January 19, 2006

The node is the threat: Mozilla, the CIA, Skype, Symantec, Sony, .... and finally a WIRE THREAT: Bush

Firefox reaches around 20% market share in one "weekend" survey in Europe. Bull-rating! If this keeps going on, I'll run out of predictions by the end of January.

In other news, a Firefox developer caused a furore on slashdot by adding a URL tracking feature. Firefox needs to meet the interests of parties other than yourself in your browsing habits. In this case, it is probably Google; the fact that the developer put the feature in without any way to turn it off is telling.

Readers will recall a recent thread on governance in non-profits which goes some way to explaining this confusion (1, 2). Mozilla now has two interested groups - those that supply money and those that don't. How Mozilla brings itself to reconcile the conflicts between these two groups is worth watching - but also difficult to divine, as Mozilla have a fairly consistent policy of debating in secret and announcing later (the root list policy was a notable exception!).

The threats situation is daily growing more complex. Let's review more evidence (as if it is needed) on threat models. Over in Milan, prosecutors have revealed some details of the CIA kidnapping case. The alleged kidnappers left behind disk drives with emails that warned the agents to get out of Italy, as well as indicated who was the leader of the kidnapping crew.

On June 23, the day the warrants were issued, police searched the villa in the Italian wine region of Asti where Lady had retired with his wife at the end of 2003. From the hard drive of one of his computers police recovered the e-mail message, which someone had attempted to delete, plus other documents they say establish Lady as the organizer of the kidnapping.

The prosecutors have distributed 22 search warrants throughout Europe and intend to seek extradition from the US next. One of the alleged kidnappers was reached by reporters in Washington DC, but her name was not published at the request of the CIA, who say she is still active and undercover. (Which would then put the reporters in the curious position of obstructing justice if they ever travel to Europe!)

Back to threat models. That email on that drive! Darn it, the threat is on the node, says I. For a long time now I have been asserting that _the node is the threat_ and I've conducted a search for evidence that there is any threat to the wire. Long, boring, and ultimately futile was the quest! But now, I can at last reveal the quest may be over:

The Bush administration is engaged in the novel legal experiment of ordering illegal wiretaps so as to show why it needs the facility to harvest Americans' conversations without a court supervision. We now have an Executive Order, no less, mandating the NSA to threaten the wires of civilian America. Now, in times past one could have said that the NSA would have been strictly interested in bad guys outside the country, giving some protection to the populace who weren't plotting the overthrow of the USA. But those days are gone, even inside supporters of the administration are admitting that these extraordinary powers are desperately needed to get back at the internal enemies that made life so difficult for them in the past years. And I'm not just referring to the democrats or democracy. So this means we have bona fide evidence of a major eavesdropping threat to the wire - albeit one to Americans only.

Still, even with this stunning Executive Order, no less, the threat to the node remains more severe, I claim. News just in from Skype in China:

Skype had a dilemma. The Internet telephony and messaging service wanted to enter China with TOM Online (TOMO), a Beijing company controlled by Hong Kong billionaire Li Ka-shing. Li's people told their Skype Technologies (EBAY) partners that, to avoid problems with the Chinese leadership, they needed filters to screen out words in text messages deemed offensive by Beijing. No filtering, no service.

At first Skype executives resisted, says a source familiar with the venture. But after it became clear that Skype had no choice, the company relented: TOM and Skype now filter phrases such as "Falun Gong" and "Dalai Lama." Neither company would comment on the record.

First blood! This might be the first news that Skype is not protecting its users, which might explain why that other panda-shaped company, eBay, was ready to buy it. OTOH, the news comes from BusinessWeek, who aren't exactly above a hatchet job for political favours.

Either way, Skype was good while it lasted. In the department of corporate attackers it seems that Symantec has also been caught out installing root kits on Windows machines. They issued a patch, but not before saying that they were unaware of any hackers taking advantage... Oh, and poor old Sony, another corporate attacker caught with its hands in the root kit cookie jar has waved the white flag:

Federal judge Naomi Rice Buchwald gave tentative approval on Jan. 12th to a settlement in one of the many lawsuits filed against Sony over the rootkits. The settlement terms included offering cash payments or free music downloads to buyers of the affected CD's, and prevents Sony from selling any CD's with copy-protected software until 2008 at the earliest.

Lawsuits filed by Texas Attorney General Greg Abbott and the Electronic Frontier Foundation against Sony are still going ahead.

Thank heavens someone is taking on the attackers. Security observers (I no longer use the term 'security expert', a new year's resolution) scurried for cover in case they were asked to suggest whether a crime had been committed. Windows users may as well get used to it - with friends like that, they're not in dire need of new enemies.

Posted by iang at January 19, 2006 06:53 AM | TrackBack
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.