The Lazy Genius

Pirate Bay finds gold in MediaDefender emails

Xavier Ashe — Sat, 22 Sep 2007 14:53:45 -0400

Thanks to the email-leakage from MediaDefender-Defenders we now have proof of the things we've been suspecting for a long time; the big record and movie labels are paying professional hackers, saboteurs and ddosers to destroy our trackers.

While browsing through the email we identified the companies that are also active in Sweden and we have tonight reported these incidents to the police. The charges are infrastructural sabotage, denial of service attacks, hacking and spamming, all of these on a commercial level.

The companies that are being reported are the following:

Twentieth Century Fox, Sweden AB
Emi Music Sweden AB
Universal Music Group Sweden AB
Universal Pictures Nordic AB
Paramount Home Entertainment (Sweden) AB
Atari Nordic AB
Activision Nordic Filial Till Activision (Uk) Ltd
Ubisoft Sweden AB
Sony Bmg Music Entertainment (Sweden) AB
Sony Pictures Home Entertainment Nordic AB

Stay tuned for updates.

Original Post.

MediaDefender-Defenders!

Xavier Ashe — Tue, 18 Sep 2007 15:51:13 -0400

The whole mail database was converted to HTML by Forrest F. (JRWR), and is hosted by the nicest guy on the planet.

Do note that this is not the official MediaDefender-Defenders website, just a browseable copy of the e-mail leak that snowballed. We're also not the guys that acquired these e-mails, we just nabbed them off of BitTorrent and converted them.

We got pulled offline by No-ip.com, who seemed to take offense and took jrwr.hopto.org offline. You can now find us here at mediadefender-defenders.com. However, as the world really should learn - whenever you take one site down, twelve new ones will spring online.

Update: We moved to the domain which.. one of the IRC guys got, and recieved our first C&D letter. More soon.

Feel free to come meet us at #MediaDefender-Defenders @ EFNet, and some new site features will be coming shortly.

I'm not sure why I find all this so entertaining, but I do. Go read some emails:

MediaDefender Damage Control: Cease and Desist!

Xavier Ashe — Tue, 18 Sep 2007 13:25:01 -0400

After the big leak of last week, today mediadefender is desperately trying to establish some level of damage control. This morning we received an email from their lawyers stating that the domain registrar should hand over our personal information. So here is an open letter to MediaDefender.

Dearest little asstunnels,

Let me start of by thanking you for your pittyfull attempt to have your emails removed from the entire internet (the thing that says www.). In no way we feel obligated to fulfill your request, as a matter of fact any organisation that tries to harm this site and the bittorrent user in general can expect nothing more from us but a big fuck you!

In case you havent noticed, this site is located in europe (I hope you can point it out on a map) were your stupid copyright claims have no base. But fair is fair you guys did suffer over the past week so here's bit of advice to you guys:

The the full email sent by Markus at Meganova. It gets rather colorful.

MediaDefender Internal Emails Go Public

Xavier Ashe — Mon, 17 Sep 2007 14:37:07 -0400

Unfortunately for Media Defender - a company dedicated to mitigating the effects of internet leaks - they can do nothing about being the subject of the biggest BitTorrent leak of all time. Over 700mb of their own internal emails, dating back over 6 months have been leaked to the internet in what will be a devastating blow to the company. Many are very recent, having September 2007 dates and the majority involve the most senior people in the company. Apparently this is not the first time that a MediaDefender email leaked onto the Internet.

According to the .nfo file posted with the Mbox file the emails were obtained by a group called “MediaDefender-Defenders”. It states: “By releasing these emails we hope to secure the privacy and personal integrity of all peer-to-peer users. The emails contains information about the various tactics and technical solutions for tracking p2p users, and disrupt p2p services,” and “A special thanks to Jay Maris, for circumventing there entire email-security by forwarding all your emails to your gmail account”

Note: The mbox formatted file is circulating publicly on BitTorrent, completely unedited. However, for publication here we have removed the username and password logins for Media Defender’s servers, and replaced them with asterisks and avoided publishing emails of a personal nature, e.g pay negotiations etc. We believe that the emails are the real deal and all the info posted here serves the public interest.

Read the whole post on TorrentFreak.

