Archive for the 'security' Category

Sir, you can’t use the Internet outside the library

Wednesday, August 25th, 2004
  • This is an unhappy conversation on many many levels:

    AKMA:

    The officer in question (whose conduct was entirely professional, firm, and calm behind those mirrored shades) solemnly assured me that in order to use the library’s open wireless signal, I had to be seated within the library. The officer then wandered on back to the nearby police station.

    ‘Maybe if you had permission it would be all right, but it’s a new law, sir; ‘theft of signal.’ It would be like if you stole someone’s cable TV connection.’

    ‘It’s a federal law, sir; a Secret Service agent came and explained it to us.’
    [via Blogos]

  • The comments on the article above include the useful link EFF: Best Practices for Online Service Providers that advocates minimizing legal problems by minimizing information collection.
  • Having had to dig hard to track down aggressive intruders, I also worry about lacking the ability to investigate attacks on infrastructure (mine or everybody’s). While this application of “theft of services” looks bogus, it is a tool that I’d like to have when somebody is really attacking my network or systems. Meanwhile, there is a permanent tension between knowing what’s happening on your network (say, if you’re an ISP tracking botnets) and maintaining ignorance as a legal defense.

Clever Zombie Tracking by Manipulating DNS Views

Thursday, August 12th, 2004

James Lick: Tracking A Zombie Army (PDF)
[via Asrg]

What NIST thinks of ISO 17799

Tuesday, July 20th, 2004

International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management Frequently Asked Questions (November 2002):

ISO/IEC 17799: 2000 is a management standard, and deals with an examination of the non-technical issues relating to installed IT systems. These issues have to do with such matters as personnel, procedural, and physical security, and security management in general.

The Common Criteria standard is a technical standard. It is intended to support the specification and technical evaluation of IT security features in products. Normally, the products are evaluated as part of the development/production cycle. The Common Criteria standard also has a major usage as a structure, syntax and catalog of information technology specifications that can be used to describe user technical requirements for security in products.

The current US position is strongly in favor of the major revision of the [17799] document, which is currently underway. While there was no official US government position expressed, US TAG members from both the Commerce Department (via NIST) and Department of Defense (via the Defense Information Systems Agency) supported the US position.

Rogue/suspect anti-spyware products and web sites

Wednesday, June 30th, 2004

Rogue/Suspect Anti-Spyware Products & Web Sites
[via Diary Date]
See also some dissent about the specifics.

The problem is the bad platform. The symptom is the misery that so many users are living with. The cottage industry for solutions is better than nothing, but it’s still a mess.

Understanding Data Lifetime via Whole System Simulation

Tuesday, June 22nd, 2004

Jim Chow, Ben Pfaff, Tal Garfinkel, Kevin Christopher, Mendel Rosenblum: Understanding Data Lifetime via Whole System Simulation:

We have used TaintBochs to analyze sensitive data handling in several large, real world applications. Among these were Mozilla, Apache, and Perl, which are used to process millions of passwords, credit card numbers, etc. on a daily basis. Our investigation reveals that these applications and the components they rely upon take virtually no measures to limit the lifetime of sensitive data they handle, leaving passwords and other sensitive data scattered throughout user and kernel memory. We show how a few simple and practical changes can greatly reduce sensitive data lifetime in these applications.

[via Justin Mason]

Bad boilerplate

Thursday, June 3rd, 2004

Jack Shafer in the Slate article E-mail Confidential - Who’s afraid of Time Inc.’s legal disclaimer? has his attorney dissect an email disclaimer in detail.

This boilerplate proliferates because professionals in the legal, auditing, and security consulting industries feel compelled to recommend its use. Unfortunately, the ratcheting ever-more-onerous language that gets accreted by these things for cover-your-butt reasons results in most of them being statements that are intellectually ridiculous, legally dubious, and rude.

At this point, consulting professionals should be embarrassed to recommend this stuff.

[via Jeff Nolan via Techdirt]

Infernal spyware redux

Wednesday, May 26th, 2004

My home PC running Windows 2000 is finally free of Look2Me spyware. It’s very aggressive at staying alive. It creates an ever-changing series of DLL files. Removing or changing its registry entries causes it to immediately rewrite them.

As I noted last week, my first symptom was unwanted outgoing “phone home” connections caught by ZoneAlarm, resulting in eventual loss of TCP connectivity within about 20 minutes.

The tools at sysinternals were very helpful in seeing exactly what was going on, specifically the process monitor, registry monitor, and network connection monitor.

The removal instructions that finally worked were found at the bottom of VX2Finder. Removal required VX2Finder, regedit/regedt32 (significant key has name along the lines of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian*), and Windows Safe Mode. Once you search for the right things it looks like there are a few ways to skin this cat.
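The Winlogon\Notify key mentioned above is a persistence point worth auditing before touching anything in Safe Mode. The following is an added example, not code from the original post: it parses a regedit (.reg) export of that key and lists notification packages outside a known baseline. The export text and the DLL name are constructed; only the Guardian* name pattern comes from the post, and KNOWN_PACKAGES is an assumed baseline (typical of Windows XP) that should be adjusted per build.

```python
# Added example, not from the original post: audit a regedit (.reg) export of the
# Winlogon\Notify key and list notification packages outside a known baseline.
# The export text is constructed; only the Guardian* name pattern is from the post.
# KNOWN_PACKAGES is an assumed baseline (typical Windows XP); adjust it per build.
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
KNOWN_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                  "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

def parse_notify_packages(reg_text):
    """Return {subkey name: DLLName} for each Notify subkey (unescaping .reg backslashes)."""
    packages, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:  # new key header: track only subkeys directly under Notify
            path, prefix = key.group(1), NOTIFY_KEY + "\\"
            current = path[len(prefix):] if path.startswith(prefix) else None
            if current:
                packages.setdefault(current, None)
            continue
        val = re.match(r'^"DLLName"="(.*)"$', line)
        if val and current:
            packages[current] = val.group(1).replace("\\\\", "\\")
    return packages

def suspicious_packages(packages):
    """List (name, dll, reason) for packages to inspect in Safe Mode: anything not in
    the baseline, with the Guardian* pattern the post describes called out."""
    flagged = []
    for name, dll in packages.items():
        if name in KNOWN_PACKAGES:
            continue
        reason = "matches Guardian*" if name.lower().startswith("guardian") else "not in baseline"
        flagged.append((name, dll, reason))
    return flagged

# Constructed export: one legitimate package and one Look2Me-style entry.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian.bQz]
"Asynchronous"=dword:00000000
"DLLName"="C:\\WINNT\\system32\\wvbzq3.dll"
"""
```

Running suspicious_packages(parse_notify_packages(SAMPLE_EXPORT)) reports only the Guardian.bQz entry; exporting the real key with regedit and feeding that text in works the same way.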

I know, I’ve been “rooted” on a weak platform, and I should stop whining and do something about being less vulnerable.

The purveyors of this are as criminal as the virus-releasers. Their damage is diffuse so they are under the radar for now.

The fact that the present solution to this is cottage-industry homegrown hacks surprises me; I’d think that the anti-virus industry would be on this. It’s evidence that they’re running further behind than ever before.

Along the way I ran across the funny remark by Rob Leathern (one of the comments attached to a John Battelle article):

Looking at the top downloads at download.com is always interesting - typically two-thirds are adware/spyware-bundling music/video download programs, the other third are spyware removers.

I think the proportions are reversed now.

Look2Me is evil, and Windows is a bad platform

Thursday, May 20th, 2004

My home Windows 2000 machine is infested with Look2Me spyware. Who knows which of our family of five attached this IE “shell extension” nuisance. Now the question is: how I get rid of it? None of the published instructions has worked. The vendor’s uninstaller doesn’t. (Of course it’s overly kind to call a producer of unwanted intrusive privacy violation software a “vendor”.) The manual uninstall directions haven’t worked either. I know it’s still there because ZoneAlarm shows it trying to phone home.

Look2Me interacts really badly with ZoneAlarm, because while ZoneAlarm can and will prevent the frequent attempts by winlogon and rundll32 to contact 69.20.20.161 port 80, it does cause some kind of resource exhaustion that prevents any new TCP session from being established 20 minutes or so after a reboot.

Anybody with fresh ideas for uninstall, let me know. I suspect that people will be asking me for help for years to come as they find this page while searching for winlogon, rundll32, ZoneAlarm, or 69.20.20.161.

This all happened on a machine up-to-date with patches. Patches and reactive measures such as virus patterns don’t change the fact that Windows is a bad platform, for even casual use. The barriers against mischief are just too low - defense without depth.

CRLF injection attack, HTTP response splitting

Monday, May 10th, 2004

Amit Klein: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics
[via joatBlog: Web Attacks]
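As an added illustration of the linked paper's subject (this is example code, not from the paper or the original post): a redirect builder that copies a caller-supplied value straight into a header lets an embedded CR/LF pair end the first response and start a second one, which is what a caching proxy would then store; the hardened setter rejects any value containing CR, LF or NUL. The request values below are constructed.

```python
# Added example, not from the original post or the linked paper: shows why an
# unvalidated header value splits one HTTP response into two, and a setter that
# refuses such values. Inputs are constructed for illustration.

def build_redirect_unchecked(location: str) -> bytes:
    """Vulnerable form: the value is copied into the Location header unchanged."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("latin-1")

class HeaderInjectionError(ValueError):
    pass

def safe_header_value(value: str) -> str:
    """Hardened form: CR, LF and NUL have no legitimate place in a header value,
    so refuse the whole request rather than trying to strip them."""
    if any(ch in value for ch in ("\r", "\n", "\x00")):
        raise HeaderInjectionError("control character in header value")
    return value

def build_redirect_checked(location: str) -> bytes:
    return build_redirect_unchecked(safe_header_value(location))

def count_responses(raw: bytes) -> int:
    """Count status lines in the byte stream: a proxy or cache parsing this
    stream would treat it as that many separate responses."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))

# Constructed inputs: a benign target and one that arrives with CR/LF after the
# server URL-decodes a query parameter (the split would appear as a 200 response).
BENIGN = "/account"
INJECTED = ("/account\r\nContent-Length: 0\r\n\r\n"
            "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")
```

The unchecked builder yields two status lines for INJECTED and one for BENIGN, while build_redirect_checked raises HeaderInjectionError for INJECTED.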

Microsoft NGSCB tabled

Wednesday, May 5th, 2004

Microsoft Shelves NGSCB Project As NX Moves To Center Stage

“A lot of decisions have yet to be made,” said Mario Juarez, product manager in Microsoft’s Security and Technology Business Unit. “We’re going to come out later this year with a complete story.”

followed by hedging: Microsoft: ‘Palladium’ Is Still Alive and Kicking

Juarez said Microsoft is not providing any of its NGSCB bits as part of the new Longhorn pre-alpha release that it is distributing this week to WinHEC attendees. But he denied that this means that the company is exorcising NGSCB from the product. Instead, he said that the NGSCB team decided that the driver developers at the show wouldn’t be the right targets for this code.

Update 2004/05/19: Real details from Microsoft pointed to by Dana Epp