Slashdot Mirror

At least the story also appeared on the (usually very reliable) Heise Newsticker.

Whether it will fly in the EU is another thing...

(If someone is interested in the acutal interview, here is a (german) link: Die erotischen Probleme der Menschen im Weltall sind nicht das Thema)

"guaranteed work for the next decade" by computer security experts worldwide.

Totally! And make no mistake: That's by design, not by error: NSA access was built into Windows: http://www.heise.de/tp/r4/artikel/5/5263/1.html

Additionally, it may be of great interest and surely value for everyone to know and realize that the NSA is except from all laws that do not specifically mention NSA in the text of that law. Check it our for yourselves. THAT MEANS THAT ONLY LAWS WHERE NSA IS SPECIFICALLY MENTIONION NSA APPLY TO NSA. They are the premiere intelligence agency in the world, they answer to no-one and only a handful of laws actually apply to them... Scared yet? That's just the tip of the iceberg of trouble we're in.

No, that's the death of America!

It's beyond me how not anyone could have flagged your post as "insightful". I object most strongly to the entire sentiment of your post.

To put things into perspective: I'm not at all worried about this particular case. I know that whatever I send over the Internet can and probably will be snooped by Echelon, and even without that, the Internet is simply not a safe medium for confidential data. Nor am I suprised that not all data is necessarily instantly destroyed. Nor that Google is involved. The bigger the target, the more likely the attack.

What concerns me is your sheep-like blind faith in your corrupt and evil government, combined with your attitude of "if I give up some of my freedoms, this will enable my government to protect me better." You and countless ill-informed dimwits like yourself are the supportive base of a massive, concerted, very deliberate attack on the American Way, the American Constitution and the ideals on which the country was founded. Many good men died for your right not to be micro-managed by an intrusive and abusive government, and your mindless surrender of this right invalidates their lifetime heartblood.

I'll try to calm down briefly to explain better why I am ranting at you. Here are some things that need to be considered:

First off, the actual threat to your life and safety from terrorism is negligible. Acts of terrorism usually kill a few dozen to maybe a few hundred people. 9/11 was an outstanding exception that will hopefully be the high water mark for one or more decades. Yes, it sucks to be one of the 3500 people killed in NY, but please consider that:

• Many, many more people are killed every year in the US by gun-wielding Americans;
• Many, many more are killed by reckless and/or drunk drivers;
• Far more die early because they willingly neglect their health, either smoking or drinking or eating excessively;

On the other hand, there is strong evidence that US lawmakers do not have your interests at heart:

• the sudden loss of interest in the case against Microsoft when Bush took office;
• the new flurry of draconian laws against media file copiers at the behest of the *AA;
• the inappropriate extension of copyright terms;
• the recent ruling for industry and against residents in the "resident domain" thing;
• Bush's attempted sell-out of control of US ports to the UAE.

Your corrupt government is relentlessly extending its own powers to act against its citizens as it pleases, and using terrorism as an excuse. Much of the newly-acquired power is being used to support wealthy industries, not honest citizens. THIS is the real danger, and you are in support of it. I cannot begin to express how strongly I loathe your stupidity.

But, getting pissed because a German web server does not have English content is assine.

heise a german news site has just published an articles saying IBM denied the claims http://www.heise.de/newsticker/meldung/70532

I'd be disappointed if NSA ever resorted to anything so crude.

I hate to burst your bubble, but the NSA already *was* that crude, and IMHO they will be so crude again. And getting traffic data by asking carriers to hook the NSA up to billing records as they do now is crude... but not *that* crude.

You could ask yourself: "does anyone follow the same ingenuity standards when solving a math problem as when preventing people from blowing themselfs up in de subway?". (The same question works for groups that worked to prevent the Soviet union from nuking New York all together... along with the rest of the US.)

I dont think they would want to backdoor windows with a full covert channel though. They would get caught and China doesn`t trust US communication equipment anyway. (Though China must love equipment that comes with plenty of FBI and ETSI mandated "lawfull interception" functionality.) Ofcourse the US would be smart if more people cared even a tiny bit as much about who manufactures and operates their critical communications infrastructure as they do about who owns the companies that own the ports. (Not that I have anything against Israel, but lets say the 8200 branch isn`t as crude as the NSA once was.)