FBI's Secret Spyware Tracks Down Teen Who Made Bomb Threats

Xavier Ashe — Thu, 19 Jul 2007 23:36:58 -0400

FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News.

The court filing offers the first public glimpse into the bureau's long-suspected spyware capability, in which the FBI adopts techniques more common to online criminals.

The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment.

Read the full article on Wired. I believe that this is the first confirmed use of an FBI Trojan horse program in a criminal investigation. That we know of ;)

Surf the Net Safely and Privately with JanusVM

Xavier Ashe — Mon, 25 Jun 2007 13:46:06 -0400

This morning, while having a little fun with VMWare Server, I stumbled on VMWare’s list of free virtualized environments. If you have any VMWare product installed on your box, you’ll definitely want to check this list out. Anyhow, like I already said, I stumbled on this list and quickly browsed the available products. That’s when I ended up on a very interesting security package named JanusVM. JanusVM is a virtualized security environment that allows you to surf the internet absolutely securely and privately. It was designed to run on VMware Player (or Server) and brings together openVPN, Tor, Squid, Privoxy and dns-proxy-tor to give you a transparent layer of security that is compatible with most TCP based applications.

JanusVM Features:

WiFi Support.
Supports multiple users in a LAN.
Protects you from most man-in-the-middle attacks.
Protects you from Javascript, Java, and Flash based side-channel privacy attacks.
Protects your identity and your true location by masking your IP Address.
Encrypts and re-routes your DNS request and ALL TCP traffic to ensure strong privacy.
Strips out most privacy sensitive information your web browser may leak.
Blocks popups, annoying ads, banners, and other obnoxious Internet junk.
Very simple setup and operation.
Works transparently for applications using TCP.

Setup is very easy. Just download and install VMWare player, download JanusVM and follow these simple instructions.

After setting up the environment, if you decide to keep JanusVM running on your box, please consider giving a small donation to the developer. Your donations will surely encourage him to keep on working on this fantastic project.

Nice, I'm downloading this now. Usually the presence of Tor on a corporate laptop is eyed suspiciously. Found on Geeks are Sexy.

Quicken Backdoor Could Give Feds Access to Finance Data

Xavier Ashe — Mon, 25 Jun 2007 09:10:07 -0400

A Moscow-based password-recovery vendor Thursday accused Intuit Inc. of hiding a backdoor in its popular Quicken personal finance program that gives it -- and perhaps government agencies -- access to users’ data files.

Intuit called the charges baseless, and said that although there is a way to unlock Quicken’s encrypted data, it’s only used by the company’s support team to help customers who have forgotten their passwords.

In a statement, Elcomsoft Co. Ltd., a Russian maker of password-recovery tools, said Quicken versions since 2003 have used strong encryption designed to foil hackers. But those editions also have a backdoor that unlocks the encryption with the 512-bit RSA key that Intuit controls.

"It is very unlikely that a casual hacker could have broken into Quicken’s password protection regimen," Vladimir Katalov, Elcomsoft’s CEO, said in the statement. "[We] needed to use advanced decryption technology to uncover Intuit’s undocumented and well-hidden backdoor, and to successfully perform a factorization of their 512-bit RSA key."

"Very unlikely..." my ass. Read the full article at CSOonline.com.

Z Backscatter Van Drive-By Screening System

Xavier Ashe — Mon, 14 May 2007 12:52:57 -0400

A breakthrough in X-ray detection technology, AS&E's Z Backscatter Van (ZBV) is a low-cost, extremely maneuverable screening system built into a commercially available delivery van. The ZBV allows for immediate deployment in response to security threats, and its high throughput capability facilitates rapid inspections. The system's unique "drive-by" capability allows one or two operators to conduct X-ray imaging of suspect vehicles and objects while the ZBV drives past.

The ZBV can also be operated in stationary mode* by parking the system and producing X-ray images of vehicles as they pass by. Screening can also be accomplished remotely while the system is parked. Remote operation allows scanning to be done safely, even in dangerous environments, while maintaining low-profile operation. The system is unobtrusive, as it maintains the outward appearance of an ordinary van.

Boing Boing has also posted about this rolling invader of privacy. Get the details from the manufacturer, AS&E.

