocols revealed static 32 bit identifiers and that messages can be easily triggered remotely, which raises privacy concerns as vehicles can be tracked through these identifiers, they say, going on >>>

Further, current protocols do not employ authentication and vehicle implementations do not perform basic input validation, thereby allowing for remote spoofing of sensor messages.

We validated this experimentally by triggering tire pressure warning messages in a moving vehicle from a customized software radio attack platform located in a nearby vehicle.

The paper includes recommendations for improving the privacy and security of tire pressure monitoring systems and other coming in-car WiFi sensor networks.

(Cheers, Ivan)

Follow p2pnet on Twitter … ..

… and identi.ca

August, 2010

Use free p2pnet newsfeeds for your site. It`s really easy!

Subscribe to p2pnet.net | | rss feed: http://p2pnet.net/p2p.rss | | Mobile – http://p2pnet.net/index-wml.php