Maybe the NSA will have someone add an intentionally, but denyably, crappy random generator. (Kind of like the flawed stream crypto in the GSM specs.)

Read up on "the crypto wars" to see just how breathtakingly blunt the NSA is when it fights together with the FBI.

If you pick up body of secrets your disapointment might be mixed with exitement over how blunt tricks can be cool just the same. Cant crack soviets codes? sounds like a great reason to research TEMPEST and traffic analyses. Wanna know what soviet sigint people are up to? Parachute on a North Pole ice berg used as eavesdropping base after its abandoned by the Soviets... because the wheather is to dangerous.

On a good day, the NSA does what just works... on a bad day they spend billions trying to build something that just works ;-)

-FL

For at least Windows 95 OSR2, 98, NT, and 2000 Microsoft has included a secret cryptographic key owned by the U.S. National Security Agency (NSA). It's most likely that the NSA's key exists within Windows so U.S. government users of Windows can run classified cryptosystems on their computers. But it has been kept secret and it does provide the potential for abuse. "According to Fernandez of Cryptonym, the result of having the secret key inside your Windows operating system 'is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system.'" Users of Windows outside the U.S. should be especially concerned that the U.S. government can possibly gain security control over their computers. Users within the U.S. should also be concerned that Microsoft has provided the government with a secret back door that they can exploit. (Campbell, Duncan. "How NSA access was built into Windows." Heise Online 4 Sept 1999)

SANS says it's an automatic download in Safari though it should still need the administrator password. I can't get the Mac away from my wife long enough to run the demo with an inert payload,

I see Apple's mistake as being to offer the "Open Safe Files After Download" feature. Do that, and you commit yourself to identifying safe files. It's not enough to have a robust algorithm. It's not enough to be foolproof. Not on a huge network full of clever and hostile people.

http://www.heise.de/ct/english/05/12/148/

There are two different types of DVI you see with computers. DVI-I and DVD-D. DVD-D connectors output digital only, DVI-I output analogue as well. GRaphics cards, at least all the ones you'll ever normally encounter, have DVI-I outputs. They are identifiable by the little 4-connector bisected connector on one end. You can see it noted in the picture here (http://www.heise.de/ct/04/26/224/bild.jpg). So, out of one port the card outputs both Digital data for DVI, and analogue data for RGB.

All the adapters do it take the analogue data and convert the pins to VGA format. This is not an actual converter, like the one you'd need for HDTV.

Your recommendation doesn't handle the sample exploit in Mail.app, unfortunately. Grab this (benign exploit, warning!). Unzip it and then mail the resulting file to yourself. Click the jpg you receive and you're nailed.

Because this was reported by Heise via Michael Lehm via mac-tv.

...and sending the resulting JPG to yourself in Mail.app.

This is rooted in something that has been true about Mac OS in general for over 22 years, which is that any file or document - including executables - can have any icon. Other elements of the OS (such as the Get Info window) properly identify it as a Terminal document (shell script), and show that it is opened with Terminal, but most users won't see or understand this.

I'd expect a security update that addresses this *very* soon. This is a bad one.

Here's a german article on HDMI, the last paragraph of which mentions that spatz has ceased to sell both the DVIMagic and DVIHDCP. Both products were made in asia, and were also available with other badges. Anyone got links to those "clones" or similar devices?

Amazing that the /. community has become so patently biased against technology and its uses. ;-)

Also amazing that /. folks seem to have failed to research all that has happened in the past (you know those who fail to learn from the past are destined to relive it). If you are wondering how long we have known that the US (and other governments) have been engaged in quite an impressive searching for needles in a haystack exercise??.

Has anybody checked???

http://www.heise.de/tp/r4/artikel/6/6929/1.html
http://www.fas.org/irp/program/process/echelon.htm
http://en.wikipedia.org/wiki/ECHELON
http://fly.hiwaay.net/~pspoole/echelon.html

This information has been publicly available for more than a decade. I know for a fact I was reading about it on MOSAIC, the original browser, because I had some X screen captures of some of this same stuff from the early 1990's (yes pre Clinton). So, I would think it would be no surprise that we had the capability. So why all the "Ooooh evil big brother??" comments. Let alone blaming one administration 10-15 years later for deciding to use the capability.