New Computer Program to Reassemble Shredded Stasi Files

Xavier Ashe — Sat, 12 May 2007 10:58:15 -0400

Millions of files consigned to paper shredders in the late days of the East German regime will be pieced together by computer. The massive job of reassembling this puzzle from the late Cold War was performed, until now, by hand.

It's been years in the making, but finally software designed to electronically piece together some 45 million shredded documents from the East German secret police went into service in Berlin on Wednesday. Now, a puzzle that would take 30 diligent Germans 600 to 800 years to finish by hand, according to one estimate, might be solved by computer in seven.

Low tech decryption. Good article from Spiegel Online.

Anyone need a Watchlist?

Xavier Ashe — Wed, 18 Apr 2007 11:33:00 -0400

Prior to the airline hijackings on Sept. 11, 2001, the Federal Aviation Administration's "no-fly list" contained 11 names.

Soon after the attacks, the Transportation Security Administration was created, and given direct authority over airline security screening and the watch list. The list soon began to expand almost daily, according to government documents. The last credible report on the list put its length at 119,000 names, though the TSA says it has since narrowed it to a smaller number that must remain a secret.

While it was expanding the no-fly list, the TSA was also busy carving out a second list of people who were allowed to fly, but would be screened extra closely on their way to the gates. The government initially denied this "selectee list" existed, but a watchdog group eventually got the goods in a Freedom of Information Act request.

Of course, the TSA isn't the only agency making lists these days. Here's a quick Wired News field guide to post-9/11 watch lists.

Get the list on Wired.

Counter attack hacking OK-ed by courts

Xavier Ashe — Mon, 09 Apr 2007 11:56:22 -0400

This is a very interesting case. It seems if you are just collecting evidence while trying to protect your own systems, hacking a hacker is okay.

A federal appeals court just shot down an attempt by confessed superhacker Jerome Heckenkamp to overturn his computer crime convictions, which were an end result of information provided by a university sysadmin who broke into Heckenkamp's computer to gather evidence.

The warrantless cyber-search was justified by the "special needs" exception to the Fourth Amendment, because "the administrator reasonably believed the computer had been used to gain unauthorized access to confidential records on a university computer," the U.S. 9th Circuit Court of Appeals ruled Thursday.

Later in the article on Wired:

According to the decision, UWisc cracked Heckenkamp's computer in order to confirm that he was the hacker they were looking for. Heckenkamp turned out to be guilty, so Schroeder's tough talk has some surface appeal. But what if Heckenkamp had been innocent?

The whole policy has some nasty implications for student privacy. There's no judge in the loop; no independent finder of fact. So who decides when there's enough evidence to break into the student's machine and riffle through his files? And then there's the inevitable mission creep. What happens when system administrators crack a suspected hacker's computer, and find he's innocent of the hack, but also turn up evidence that he's been selling dope to his friends? Or downloading pirated music? And eventually, instead of Qualcomm, it'll be the RIAA or the MPAA calling up the University of Wisconsin for a little help.

It's Official: Pretexting Is Illegal

Xavier Ashe — Mon, 22 Jan 2007 14:25:57 -0500

President Bush signed a bill last week making a controversial practice known as "pretexting," a federal offense.

The law specifically forbids the act of misrepresentation, impersonation or deception in order to obtain personal telephone information. Just five months ago, pretexting fell into a gray area of the law.

The issue gained national attention when Hewlett-Packard filed a document with the U.S. Securities and Exchange Commission. The computer maker said its investigators had used tactics to find out which members of its board where leaking private company information to the media, which ended up as news reports. The scandal led to testimony before Congress and the resignation of several board members and HP employees.

Several lawyers and private investigators -- including some working for HP when the company obtained journalists' and board members' personal phone records during an investigation into leaks from its boardroom -- said that it was unclear whether pretexting was against the law.

The legal line is clearer now. The text of the Telephone Records and Privacy Protection Act of 2006 now states it is illegal to use fraud in order to obtain billing records and other information phone companies retain on individual customers. Law enforcement officers are exempted but generally need warrants to get the information.

Read the full article on InformationWeek.

Rush job MI5 security alert service wide open to snoopers

Xavier Ashe — Fri, 12 Jan 2007 11:39:28 -0500

MI5 new e-mail alert service sends web subscription forms to the US without encryption, according to an investigation by Spyblog.

