Recently in Security Category

For years, people have wondered if Microsoft has built in backdoors for law enforcement. China created its own Linux distribution for government use. There have been instances of police using off-the-shelf monitoring tools for investigations, installing them in court-sanctioned "black bag jobs."

Now, the good folks at Ars Technica reveal Microsoft proudly crowing over its latest achievement: a (built-in) back door into Windows and the tools to open it!

Microsoft revealed its development of a digital forensic analysis toolkit at a security conference yesterday as part of a wider discussion of how technology can be used to fight crime. The Computer Online Forensic Evidence Extractor, or COFEE for short, is a USB thumb drive that contains software capable of executing approximately 150 separate commands. Once plugged in, COFEE can be ordered to decrypt system passwords, display a history of internet activity, and search the system for evidence.

That loud anguished crying sound you heard is a million IT managers' heads exploding. Why? This thing has been available "to law enforcement" since last June.

Here's a question: what company in its right mind that has any requirement for confidentiality would buy software from a software company that sells decryption and password cracking tools for its own operating system? Isn't that almost advertising how poor your software's built-in security is? Security extends beyond malware protection. It also means that if you build doors and install locks, you should install a good lock. In this case, you're being sold a foam core with a skeleton key.

I would expect a surge in Apple enterprise sales. In their zeal to be helpful and combat computer crime, this may be a shocking case of corporate suicide. They thought people were reluctant to buy Vista now? They'll be shipping XP for a very, very long time, I believe.
Posted to Bad Business Ideas | Microsoft | Security

The Washington Post reports today that a laptop containing "sensitive medical information" on more than 2,500 patients in an NIH study was stolen last month, potentially exposing seven years' worth of data, including names, diagnoses and heart scans, to... people who would want to bore themselves to death reading that kind of thing.

What is more interesting is that the Post reports that the data on the laptop was not encrypted, a clear violation of Government security policies. And to think I was worried about Google Health.

Here's a question. Why is this data, which is supposed to be encrypted and kept under the highest confidentiality and security, kept on a laptop computer which any bloke could simply walk away with? I don't know about you, but if I wanted to keep data secure, I'd keep it on an encrypted external hard disk, which I'd disconnect and keep under lock and key when not in use, with the keys on a separate flash drive under separate lock and key.

It's great that the Government requires patient data to be encrypted, but that doesn't do me much good if the machine it is encrypted on is readily accessible, and the keys aren't secured somewhere else.

At least they're learning...

Nabel, in her statement, said that since the NIH incident, "we are ensuring" that all the institute's laptop computers are encrypted and that staff members will be required to take regular computer security training. She also said "patient names, other identifying information, or identifiable medical information" will no longer be stored on laptop computers.

Posted to Health Care | Security

Some quick dispatches from Congress Daily PM:

The European Union threatened to lodge a complaint at the World Trade Organization over U.S. laws that prohibit gambling Web sites, saying the rules may break global rules by discriminating against companies based in the bloc, Bloomberg News reported. U.S. authorities have targeted European companies for operating gaming sites, said the European Commission, which today announced an investigation into the U.S. practice. The United States has not taken action against domestic companies that offer similar services, said the commission, the European Union's executive arm. "The U.S. has the right to address legitimate public policy concerns relating to Internet gambling, but discrimination against EU companies cannot be part of the policy mix," EU Trade Commissioner Peter Mandelson said in a statement. The U.S. law banning Americans from wagering on gaming Web sites was ruled illegal by the WTO in 2004.

Please note: The Poker Player's Alliance has retained former Senator Alfonse D'Amato (R-NY) as their top lobbyist. The former "Senator Pothole" has taken quite an interest in the issue, so expect this to become an issue, if not in this Congress, then in the 111th.

Next, Joe Barton (R-TX), along with John McCain (R-AZ), is quietly trying to kill off the Universal Service Fund, which provides phone service to all Americans, by "capping" the amount it can raise from long distance access fees, as well as changing the source of its funding to individual consumers, making it a political hot potato. CongressDaily's David Hatch reports:

House Energy and Commerce ranking member Joe Barton, R-Texas, one of the fiercest critics of the $7 billion universal service program, is quietly drafting legislation to permanently cap the federal fund, which subsidizes telecom and Internet connections for citizens, hospitals, libraries and schools in rural- and low-income areas. Committee staffers said the bill is intended to spark debate and influence any legislative action on the topic in 2009 after a new administration takes control. They did not provide a timeframe for the measure's introduction. Barton is preparing his bill as the FCC grapples over revisions to the fund and Energy and Commerce Telecommunications and the Internet Subcommittee Chairman Edward Markey, D-Mass., plans hearings later this year on revamping universal service.

The FCC is seeking to impose a temporary cap, but Barton would go further with a permanent ceiling, a move certain to draw the ire of the fund's many proponents on Capitol Hill, particularly on the Senate Commerce Committee. Nevertheless, some prominent lawmakers have championed the idea. In 2006, Sen. John McCain, R-Ariz., a former Senate Commerce chairman and now the presumptive GOP presidential nominee, co-authored an amendment that would have capped a key portion of the fund assisting rural carriers. It was eventually withdrawn amid wrangling over the issue.

Get Angry.

Next up, I'll have a report on the "Cyber Security" panel I'm in, including an interview with a crackpot "child safety" advocate.
Posted to Censorship | Congress | DC | FCC | Politics | SXSW | Security

I have an RFID keyfob to get into my office. My apartment just installed them. Pretty soon, I'll need one to leave the country.

New passports issued by the United States have an electronic Radio Frequency ID chip in them containing, well, exactly what the passport says. This is supposedly to help prevent forgeries and keep customs lines moving, since it's easier to hold an RFID chip to a reader than to scan a barcode. Really.

Naturally, privacy advocates are still outraged, because with the right technology, any idiot can sit on top of a building in a foreign country with a high-powered RFID reader, a sniper rifle, and start picking off Americans one by one. Or, he could just steal your identity.

The Government has responded by including some metal in the passport cover so it can't be read while closed. Still, some are wrapping theirs in foil. What's even more troubling is that under new "security" procedures, you'll need a passport to enter the country by land if you're driving in from Canada. More links on this later, but I had so much trouble getting my building's front door to unlock with our new RFID tokens that I felt I had to say something about it.
Posted to All | Passports | Security | Travel