STE WILLIAMS

Kaspersky defends ‘unworkable’ web passports

Flamboyant anti-virus guru Eugene Kaspersky has defended his controversial internet passport plans.

Kaspersky, chief exec of malware exterminators Kaspersky Lab, first outlined plans to mandate use of a hardware token-based passport to get online around two years ago. The scheme is designed to deter abusive use of internet connections to send spam, steal data via hacking or participate in denial-of-service attacks. The programme would work in a similar way to how driving licences work in the offline world and would be applied alongside an Internet Interpol as a way of combatting the growing scourge of cybercrime.

“Everyone should and must have an identification, or internet passport,” Kaspersky explained. “The internet was designed not for public use, but for American scientists and the US military. Then it was introduced to the public and it was wrong… to introduce it in the same way.”

“I’d like to change the design of the internet by introducing regulation – internet passports, internet police and international agreement – about following internet standards. And if some countries don’t agree with or don’t pay attention to the agreement, just cut them off,” the Russian security biz boss added.

Despite criticism, Kaspersky has continued to push the internet passport idea during his frequent trips to high-level government security conferences in Australia, Brussels and most recently to last week’s London cyberspace conference. He is rarely challenged on even some of the more obvious downsides of the plan, which seeks to abolish net anonymity and seeks to prohibit use of services including The Onion Router (Tor), which is legitimately used by dissidents and civil rights activists around the world.

Critics, including Bruce Schneier, have torn into the internet passport scheme as unworkable and undesirable.

“Any design of the internet must allow for anonymity,” Schneier argues in a lengthy and thorough examination of the idea.

“Universal identification is impossible. Even attribution – knowing who is responsible for particular internet packets – is impossible. Attempting to build such a system is futile, and will only give criminals and hackers new ways to hide.

“Attempts to banish anonymity from the internet won’t affect those savvy enough to bypass it, would cost billions, and would have only a negligible effect on security,” he concludes, adding that “mandating universal identity and attribution is the wrong goal”.

El Reg put this criticism to Kaspersky hoping to secure a better explanation of his thinking. Instead we received a partial response that at least suggested he was open to further dialogue.

In his blog, Bruce Schneier has made some interesting and relevant arguments on the plan to create internet IDs. While I still maintain that this is a manageable solution, I respect Bruce’s opinions and encourage the debate surrounding this important and emotive subject.

Schneier is by no means alone in his criticism. Other detractors of the internet passport scheme include security blogger Dancho Danchev, who outlined five reasons why the proposal is bad news in a post on Zdnet’s Zero Day blog here. He points out that use of two-factor authentication is no defence against man-in-the-middle attacks as well as the cost and logistical problem involved in giving everyone “internet passports”.

In fairness, Kaspersky is far from alone in supporting the scheme, despite its potential difficulties. Other backers of the “driver’s licence for the internet” idea include Microsoft’s Craig Mundie. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/07/kaspersky_net_passport/

Boffins spy on iPhone screens from 200ft away

Vid North Carolina boffins have been watching text entered into iPhones from 60 meters (197ft) behind the shoulders of users – or from the front, by reading the reflections in the users’ glasses.

The process uses a standard video camera. It is even possible using an iPhone’s camera, though the range decreases and relies on the iPhone’s habit of popping up big versions of characters typed. Once the video has been fed through the researcher’s image stabilisation software, and run through some optical character recognition software and natural-language analysis, the meaning emerges, as this (silent) video demonstrates:

Apple’s iPhone isn’t the only smartphone to provide visual feedback by popping up an enlarged version of the character pressed, but the technique won’t work with those that don’t. The researchers also admit that alternative text-entry techniques, such as Swype, will confound the recognition, but those are only used by a minority.

There are some other videos showing how reflections can be read, and the accuracy possible, on the boffin’s own site. Their full paper (PDF, interesting, but very mathematical in places) demonstrates that with a decent video camera they were able to collect very accurate renditions of what was typed from a considerable distance.