Think about it geeksters. Now that a group of governments have cooperatively the capability to get ~90% all of communications on the earth, capture them, statistically analyze them, and escalate on some heuristic rule based basis to a human most of the electronic communications on the face of the earth, what does this cooperative do? They honestly wouldn't be able to avoid having the phone numbers on both ends, they in the case of modern cell technology even have the location on cells, certainly ANI info, certainly country codes, area codes, billing information, etc. They would also have a nicely digitized voice record of the conversation. And I would hazard could decode this speech > text and then keyword search the voice call to some reasonable degree of accuracy. The idea that they could do this for hundreds of languages, dialects, and accents, and even have some ability for voice printing is pretty no brainer. And further, I hope none of you believe that there are enough humans to work this without some massive filtering done totally automated.

Now, how do I determine the ruleset to abide by the law, in whose country (since it is a cooperative), and on what basis do I determine the relevance of the statistics used? How do I train my operators (the eavesdroppers) to ignore what calls (when a particular message is escalated) despite that parameters of it's content may have far exceeded some notional statistical threshhold for further examination of its content?

Is it the idea that they might listen to your conversations with a paramour the offensive part? Is the offensive part really that you may be reaching some other threshold? Is the offensive part that some of the posters might have some other guilt thing going on? Do those of you out there believe that FISA, or for that matter posse comatatis really means that National Technical Means cannot be used to find you to zero in on your potentially questionable behavior in some other way? Only the worst national security issues are ever going through FISA anyhow. Anything found by ECHELON of less serious character (but still reaching some threshhold) is most certainly, very quietly, and with multiple levels of indirection (never traceable back to ECHELON, it's called plausible deniability in the black world) passed to law enforcement as an anonymous tip from which to start an investigation (never as evidence). The thought that somehow you are safe from this kind of stuff is the worst kind of self denial. Members of congress found otherwise, and tried to protect themselves, NOT US, from faceless bureaucrats like J.

According to the 2nd paragraph (in German) the sender pays, although GPRS traffic is on both ends. The companys didn't say specifically what happens when the reciever is roaming in a foreign net.

"It's about raising the turnover and to prevent others from taking over the service of offering IM, Chat and Videoconferencing", said Wang Jianzhou, president of the world largest cellular service China Mobile.

So, another conglomerate of money grabbing companies that throw themself vigorously behind the train that already left the station.

They should have learnt from the movie/music industry. After a free service is already established, there is very little incentive for a customer to pay for the product.

For those of you who can read German (or don't fear babelfish):

The interesting part ist, that according to Heise News http://www.heise.de/newsticker/meldung/68760 (in German) the police raided the GVU offices in Hamburg. It is assumed that the GVU paid some people for administering warez-servers. Maybe they used it at a honey-pot, but is was illigeal participation, if it is true.

...with Nazi or some sites considered pornographic see http://www.heise.de/newsticker/meldung/67716 ( German) for an example, of course unlike Chinese users German users can still use google.com to get unfiltered results but it's still the same priciple.

(Original article is at http://www.heise.de/newsticker/meldung/68760)

GVU is reported to have sponsored piracy

    Of all things, the Organization for Prosecuting Copyright Infringements (GVU) was targeted in the large search action against the piracy scene. The state attorney's office of Ellwangen suspects the private tracking organization of the film and software industry of having actively supported the distribution of what are called "warez". On Tuesday, investigators of the state Office of Criminal Investigation searched the Hamburg offices and the apartment of a high-ranking employee.

    According to the joint research of the computer magaine c't and the news portal onlinekosten.de, evidence indicates that the GVU went beyond the pale in their investigations against pirates. For a fairly long time, the editorial staffs had received leads from an informant close to the GVU that had been supported by a second source. According to this informant, the GVU is reported to have regularly paid at least one administrator of a central exchange server of the warez scene. It attained log files and with them access IP addresses of this "box" in this way. It is reported to additionally have contributed hardware to equip the platform.

    The server stood in a Frankfurt data center and was called IOH in the scene. It was confiscated today by the police. In a press release regarding the raid, today the GVU themselves emphasized that precisely this server in addition to one other had served "for mass distibution of pirated copies on the Internet".

