Sunday, January 30, 2011

Facebook pwns Firesheep
Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the "Account Security" section of the Account Settings page.

There are a few things you should keep in mind before deciding to enable HTTPS. Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We'll be working hard to resolve these remaining issues. We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.

House Considers Mandating Internet Data Retention For Crime Solving

ABC News' Mary Bruce reports:

Criminal investigations are “being frustrated” because internet providers are not required by law to retain information on what their customers are doing online, the Department of Justice testified before a House hearing today.

“The gap between providers' retention practices and the needs of law enforcement can be extremely harmful to investigations that are critical to protecting the public from predators,” Justice Department Deputy Assistant Attorney General Jason Weinstein told a House Justice Committee hearing on “data retention as a tool for investigating internet child pornography and other internet crimes.”

“The lack of adequate, uniform and consistent data retention policies threatens our ability to use the legal tools Congress has provided to law enforcement to protect public safety,” he said.

While some internet providers voluntarily retain user data for months or years, others do not retain data at all. Under current law, officers can issue subpoenas, court orders and search warrants to require an internet service provider to hand over user data. The problem, Weinstein testified, is that “those authorities are only useful if the data is still in existence at the time the government seeks to obtain it.”

Judiciary Committee Chair Rep. Lamar Smith, R-Texas, agreed. “When law enforcement officers do develop leads that might ultimately result in saving a child or apprehending a pornographer, their efforts should not be frustrated because vital records were destroyed simply because there was no requirement to retain them. Every piece of discarded information could be the footprint of a child predator,” he said.

Other committee members and the Internet Service Provider Association expressed concern, however, that retaining internet data could infringe on users’ privacy.

“A data retention mandate would raise a number of serious privacy and free speech concerns… Congress should be very hesitant to require service providers to create databases to track the internet activities of 230 million innocent Americans,” said John Morris, General Counsel for the Center for Democracy and Technology.

Florida Democrat Rep. Debbie Wasserman Schultz reiterated “this is not about watching or tracking people’s behavior online… it’s about helping law enforcement connect the dots.”

Beyond privacy concerns, Morris argued that requiring internet providers to extend their data retention for longer periods would be so cost prohibitive that it would harm competition, innovation and ultimately internet users.

Kate Dean, the Executive Director of the Internet Service Provider Association, questioned how companies would keep track of a growing amount of personal user data.

“We’re dealing with people’s lives and liberty here and out of all of this data we have to make sure that, say 18 months down the road, that tiny particular piece of information is exactly the right information linking that exact target,” she said.

Looking ahead, Rep. Jim Sensenbrenner, R-Wis., asked Dean if, in place of a Congressional mandate, her member companies would be willing to come together and develop their own voluntary compliance order.

“I am a firm believer in carrots and sticks and I am tossing you a carrot now… If you aren’t a good rabbit and don’t start eating the carrot, I’m afraid that we’re all going to be throwing the stick at you. So this is an opportunity for you to come up with some kind of a solution,” Sensenbrenner said.

Dean said the Association would be willing to sit down with all parties involved and take an active role in a larger dialogue.

Egypt Disconnected

Image courtesy of Craig Labovitz, the chief scientist at Arbor Networks.

Egypt's ability to cut itself off from the Internet helps demonstrate that nation-states still have some ability to control the free flow of information in the digital age.

Internet ‘Kill Switch’ Legislation Back in Play

From David Kravets at Wired's Threat Level Blog:

The resurgence of the so-called “kill switch” legislation came the same day Egyptians faced an internet blackout designed to counter massive demonstrations in that country.

The bill, which has bipartisan support, is being floated by Sen. Susan Collins, the Republican ranking member on the Homeland Security and Governmental Affairs Committee. The proposed legislation, which Collins said would not give the president the same power Egypt’s Hosni Mubarak is exercising to quell dissent, sailed through the Homeland Security Committee in December but expired with the new Congress weeks later.

The bill is designed to protect against “significant” cyber threats before they cause damage, Collins said.

“My legislation would provide a mechanism for the government to work with the private sector in the event of a true cyber emergency,” Collins said in an e-mail Friday. “It would give our nation the best tools available to swiftly respond to a significant threat.”

The timing of when the legislation would be re-introduced was not immediately clear, as kinks to it are being worked out.

An aide to the Homeland Security committee described the bill as one that does not mandate the shuttering of the entire internet. Instead, it would authorize the president to demand turning off access to so-called “critical infrastructure” where necessary.

An example, the aide said, would require infrastructure connected to “the system that controls the floodgates to the Hoover dam” to cut its connection to the net if the government detected an imminent cyber attack.

What’s unclear, however, is how the government would have any idea when a cyber attack was imminent or why the operator wouldn’t shutter itself if it detected a looming attack.

About two dozen groups, including the American Civil Liberties Union, the American Library Association, Electronic Frontier Foundation and Center for Democracy & Technology, were skeptical enough to file an open letter opposing the idea. They are concerned that the measure, if it became law, might be used to censor the internet.

“It is imperative that cyber-security legislation not erode our rights,” the groups wrote last year to Congress.

A congressional white paper on the measure said the proposal prohibits the government from targeting websites for censorship “based solely on activities protected by the First Amendment of the United States Constitution.”

Oddly, that’s exactly the same language in the Patriot Act used to test whether the government can wiretap or investigate a person based on their political beliefs or statements.

A couple of thoughts on this bill:

- What are the implications for our digital privacy? Does detecting cyber threats require intrusive monitoring of the Internet?
- And why the *#$! would the Hoover Dam need to be connected to the Internet?