STE WILLIAMS

Ofcom denies privacy to drunk-dial-and-drive trucker

The BBC was justified in broadcasting the unblurred face of a trucker who was pulled for being on the phone, and subsequently arrested for being drunk at the wheel, despite his right to privacy, Ofcom has ruled.

The trucker alleges that an episode of Motorway Cops violated his privacy in showing him being pulled, arrested, and led to a cell, despite his request that the footage not be used. Ofcom agrees that broadcast of the footage inside the police station was an invasion of privacy, but that it was justified by the public interest.

The show didn’t name the trucker, but it did broadcast footage of him talking on a mobile phone while driving a 44-ton truck. When an unmarked police vehicle tried to get him to pull over he lifted his other hand off the wheel to give a cheery thumbs up. Having got him to stop, police subsequently found an open can of lager in the truck’s cab.

Ofcom ruled that the footage taken while driving, and then failing the breathalyzer test (the trucker was found to be almost double the legal limit), were not an invasion of privacy as they happened in a public place. But once the action moves to the cop shop arrestees are entitled to expect some privacy, and while the truck driver didn’t explicitly ask for the filming to be stopped he was clearly unhappy with it.

Ofcom interpreted that to mean he would have liked it to stop, and thus in normal circumstances the filming would have to have stopped or at least the footage not be broadcast. But Ofcom also ruled that given the offence, and the fact that earlier footage showed it being committed, the public-interest argument outweighed any expectation of privacy.

The driver was fined £115 and banned from driving for a year, Ofcom says. He has argued that repeats of the programme would put his return to work at risk. Given he’s not named in the show we can’t help feeling he’s not done himself any favours in making the complaint, should prospective employers be doing a Google search or similar, as it has resulted in him being named in Ofcom’s latest enforcement bulletin (PDF, lots of details but quite dull to read).

Ofcom has also been investigating a claim by one “Mrs E” who was shocked to see her younger self on screen. She appeared in the audience of a TV show about parents accused of child abuse 20 years ago, and has suddenly seen the footage reused, much to the surprise of friends and colleagues who recognised her and started asking questions about what prompted her to attend.

Ofcom ruled that having agreed to be in the show in 1989 she gave up all rights to use of the footage thereafter, including subsequent repeats.

It would seem that in fact the “right to be forgotten” may have disappeared longer ago in some cases than people think. Unless we all change identities every now and then we may just have to get used to it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/ofcom_privacy/

ePlods charge man, 60, with chick-lit MP Twitter threats

A man, arrested in August on suspicion of menacing Tory MP Louise Mensch via Twitter and threatening emails, has been charged under section 127 of the 2003 Communications Act.

“A man arrested over allegations of malicious communications and threats made via email and a social networking site against Louise Mensch MP has been charged,” the Met said.

Frank Zimmerman, 60 (01/10/1951) of Spinney Road, Barnwood, Gloucester will appear on bail at Gloucester Magistrates’ Court on 12 December, said Scotland Yard.

He has been charged with improper use of a public communications network, it added.

Cyber cops cuffed Zimmerman on 25 August, following allegations lodged by Mensch a few days earlier.

Mensch took to Twitter to complain publicly about the alleged harassment before taking her complaint to police as she was in the US at the time of the incident.

The Tory politico, Rupert Murdoch botherer and erstwhile romantic novelist, who writes under the pen-name Louise Bagshawe, claimed that “some morons from Anonymous/LulzSec” had threatened her children via email.

“As I’m in the States, be good to have somebody from the UK police advise me where I should forward the email. To those who sent it; get stuffed, losers,” she said in August.

“Oh and I’m posting it on Twitter because they threatened me telling me to get off Twitter. Hi kids! ::waves:: I’ve contacted the police via the House of Commons and the email is with them now. I don’t bully easily, kids. Or in fact at all.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/louise_mensch_twitter_email_man_charged/

Security takes a backseat on Android in update shambles

The majority of Android smartphone users are walking around with insecure devices running out-of-date OS builds, leaving personal and business data at greater risk of attack.

The latest figures from Google’s Android developer web site show that 44.4 per cent of users have the latest version of Android (Android 2.3 or later) installed on their devices. A further 1.9 per cent are running developer builds.

That leaves 53.7 per cent running older versions, the majority of which (40.7 per cent of the total userbase) are running Android 2.2 (Froyo). The stats come from users visiting Google’s App Store over a fortnight.

A study by application security firm Bit9 found that the sheer complexity of the Android ecosystem – in which updates are distributed in different ways and at different times (if at all) based on manufacturer, phone family, phone model, carrier, and geographic location – has meant security has taken a back seat, leaving smartphone users more vulnerable as a result.

Bit9 looked at the 20 most popular Android handsets from the likes of Samsung, HTC, Motorola, and LG. It found many Android smartphone suppliers launch new phones with outdated software out of the box. To make matters worse, many suffer from tremendous lag times in rolling out updates to later and more secure versions of Android.

Six of the 20 surveyed phones are running Android 2.2, a version that shipped 18 months ago in May 2010. A further seven are running builds of Android that are at least nine months old. Only seven of them were up to date.

The average time between when an update is available from Google and when it is pushed to the phone is 185 days – slightly more than six months. For example, across the Samsung models Bit9 studied, the average lag time is over 240 days (over eight months).

In some cases, the phones are not updated at all as the manufacturers shift their focus to newer models, leaving existing customers stranded with insecure software. In many cases, the only recourse a consumer has, if they want the latest and most secure software, is to purchase a new phone, according to Bit9.

Security nightmare for BOFHs

“Smartphones are the new laptop and represent the fastest emerging threat vector,” said Harry Sverdlove, CTO of Bit9. “In our bring-your-own-device-to-work culture, people are using their personal smartphones for both personal and business use, and attacks on these devices are on the rise.”

Android smartphone manufacturers are prioritising form and functionality over security, leaving consumers and businesses at greater risk as a result of running out-of-date and insecure smartphone software. The consumerisation of IT, where more people are using their personal devices at work, is putting companies at risk for data leakage and intellectual property theft. Running around with outdated smartphone software is not just bad practice, it creates real security risks.

For example the DroidDream malware, which moved Google to pull at least 50 apps from the Android Market in March and invoke a “kill switch” to remove those applications from more than 250,000 Android users’ phones, relied on a specific vulnerability in the operating system that Google fixed in its 2.3 (Gingerbread) release and a point release of 2.2.2 (Froyo).

“The malware itself was delivered as a standard app that users had to choose to install, but its ability to take complete control (root) the phone was dependent on the patch level of the phone,” Sverdlove explained.

In August 2011, a vulnerability was discovered that could allow an attacker to hijack the browser. Google fixed this problem in 2.3.5 and 3.1. While no attacks based on the vulnerability have been carried out to date it would be rash to wait until a major attack is underway before patching.

Most minor and major updates of Android include “security updates”, and most Android phones come with manufacturer enhancements and third-party components (eg, Java and Flash) as well. Each of those components is equally at risk if they are not properly and regularly updated.

Despite this need for security updates the distribution model adopted by phone manufacturers and their carriers has created a chaotic and insecure environment in which it can take several months for important updates to be distributed, if at all.

“Manufacturers and phone carriers have shown that when they are in the business of owning software updates, they perform poorly,” Harry Sverdlove, CTO of Bit9 told El Reg. “Their interest is in selling newer phones and carrier contracts; they are not incentivised to prioritise security for existing phones.”

Sverdlove acknowledged there are no easy answers but suggested a number of steps to improve the situation. Much like the PC industry, smartphone manufacturers could relinquish control of the operating system software updates. This process has already been implemented with the Apple iPhone and Google Nexus phone.

Secondly security professionals and consumers need to put pressure on the manufacturers to be more responsible in prioritising security updates. In the meantime, corporations need to evolve to a “secure app store” model and allow only specific devices and trustworthy applications into their environment.

Bit9 does not as yet market services or technology that secures mobile devices. It carried out the research in the interests of raising awareness about what it sees as a growing problem. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/android_patching_mess/

Tor launches DIY relays in Amazon cloud

The Tor Project is tapping Amazon’s EC2 cloud service to make it easier for volunteers to donate bandwidth to the anonymity network.

Developers with the project have released preconfigured Tor Cloud images that volunteers can use to quickly deploy bridges that allow users to access the service. The new system is designed to take some of the pain out of running such Tor relays by reducing the work and cost of deploying and running the underlying hardware and software.

“Setting up a Tor bridge on Amazon EC2 is simple and will only take you a couple of minutes,” a project member wrote in a post published on Monday. “The images have been configured with automatic package updates and port forwarding, so you do not have to worry about Tor not working or the server not getting security updates.”

In many cases, those availing themselves of the images to set up Tor bridges will qualify for Amazon’s free usage tier. That will allow volunteers to run a bridge on EC2 for a full year. Those who don’t qualify will need to pay about $30 a month.

Tor bridges are relays that aren’t listed in the main directory, making them harder to be blocked by repressive governments and service providers. The volunteer-maintained relays act as the first hop in the network. From there, traffic is forwarded to other relays.

The preconfigured server images are available in six of Amazon’s service regions, including Virginia, Northern California, Oregon, Ireland, Tokyo, and Singapore. They come with bandwidth limits to keep the cost of running a bridge below the $30 threshold. Once they are installed, they require little maintenance, the Tor posting said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/tor_amazon_bridge/

Smart meters blamed for Wi-Fi, garage opener interference

Smart meters issued by an electric utility in Maine are interfering with a wide range of customers’ electronic devices, including wireless routers, cordless phones, electric garage doors, and answering machines.

The Central Maine Power Company has received complaints from more than 200 customers since the meters were installed a little more than a year ago. The utility has deployed almost 425,000 of the devices, which use low-power radio transmissions to send meter readings. The 200 complaints received to date are probably a small subset of those affected, the state’s public advocate said.

“We have asked CMP to do a better job informing customers about these potential problems, and while CMP’s website does refer to the issue, we don’t think it goes far enough,” Public Advocate Richard Davies said in the statement. “My agency is troubled by the possibility that people may be spending their time and money fixing a problem that may be caused by CMP’s meters, and that can and should be fixed by CMP.”

In a list of frequently asked questions, utility officials said the meters operate on the same 2.4GHz frequency band used by many cordless phones and 802.11 wireless devices.

“Separating interfering devices usually reduces interference, so make sure the wireless device is located as far from the smart meter as possible,” the posting advises. “Also, adjust the position of the antenna on the device, if possible, and move the wireless device away from any walls that may absorb the signal.”

The utility also said interference can sometimes be overcome by changing the Wi-Fi channel used by their router. In the US, channels 1 and 11 are favored, the utility said.

In the past, some electric customers have reported that their power bills spiked immediately after their old meters were replaced with smart meters. Some have also complained about the health effects from the radio transmissions of smart meters, although there is little scientific evidence to back up these claims.

Security experts have also warned that smart meters are susceptible to hack attacks that could potentially take down the power grid. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/smart_meter_interference/

‘Organized’ hack targets AT&T wireless subscribers

Hackers used automatic scripts to target AT&T wireless subscribers in an unsuccessful attempt to steal information stored in their online accounts, company officials said.

In an email sent to targeted subscribers, AT&T warned of an “organized attempt” to break into their accounts. The advisory was sent to less than 1 per cent of the company’s wireless subscribers, spokesman Mark Siegel told The Register. The company informed the users “out of an abundance of caution.”

“The people in question appear to have used ‘auto script’ technology to determine whether AT&T telephone numbers were linked to online AT&T accounts,” company officials said in an accompanying statement.

If the script was able to isolate phone numbers that were linked to online accounts, AT&T’s website may be configured in a way that puts subscriber privacy at risk. Last year, hackers obtained the email addresses of 114,000 early adopters of Apple’s iPad by exploiting weaknesses in an AT&T website.

Security advisors say login mechanisms on websites should never return error messages that indicate an email address, phone number, or user name is valid. Siegel declined to elaborate on the attack or how AT&T’s website responded to the attack script.
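The advice above, sketched as an added example that is not from the original article and does not describe AT&T's actual site: a login handler whose error messages reveal which phone numbers have accounts, a hardened handler that answers identically either way, and a regression check a defender can run against both. All function names, messages and the sample phone numbers are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


# Constructed sample data: one registered number from the fictional 555-01xx range.
ACCOUNTS = {"2025550143": _make_account("correct horse battery staple")}

# Throwaway credential so unknown numbers cost the same hashing work as known ones.
_DUMMY = _make_account(os.urandom(16).hex())

GENERIC_FAILURE = (401, "The phone number or password is incorrect.")


def login_leaky(phone: str, password: str):
    """Weak form: status code and message differ depending on whether the number exists."""
    account = ACCOUNTS.get(phone)
    if account is None:
        return (404, "No online account is linked to this number.")
    if not hmac.compare_digest(_hash(password, account["salt"]), account["hash"]):
        return (401, "Incorrect password.")
    return (200, "OK")


def login_uniform(phone: str, password: str):
    """Hardened form: one failure response, and the same hashing work, for every miss."""
    account = ACCOUNTS.get(phone)
    record = account or _DUMMY  # always hash, even for unknown numbers
    matches = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    if account is not None and matches:
        return (200, "OK")
    return GENERIC_FAILURE


def reveals_account_existence(login_fn, registered: str, unregistered: str) -> bool:
    """Regression check: does a failed login look different for a registered
    number than for an unregistered one?"""
    wrong = "not-the-password"
    return login_fn(registered, wrong) != login_fn(unregistered, wrong)


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        leaks = reveals_account_existence(fn, "2025550143", "2025550199")
        print(f"{fn.__name__}: reveals account existence = {leaks}")
```

The same rule applies to password-reset and sign-up forms, which need the same identical-response treatment.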

“No accounts were breached and our investigation is ongoing to determine the source or intent of the attempt to gather this information,” the statement said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/att_attack/

‘Occupy Flash’ web hippies aim to rid world of Adobe plugin

An “Occupy Flash” website is urging PC users to rip Adobe’s ubiquitous media player off their computers and embrace HTML5.

The Occupy Flash site describes its goal as ridding the world of Adobe’s Flash Player plug-in because, it says, HTML5 has won the future of the web. Adobe earlier this month admitted it is no longer developing the mobile version of Flash.

Flash Player is a security nightmare, doesn’t work on most devices and makes the web less accessible, the group said, adding: “At this point, it’s holding back the web.” The group continues:

It’s a fossil, left over from the era of closed standards and unilateral corporate control of web technology. Websites that rely on Flash present a completely inconsistent (and often unusable) experience for a fast-growing percentage of the users who don’t use a desktop browser. It introduces some scary security and privacy issues by way of Flash cookies.

The group wants the world to avoid another situation similar to the lingering existence of Microsoft’s Internet Explorer 6, where the browser lives on because “a contingent of decision makers” mandates its use.

Flash is resident on more than 90 per cent of internet-connected PCs, according to Adobe, and is the default choice for many building online animations, ads, films and other media content.

Inevitably this means there will be “some pain and sacrifice involved” in removing Flash, the site bravely states, “but the more of us who run browsers that don’t support Flash, the quicker that pain will subside”.

There’s no indication of who is behind Occupy Flash or how many people are involved. Instead the group decided to stay anonymous.

Anybody with half a memory will remember it was Apple’s late chief executive Steve Jobs who launched a solo crusade against Flash, saying HTML5 was the saviour of the web. It would therefore be easy to conclude Apple or some juiced-up Apple fanbois are continuing Jobs’ work through Occupy Flash. The site has claimed it has no corporate backer.

One thing Occupy Flash has admitted, though, is that it’s shamelessly co-opted a populist terminology, as it has not – nor can it – occupy anything. “Regardless, we love the idea of normal people taking on big corporations in the interest of the population at large,” the site’s administrators add. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/occupy_flash/

Spyhunting US pols to crawl up Huawei and ZTE’s ass

US lawmakers have launched an investigation into the threat of cyber espionage from Chinese telecoms firms operating in the US, singling out Huawei and ZTE.

The House of Representatives committee on intelligence said yesterday that it was focused on the threat to America’s security and critical infrastructure coming from “the expansion of Chinese-owned telecommunications companies – including Huawei and ZTE – into our telecommunications infrastructure”.

According to the committee, the probe will be looking at “the extent to which” the companies give the Chinese government the opportunity to spy on the US, whether for political or economic reasons and how much of a threat to critical infrastructure the firms are. Which doesn’t seem to offer much chance of the investigation maybe finding that the companies aren’t at all involved in spying.

“The fact that our critical infrastructure could be used against us is of serious concern,” Republican congressman and committee chairman Mike Rogers said in a canned statement. “We are looking at the overall infrastructure threat and Huawei happens to be the 800 pound gorilla in the room, but there are other companies that will be included in the investigation as well.”

“As the formal investigation begins, I stand by my caution to the American business community about engaging Huawei technology until we can fully determine their motives,” he added.

The investigation comes shortly after an intelligence report presented to Congress alleged that Russia and China are using cyber espionage to steal US economic secrets, a charge China subsequently denied.

“Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the intelligence community cannot confirm who was responsible,” the Office of the National Counterintelligence Executive said in the report.

Following media coverage of the report, Chinese Foreign Ministry spokesman Hong Lei told a daily news briefing that accusing the country of cyber attacks without an investigation was “both unprofessional and irresponsible”.

“I hope the international community can abandon prejudice and work hard with China to maintain online security,” he added.

Rogers, who is a former FBI agent, said yesterday that the committee “already knows the Chinese are aggressively hacking into our nation’s networks … and stealing secrets worth millions of dollars in intellectual property”.

A Huawei spokesperson told The Register in an email that the integrity of its gear had been proven by deployment by 45 of the top 50 telecoms service providers around the world “without security incident”.

“We acknowledge that network security concerns are very real and we welcome an open and fair investigation, whether by Congressional Committee or otherwise, focused on concerns raised by the interdependent global supply chain used by virtually every telecommunications equipment manufacturer providing solutions in the US and elsewhere,” the firm said.

A ZTE statement said: “ZTE is wholly committed to transparency and will cooperate in addressing any inquiries regarding our business. Our company is publicly traded with operations in more than 140 countries and we are confident a fair review will further demonstrate that ZTE is a trustworthy and law-abiding partner for all US carriers and their customers.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/us_probe_chinese_telco_firms/

Inside the mysterious US satellite hacking case

Analysis The cause and perpetrators behind interference against two US scientific satellites remain unknown to American military commanders more than three years after the mysterious event.

The Congressional US-China Economic Security and Review Commission said in its latest annual report that two US-maintained environment-monitoring satellites experienced interference at least four times in 2007 and 2008. Draft versions of the dossier, seen prior to the publication of the completed report last Wednesday, suggested the interference came from a ground station in Spitsbergen, Norway, and painted China as the chief suspect behind the presumed attacks.

However the satellite services firm running the ground station told El Reg that there’s no evidence of any attack against its systems. Separately the commander of US military space operations said that insufficient evidence made it impossible to confidently attribute blame over the possible attempts to take control of the Landsat-7 and Terra AM-1* satellites, which are both managed by NASA.

“The best information that I have is that we cannot attribute those two occurrences,” said General Robert Kehler, commander of the U.S. Strategic Command, Reuters reports. “I guess I would agree that we don’t have sufficient detail.”

Kehler made his comments during a conference call on cyber and space issues.

Earlier drafts of the commission’s report traced the cause of the probe interference to the Norwegian ground station owned and run by Kongsberg Satellite Services (KSAT), which denied any occurrence of interference via its facilities. In response to queries by El Reg, the satellite services firm issued a statement saying a thorough investigation has turned up nothing amiss. Neither NASA, which maintains the satellites, nor regulators at the National Oceanic and Atmospheric Administration had complained, it added.

The statement read:

KSAT has not experienced any attempt to enter into the company’s systems from outside sources. Furthermore, KSAT does not have any indication that hacking of satellites using the KSAT Svalbard station has taken place. A careful screening of our security systems has not indicated any attempts to access SvalSat from unauthorized sources.

We have not received any message from NASA that their satellites were hacked. To our knowledge, NASA has not observed any external, unauthorized access to their satellites.

The internet is occasionally used for distribution of x-band payload data received from the satellites to the end user. Hence, this communication channel cannot be an access point for unauthorized access if it had happened. Due to the layout of our communication systems it is not possible to access any NASA satellites from KSAT sources.

The US government, represented by NOAA, regularly inspects KSAT operation. Irregular activity has not been observed nor reported.

References to KSAT and Svalbard were removed from the commission’s final report because, according to a KSAT spokesman, the hacking allegations were “unsubstantiated and no evidence has been found”.

Despite this, the congressional committee report continues to argue that interference against the US satellites remains a threat. It says Chinese military doctrine advocates the use of techniques for disabling an enemy’s ground-based satellite control facilities during a time of conflict.

China is now among the top few space powers in the world. China’s leadership views all space activities through the prism of comprehensive national power, using civil space activities to promote its legitimacy in the eyes of its people, to produce spin-off benefits for other industries, and for military-related activities. For example, China appears to be making great strides toward fielding regional reconnaissance-strike capabilities. China has also continued to develop its antisatellite capabilities, following up on its January 2007 demonstration that used a ballistic missile to destroy an obsolete Chinese weather satellite, creating thousands of pieces of space debris.

As a result, in April 2011, astronauts evacuated the International Space Station out of concern of a possible collision with this debris.

In addition, authoritative Chinese military writings advocate attacks on space-to-ground communications links and ground-based satellite control facilities in the event of a conflict. Such facilities may be vulnerable: in recent years, two U.S. government satellites have experienced interference apparently consistent with the cyber exploitation of their control facility.

The report says links between supposedly secure control networks and the internet offer a soft underbelly that’s open to attack.

Malicious actors can use cyber activities to compromise, disrupt, deny, degrade, deceive, or destroy space systems. Exploitations or attacks could target ground-based infrastructure, space-based systems, or the communications links between the two.

Authoritative Chinese military writings advocate for such activities, particularly as they relate to ground-based space infrastructure, such as satellite control facilities.

Satellites from several U.S. government space programs utilize commercially operated satellite ground stations outside the United States, some of which rely on the public Internet for “data access and file transfers,” according to a 2008 National Aeronautics and Space Administration quarterly report.

The use of the Internet to perform certain communications functions presents potential opportunities for malicious actors to gain access to restricted networks.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/us_sat_hack_mystery/

Kindle hackers give Nook a thorough rooting

Gadget enthusiasts have managed to root the Nook Tablet.

The Android-based device, only unveiled by Barnes & Noble in the US last week, was pwned by the same group of developers who previously rooted the Amazon Kindle Fire. In both cases rooting the devices gives users the ability to install apps themselves, rather than being restricted to those offered by the manufacturer.

More details on how the Nook hack was carried out can be found on the XDA Developers forum, together with users’ mixed experiences. Not everyone can successfully complete the rooting process though many can, suggesting that the script which pulls off the job may be either unreliable or (more likely) fiddly and in need of refinement.

The Nook Tablet is an eBook reader with a colour screen that also includes the ability to watch videos, view photos and play music. It includes Wi-Fi connectivity. Like its predecessor the device is only sold in the US, at least for now, because of a lack of distribution partners in either Europe or Asia Pacific. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/nook_tablet_rooted/