Tech News Weekly: Edition 05-09

http://news.cnet.com/8301-13772_3-10149229-52.html
We'll start this week's news with a little something light hearted. It seems instrument panels have been left unlocked and default passwords left unchanged on many large roadside electronic billboards which has given rise to Road Sign Hacking.

We see them everywhere these days, digital signs by the side of the road telling us about road conditions or that we should prepare to stop or that our local bridge might be closed next Tuesday from noon to midnight. And if you're like me, you've always just assumed that the message on the signs is legitimate and properly authorized.

But what if the sign, instead of reading something like "Ice Ahead" was flashing the message, "Zombies Ahead"?

http://arstechnica.com/hardware/news/2009/01/hard-drive-manufacturers-unveil-disk-encryption-standard.ars
The major storage manufacturers have agreed to a standardized form of disk encryption based on 128 or 256 bit AES.

The Trusted Computing Group (TCG) has released three final specifications for hardware-level data encryption, and virtually all the major storage manufacturers have declared that they intend to adopt the new standards in the near future. Self-encrypted disks are already available on the market— Seagate has been actively pushing its DriveTrust technology for several years—but there was no central standard for drive encryption developers to refer to. The two new encryption standards provide a blueprint for desktop, laptops, and enterprise-level protection, while the third (dubbed the Storage Interface Interactions Specification) details how self-encrypted drives should interact with various communication protocols.

These new encryption methods do not require the presence of a Trusted Platform Module (TPM), but it's hard to imagine why an OEM would bother to build a system using self-encrypting hard drives and not include one. The TCG expects self-encrypting drives (and presumably TPM modules) to become ubiquitous across the enterprise/business market over the next few years. "With 48 states and many countries enforcing data protection laws, it has become crucial for enterprises to protect all data to avoid fines, lawsuits or even being put out of business. Encryption with authentication directly in the drive or enterprise storage devices as outlined in the Trusted Computing Group specifications is one of the most effective ways to ensure data is secure against virtual and physical attacks,” noted Jon Oltsik, senior analyst, Enterprise Strategy Group.

http://arstechnica.com/tech-policy/news/2009/01/ct-legislator-moves-to-protect-online-student-speech.ars
In relation to the case of Avery Doninger (here and here) who was denied certain rights at school due to a post on her LiveJournal labeling school administrators "douchebags", a member of Conneticut's General Assembly has proposed laws to spell out the rights of students and educators regarding free speech on the Internet.

Thursday, we checked in on the case of Avery Doninger, the former Connecticut high school student who was barred from seeking reelection to her student council seat after calling school administrators "douchebags" in a LiveJournal post. As we noted, a federal court has ruled that, given the fuzzy state of the law concerning the scope of school authority over online student speech, Doninger can't press her First Amendment claim for damages against those who punished her. She plans to appeal that decision, but one state legislator has already declared his intention to introduce a bill establishing separation of blog and state.

According to the Journal-Inquirer, a local paper, former high school teacher Gary LeBeau, who sits on the state's General Assembly, will seek to create a "bright line" between speech produced on school computers or sent over school networks—which falls within the school's disciplinary purview—and private speech merely concerning the school. The court had found such a line lacking because "

• ff-campus speech can become on-campus speech with the click of a mouse."

http://arstechnica.com/microsoft/news/2009/01/microsoft-asks-open-source-developers-to-play-in-web-sandbox.ars
Microsoft has released its Web Sandbox technology under the Apache License 2.0, enabling its use in open source projects.

Microsoft has announced plans to release the code of its Web Sandbox project under the open source Apache Software License. This move reflects Microsoft's growing interest in contributing to interoperable standards-based Web technologies and also demonstrates the company's willingness to adopt well-established open source licenses for its own projects.