    For months, multiple release groups copied pirated film copies from their own servers onto IOH via the File Exchange Protocol (FXP) in order to make them accessible for the purpose of faster distribution. From what are called flash servers such as IOH, the files also reach operators of pay servers, for example, where they can be downloaded for payment by consumers. Moreover, the servers act as a source for supplying file sharing services.

    Alongside many pirates, the GVU is reported to have also had access to IOH. Consequently, the private investigators could have had a large interest in ensuring that the "honeypot" remained attractive via a good Internet connection and powerful hardware. If it should be the case that the GVU helped finance the instrastructure of the pirates, this would establish a suspicion of criminally relevant aid to the distribution of warez material.

    The state attorney's office of Ellwangen is clearly entertaining precisely this suspicion. To all appearances, through the seizure today of files of the GVU it would like to glean whether the GVU actually used such questionable investigation methods. The state's attorneys will also have to resolve whether the GVU management and the members, primarily large corporations from the film and software industry, had knowledge of the supposed operations. The investigation results from c't and onlinekosten.de indicate that at least one member of the GVU management (which also once designated its organization as a "small BKA [Federal Criminal Police Office] for copyright infringements") was informed about the operations.

    In a comment, today at midday the GVU merely acknowledged that "the GVU center in Hamburg was also investigated". It was assumed that "it was presumably for the purpose of verifying the information that the GVU had surrendered to the authorities". That surely does not explain why the state attorney's office of Ellwangen required a judicial search warrant for an organization that, according to its own representation, cooperates particularly closely and well with the investigative authorities. The GVU did not comply with a request for a response to the investigation results by c't.

More facts and assumptions have been published here (heise and onlinekosten.de, both of them in German, sorry) and it seems like they copied Antipiratbyrån, paying an admin and probably one of the busiest servers themselves. Police seems to regard this as an possible criminal act and searched not only the office but also private rooms of an high ranking member of said GVU.

Unless your company is not a prison with letters and phone calls prohibited and all
employees are prisoners, it is impossible to prevent that data leaves Your company.

Examples:

- e-mail (encrypted, hidden in other "meaningless" data)
- paper sheets (carried away, not shreddered)
- disks, laptops, USB sticks
- peoples memory(!)

It is a mistake to believe that the amount of data (e.g. the 10GB mentioned in the article)
is equivalent to the importance of the data.

Leaking out a single number can be fatal for the whole company:
  "What will be the price your company is going to tell the customer?"
  "1.500.000"

The next day, the customer receives a similar offer stating 1.420.000 from a competitor.
About 10 Byte of data can change the direction of one and a half million dollars.

see also: http://www.heise.de/ct/english/99/04/174/

Apparently this day has some positive karma towards that kind of news. In Germany a similar thing happened, when the police raided about 20 FTP sites allegedly serving pirated movies. One of the sites taken down during that action was the office and servers of the GVU Gesellschaft zur Verfolgung von Urheberrechtsverletzungen, an office funded by the German content industry to investigate "pirating". Their website was down for half the day, too (GVU. More info to this, in German at heise. -- was ich selber denk und tu, das traue ich den andern zu

In Europe, there was a police raid on a couple of "Release Groups" today, supported by the the GVU (Geman leg of the MPA). Funny thing is, one of the places searched was the GVU's office, becasue they were actively involved in swapping the movies. Two stories about it (in German) one and two

Well, it turns out I was wrong. The first version of the first order was directed at Wikimedia Foundation, St Petersburg, Russia. Five days later they corrected it, and named Jimbo Wales as representative in St Pertersburg [sic!], Florida. German coverage.

no websites could say anything bad about the British Prime Minister, whether the dirt was true or not, do you really think the other E.U. countries would enforce this law against their websites?

No they wouldn't (in fact they don't: animal porn is legal in the Netherlands, illegal in Germany), but that's not the current scenario. Jimbo is not being accused of having broken any German law. It's just a civil matter; the court ruled for this particular temporary injunction that the parents' privacy rights weigh more than Jimbo's right to free speech. Of course if Jimbo doesn't comply with the order it's a different matter, probably something akin to contempt of court. (BTW, in the US you can also get fined and arrested if you don't obey court orders.) Like I said before, I do not know whether but I wouldn't be surprised if the German court can make other EU countries cooperate in cases of contempt of court.

