STE WILLIAMS

iPhone con man knifed to death in knock-off mobile brawl

A bloke was arrested after a brawl over a counterfeit Apple mobile led to the fatal stabbing of a con man.

The fight kicked off in Zhengzhou, northern China, according to Henan province newspaper The Dahe Daily [Chinese], which published grisly CCTV footage capturing the moment of the stabbing.

A 29-year-old cook surnamed Feng was out bargain hunting in a shopping district of the city when a man offered to sell him a brand new iPhone for only 2,000 yuan (£200). Realising too late that he’d been had and that the mobile was a knock-off, it is alleged that Feng returned to the area on a daily basis armed with a large knife in an attempt to find the con man.

In the end he didn’t find the miscreant who conned him, but happened upon a group of fraudsters who were trying to trick a young boy in the same way. Feng brandished his chopper and they dispersed, it is claimed.

A few days later Feng came across the same gang and, it is alleged, a scuffle broke out, during which he stabbed one of the crooks in the chest and severed a major artery in the right leg of another. The second victim died a day later due to excessive blood loss.

The market in shanzhai – China’s counterfeit products – has reached astounding proportions, with the highly sought-after iPhone providing knock-off merchants with a good source of income.

In the end, it’s unlikely that this case will keep shanzhai pedlars off the streets, but it may teach a few consumers not to buy electrical kit from dodgy-looking chaps in anoraks. Cops are investigating the death after Feng told them he could not remember what happened during the chaos of the brawl. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/06/iphone_murder_china/

Google’s privacy policy: Incoherent and confusing

Comment: Google’s new combined Privacy Policy (March 2012) has been widely criticised by privacy professionals and Data Protection Authorities (in particular the CNIL – the French Data Protection Authority). However, so far the reasons for this criticism have been made in general terms. Here is a more detailed explanation.

Google’s Privacy Policy is incoherent because it uses overlapping terms. This makes it difficult to follow, and makes it difficult to discern what type of information the policy is claiming to protect. It cannot be fair to users if they cannot easily understand what the privacy policy means for them. The policy is also unfair in conventional terms as it does not, in many instances, fully describe the purposes of the processing.

Secondly, as the CNIL claims, it may be that Google’s privacy policy is in breach of the Data Protection Directive – and even of the USA’s Safe Harbor Principles [2] (see analysis below). Google’s privacy policy states that “Google complies with the US-EU Safe Harbour Framework”: but I can show that this claim cannot be substantiated if Google’s new privacy policy is implemented.

Contradictory and confusing: overlapping terms

The privacy policy uses a wide range of similar terms in different circumstances which I think are contradictory. For example, it uses the following terms: “information”, “personal information”, “personal data”, “data”, “non-personally identifiable information”, “personally identifiable information”, “sensitive personal information”, and “other information that identifies you”. Are these terms talking about the same thing? Put simply, the reader doesn’t know for certain.

So when one part of the policy offers protection for “personal information”, another offers protection for “personal data”, another for “personally identifiable information” and yet another for “other information that identifies you” is the policy referring to the same type of information or not? Answers on a postcard to Google.

This is not the only problem. At times the policy uses a qualifier (eg, “log information” or “location information”). “Log information” by the way are the “details of how you used our service, such as your search queries” while “location information” is “information about your actual location” (my emphasis).

Can we have a quick quiz? Can you tell me whether “information” about your use or your location is “non-personally identifiable information” or “personal information”? My own view is that, because the policy uses the word “information” to describe logs and locations, that Google thinks it to be the former, but I suspect you think it could well be the latter.

Confused? You can now safely join the ranks of those who do not know what Google’s Privacy Policy means in practice.

Why is it in breach of the Directive and Safe Harbor?

The CNIL has claimed that, at first reading, Google’s Privacy Policy is in breach of the Directive, a claim so far not accepted by Google. As the Directive is the legislation mentioned expressly in the Safe Harbor Framework, I have checked whether Google’s Privacy Policy is consistent with the terms of that Framework.

There are demonstrable areas where Google’s Privacy Policy is inconsistent with the Safe Harbor Principles [2]. It follows that it is inconsistent with the Directive. These areas include the following:

1. Safe Harbor requires acceptance of the EU Directive definition of “personal data” – Google’s Privacy Policy uses a definition which is close to that used by the UK’s old Data Protection Act 1984 (and ignores the Directive definition of personal data completely).

2. Safe Harbor requires acceptance of the EU Directive definition of sensitive personal data – Google’s Privacy Policy does not include all items of sensitive personal data identified in the Directive.

3. Safe Harbor requires acceptance of the right of access to personal data – Google’s Privacy Policy includes some administrative exemptions from the right of access to personal data that are not authorised by Safe Harbor.

4. The confusion in the Privacy Policy does not meet the Safe Harbor requirement for clarity; there are several places where the purposes of the processing are not fully described by the Policy.

5. Google’s co-operation with data protection authorities specified in the Privacy Policy relates only to the transfer of personal data; Safe Harbor requires co-operation across the whole Framework.

Concluding comment

Everybody uses Google because its services are free and very useful. However, because they are “free”, it does not mean that Google can take the privacy of its users for granted in order to maximise profit. Its privacy policy [1], I am afraid to say, is incoherent, unclear, and likely to lead to breaches of data protection legislation. In my view, the Policy needs a major overhaul.

Secondly, I don’t think Google (and other USA corporations, I have to say) have quite “got it” in the context of the messages coming out of the Leveson Inquiry. Google has not understood that a large multinational communications company, headed by the Murdochs, is in trouble not because it invaded the privacy of celebrities, but because it invaded the privacy of ordinary individuals. Google’s meat and drink is the processing of personal data and data relating to millions of ordinary citizens.

The Murdochs thought they were so large and powerful that they were invincible and it appears that Google does the same. By ignoring basic data protection laws and rules in the way described in its own policy, even those agreements established in the USA, Google is taking some unnecessary risks.

References

[1] Google’s Privacy Policy and related FAQs

[2] The US Safe Harbor Privacy Principles – issued by the US Department of Commerce on 12 July, 2000.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/06/why_google_privacy_policy_is_so_difficult_to_follow/

Stolen iPad leads to 780lb crystal meth seizure

Silicon Valley police tracking down a stolen iPad have made a massive drug bust resulting from rank stupidity by the thieves.

The Palo Alto policemen were tracking down a stolen iPad, using its GPS-based “Find My iPad” feature to determine its location. After tracing the filched fondleslab to an apartment building, they knocked on the door and asked to be let in, even though they didn’t have a warrant. Rather surprisingly, the occupants agreed.

“They probably thought if they didn’t, we’d suspect something,” Assistant District Attorney David Tomkins told The San Jose Mercury News. “Or they thought, ‘I’ll let them in – they probably won’t find anything.’”

However the police did find something – 780 pounds of crystal meth worth an estimated $35m, to be precise – scattered around the apartment building. District Attorney Jeff Rosen said that local police typically seize about 100 pounds of crystal meth every year, making this one of the biggest busts in their history.

“I told my dad about the bust,” said Rosen, “and he said, ‘They have $35 million, and they can’t go out and buy an iPad?'”

Three people, who were presumably high on their own supply when they invited the police in, have since been arrested. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/05/stolen_ipad_crystal_meth/

GitHub reinstates Russian who hacked site to expose flaw

GitHub has reinstated the account of a Russian software developer who discovered a series of security flaws involving the code repository that he eventually shamed the site into fixing over the weekend.

Egor Homakov discovered a cryptographically-related security bug on GitHub that allowed attackers to gain administrator access to projects such as Ruby on Rails and scores of others. GitHub itself uses a vulnerable Ruby on Rails application framework, the root cause of the problem, leaving the code repository open to attack. Homakov reported this so-called mass assignment vulnerability on the Rails repository.

Administrators deleted the thread on the bug. Homakov reopened a ticket on the flaw (which involves a failure to properly check incoming form parameters), only to be more or less ignored again.

Tired of these shenanigans, Homakov exploited the bug to add his public key to the Rails project on GitHub, making him an administrator of the project. At this point he could have deleted project histories – or worse. Instead, he overwrote timestamps to post a message under the guise of habitually drunken kleptomaniac robot Bender, of Futurama and e-vote hacking fame, that was dated 1,000 years in the future. He also pushed a new (innocuous) file onto the Rails repository.

Homakov explains what he did in a blog post entitled “Egor, stop hacking GH”.

Stirred into action, GitHub acted quickly to suspend Homakov over the harmless hack, which it initially treated as a full-on security attack. It also fixed the vulnerability that had allowed Homakov’s hijinks, which would have been avoided if his initial reports were taken seriously.

After reviewing Homakov’s activity, wiser counsel prevailed and GitHub restored the Russian software developer’s account. In fairness, the suspension only lasted a few hours, and GitHub’s initial caution was understandable. A blog post by GitHub explained it was Homakov’s actions in exploiting flaws to upload his personal key and make changes to the rails project that earned him a spell in the sin-bin.

There has been some confusion over today’s security vulnerability and our policy on responsible disclosure and account suspension that I’d like to clear up.

Three days ago, user @homakov opened an issue on rails/rails about the prevalence of the mass-assignment vulnerability. Two days ago he responsibly disclosed a security vulnerability to us and we worked with him to fix it in a timely fashion. Today, he found and exploited the public key form update vulnerability without responsible disclosure. For this reason we temporarily suspended his account for violation of section A8 of the GitHub Terms of Service pending a full investigation into what happened. Now that we’ve had a chance to review his activity, and have determined that no malicious intent was present, @homakov’s account has been reinstated.

GitHub took the opportunity to refer interested parties to its code on vulnerability disclosure. ®
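As an added illustration of the mass-assignment bug described in this story (example code, not GitHub’s or Rails’ own), the following models a public-key record owned by a user and contrasts an update that copies every submitted form field with one that copies only an allow-list of editable fields, the approach Rails exposes as attr_accessible. The PublicKey class, the user_id/title/key fields and the sample form submission are constructed assumptions.

```ruby
# Minimal stand-in for an ActiveRecord-style model: attributes live in a hash
# and "mass assignment" means copying a params hash straight into them.
class PublicKey
  attr_reader :attributes

  def initialize(attrs)
    @attributes = attrs.dup
  end

  # Vulnerable pattern: every key in params becomes an attribute, so a form
  # submission carrying an unexpected user_id field silently re-parents the
  # key record to a different user (the root cause the article refers to).
  def update_unchecked(params)
    params.each { |k, v| @attributes[k.to_s] = v }
    self
  end

  # Hardened pattern: only an explicit allow-list of user-editable fields is
  # copied; ownership and identity columns are never settable from a form.
  # Returns the names of the fields that were rejected so they can be logged.
  EDITABLE = %w[title key].freeze

  def update_permitted(params)
    rejected = []
    params.each do |k, v|
      if EDITABLE.include?(k.to_s)
        @attributes[k.to_s] = v
      else
        rejected << k.to_s
      end
    end
    rejected
  end
end

# Constructed sample data: a key record owned by user 7, and a form submission
# (as a controller would receive it) that includes an extra user_id field.
def sample_key
  PublicKey.new("id" => 42, "user_id" => 7, "title" => "laptop",
                "key" => "ssh-rsa AAAA-constructed-placeholder")
end

TAMPERED_PARAMS = {
  "title" => "laptop",
  "key" => "ssh-rsa BBBB-constructed-placeholder",
  "user_id" => 1
}.freeze

# Owner of the record after the unchecked update: the submitted value wins.
def vulnerable_owner_after_update
  sample_key.update_unchecked(TAMPERED_PARAMS).attributes["user_id"]
end

# Owner of the record after the allow-listed update: the original owner stays.
def hardened_owner_after_update
  k = sample_key
  k.update_permitted(TAMPERED_PARAMS)
  k.attributes["user_id"]
end

# Detection angle: the rejected field names are what a defender would log and
# alert on; repeated user_id rejections on this endpoint are the signal.
def rejected_fields
  sample_key.update_permitted(TAMPERED_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  puts "unchecked update: owner becomes user #{vulnerable_owner_after_update}"
  puts "allow-listed update: owner stays user #{hardened_owner_after_update}, " \
       "rejected fields #{rejected_fields.inspect}"
end
```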

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/05/github_hack/

Two Brits in court over Michael Jackson back catalogue hack

Two British men have denied hacking into Sony’s systems and downloading 50,000 files covering Michael Jackson’s entire back catalogue – including unreleased songs.

James Marks, 26, from Daventry in Northamptonshire, and James McCormick, 25, from Blackpool, appeared at Leicester Crown Court charged with computer hacking and copyright infringement offences. Both pleaded not guilty and were bailed to stand trial in January 2013.

Sony had bought the material from the Jackson estate for $250m (£164m) in 2010, months before data was allegedly siphoned from Sony’s insecure network. A breach was discovered during an audit of Sony’s gear following last year’s PlayStation Network mega-hack.

“Everything Sony purchased from the Michael Jackson estate was compromised,” claimed a source, talking to The Sunday Times. “It caused them to check their systems and they found the breach. There was a degree of sophistication. Sony identified the weakness and plugged the gap.”

The songs allegedly lifted included an unreleased duet featuring Jackson and Queen front man Freddie Mercury, as well as unpressed versions of songs from studio recordings of Jackson’s albums including Off The Wall, Thriller and Bad, according to music industry news sites. The court was told 50,000 files were allegedly swiped but this does not mean that the same number of songs were taken, contrary to earlier media reports.

Sony Music has yet to comment. Marks and McCormick were arrested by officers from the Serious and Organised Crime Agency in May before charges of violations against the Computer Misuse Act and Copyright, Designs and Patents Act were filed last September, a SOCA spokesman confirmed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/05/jackson_catalogue_hack_charges/

NASA lost ‘full control’ to hackers, pwned 13 times last year

Cybercrooks broke into NASA’s computer systems 13 times last year, gaining “full functional control” of important systems in the worst cases, according to testimony before the US Congress by the space agency’s inspector general.

Paul Martin told a Congressional panel on information security at the space agency that NASA spent $58m of its $1.5bn annual IT budget on cyber security. The space agency has long been a prestige target for hackers of various skill levels and motivations, including profit-motivated malware distributors (cybercrooks) and intruders thought to be in the pay of foreign intelligence services.

Poorly implemented security policies mean that these attacks were often successful. In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorised access to its systems, Martin testified (PDF) before the US House Committee on Science, Space and Technology last Wednesday.

Some of these intrusions have affected thousands of NASA computers, caused significant disruption to mission operations, and resulted in the theft of export-controlled and otherwise sensitive data, with an estimated cost to NASA of more than $7m.

In the most serious of these incidents, hackers gained control of systems at NASA’s Jet Propulsion Laboratory. The attack was traced back to IP addresses in China, Martin explained. Another of the most serious APTs (advanced persistent threats) that hit NASA last year resulted in the extraction of user credentials from 150 space agency workers.

Martin told the panel:

In FY 2011, NASA reported it was the victim of 47 APT attacks, 13 of which successfully compromised Agency computers. In one of the successful attacks, intruders stole user credentials for more than 150 NASA employees – credentials that could have been used to gain unauthorised access to NASA systems. Our ongoing investigation of another such attack at JPL involving Chinese-based internet protocol (IP) addresses has confirmed that the intruders gained full access to key JPL systems and sensitive user accounts.

The compromised access would have allowed hackers to gain “full functional control over these networks” including the ability to extract data, delete sensitive files, plant hacking tools, add accounts or modify logs meant to provide a warning that such attacks had taken place.

More than 130 NASA computers were infected by DNS changer malware connected to the Operation Ghost Click bust, Martin testified. NASA computers were among the millions of PCs worldwide infected by malware capable of hijacking internet searches to run click-fraud scams, punt scareware at potential victims and promote unlicensed pharmaceutical stores.

Fortunately, we found no evidence of operational harm to NASA or compromise of sensitive data caused. Nevertheless, the scope and success of the intrusions demonstrate the increasingly complex nature of the IT security challenges facing NASA and other Government agencies.

Martin noted the agency faced particular difficulties, including its need to share its scientific research, and acknowledged the agency had made progress in improving security loopholes uncovered by previous audits. Nonetheless he criticised the agency for lagging behind other US government agencies in encrypting data on laptop computers.

He said the government-wide encryption rate for mobile devices stood at around 54 per cent. However, as at the start of February 2012, only 1 per cent of NASA portable devices/laptops have been encrypted.

Between April 2009 and April 2011, NASA reported the loss or theft of 48 of the agency’s mobile computing devices, some of which resulted in the leak of all manner of sensitive data. For example, the March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the codes used to command and control the International Space Station. Other lost or stolen notebooks contained Social Security numbers and sensitive data on NASA’s Constellation and Orion programmes. Martin warned:

Until NASA fully implements an Agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft.

Martin added that Office of Inspector General investigators had conducted more than 16 separate investigations of breaches of NASA networks during recent years, several of which have resulted in the arrests and convictions of foreign nationals in China, Great Britain, Italy, Nigeria, Portugal, Romania, Turkey, and Estonia.

NASA was one of the organisations breached by the British hacker Gary McKinnon, during his self-admitted search for UFO files on US military systems during 2001 and 2002. A decade after his initial arrest, McKinnon and his supporters are still fighting attempts to extradite him to the US to answer charges related to alleged intrusions against US military and NASA systems.

Linda Cureton, NASA’s Chief Information Officer, defended the space agency’s record in a statement (PDF) submitted to the Congressional committee.

She said:

Like most Federal agencies, NASA has seen the full spectrum of cyber attacks, ranging from minor attacks, where countermeasures are sufficient and appropriate, to sophisticated attacks where in some cases countermeasures are reactive and need improvement. NASA has a high public and internet profile, its information can be highly attractive to attackers, and whenever IT security compromises occur they tend to generate media attention when the information is public in nature.

NASA has acted on previously reported shortcomings by scanning its websites for flaws, improving its patch management and developing an incident response programme, she explained.

She added:

Since NASA’s infrastructure is worldwide, the agency is striving to achieve a risk-based balance between security, system operability, and user requirements. While demanding a culture of security awareness, NASA will continue to improve the defense of our IT security posture and build security into the System Development Life Cycle (SDLC) of our IT solutions and everyday work habits.

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/05/nasa_security_congressional_testimony/

Feds unlock suspect’s encrypted drive, avoid Constitution meltdown

Investigators have cracked the encryption key for a laptop drive owned by a Colorado woman accused of real-estate fraud – rendering a judge’s controversial order to make her hand over the passphrase or stand in contempt of court irrelevant.

The government seized the Toshiba laptop from Ramona Fricosu back in 2010 and successfully asked the court to compel her to either type the key into the computer or turn over a plain-text version of the data held on her machine.

Her lawyer’s argument that compelling her to hand over encryption keys would violate her Fifth Amendment rights against self-incrimination was rejected. Prosecutors offered Fricosu limited immunity in this case without going so far as promising they wouldn’t use information on the computer against her.

The Electronic Frontier Foundation filed a brief supporting the defence in the case, arguing that Fricosu was being forced to become a witness against herself. District Judge Robert Blackburn refused to suspend his decision for the time it would take to convene an appeal. The regional 10th U.S. Circuit Court of Appeals refused to review his decision.

Fricosu was left with the stark choice of either coughing up her encryption keys by the end of February or risk a spell behind bars for contempt of court. Philip Dubois, Fricosu’s attorney, claimed that his client had forgotten the encryption passphrase.

The closely watched case set the scene for a legal showdown that would test the US Constitution’s Fifth Amendment rights in the digital age. However, the Feds handed the plain-text contents of the laptop to Dubois on Wednesday. It seems more than likely that the authorities had come across the right passphrase without Fricosu’s forced assistance.

“They must have used or found successful one of the passwords the co-defendant provided them,” Dubois told Wired.

Fricosu and her ex-husband and co-defendant, Scott Whatcott, are both accused of mortgage fraud.

The development comes days after a federal appeals court ruled in a separate case that a defendant did not have to hand over keys to decrypt a laptop drive believed to be storing images of child abuse. The ruling by the Atlanta-based US 11th Circuit Court of Appeals in the case of an unnamed Florida suspect upheld the defendant’s right to resist forced decryption.

This was the first appellate court to rule on the balance between Fifth Amendment rights against compelled self-incrimination and the public interest in allowing police to potentially unearth evidence in criminal cases involving encrypted computers and storage devices. However, the ruling is not binding in other regions, especially in the absence of a Supreme Court ruling on the issue.

The US Fifth Amendment holds that no one “shall be compelled in any criminal case to be a witness against himself”. Supreme Court rulings have previously ruled that a criminal suspect can be compelled to turn over a key to a safe possibly containing incriminating evidence, but is not obliged to supply the combination of a safe to investigators. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/forced_decryption_ruling_moot/

It never ends: TV exposé tags new Android privacy howler

The UK’s Channel 4 News has dropped a fresh load of privacy grief in Larry’s lap, with an exposé into the way advertisers hitch-hike on apps’ permissions.

The Channel 4 piece has drawn a furious response from European Commission VP Viviane Reding, who has told the broadcaster: “this is against the law, because nobody has the right to get your personal data without you agreeing to this.”

Reding said people have “no idea” what’s happening to their data: “They are spotting you, they are following you, they are getting information about your friends, about your whereabouts, about your preferences. That is certainly not what you thought you bought into when you downloaded a free of charge app. That’s exactly what we have to change.”

What Channel 4 discovered, with the help of MWR Infosecurity, was that the permissions a user grants to a free application carrying ads are also granted to the advertiser. This means ad networks can gain access to the user’s “contacts, calendar and location”, the researcher claims.

The unnamed researcher told Channel 4: “We found that a lot of the free applications in the top 50 apps list are using advertising inside the applications and that the permission that you grant to these applications is also granted to the advertiser. If users knew about this I think they would be concerned about it but at the moment I don’t think they are aware of the situation and how widely their information can be used.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/05/more_android_privacy_fail/

Android a photo-slurper too: report

On the heels of last week’s controversy regarding the photo-slurping habits of iPhones come reports that Android can play similar games with privacy.

Following the template it used to demonstrate the iOS vulnerability, the New York Times commissioned an Android app developer, Ralph Gootee of Loupe, to put together a demo app which, once installed, grabs the newest photo in the target smartphone and posts it to a public Website.

The exploit depends on a flaw in how permissions are granted by Android: the user is asked whether the app can access the Internet. A “yes” response also gives the app access to the photo library, even though this isn’t mentioned to the user.

A similar (not free) demonstrator was put together by a commenter to this story from El Reg.

While it’s hard to tell whether these privacy issues are deliberate or stuff-ups, it’s increasingly clear that both Apple and Google are struggling with the granularity of permissions. Neither users nor developers want to navigate a phone’s entire feature set merely to work out what an app can and cannot do; but it’s hard to simplify permissions without them leaking from one function to another. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/04/android_photo_slurp/

Tony Blair closes RSA 2012, denounces WikiLeaks

RSA 2012 Former British Prime Minister Anthony Charles Lynton Blair was RSA’s pick to close out their annual security conference in San Francisco, and he took the opportunity to bash WikiLeaks as “disgraceful.”

Blair took time out from his busy official role of bringing peace to the Middle East to pad his pockets speak for an unspecified sum at the conference’s closing keynote, where he told his audience that he had very little knowledge of technology – claiming he never even owned a mobile phone until he left political office. This was an advantage, as it turned out, given the News International hacking scandal, he joked.

Tony Blair closes the RSA 2012 conference

Privacy is for politicians Blair claims

That said, he has some trenchant views on privacy and the activities of organizations such as WikiLeaks. Individuals need to have private communications, he said, but at the same time there are people who threaten our way of life that have to be stopped. Politicians, however, need privacy to function, and he denounced WikiLeaks for breaking that by publishing State Department cables.

“The thing with the WikiLeaks is that it was, in my view, a very bad and disgraceful thing to do,” he said. “I was in Washington for meetings yesterday, and I have to be able to speak frankly. You can’t have a situation where you’re dealing with issues of extraordinary sensitivity and say there has to be complete openness.”

Blair did say that, when it came to IT security legislation, politicians need to talk to people on the front lines to formulate laws that make sense and would work in the real world – a remark that brought warm applause from the audience.

He also admitted to getting social media wrong. When social media first emerged, he said that politicians saw it as something which would act as a brake on the conventional media. In fact, he said it was having a multiplier effect, and now it was up to the mainstream media to provide clear facts. Social media is also having a revolutionary effect in cutting the influence of government censorship, he said.

He also described explaining technology to his 11-year-old son. While the younger generation was adopting technology faster than their parents, Blair asserted that you needed “the wisdom of the oldies” to put the technology itself in context.

Blair said that, despite massive changes in geopolitics, democracy was the future for the world, and cited the creation of the internet as an example of how free thinking is superior in driving innovation. Ultimately the economies of China and others will move towards a democratic model, in his opinion.

One can’t help but wonder at RSA’s recent choices for keynote closers. Past alumni have included Simon Singh, author of “The Code Book”, and serial (but reformed) fraudster Frank Abagnale – people with knowledge of, and an interest in, security. But in the last few years RSA’s choices have strayed from this path in favor of politicians giving stump speeches.

Last year Bill Clinton gave the closing address (from which press were barred – possibly to disguise the fact that Bubba gave almost exactly the same speech as he had at several other tech conferences that year), and this time we got another technology know-nothing.

While booking washed-up politicians might look good, one suspects delegates would rather have something on-topic. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/03/tony_blair_rsa/