It seems that the biggest limitation was motion blur. Stabilisation can only work so well and as the characters pop up on the screen only for a moment, a single blur make a character impossible to read. That’s easily addressed with better video equipment, and better analysis, but this research was deliberately based on standard kit.

One can imagine Jason Bourne using such a technique, and it’s interesting to hear that it is possible. It might pay to think about one’s surroundings when entering a password, but in reality there are already plenty of other threats to be concerned about without worrying about what people might be able to pick up reflected in your sunglasses. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/07/distance_reading/

Anonymous backs off in clash with Mexican drug cartel

On-again-off-again plans by the Anonymous collective to publish details of the infamous Zetas drug cartel and their associates were finally cancelled over the weekend, following the supposed release of a kidnapped member of the hacktivist collective.

A statement from Anonymous Iberoamerica states that the still unnamed member of the collective was freed, adding that “although bruised, we can say he is safe and well”. Los Zetas are as well-known for kidnap and murder as they are for drug running in their native Mexico. They kidnap victims for money and those they can’t turn a swift profit on are usually killed.

The idea that the narcotraficantes may have responded to the threat of being outed by Anonymous by releasing a kidnap victim strains credulity to breaking point. The lack of details on when the supposed kidnap victim might have been taken makes the whole story even less plausible. The kidnapping supposedly happened during a leafleting campaign in the Mexican state of Veracruz but, as The Guardian reports, the last such protest occurred months ago and there’s no evidence of any police reports of an abduction.

Anonymous Iberoamerica claims that it has permanently dropped plans to expose names of associates of the Zetas drug cartel (#OpCartel) after threats that the drug lords would kill 10 people for every member of the cartel named. Los Zetas has already claimed responsibility for the murder of three bloggers from the northern Mexican border city of Nuevo Laredo in two separate incidents in September. One of the victims, Marisol Macias Castaneda, 39 – known online as “The Laredo Girl” and “Nena de Laredo” – was beheaded for posting about the Zetas on a local online discussion forum.

Mexican members of Anonymous told local media that they had decided to cancel #OpCartel, following a debate 10 days ago over fears that the operation could place innocent people at risk from reprisal attacks. However prominent members of the collective outside Mexico, including AnonymouSabu, said the operation would go ahead anyway. Anonymous Iberoamerica has acted as an outlet for information about #OpCartel but it is unclear who runs its operations. ®

Bootnote

The story has a curious footnote. Anonymous Iberoamerica posted an update on Sunday claiming that a suspected undercover agent of CISEN (the intelligence agency of the government of Mexico) entered its chat rooms in an attempt to provoke an administrator into reversing the decision to discontinue #OpCartel.

“This little incident that could have gone unnoticed in other circumstances but confirms what we already suspected: the Mexican government is behind infiltrating #OpCartel for purposes unknown (possibly to neutralise Anonymous’ war against criminal groups,” it said, adding extracts of the chat log to support its claim.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/07/anonymous_opcartel/

China’s web biz bosses crank up gossip crackdown

Chinese tech firms have agreed to add more bricks to the Great Firewall of China at the end of a summit hosted by the country’s government.

The chiefs of 40 or so companies, including search behemoth Baidu and Yahoo! suitor Alibaba, as well as Sina (owner of microblogging site Weibo) and IM service Tencent, agreed to “strengthen self-control, self-restraint and strict self-discipline”, the official news agency Xinhua said on Sunday.

Xinhua said that the tech firms had agreed to “resolutely curb” online rumours, pornography, fraud and other information deemed “harmful” to the state.

The agreement came after the bigwigs had been in three-day talks with the government’s State Internet Information Office.

The confab was part of a more general crackdown on the net in China. Last month, the Communist Party’s Central Committee held its annual meeting and issued a number of communiques on policy for the year, including one on the web.

The document said the government wanted to “strengthen guidance and administration of social internet services and instant communications tools and regulate the orderly dissemination of information” and “apply the law to sternly punish the dissemination of harmful information”.

