Racial profiling no better than random screening
While the TSA always seems to be trying to cover every eventuality, even warning me about my 6 oz. tube of hair gel last week in Rhode Island, statistical studies are showing that racial profiling is no better than random screening in finding terrorist suspects. Just as people with the same names as potential suspects are showing up on watchlists, this is not a good way to determine their threat level. While there certainly are many challenges to generating profiles of potential terrorists, this study released by the Proceedings of the National Academies of Science does a mathematical analysis of how we’re deploying the profiles we do have, and suggests we may not be using them wisely.
The study was performed by William Press, who does bioinformatics research at the University of Texas, Austin, with a joint appointment at Los Alamos National Labs. His background in statistics is apparent in his ability to handle various mathematical formulae with aplomb, but he’s apparently used to explaining his work to biologists, since the descriptions that surround those formulae make the general outlines of the paper fairly accessible.
Press starts by examining what could be viewed as an idealized situation, at least from the screening perspective: a single perpetrator living under an authoritarian government that has perfect records on its citizens. Applying a profile to those records should allow the government to rank those citizens in order of risk, and it can screen them one-by-one until it identifies the actual perpetrator. Those circumstances lead to a pretty rapid screening process, and they can be generalized out to a situation where there are multiple likely perpetrators.
Things go rapidly sour for this system, however, as soon as you have an imperfect profile. In that case, which is more likely to reflect reality, there’s a finite chance that the screening process misses a likely security risk. Since it works its way through the list of individuals iteratively, it never goes back to rescreen someone that’s made it through the first pass. The impact of this flaw grows rapidly as the ability to accurately match the profile to the data available on an individual gets worse. Since we’ve already said that making a profile is challenging, and we know that even authoritarian governments don’t have perfect information on their citizens, this system is probably worse than random screening in the real world.
Many say racial profiling is just another form of racism, but is it an effect of the TSA in picking out possible suspects, or a reflection on what our society sees as a threat? Either way, just as our not being able to take a big bottle of shampoo on a plane, it’s not making us any safer.
HOWTO: disable IPv6 networking in Debian
Tonight I ran netstat (`netstat -plunt`) on my Debian server and saw that I had some ports listening via IPv6. It’s a shame IPv6 hasn’t caught on as it’s better than IPv4 in virtually every way, and it should, especially since TCP/IPv4 was standardized in ARPANET RFCs… in 1981! Also, IPv6 provides network level security via IPSec, which enables authentication of sender and encryption of communication path, to secure communications, all fun stuff, but while some point to the fact that the Beijing Olympics used IPv6 exclusively as a point in how far it’s come, that’s hardly saying much when the protocol went Alpha… in 1996! I mean I put things off and get distracted, sure, but come on! So while its adoption can be argued to be a case of the chicken before the egg, since I’m not using anything IPv6, nor do I or my ISP even have the capability to use it, it’s silly and perhaps dangerous to leave it running with open ports. So, if you’re not using it, disable it – it’s easy, just put on your pointy hat and follow along…
Citizens’ laptops may be detained at border: no suspicion required
Ok, I’ve read this a few times, but I still cannot believe it. Yesterday the Department of Homeland Security disclosed that travelers’ laptop computers “or other electronic devices” can be confiscated, without any suspicion of a crime! Better yet, they can make and share copies of your data, have the data translated, unencrypted, etc. This is especially topical for me since I’ll be leaving the country on Sunday with the laptop that I’m typing this on. “Federal agents may take a traveler’s laptop computer or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed. Also, officials may share copies of the laptop’s contents with other agencies and private entities for language translation, data decryption or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement.” Now I ask you, how fucked is that? “‘The policies . . . are truly alarming,’ said Sen. Russell Feingold (D-Wis.), who is probing the government’s border search practices. He said he intends to introduce legislation soon that would require reasonable suspicion for border searches, as well as prohibit profiling on race, religion or national origin.” So while Congress is now looking at it, the article points out that these procedures have been in place for a long time, but only revealed last month, “…because of public interest in this matter.” So this makes me ask, what else should we be interested in that our government is doing so we can discover other ways our rights are being shoved aside? These tactics are excessive and a violation of individual rights; at the least they can cause an interruption of business, and at most they are a direct invasion of privacy and a violation of civil rights.
And if they can do this, I think the next obvious step would be for them to check on incoming data into the country, why not? What’s the difference if I carry a laptop with data on it into the country versus emailing it into the country? I don’t think it would be that big of a leap; we need to keep up the ‘public interest’ in this matter else we lose more freedoms we didn’t know we had. Go to EFF today to learn what they’re doing to fight for our digital rights and privacy, because the laws are being (re)written NOW!
Black Hat and Defcon: all the drama you’ve been craving
This is great, Defcon16 is a mere few days away, but already, the drama has started! Of course there’s the excitement about security guru/celebrity Dan Kaminsky discovering the DNS flaw a few months back that will be revealed this week (so that folks won’t be able to reverse-engineer them to exploit the vulnerability…ahead of time at least), but now there’s a reneg by Apple that’s sure to ruffle a few feathers, as well as highlight how they weren’t the most forthcoming with their DNS fix (which hasn’t hit yet even though all other vendors have released patches). In an interview, Kaminsky talks about the ‘bug’ he found in DNS, “We got lucky in this particular bug, because it’s a design flaw,” Kaminsky said in an interview. “It shows up in everyone’s network, but the fix is a design fix that doesn’t point directly at what we’re improving.” After peer review it was deemed this was indeed a huge deal, and even the original developer of BIND (the DNS software in question) urged everyone to patch. “It took a couple of hours to find the bug,” said Kaminsky, “and a couple of months to fix it.” Kaminsky said he stumbled across the hole in the so-called DNS system for steering people to the websites they are seeking “by complete and total accident.” Smaller DNS flaws have been used before to “poison” the servers that send people to the numerical address of the website name they enter. [...] “This is about the integrity of the Web, this is about the integrity of e-mail,” Kaminsky said. “It’s more, but I can’t talk about how much more.” So learning more about that exploit will be very interesting, and should lead to more people investigating and deploying DNSSEC, a DNS option built with security in mind from the ground up. So there’s that, but now there’s something even more fun because it deals with a company’s lack of openness in regards to their security methods. A talk at Black Hat yesterday was scrubbed at the last minute by folks over in marketing at Apple.
It seems that they blocked the scheduled presentation that was, “…to give an inside look at the ultra-secretive company’s security response team. “Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,” a Black Hat organizer told IDG News.” This is unfortunate for Apple, who are reeling after a week of beatings in the ‘blogosphere’ over their handling, or non-handling, of their update for the DNS flaw we mentioned above! “Apple’s policy of saying next to nothing about how it goes about protecting its users from escalating threats is, to say the least, unfortunate. Just last week, the company said it had patched its software from a serious flaw in the net’s address lookup system. Three days after two separate researchers warned Mac clients are still vulnerable to the flaw, Apple hasn’t uttered a word, an omission that generates confusion and doubt in those who depend on the vendor. Apple’s tight-lipped policy.” Come on Apple, you preach about how you’re ‘Open Source’, but then continue along the path of the old school hide and seek ways. Hell, people are already pointing out how their methods are less open than Microsoft’s in releasing information about security. What are they so afraid of? Ah, but we’ll learn more come Thursday, I’ll be in Vegas for my third Defcon and can’t wait. Watch for updates here, or more timely ones over at our Twitter profile.
Reasons to use a web proxy in a production environment
NOTE: at work I installed a web proxy to separate internal user traffic from external traffic hitting our production servers. While I’m not part of the network team, they asked me to do this because of my prior experience and interest in such things. The idea of this was to be a temporary fix until they get a new line installed providing greater bandwidth, but my argument is for the continuation of this segmentation even after the new line is installed. Below is a slightly sanitized version of my arguments for this. Note that my thoughts and comments are driven by years of running networks, thus it is something I care about and have spent years thinking about, so it is wordy. I’d be very happy to discuss this, or other solutions, via the comments below because I never want to stop learning.
I’d like to share my thoughts as to why I think the network is better served with keeping internal traffic and public traffic separate. Regardless of if you use the existing web proxy server, or another one with different network topology, I care less about the tool, and more about making the network and user experience better for both internal and external users.
Use a safer browser!

If anything, that should be the message to all Internet surfers out there. This graphic shows the danger, the percentage of users who have their browsers at their most secure, in regards to patches/updates being applied. Clearly people running IE aren’t going through the trouble of updating, while Firefox has updates built in that you can even automate. Another thing to keep in mind is plugins; Firefox has millions of those, and now it takes care of keeping those updated, and disabling ones that aren’t. So just from a software security point of view, Firefox is just a no-brainer. The report concludes with, “Although Web browser users wish perfect software that will never have any exploitable software vulnerabilities, the nearest they can realistically hope for is that any vulnerabilities are promptly fixed by the software vendors and instantly applied to their browser. Critical to this instantaneous patching process is the mechanism of auto-update. Our measurement confirmed that Web browsers which implement an internal autoupdate patching mechanism do much better in terms of faster update adoption rates than those without.”
Security researcher Dan Kaminsky
Dan Kaminsky is a 7 year veteran of Black Hat and Defcon in Vegas, and he was pretty much a fixture when I was there last year. His performance during Friday night’s TCP/IP drinking game was hilarious, and his talk the next morning even more so. This year he’s presenting info on the under-addressed issues dealing with Web 2.0 and its inherent insecurity. “He’s looking at design bugs, which he cautions are not the same as pure vulnerabilities: “The system is doing exactly what it was built to do… People expect it to authenticate silently, and have a port open for everyone. But they don’t expect the bad guy to use it to do something malicious.” He worries about DNS rebinding, an example of a design flaw that can have serious consequences if manipulated nefariously. “I’m working on code that, if you come to my Website, I get to treat your browser as a VPN concentrator and browse your corporate network — with whatever magic IPsec credentials your machine has, incidentally.” Hmmm…interesting stuff for sure, and not something most web designers are thinking of as they write some more JavaScript to make a button draggable on the client’s homepage. I go to Defcon to hear thoughts and ideas like his, to learn from some very smart people that make me think in ways I never have before. I found a nice example on his site from a talk at Black Hat he did last year, taking a look at different ideas on how to rethink patterns in order to recognize data flows. He shows how different files, music, data and even written documents give up their internal structure when viewed using DotPlots to visualize patterns within. Seeing how we can recognize patterns better than a string of HEX makes sense, but he presents very interesting/thought provoking examples. Very cool stuff, see ya tomorrow in Vegas.
Defcon15: new variant of Evil Twin to be revealed
Defcon is almost here, and now I have a highlight planned for Saturday: AirTight Networks will be revealing a new variant of Evil Twin. Evil Twin has been known about longer than I was aware; basically it’s someone running a laptop in a wifi hotspot (like a coffee shop) that impersonates the hotspot’s access point (AP) so that unknown customers connect there instead of the real hotspot. After that it’s up to the attacker’s imagination, but the best ploy would be to pass packets along to the real hotspot, while logging everything that the customer sends/receives via wifi. AirTight will, “…reveal the discovery of a more potent variant of Evil Twin (which Airtight has labeled MultiPot) against which the prevalent defenses, in particular deauth based session containment, are totally ineffective. A demonstration of MultiPot threat will be provided at the end of the presentation“. Wow, this is going to be cool, hopefully they’ll include some code for the ’sploit so I can do a proof of CONcept on it. Wifi security is going to become a bigger and bigger problem to focus on as more and more people get wireless (and leave their router unsecured at home…hello?)
All your data are belong to Microsoft
In another scary move, Microsoft is behind a recent patent for an “advertising framework” that appears to be little more than an adware application on steroids. Coupled with another patent that aims to use “context data” from your hard drive to show you advertisements and “apportion and credit advertising revenue” to ad suppliers in real time. … The application, filed in 2006, describes a multi-faceted, robust ad-delivering system that lives on a “user computer, whether it’s part of the OS, an application or integrated within applications.” “Applications, tools, or utilities may use an application program interface to report context data tags such as key words or other information that may be used to target advertisements,” says the filing. “The advertising framework may host several components for receiving and processing the context data, refining the data, requesting advertisements from an advertising supplier, for receiving and forwarding advertisements to a display client for presentation, and for providing data back to the advertising supplier.” The adware framework would leave almost no data untouched in its quest to sell you stuff. It would inspect “user document files, user e-mail files, user music files, downloaded podcasts, computer settings, computer status messages (e.g., a low memory status or low printer ink),” and more.” If that’s not bad enough, read on…
Apache server lockdown challenge
One of my favorite things about being a Linux admin is the ability to specify how things are going to be executed on the servers. I’ve been running the Apache web server for over 10 years now (since 1997), so setting up a new environment is no big deal, but I wanted to take it farther and cut as much out of a base install as possible, while still having it do what I need. I started with a Google search and a blank file for my httpd.conf, and went from there. Some background, since this is a work project I have a few constraints. First, we’re running on Red Hat Enterprise Server 4 with some pretty beefy hardware. Also, currently we ARE NOT building from source (something I usually do on my own Apache instances) since we’re still working out support options, which limits what we can do down to the almighty httpd.conf. I’ve trimmed down my conf at home, but since we have a smaller and more specific set of tasks for Apache here, I wanted to trim it down to the bone. So far I’ve gone through the Apache Security site, where I found their chapter on Installation and configuration especially helpful. I followed their suggestion of starting httpd.conf as a blank file. Later I ran my newly created conf through an Apache 2.0 Hardening Guide, and even combed through the Apache HTTP Server Module guide to be sure I wasn’t using anything extraneous. Now I’m being a bit idealistic with this config I know, but again, it’s for a specific purpose, and I don’t need to worry about many other factors that would cloud the waters as far as providing more options. I’ve taken out any specific modules that need to be loaded as part of my work so as not to confuse things, but I’ve left in our token variables (those that start with a T_) that get substituted just before install, so the question is, is there anything else I could cut back on? Also, is there anything missing that could lock things down further that doesn’t need to be installed separately? (i.e., I’m not going to be installing mod_security…yet, but I’d like to). Read on to see my current ‘locked down’ config, all suggestions and (constructive?) criticisms appreciated.
TJX breach total: over 45.7 million card numbers stolen
I reported on this earlier, but only now are we learning the scope of the breach. “At least 45.7 million credit and debit card numbers were stolen by hackers who broke into the computer systems at the TJX Cos. in Framingham and the United Kingdom and siphoned off data over a period of several years, making it the biggest breach of personal data ever reported, according to security specialists. TJX, the Framingham discounter that operates the T.J. Maxx and Marshalls clothing chains, also reported in a regulatory filing yesterday that another 455,000 customers who returned merchandise without receipts had their personal data stolen, including drivers’ license numbers. ‘It’s the biggest card heist ever,’ said Avivah Litan, vice president of Gartner Inc. ‘This was obviously done over a long period of time, in many locations. It’s done considerable damage.’” There’s been news that the cards have been used for months now, and now Consumerist covers the ongoing *how did this happen* question. “TJMaxx computer system intruders who stole 45.7 million credit cards. The worm operated undetected for at least 18 months, capturing credit card numbers, then changing timelogs and moving data around to erase its tracks. Initial speculation suggested that the thieves had access to the retailer’s encryption key. Now it may be that the program captured data before it was encrypted. If the latter, the ramifications are immense, as it means every single retailer’s credit card processing system is at risk.“
mod_security rules to prevent WordPress 2.1.1 attack
Anyone hosting a WordPress 2.1.1 install should upgrade or immediately prevent access to certain queries to prevent an attack described here. If the server is running Apache with mod_security, simply update your httpd.conf with the following rules:
<IfModule mod_security.c>
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:412"
# RULES: Prevent Wordpress 2.1.1 attack
# http://wordpress.org/development/2007/03/upgrade-212/
SecFilter "ix="
SecFilter "iz="
[...]
</IfModule>
And then restart Apache. Note that while this is an effective temporary workaround, upgrading is recommended. Also, any install *other* than 2.1.1 is not affected.
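An added example, not part of the original post: the two SecFilter lines above match `ix=` and `iz=` as substrings, so a log review shows both which earlier requests carried those parameters and which legitimate URLs the workaround would also deny. The Python sketch below runs over constructed log lines; the paths, addresses and parameter values are made up, and treating SecFilter as a plain substring search on the request target is a simplification.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Mar/2007:10:01:22 -0500] "GET /blog/?ix=1 HTTP/1.1" 200 512 "-" "ExampleAgent/1.0"
198.51.100.7 - - [03/Mar/2007:10:02:10 -0500] "GET /blog/index.php?prefix=news&page=2 HTTP/1.1" 200 8301 "-" "ExampleAgent/1.0"
198.51.100.7 - - [03/Mar/2007:10:02:15 -0500] "GET /blog/?p=42 HTTP/1.1" 200 9120 "-" "ExampleAgent/1.0"
192.0.2.10 - - [03/Mar/2007:10:03:40 -0500] "POST /blog/index.php?cat=3&iz=1 HTTP/1.1" 200 77 "-" "ExampleAgent/1.0"
203.0.113.5 - - [03/Mar/2007:10:04:02 -0500] "GET /blog/?quiz=7 HTTP/1.1" 200 4410 "-" "ExampleAgent/1.0"
this line is not an access log entry
"""

# Client address, timestamp, method, request target and status of one entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# The two filter keywords from the post, applied as an unanchored search.
BROAD_FILTER = re.compile(r"ix=|iz=")

# Parameter names the filters are meant to catch.
EXACT_NAMES = {"ix", "iz"}


def classify(line):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = m.group("target")
    # Parse the query string so that only whole parameter names are compared.
    names = {name for name, _ in
             parse_qsl(urlsplit(target).query, keep_blank_values=True)}
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "target": target,
        "status": int(m.group("status")),
        "broad": bool(BROAD_FILTER.search(target)),   # would be denied (412)
        "exact": bool(names & EXACT_NAMES),           # really carries ix / iz
    }


def scan(log_text):
    """Split parsed entries into real parameter hits and filter-only matches."""
    hits, collateral = [], []
    for line in log_text.splitlines():
        entry = classify(line)
        if entry is None:
            continue  # unparseable line: skip rather than guess
        if entry["exact"]:
            hits.append(entry)
        elif entry["broad"]:
            collateral.append(entry)
    return hits, collateral


if __name__ == "__main__":
    hits, collateral = scan(SAMPLE_LOG)
    print("Requests carrying an ix/iz parameter (review these hosts):")
    for e in hits:
        print(f"  {e['ts']}  {e['ip']}  {e['method']} {e['target']} -> {e['status']}")
    print("Legitimate-looking requests the substring filter would also deny:")
    for e in collateral:
        print(f"  {e['ts']}  {e['ip']}  {e['method']} {e['target']}")
```

Requests in the first group that were answered with status 200 before the rules went in are the ones to follow up on; the second group shows why the workaround should be dropped once the upgrade is done.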
Somebody set up us the bomb
In this day and age security is often OVER emphasised in the guise of erring on the side of caution (cue pictures of shoeless passengers muddling through security checkpoints). I know people will say ‘better safe than sorry’, but when things like this happen, it makes you question if any of this is making us any safer. “iPod prompts airport scare in Ottawa – A suspicious package found in an aircraft washroom on a flight from Chicago on Tuesday afternoon brought out Ottawa police canine and bomb-disposal units. [...] The plane landed safely and was isolated away from the terminal. Passengers were taken off the plane and questioned by police while experts investigated the ‘package.’ Police issued a statement Tuesday evening saying the suspicious package ‘has been identified as an electronic device commonly known as an iPod.’ ” That’s the brief overview, but the story gets much better since the suspect was a World Of Warcraft player who was on his way to meet a friend he had met in the game, but never in person; a facet that only served to magnify his suspicious behavior. I don’t want to spoil any of it, so for the full story you need to read the full/detailed forum post from the ’suspect’ — which I’ve mirrored below. Enjoy.
FBI lost 160 laptops in last 44 months
A new report tells us that the FBI has lost 160 laptops in the last 44 months! “Perhaps most troubling,” says the report, “the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information. Such information may include case information, personal identifying information, or classified information on FBI operations.” Laptops can also contain goodies like the software that the FBI uses to make its identification badges, a copy of which was installed on a laptop stolen from the Boston Field Office in July 2002.“ If the FBI doesn’t keep records of what’s installed on their laptops, how can we expect or trust the private sector to secure customer data? Think about all the websites that have your name/address/etc, and then think of their employees taking their laptops home that may/may not have hooks in to ’secret’ data…
1-31-07 Never Forget!
UPDATE: goldenfiddle.com has great coverage of the image, and its use as a tshirt design; it looks like this is really going to happen!
“…Cause we are the Aqua Teen (Hunger Force)!” As for all of the knee-jerk reactionaries in Boston that brought on this craziness (which didn’t happen in the other 8 cities this PROMOTION, NOT HOAX was set up in), I only have to say this, “we are not bombs” (credit goes to some dude on Digg.com that proposed this for a tshirt – hey, I’d buy one). For the two that got caught in this dragnet, props for giving the best press conference on 70’s hairstyles I’ve ever seen. More on this as soon as I talk to Fry Lock, meatwad, Carl and Mastershake (in that order) to get their side of this. Oh, and you can see the trailer for the movie that this was supposed to promote, here.
Volume of spam increased 147% in 2006
These are just amazing statistics that the volume of spam increased 147% in 2006 and that 94% of all email in December was spam! The primary reasons are armies of zombie computers “botnets” (that are hijacked due to users’ inability to protect their systems from malware) all ready to send out a distributed attack from anywhere; mail servers are helpless. Plus the problem is going to get worse because not only, “…the rising volume of spam that’s a problem, but the size of the spam messages. Because botnets use stolen bandwidth, spammers can send files of any size at no cost. And that’s just what they’re doing. In order to defeat content filters that might block their messages, spammers are increasingly using images. The result is that unsolicited bulk e-mail is getting bulkier. The 147% increase in spam that Postini observed in 2006 resulted in a 334% increase in e-mail processing requirement for companies. “This is causing the e-mail infrastructure of many businesses to melt down,” says Druker. “Nobody budgeted for four-and-a-half times more infrastructure capacity in one year.“
stolen TJX data being used for fraud
As a follow up to TJX Companies data breach reveals credit card data, it’s now been confirmed that customer data stolen HAS been used to make fraudulent debit card and credit card purchases “…in the United States and overseas, the Massachusetts Bankers Association said Wednesday. The fraudulent purchases have been made in Florida, Georgia, and Louisiana, and overseas in Hong Kong and Sweden, the association said.“
TJX Companies data breach reveals credit card data
Ah, nothing new, just another big corporation leaking credit card and issuers personal data. “The TJX Companies, a large retailer that operates more than 2,000 retail stores under brands such as Bob’s Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, said on Wednesday that it suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad. The company does not know the extent of the breach, which was first discovered in December 2006. However, hackers may have made off with credit and debit information from transactions in the United States, Canada and Puerto Rico in 2003 as well as transactions between May and December 2006, according to a company statement. [...] In the end, the hack may affect a wide range of credit card companies and thousands of consumers in America and in countries like the United Kingdom and Ireland, experts say.” I fail to understand how this could have been happening since 2003 — and then again for half of this past year! We need more detail, but again, how could this go on for so long? Why is this happening? It’s always the weakest link in the chain, but we need to know what it is so it can be plugged (so a new breach can appear later). A losing battle? Me thinks online payment and CC only transactions are only making things worse thanks to security that is bought by a company, instead of developed and understood in house. Seems like a good time to check back in with our friendly updated list, A Chronology of Data Breaches, which has already been updated with this recent fun.
mod_security for Apache
I’ve worked with mod_security before, but now it’s running on this webserver, as I’ve just seen a ton of crap being thrown at the server. Webservers are just a good target, they’re out there and they usually ‘just work’ so most people don’t keep on top of them. Plus, plenty of crafted URLs can do funny POST or GET commands and cause trouble, or worse, expose a system that is vulnerable to SQL injection attacks. Since I last looked into mod_security they’ve been acquired, which explains the marketing verbiage they list:
ModSecurity is an embeddable web application firewall. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. It is also an open source project that aims to make the web application firewall technology available to everyone.
But yeah, as long as it stays Open Source, I won’t complain (that much). So this goes steps beyond earlier IDS (intrusion detection system) like Snort, since with mod_security it is set up to do one thing; to protect Apache from being attacked. Of course you can place rules to block all sorts of stuff, to redirect requests, to watch for malformed URLs and even run within a chrooted environment. This is good stuff, and it’s very simple to get the basics up and running via this howto. From there monitor your modsec.log file and adjust accordingly. I can see this being very useful to large environments that run Apache, hopefully I’ll be able to integrate some of this at my new position.
Choicepoint: lessons learned
I’m very interested in Data security, and with more and more information being collected daily, it’s going to be more of an issue in the future. Here, the name synonymous with data loss, Choicepoint, covers lessons learned since their big incident. Sounds like they have some good things in place, let’s hope this model is mirrored by others before breaches and not after. And speaking of, be sure to review this great site at Privacy Rights, “A Chronology of data breaches since the Choicepoint incident”, an ongoing tally of loss of data. So much for not writing down your password…
Personal info more likely to be stolen from the Government than hacked
More Private Data Is Burgled From Government Than Hacked. While the news aims to spread fear that ‘hackers’ are going to steal your identity, numbers show that they really should be fearful of our government. “America’s universities admit that, in the first half of 2006, they let a million Social Security numbers slip through their fingers. Accountants, banks and brokerages have proven themselves to be half as competent at protecting your critical data, conceding to more than 1.9 million lost SSNs. And the health care industry fares even worse: 2.4 million. But the King of Data Giveaways, with over 40 million Social Security numbers stolen in just six months, is your government… local, state and federal. The raw data from Privacy Rights Clearinghouse’s latest report bears me out.” I remember seeing that list sometime last year, but that it’s still out there, and being added to regularly, is proof that this is going to continue to get worse before it gets any better. Time for the government to take things a bit more seriously in terms of security.
‘Do not email’ registries for children
In July, two states will open up an ‘opt-out’ list to prohibit sending commercial email to children’s email addresses which are registered. “New state laws in Michigan and Utah will prohibit sending commercial email to children’s email addresses which are registered with the states’ new ‘Do not email’ lists. Officials in both states have confirmed that their new registry web pages for parents — websites where parents and guardians can soon make their kids’ email addresses off limits to email marketers — will be activated this month. Michigan’s registry is scheduled to be available July 1 at Michigan.gov, and Utah’s website will debut its registry a few weeks later. These are the first states to start their own ‘Do not email’ registries. Nationally, the option of starting a national “Do not email” list was explored following the signing of the federal Can-Spam act in 2003, but such a list was deemed impractical and never materialized. … Michigan’s Darnoi is confident that his state’s child registry will survive initial criticism. The registry even has the endorsement of the state’s chapter of the American Civil Liberties Union.” It’s certainly a new reality for parents these days, how to control access to the unregulated internet. While this kind of protection is a good start, teaching them to be cautious by default is the long term solution. Time to create some more email aliases…


Hillary is being crowned the ‘come from behind kid’ after ‘winning’ the New Hampshire primary; but this appears to be nothing but spin. First of all the results, Hillary took 39% of the popular vote to Barack’s 37%, so Hillary wins, right? Not exactly, if you look at the delegate count you’ll see a different picture. Remember, people can win the popular vote and lose the election (Gore). From the article/discussion on

EFF’s SSD (Surveillance Self-Defense) Project
Know your rights!
Dec 02, 2009 | Categories: commentary, geek | Tags: digital rights, drm, eff, encryption, hacker, IP, law, online privacy, privacy, security