Rossander’s Security Reader

Eric S Raymond (aka ESR, one of the founders of the Open Source software movement and outspoken computer advocate) wrote a scathing letter to former Senator and current Chairman of the MPAA, Chris Dodd over his claim that “Hollywood is pro-technology and pro-Internet.”

ESR’s letter is worth a read, especially if you care about copyright, privacy and the long-term function of the Internet. Read it here.

online.wsj.com/Dear Google User

Very funny. Depressing, but funny.

During a recent password audit by a company, they found that one employee was using the following password:

“MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento”

When asked why she had such a long password, she rolled her eyes and said: “Hello! It has to be at least 8 characters long and include at least one capital.”

Sounds like a pretty good password to me.

The Privacy Rights Clearinghouse launched a new online complaint form to give consumers a better way to speak out about privacy concerns.

The PRC is a non-profit, consumer advocacy and education organization established in 1992 to:

• Raise consumers’ awareness of how technology affects personal privacy.
• Provide practical tips on privacy protection.
• Respond to specific privacy-related complaints from consumers, and when appropriate, intercede on their behalf.
• Advocate for consumers’ privacy rights in local, state, and federal public policy proceedings, including legislative testimony, regulatory agency hearings, task forces, and study commissions.

The PRC has done some outstanding work in the past and I’ve written about them before but they’ve always been hampered by the fact that most consumers suffer in silence. When they don’t get data about privacy abuses, they can’t act to fix them.

The new online form should make it easier for customers to report infractions, bad corporate policies and other privacy problems. If you have a privacy concern, please don’t hesitate to report it and please give the PRC permission to include your complaint in their reports to the media and/or to the Federal Trade Commission.

It’s an interesting morning. I received three spam messages in rapid succession, each alleging to come from “NSA online security” and reporting a “critical vulnerability” in “a certain types of our token devices.” While I don’t expect perfect grammar from a government functionary, the mistakes in this email were pretty obvious. The alleged link to “fix” the problem point to “national-security-agency.com” which looks pretty plausible until you remember (or look up) that the real NSA uses the domain nsa.gov.

What’s interesting about this case is that it’s a fairly blatant example of an attempt to turn your computer into a zombie using the ZeuS Command&Control attack. If I had been stupid enough to click the link, I would have launched an executable program that would log every keystroke that I make on the machine and that would grab a copy of every form I fill out online. Since that would include my online banking login page, it would have given the hacker access to all my banking information.

ZeuS is a moderately old Trojan Horse but it is remarkably difficult for anti-virus programs to detect, even when kept completely up-to-date. ZeuS is alleged to be one of the largest botnets in the world, infecting some 3.6 million computers in the US alone.

The continued success of attacks like this show why you can never rely only on your anti-virus software. Read your email carefully, be suspicious and never click a link if you’re not sure that it’s safe to do so. Remember – it’s not paranoia when they really are out to get you.