February 11, 2004
Virus Alert From A Friend Of Mine

This just in from a tech buddy of mine.

I'm not trying to cause alarm, but if you're running Windows, how about you kinda drop everything you're doing and install the latest Microsoft security updates real quick, so you'll be prepared when this latest security hole is inevitably exploited.


Microsoft has yet another very serious security flaw that gives anyone with the right know-how total access to your computer. I don't know all the details - but it might be the biggest one yet. If you remember the SoBig virus last fall - this one will be similar in that it doesn't require you to get email for you to be attacked or hacked.

I say "will be" because right now there is no virus. But the flaw is there and it will be a matter of days before someone writes a virus to take advantage of the flaw. And - your anti-virus software will have no effect. Microsoft has posted a patch and that is how you protect yourself - download and install that patch.

Here's the link to Microsoft's Windows Update:

http://windowsupdate.microsoft.com

I am also asking that those of you who have blogs and newsletters and high traffic web sites post this warning on your front page and include it in your newsletters. The best defense to this virus is to stop it before it begins. As you all know - this virus will affect non-Windows users in that the new viruses turn Windows computers into spam robots and we are still getting the bounce messages from the last virus. Let's see if we can stop this before it starts by first - patch your computer now - then - tell everyone to patch theirs. You can cut and paste this warning into your blog or newsletter.

Posted by Lisa at 08:10 AM
October 27, 2003
Bruce Schneier On Why Computer Profiling Sucks (Ahem. Why It's Ineffective At Catching Terrorists)

Security God Bruce Schneier explains why computer profiling as a preventative measure for detecting potential terrorists just doesn't work. At all.


Terror Profiles By Computers Are Ineffective

By Bruce Schneier for Newsday.


Even those who say that terrorists are likely to be Arab males have it wrong. Richard Reid, the shoe bomber, was British. Jose Padilla, arrested in Chicago in 2002 as a "dirty bomb" suspect, was a Hispanic-American. The Unabomber had once taught mathematics at Berkeley. Terrorists can be male or female, European, Asian, African or Middle Eastern. Even grandmothers can be tricked into carrying bombs on board. One problem with profiling is that, by singling out one group, it ignores the other groups. Terrorists are a surprisingly diverse group of people.

There's also the other side of the trade-off: These kinds of "data mining" and profiling systems are expensive. They are expensive financially, and they're expensive in terms of privacy and liberty. The United States is a great country because people have the freedom to live their lives free from the gaze of government, because people are not deemed suspects for possible future crimes based on extensive surveillance sweeps. We as a people believe profiling is discriminatory and wrong.

I have an idea. Timothy McVeigh and John Allen Muhammad - one of the accused D.C. snipers - both served in the military. I think we need to put all U.S. ex-servicemen on a special watch list, because they obviously could be terrorists. I think we should flag them for "special screening" when they fly and think twice before allowing them to take scuba-diving lessons.

What do you think of my idea? I hope you're appalled, incensed and angry that I question the honesty and integrity of our military personnel based on the actions of just two people. That's exactly the right reaction. It's no different whether I suspect people based on military service, race, ethnicity, reading choices, scuba-diving ability or whether they're flying one way or round trip. It's profiling. It doesn't catch the few bad guys, and it causes undue hardship on the many good guys who are erroneously and repeatedly singled out. Security is always a trade-off, and in this case of "data mining" the trade-off is a lousy one.



Here is the full text of the article in case the link goes bad:

http://www.newsday.com/news/opinion/ny-vpsch213503428oct21,0,3927478.story

Terror Profiles By Computers Are Ineffective

By Bruce Schneier
Bruce Schneier is chief technical officer of Counterpane Internet Security Inc. in Sunnyvale, Calif., and author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World."

October 21, 2003

In September 2002, JetBlue Airways secretly turned over data about 1.5 million of its passengers to a company called Torch Concepts, under contract with the Department of Defense.

Torch Concepts merged this data with Social Security numbers, home addresses, income levels and automobile records that it purchased from another company, Acxiom Corp. All this was to test an automatic profiling system to automatically give each person a terrorist threat ranking.

Many JetBlue customers feel angry and betrayed that their data was shared without their consent. JetBlue's privacy policy clearly states that "the financial and personal information collected on this site is not shared with any third parties." Several lawsuits against JetBlue are pending. CAPPS II is the new system designed to profile air passengers - a system that would eventually single out certain passengers for extra screening and other passengers who would not be permitted to fly. After this incident, Congress has delayed the entire CAPPS II air passenger profiling system pending further review.

There's a common belief - generally mistaken - that if we only had enough data we could pick terrorists out of crowds, and CAPPS II is just one example. In the months after 9/11, the FBI tried to collect information on people who took scuba-diving lessons. The Patriot Act gives the FBI the ability to collect information on what books people borrow from libraries.

The Total Information Awareness program was intended to be the mother of all "data-mining" programs. Renamed "Terrorism Information Awareness" after the American public learned that their personal data would be sucked into a giant computer system and searched for "patterns of terrorism," this program's funding was killed by Congress last month.

Security is always a trade-off: How much security am I getting, and what am I giving up to get it? These "data-mining" programs are not very effective. Identifiable future terrorists are rare, and innocents are common. No matter what patterns you're looking for, far more innocents will match the patterns than terrorists because innocents vastly outnumber terrorists. So many that you might as well not bother. And that assumes that you even can predict terrorist patterns. Sure, it's easy to create a pattern after the fact; if something identical to the 9/11 plot ever happens again, you can be sure we're ready. But tomorrow's attacks? That's much harder.

Even those who say that terrorists are likely to be Arab males have it wrong. Richard Reid, the shoe bomber, was British. Jose Padilla, arrested in Chicago in 2002 as a "dirty bomb" suspect, was a Hispanic-American. The Unabomber had once taught mathematics at Berkeley. Terrorists can be male or female, European, Asian, African or Middle Eastern. Even grandmothers can be tricked into carrying bombs on board. One problem with profiling is that, by singling out one group, it ignores the other groups. Terrorists are a surprisingly diverse group of people.

There's also the other side of the trade-off: These kinds of "data mining" and profiling systems are expensive. They are expensive financially, and they're expensive in terms of privacy and liberty. The United States is a great country because people have the freedom to live their lives free from the gaze of government, because people are not deemed suspects for possible future crimes based on extensive surveillance sweeps. We as a people believe profiling is discriminatory and wrong.

I have an idea. Timothy McVeigh and John Allen Muhammad - one of the accused D.C. snipers - both served in the military. I think we need to put all U.S. ex-servicemen on a special watch list, because they obviously could be terrorists. I think we should flag them for "special screening" when they fly and think twice before allowing them to take scuba-diving lessons.

What do you think of my idea? I hope you're appalled, incensed and angry that I question the honesty and integrity of our military personnel based on the actions of just two people. That's exactly the right reaction. It's no different whether I suspect people based on military service, race, ethnicity, reading choices, scuba-diving ability or whether they're flying one way or round trip. It's profiling. It doesn't catch the few bad guys, and it causes undue hardship on the many good guys who are erroneously and repeatedly singled out. Security is always a trade-off, and in this case of "data mining" the trade-off is a lousy one.

Posted by Lisa at 11:55 AM
October 23, 2003
The EFF Asks: Who Controls Your Computer?

The EFF released the following advisory a while ago. The concerns still stand.
Check it out.


EFF Reports on Trusted Computing

San Francisco - The Electronic Frontier Foundation (EFF) on Thursday published a landmark report on trusted computing, a technology designed to improve security through hardware changes to the personal computer.

The report, entitled "Trusted Computing: Promise and Risk," maintains that computer owners themselves, rather than the companies that provide software and data for use on the computer, should retain control over the security measures installed on their computers. Any other approach, says the report's author Seth Schoen, carries the risk of anti-competitive behavior by which software providers may enforce "security measures" that prevent interoperability when using a competitor's software.

"Helping computer owners defend their computers against attacks is progress in computer security, but treating computer owners themselves as the bad guys is not," said Schoen. "Security architectures must be designed to put the computer owner's interests first, not to lock the owner into the plans of others."

Links:

For the full press release


EFF report: "Trusted Computing: Promise and Risk"


EFF companion commentary: "Meditations on Trusted Computing"


CNET story about the EFF report


Posted by Lisa at 07:37 AM
July 10, 2003
Microsoft's Trusted Computing PCs Trust Everyone But You

A Safer System for Home PC's Feels Like Jail to Some Critics
By John Markoff for the NY Times.

In an effort to retain the original open PC environment, the Microsoft plan offers the computer user two separate computing partitions in a future version of Windows. Beyond changing the appearance and control of Windows, the system will also require a new generation of computer hardware, not only replacing the computer logic board but also peripherals like mice, keyboards and video cards...

"This will kill innovation," said Ross Anderson, a computer security expert at Cambridge University, who is organizing opposition to the industry plans. "They're doing this to increase customer lock-in. It will mean that fewer software businesses succeed and those who do succeed will be large companies."

Critics complain that the mainstream computer hardware and software designers, under pressure from Hollywood, are turning the PC into something that would resemble video game players, cable TV and cellphones, with manufacturers or service providers in control of which applications run on their systems.

In the new encrypted computing world, even the most mundane word-processing document or e-mail message would be accompanied by a software security guard controlling who can view it, where it can be sent and even when it will be erased. Also, the secure PC is specifically intended to protect digital movies and music from online piracy.

But while beneficial to the entertainment industry and corporate operations, the new systems will not necessarily be immune to computer viruses or unwanted spam e-mail messages, the two most severe irritants to PC users.

"Microsoft's use of the term 'trusted computing' is a great piece of doublespeak," said Dan Sokol, a computer engineer based in San Jose, Calif., who was one of the original members of the Homebrew Computing Club, the pioneering PC group. "What they're really saying is, 'We don't trust you, the user of this computer.'"


Here is the full text of the article in case the link goes bad:

http://www.nytimes.com/2003/06/30/technology/30SECU.html

June 30, 2003

A Safer System for Home PC's Feels Like Jail to Some Critics

By JOHN MARKOFF

SAN FRANCISCO, June 29 - Your next personal computer may well come with its own digital chaperon.

As PC makers prepare a new generation of desktop computers with built-in hardware controls to protect data and digital entertainment from illegal copying, the industry is also promising to keep information safe from tampering and help users avoid troublemakers in cyberspace.

Silicon Valley - led by Microsoft and Intel - calls the concept "trusted computing." The companies, joined by I.B.M., Hewlett-Packard, Advanced Micro Devices and others, argue that the new systems are necessary to protect entertainment content as well as safeguard corporate data and personal privacy against identity theft. Without such built-in controls, they say, Hollywood and the music business will refuse to make their products available online.

But by entwining PC software and data in an impenetrable layer of encryption, critics argue, the companies may be destroying the very openness that has been at the heart of computing in the three decades since the PC was introduced. There are simpler, less intrusive ways to prevent illicit file swapping over the Internet, they say, than girding software in so much armor that new types of programs from upstart companies may have trouble working with it.

"This will kill innovation," said Ross Anderson, a computer security expert at Cambridge University, who is organizing opposition to the industry plans. "They're doing this to increase customer lock-in. It will mean that fewer software businesses succeed and those who do succeed will be large companies."

Critics complain that the mainstream computer hardware and software designers, under pressure from Hollywood, are turning the PC into something that would resemble video game players, cable TV and cellphones, with manufacturers or service providers in control of which applications run on their systems.

In the new encrypted computing world, even the most mundane word-processing document or e-mail message would be accompanied by a software security guard controlling who can view it, where it can be sent and even when it will be erased. Also, the secure PC is specifically intended to protect digital movies and music from online piracy.

But while beneficial to the entertainment industry and corporate operations, the new systems will not necessarily be immune to computer viruses or unwanted spam e-mail messages, the two most severe irritants to PC users.

"Microsoft's use of the term 'trusted computing' is a great piece of doublespeak," said Dan Sokol, a computer engineer based in San Jose, Calif., who was one of the original members of the Homebrew Computing Club, the pioneering PC group. "What they're really saying is, 'We don't trust you, the user of this computer.'"

The advocates of trusted computing argue that the new technology is absolutely necessary to protect the privacy of users and to prevent the theft of valuable intellectual property, a reaction to the fact that making a perfect digital copy is almost as easy as clicking a mouse button.

"It's like having a little safe inside your computer," said Bob Meinschein, an Intel security architect. "On the corporate side the value is much clearer," he added, "but over time the consumer value of this technology will become clear as well" as more people shop and do other business transactions online.

Industry leaders also contend that none of this will stifle innovation. Instead, they say, it will help preserve and expand general-purpose computing in the Internet age.

"We think this is a huge innovation story," said Mario Juarez, Microsoft's group product manager for the company's security business unit. "This is just an extension of the way the current version of Windows has provided innovation for players up and down the broad landscape of computing."

The initiative is based on a new specification for personal computer hardware, first introduced in 2000 and backed by a group of companies called the Trusted Computing Group. It also revolves around a separate Microsoft plan, now called the Next Generation Secure Computing Base, that specifies a tamper-proof portion of the Windows operating system.

The hardware system is contained in a set of separate electronics that are linked to the personal computer's microprocessor chip, known as the Trusted Platform Module, or T.P.M. The device includes secret digital keys - large binary numbers - that cannot easily be altered. The Trusted Computing Group is attempting to persuade other industries, like the mobile phone industry and the makers of personal digital assistants, to standardize on the technology as well.

The plans reflect a shift by key elements of the personal computer industry, which in the past had resisted going along with the entertainment industry and what some said they feared would be draconian controls that would greatly curtail the power of digital consumer products.

Industry executives now argue that by embedding the digital keys directly in the hardware of the PC, tampering will be much more difficult. But they acknowledge that no security system is perfect.

The hardware standard is actually the second effort by Intel to build security directly into the circuitry of the PC. The first effort ended in a public relations disaster for Intel in 1999 when consumers and civil liberties groups revolted against the idea. The groups coined the slogan "Big Brother Inside," and charged that the technology could be used to violate user privacy.

"We don't like to make the connection," said Mr. Meinschein. "But we did learn from it."

He said the new T.P.M. design requires the computer owner to switch on the new technology voluntarily and that it contains elaborate safeguards for protecting individual identity.

The first computers based on the hardware design have just begun to appear from I.B.M. and Hewlett-Packard for corporate customers. Consumer-oriented computer makers like Dell Computer and Gateway are being urged to go along but have not yet endorsed the new approach.

How consumers will react to the new technology is a thorny question for PC makers because the new industry design stands in striking contrast to the approach being taken by Apple Computer.

Apple has developed the popular iTunes digital music store relying exclusively on software to restrict the sharing of digital songs over the Internet. Apple's system, which has drawn the support of the recording industry, permits consumers to share songs freely among up to three Macintoshes and an iPod portable music player.

Apple only has a tiny share of the personal computer market. But it continues to tweak the industry leaders with its innovations; last week, Apple's chief executive, Steven P. Jobs, demonstrated a feature of the company's newest version of its OS X operating system called FileVault, designed to protect a user's documents without the need for modifying computer hardware.

Mr. Jobs argued that elaborate hardware-software schemes like the one being pursued by the Trusted Computing Group will not achieve their purpose.

"It's a falsehood," he said. "You can prove to yourself that that hardware doesn't make it more secure."

That is not Microsoft's view. The company has begun showing a test copy of a variation of its Windows operating system that was originally named Palladium. The name was changed last year after a trademark dispute.

In an effort to retain the original open PC environment, the Microsoft plan offers the computer user two separate computing partitions in a future version of Windows. Beyond changing the appearance and control of Windows, the system will also require a new generation of computer hardware, not only replacing the computer logic board but also peripherals like mice, keyboards and video cards.

Executives at Microsoft say they tentatively plan to include the technology in the next version of Windows - code-named Longhorn - now due in 2005.

The company is dealing with both technical and marketing challenges presented by the new software security system. For example, Mr. Juarez, the Microsoft executive, said that if the company created a more secure side to its operating system software, customers might draw the conclusion that its current software is not as safe to use.

Software developers and computer security experts, however, said they were not confident that Microsoft would retain its commitment to the open half of what is planned to be a two-sided operating system.

"My hackles went up when I read Microsoft describing the trusted part of the operating system as an option," said Mitchell D. Kapor, the founder of Lotus Development Corporation, and a longtime Microsoft competitor. "I don't think that's a trustworthy statement."

One possibility, Mr. Kapor argued, is that Microsoft could release versions of applications like its Office suite of programs that would only run on the secure part of the operating system, forcing users to do their work in the more restricted environment.

Microsoft denies that it is hatching an elaborate scheme to deploy an ultra-secret hardware system simply to protect its software and Hollywood's digital content. The company also says the new system can help counter global cybercrime without creating the repressive "Big Brother" society imagined by George Orwell in "1984."

Microsoft is committed to "working with the government and the entire industry to build a more secure computing infrastructure here and around the world," Bill Gates, Microsoft's chairman, told a technology conference in Washington on Wednesday. "This technology can make our country more secure and prevent the nightmare vision of George Orwell at the same time."

The critics are worried, however, that the rush to create more secure PC's may have unintended consequences. Paradoxically, they say, the efforts to lock up data safely against piracy could serve to make it easier for pirates to operate covertly.

Indeed, the effectiveness of the effort to protect intellectual property like music and movies has been challenged in two independent research papers. One was distributed last year by a group of Microsoft computer security researchers; a second paper was released last month by Harvard researchers.

The research papers state that computer users who share files might use the new hardware-based security systems to create a "Darknet," a secure, but illegal network for sharing digital movies and music or other illicit information that could be exceptionally hard for security experts to crack.

"This is a Pandora's box and I don't think there has been much thought about what can go wrong," said Stuart Schechter, a Harvard researcher who is an author of one of the papers. "This is one of those rare times we can prevent something that will do more harm than good."

Posted by Lisa at 12:18 PM
December 03, 2002
Some Constructive Suggestions Towards Stopping Identity Theft

Here's a nice article about the subject that isn't just trying to scare you, and actually tries to answer the question "What can really be done about it?":
Some Simple Solutions to Identity Theft
Credit agencies must be more vigilant. A first step: quickly and routinely alerting consumers that their credit histories have changed
By Alex Salkever for BusinessWeek.


Most of the damage could easily have been prevented if the credit agencies adopted the common-sense practice of directly notifying individuals whenever a change on his or her report occurs, and whenever a third party accesses their credit report. Yes, it might cost the credit agencies more in overhead. But credit agencies spread such costs around to customers, banks, car dealerships, and others that pay to access consumer credit ratings. How hard is that?

This criminal case has many security experts worried because it points up some glaring weaknesses in credit reporting. Your credit information -- in effect, your financial identity -- can easily be stolen by alert thieves with access to sensitive information. Yet, credit agencies don't share with individuals what's going on with their credit reports -- unless consumers ask. This anomaly will become a national economic issue as identity theft grows.


Here is the full text of the entire article in case the link goes bad:

http://www.businessweek.com/technology/content/nov2002/tc20021127_4748.htm

NOVEMBER 27, 2002

COMMENTARY
By Alex Salkever

Some Simple Solutions to Identity Theft
Credit agencies must be more vigilant. A first step: quickly and routinely alerting consumers that their credit histories have changed

So it has come to this. On Nov. 25, federal prosecutors charged three men with operating an identity-theft ring that had stolen credit reports of more than 30,000 people -- the largest case in history. The defendants include a computer help-desk employee at a Long Island software outfit who had access to sensitive passwords for banks and credit companies. The ring allegedly emptied bank accounts, took out loans with stolen identities, and ran up fraudulent charges on credit cards.

The most appalling part of the whole mess? Most of the damage could easily have been prevented if the credit agencies adopted the common-sense practice of directly notifying individuals whenever a change on his or her report occurs, and whenever a third party accesses their credit report. Yes, it might cost the credit agencies more in overhead. But credit agencies spread such costs around to customers, banks, car dealerships, and others that pay to access consumer credit ratings. How hard is that?

GLARING HOLES. This criminal case has many security experts worried because it points up some glaring weaknesses in credit reporting. Your credit information -- in effect, your financial identity -- can easily be stolen by alert thieves with access to sensitive information. Yet, credit agencies don't share with individuals what's going on with their credit reports -- unless consumers ask. This anomaly will become a national economic issue as identity theft grows.

That's the bad news. The good news is that the solution is pretty simple. Tighten up internal handling of credit information, while making individual reports even more transparent to consumers -- in real time if possible, with password-protected access, just like banks and other financial institutions.

Truth is, identity theft remains more an offline problem. Someone steals your mail. A restaurant worker double-swipes your credit card. That's theft, pure and simple, and not the stuff of a national crisis. But when identity thieves get sophisticated and use the power of the digital revolution to leverage their operations, such fraud could become massive. Many financial institutions pull thousands of credit reports each day. And most of them have Web access to credit reports. So if a thief were able to score a password from a big bank, it would be fairly simple to write a computer program allowing someone to log in with the bank's ID and download thousands of these reports in a heartbeat.

INEXCUSABLE RESISTANCE. Identity theft's direct cost is already considerable -- police estimated that the latest ring defrauded victims of at least $2.7 million, and investigators aren't done counting. Indirect costs could be even higher in lost productivity. If the problem isn't checked, many thousands of victims over the next decade will have to take on the equivalent of a second full-time job cleaning up their credit histories. This latest case had 30,000 victims -- that's the size of Cisco Systems' workforce.

Consumers can now pay between $70 and $80 a year to receive timely e-mail updates of any activity on their credit report. An important step toward fuller disclosure, yes, but more should be done. There are three main credit agencies today -- TransUnion, Equifax, and Experian. As anyone trying to get a credit card these days can attest, credit approvals and denials are coming faster and faster thanks to high-speed data links.

A savvy thief could do a lot of damage by applying for a credit card or loan and using a report through, say, TransUnion, but not Equifax or Experian. Even if you're paying Equifax for the updates, you might not find out until it's too late. Yet, the three credit agencies have resisted creating a unified format to allow consumers to easily observe changes in any of the three profiles. If credit agencies won't act, then the federal government should step in and mandate changes.

Then, there's the issue of snail mail vs. e-mail for notifying consumers of suspicious activity involving their credit history. More than half the U.S. population now has an e-mail address, and such correspondence is free. The rest of the country could be contacted via regular mail -- an expensive process, but one that should be considered a cost of doing business.

On their Web sites, each of the three credit-reporting agencies should offer to send consumers an e-mail notification whenever their credit reports change. They could even charge a nominal fee for the service. The fees that Equifax and Experian now charge for timely updates are way too high. This shouldn't be a profit center. In the Digital Age, this should be a universally available service, just like a dial tone.

SECURING ACCESS. As I have pointed out in past columns, American Express provides an ideal model. Whenever someone makes an account change, Amex sends a letter informing its customer of it. If the customer changes address, Amex sends a letter to both the old and the new addresses. That would tip off a customer to any untoward changes. Applied to e-mail, the same principle works beautifully. Yet credit agencies don't collect e-mail addresses. That, too, should change. All credit agencies would have to do is send out letters to consumers requesting their e-mail address. A consumer response would be voluntary.

None of this is to say the credit-reporting outfits aren't concerned. Equifax played a major role in helping to break up the Long Island identity-theft ring. After years of consumer complaints and government prodding, they're allowing individuals easier access to their credit histories than ever before. But the age of ubiquitous connectivity and high-speed information movement means high-speed identity crime will likely become more damaging. The best way to combat this scourge is by making access to credit histories tougher for thieves -- and easier for individuals.


Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column.
Edited by Douglas Harbrecht

Posted by Lisa at 02:20 PM
October 23, 2002
War Driving Has Become Outdated - Time for Peace Driving

How nice to see an article come clean with the real reason for all this fuss about Wardriving: to sell people an overpriced solution.


But to computer-security experts, "war-driving" has turned into a marketing opportunity. Past war drives embarrassed a number of companies, and in preparation for the big event this weekend, some of these experts have been pitching their services.

This week, for example, International Business Machines Corp. has been urging sales representatives to warn corporate clients of the need to secure their wireless networks. The merchandising tie-in: Your network can be safeguarded by an IBM security service that goes for $15,000 to $30,000.

However, it was still rather sad to see the rest of the usual inaccurate bullshit about Wardriving that is always included in these articles.

Hackers target wireless networks
By William M. Bulkeley

Hopefully I'll have time to clarify this puppy in greater detail over the weekend -- it really, really needs to be done. While explaining this whole concept of taking connectivity without asking for it -- they're leaving out the payback:
free universal connectivity!

So yeah, some guy walking down the street can get his email with his PDA while he walks by my house FOR FREE! And I can do the same while I'm walking by his house. How cool is that!?

Or how'd you like to check your email/surf the web while you're waiting for the Bus (that's always late), or waiting for that band to come on, or waiting to hear about that one business deal while you're in the waiting room about to make another. All that kind of stuff can happen cheaply -- in a way that everyone can afford -- using community wireless networks.

And your schools and libraries all have connectivity because it's just there.

This universal connectivity is what this kind of paranoid propaganda is fighting against. They want us to have to pay somebody for it somewhere, every time we connect, every time we use a different device, every time we access an application even.

If we work together, we can just pay what we're already paying for at home and have easy wireless connectivity away from home, when we often need it most for whatever device we have around at the time, wherever we happen to find ourselves.

If big business wants to provide a wireless network that's cheaper and easier to use, let it. It will have to charge reasonable prices however, if it has community networks competing with it.

We don't need a World Wide Wardriving day -- every day is World Wide Wardriving Day. We need a better word for it -- one without "war" in it.
Perhaps that was the first mistake.

Or perhaps a community-based movement has evolved since then --
a Peace Driving movement.

Perhaps I've said too much :-)

Here is the text of the article in case the link goes bye bye:


http://www.msnbc.com/news/824622.asp?cp1=1
Hackers target wireless networks
Worldwide 'war drive' set for Saturday
By William M. Bulkeley


Oct. 23 - Technology sophisticates who specialize in exposing corporate-security lapses will orchestrate a world-wide "war drive" to strut their stuff Saturday.

IN 25 LOCALES in seven countries from Alberta, Canada, to New Zealand, they plan office-building drive-bys armed with laptops, radio scanners and antennas, aiming to intercept signals from the ever-spreading wireless networks used to connect corporate computers with each other and the Internet.

For many of the hacker types who will participate, war driving is a benign electronic scavenger hunt meant to alert companies and others to unprotected wireless access points that can leave owners vulnerable to spying or sabotage.

MARKETING OPPORTUNITY

But to computer-security experts, "war-driving" has turned into a marketing opportunity. Past war drives embarrassed a number of companies, and in preparation for the big event this weekend, some of these experts have been pitching their services.

This week, for example, International Business Machines Corp. has been urging sales representatives to warn corporate clients of the need to secure their wireless networks. The merchandising tie-in: Your network can be safeguarded by an IBM security service that goes for $15,000 to $30,000.

In London, risk experts at the British affiliate of accountants KPMG LLP have developed a fake wireless network called a "honeypot" that was announced at a security conference in Paris last week. It's a countermeasure designed to attract and record unauthorized wireless-access efforts -- in effect, alerting network owners that they are being homed in on by war drivers or other unauthorized people. The firm hopes that the honeypot will enable it to sell more of the security services it offers through its consulting arm. Among the services: a team of "tame hackers" who attempt, under contract with the owners, to break into financial-service-company networks to expose risks.

Another company tuned into war driving is Guardent Inc., a Waltham, Mass., computer-security firm that offers monthly assessments of its customers' networks to spot rogue access points. "We make sure people are aware" of the war drive because it shows the need for vulnerability analysis, says Jonas Hellgren, director of product management at Guardent. But he adds that focusing only on the event isn't as valuable as a continuing sales effort.

War driving bedevils security types partly because it is so cheap and easy to do. Drivers amble around with a directional antenna sometimes fashioned from a coffee or potato-chip can. Their software of choice, called NetStumbler, comes free on the Web and detects the low-level radio waves coming out of wireless-network access points.

War drivers say their goal is to publicize the need for network owners to change their passwords. But people with knowledge of the location of an unprotected wireless network can also use it for free Web surfing, or to send out e-mail messages or junk mail known as spam without disclosing their identities. With more sophisticated hacking, people could use the wireless gateway as an entry point to corporate networks, security experts say.

In a related activity, called "war-chalking," participants make chalk marks on sidewalks or building fronts to signal the availability of access points. One widely used symbol for an open access point looks like this: )(. Knowing such locations permits people with laptops to avoid paying for Internet access.

In its letter to customers, IBM notes that "war driving participants generally map unsecured access points as a hobby." But it warns "since your company has a great deal invested in intellectual capital, reputation, and stakeholder trust, it makes sense to take appropriate steps to avoid unnecessary exposure."


'MORE PARANOID'

War driving was christened two years ago by Peter Shipley, a Berkeley, Calif., data-security consultant, who named it with a nod to the "war-dialing" exploits of hackers who use phone lines in their efforts to penetrate corporate computer networks. Mr. Shipley, who isn't involved in the current war drives, says that in urban areas there are now so many wireless access points that mapping them is almost irrelevant. Still, he says, war driving has been making companies "more paranoid, which is what they should be."

War drivers generally need to be within 1,500 feet or less of an access point to detect it. NetStumbler is designed to pick up wireless access points in which the owner has failed to change the default Service Set Identifier that broadcasts its location for others on the network to find. According to various Web sites, popular home wireless networks made by Linksys Inc. use the default "linksys." For Cisco Systems Inc.'s more expensive corporate networks, the default password is "tsunami." Cisco declined to comment but said that extensive security capabilities are built into its wireless equipment.

John Girard, a security consultant with Gartner Group, Stamford, Conn., says war driving "is easy to do because people don't turn on security. They leave themselves exposed." But he says vendors are partly to blame. "The documentation people get is generally poor, and they're not motivated to figure it out."

According to the Web site worldwidewardrive.org, organizers with screen names such as Roamer, Big Ezy and Tapper are helping coordinate Saturday's drive. They either declined to comment or didn't return e-mails for this story.

This will be the second such organized effort, following one in August. War-drive Web sites feature maps showing unsecured access points, denoted by green circles along highways in such technology centers as Boston; the Silicon Valley and Orange County in California; and Barcelona, Spain. According to a table of statistics, nearly 30% of the access points found were using the default passwords.

Posted by Lisa at 09:13 AM
August 15, 2002
What the FBI Doesn't Get (About Wireless Security)

A week or two ago, the FBI got freaked out about wireless networks.

Their conclusions were confused, at best. Luckily, Paul Holman, Theodore Pham, Merin McDonell, and Skyler Fox had a nice mailing list thread to help put everything into perspective.

Thanks to Paul, Theodore, Merin, and Skyler for giving me permission to publish this email exchange intact.

(Theodore Pham) Say I forget my wallet containing my credit cards in a restaurant. Wardriving/warchalking is essentially posting a sign saying my wallet is sitting there out in the open and it contains credit cards. That signage in and of itself is NOT THEFT. But the moment someone uses my credit cards without my specific permission IS THEFT. My credit cards should NOT be considered a public resource just because I FORGOT to put my wallet back in my pocket out of public access.


(Merin McDonell) I think your wallet analogy is wrong. I think an apple tree is better. You have a nice big apple tree in your back yard and the apples fall in your neighbor's yard and in the alley. Is it a crime if people eat the apples that are on the ground and off your property? If you DON'T want anyone to eat any of the apples that grew on your tree, if for some reason you need all 347 apples, you could trim your tree so that all the branches end right on your property line and all of the apples would fall in your yard. Done.

Original letter sent out by FBI

From: Bill Shore [mailto:billshore@fbi.gov]
Sent: Monday, July 08, 2002 9:56 AM
To: billshore@fbi.gov
Subject: Wireless networks - Warchalking/Wardriving

It has recently been brought to my attention that individuals/groups
have been actively working in the Pittsburgh area as well as other
areas of the United States including Philadelphia, and Boston, and the
rest of the world for that matter, to identify locations where wireless
networks are implemented. This is done by a technique identified as
"Wardriving." Wardriving is accomplished by driving around in a vehicle
using a laptop computer equipped with appropriate hardware and software
http://www.netstumbler.com/ to identify wireless networks used in
commercial and/or residential areas. Upon identifying a wireless
network, the access point can be marked with a coded symbol, or
"warchalked." This symbol will alert others of the presence of a
wireless network. The network can then be accessed with the proper
equipment and utilized by the individual(s) to access the Internet,
download email, and potentially compromise your systems. In Pittsburgh,
the individuals are essentially attempting to map the entire city to
identify the wireless access points, see here,

http://mapserver.zhrodague.net/cgi-bin/mapserv?mode=browse&layer=all&layer=quadsheets&layer=borough&layer=roads&layer=ap&zoomdir=1&zoomsize=2&imgxy=458+165&imgext=-80.175489+40.268422+-79.733217+40.621536&map=%2Fmnt%2Fhog%2Fwebsites%2Fmapserver%2Fpublic_html%2Fpa%2Fpgh.map&savequery=true&program=%2Fcgi-bin%2Fmapserv&map_web_imagepath=%2Fmnt%2Fhog%2Fwebsites%2Fmapserver%2Fpublic_html%2Ftmp%2F&map_web_imageurl=%2Ftmp%2F&img.x=250&img.y=197.


Also, check this article from pghwireless.com,
http://www.pghwireless.com/modules.php?name=News&file=article&sid=19

Identifying the presence of a wireless network may not be a criminal
violation, however, there may be criminal violations if the network is
actually accessed including theft of services, interception of
communications, misuse of computing resources, up to and including
violations of the Federal Computer Fraud and Abuse Statute, Theft of
Trade Secrets, and other federal violations. At this point, I am not
aware of any malicious activity that has been reported to the FBI here
in Pittsburgh, however, you are cautioned regarding this activity if
you have implemented a wireless network in your business. You are also
highly encouraged to implement appropriate wireless security practices
to protect your information assets,
http://www.cert.org/research/isw/isw2001/papers/Kabara-31-08.pdf

There are several articles available with additional details
including http://www.warchalking.org as well as
http://www.pghwireless.com. A copy of the coding symbols is
attached in .pdf format. If you notice these symbols at your place of
business, it is likely your network has been identified publicly.

If you believe you may have been compromised or if you have any
questions regarding this activity, you are encouraged to contact the
appropriate law enforcement agency. The FBI office in Pittsburgh and
High Tech Crimes Task Force can be contacted at 412-432-4000.

Bill Shore
Special Agent
FBI-Pittsburgh
3311 East Carson Street
Pittsburgh, PA 15203
412-432-4395
billshore@fbi.gov

Letter from Paul Holman to Bill Shore

To: billshore@fbi.gov
From: Paul Holman <pablos@shmoo.com>
Subject: [XGEEKS] Wireless networks - Warchalking/Wardriving

Bill,

Blocking public access to a wireless access point is a simple matter
of configuration. While this measure will not provide a great deal
of security, it is enough to stop casual surveillance and abuse of
resources.

As both an active member of community wireless networking
initiatives, and an expert on internet security, I would encourage
the FBI, and all other entities to consider open access points as a
shared resource available to all. Anyone not wishing to share their
resources can easily prevent it using the various controls built into
all wireless access points.

Drawing the line here is both practical and rational. It requires no
further legislation, no technical development, and affords the
greatest flexibility for innovation and exploration of how we can all
benefit from wireless networking technology.

Please feel free to contact me with any questions about this
approach. If you're interested, I'm happy to expand on any aspect of
wireless network security.

Thanks,

pablos.
--
Paul Holman
The Shmoo Group
pablos@shmoo.com
415.420.3806


From: "Theodore Pham" <telamon@roguesolutions.com>
To: <dev@seattlewireless.net>, <billshore@fbi.gov>
Cc: <xgeeks@lists.soma.net>, <tsg@shmoo.com>, <dev@seattlewireless.net>
Subject: [XGEEKS] Re: Wireless networks - Warchalking/Wardriving

With all due respect Paul, I think you are missing the point.

NOT everyone who owns and operates a wireless network has the technical
savvy to understand the implications of the way they configure their
wireless equipment. The rapid growth and popularity of wireless networks
has been a direct result of the dropping prices of equipment and the ease
with which this equipment can be installed.

Being a wireless networking consultant in the Pittsburgh area, and having
experimented with Netstumbler to map out channel usage (for the purposes of
evaluating the feasibility of a shared, potentially commercial, wireless
network) I find that the majority of networks are set up with NO type of
public access blocking AND with the DEFAULT out of the box parameters. As a
reseller of wireless networking equipment, I find most of my customers have
LITTLE TO NO idea that by just plugging one of these boxes into their DSL or
cable line they are making their networks open to the world. They choose
wireless networking for the simplicity and aesthetic values.

The fact of the matter is that wireless equipment is connected to some type
of internet connection and that connection is paid for by the owner of the
wireless equipment. I have always been of the opinion that the use of any
resource I have NOT paid for or been given SPECIFIC PERMISSION to use is
THEFT.

Say I forget my wallet containing my credit cards in a restaurant.
Wardriving/warchalking is essentially posting a sign saying my wallet is
sitting there out in the open and it contains credit cards. That signage in
and of itself is NOT THEFT. But the moment someone uses my credit cards
without my specific permission IS THEFT. My credit cards should NOT be
considered a public resource just because I FORGOT to put my wallet back in
my pocket out of public access.

If you want to allow public access to your wireless network, then that is
your choice and I encourage you to post some signage indicating that fact.
And for your sake I would also post some terms of service for those who
would seek to use your wireless network for malicious purposes.

Sincerely,
Theodore Pham
Rogue Solutions


Subject: Re: [XGEEKS] Re: Wireless networks - Warchalking/Wardriving
From: "Merin McDonell" <merin@merin.net>
To: Theodore Pham <telamon@roguesolutions.com>
CC: xgeeks@soma.net

I'm not at all savvy about this kind of technical stuff, so in this case I
feel especially qualified to reply. I'm just a dumb user, however every
program I use has to be configured and you can choose whether or not you
have a password to access it. So...if I were to venture to set up a wireless
network, which I can't believe is so easy to install, I'd be sure to look at
the directions since it is, uh, wireless, and I get the concept that it
doesn't stop at the walls of my house.

I think your wallet analogy is wrong. I think an apple tree is better. You
have a nice big apple tree in your back yard and the apples fall in your
neighbor's yard and in the alley. Is it a crime if people eat the apples that
are on the ground and off your property? If you DON'T want anyone to eat any
of the apples that grew on your tree, if for some reason you need all 347
apples, you could trim your tree so that all the branches end right on your
property line and all of the apples would fall in your yard. Done.
______________________________________________________________________
* Merin McDonell * Graphic Designer * 415-826-3500 * mm@merin.net*


From: "skyler fox" <skyler_fox@hotmail.com>
To: <billshore@fbi.gov>
Cc: <xgeeks@lists.soma.net>, <tsg@shmoo.com>
Subject: Re: [XGEEKS] Re: Wireless networks - Warchalking/Wardriving


I find the argument that digital access, and the access to your wallet are
similar, quite confusing. In one case we are talking about a resource that
exists in time (access to the network) and in the other, access to a limited
and irreplaceable resource (your cash). Only in the most remote circumstances
will someone surfing the net on your wireless network translate into any
loss that you would be cognizant of. I understand that people pay money to
have DSL access in their home, I pay the current exorbitant rate myself. But
it would take a herd of hackers to impact the usage I put on the line. In
fact most times during the day, the system is idle. You could make the
argument, which the Telco industry would hate, that communal use of a single
DSL line makes more sense than over-amping a single house.

There is certainly no excuse for a corporate network to be exposed. Any
company that does not control its network, and computers is guilty of
malfeasance. It would be on the order of not locking the door.

You are right that most people are ignorant of what is necessary to protect
their line, but as we have seen all through the computer revolution, there
is a price to be paid for the power the computer gives you.

*****

Theodore,

I think you may have dropped this conversation already, but just in
case, I'll complete my discussion here. The crux of our disagreement is
where to draw the line on how you advertise/explain/discover/determine
policy. Based on the current state of the technology, and societal
issues in play, I'm suggesting that we draw the line where it is most
practical. If a wireless network is configured to allow association and
provide an internet connection, then it should be construed as something
intended to do that. You are actually advocating the same thing, but
with a "fail closed" social/legal policy rather than my "fail open"
approach. To make that happen, you want the burden to be on those
running free networks to advertise them as such. The current technology
doesn't cleanly support this, and I prefer the burden to be on those
running closed wireless networks to keep them that way. This is how it
works for web servers, and all the issues about what happens when things
go wrong are covered by legislation/policies/social norms that are out of
band from this issue.

Thanks for the discussion, I had been meaning to bring this issue up.

pablos.

On Monday, August 5, 2002, at 09:58 PM, Theodore Pham wrote:
>
> Again, you are confusing access to a resource with LEGAL USE of a
> resource. Yes, most web servers are meant to be a public resource and
> yes some block access to only authorized individuals. But consider what
> happens if Microsoft tomorrow accidentally posts a portion of the
> Windows XP source code on their website? Are you allowed to use it? Are
> you allowed to incorporate it into your products because you just
> happen to have gotten access to the code? If you park your car on a
> public road and leave it unlocked accidentally, is it legal for me to
> jump in and drive away with it? If someone hacks into an online store
> and posts their credit card database on the front page of the store, am
> I allowed to use the credit card numbers? ACCESS DOES NOT ENTITLE
> AUTHORIZED USE.
>
> It costs me money to have a SDSL line run into my house. And that SDSL
> line and the associated wireless network are a resource I OWN. If I
> wish to leave the whole dang network open for my ease of use, does the
> network still belong to me? YES. Does that give you the right to use my
> property without first asking me? NO. I might say yes, I'll kindly let
> you use this. Or no, I don't want you using my network. But in the end
> that is my decision and I don't waive that right just because I choose
> or forget to put a lock on it.
>
>> On wireless security:
>>
>> A typical wired network is wildly insecure, adding a wireless access
>> point with all the security features enabled (WEP, MAC auth, etc.)
>> would reduce security. So most APs are put outside a firewall. In this
>> case, association with the AP would provide internet access and nothing
>> more. Surveillance of the network does not require association. In a
>> typical home or office network that has no firewall, adding a wireless
>> AP for convenience without thinking of security will be a liability. I
>> contend that the security implications are not affected by whether
>> users associate and use the network connection. If the AP is unsecured,
>> your network is insecure, and no law can save you.
>
> Yes, not securing your network is a liability to the owner of the
> network. I'm not arguing that it isn't. I'm not arguing with you over
> security at all. But your statement is that ANY resource which IS NOT
> SPECIFICALLY restricted should become a public resource. This is where
> I think you miss the point. I believe the statement should be ANY
> resource SPECIFICALLY ADVERTISED as public should be considered a
> public resource. I don't think my attaching a wireless AP to my network
> and choosing NOT to secure or FORGETTING to secure it should be taken
> to mean I'm SPECIFICALLY ADVERTISING it as public.
>
>> On fixing security:
>>
>> Wireless networking equipment vendors should be lobbied to fix WEP,
>> implement captive portal (NoCatAuth) functionality, and enable these
>> features by default. Almost all of them have horrible management
>> tools, these should be drastically improved for usability.
>> Organizations concerned about security should learn that the issues on
>> wireless networks are the same as for wired networks, just magnified.
>> The same approach needs to be taken in order to make significant
>> security gains. Use strong authentication and encrypted protocols. WEP
>> doesn't count. VPNs, SSH & SSL do. Anything less will only serve to
>> give users a false sense of security.
>
> I agree. Any organization worried about its information should take
> the precautions to preserve and secure it commensurate with the value
> of the information. But again, I'm not arguing with you over how secure
> or insecure wireless is.
>
>> On free access:
>>
>> When you are walking or driving around, how often do you see a license
>> agreement posted to indicate where you can go? Probably never. You go
>> wherever you want because there are roads and paths that just happen to
>> be accessible. You don't know what is public and what is private land,
>> you just make reasonable guesses. If somebody doesn't want you on their
>> roads, or their property, then they post signs telling you not to go
>> there. Or gates and fences, or walls, maybe even towers with machine
>> guns. It turns out you can drive coast to coast, on almost any
>> continent, without reading a single license agreement that tells you
>> where you can go. You just avoid the ones that tell you where you can't
>> go. I'm fine with that. I'd like to have my internet access work the
>> same way.
>
> How often do you drive through someone's backyard on your way to work?
> Just because there isn't a fence there and just because your car is
> capable of driving over their lawn, do you? I don't see a sign that says
> DON'T DRIVE THROUGH MY LAWN posted, but I don't take that to mean that I
> can. In fact, I don't recall ever driving on a private road where I
> haven't done so INTENTIONALLY without permission of the owner or without
> paying a toll.
>
>> Lastly, it is important to understand that the current wireless
>> protocols have no mechanism for communicating their usage policy. The
>> way it works today, you wave your laptop around, connect to a network
>> and see if it works. Prior to that it is impossible to know if it is a
>> free network. Wardriving and Warchalking are legitimate ways to
>> find/test/use free wireless networks and we should keep it that way.
>
> I agree that wardriving and warchalking can be legitimately used to
> find/test/use wireless networks. But I think there must be some
> protocol established to contact the owner of the network in question
> and ask their permission BEFORE you go and ADVERTISE their network as
> freely accessible. I don't own your house, but just because I can see
> it and take photos of it, does that mean I can rent it out for a party
> or place it on the market for sale? Basically, if you want to use what
> possibly could be a public resource, EXPEND THE EXTRA EFFORT TO FIND OUT
> IF IT IS REALLY PUBLIC.
>
>> Thanks, pablos.
>>
>> Paul Holman deployed the first SeattleWireless Community Network link
>> <http://www.seattlewireless.net> and is a member of The Shmoo Group of
>> security, crypto & privacy professionals <http://www.shmoo.com>. The
>> Shmoo Group builds AirSnort for demonstrating the limitations of WEP
>> security and created the Global Access Wireless Database (GAWD), the
>> first online database of open wireless access points.
>>
>> On Monday, August 5, 2002, at 06:09 PM, Theodore Pham wrote:
>>
>>> With all due respect Paul, I think you are missing the point.
>>>
>>> NOT everyone who owns and operates a wireless network has the
>>> technical savvy to understand the implications of the way they
>>> configure their wireless equipment. The rapid growth and popularity of
>>> wireless networks has been a direct result of the dropping prices of
>>> equipment and the ease with which this equipment can be installed.
>>>
>>> Being a wireless networking consultant in the Pittsburgh area, and
>>> having experimented with Netstumbler to map out channel usage (for the
>>> purposes of evaluating the feasibility of a shared, potentially
>>> commercial, wireless network) I find that the majority of networks are
>>> set up with NO type of public access blocking AND with the DEFAULT out
>>> of the box parameters. As a reseller of wireless networking equipment,
>>> I find most of my customers have LITTLE TO NO idea that by just
>>> plugging one of these boxes into their DSL or cable line they are
>>> making their networks open to the world. They choose wireless
>>> networking for the simplicity and aesthetic values.
>>>
>>> The fact of the matter is that wireless equipment is connected to some
>>> type of internet connection and that connection is paid for by the
>>> owner of the wireless equipment. I have always been of the opinion
>>> that the use of any resource I have NOT paid for or been given
>>> SPECIFIC PERMISSION to use is THEFT.
>>>
>>> Say I forget my wallet containing my credit cards in a restaurant.
>>> Wardriving/warchalking is essentially posting a sign saying my wallet
>>> is sitting there out in the open and it contains credit cards. That
>>> signage in and of itself is NOT THEFT. But the moment someone uses my
>>> credit cards without my specific permission IS THEFT. My credit cards
>>> should NOT be considered a public resource just because I FORGOT to
>>> put my wallet back in my pocket out of public access.
>>>
>>> If you want to allow public access to your wireless network, then that
>>> is your choice and I encourage you to post some signage indicating
>>> that fact. And for your sake I would also post some terms of service
>>> for those who would seek to use your wireless network for malicious
>>> purposes.
>>>
>>> Sincerely,
>>> Theodore Pham
>>> Rogue Solutions
>>>
>>>
>>> ----- Original Message -----
>>> From: "Paul Holman" <pablos@shmoo.com>
>>> To: <billshore@fbi.gov>
>>> Cc: <xgeeks@lists.soma.net>; <tsg@shmoo.com>;
>>> <dev@seattlewireless.net>
>>> Sent: Monday, August 05, 2002 8:19 PM
>>> Subject: Wireless networks - Warchalking/Wardriving
>>>
>>>
>>>> Bill,
>>>>
>>>> Blocking public access to a wireless access point is a simple matter
>>>> of configuration. While this measure will not provide a great deal of
>>>> security, it is enough to stop casual surveillance and abuse of
>>>> resources.
>>>>
>>>> As both an active member of community wireless networking
>>>> initiatives, and an expert on internet security, I would encourage the
>>>> FBI, and all other entities to consider open access points as a shared
>>>> resource available to all. Anyone not wishing to share their resources
>>>> can easily prevent it using the various controls built into all
>>>> wireless access points.
>>>>
>>>> Drawing the line here is both practical and rational. It requires no
>>>> further legislation, no technical development, and affords the
>>>> greatest flexibility for innovation and exploration of how we can all
>>>> benefit from wireless networking technology.
>>>>
>>>> Please feel free to contact me with any questions about this
>>>> approach. If you're interested, I'm happy to expand on any aspect of
>>>> wireless network security.
>>>>
>>>> Thanks,
>>>>
>>>> pablos.
--
Paul Holman
The Shmoo Group
pablos@shmoo.com
415.420.3806


Posted by Lisa at 10:09 AM
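
An added example, not part of the original posts or the quoted e-mails: a defender-side audit of a site survey taken on your own premises, flagging the conditions raised in the article and the thread above (access points left on the default names "linksys" and "tsunami", links that are open or WEP-only, open access points sitting inside the firewall, and access points missing from the approved inventory). The CSV columns, the inventory, the severity weights and the -65 dBm cut-off are assumptions made for this example.

```python
import csv
import io
import re

# Factory-default network names quoted in the article reproduced on this page.
DEFAULT_SSIDS = {"linksys", "tsunami"}
# Assumed cut-off: an unknown AP heard at or above this level is probably on-site.
NEAR_DBM = -65
BSSID_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed inventory of approved access points: BSSID -> network placement.
INVENTORY = {
    "00:11:22:33:44:01": "outside-firewall",
    "00:11:22:33:44:02": "internal",
    "00:11:22:33:44:03": "internal",
}

# Constructed survey of your own premises; the column layout is an assumption,
# not the export format of any particular tool.
SAMPLE_SURVEY = """\
bssid,ssid,encryption,signal_dbm
00-11-22-33-44-01,guest,none,-48
00:11:22:33:44:02,linksys,none,-55
00:11:22:33:44:03,corp-wh,wep,-61
00:AA:BB:CC:DD:10,tsunami,none,-58
00:AA:BB:CC:DD:11,CoffeeShop,wep,-84
not-a-mac,x,none,-50
"""


def normalize_bssid(raw):
    """Lower-case a MAC address and accept '-' separators; None if malformed."""
    value = raw.strip().lower().replace("-", ":")
    return value if BSSID_RE.match(value) else None


def audit_row(row):
    """Return (severity, findings) for one surveyed access point."""
    bssid = normalize_bssid(row.get("bssid") or "")
    if bssid is None:
        return 1, ["unparseable-bssid"]  # never silently drop a row
    ssid = (row.get("ssid") or "").strip().lower()
    enc = (row.get("encryption") or "").strip().lower()
    try:
        signal = int(row.get("signal_dbm") or "")
    except ValueError:
        signal = None  # missing reading: treat the AP as distant
    placement = INVENTORY.get(bssid)
    severity, findings = 0, []

    if placement is None:
        # Not in the inventory: a strong signal suggests a device on our premises.
        near = signal is not None and signal >= NEAR_DBM
        findings.append("unauthorized-near" if near else "unauthorized-far")
        severity += 3 if near else 1
    if ssid in DEFAULT_SSIDS:
        findings.append("default-ssid")
        severity += 1
    if enc in ("", "none"):
        # An open AP outside the firewall exposes the internet link only;
        # the same AP on the internal LAN exposes the network behind it.
        if placement == "internal":
            findings.append("open-on-internal-lan")
            severity += 3
        else:
            findings.append("open")
            severity += 1
    elif enc == "wep":
        findings.append("wep-only")
        severity += 1
    return severity, findings


def audit_survey(csv_text):
    """Audit every row and return the flagged ones, most severe first."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        severity, findings = audit_row(row)
        if findings:
            raw = row.get("bssid") or ""
            results.append({"bssid": normalize_bssid(raw) or raw,
                            "ssid": row.get("ssid") or "",
                            "severity": severity, "findings": findings})
    return sorted(results, key=lambda r: (-r["severity"], r["bssid"]))


if __name__ == "__main__":
    for item in audit_survey(SAMPLE_SURVEY):
        print(item["severity"], item["bssid"], item["ssid"], ", ".join(item["findings"]))
```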
August 08, 2002
When DRM Goes Wrong You Get Palladium

Slashdot interviewed Ibiblio Director Paul Jones.

DRM is the general term for the groups of solutions to the need for creators to be compensated for their work while allowing their audience to easily access those works. Or at least that would be ideally what DRM should do.

When DRM goes wrong, it tramples on the rights of the citizens to have access to information that they have legally purchased, want to criticize, parody, legally reuse or share.

When DRM goes wrong, it creates barriers to innovation and creativity. It biases access and reproduction of information to only certain technologies.

When DRM goes wrong, it creates and perpetrates closed markets and monopolies.

When DRM goes wrong, everyone suffers. It takes us back to the Stationers Guild, a response to the printing press. "The Stationers Guild obtained monopoly rights in the printing and probably distribution of all books, a monopoly codified by the Tudors in a licensing system aimed at censoring religious dissent" which lasted until the early 1700s.

When DRM goes wrong, it is called Palladium.

The good news is that Palladium is vaporware - so far.

Posted by Lisa at 09:40 AM
May 18, 2002
E Development Platform Gets My Vote

For "turning the most heads" at the Etech conference last week.

Posted by Lisa at 04:42 PM
April 26, 2002
China Figures Out How To Spy in the Year 2002

I'm not saying this story is true (consider the source :-) -- but if it was true, China would sure be smart.

Why bother with all of the usual Double Agent hassles when you can just sit back and hack into the entire military industrial complex from the comfort of your own home?

See the LA Times story by Eric Lichtblau:
CIA Warns of Chinese Plans for Cyber-Attacks on U.S.

Posted by Lisa at 08:31 AM
April 17, 2002
Israel getting cyber-attacked

Israel's getting cyber-bullied while it's busy bullying Palestine:
Israel under hack attack.

Posted by Lisa at 09:31 AM
March 04, 2002
Major Security and Privacy Issues

Major Security and Privacy Issues on the Morpheus Network

The Morpheus network underwent two serious attacks last week. Users have only recently been allowed to reconnect to the network using the new Morpheus Preview Edition.

The explanation below is made up of excerpts from the statement published on the MusicCity website from Steve Griffin, the StreamCast/Morpheus CEO:

This week MusicCity and Morpheus users suffered dual attacks. First, early this week MusicCity's servers were hit by a massive Denial of Service attack. Soon thereafter, Morpheus users found that a separate attack had been launched on their computers and their Morpheus software programs.

It appears that the attacks included an encrypted message being repeatedly sent directly to your computers that changed registry settings in your computer. Later, it appears our ad servers were attacked resulting in messages being sent to other sites without our knowledge, which threatened our most basic revenue model. We believe some of these attacks continue as Morpheus users attempt to connect to the old Morpheus User Network. This was why it is important to quickly deploy our new software product...

...These attacks have forced us to more quickly deploy our new software product in order to allow you to bring the largest p2p community back together. Since it appears that the attack on your computers came from the closed proprietary FastTrack-Kazaa software, we have opted not to continue with this p2p kernel. We believe it to have the ability to access your computer at will and change registry settings. In addition, we remain committed to NOT bundling any spy ware with our product.

We are pleased to migrate to an open Protocol product with the release of Morpheus Preview Edition, which is based on the very large network of Gnutella users... Since our company and your p2p network are being attacked, we would appreciate your constructive comments for improvement, not simply criticisms. With your help and input, we will continue to provide the pre-eminent p2p software product in the world.

Lastly, we want to address some of the misinformation we've seen recently. There have been many comments that we caused these problems intentionally. Let me assure you that we would NEVER treat the Morpheus users in this fashion...

But WAIT, there's MORE (also from the Morpheus website):

BE CAREFUL WHERE YOU CLICK

A recent press statement announced that KAZAA/Sharman Networks has a new program that allows you to re-connect to the Kazaa/FastTrack Network. This new program is NOT endorsed by MusicCity and will NOT allow you to connect to the Morpheus/Gnutella P2P network. We find it interesting that someone sent a message to your computer earlier this week which prevented your Morpheus Software product from joining the network and now a new software installer suggests that it allows you to re-connect.

Meanwhile, according to LimeWire, unique users have reached an all-time high that was most likely caused by all of the Morpheus network's part-time users briefly connecting to the network in the course of installing the new software.

Posted by Lisa at 12:01 AM
September 19, 2001
Michael Moore On Security

Wow! Maybe security measures needed to be ramped up a little. Here's a piece from Michael Moore about the subject: Mike's Message 9/12/2001.

Posted by Lisa at 09:06 AM