The service, launched by MI5 on Tuesday, is designed to allow subscribers to receive email notification of changing national security threat levels by email. This information is already available on MI5's website for anyone who cares to look.

Worse than being of limited value, Spyblog discovered data submitted to the form is sent to US email marketing and tracking firms without the informed consent of subscribers, evidence of either incompetence or "indifference to the privacy and security of the general public". The privacy campaign website described the heavily promoted service as a "rush job" and a "shambles".

"Astonishingly, MI5, the Security Service, part of whose remit is supposed to be giving protection advice against electronic attacks over the internet, is sending all our personal details (forename, surname and email address) unencrypted to commercial third party e-mail marketing and tracking companies which physically and legally in the jurisdiction of the United States of America, and is even not bothering to make use of the SSL / TLS encrypted web forms and processing scripts which are already available to them," Spyblog rants.

Ha. From The Register.

Personal firewall for the RFIDs you carry

Xavier Ashe — Thu, 07 Dec 2006 12:08:35 -0500

A Platform for RFID Security and Privacy Administration is a paper by Melanie R. Rieback and Georgi N. Gaydadjiev that won the award for Best Paper at the USENIX LISA (Large Installation Systems Administration) conference today. It proposes a "firewall for RFID tags" -- a device that sits on your person and jams the signals from all your personal wireless tags (transit passes, etc), then selectively impersonates them according to rules you set. Your contactless transit card will only send its signal when you authorize it, not when some jerk with an RFID scanner snipes it as you walk down the street. The implementation details are both ingenious and plausible -- it's a remarkable piece of work. Up until now, the standard answer to privacy concerns with RFIDs is to just kill them -- put your new US Passport in a microwave for a few minutes to nuke the chip. But with an RFID firewall, it might be possible to reap the benefits of RFID without the cost.

This is a must-read paper for anyone who cares about electronic privacy and who wants to catch a glimpse of the future.

Download the full paper (PDF). [via]

6 DMCA new exemptions - good and bad...

Xavier Ashe — Fri, 24 Nov 2006 19:51:57 -0500

Copy protection on games for which there is no longer support from any publisher is no more. Under the new DMCA laws, copy protection can legally be cracked is the copyright holder no longer has any interest in the game.

This means that old school games can now be preserved, and there shouldn't be any legal ramifications to the individual or group who does so.

Other alterations to the laws included allowing cell phone software to be cracked to allow for use on other service providers, allowing blind people to use third-party software to read copy-protected books, and allowing educators to make DVD scene compilations.

The new laws will begin on Monday and last for three years.

From GWN. [via] EFF has more details about all 6 changes in the DMCA code:

1. Audiovisual works included in the educational library of a college or university’s film or media studies department, when circumvention is accomplished for the purpose of making compilations of portions of those works for educational use in the classroom by media studies or film professors.

2. Computer programs and video games distributed in formats that have become obsolete and that require the original media or hardware as a condition of access, when circumvention is accomplished for the purpose of preservation or archival reproduction of published digital works by a library or archive. A format shall be considered obsolete if the machine or system necessary to render perceptible a work stored in that format is no longer manufactured or is no longer reasonably available in the commercial marketplace.

3. Computer programs protected by dongles that prevent access due to malfunction or damage and which are obsolete. A dongle shall be considered obsolete if it is no longer manufactured or if a replacement or repair is no longer reasonably available in the commercial marketplace.

4. Literary works distributed in ebook format when all existing ebook editions of the work (including digital text editions made available by authorized entities) contain access controls that prevent the enabling either of the book’s read-aloud function or of screen readers that render the text into a specialized format.

5. Computer programs in the form of firmware that enable wireless telephone handsets to connect to a wireless telephone communication network, when circumvention is accomplished for the sole purpose of lawfully connecting to a wireless telephone communication network.

6. Sound recordings, and audiovisual works associated with those sound recordings, distributed in compact disc format and protected by technological protection measures that control access to lawfully purchased works and create or exploit security flaws or vulnerabilities that compromise the security of personal computers, when circumvention is accomplished solely for the purpose of good faith testing, investigating, or correcting such security flaws or vulnerabilities.

UK Passport RFID Cracked

Xavier Ashe — Fri, 17 Nov 2006 12:58:57 -0500

Three million Britons have been issued with the new hi-tech passport, designed to frustrate terrorists and fraudsters. So why did Steve Boggan and a friendly computer expert find it so easy to break the security codes?
...

