Monday 25 May 2009

FCC can search homes without a warrant, agency says


Unlicensed advocates disagree

Have a Wi-Fi router? If you do — and it uses an unlicensed frequency — you could be subject to a warrantless search of your home.

Federal Communications Commission guidelines stipulate that the agency can enter property when it suspects radio frequency energy is being abused. The provision, which was originally intended to aid the monitoring of unlicensed radio and TV stations, now has a broader range of application as more consumers join the Wi-Fi ranks.

“Anything using RF energy — we have the right to inspect it to make sure it is not causing interference,” FCC spokesman David Fiske told Wired for an article Thursday. The FCC spokesman said the scope included Wi-Fi routers.

“The FCC claims it derives its warrantless search power from the Communications Act of 1934, though the constitutionality of the claim has gone untested in the courts,” Wired’s Ryan Singer wrote. “That’s largely because the FCC had little to do with average citizens for most of the last 75 years, when home transmitters were largely reserved to ham-radio operators and CB-radio aficionados. But in 2009, nearly every household in the United States has multiple devices that use radio waves and fall under the FCC’s purview, making the commission’s claimed authority ripe for a court challenge.”

The Electronic Frontier Foundation, an online privacy group, called the FCC’s interpretation a “major stretch.”

“It is a major stretch beyond case law to assert that authority with respect to a private home, which is at the heart of the Fourth Amendment’s protection against unreasonable search and seizure,” Electronic Frontier Foundation lawyer Lee Tien was quoted as saying. “When it is a private home and when you are talking about an over-powered Wi-Fi antenna — the idea they could just go in is honestly quite bizarre.”

“The rules came to attention this month when an FCC agent investigating a pirate radio station in Boulder, Colorado, left a copy of a 2005 FCC inspection policy on the door of a residence hosting the unlicensed 100-watt transmitter,” Singer writes.

“Whether you operate an amateur station or any other radio device, your authorization from the Commission comes with the obligation to allow inspection,” the statement said.

Boulder Free Radio simply moved the transmitter to a new location. They say they’ll continue to do so in the future.

KBFR Boulder Free Radio offers a glimpse into the troubles encountered by pirate radio stations. It aired from 2000 to 2005 using an unlicensed broadband radio frequency. During that time, the station’s founders mounted a transmitter in a tree, connected it to the station in a van, and parked the van in various locations in an effort to frustrate FCC inspectors.

Ultimately, the station shut down. It was reincarnated, however, in 2006 and again in 2008.

Not everyone agrees with the FCC’s interpretation of the 1934 law. Rogue Radio Research, a company that promotes unlicensed broadcasters, says on its website that agents of the FCC don’t have the right to search homes.

“If FCC agents knock on my door and say they want to talk with me, do I have to answer their questions?” the site asks rhetorically on its “Pamphlets and Practical Guides” page.

“No,” they say. “You have a right to say that you want a lawyer present when and if you speak with them, and that if they will give you their names, you will be back in touch with them. Unless you have been licensed to broadcast, the FCC has no right to ‘inspect’ your home.

“If they say they have a right to enter my house without a warrant to see if I have broadcasting equipment, do I have to let them in?” they continue.

“No,” the site replies. “Under Section 303(n) of Title 47 U.S.C., the FCC has a right to inspect any transmitting devices that must be licensed under the Act. Nonetheless, they must have permission to enter your home, or some other basis for entering beyond their mere supervisorial powers. With proper notice, they do have a right to inspect your communications devices. If they have given you notice of a pending investigation, contact a lawyer immediately.”

Outlaw Legends: Secrets of Russian Hackers






With cybercrime on the rise worldwide, hackers from Russia and China are called the most dangerous. Though several countries say Russian virtual terrorists threaten their security, they seem impossible to catch.

That mysterious Russian hacker – is he as scary as they say?

RT caught up with a professional hacker who, for obvious reasons, chose to remain anonymous.

“Everything is dependent on computers now,” he said.

“Bank cards, phones – everything functions through a computer, through an operating system. And all of it can be broken into and destroyed.”

The hackers often do it for the cash. But more often than not, the thrill and adrenaline are what drive their curious minds.

In the past few years, the US has often fallen victim to Russian hackers. They’ve broken into the systems of major companies and even the Pentagon. As a leader in computer technology, America is a juicy target for hackers.

“I don't know if Americans are afraid of us, but we’re definitely not afraid of them,” the interviewed hacker told RT.

“Half of our country is made up of hackers, why would we be afraid of the Americans? When we are the ones stealing their products and their software.”

Virtual ‘freedom fighter’


The Russian police’s cybercrime division named 'Department K' has warned many times that Russian hackers are the strongest in the world. And it’s extremely hard to catch a hacker red-handed.

“I was arrested, taken to three prisons in three weeks,” said Dmitry Sklyarov, programmer from Moscow.

“Then I was let out on bail and couldn’t return to Russia for six months because of the American justice system.”

Dmitry Sklyarov’s arrest several years ago exploded into a frenzy of outrage among the public, both in the US and abroad.

At a computer conference in America several years ago, Dmitry showed how easy it is to break through the PDF format and was arrested by the FBI. He became a symbol of the fight for programmers’ freedom, and was soon released from an American prison.

Dmitry is now an IT professor at a prestigious Russian computer science university. The pro says he has never carried out any criminal activity using his knowledge.

“Thankfully, no one ever came to me and said ‘help us commit this crime or else,’” said Sklyarov.

But Dmitry says, if he had, it would have been impossible to catch him.

Human lives in hackers’ hands

Nikita Sinitsyn, Editor-in-Chief of “Hacker” magazine – a how-to Russian publication – says it’s not true all hackers are criminals. He explained to RT the scale of what a hacker can do.

“The scariest thing about what a hacker can do is not money loss, but human lives,” he said.

“Hypothetically, if a hacker broke into a system of satellite control, made satellites crash into each other and fall to Earth, let’s say, in Los Angeles, that's scary. Systems containing state secrets being broken into by hackers – maybe that’s not such a bad thing. This doesn’t influence individual human lives. That’s something that states and corporations should worry about.”

One of the problems with catching a hacker is that there is no unified international law for Internet crime. Bringing charges against someone based in another country is extremely hard to do. So until there is a strong legal mechanism against them, hackers have lots of time and opportunities to keep up the cyber attacks.

Wednesday 20 May 2009

A guide to safer social networking


Just because that link was tweeted or messaged to you by a colleague doesn’t mean you should click it.

Just because your friend published a list of 25 previously unknown things about themselves doesn’t mean you need to reciprocate. Just because a celebrity you respect tweeted a link, it doesn’t mean it’s safe to follow it, particularly when the real destination is obscured through a URL shortening service.

Social networking has rapidly gained acceptance in all walks of life. Facebook boasts close to 200 million users. MySpace doesn’t advertise its figures but it is certainly Facebook’s closest competitor in terms of user numbers. Bebo can count in excess of 40 million users.

The customers of these social networking providers are not exclusively the school- or university-aged either. In fact, two-thirds of the world’s internet population now visit social networking or blogging sites, accounting for almost 10% of all internet time, according to a March 2009 Nielsen report.

It’s not just about social networking sites though. The professional networking site LinkedIn has a new member joining almost every second and will soon hit 40 million members, while micro-blogging service Twitter grew a staggering 1382% year on year in February 2009.

Explosive growth
With explosive growth and user populations of this order it’s hardly surprising that these services also appear to be coming of age as attack platforms for cybercriminals.

Among the more traditional attacks facilitated through social networking sites that we have seen over the past few months, you can count the following.

• Several outbreaks of (so far) non-malicious worms on Twitter, using cross-site scripting vulnerabilities or clickjacking.
• Fake Bebo and LinkedIn profiles containing links that lead to malicious downloads.
• Rogue applications that appear to be designed for information harvesting and the infamous Koobface worm on Facebook.
• Hijacked profiles being used for 419 scams direct from one friend to another.
• Scam advertisements leading to bogus multi-level marketing schemes, or worse.


There are several entry points available for cybercriminals into the interactive playground of social networking: fake or compromised profiles, malicious applications, malvertisements, cybersquatting, spam and phish masquerading as legitimate notifications from social networks, information harvesting through group memberships, cross-site scripting vulnerabilities and direct messages, just for starters.

Victims are at risk of identity theft, fraud, infection or simply of becoming an attack platform to infect or defraud their own friends and colleagues.

Bound by trust
The one thing that all of these attacks have in common, though, is the very thing that binds social networks together: trust. Because the attacks, messages and links come from friends or colleagues, they appear far more credible than the average spam email from a stranger.

Even the Koobface worm with its almost textbook standard spam messages such as “You are veryy ggood at pposing to a spy cameera!” becomes that little bit more believable when it comes from someone you know.

And, of course, when we choose to join a community, by default we naively choose to share all of our personal information with any other member of that community simply on the basis of a mutual shared interest.

Most of us are guilty of being far too trusting and far too free with our personal information online. We give away little snippets (or great chunks in some cases) of our personal lives in what is essentially a public or at best only semi-private forum, making the work of criminals such as carders and ID fraudsters far more simple.

More aware
In fact I have seen social networking sites spoken about in underground carding forums as a “free date of birth look-up service” along with a wealth of tips on how best to exploit these kinds of platforms.

We need to become far more aware of the value of our personal information and importantly the information we have about our friends. We also need to become far more conversant with the privacy controls available on social and professional networking sites and actually use them.


There is no need to fill out that questionnaire “25 Things About Me” and post it on your profile. There is no need to share your entire employment, educational or address history.

There is no need to share your “Porn Star Name” (first name = name of your first pet, family name = mother’s maiden name); isn’t that exactly the kind of information needed to reset your email account password, or access your financial data? And there is no need to volunteer the email addresses of friends and family when asked to recommend a “joke” website or application to 10 friends.

When your personal information becomes public it is out of your control and soon out of sight. Criminals can and do use this stuff to break into your online accounts. Just ask Sarah Palin.

Next time, before you hit “Post”, ask yourself this: “if a stranger called me on the telephone asking for this information, would I tell them?” If the answer is “No”, then step away from the mouse.
Rik Ferguson - Trend Micro

Friday 15 May 2009

Graham: CIA Gave Me False Information About Interrogation Briefings


In testimony that could bolster Speaker Nancy Pelosi's claim that the CIA misled her during briefings on detainee interrogations, former Senator Bob Graham insisted on Thursday that he too was kept in the dark about the use of waterboarding, and called the agency's records on these briefings "suspect."

In an interview with the Huffington Post, the former Senate Intelligence Committee Chairman said that approximately a month ago, the CIA provided him with false information about how many times and when he was briefed on enhanced interrogations.

"When this issue started to resurface I called the appropriate people in the agency and said I would like to know the dates from your records that briefings were held," Graham recalled. "And they contacted me and gave me four dates -- two in April '02 and two in September '02. Now, one of the things I do, and for which I have taken some flack, is keep a spiral notebook of what I do throughout the day. And so I went through my records and through a combination of my daily schedule, which I keep, and my notebooks, I confirmed and the CIA agreed that my notes were accurate; that three of those four dates there had been no briefing. There was only one day that I had been briefed, which was September the 27th of 2002."

As for the one briefing he did attend, the Florida Democrat said that he had "no recollection that issues such as waterboarding were discussed." He was not, per the sensitive nature of the matters discussed, allowed to take notes at the time. But he did highlight what he considered to be pretty strong proof that the controversial technique was not discussed.

"What struck me...was the fact that in that briefing, there were also two staff members," he said. "As you know, the general rule is that the executive is to brief the full committees of the House and Senate Intelligence committees about any ongoing or proposed action. The exception to that is what is called "covert action," where the president...only briefs the Gang of Eight, which is the four congressional leaders and the four intelligence committee leaders. Those sessions are generally conducted at an executive site, primarily at the White House itself. And they are conducted with just the authorized personnel, not with any staff or any other member of the committee.... Which leads me to conclude that this was not considered by the CIA to be a Gang of Eight briefing. Otherwise they would not have had staff in the room. And that leads me to then believe that they didn't brief us on any of the sensitive programs such as the waterboarding or other forms of excessive interrogation."

The remarks made by Graham bolster the comments offered by Pelosi on Thursday. The Speaker told reporters that during her briefing session in the fall of 2002 she was not just kept in the dark about the issue of waterboarding, she was assured that it had not been used.

"Yes, I am saying that the CIA was misleading the Congress," she said.

However, records and testimony do show that high-ranking aides were present during a February 2003 briefing when waterboarding was discussed by the CIA with Reps. Porter Goss and Jane Harman.

Graham declined to speculate as to what took place during Pelosi's briefings, noting that the House and Senate had two entirely different sessions. But he did point out that, at the time, "the whole credibility of the intelligence committee, particularly the CIA, was pretty much in question" -- giving credence to Pelosi's claims that she was given faulty information.

"The irony," said Graham, "is that the whole series of events in late September of '02 were concurrent with the CIA's release of the first classified version of the National Intelligence Estimate, which was one of the key factors that led me to vote against the war in Iraq because I thought that their case was so weak. And they were making to the public these very bold statements about how we were in extreme danger if we didn't move quickly to eradicate Saddam Hussein. The whole, 'a smoking gun may appear in the form of a mushroom cloud' kind of argument."

Tuesday 12 May 2009

French 'net piracy' bill passed

A controversial French bill which could disconnect people caught downloading content illegally three times has been passed by the National Assembly.

The legislation, backed by President Nicolas Sarkozy, was surprisingly voted down by the Assembly last month.

The bill sets a tough global precedent in cracking down on internet piracy, and is being closely watched by other governments as a potential deterrent.

The global music industry has been calling for tougher anti-piracy laws.

The Creation and Internet bill was passed by a vote of 296 to 233 by the lower house and will go before the Senate for final approval on Wednesday.

Three strikes

The new legislation operates under a "three strikes" system. A new state agency would first send illegal file-sharers a warning e-mail, then a letter, and finally cut off their connection for a year if they were caught a third time.

It has been backed by both the film and record industries.

But some consumer groups have warned that the wrong people might be punished, should hackers hijack their computers' identity, and that the scheme amounted to state surveillance.

The socialist parliamentarian Patrick Bloche said the bill was "dangerous, useless, inefficient, and very risky for us citizens".

John Kennedy, chairman of the IFPI, which represents the global music industry, has described the bill as "an effective and proportionate way of tackling online copyright infringement and migrating users to the wide variety of legal music services in France".

Friday 8 May 2009

Q&A: FBI agent looks back on time posing as a cybercriminal

In September 2008 police began arresting alleged members of Dark Market, an underground Internet forum for buying and selling credit card data used for identity fraud. The sting wouldn't have been possible without the work of FBI agent J. Keith Mularski, who spent two years infiltrating the group.

FBI Special Agent J. Keith Mularski spent two years posing as a cybercriminal as part of an undercover sting operation.
(Credit: U.S. Federal Bureau of Investigation)

Mularski became hacker "Master Splynter," a play on the name of the Teenage Mutant Ninja Turtle character called "Master Splinter," a rat who lives in New York City's sewers. He was so successful in his online disguise that he ended up running the server that hosted the Dark Market forum from his offices at the National Cyber Forensics Training Alliance in Pittsburgh.

Mularski, a supervisory special agent with the FBI's Cyber Initiative & Resource Fusion Unit, spoke about the Dark Market sting during a session at the RSA security conference last month. CNET News caught up with him this week on the telephone to find out what it was like hanging out with cybercriminals.

Q: You were central to the Dark Market sting. Tell me what happened and what role you played.

Mularski: We kicked off an undercover operation to try to penetrate these underground crime groups that are running these forums on the Internet. We developed the persona of a spammer/hacker and I assumed that role. Our intention was to try to penetrate the groups and dismantle them like we would with organized crime. In this case we were very successful in getting to the upper echelons of the Dark Market group and we were actually able to run the server and host all the communications that were going on there to make our cases against the criminals. Worldwide we had 60 arrests. It was a two-year operation and we had arrests in the U.K., Germany, Turkey, and here in the U.S.

What measures did you take to try to prove you were legitimate?
I acquired the reputation of one of the world's top 5 spammers. The Spamhaus Project, which tracks spammers, made a listing for me as being a top spammer and that gave me credibility so that I didn't necessarily have to do any criminal activity. I could talk the talk. If someone wanted me to mail (send spam) for them I would (get out of it by giving them the excuse) that they were too small of a fish. If they were a big fish I'd just say I didn't have any openings or time to work with them.

What sorts of crimes were they doing on Dark Market?
They were doing all sorts of identity theft. They were hacking into companies and stealing credit card numbers and selling them. They were selling counterfeit drivers' licenses and other photo documentation, as well as manufacturing fake credit cards. They were selling harvested bank accounts and brokerage accounts and selling different types of malware or spyware programs or Trojan horses that you could infect peoples' computers with. The whole gamut of the cyber underground was available there. If you needed it you could get it there on the site.

How did being undercover interfere with your life? What extremes did you have to go to to keep up the facade?
I would have to be online all the time, basically, in case someone needed to get ahold of me. If I was at home I would always have a computer on, even while watching TV. If I went on vacation I took the computer with me to make sure I was able to log in. I would tell the (Dark Market) guys I was traveling to go surfing or something like that and I would tell them I'll be online at these times if you need to get me. I had a cell phone connected to a Gmail account and I would tell them if they had to get ahold of me to send an e-mail and it would ping me. It was like that for two solid years almost every day. My wife wasn't too happy about it (chuckling).

No doubt! Was there ever a moment when you thought the jig was up and that they were on to you?
There were a couple of those. We had a problem with our backstopping right at the beginning of the operation when I took over the server. One of our rivals had hacked into the Dark Market server and was looking at who was logging in. He traced the IP address doing a "who is" (lookup) and the phone number connected to our covert IP address, which was supposed to be unlisted but instead it showed the address here at the National Cyber Forensics Training Alliance. By doing some research they determined that the IP address came from this building and they thought it came from me. I had to go on the offensive and say that it wasn't me and that it was already in the server. Eventually they believed me. There were a lot of wars between rival groups at the time. A lot of people were accusing each other of being "feds" and "cops" and I was able to use that to my advantage to create a smoke screen and create doubt.

How were you able to become administrator of the Dark Market server?
I had good relations with the administrator whose alias was "Jilsi." He wasn't a very technical guy and was having problems running the site because it was getting attacked by a rival group. So I told him about my background as a spammer and told him how good I was at setting up sites. I did some demonstrations and set up some test sites to show him I had the skills. Then there was just a lot of talk and rapport building. One night when Dark Market was getting attacked by a rival group I said I was ready and that I could secure the server for him and he said "let's move." That gave me full access to everyone using it and what they were doing.

Any anecdotes to tell about your dealings with these people?
It was like a soap opera. There was constant drama going on. A lot of people were accusing one another of being cops. It was funny being part of the discussion as people were talking about whether so and so was a cop or a fed and I was sitting there knowing full well that the person wasn't. There were a lot of egos, and a lot of funny stories where guys would brag about their close brushes with the law and how close they got to being arrested. You get 20-year-old guys, 30-year-old guys who are single and making a lot of money, so you hear a lot of stories of partying and things like that.

Did you get a sense of what these carders are like as people; what their characters are like?
There are a lot of guys who I think their curiosity just got the best of them and it led them down a dark path. One of the guys, Max Butler, who ran our rival site called Carders Market and used the hacker name Ice Man, was arrested in San Francisco. He was very intelligent. He could have been an excellent security expert. He could have given talks at RSA about vulnerabilities. A lot of these guys are just misguided. They get into a hotel and see that they have credit cards and one thing leads to another. I think that's how it all starts off and then they find they can make a lot of money and it becomes a business, a job. If you met them in person they were actually nice guys. I enjoyed a lot of my chat sessions when we were talking about other things, like traveling the world and things like that.

How old are they?
The average guy is in his mid-20s or so. We've seen guys in their 40s. Ages range from 17 to 40something, typically. A lot of the guys who we arrested were in their mid-30s.

How tied to organized crime are they?
One of the guys, "ChaO," kidnapped someone. He viewed himself as a traditional organized crime member. He was connected with organized crime groups in Turkey and they resorted to violence when they kidnapped someone who was talking too much about the operations. We're seeing more of that, especially in Romania. Also in Russia.

Did you hear from any of your former carder cohorts after the arrests?
I heard from sources that they couldn't believe I was an FBI agent. One of the guys whose house we raided wasn't at home and he sent me an expletive-filled message saying 'you're never going to catch me.' I told him he should give himself up rather than spend his life on the run and a week later he turned himself in.

This work sounds kind of dangerous. Did you ever feel you were in danger or are you worried now?

When you are an FBI agent there's always that threat of danger working crimes undercover. We never intended for my name to come out in this operation. But FBI agents' names are in affidavits. There was always that risk that my name could be exposed. It's always in the back of your mind but you try not to think about it.

What impact did the sting have?
It showed that we can get you no matter where you live. We were able to make internal relationships and work cases jointly with law enforcement in other countries. In the future there will be other joint cases in Europe and around the world. You don't necessarily have to be in the U.S. for us to bring you to justice. That is one of the most significant impacts it had. Another one is that it showed these guys that, yes, we do have a presence out there (on the Internet) and the U.S. is serious about targeting cybercrime. We are going to throw our resources at this problem.

How have things changed since you started the Dark Market operation in 2006?

With every operation the bad guys learn more of the undercover techniques that law enforcement is using. Everything that was successful for us in this operation would have to be tweaked because of that. The level of sophistication is so much higher. The days of a cyber investigation where you just track an IP address and that leads you to a hacker's house, those days are long gone. There are many different anonymization services the bad guys are using. The exploits and botnets they are using are so much more sophisticated than they were a couple of years ago. Just two years ago the majority of the botnets were IRC botnets, which are fairly simple. Now we're seeing botnets like the Storm worm that are very sophisticated and running peer-to-peer networks and that makes it harder for us to track down the command and control servers.

Have you been involved in any of the efforts to track down the people behind the Conficker worm?

I can't comment on that.

Anything else to add?
The message I'm trying to preach is that we have international cooperation and that other countries are starting to recognize this problem. Also, the attackers have changed with the emergence of organized crime into these cybercrimes. It's not just an 18-year-old pimply faced kid in his room committing these crimes. These are organized crime groups doing it. It's all about the money now and not just about how elite my hacking skills are to get into this Web site. Profit is driving these groups.

The stakes are higher now for everyone?

Definitely.

by Elinor Mills

Tuesday 5 May 2009

Researchers hijack botnet, score 56,000 passwords in an hour

The Torpig botnet was hijacked by the good guys for ten days earlier this year before its controllers issued an update and took the botnet back. During that time, however, researchers were able to gain a glimpse into the kind of information the botnet gathers as well as the behavior of Internet users who are prone to malware infections.

Researchers at the University of California Santa Barbara have published a paper (PDF) detailing their findings after hijacking a botnet for ten days earlier this year. Among other things, the researchers were able to collect 70GB of data that the bots stole from users, including 56,000 passwords gathered within a single hour. The information not only gave them a look at the inner workings of the botnet, they also got to see how secure users really are when it comes to online activities. (Hint: they aren't.)

The botnet in question is controlled by Torpig (also known as Sinowal), a malware program that aims to gather personal and financial information from Windows users. The researchers gained control of the Torpig botnet by exploiting a weakness in the way the bots try to locate their command and control servers—the bots would generate a list of domains that they planned to contact next, but not all of those domains were registered yet. The researchers then registered the domains that the bots would resolve, and set up servers where the bots could connect to find their commands. This method lasted for a full ten days before the botnet's controllers updated the system and cut the observation short.
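The domain-list weakness described above, seen from the defender's side, as an added example that is not code from the UCSB paper or from this article: once a generator is known, the upcoming domains can be precomputed, checked for ones still unregistered, and matched against resolver logs to find infected clients. The generator, seed, TLD list, dates and log format below are constructed stand-ins, not Torpig's actual algorithm.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical date-seeded generator standing in for the bots' domain list.
# It is NOT Torpig's algorithm; SEED and TLDS are assumptions for the example.
SEED = b"constructed-example-seed"
TLDS = ("com", "net", "biz")


def domains_for(day):
    """Return the candidate rendezvous domains a bot would try on `day`."""
    names = []
    for tld in TLDS:
        material = SEED + day.isoformat().encode() + tld.encode()
        digest = hashlib.sha256(material).digest()
        # Map the first ten digest bytes onto lowercase letters.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        names.append(f"{label}.{tld}")
    return names


def watchlist(start, days):
    """Precompute domain -> date for the next `days` days from `start`."""
    table = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for name in domains_for(day):
            table[name] = day
    return table


def unregistered(table, registered):
    """Watchlisted domains nobody holds yet: the ones a defender can
    register or sinkhole before the botnet's operators do."""
    return sorted(d for d in table if d not in registered)


def infected_hosts(dns_log, table):
    """Map client IP -> set of watchlisted domains it looked up.

    Log format (constructed): '<timestamp> <client-ip> <qname> <rcode>'.
    Malformed lines are skipped instead of raising.
    """
    hits = {}
    for line in dns_log:
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qname, _ = parts
        # DNS names are case-insensitive and may carry a trailing dot.
        qname = qname.rstrip(".").lower()
        if qname in table:
            hits.setdefault(client, set()).add(qname)
    return hits


def sample_log(start):
    """Constructed resolver log: two clients query generated names,
    one client queries an ordinary site, one line is truncated."""
    today = domains_for(start)
    tomorrow = domains_for(start + timedelta(days=1))
    return [
        f"2009-01-25T09:00:01 10.0.0.5 {today[0]} NXDOMAIN",
        f"2009-01-25T09:00:02 10.0.0.5 {today[1].upper()}. NXDOMAIN",
        "2009-01-25T09:00:03 10.0.0.7 www.example.org NOERROR",
        f"2009-01-26T09:00:01 10.0.0.9 {tomorrow[2]} NOERROR",
        "truncated line",
    ]


if __name__ == "__main__":
    start = date(2009, 1, 25)  # constructed date
    table = watchlist(start, 7)
    print("domains to watch:", len(table))
    print("still unregistered:", len(unregistered(table, set())))
    for client, names in sorted(infected_hosts(sample_log(start), table).items()):
        print(client, sorted(names))
```

Clients whose lookups for generated names return NXDOMAIN are the same population the researchers captured by registering those names first.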

During that time, however, UCSB's researchers were able to gather massive amounts of information on how the botnet functions as well as what kind of information it's gathering. Almost 300,000 unique login credentials were gathered over the time the researchers controlled the botnet, including 56,000 passwords gathered in a single hour using "simple replacement rules" and a password cracker. They found that 28 percent of victims reused their credentials for accessing 368,501 websites, making it an easy task for scammers to gather further personal information. The researchers noted that they were able to read through hundreds of e-mail, forum, and chat messages gathered by Torpig that "often contain detailed (and private) descriptions of the lives of their authors."

(Comically, the report notes that 0.1 percent of Torpig victims love "exchanging insults" online, with another four percent spending their time looking for sex online. The rest are doing relatively mundane things like worrying about grades, looking for advice from doctors and lawyers, looking for jobs, and playing video games.)

Of course, the primary goal of Torpig is to steal financial information like credit card numbers and bank logins. In just ten days, Torpig apparently obtained credentials of 8,310 accounts at 410 financial institutions, including PayPal, Capital One, E*Trade, and Chase. The researchers noted, too, that nearly 40 percent of the credentials stolen by Torpig were from browser password managers, and not actual login sessions, and that the Torpig controllers may have exploited these credentials for between $83,000 and $8.3 million during that time period.

Interestingly, a large number of the financial institutions that had been breached required "monumental effort" in order to notify the victims, according to the report. In fact, financial institutions weren't the only ones—interacting with registrars, hosting facilities, and law enforcement were all "rather complicated," indicating that there's a long way to go in order to make notifying botnet victims easier.

Not becoming a victim in the first place is the ideal situation, however. The researchers concluded that victims of botnets are usually those who have poorly maintained machines and who choose "easily guessable" passwords. "This is evidence that the malware problem is fundamentally a cultural problem," reads the report. "Even though people are educated and understand well concepts such as the physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behavior when using a computer."

Sunday 3 May 2009

Israeli hacker to be extradited to US

Canadian media report Ehud Tenenbaum, dubbed 'the analyzer', to be transferred to United States on charges of hacking scheme spanning hundreds of companies

Israeli hacker Ehud Tenenbaum will be extradited to the United States despite his previous requests to be tried in Canada, where he was arrested, Canadian media reported over the weekend.
Tenenbaum, who was dubbed "the analyzer" after it was discovered that he was the mastermind behind the hacking of the Pentagon computer systems in the late 1990s, has been in Canadian custody since August 2008, when he and three Canadian accomplices were arrested for hacking into the computers of Canadian company 'Direct Cash' and stealing CDN$1.8 million.

Ehud's mother, Malka, confirmed the extradition to Ynet and explained that it was "by agreement and there's something to the reports."

Shortly after his arrest, Tenenbaum was scheduled to be released on CDN$30,000 bail. The court later denied bail after the prosecution entered into evidence documentation suggesting he is the leading suspect in a US case investigating the hackings of hundreds of companies around the world, including some in the US, Russia, Turkey, Holland, Sweden and Belgium.

Due to the scope of the fraud and the involvement of US companies and the Pentagon, the United States' Federal Bureau of Investigation (FBI) is involved in the investigation against him.

Previously, Tenenbaum and his associates opposed extradition because the charges levied against them in the United States are much more severe than those in Canada. Now, however, Tenenbaum appears prepared to agree to comply with extradition and even decided to forgo a preliminary hearing on the matter.

In the past, Tenenbaum's mother told Ynet she objected to the extradition because it involved charges that had taken place over a decade ago. Regarding the recent decision, she said "I don't want to talk so that I don't ruin anything and you'll understand what I mean when the time comes. Any superfluous talk will harm my son."

by Daniel Edelson
Published: 05.03.09, 10:49 / Israel News

Friday 1 May 2009

New Jersey Case Looks At Whether Bloggers Can Protect Sources

There have been a number of cases recently that have tested whether various laws that protect journalists from having to give up their sources also apply to people publishing content online in forums, email groups or blogs. The latest, sent in by someone Anonymous, is taking place in New Jersey, where a woman who revealed a security breach in the software of a company called Too Much Media is being sued for slander in revealing the breach. There are numerous issues with the lawsuit, including the oddity that they're suing for slander for online comments, since slander is for spoken words, whereas libel is normally applied to the written word. It's also odd that they're suing considering the fact that they don't deny the security breach existed, but dispute the claim that customer info (including credit card details) was exposed, because they claim the security breach was brief and no info was compromised. That seems like a pretty weak defense.

However, the real battle seems to be over the attempt to determine how the woman, Shellee Hale, found out about the breach in the first place. She's refusing to give that up, claiming that she has a right to protect her sources, just like any journalist. And while Hale writes multiple different blogs, and has written for many mainstream publications (including the Wall Street Journal and Business Week), Too Much Media claims that she doesn't deserve protections afforded to journalists because she wasn't working for any real publication and is just a blogger. The article quotes someone who says that if the court sides with Hale:

"then everyone is a journalist and the privilege becomes meaningless."

I don't see how that's actually true. In fact, I'd argue the other way. It's not that it becomes meaningless, but that it becomes very, very meaningful -- especially in an era where we're looking for new ways to prop up investigative journalism. If everyone's a journalist, and everyone has a reasonable expectation that their sources are shielded, then we're much more likely to continue to root out corruption. If this protection is somehow reserved for some "special" credentialed people, then it becomes that much harder to expose corruption.

Unfortunately, it appears that the judge in the case is almost entirely computer and internet illiterate, needing to ask for explanations for a variety of things during the court proceedings. He seemed entirely confused by the very concept of people blogging for personal interest:

"Why would a guy put all this stuff on a blog? Does he have nothing better to do?" Locasio asked. "Does he get paid?"

The judge, who apparently is about to retire in a couple months, also didn't understand the difference between blogs, message boards and forums, and was apparently unfamiliar with instant messaging. It's difficult to see why someone entirely unfamiliar with the technology should be able to judge a case like this, where understanding what's happening online is crucial to understanding what the case is really about.

New Zealand Officials To Scrap Copyright Law; Start From Scratch

There was a lot of controversy over the past few months concerning an attempt to change copyright law in New Zealand. After tremendous uproar over the fact that the law (a version of three strikes) basically would declare people guilty based on accusations, rather than proof or conviction, the government finally agreed to dump the plan with plans to revisit it. However, it looks like now the government has decided to completely start from scratch, and to recreate copyright law anew. This is quite surprising. Historically, changes in copyright law tend to be patches. Every time a new technology changes things such that copyright law doesn't make sense, regulators duct tape on some "patch" that tries to deal with that new situation. Yet, New Zealand officials seem to be recognizing this, and want to see about rewriting copyright law from scratch:

The Copyright Act was written in the pre-internet age, and does not address any of the complexities surrounding file sharing, format shifting, and other modern issues such as DVD copying -- problems the last government was attempting to fix in a piecemeal fashion.

Of course, the real question is who will rewrite the law and how the process will work. If it's the industry, then you can expect the law to be much worse. But if it's designed with the full spectrum of interests taken into account, New Zealand could represent a useful sandbox for really (finally) rethinking some of the myths and talismans that some copyright maximalists insist are true, but for which no evidence exists. Hopefully, the government will consider ideas from outside the industry, and recognize both the public interest and the intention of copyright law.