Phrases like “rumours” and “harmful information” are often taken by observers as code for any viewpoints that disagree with the ruling party’s agenda.

Microblogging sites are proving challenging for the Chinese government’s infamous Great Firewall of China because of the speed with which short messages can be resent and spread to huge numbers of people.

Weibo, a Chinese version of Twitter, has proved particularly irksome to Chinese officials. In July, the site provided news and updates on a bullet-train crash in Wenzhou that contradicted the official accounts, as well as expressing anger at how the authorities responded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/07/chinese_censorship/

Anonymous runs amock in Israel, Finland, Portugal

Anonymous activists marked the 5 November anniversary of the Gunpowder Treason Plot to get up to all sorts of mischief over the weekend.

The websites of Israel’s Mossad and Shin Bet intelligence services as well as the Israel Defence Force were reportedly offline for a brief period over the weekend following a 4 November threat by Anonymous to take down the sites.

The threats came in response to the detention and deportation of 27 Gaza flotilla activists, who had set sail from Turkey for Gaza with supplies aboard two boats, by the Israeli military on Friday. The ships were boarded after ignoring calls to turn back, according to Israeli media reports. It’s unclear whether or not the boats contained medical supplies.

Anonymous posted a video protesting the ongoing blockade of Gaza and describing the boarding as “piracy on the high seas”. It threatened cyberattack reprisals, however the Israeli government said a subsequent outage of Israeli military websites was down to a “systematic malfunction”, Threatpost reports.

All three websites were otherwise alive and kicking during the weekend.

Meanwhile Portuguese hacktivists defaced five their nation’s websites, including that of JSD (the youth division of the ruling Social Democratic Party) and Freeport, a mall built despite environmental concerns. The hacks were reportedly carried out by LulzSec Portugal, a previously unknown branch of the infamous hacker crew that merged with Anonymous earlier this year.

Further north, Anonymous Finland claimed responsibility for the publication of personal details of thousands of Finns from hacked government databases on Friday. The group temporarily published a sample of info on 16,000 people as proof of the hack, which it said was easily accomplished using a basic SQL injection attack. The hack was motivated by an apparent desire to shame the government into improving its security.

For all the cyber-strikes taking place in the names of Anonymous over the past few days, the most famous threatened action – an assault on Facebook – never took place. Senior figures in the hacktivist collective distanced themselves from talk of the Facebook attack weeks ago so the lack of action comes as little surprise. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/07/anonymous_shenanigans/

Adidas pulls down sites hit in ‘sophisticated’ hack

Adidas has taken some of its websites offline as a precaution following the discovery of a “sophisticated, criminal cyber-attack”.

The sportswear manufacturer said it decided to take potentially affected websites offline, as a precaution, following the discovery last Thursday of a hack attack. It reassured customers that it had no reason to think consumers’ data had been exposed as the result of the assault, the causes of which it is continuing to investigate. In a statement (extract below), Adidas said it planned to beef up the security of the affected sites before restoring them online. Sites affected include adidas.com, reebok.com and various local e-commerce shops.

On November 3, 2011, the adidas Group found out that it was the target of a sophisticated, criminal cyber-attack. Our preliminary investigation has found no evidence that any consumer data is impacted. But, while we continue our thorough forensic review, we have taken down affected sites, including adidas.com, reebok.com, miCoach.com, adidas-group.com and various local eCommerce shops, in order to protect visitors to our sites.

Since learning about the issue, we have put in place a number of additional data security measures. The changes reflect enhancements to the high standards consumers have come to expect from the adidas Group and its brands.

Nothing is more important to us than the privacy and security of our consumers’ personal data. We appreciate your understanding and patience during this time.

A holding page at Adidas.com, for example, states that “due to technical difficulties our website is currently not available”, and points surfers towards Adidas eCommerce shops that remain open (in Canada, France, Germany, Netherlands, Russia, the UK and the US).