When they make things digitally restricted and quite literally "locked up in crypto bottles" (John Perry Barlow), the fallout (especially among all the tech-savvy that should be the earliest adopters at premium prices) tends to be the one that can be seen from the start of this discussion: an immediate association with practices perceived as "evil" (why would any company in their right mind want to match Microsoft on this one?!) that only billions in advertising (if anything) can make go away again...

Once they do get over their impulse to restrict and restrain, however, and simply sell the customer what the customer wants (cf. reprogrammable Aibos, MP3/4-capable players - and remember when everyone wanted a "Walkman(TM)"?), volume, clever additional applications, and the power of a premium brand more than make up for anything DRM (and lawsuits against tinkerers) could ever have earned them - and this improves rather than taints the image they enjoy in the public eye.

According to the Heise-Online Newsticker ( http://www.heise.de/newsticker/meldung/68586 ) the court has approved wikimedias request for enforcement protection. That means they are allowed to reestablish the redirect, at least until the court decides about their objection against the injunction.
The judge said at this point of time wikimedias interest in providing all articles seems more importand than the postmortal name rights.

Blueplane

Which is WHY China is and SHOULD be using Linux/FLOSS. I myself have said in the past:

If you have any value of your personal, business or governmental responsibility and desire self preservation and independence then you WILL consider microsoft (lower-casing/deprecation of ms' shoddy name intended) for what it is (by default or by intent) as a secret back door to the US NSA and other nations friendly to the USA.

But, don't forget: It's not just China in on Linux-- Japan and other nations in Asia (right or wrong, personal or business) are "collaborating" (in the Asian preservation sense, not the pejorative (aka, Western racist) sense) to make their own regional Linux. TurboLinux is hot in Japan. I've seen the boxes on the shelves in Akihabara. I saw them in Users Side (but not the one in San Jose) or other stores like Laox, and a few others, but some stores there, even in JAPAN, downright refuse to sell or speak Linux. They are far up mshaft's butt (or, each others') purely (I suppose) for profit.

But, back to security, even Lotus Development was found to

See:
TP: Only NSA can listen, so that's OK

http://www.heise.de/tp/r4/artikel/2/2898/1.html

Codename: Echelon: http://www.cybercitycafe.com/explore/echelon.html

But, as for mshaft:

http://www.whale.to/b/nsa3.html

These companies, and many other in the US, which create massively-deployed software that happens to have encryption capabilities MUST (read: are legally required or face jail and fines for failing to) supply the US-designated escrow company those keys, something like every quarter. I once saw some of those "men in black" wearing shades entering a building where I once worked. I quipped to a co-worker: "Who are they? NSA? Coming to pick up crypto?" The guy turned red and admonished me to not be so aloud saying that, and then went on to say that's EXACTLY who and why they were in the building.

ANY software company that ships products with crypto is definitely acting as an agent of the (pick your country) government, ostensibly so the government can track down and prosecute the bad guys. But it's gotta be and OUGHT to be frightening when mshaft's shit is de-facto on every friggin' system (93% or more, depending on the country) by default. Sometimes I think the anti-trust trials were just smoke and mirrors to distract the masses.

I read somewhere else its activated and can't be switched off. Thank you Apple!
Sources: http://www.heise.de/newsticker/meldung/68398 (in German, sorry)

Did you not even read your own article? It's not a registry key -- it's a signing key. Furthermore, the key exists and can be replaced with a known key-pair. You can't know it's "paranoid fantasy" or "urban legend" any more than a tinfoil hat can prove it isn't.

Therefore, any objective judgement must be based on the fact it exists, regardless of how it got there. Arguing about whether it was specifically for clandestine NSA activity is pointless, but I don't like the fact these sorts of things exist.

From this page linked from another comment:

The NSA key inside CAPI can be replaced by your own key, and used to sign cryptographic security modules from overseas or unauthorised third parties, unapproved by Microsoft or the NSA. This is exactly what the US government has been trying to prevent. A demonstration "how to do it" program that replaces the NSA key can be found on Cryptonym's [extern] website.

The first NSA-induced backdoor that was well documented was in Windows 95/98/ME and NT4 and later. A reasonably good writeup is found at http://www.heise.de/tp/r4/artikel/5/5263/1.html (english).

Needless to say, I am not at all surprised that there might be all sorts of backdoors in Windows that we may never know about. This is a really good reason *not* to use it in any environment requiring security.

