Security

We don’t like to make political statements too often here at DLS. It just seems a lot less complicated to fight over software, or whether or not something is Web 2.0, or pirates and ninjas. Every once in a while, though, something comes up that’s just a little too out of line not to mention.

Wired reports that back in November, the FBI paid a visit to The Internet Archive and served founder Brewster Kahle with a National Security Letter. The NSL (.pdf link, be warned) is a funny sort of document. It is a subpoena that can be issued without a judge’s watchful eye. It usually comes with an order to not tell anyone that the person in question has received it, excepting, of course, their lawyer. So Kahle couldn’t tell board members, or his staff, or his teddy bear without legal repercussions.

NSLs aren’t really new, but they’ve blossomed since the USA Patriot Act was enacted. According to Wired, though the FBI guidelines don’t encourage frequent use, Congressional audits and the FBI itself reveal that it is likely that hundreds of thousands have been issued in the past seven years. It’s likely, because, you know, the FBI doesn’t actually seem to track how many they’ve used. Oh, whoops.

The other dimension to this drama is that the Internet Archive is more of a library than an ISP/communications provider. It seems, in light of that, that the NSL used was actually not the proper document to request the sort of things it was requesting from that institution. Whoops again.

This week, the government and The Internet Archive reached a settlement in regards to the NSL issue. The issued NSL is officially off the table. The Internet Archive can’t say anything about what the information was that got the FBI so riled up in the first place.

Seeing that the Internet Archive archives public information, that anonymous browsing is allowed, and all that’s required to sign up for an account is an email address, username and password (Kahle says IP addresses aren’t logged) it doesn’t seem as though the FBI will really find much helpful information. They will find a whole lot of Grateful Dead recordings, if that’s any consolation.

[via LISNews via Wired]

30 fateful years have passed since what is believed to be the first piece of spam has defiled the inboxes of unwitting victims. Since then things have gotten much worse, with Internet scams at an all time high and spam comprising up to 90% of all email.

Gary Thuerk, the only soul that can lay claim to the title “Father of Spam,” is the man who started it all, even if he’s not to blame for the monstrosity that all of this has evolved into. The enlightening moment in his mind was this: “It’s too much work to send everyone an e-mail,” … “So we’ll send one e-mail to everyone.” And thus the beast was born.

His email inviting people to come see a product presentation of the DECSYSTEM-20 FAMILY, which was written in all caps (setting the standard for years to come), was met with a very negative reaction foreshadowing how we still feel today about unsolicited emails. Interestingly enough, the email generated about $12 million in sales for Thuerk, which is probably why spam is still filling the inboxes of young and old alike: it works.

[via Geeks are Sexy]

Yahoo! has partnered with McAfee to integrated the security firm’s SiteAdvisor technology in Yahoo! search results. That means Yahoo! will remove some of the most dangerous sites from search results altogether, and will include highly visible warning messages on search listings that force downloads, include browser exploits, or sites that send unsolicited emails.

Google offers a similar service, through a partnership with Stop Badware. But Google doesn’t check for web sites that initiated automatic downloads when you load them, or sites that include links to harmful web pages. Yahoo!’s new SearchScan feature does.

SearchScan will be turned on by default for Yahoo! users in the US, Canada, the UK, Australia, France, Germany, Italy, New Zealand, and Spain. You can turn it off by visiting the SearchScan settings page.

The WordPress team has released version 2.5.1 of the blogging software. The new version, which comes nearly a month after the initial release fixes a slew of performance and interface bugs, but also includes a very important security update. It is highly reccommended that all WordPress 2.5 users update their installations as soon as possible, especially if you allow open-registration (for user comments or for multi-author blogs).

In addition to the aforementioned security patch, 2.5.1 contains a number of fixes to issues that have plagued some WordPress users for the last couple of weeks.

The highlights include

• Improvements to the Media Uploader
• Performance tweaks for the Dashboard and the Write and Comments pages
• TinyMCE has been updated
• Layout fixes for IE users

Download the latest version of WordPress from their site and update your installations accordingly.

A few months ago, Grisoft updated its AVG anti-virus suite to version 8 and bundled linkscanning, anti-spyware, and anti-rootkit software to boot. Now Grisoft’s popular freeware anti-virus application is getting some of the same features. AVG Free 8 is out, and not only does it protect your system from viruses, but you get spyware detection as well.

AVG Free 8 doesn’t have all of the features you get in the commercial version of the application. There’s no rootkit protection or linkscanner. And there’s no email or instant messaging integration. For those features you’ll have to shell out $35 or $55 for the standard or “internet security” versions. But as freeware antivirus applications go, AVG is packed with features like real-time protection, daily updates, and complete system scans at regularly scheduled intervals.

