Snooping costs could put UK ISPs out of business

BBC Online story.

“Extensive snooping laws could put internet service providers out of business, an expert has warned.

Tim Snape, an influential member of the Internet Service Providers’ Association (ISPA), said the law would drive up costs.

He was speaking at ISPCON, a conference for the internet industry held in London this week.”

More extensions of the DMCA

Wired story.

“The DMCA was intended to protect copyright owners who took technical steps to ‘lock up’ their content,” said von Lohmann. “But Sony PlayStation 1 games are not locked up. There is no encryption on these game CDs. That’s not stopping Sony from invoking the DMCA against PlayStation 1 mod chips. I guess when you’ve got the big hammer of the DMCA, everything starts looking like a nail.”

John Casey, writing in the Daily Telegraph about the late Princess Margaret, says: “There have been no really juicy royal scandals since the early 19th century and George IV, which is why the press has had to make what it could out of marriage break-ups – experienced by about a third of the married population anyway – occasional gaffes, and a few cases of minor royals exploiting their status to earn an honest thousand or two.”
Seems that the good Dr. Casey somehow missed out the Abdication of a reigning monarch in the 1930s, not to mention said ex-monarch’s infatuation with the Nazis.

Remember Oracle’s ludicrous ads about their ‘unbreakable’ database product? Bruce Schneier was predictably unimpressed:
‘Last November, Oracle started touting its security with an “Unbreakable” ad campaign and the slogan: “Oracle9i. Unbreakable. Can’t break it. Can’t break in.” This was a ludicrous claim then, but I decided to wait until it was actually broken before writing about it.

Well, it’s been broken. In several places. Using some pretty basic attacks. Unbreakable, it’s not.

On the one hand, I (and most people reading this newsletter) always knew that. We knew that the claims were exaggerated. We knew that the Oracle marketing department was lying. But it’s a sad commentary on the state of security discourse that Oracle wasn’t immediately laughed out of the room. Oracle9i won’t ever be unbreakable, unless the company makes some major changes in the way they design and develop software.

On the other hand, maybe it’s not just hubris. Maybe Oracle management actually believed that their product was unbreakable. Maybe they’re that clueless about security. If that’s the case, the problems run deeper than they look. The problem with believing your product is unbreakable is that you don’t bother to secure it in depth. If you think your walls are impenetrable, you’re not going to bother with guards and alarms and anything else. This is the case with Oracle9i. The attacks completely take over the database. Once the attacker has broken the “unbreakable” security, there’s nothing else to stop him.

In their backpedaling, Oracle has said that “unbreakable” didn’t mean what normal people take the word to mean. Oracle’s security chief, Mary Ann Davidson, claims that the campaign “speaks to” fourteen independent security evaluations that Oracle’s database server passed. This, to me, is the real story here. What good is a security evaluation, what good are FOURTEEN different security evaluations, if none of them can catch something as trivial as a buffer overflow? Security is hard. Think of a chain; any single weak link can break the chain. Buffer overflows are an obvious link: easy to avoid, easy to test for, easy to fix. Catching all buffer overflows doesn’t make your software secure; it’s the price of admission. The hard stuff is really hard.

So, I tried to find the fourteen independent security evaluations. I wanted to make fun of them: “Look at the fourteen security evaluations that don’t even guarantee buffer-overflow-free code.” Unfortunately, I could only find five: TCSEC, ITSEC, Common Criteria, Russian Criteria, and FIPS 140-1. Oracle marketing turned five into fourteen by counting multiple levels of TCSEC and ITSEC as independent security evaluations, and counting identical evaluations of different Oracle products as independent security evaluations. I don’t know about you, but when I hear “fourteen different,” I don’t think it means “five different, some of them multiple times with different products or different levels.” Seems like Oracle has trouble with math as well as with English.

“Unbreakable” has a meaning. It means that it can’t be broken. It doesn’t mean “Unbreakable, except by people who know how to break things.” It doesn’t mean “Passes five or so questionable security evaluations, but is still vulnerable to buffer overflows.” I don’t care who Larry Ellison is; he can’t rewrite the dictionary.’

Bill Gates did a cameo appearance in tonight’s Frasier. He comes on to Frasier’s radio show ostensibly to be interviewed by the host, but the switchboard is immediately deluged with callers wanting to talk to Gates about XP, multi-media players etc. — and of course Billg delightedly takes them on, leaving Frasier fuming at having been thus sidelined. Neat!

One of my favourite monthly reads is Bruce Schneier’s Newsletter. The current issue contains some robustly perceptive observations on what Microsoft needs to do if it really wants to take security seriously. For example:

“One of the simplest, strongest, and safest models is to enforce a rigid separation of data and code. The commingling of data and code is responsible for a great many security problems, and Microsoft has been the Internet’s worst offender. Here’s one example: Originally, e-mail was text only, and e-mail viruses were impossible. Microsoft changed that by having its mail clients automatically execute commands embedded in e-mail. This paved the way for e-mail viruses, like Melissa and LoveBug, that automatically spread to people in the victims’ address books. Microsoft must reverse the security damage by removing this functionality from its e-mail clients and many other of its products. This rigid separation of data from code needs to be applied to all products.”
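To make the data/code separation concrete, here is an added example (written for this post, not code from Schneier's newsletter or from any Microsoft product) of a mail reader that parses a message purely as data and never executes anything in it. It builds a constructed LoveBug-style message with a script hidden behind a double extension, then classifies each attachment by the extension the shell would actually honour and flags the disguise. The executable-extension list is an assumption for illustration, not an exhaustive one.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions that Windows shells and mail clients of the Melissa/LoveBug era
# would execute on open. Assumed list for this example, not exhaustive.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".reg",
}


def build_sample_message() -> bytes:
    """Constructed sample (not a real capture): a LoveBug-style message
    whose attachment hides a script behind a double extension."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    # Declared as harmless text, but the trailing .vbs is what the shell runs.
    msg.add_attachment(
        b'MsgBox "this would run"\r\n',
        maintype="text",
        subtype="plain",
        filename="LOVE-LETTER-FOR-YOU.TXT.vbs",
    )
    return msg.as_bytes()


def classify_filename(filename: str) -> dict:
    """Decide, from the name alone, whether an attachment is code or data.
    Only the final extension matters: 'x.txt.vbs' runs as VBScript."""
    name = os.path.basename(filename or "")
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()
    return {
        "filename": name,
        "extension": ext,
        "executable": ext in EXECUTABLE_EXTENSIONS,
        # A second extension in front of an executable one is the classic
        # disguise ("TXT.vbs"); flag it explicitly for the user.
        "double_extension": bool(inner_ext) and ext in EXECUTABLE_EXTENSIONS,
    }


def inspect_message(raw: bytes) -> dict:
    """Parse a message as data only. Nothing here is ever executed; the
    result is a report the client renders and the user acts on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    report = {
        "subject": str(msg["Subject"]),
        "body_text": body.get_content() if body is not None else "",
        "attachments": [],
        "blocked": [],
    }
    for part in msg.iter_attachments():
        info = classify_filename(part.get_filename())
        info["declared_type"] = part.get_content_type()
        # Declared text/* but named as a script: the name, not the MIME type,
        # is what a double-clicking user gets, so treat the part as code.
        info["type_mismatch"] = (
            info["executable"] and part.get_content_maintype() == "text"
        )
        report["attachments"].append(info)
        if info["executable"]:
            report["blocked"].append(info["filename"])
    return report


if __name__ == "__main__":
    for att in inspect_message(build_sample_message())["attachments"]:
        print(att)
```

The point of the design is that the reader has no code path that hands message content to an interpreter: attachments are classified and reported, and the worst a hostile message can do is appear in the "blocked" list. The class of bug Schneier describes arises only when the client adds such a path.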

Great column by Dan Gillmor on the way the entertainment industry is increasingly treating everyone as a thief.

“If the business people who rule the entertainment industry had been as powerful 25 years ago as they are today, you’d be breaking the law if you set your videocassette recorder to tape your favorite Olympic event for later viewing. The VCR, assuming the entertainment industry would have allowed a manufacturer to sell it, would not have a fast-forward button because it would let you skip through the commercials without viewing them.

As for tape recorders, you would not have been able to make a copy of the music you just bought so you could play it in your car.”