Blackmoor Vituperative

Monday, 2007-04-02

Homeland Security wants master key for the Internet

Filed under: Security — bblackmoor @ 11:35

The US Department of Homeland Security is insisting that Verisign hand over the master keys of the Internet.

If it succeeds, the US will be able to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system’s root zone on the Internet.

Effectively it would mean that US spooks could snoop on anyone in the Worldwide wibble and place control of the Interweb tubes firmly in the paws of the US government.

(from The Inquirer, Homeland Security wants master key for the Internet)

Thursday, 2007-03-29

Yet another IE exploit

Filed under: Security — bblackmoor @ 13:32

Another day, another security hole in Internet Explorer.

Are you listening yet? Switch to Firefox.

Wednesday, 2007-03-28

IE exploit code recipe published

Filed under: Security — bblackmoor @ 11:20

Yes, there’s another security hole in Internet Explorer. In other news, water is wet, politicians are dishonest, and teen-agers are horny.

Switch to Firefox, you knuckleheads.

Open-source bug hunt project expands

Filed under: Security — bblackmoor @ 10:13

A year after its original launch, a U.S. government-backed project that scans open-source code for flaws is expanding.

The effort, supported by a research contract from the U.S. Department of Homeland Security, is now scanning code of 150 open-source projects, up from the original 50.

“This allows open-source developers to find and resolve defects introduced into the project,” David Maxwell, open-source strategist for Coverity, said in a statement. Coverity makes source-code analysis tools and shares the DHS contract with Stanford University and Symantec.

Since the start of the project, 6,000 bugs that were found have been fixed, according to Coverity. About 700 developers are now registered to access the bug data and 35 million lines of code are scanned every day, the company said.

(from ZDNet, Open-source bug hunt project expands)

On the one hand, I don’t think the federal government should be spending money on things like this. But that is because I don’t think the federal government should be spending money on anything other than what it is specifically given authority to spend money on by the US Constitution — and that ain’t much.

On the other hand, if it’s going to unconstitutionally rob Peter to pay Paul, at least Paul is doing something useful with it in this case. I’d much rather it fund debugging open source software than pay to put every American’s personal information on an expensive, insecure ID card where any identity thief who wants it can grab it.

MySpace wants to bar ‘spam king’

Filed under: Security — bblackmoor @ 10:03

MySpace.com on Tuesday said it has filed suit against Sanford Wallace, seeking to bar the “spam king” and his affiliated companies from the social-networking site.

In the suit, filed Friday in U.S. District Court for the Central District of California in Los Angeles, MySpace accuses Wallace of violating state and federal laws including the federal Can-Spam Act and California’s antispam and antiphishing statutes, the company said in a statement.

MySpace charges that Wallace launched a phishing scam in October to fraudulently access MySpace profiles. He also allegedly created profiles, groups and forums on MySpace, spammed thousands of users with unwanted advertisements and lured MySpace users to his Web sites, according to the complaint.

“Individuals who try to spam or phish our members are not welcome on MySpace,” Hemanshu Nigam, chief security officer for MySpace, said in the statement. The lawsuit seeks a permanent injunction barring Wallace and his affiliated companies from the MySpace site, in addition to unspecified monetary damages.

(from ZDNet, MySpace wants to bar ‘spam king’)

I think MySpace is a colossal waste of time and energy, but at least they are trying to do the right thing here. This guy Wallace is spamming, phishing, spyware-spreading scum.

Tuesday, 2007-03-27

Never log into a URL that’s been emailed to you

Filed under: Security — bblackmoor @ 10:30

Here’s a security tip. Never, ever log into any URL that has been emailed to you. Never.

Always go directly to the URL you have bookmarked (for your bank, let’s say), and log in there.

One of the most common scams I see nowadays is scumbags sending so-called “HTML mail” to their intended victims, and making that so-called “HTML mail” look like an official email from someone the victim does business with (eBay, PayPal, and various banks are the most common spoofed emails). In this so-called “HTML mail” there will be a Login button, or what appears to be a web address. However, if you look at where this address actually goes, it goes to some scumbag piece of filth’s server, typically in China or Romania but it could just as easily be in Idaho, who then grabs your login and password, robs you of everything you have in that account, and then sells it online to other scumbag pieces of filth on underground web sites.