"The Home Office has adopted a very high encryption technology called 3DES - that is, to a military-level data-encryption standard times three. So they are using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are then breaking one of the fundamental principles of encryption by using non-secret information actually published in the passport to create a 'secret key'. That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat."

Within minutes of applying the three passports to the reader, the information from all of them has been copied and the holders' images appear on the screen of Laurie's laptop. The passports belong to Booth, and to Laurie's son, Max, and my partner, who have all given their permission.

Booth is staggered. He has undercut Laurie by finding an RFID reader for £174, which also works. "This is simply not supposed to happen," Booth says. "This could provide a bonanza for counterfeiters because drawing the information from the chip, complete with the digital signature it contains, could result in a passport being passed off as the real article. You could make a perfect clone of the passport."

From The Guardian.

Why you should protect your wireless network with WPA

Xavier Ashe — Mon, 30 Oct 2006 18:20:05 -0500

RFID in the mail... No need to open the Envelope!

Xavier Ashe — Mon, 23 Oct 2006 16:10:36 -0400

They call it the “Johnny Carson attack,” for his comic pose as a psychic divining the contents of an envelope.

Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.

Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.

The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate “128-bit encryption,” and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government.”

But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder’s name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.

Good Article in the New York Times. Found on Boing Boing, which has more links:

And here is a related post from the guys who did the hack on RFID-cusp blog. (Thanks, Tom Heydt-Benjamin).

Consumerist has a post worth reading here.

Anti-RFID activist group CASPIAN has a response here (see also these previous BB posts about the group's founder, Katherine Albrecht).

Fugitive exec nabbed after Skype call

Xavier Ashe — Fri, 25 Aug 2006 10:55:27 -0400

Kobi Alexander, the founder of Comverse, was nabbed in Negombo, Sri Lanka yesterday by a private investigator. He is wanted by the US government in connection with financial fraud charges. He is accused of profiting from some very shady stock-option deals, to the detriment of Comverse shareholders. Once the deals became public and he was indicted, he resigned as CEO and fled the US.

Alexander was traced to the Sri Lankan capital of Colombo after he placed a one-minute call using Skype. That was enough to alert authorities to his presence and hunt him down.

The fugitive former CEO may have been convinced that using Skype made him safe from tracking, but he—and everyone else that believes VoIP is inherently more secure than a landline—was wrong. Tracking anonymous peer-to-peer VoIP traffic over the Internet is possible (PDF). In fact, it can be done even if the parties have taken some steps to disguise the traffic.

VoIP and law enforcement have been in the news lately, due primarily to the Communications Assistance for Law Enforcement Act. CALEA, passed in 1994, gives the FBI the ability to easily tap landline and cell phone calls. As written, CALEA had originally included some exemptions for Internet-based systems, but the FBI convinced the Federal Communications Commission that they should not apply to VoIP traffic. As a result, VoIP operators in the US will need to make their systems wiretap friendly.

If nothing else, Alexander's capture reinforces the message that despite appearances, nothing we do on the Internet is truly anonymous.

From ArsTechnica

Federal judge orders halt to NSA spy program, rules it unconstitutional

Xavier Ashe — Thu, 17 Aug 2006 13:34:58 -0400

In the first federal challenge ever argued against the Bush administration's NSA spying program, U.S. District Court Judge Anna Diggs Taylor rules that the program to monitor the phone calls and e-mails of millions of Americans without warrants is unconstitutional. Calling for a halt to this abuse of presidential power, Judge Taylor states that "[t]here are no hereditary Kings in America and no powers not created by the Constitution," so all the president's "inherent powers" must derive from the Constitution.

Just announced! From the ACLU website. Read the decision from the courts (PDF). Here's the CNN story.

UPDATE: A Banner across the top on CNN.com reads: The U.S. Department of Justice has announced that it will appeal a federal judge's ruling that the government's warrantless wiretapping program is unconstitutional. Guess the fights moves on.

Plausible Deniability ToolKit

Xavier Ashe — Mon, 07 Aug 2006 08:56:34 -0400

We can only hope you are viewing this via Tor. Once you are done, clear your browser cache. Reading about Plausible Deniability should not be crime, but unfortunately having done so could be considered circumstantial evidence that could be used against you.