Update: As several readers have pointed out in the comments, when you install AVG Free 8, you will likely find a bunch of advanced features like linkscanning and email protection. The AVG web site has a comparison chart showing that these features are included in the commercial version but not the free version. It’s not clear if Grisoft is including free trials of these functions or if the chart is wrong.

CAPTCHAs are becoming both ubiquitous and useless. When you visit many web sites, you have to decipher some tough-to-read text and enter it in a box before you can leave a comment or send an email. But hackers are getting better and better at developing automated systems to crack CAPTCHAs, which means that you have to squint at the screen for nothing.

But some researchers at Penn State University have developed a next generation CAPTCHA system that asks users to actually use their noggin a bit. There are two tests. The first requires you to click the center of a composite image, while the second presents you with a list of ten words and asks you to pick the right one to describe a randomly generated image.

The test is difficult for computers to solve because the images have a bunch of random colors, textures, and other features designed to confuse an automated program. But human being should have no problem deciphering the visual information in the images.

The test page is partially down today thanks to a Slashdot mention, but you can still see screenshots of the tests.

You know the federal Do Not Call registry that lets US telephone customers sign up for a list to avoid telemarketers? Two consumer advocacy groups are asking the Federal Trade Commission to basically create the same kind of registry — for the internet.

Now, let’s pretend that a US agency could regulate the way that internet companies track your data for advertising and other purposes. How exactly would that work? One way would be for the the FTC would have to require every advertising firm and web site that’s accessible in the US to use a potentially enormous list of consumers to figure which computers they can place cookies on and which computers they cannot.

Or the burden could be placed on consumers to sign up for a service like the Network Advertising Initiative, which places its own cookie on your computer to alert over a dozen major advertisers that you have chosen to opt-out of targeted ads. But if you happen to clean out your cookies accidentally, you’ll need to reinstall the software. or if you happen across a page from a company that hasn’t signed on, you could still be tracked.

We’re not saying that consumers shouldn’t be able to opt out of targeted advertising. We’re just saying that the people asking for federal regulation seem to be either incredibly ambitious or they lack a basic understanding of how the internet works.

[via Techdirt and CNet]

Avira has released AntiVir Personal 8.1, a free antivirus appliation. Like popular free antivirus applications from Grisoft and Avast!, Avira offers a free basic security suite in the hopes of convincing some users to spring for a commercial version. The main difference between Avira and the competition, as far as we’re concerned, is that Avira AntiVir will occasionally pop up nagware asking you to upgrade.

Pop ups aside, Avira AntiVir is pretty powerful, and the latest update brings a few improvements like increased scan speed and a redesigned visual interface. Another new feature, which isn’t available in the free version, is the ability to create a system rescue CD.

Unlike some other antivirus applications, you can install AntiVir without uninstalling or even turning off your current antivirus program, which is always a plus.

[via gHacks]

One of the first things Windows XP users will notice if and when they switch to Vista is the User Account Control, affectionately referred to as UAC or “Why the hell does this window keep popping up!” The UAC prompt is a security feature that will alert you if you are about to make changes to your computer that could technically expose it to some threats.

Some users get around this by disabling or modifying the UAC using programs like TweakUAC. Others insist that Microsoft put it there for a reason, and disabling will result in your computer bursting into a ball of flames. But if you’re tired of looking at UAC prompt after UAC prompt, here’s something that should give you a little comfort: Microsoft knew all along that the UAC prompt was annoying and designed it to be that way.

Microsoft product manager David Cross says the goal was to make users think twice about making changes to their system willy nilly. It’s also designed so that software developers will think of ways to write programs that don’t burrow too deeply into your operating system. The less system configuration changes a program makes, the less often you’re going to see a UAC prompt.

Cross says that 88% of Vista users have not disabled UAC, and 66% of Windows sessions do not lead to a UAC prompt showing up. And that makes sense if you’re someone who just runs the software that came with your computer and a handful of other applications. But if you’re constantly looking for cool new programs to add features to your computer — in other words, a typical Download Squad reader — we’re guessing you see the UAC prompt a lot more often than most users.

The internet is a scary place. No, we’re not talking about predators out to rob you or offer candy to your kids. We’re talking about malware like viruses, worms, and trojans. According to security company Symantec, the amount of malware on the internet has reached an all-time high, with over 1 million malicious programs in circulation.

A surprsingly large number of those threats were developed in the last year, with 711,912 new pieces of malware coming out in 2007 compared with 125,243 in 2006.

The good news for Linux and OS X users is that most of these threats are targeted at computers running Windows. And the good news for Windows users is that most of these applications are variations of older threats, which means if your anti-virus software is up to date, you should be relatively safe.

Of course, Symantec puts reports like this out there in order to sell its own security software. But there are several excellent free anti-virus suites that will also help protect your computer from most threats.

[via BBC News]