There are two things you should learn from this.

1) So-called “HTML mail” is EVIL. Don’t send it. Don’t read it. Disable it in your email client if you can.

2) Never, ever log into a URL that has been emailed to you. Never, ever.

Thursday, 2007-03-15

File sharing a threat to children and to national security

Filed under: Security — bblackmoor @ 11:03

In today’s Let’s Be A Little Overdramatic file, a newly released report from the U.S. Patent and Trademark Office suggests that networked file and music sharing could harm children and threaten national security.

The November, 2006, report, entitled “Filesharing Programs and Technological Features to Induce Users to Share,” makes two main points across the span of its 80 pages:

  • that peer-to-peer networks could manipulate sites so children violate copyright laws more frequently than adults, exposing those children to copyright lawsuits and, in turn, make those who protect their copyrighted material appear antagonistic, and
  • file-sharing software could be to blame for government workers who expose sensitive data and jeopardize national security after downloading free music on the job

Interestingly, the report makes numerous references to RIAA and MPAA legal actions against file-sharing activity, as well as cites a 2005 Department of Homeland Security report that government workers had installed file-sharing programs that accessed classified information without their knowledge.

(from Shadow Monkey, File sharing a threat to children and to national security)

Well, now, we wouldn’t want RIAA and MPAA to appear antagonistic, would we? Why, that would be like making Wilhelm Marr look antisemitic. What a gross injustice that would be.

As for the danger to national security, anyone who has ever held a security clearance (me, for example) knows who is to blame for any such security breach: the nut behind the keyboard. Or, to put it another way, what we have here is a poor workman blaming his tools. I can’t even comprehend how anyone could put classified documents on a workstation connected to the Internet, and then install file-sharing software on that workstation, without being aware of the security ramifications. The very concept just baffles me. Were the InfoSec people asleep?

Anyway, here are links to the report. I wonder how much MPAA and RIAA spent to underwrite it?

PDF version
HTML version

Tuesday, 2007-02-06

New zero-day threat for Excel

Filed under: Security — bblackmoor @ 12:57

Microsoft zero-day vulnerabilities are increasingly so commonplace, the risk is lost with the message. On Feb. 2, Microsoft issued another security alert, this one for Excel, that largely went unnoticed.

In its security bulletin, Microsoft warned that “other Office applications are potentially vulnerable” to the zero-day flaw.

Zero-day refers to a flaw for which there is an exploit but no available fix. The Excel vulnerability is Microsoft’s fifth zero-day exploit since December, and part of an increasingly troubling trend.

(from eWeek, New Zero-Day Threat Excels)

Does a house have to fall on you? Anyone still using MS Office after all this time and all these security vulnerabilities probably shouldn’t be permitted to use a computer. Switch to OpenOffice, you blockheads.

Friday, 2007-01-26

Another MS Word bug used in attacks

Filed under: Security,Software — bblackmoor @ 12:32

A fourth yet-to-be-patched security vulnerability in Microsoft Word is actively being exploited in cyberattacks.

In other news, water is wet, teen-agers are horny, and politicians lie and steal. Switch to OpenOffice, you blockheads.

Tuesday, 2007-01-02

Apple Vulnerability Project launches with QuickTime exploit

Filed under: Security — bblackmoor @ 19:00

An easy-to-exploit security vulnerability in Apple Computer’s QuickTime media player could put millions of Macintosh and Windows users at risk of code execution attacks.

The QuickTime flaw kicked off the Month of Apple Bugs project, which promises to expose unpatched Mac OS X and Apple application vulnerabilities on a daily basis throughout the month of January.

(from eWeek, Apple Vulnerability Project Launches with QuickTime Exploit)

I think this is great. Anything which helps educate Apple users and knocks their undeserved arrogance down a notch or three is a good thing.