The motives – much less the identity – of the hackers remains unclear. Adidas’ statement implies that hackers might have planted malicious scripts on the targeted website, an explanation that would certainly explain why the sites were taken down as a precaution. However this remains only one of several possible explanations and there’s no public reports from anti-firms to support the theory.

Eddy Willems of German anti-virus firm G Data praised Adidas for acting responsibly.

“The attack on Adidas is an example of how cyber-crime has become an International sport in the past year or so, as we have seen more and more big brands compromised worldwide,” he said.

“The good thing is that Adidas, unlike many recent cyber-crime victims, seems to be acting quickly and have security in mind. The hack appears to be only to the website and not the databases which suggests that no customer data have been compromised,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/07/adidas_hack_attack/

HP to pipe dole queue data into clouds

A records management system is being developed for the Department of Work and Pensions that could be used by other government agencies.

HP is doing the work under its contract for application services with the department. Graham Lay, vice-president of HP Enterprise Solutions, said the company is making the investment in the system and that the DWP will be charged for its use on a ‘per item’ basis.

It will provide a repository of client information for use throughout the DWP, and is being developed on a model that could be adopted elsewhere through a cloud platform.

Speaking at a round table on cloud computing staged by the company, Lay said the technology is making the initiative possible. Under more traditional models of application provision, it would have been a slow process to make it available for other authorities and the chances of it being used elsewhere were quite small.

He added that cloud platforms could support the effort to make applications available beyond the commissioning body.

“As far as we are concerned, we would like to see the services we set up used as widely as possible across government,” he said. “This is a key trend in the greater use of shared services.”

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/07/dwp_repository/

iPhone gets NFC tap-cash tech

Discover is to run trials of pay-by-wave for iPhones in Chicago and Salt Lake City, despite having to strap the requisite radios to the outside of the Jesus mobes’ cases.

Apple’s iPhone doesn’t have the required Near-Field Communication hardware, and NFC Times reports that for the trials Discover will be using the iCarte case, which has an NFC radio and secure component built in. The company is reportedly already testing Android and BlackBerry handsets, but reckons iPhone compatibility is essential.

“A good number of your cardholders are going to be iPhone users. As a network, I need a certified [iPhone] option,” the company told NFC Times, explaining that the removable microSD solution touted by Device Fidelity wasn’t an option as it adds another layer of complexity.

Device Fidelity’s solution also needs a special casing too, as the iPhone doesn’t have a microSD slot, but it does mean the microSD card can be switched to a different model of handset, taking the electronic wallet with it.

Discover calls its proximity payment system Zip, as opposed to Visa’s PayWave and MasterCard’s PayPass. All three systems use NFC technology to make payments and all three are already used in plastic cards, so it should be possible (one day) to have a single phone with all three installed, but don’t hold your breath.

While the payment systems are settling into recognisable camps, the whole business of vouchers and electronic coupons is still up for grabs. US network operators have banded together to make ISIS, a platform that hosts the payment cards; in the UK all the operators (except Three) have formed a similar consortium. Those platforms will have to compete with Google Wallet, and other players who will no doubt emerge in the next year or two.

Discover says it’s happy to create an instances of Zip that will install on the ISIS platform and Google Wallet, but it’s also testing coupons of its own. For the trials those will be on-screen QR Codes or just displayed discounts to be shown to the shopkeeper, but even that demonstrates that Discover is far from ceding control of what’s anticipated to be an important market. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/07/discover_nfc_iphone/

‘Insatiable’ Brits gobble Blu-Ray, deserve reward

Britain’s appetite for buying movies makes it a lively laboratory for Hollywood’s marketing experiments. One of these is the “triple play” bundling of a Blu-Ray DVD, regular DVD and digital file in the same package – a practice now standard here. Unfortunately, however, we won’t be at the forefront of UltraViolet just yet, billed as the second generation of triple play.