This is amazingly stupid of Apple. Not only should they have people who check the local laws, they also burned a lot of trust here. It all comes from running around on stage with that creepy guy from Sony last year.

There are a few programs out there that will let you format a drive larger than 32GB in FAT32.

Here are some free ones:
SwissKnife
h2format (direct download link)

here you can see a picture of a fake usb bluetooth adapter. as you can see the antenna is a dummy, the only antenna it has is "drawn" on the pcb. also the bluetooth stack is a different one.

On the eve of a major attack to the windoze OS you tell us other OS' are 3 times worse, yeah right buddy... http://www.theregister.co.uk/2006/01/05/secfocus_z eroday/ http://www.heise.de/english/newsticker/news/68019 http://www.google.ca/search?hl=en&q=Sober.Z+worm&b tnG=Google+Search&meta=

Well, this article (in German) mentions a "privacy-cap" that blinds CCDs with the light of dozens of infrared-LEDs.

According to a heise article (in German only) Firefox is not installed instead of IE, but additionally. While Firefox is the only browser icon on the desktop, IE still is the default browser (that's a rather unusual setup ...).

Bye egghat.

Try the current (January 2006) special number of the german IT magazine iX ("Programmieren mit .Net 2.0") - it comes along with 3 CDs & 1 DVD with full (english) versions of Visual Web Developer 2005 Express, Visual C# 2005 Express and Visual Basic 2005 Express...

Try the current (January 2006) special number of the german IT magazine iX ("Programmieren mit .Net 2.0") - it comes along with 3 CDs & 1 DVD with full (english) versions of Visual Web Developer 2005 Express, Visual C# 2005 Express and Visual Basic 2005 Express...

Also they sold something between 41.817 and 62.000 units in Japan during the first 2 days while they sold 123.000 XBox1 unit in the first 2 days.

Seems like the XBox360 launch is even worse than that of XBox1.

Also they sold something between 41.817 and 62.000 units in Japan during the first 2 days while they sold 123.000 XBox1 unit in the first 2 days.

Seems like the XBox360 launch is even worse than that of XBox1.

According to this article (sorry, german only), the label apologised, but still considers the to be software illegal. From what I read from the article it appears that they consider software that searches for song lyrics illegal unless it includes a build-in lawyer that automatically purges unlicensed sites from the search results. I wonder how long it will take before they go after the big search engines.

It is estimated [german text] that the central german internet exchange DeCIX produces 639.000 CDs of Data per day!

The c't article along with Matsumoto et al's "gummy bear" paper indeed started much of the then-interesting biometric device testing, something which seemingly the makers of the equipment didn't think of themselves. Most biometric devices aimed at the SMB or home markets are of laughable quality, and should never be trusted. Seemingly, nothing has changed suring the past 2-3-4 years. Myself and others did a project on this when I was in college, and we managed to easily make moulds out of play-dough as the referenced article, along with other stuff. c't article in English: http://www.heise.de/ct/english/02/11/114/ Matsumoto et al: http://www.lfca.net/Fingerprint-System-Security-Is sues.pdf ours: http://my.opera.com/olekasper/homes/files/attackin g_fingerprint_sensors.pdf

On the german newsticker http://www.heise.de/newsticker/meldung/66829 it was stated that a "ADSL-Line with 512 kBit/s" is needed. everybody is wondering if they mean a ADSL with 512kBit/s downstream or if they realy need a bandwith of 512kBit/s. any clues? any official information on what bandwith is needed? anybody already tested it? cheers raudi

That's not possible for Diebold's machines, which use Microsoft Windows,

Interesting. Maybe it's not the Supreme Court deciding elections that we need to be worrying about... Maybe this is another reason why Diebold is so resistant to voter-verified paper trails.

You can find a somewhat more indepth article in English on this topic here:
http://www.heise.de/english/newsticker/news/66619

It is a translation of this German article
http://www.heise.de/newsticker/meldung/66530

Due to translation and re-translation, some of the quotes are not 100% original.

You can find a somewhat more indepth article in English on this topic here:
http://www.heise.de/english/newsticker/news/66619

It is a translation of this German article
http://www.heise.de/newsticker/meldung/66530

Due to translation and re-translation, some of the quotes are not 100% original.