The Web Sandbox project aims to mitigate some of the security risks that are associated with building Web mashups that mix in untrusted content from third-party sources. The task of isolating untrusted code poses some complex technical challenges. Web Sandbox is one of several ongoing research projects that are implementing experimental solutions. It is similar in function to Google's Caja project.

http://arstechnica.com/tech-policy/news/2009/01/digital-britain-will-legislate-graduated-response-for-isps.ars
Britain is preparing legislation that will require ISPs to install a graduated response system to reports of piracy.

The UK has officially announced its intention to legislate a "graduated response" system for P2P copyright infringement, though it sounds remarkably balanced compared to some proposals; the government insists that the "availability of legal content in the forms that consumers want" is actually the most important step content owners can take to address the problem. Disconnection of users without a court order appears not to be on the table, either.

The government's long-awaited interim Digital Britain report has just been released. It's a lengthy document that lays out UK thinking about universal broadband, spectrum reform, and digital radio, but nestled right in the middle of the report is one of the most controversial ideas: a mandatory "code" for ISPs to follow, and the creation of a government "Rights Agency" to help stakeholders deal with the issue of civil copyright infringement online.

http://arstechnica.com/gaming/news/2009/01/pc-gears-of-war-drm-causes-title-to-shut-down-starting-today.ars
In a stunning example of how DRM comes back to bite the legitimate consumer in the proverbial backside, the PC game Gears Of War was rendered unplayable for legitimate owners on the 28th when the certificate used in the registration process expired.

Gamers who tried to play Gears of War on the PC Thursday ran into a slight snag: it seems that the digital certificate that allows the game to run expired on January 28, 2009. Basically that means if you keep your PC's clock up to date, you can no longer play the game. The official Epic forum is ablaze with complaints about this issue, as the still-kicking community becomes enraged.

"I had this problem this evening, I had to change the date and time (from PM to AM) and I am able to get in just fine," one frustrated gamer posted. "I also changed it back to the current date and time and it didn't work. Change it back to yesterday AM and it works fine... EPIC games won't be on my list anytime soon...."

http://arstechnica.com/gaming/news/2009/01/judges-ruling-that-wow-bot-violates-dmca-is-troubling.ars
The popular 'Glider' bot for World of Warcraft was ruled to be a 'circumvention device' under the DMCA and that the founder of the company who produced it was personally liable for the actions of the company.

Blizzard notched another victory in its legal campaign against World of Warcraft bots when a judge on Wednesday ruled that a leading bot violates the Digital Millennium Copyright Act. MDY Industries LLC, the firm that develops and sells the Glider bot, already suffered a major setback last summer when the judge granted Blizzard summary judgment on several key issues. This week's decision deals with the issues the judge believed could not be decided until the conclusion of this month's trial. The judge ruled that Glider violated the DMCA's ban on "circumvention devices," and he also found that MDY's founder, Michael Donnelly, was personally liable for the actions of his firm.

As we've noted before, Blizzard's legal arguments, which Judge David G. Campbell largely accepted, could have far-reaching and troubling implications for the software industry. Donnelly is not the most sympathetic defendant, and some users may cheer the demise of a software vendor that helps users break the rules of Blizzard's wildly popular role playing game. But the sweeping language of Judge Campbell's decision, combined with his equally troubling decision last summer, creates a lot of new uncertainty for software vendors seeking to enter software markets dominated by entrenched incumbents and achieve interoperability with legacy platforms.

http://arstechnica.com/security/news/2009/01/meet-son-of-storm-srizbi-2-0-next-gen-botnets-come-online.ars
I would normally consider stories like this to be sensationalist, but it does include some interesting tidbits about the next generation of botnets.

As notable as the sustained fall-off in spam levels has been, we've all known it's only a matter of time before botnets began to worm their way back into the the Internet. It turns out that part of the reason spam levels may have stayed lower these past months is that the same authors who might have normally spent time resurrecting their dead botnets on new servers were instead writing new botnets altogether. The new malware networks aren't just rehashes of what's come before; many of them incorporate advanced techniques to render themselves harder to detect/remove.