The Plausible Deniability Toolkit is not a set of tools to download, but a set of ideas and philosophies to adapt to protect your privacy in an ever-increasingly scary world of eroding personal rights. The "hacker defense" rarely works, even if it is the truth!

This idea was first proposed at DefCon 14. The slides are available here. As the talk was just given, please give us a few days of sobriety to add to this page, and know there are a lot more links coming in the next few days. Feel free to send suggestions to pdtk@nmrc.org, but this in itself could be risky. We would advise you to sent up a Hotmail, Yahoo, or Gmail account via Tor just for this purpose, and GPG the message if you like. We will have a pdtk GPG key in a few days.

Plausible Deniability ToolKit

Human Implanted RFID Cloned at HOPE

Xavier Ashe — Mon, 24 Jul 2006 16:45:06 -0400

Newitz said she has an RFID chip implanted in her right arm manufactured by VeriChip Corp., a subsidiary of Applied Digital.

“Their Web site claims that it cannot be counterfeited — that is something that Jonathan and I have shown to be untrue.”

The pair demonstrated the cloning process: Westhues held a standard RFID reader against Newitz’s arm to register the chip’s unique identification number.

Next, Westhues used a home-built antenna connected to his laptop to read Newitz’s arm again and record the signal off her implanted chip.

Westhues then takes the standard RFID reader and waves it past his laptop’s antenna. The reader beeps, showing Newitz’s until then “unique” ID. “It actually has no security devices what-so-ever,” Newitz said of VeriChip’s claims that its RFID chips can not be counterfeited.

Read the full story on Reuters Newsblogs.

A Chronology of Data Breaches Reported Since the ChoicePoint Incident

Xavier Ashe — Tue, 11 Jul 2006 09:09:00 -0400

The data breaches noted below have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. A few breaches that do NOT expose such sensitive information have been included in order to underscore the variety and frequency of data breaches. However, we have not included the number of records involved in such breaches in the total because we want this compilation to reflect breaches that expose individuals to identity theft as well as breaches that qualify for disclosure under state laws.

The running total we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims of more than one breach, which would affect the totals.

For tips on what to do if your personal information has been exposed due to a security breach, read our guide.

Get the List.

VA laptop recovered; FBI says data not accessed

Xavier Ashe — Thu, 29 Jun 2006 15:42:39 -0400

The government has recovered a stolen laptop computer and hard drive with sensitive data on up to 26.5 million veterans and military personnel.

The FBI said Thursday there is no evidence that anyone accessed Social Security numbers and other data on the equipment.

Veterans Affairs Secretary Jim Nicholson, in announcing the recovery of the computer, said there have been no reports of identity theft stemming from the May 3 burglary at a VA employee's Maryland home.

The FBI, in a statement from its Baltimore field office, said a preliminary review of the equipment by its computer forensic teams "has determined that the data base remains intact and has not been accessed since it was stolen." More tests were planned, however.

Nicholson said the laptop and hard drive were turned in to the FBI. No suspects were in custody.

From CNN. So some punk kid who broke into his house finally watched the news and figured he better turn it in. Good move. I know this will make many veterens very happy.

Get your claim in against Sony/BMG

Xavier Ashe — Tue, 23 May 2006 15:56:13 -0400

Listen up anyone who "purchased, received, came into possession of or otherwise used" music CDs containing Sony's flawed DRM software anytime after August 1, 2003. Under the terms of the class action settlement approved Monday, you are entitled to file a claim for a replacement CD, free downloads of music from that CD (with Apple's iTunes named as one of the three download services, ironically), and even "additional cash payments" which we presume are likely to amount to a stack of Abes not Benjamins, folks. Pretty much what Sony BMG was already offering to their customers when this whole fiasco hit back in November. Additionally, Sony BMG definitively agreed to halt manufacture or distribution of that XCP and MediaMax nastiness masked by the rootkit. Now be sure to get your claim in now consumers, so that Sony BMG hears loud and clear that you do know what a rootkit is, and yes, you care. Afterall, the settlement only lasts until the end of 2007 at which point Sony BMG is free to introduce copy protection software once again. Click for a PDF copy of the settlement.

From Engadget.