20th Century Fox says Blu-Ray sales rose 49 per cent in Q3 over the previous quarter, and Vincent Marcais, Senior Vice President of International Marketing, Twentieth Century Fox Home Entertainment, says he expects Blu-Ray viewing to overtake DVD in 2013.

“The UK has the biggest per capita proportion of buyers in the world, the demand of British movie buyers is insatiable. Ninety per cent of UK consumers who are actively involved with video choose to buy. That’s really striking, compared to US where people are renting.”

As for UltraViolet, the cloud locker scheme devised by cross-industry consortium DECE, it would seem we’ll have to wait for that too. But Marcais thinks we in the UK deserve a little something for our open-walletedness.

“Where you get a lot of people who buy content, I think we should reward that,” he says. “The notion for consumers is safety – buy once and play everywhere.”

“Personally, I’m convinced that Blu-Ray will be the gateway to the UltraViolet file, so if you buy a Blu-Ray disc that has an UltraViolet copy on it, you have the safety of an HD disc – but it’s also in the locker for you on all your other devices. In the beginning that’s going to be the environment.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/07/bluray_up_uv_wait/

Open ‘Facebook killer’ survives on cash donations

Diaspora, the social network that sells itself as a privacy-conscious alternative to Facebook, is relying on user donations instead of advertising to get it going.

And by contrast to its other competitor, Google+, Diaspora also allows pseudonyms. The decentralised service aims to address some of the multitude of privacy and content control issues that have dogged Facebook and, arguable to a lesser extent, Google+, while still giving users the ability share content and ideas with their friends online.

Users retain the copyright of uploaded photos and the like, which is only shared among groups that users actively define, not friends-of-friends or the whole network (often the default options on Facebook).

The service was launched in November 2010 and remains in alpha. However having signed up to try the invitation-only service months ago, El Reg finally received an invitation to try it on Thursday, so things appear to be moving (albeit slowly). The emailed invitation (extract below) was nothing if not enthusiastic:

Finally – it’s here

The social network you have been waiting for has arrived. Revamped, more secure, and more fun, DIASPORA* is ready to help you share and explore the web in a whole new way.

Sign up now

Last month the developers behind the software – students at New York University’s Courant Institute of Mathematical Sciences – began soliciting donations via PayPal. Diaspora’s account was frozen for a short while by the eBay-owned payments biz, without explanation, but has since been restored. The site added other donation methods, including BitCoins, following the episode.

Once signed up to Diaspora, users are immediately invited to link their Diaspora and Facebook accounts to “speed things up a bit” and “enable cross-posting”.

This may help populate a profile, but we can’t help thinking that linking to Facebook creates privacy concerns all by itself and runs against Diaspora’s aims to make “privacy controls both clear and straightforward”. You can also add links between Diaspora and Twitter accounts or import contacts from email accounts into Diaspora.

Users are invited to use #hashtags to classify posts and find people who share their interests. They are presented with a “stream” populated with all of their contacts, tags they follow, and “posts from some creative members of the community” who have apparently chosen to share comments, video clips and pictures with everyone on the network. Contents are arranged in “aspects” – friends, family, work colleagues etc – on the site.

There’s a lot of help for newbies as well as the facility to ask questions. The interface is clean and well-designed, perhaps partly because there’s only one application on offer, Cubbi.es, which offers a way to collate photos. There’s also a messaging feature. Overall the web interface is much closer in look and feel to Twitter than Facebook.

The site is useable but still a work in progress, as its alpha designation implies. Upcoming features promised include an ability for users to export their data and to create communities.

Diaspora is based on open-source technology. Early versions of its code were riddled with all manner of security holes, so cautious progress towards a full launch – adopting the open-source ethos of quickly fixing bugs as and when they arise – may be just as well.

There’s also the capacity management issues to think about: after all, it’s a site run on a modest budget, partially helped by T-shirt sales, and running as a not-for-profit concern. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/05/diaspora_social_network/