STE WILLIAMS

‘Syrian Electronic Army’ fails to crack Israeli water system

Attempts purportedly made by pro-Assad hacktivists to attack water systems in northern Israel have failed, recent reports reveal.

The Syrian Electronic Army have more or less cornered the market in attacks on high-profile media accounts on Twitter over recent months with attacks on the BBC, The Guardian, AP and others. Two victims – The Telegraph and The Onion – both reported that the attacks on their websites had been carried out using a multi-stage phishing attack.


Twitter’s introduction of two-factor authentication, although flawed when it comes to shared group accounts, is a step in the right direction towards making such assaults more difficult.

In any case, the Syrian Electronic Army, at least according to Israeli security experts, have turned their attention to a far more difficult target: computers controlling the water system of the city of Haifa.

The attack was apparently launched around two weeks ago but failed, according to Yitzhak Ben Yisrael, Israel’s former cyber security adviser, AP reports. Yisrael made the comments during a recent lecture in the southern city of Beersheba.

The hack comes after Israeli airstrikes, allegedly against an arms convoy carrying missiles bound for Shiite Hezbollah militants, were launched on Syrian land at the beginning of the month. Hezbollah are long-time foes of Israel and allies of President Bashar al-Assad’s Syrian regime.

A previous run of attacks by hacktivist group Anonymous against Israeli websites in April also failed to cause any noticeable disruption. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/31/syrian_water_plant_hack_foiled/

EFF files objections with W3C decrying addition of DRM to HTML5

The Electronic Frontier Foundation (EFF) has upgraded to full member status of the World Wide Web Consortium (W3C), and as its first act has registered a formal objection to the proposed addition of DRM to the HTML5 specifications.

Its objection stems from the Encrypted Media Extension (EME) which was advanced to first draft earlier this month by W3C. The EFF contends that the purpose of the extension is nothing more than enforcing DRM, and says that existing web standards are capable of doing the job.


“This proposal stands apart from all other aspects of HTML standardization: it defines a new ‘black box’ for the entertainment industry, fenced off from control by the browser and end-user,” said EFF international director Danny O’Brien.

“While this plan might soothe Hollywood content providers who are scared of technological evolution, it could also create serious impediments to interoperability and access for all,” he argued.

The EME system proposed by Microsoft, Google, and Netflix adds a JavaScript system to allow a variety of DRM licenses, and the proposals have been dismissed by some as unethical. While the EFF acknowledges the code is technically as sound as can be expected, it says the system takes HTML in an unhealthy direction.

“The W3C needs to develop a policy regarding DRM and similar proposals, or risk having its own work and the future of the Web become buried in the demands of businesses that would rather it never existed in the first place,” said EFF Senior Staff Technologist Seth Schoen.

“The EME proposal needs to be seen for what it is: a creation that will shut out open source developers and competition, throw away interoperability, and lock in legacy business models,” Schoen said. “This is the opposite of the fair use model that gave birth to the Web.”

It’s a tricky situation. With Silverlight and Flash both looking long in the tooth, it’s clear that HTML5 is the future – but whether or not that future needs to include DRM is up in the air. Netflix has said it won’t switch without it (since DRM is essential to its business model), and Google wants similar controls for YouTube.

The W3C’s chief executive Jeff Jaffe has defended EME’s inclusion, and says it is needed to ensure that access to certain content isn’t limited to a variety of proprietary plug-ins. The result would otherwise be a dysfunctional two-tier web.

“It is W3C’s overwhelming responsibility to pursue broad interoperability, so that people can share information, whether content is protected or available at no charge,” Jaffe argues. “A situation where premium content is relegated to applications inaccessible to the Open Web or completely locked down devices would be far worse for all.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/31/eff_objects_drm_html5_with_w3c/

Google gives vendors seven-day bug disclosure deadline

Google has decided it’s fair to tell the world about newly-discovered security flaws seven days after it learns about them, even if that’s not enough time for vendors of vulnerable software to provide a fix.

The Chocolate Factory used its Online Security Blog to deliver this edict, writing that “We recently discovered that attackers are actively targeting a previously unknown and unpatched vulnerability in software belonging to another company.”


“We always report these cases to the affected vendor immediately, and we work closely with them to drive the issue to resolution.”

But that driving seems not to be happening at a speed Google thinks is appropriate, as the post goes on to say “we believe that more urgent action — within 7 days — is appropriate for critical vulnerabilities under active exploitation.”

Seven days is therefore the time Google will allow to elapse before it “will support researchers making details available so that users can take steps to protect themselves.”

The logic behind Google’s unilateral hurry-up is that “each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.”

That’s a point it’s hard to argue against. But Google’s not explained what it considers “critical vulnerabilities”. The Online Security Blog directs readers to this document at the Chromium Projects that details different levels of security-related severity. The guidelines on offer there pertain only to web browsers. Just what represents a “critical vulnerability” in a word processor or Android app is not explained.

Vulture South therefore wonders if Google has just proclaimed itself judge, jury and executioner when it comes to software flaws, inasmuch as it will decide what is a critical problem, and has set the time in which vendors must address it or face public shaming … by Google.

There’s massive potential for this to blow up in Google’s face: imagine if it publicises a flaw that has been imperfectly mitigated, but the outing of the problem sparks wider attempts at exploitation.

Vulture South will therefore be keeping an eye on this blog: a more nuanced response seems sorely needed and seven days seems a reasonable time to wait for the update. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/31/google_gives_vendors_sevenday_bug_disclosure_deadline/

China denies hacking claims, says it doesn’t need US tech

The Chinese Defense Ministry has rebutted claims in a US government report that it is systematically stealing American military secrets, and points out that China is producing enough of its own.

“We believe that the US remarks are a misjudgment. First it underestimates the Pentagon’s security capabilities, and second it underestimates the Chinese people’s wisdom,” said spokesman Geng Yansheng.

“China is fully capable of safeguarding national security requires the construction of weapons and equipment. Let’s just say, most recently, China’s aircraft carrier, new combat aircraft, transport aircraft and Beidou satellite navigation system and other equipment to fully illustrate this point.”

China does have an aircraft carrier, which was launched as the Soviet Navy’s Riga in 1988, left derelict, and then sold to the Chinese and renamed the Liaoning. It’s half the size of the US Nimitz-class aircraft carriers – of which the Navy has 10 – but Chinese shipyards are reportedly working on their own designs.

As for stocking the ship, the Chinese F-15 multi-role aircraft is in testing for carrier landings, and there have been some interesting sightings of Middle Kingdom airframes with stealth capability. El Reg has some doubts about any immediate threat, but the Chinese are making heavy investments in aerospace technology.

Image caption: Chinese F-15 carrier take-off. The punch in a pocket carrier.

On the matter of satellite navigation, however, China is approaching a point where it won’t need to rely on the GPS system for much longer. Its home-grown sat-nav system Beidou (BDS) has 16 birds aloft, covering the Asia-Pacific region, and the government has mandated its use by civilians. It plans to go global by 2020.

Online arms race heats up

The US hacking claims that inspired the Chinese comments came from a redacted section of a Pentagon report (PDF) that identified the systematic plundering of US military intelligence by state-sponsored Chinese hackers.

The report, prepared by the Defense Science Board, claims theft of classified data on the F-35 Joint Strike Fighter, F/A-18 fighter, and V-22 Osprey tilting-rotor aircraft, as well as Black Hawk attack helicopter design plans. Specifications for the Patriot missile system and Aegis and Terminal High Altitude Area Defense anti-missile systems are also thought to have been compromised.

The Defense Science Board report was first published in public form in January, and concluded that “the United States cannot be confident that our critical Information Technology (IT) systems will work under attack from a sophisticated and well-resourced opponent utilizing cyber capabilities in combination with all of their military intelligence capabilities.”

The report recommends that the US should obtain “deeper intelligence about adversaries’ offensive software,” safeguard US nuclear forces so that they are less vulnerable, and set up a “Cyber Warrior” program within the Department of Defense to recruit and train the online security teams.

This will all be interesting grist for the mill when President Obama has his first meeting with the new Chinese president Xi Jinping next month. Many topics will no doubt be on the agenda, but based on the current row, online tactics will be high on the list. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/30/china_denies_hacking_disses_us_tech/

Drupal hacked, resets passwords after millions of accounts exposed

Hackers are believed to have compromised the accounts of millions of users operating or developing the Drupal open-source content management system (CMS).

The Drupal Association says an individual or group has gained unauthorised access to the accounts on its Drupal.org and groups.drupal.org sites.


Information exposed includes user names, email addresses, country information and hashed passwords.

Websites running the Drupal CMS, however, are not believed to be affected, Drupal Association executive director Holly Ross said.

Ross, though, advised users to reset passwords on all other sites where they’d used similar passwords to those on Drupal.org and groups.drupal.org.

The exec also pointed out that the hack wasn’t the result of a vulnerability in the Drupal software itself, but rather that hackers had attacked via a flaw in third-party software installed on the Drupal.org server.

Prominent users of Drupal include the US White House, MTV, Sony, Warner Music, the BBC and The Economist, while Drupal serves as a core platform for more than 10,000 modules. It competes against WordPress, Blogger and Joomla.

Drupal has now reset the passwords on accounts and asked users to pick a new password next time they log in. Ross warned Drupal users to look out for suspicious emails asking for personal information and to be on the lookout for spam.

“Also, beware of emails that threaten to close your account if you do not take the ‘immediate action’ of providing personal information,” Ross wrote. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/30/drupal_sites_hacked/

UN to call for ‘pre-emptive’ ban on soulless robot bomber assassins

Comment: Picture this dystopian scenario. A robotic jet aeroplane takes off on a bombing mission. But this is not one of the “Predator” or “Reaper” drones in use today above Afghanistan – there’s no human pilot in constant control as there is with those, and once the jet is in the air there’s no way for human commanders to communicate with it.

The jet flies along at high speed for hours, hugging the ground and weaving through valleys to avoid being picked up on radar. It navigates using various different means. It can make use of the signals from GPS satellites in the sky, like a common-or-garden satnav, but it is not dependent on them: it also has terrain-matching radar and inertial guidance.


The jet completes its journey and decides without any human input at all whether it has in fact found its designated target. Assuming the robot decides affirmatively, a massive warhead plummets out of the sky on that spot and colossal explosive destruction is unleashed. No human being presses a button or pulls a trigger to allow this.

The day of the autonomous weapon has dawned.

Fanciful? No indeed. Why, we read in the Guardian:

“Killer robots” that could attack targets autonomously without a human pulling the trigger pose a threat to international stability and should be banned before they come into existence, the United Nations will be told by its human rights investigator this week.

That will be rather difficult, however. The autonomous robot jet bomber as described already exists: it is the Tomahawk cruise missile, and it went into service in the 1980s. Most US warships and submarines are armed with it (Royal Navy submarines carry it too). It has been used in anger on many occasions: hundreds of Tomahawks were launched in the opening stages of the 2011 Libyan intervention to suppress Colonel Gadaffi’s air defences, and British and US forces have used them against many other targets.

There are lots of other weapons of this sort, likewise in use for decades, generally classified as cruise or anti-shipping “missiles”. Most of them, however, actually function as robotic jet aeroplanes for most of their flight. All of them acquire their targets autonomously by various methods, without any communication with the humans who launched them.

The earnest Christof Heyns, UN special rapporteur, is going to need a time machine if he aims to get autonomous weapons banned before they come into existence, then. What’s he on about?

In short, he’s on about machines which will be familiar to regular Reg readers already: for instance the US Navy’s X-47B, an unmanned Stealth jet which could do the same sort of job as a Tomahawk if it were armed (at the moment it is just a prototype intended to see if robo-jets can operate from US Navy aircraft carriers). Blighty’s Taranis demonstrator – as and when it actually gets in the air – could evolve into something providing a similar capability, if desired. There’s also the Euro “Neuron” project.

It’s quite true that it would be an obvious thing, when using such robo-jets, to send them off on a strike mission to hit a target without any bandwidth-gobbling, potentially detectable-by-the-enemy video feeds and constant person-in-the-loop as seen in the Predators and Reapers of today. But we’re already doing that on a routine basis with Tomahawks, so it’s not a new idea.

The only technically new things about the X-47B et al are that they have Stealth, making them a bit harder to detect, and that they are meant to come back to base after delivering their warheads. The autonomous-targeting bit is old hat.

So is the idea that there ought to be a ban on some kind of new and terrible “killer robots”, in fact. Various poorly informed do-gooders, lawyers (and occasionally, fruitcakes) have been trying to stoke up the idea for years – see “Related Stories” below.

This latest push is, of course, motivated primarily by some people’s dislike of the current US programme of assassinations aimed at jihadi terrorists in various nations of the Middle East, generally carried out by Reaper or Predator drones. Heyns is special rapporteur on extrajudicial, summary or arbitrary executions, not on robots or weapons. As with other campaigners before him, his ignorance of military technology has led him to argue for a pre-emptive ban on something which is already in widespread use.

One can approve or disapprove of the ongoing CIA “drone” strikes as one wishes, of course. But it’s always amazed us here on the Reg killer robot desk that people get so worked up about the relatively surgical and carefully targeted drone campaign and ignore the colossal, devastating manned bombing offensives delivered by US and allied air forces in recent years, which by our estimates have killed anywhere from 10 to 100 times as many people. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/30/o_noes_ban_the_killer_robots_again/

PayPal denies stiffing bug-hunting teen on bounty

PayPal has denied that it refused a teenage security researcher a reward for finding a potentially nasty bug on the basis that he was too young. The payments processing firm said that while it had denied the 17-year-old a reward, it was because another researcher had already reported the flaw.

Robert Kugler, 17, found a cross-site scripting flaw on the payment processing firm’s website before claiming a reward under PayPal’s bug bounty programme.


Initially, Kugler claimed PayPal had told him in an email that he was ineligible for a reward because he was too young.

The terms and conditions for the reward scheme do not mention anything about the bounty being restricted to those over 18.

The German student recently published details of the bug, along with what he claimed were extracts from his email correspondence with PayPal, on a full disclosure mailing list, provoking damaging headlines along the lines of “PayPal Stiffs Teen Who Found Website Bug”.

In response to queries from El Reg, PayPal said Kugler had been denied the reward not because he was too young, but because someone else had previously reported the same flaw, directly contradicting Kugler’s account.

The eBay payments subsidiary said it was resolving the vulnerability, stressing that there was no evidence that it had been abused in any attacks to date and therefore no need for undue concern.

While we always appreciate contributions by the security community to PayPal’s Bug Bounty Program, we reward participants when they are the first to report valid security vulnerabilities.

In this specific situation, the cross-site scripting vulnerability was already discovered by another security researcher, so [the bug] would not have been eligible for payment, regardless of age [of the researcher], as we must honour the original researcher that provided the vulnerability.

We appreciate the security researcher’s efforts and this situation illustrates that PayPal can do more to recognise younger security researchers around the world. As a first step, we are sending an official letter of recognition for the researcher’s contribution and we are exploring other ways to recognise younger security researchers when they do discover a vulnerability and responsibly disclose that discovery.

PayPal’s conditions do state that its bounty is only awarded to the first person that discovers the previously unknown bug. El Reg asked PayPal which researcher was first to report this bug, as well as how many bug bounties it had paid out. It declined to answer both questions, so we’re none the wiser.

“PayPal does not share the details on the researchers or the number of bugs found,” a spokesman said.

Kugler said he is less than impressed with PayPal’s handling of his vulnerability report and how it runs its bug bounty programme more generally.

“It’s a strange behaviour from PayPal,” Kugler told El Reg. He claimed: “In my email correspondence with PayPal, no one ever mentioned someone else found the bug! They only said: ‘You’re disqualified because of being 17 years old’.”

He went on to claim: “After all that media attention they introduced: ‘No, we disqualified his bug because someone else already found it, not for being 17 years old’. Maybe it’s just me, but I think they just want to avoid the payment. Two security researchers (one from China and one from India) found the same bug and always the same reply: Someone else found it, we are sorry!”

XSS marks the spot

Cross-site scripting (XSS) vulnerabilities arise from web application development mistakes. Attackers can exploit XSS vulns to inject scripts or pop-ups from untrusted sites that would appear to surfers as originating from the site they are visiting. XSS flaws are a common vuln, most regularly abused in phishing attacks.

The cross-site scripting flaw in the search function on PayPal’s German site which Kugler (and perhaps others) discovered is a bit more serious, however, because it is capable of being abused to access credentials.

“An XSS attack occurs when a script drawn from another website is allowed to run but should not,” Kugler explained. “The type of flaw can be used to steal information or potentially cause other malicious code to run.”

The PayPal XSS bug was fixed on Wednesday, according to Kugler.
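To make the reflected-XSS mechanism described above concrete, here is an added example (not code from PayPal or from the article): a minimal search results page rendered two ways, once with the query concatenated straight into the HTML and once with output encoding, plus a small check that shows which version reflects markup. The probe strings are constructed test inputs.

```ruby
require "cgi"

# Added example, not code from PayPal or from the article: a minimal search
# results page built two ways, to show where a reflected XSS flaw in a search
# function comes from and how output encoding closes it. The query strings
# below are constructed test inputs.

# Vulnerable: the query is concatenated straight into HTML, so markup in it
# becomes part of the page and runs in the visitor's browser.
def render_search_unsafe(query)
  "<input name=\"q\" value=\"#{query}\">" \
  "<p>Results for: #{query}</p>"
end

# Fixed: every untrusted value is HTML-encoded before it is placed in the page.
# CGI.escapeHTML encodes & < > " and ', which covers both the element body and
# the double-quoted attribute used here.
def render_search_safe(query)
  safe = CGI.escapeHTML(query)
  "<input name=\"q\" value=\"#{safe}\">" \
  "<p>Results for: #{safe}</p>"
end

# A cheap regression check for a test suite: the rendered page must not
# contain the raw, unencoded query when that query carries markup characters.
def reflects_markup?(page, query)
  page.include?(query) && query.match?(/[<>"']/)
end

# Constructed probes: one harmless search, one that closes the attribute and
# adds a script element, one that only targets the attribute context.
PROBES = [
  "ruby on rails",
  "\"><script>alert(1)</script>",
  "x\" onfocus=\"alert(1)",
]

# Run every probe through a renderer and report which ones are reflected raw.
def audit(render)
  PROBES.map { |q| [q, reflects_markup?(render.call(q), q)] }.to_h
end

if __FILE__ == $0
  puts "unsafe: #{audit(method(:render_search_unsafe))}"
  puts "safe:   #{audit(method(:render_search_safe))}"
end
```

The unsafe renderer reflects both markup probes verbatim; the encoded renderer reflects none of them, which is the property a fix for a flaw like this one has to restore.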

A bug’s life

Bug bounty programmes have become commonplace across the industry over recent years. The schemes offer an incentive for researchers to report flaws to vendors, rather than selling details of them on vulnerability marketplaces to whoever stumps up enough cash.

Google, in particular, is an expert at attracting media attention to its own bug bounty programme. PayPal, by contrast, is reluctant to talk about its own vulnerability reward scheme, perhaps because the nature of its payment-handling business makes it reluctant to get drawn into any kind of discussion about the security of its website.

The only known recipient of a bug bounty from PayPal is Germany-based security research outfit Vulnerability Laboratory, which earned a $3,000 reward back in January after discovering and reporting a critical bug to PayPal five months prior.

The flaw, a SQL injection vulnerability in the official PayPal GP+ Web Application Service, created a potential mechanism for hackers to inject commands through the compromised web app into the backend databases, potentially tricking them into coughing up sensitive data in the process.

Although he struck out when he reported a problem to PayPal, Kugler has successfully collaborated with other vendors.

The German teen has received a $3,000 award from Mozilla for finding a privilege escalation bug in Firefox, and another $1,500 for locating a separate flaw in Mozilla Updater. He also received a hat tip for security research from Microsoft, getting a shout out on its list of security researchers – though no financial reward for his efforts as yet.

“IT security is an interesting topic and I like to test things,” Kugler told El Reg. “Sometimes things work differently under special circumstances, it’s exciting to study this behaviour.” ®

* Additional reporting by Iain Thomson

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/30/paypal_bug_bounty/

Belarus becomes world’s top country … for SPAM

Belarus has eclipsed the US to become the biggest single source of global spam, according to cloud-based email and web security firm AppRiver.

Junk volumes from the landlocked former Soviet republic, which borders Poland and Russia, hit an all-time high on 13 April and have sustained this level since then.


In January, AppRiver security researchers were seeing an average of 3.1 million spam messages per day from Belarus. After the spike happened on 13 April, AppRiver said it began recording an average of 12.3 million spam messages per day – which is now climbing.

Only one in a thousand messages from Belarus is legitimate, with 99.9 per cent of the electronic messages consisting of junk mail, said the security firm. Current volumes of junkmail from Belarus are exceeding those from the US, the historic source of most of the world’s internet detritus.

“The actual message content was very slim and simple,” explains AppRiver security analyst Jonathan French in a blog post. “Most of the messages just simply contained a link and a few words. Many of the links did not lead to active webpages, with most giving 500 or 404 server errors.”

“The links that did work led to pharmacy websites trying to sell drugs to visitors. There was a very small amount of the messages that also led to websites hosting malware,” he added.

French told El Reg that most users would likely recognise the messages, which come from .ru domains and make no attempt at spoofing, as spam. He’s currently at a loss to explain the sustained spam spike from Belarus.

“I can only speculate at the cause, but I assume there was nothing special about the April 13th date when spam volume began to rise,” French told El Reg. “It may have just been the time for the campaign organiser(s) to start after preparing the machines and systems for this particular campaign. It has been ongoing a while and showing no signs of declining.”

Belarus, best known as the last holdout of a Stalinist-style regime in Europe, has rarely – if ever – been mentioned as a major source of spam. However, a quick check with Sophos revealed it had also logged Belarus as the world’s worst spam-relaying country over the last 30 days.

Belarus now accounts for 16.3 per cent of the world’s spam, compared to 15.1 per cent from the US and 7.45 per cent from the Ukraine, according to exclusive figures produced for The Register. China accounts for 5.78 per cent of the world’s spam-relaying.

Sophos’s stats, like the figures from AppRiver, look at the locations of abused computers (almost always Trojan-infected zombie drones) rather than the physical location of current spam kingpins. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/30/belarus_surprise_worlds_spam_relaying_top_dog/

Ruby on Fails: Zombie SERVER army built thanks to Rails bug

A critical vulnerability in trendy web programming kit Ruby on Rails is being abused to transform web servers into nodes in a growing botnet army.

The security bug (CVE-2013-0156) in the open-source application framework was patched in January, but months later many website owners have failed to apply the update, leaving code on numerous sites vulnerable.


Shortcomings in Ruby on Rails’ parameter-parsing code allow miscreants to bypass authentication systems, inject and execute arbitrary code, or perform a denial-of-service attack on a Rails application, an advisory by US CERT explains.

The bug can be exploited to force a vulnerable server to download, compile and run some C code that takes control of the machine. Once compromised, the web server becomes a remotely controlled drone in a network of zombie computers, which blindly obey commands issued from afar by crooks in an IRC chatroom. These orders could be to send out spam, pummel a target on the internet in a distributed denial-of-service (DDoS) attack, or similar.

Martijn Grooten, anti-spam test director at Virus Bulletin, noted that the communications channel used to send instructions to the zombie bots is unencrypted, and therefore open to hijacking by any cyber-crim. Although perhaps basic in its design, the botnet is a powerful resource for various potential forms of cybercrime.

Ruby on Rails is knocked by some security experts – such as Gunter Ollmann, CTO of IOActive – as a development platform that’s unfit for production servers. Nonetheless the technology is widely deployed. Those that do use it are advised to update their systems to versions 3.2.11, 3.1.10, 3.0.19 or 2.3.15.
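As an added example (not code from the Rails project or from the article), the following Ruby helper does the two triage checks a defender would want for CVE-2013-0156: comparing a deployed Rails version against the fixed releases named above (3.2.11, 3.1.10, 3.0.19, 2.3.15), and flagging XML request bodies that ask the parameter parser for YAML or Symbol type coercion, which is the parsing path the vulnerability concerns. The version strings and request bodies are constructed inputs; treating branches not named in the advisory as unaffected is an assumption of this example only.

```ruby
# Added example, not from the Rails project or the article: triage helpers
# for CVE-2013-0156. Inputs below are constructed.

# Fixed releases per branch, as named in the article.
FIXED_VERSIONS = {
  "3.2" => "3.2.11",
  "3.1" => "3.1.10",
  "3.0" => "3.0.19",
  "2.3" => "2.3.15",
}.freeze

# Split "3.2.11" into [3, 2, 11] so versions compare numerically, not as strings
# ("3.2.9" must sort below "3.2.11").
def version_parts(version)
  version.split(".").map(&:to_i)
end

# True when the deployed version is below the fixed release of its branch.
# Branches not listed (e.g. 4.0.x) are treated as unaffected here; that is an
# assumption of this example, not a statement from the advisory.
def rails_vulnerable?(version)
  parts = version_parts(version)
  branch = parts[0, 2].join(".")
  fixed = FIXED_VERSIONS[branch]
  return false if fixed.nil?
  (parts <=> version_parts(fixed)) < 0
end

# XML type attribute values that the vulnerable parameter parser would coerce
# into YAML or Symbol objects. A legitimate API client has no reason to send
# these, so their presence in a request body is a strong alert signal.
DANGEROUS_TYPE = /\btype\s*=\s*["'](?:yaml|symbol)["']/i

# True when an XML request body asks for YAML/Symbol coercion.
def suspicious_xml_params?(body)
  !!(body =~ DANGEROUS_TYPE)
end

# Filter a batch of requests (content type + body) down to those that should
# be blocked at the edge or raised as an alert.
def triage_requests(requests)
  requests.select do |req|
    req[:content_type].to_s.include?("xml") && suspicious_xml_params?(req[:body])
  end
end

# Constructed sample traffic: a normal XML request, one with a coerced type,
# and a JSON request that the XML check must ignore.
SAMPLE_REQUESTS = [
  { id: 1, content_type: "application/xml",
    body: "<user><name>alice</name></user>" },
  { id: 2, content_type: "application/xml",
    body: "<user><name type=\"yaml\">--- foo\n</name></user>" },
  { id: 3, content_type: "application/json",
    body: "{\"name\": \"bob\"}" },
]

if __FILE__ == $0
  puts "3.2.10 vulnerable? #{rails_vulnerable?("3.2.10")}"
  puts "3.2.11 vulnerable? #{rails_vulnerable?("3.2.11")}"
  triage_requests(SAMPLE_REQUESTS).each { |r| puts "alert: request #{r[:id]}" }
end
```

The version check tells you whether to patch at all; the body check is what you would put in front of an instance you cannot patch immediately, to stop the coercion before it reaches the parser.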

The creation of the Ruby on Rails botnet was first identified by security researcher Jeff Jarmoc of Matasano Security. “This is a pretty straightforward skiddy exploit of a vulnerability that has been publicly known, and warned about, for months,” Jarmoc concluded in a post on his personal blog.

Cybercrooks are increasingly looking towards exploiting vulnerable software on web servers, rather than less powerful client PCs, in order to create stronger zombie networks. For example, compromised WordPress installations have recently been abused to create a botnet linked to recent DDoS attacks. Web servers invariably have much higher capacity internet connections than home PCs, making them eminently suitable as a platform for overloading targeted websites with junk traffic. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/30/rails_botnet_threat/

Australia’s de-facto net filter has ZERO regulation

Updated: A couple of weeks back, Australia’s Securities and Investment Commission (ASIC) made a mistake: by trying to take down a Website promoting an investment scam*, it accidentally blocked 1,200 sites using the same IP address as the scammer.

ASIC was able to attempt the take down thanks to a “Section 313 Notice”, a legislative instrument that instructs telcos and ISPs to block sites that break Australian laws.


It has now emerged that there is little or no oversight or transparency in how such notices are issued, who’s allowed to request one or when they’re permitted to make such requests. That means, as a Senate Estimates hearing was told, that nobody really knows exactly how many agencies might have the right to use the notices to, as Greens Senator Scott Ludlam put it, “knock a site off the Internet”.

A “Section 313 notice” refers to this section of the Telecommunications Act. The act requires carriers to try and prevent their networks being used to commit offenses, and requires them to assist an undefined list of “officers and authorities” of the Commonwealth, states and territories in preventing crimes using their networks.

Unfortunately, when the legislation was framed, the legislators had in mind telephones and fax machines, not the Internet. Its application to the Internet was the brainchild of Senator Stephen Conroy, as a way to implement the Interpol “worst of the worst” Internet blacklist (which mainly concerns child pornography) without having to pass new legislation.

While Senator Conroy stated to Estimates that the Australian Federal Police’s use of s313 notices in this way has been effective, the s313 notice has become an example of scope creep, with other agencies getting in on the act.

The new problem turned up by Senator Ludlam is this: neither communications minister Senator Stephen Conroy nor his department are completely certain regarding how many Australian government agencies might have the power to request s313 notices. The horizon of the notices’ scope is an unknown.

Following a meeting convened by on May 22, 2013 and attended by a number of departments – including the Attorney-General’s Department, ACMA, ASIC, the AFP, the Department of Immigration, ASIO and others – Senator Conroy told Estimates that the government will set in train a process to improve the transparency surrounding the use of s313 notices.

The problem, as Ludlam revealed in questioning the minister and his department, lies in the definition of why notices may be sought. Since law enforcement is on the list, he asked whether it might reach all the way down to state police services; and since the “protection of public revenue” is offered as a reason for seeking a notice, he also asked whether the power might extend all the way down to local government (since they collect rates).

That question has had to be taken on notice by the Department of Broadband Communications and the Digital Economy (DBCDE), which Conroy heads.

Of as much concern, the DBCDE was also unable to say whether s313 notices had already been used by state agencies, nor how many times they might have been used outside the purview of the federal government. Again, that question had to be taken on notice.

“I’ve asked the department to provide advice on a number of possible transparency measures,” Conroy said. “I agree … that there needs to be a greater degree of transparency.”

It is, perhaps, a small reassurance that the notices at least don’t reach as far as copyright matters. Perhaps. Maybe. When Senator Ludlam asked whether a rights-holder could ask the police to seek a s313 notice, Senator Conroy responded: “I doubt that an individual citizen can walk in [into a police station – El Reg] and ask for a 313.” ®

*Bootnote: The back story is that ASIC requested a block on a site based on the site’s IP address. Of course the target was on a shared server, so of course it blew away a whole heap of harmless sites, leading to a public outcry and embarrassment all round. “My lord, I ‘ave a cunning plan” is never a good way to approach law enforcement. ®

Update:

Australian Securities and Investment Commission chair Greg Medcraft has reportedly told a Sydney conference his organisation will review its use of the s313 notices.

He said the notices had been used ten times in the last 12 months to bar access to Websites promoting frauds and scams, and that most of these are overseas. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/30/dbcde_worlddog_might_be_able_to_block_oz_sites/