DOJ jails Spam King, Alan Ralsky

Xavier Ashe — Fri, 28 Apr 2006 19:34:25 -0400

Local hacker "Memehacker" IMed in with a scoop on Alan Ralsky, the famed "Spam King" covered by the Observer and the Detroit News. Here's the breaking story:

Valleywag: Tell me the scoop in three sentences.
Memehacker: Alan Ralsky is currently being held by the feds and his file is sealed for the next 72hrs by the DOJ. We are concerned that he is going to narq out the entire network since they have enough on him to send him to jail. This means hackers, spammers, anyone who has worked in spam legally or illegally for the last 5 years at least.

The DOJ wants to do a dragnet, they have the top dog, but they want the whole system as well.

Get the scoop on Valleywag. (via)

Wireless Recycling

Xavier Ashe — Fri, 28 Apr 2006 19:09:13 -0400

Wireless Recycling has a slick interface which walks users through the steps necessary to secure old cellphones before passing them off to others.

The process is as simple as selecting your phone manufacturer, make / model, and clicking ‘Submit’. The end result is a downloadbale PDF file for securing your mobile handset of any personal data.

From UNEASYsilence.

Studies Say HIPAA Privacy Rule Compliance Not Improving

Xavier Ashe — Thu, 27 Apr 2006 11:24:57 -0400

According to a survey from the American Health Information Management Association (AHIMA), compliance with the Health Insurance Portability and Accountability Act (HIPAA) patient privacy rules appears to be on the wane. Of 1,117 hospitals and health systems responding to the survey, 91 reported HIPAA compliance last year while 85 percent said they were in compliance this year. The top reasons given for declining compliance were "lack of resources and diminished management support." However, 75 percent of respondents said they were "fully or mostly compliant" with HIPAA's information security rules, marking a 60 percent improvement over last year's figure. A separate study conducted by Phoenix Health Systems and Healthcare Information and Management Systems Society (HIMSS) found the level of compliance with patient privacy rules among companies involved in health care is higher than 80 percent, but says that figure has not changed in the last six months. The respondents in this study said their problems with compliance were due to HIPAA's vaguely worded rules and the ever-changing array of available technology.
-http://govhealthit.com/article94120-04-19-06-Web
-http://www.eweek.com/article2/0,1759,1949646,00.asp

From SANS News Bites.

ISP snooping gaining support

Xavier Ashe — Tue, 18 Apr 2006 16:40:26 -0400

The explosive idea of forcing Internet providers to record their customers' online activities for future police access is gaining ground in state capitols and in Washington, D.C.

Top Bush administration officials have endorsed the concept, and some members of the U.S. Congress have said federal legislation is needed to aid law enforcement investigations into child pornography. A bill is already pending in the Colorado State Senate.

CNET News.com was the first to report last June that the U.S. Department of Justice was quietly shopping around the idea of legally required data retention. But it was the European Parliament's vote in December for a data retention requirement that seems to have attracted broader interest inside the United States.

At a hearing last week, Rep. Ed Whitfield, a Kentucky Republican who heads a House oversight and investigations subcommittee, suggested that data retention laws would be useful to police investigating crimes against children.

Wow. From C|Net News.

All About NSA's and AT&T's Big Brother Machine, the Narus 6400

Xavier Ashe — Tue, 11 Apr 2006 12:44:54 -0400

Earlier today we found out that the EFF had sued AT&T over their secret work with the NSA on surveillance of millions of US citizens without wiretaps. We learned that paragraph 65 of this complaint shows EFF is trying to turn it into a nationwide Class Action suit covering all current and former customers (any after 9/2001) of AT&T. And we learned that a retired AT&T technician had stepped forward and disclosed the installation of secret NSA spy equipment in the San Francisco trunk facility. As well as the belief that similar equipment is in place in Seattle, San Jose, Los Angeles and San Diego.

Specifically, this equipment was the Narus ST-6400, a machine that was capable of monitoring over 622 Mbits/second in real time in May, 2000, and capturing anything that hits its' semantic (i.e. the meaning of the content) triggers. The latest generation is called NarusInsight, capable of monitoring 10 billion bits of data per second.

Follow me over the jump and let's learn some more about the private company Narus, it's founder Ovi Cohen, and board member Bill Crowell. Shall we?

Read it all on Daily Kos.