Court Dismisses DMCA Claim if Circumvention Not Used for Copyright Infringement

In what appears to be a complete reversal from previous rulings across the nation, a federal judge for the 5th Circuit Appeals Court in New Orleans has ruled that breaking digital rights management (DRM) is not considered a violation of the ban imposed by the Digital Millennium Copyright Act (DMCA) if it was not done in pursuit of copyright infringement.

General Electric did not infringe on a power supplier’s digital copyrights when it used protected software unlocked through a hacked security key, the 5th Circuit ruled. “Merely bypassing a technological protection that restricts a user from viewing or using a work is insufficient to trigger the (Digital Millennium Copyright Act’s) anti-circumvention provision,” Judge Garza wrote for the New Orleans-based court. “The DMCA prohibits only forms of access that would violate or impinge on the protections that the Copyright Act otherwise affords copyright owners.”

The ruling by Judge Garza is a step in the right direction for opponents of DRM and the anti-circumvention ban written into the DMCA. The ruling will surely be appealed, and because there is now a split between the 5th Circuit and the other circuits around the nation, there is a strong chance a Supreme Court challenge will be heard in the future. Equally important, now that a precedent is set in the 5th Circuit, it will be interesting to see the impact this ruling has on upcoming cases in the same and other circuits. Will other courts adhere to the same line of reasoning offered by Judge Garza?

Just as Sony Corp. of America vs. Universal City Studios – the Betamax Case – opened the doors for the very fair use we pride ourselves on today, we can only hope for similar good things from whatever case does end up weaving its way through the court system up to the Supremes. It is inevitable that one case will end up deciding the future of DRM just as the Betamax Case did in the past. It will happen, it is just a matter of time.

Safari AutoFill Exploit: Disable Immediately

Jeremiah Grossman has uncovered a fatal privacy flaw in Apple’s Safari Web Browser v4 and v5 which allows a malicious web site to surreptitiously extract data automatically filled by way of the “AutoFill” functionality.

All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.

There is currently no fix available for this vulnerability. Until Apple does release a security update addressing this exploit, immediately turn off the AutoFill feature in Safari. Either that or modify your Address Book Card to something with innocuous data.

On a side note, according to Grossman, he informed Apple over a month ago about the exploit but has yet to receive a response. No surprise there – Apple is renowned for not responding to such submissions. This is not to say they will not provide a response, but rather to keep the issue on the down-low, which is really how Apple rolls when it comes to flaws with their products.

Twitter Settles Charges that it Failed to Protect Consumers’ Personal Information; Company Will Establish Independently Audited Information Security Program

It’s said and done now, but really, shame on Twitter. These are just some painfully obvious and blatant information assurance mistakes. And to consider these security errors occurred on a massive lifestreaming site such as Twitter. Unthinkable.

The FTC:

According to the FTC’s complaint, Twitter was vulnerable to these attacks because it failed to take reasonable steps to prevent unauthorized administrative control of its system, including:

  • requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks;
  • prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
  • suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;
  • providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
  • enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
  • restricting access to administrative controls to employees whose jobs required it; and
  • imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
It’s easy to overlook information security basics such as what the FTC found Twitter had done. But seriously, these steps listed above are not that painstaking to take care of. This should be a lesson-learned for all folks attached to the IT industry.
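Several controls from the FTC list above (access limited by role, restriction to specified IP addresses, lockout after repeated failures, 90-day password expiry) can be combined into one login decision. This is an added example, not code from Twitter or the FTC; the function names, the five-attempt threshold and the sample addresses are assumptions.

```javascript
// Added example: thresholds, names and addresses are assumptions, not from the FTC text.
const DAY_MS = 24 * 60 * 60 * 1000;
const MAX_FAILURES = 5;            // assumed "reasonable number" of failed attempts
const MAX_PASSWORD_AGE_DAYS = 90;  // the 90-day example given in the list
const ADMIN_ALLOWED_IPS = new Set(["192.0.2.10", "192.0.2.11"]); // constructed (TEST-NET-1)

// account: { isAdmin, failedAttempts, locked, passwordSetAt } (passwordSetAt in ms)
function checkAdminLogin(account, sourceIp, passwordOk, now) {
  // Role first: only employees whose jobs require it reach the admin path at all.
  if (!account.isAdmin) return "deny:not-admin";
  // Network restriction before any credential check, so guesses from outside the
  // allowlist neither test passwords nor count toward locking the account.
  if (!ADMIN_ALLOWED_IPS.has(sourceIp)) return "deny:ip";
  // A locked account stays locked even if the right password finally arrives.
  if (account.locked) return "deny:locked";
  if (!passwordOk) {
    account.failedAttempts += 1;
    if (account.failedAttempts >= MAX_FAILURES) {
      account.locked = true;
      return "deny:locked";
    }
    return "deny:password";
  }
  account.failedAttempts = 0;
  // Correct but stale password: force a change instead of granting access.
  if (now - account.passwordSetAt > MAX_PASSWORD_AGE_DAYS * DAY_MS) return "deny:expired";
  return "allow";
}

// Constructed walk-through: returns the decision for each step.
function demoAdminLogin() {
  const now = 100 * DAY_MS;
  const admin = { isAdmin: true, failedAttempts: 0, locked: false, passwordSetAt: now - 30 * DAY_MS };
  const steps = [checkAdminLogin(admin, "203.0.113.7", true, now)]; // right password, wrong network
  for (let i = 0; i < MAX_FAILURES; i++) steps.push(checkAdminLogin(admin, "192.0.2.10", false, now));
  steps.push(checkAdminLogin(admin, "192.0.2.10", true, now)); // locked out despite correct password
  return steps;
}
```

The order of the checks matters: the IP restriction runs before the password check, so an outside party cannot lock an administrator out by guessing.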

Surf Encrypted with EFF Firefox Extension

The Electronic Frontier Foundation (EFF) and the Tor Project have developed HTTPS Everywhere, a Firefox extension aimed at forcing the browser to use https on certain web sites, thus assuring the privacy offered by browsing securely.

This Firefox extension was inspired by the launch of Google’s encrypted search option. We wanted a way to ensure that every search our browsers sent was encrypted. At the same time, we were also able to encrypt most or all of the browser’s communications with some other sites:

  • Google Search
  • Wikipedia
  • Twitter and Identi.ca
  • Facebook
  • EFF and Tor
  • Ixquick, DuckDuckGo, Scroogle and other small search engines
  • and lots more!

Firefox users can install HTTPS Everywhere by following this link.

If you value your privacy online, or if you would like to ensure the prying eyes of your ISP are unable to spy on your web browsing – whether to perform deep packet analysis for advertising or to see if you are potentially infringing on the copyright cartel’s products – then this is a must-have extension.

This extension will not automagically make your entire web surfing encrypted. HTTPS Everywhere is designed to initiate https sessions only for those web sites explicitly configured. For example, TechMiso does not currently offer an https option, so this extension will not secure your browsing session with our miso soup loving site. Make sure you understand how this extension works before you install.
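The per-site behaviour described above, sketched as an added example (not the extension's own code): a request is upgraded only when its host has a ruleset, and everything else stays on plain http. The ruleset shape, the `upgradeUrl` function and the `.example` hosts are assumptions constructed for illustration.

```javascript
// Constructed rulesets in a simplified from/to rewrite form (an assumption, not
// the extension's real rule files). All hosts are reserved .example names.
const RULESETS = [
  {
    name: "search.example (constructed)",
    hosts: ["search.example", "www.search.example"],
    // Paths the site cannot serve over https are left alone.
    exclusions: [/^http:\/\/(?:www\.)?search\.example\/legacy\//],
    rules: [{ from: /^http:\/\/(?:www\.)?search\.example\//, to: "https://www.search.example/" }],
  },
  {
    name: "wiki.example (constructed)",
    hosts: ["wiki.example"],
    exclusions: [],
    rules: [{ from: /^http:/, to: "https:" }],
  },
];

// Returns { url, upgraded, reason } for one outgoing request URL.
function upgradeUrl(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl); // also lower-cases the host name
  } catch {
    return { url: rawUrl, upgraded: false, reason: "unparseable" };
  }
  const href = parsed.href;
  if (parsed.protocol !== "http:") return { url: href, upgraded: false, reason: "not-http" };

  // No ruleset for this host: the request goes out in cleartext, unchanged.
  const ruleset = RULESETS.find((rs) => rs.hosts.includes(parsed.hostname));
  if (!ruleset) return { url: href, upgraded: false, reason: "no-ruleset" };
  if (ruleset.exclusions.some((re) => re.test(href))) {
    return { url: href, upgraded: false, reason: "excluded" };
  }
  for (const rule of ruleset.rules) {
    if (!rule.from.test(href)) continue;
    const rewritten = href.replace(rule.from, rule.to);
    // Never accept a rewrite that does not end up on https.
    if (rewritten.startsWith("https://")) return { url: rewritten, upgraded: true, reason: ruleset.name };
  }
  return { url: href, upgraded: false, reason: "no-rule-matched" };
}
```

A host without a ruleset, such as `http://blog.example/post` here, comes back with `upgraded: false`, which is the TechMiso case from the paragraph above.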

Too bad HTTPS Everywhere is currently Firefox-only. Considering how popular Google Chrome is these days I certainly hope they plan to develop a Chrome extension.

PrivacyDefender Sets Facebook Privacy Settings in Two Clicks

Lifehacker’s Whitson Gordon:

You may be sick of hearing about the Facebook Privacy debacle, but your friends and family may still be in the dark. PrivacyDefender is a Facebook application that shows privacy settings in easy-to-read chart form, and provides three predefined settings to use.

This application takes the pain out of ensuring your Facebook data isn’t shared across the web through Facebook’s data groping ‘Facebook partner’ program. It also helps corral your data from being shared inadvertently by those in your friends list.

It’s not exactly the most granular Facebook security management app, but PrivacyDefender is a good start towards reeling in your Facebook privacy.

Encrypted Search

Google commits to security with its rollout of SSL encrypted search. This has nothing to do with how Google tracks your search habits.

From the Google Blog:

…today we’re gradually rolling out a new choice to search more securely at https://www.google.com.

Google will still maintain search data to improve your search quality and to provide better service. Searching over SSL doesn’t reduce the data sent to Google — it only hides that data from third parties who seek it.

HTTPS Aloof On Gmail, Facebook And Other Major Websites

Google does a disservice to its Gmail users by not turning on HTTPS by default — as do Facebook, MySpace, Hotmail, Twitter and other websites that require you to log on with username and password.

These and other sites not using SSL for their logon page could almost be called negligent in their [lack of] support for user privacy.

So why is the ‘S’ in HTTP’S’ important?


Echoing Michael Arrington

About two weeks into TechMiso’s launch early this year, I received an email from a prankster who goes by the name of Mr. Sukme Kim. A poor chap from Korea — with a bad name — who just lost his high paying “WYSIWIG” job — so he says.

This guy’s email reads:

(unedited) Dear Sirs,

I got your data from whois seerching. As my currently company in Korea is in the cutting back, I am righting to see if you have any good job open at tech miso . com? I am also pro for WYSIWYG. and can do good imaggry. Finally, I will work for five finger discount. Please hire me soon as you are ready.

Sincerly,

Mr. Sukme Kim

Initially, the email made me laugh — Mr. Sukme Kim? Classic cheap joke! And — this guy made a good attempt mangling the English language in his weird form of Korean. Funny, right?