First the good news: SecureWorks reports that Storm is dead, Bobax/Kraken is moribund, and both Srizbi and Rustock were heavily damaged by the McColo takedown; Srizbi is now all but silent, while Rustock remains viable. That's three significant botnets taken out and one damaged in a single year; cue (genuine) applause.

http://arstechnica.com/tech-policy/news/2009/01/icanns-fast-flux-report-open-for-comments-short-on-data.ars
Domain registrars are concerned about efforts by ICANN to determine what can be done about the use of Fast Flux hosting for illegal purposes.

Fast flux and double flux hosting present both registrars and registrants with a thorny problem. These two hosting methods are not classified as attack methods in and of themselves, but are often employed by spammers and malware botnets.

At "best," fast flux hosting obfuscates and delays security personnel working to shut down an attack; a particularly sophisticated double flux hosting system could allow a botnet to grow and remain active long enough to establish itself as a threat of Storm-worthy proportions. That last mention isn't an accident; fast flux hosting was a prominent Storm tactic.

http://arstechnica.com/telecom/news/2009/01/verizon-weve-having-a-little-database-trouble.ars
US ISP Verizon have "lost" 3,400 database records pertaining to customers who chose to opt-out of their marketing campaign.

Verizon seems to have run into a glitch with one of its customer databases, losing thousands of  records. Here's the background: in compliance with Federal Communications Commission rules, the company has established a system to permit consumers to "opt out" of letting Verizon use their phone records for marketing campaigns.

The wireless giant hires a vendor to handle these requests. Verizon then integrates this data, or "customer proprietary network information" (CPNI), into a database, which it says it checks prior to launching a campaign. CPNI usually includes calling records and the services that consumers use, such as voicemail or call forwarding. The opt out system caused quite a stir in late 2007, when the FCC beefed up its CPNI security rules, but it has more or less faded into the background auto flow of telecom policy since then.

http://arstechnica.com/telecom/news/2009/01/irish-isp-agrees-to-disconnect-repeat-p2p-users.ars
An Irish ISP has settled a court case with the music industry by agreeing to a graduated response plan to target repeat offenders in online piracy.

One of Ireland's largest ISPs, Eircom, has capitulated to the major music labels and agreed to implement a full "graduated response" program—complete with disconnections. Users get two warnings regarding file-sharing, and a third violation brings down the banhammer. The music industry has already said that it intends to pursue the same agreement with Ireland's other ISPs.

The dispute began some time ago when the Irish branches of EMI, Warner, Universal, and Sony filed suit against Eircom. They charged that the ISP was essentially aiding and abetting piracy by doing things like advertising its services on The Pirate Bay, and the labels believed they could get a judge to force the ISP to install network monitoring equipment.

http://arstechnica.com/tech-policy/news/2009/01/cox-opens-up-throttle-for-p2p-non-time-sensitive-traffic.ars
US ISP Cox is preparing to throttle "non time-sensitive" traffic across its network.

It takes guts—or perhaps something a bit further down the anatomy—to wait until Comcast has been smacked down for singling out P2P, the Obama administration has come to power, and Democrat Michael Copps (temporarily) heads the FCC to roll out a new Internet traffic management system that delays only some kinds of content during moments of congestion.

But that's exactly what Cox Cable, the third largest cable system in the US, has just announced.

According to the announcement made Tuesday night, Cox will trial the system in Kansas and Arkansas first, expanding it to the rest of its territory later in the year if all goes well.

http://news.bbc.co.uk/2/hi/uk_news/education/7850871.stm
The British "Child Protection Database", containing contact details for every under-18 year old in England will be accessible to 390,000 people, and parents will not be permitted to have their child removed from the database, it has been revealed.

The ContactPoint database is intended to improve information sharing between professionals working with children.

Children's Minister Baroness Morgan said parents would not be allowed to remove their children from the list.

The Conservatives attacked the £224m database as "another expensive data disaster waiting to happen".

The Liberal Democrats have also previously opposed what they called an "intrusive and expensive project".