MacBook Air hacked in just 2 minutes.

The ninth annual CanSecWest conference, held at the Marriott Renaissance Harbourside hotel in downtown Vancouver, British Columbia, kicked off on March 26, offering a $10,000 reward for anyone hacking the new MacBook Air with an original zero-day attack. The prize (put up by TippingPoint, the security division of networking giant 3Com) did not stand for long, being claimed within the first 2 minutes of the conference opening.

Well-known security researcher Shane Macaulay claimed the prize, but it is believed Dino Dai Zovi was the real creator of the attack, and that he and Macaulay had some sort of deal over the competition entry. Dino Dai Zovi has a strong track record of exposing flaws in Apple, Windows and other networking software, having previously and somewhat famously exposed flaws in Safari and QuickTime.

While neither Shane Macaulay nor Dino Dai Zovi made any statements about whether Mac or PC is more secure (and both are users of both MacBooks and PCs), they have previously been on record as saying that Macs are not as immune to attacks as many of their users may like to believe.

The 2 other notebooks, a Sony Vaio and a Fujitsu U810, were not successfully hacked during the expo and remained unclaimed.

A zero-day attack is defined as a computer threat that tries to exploit unknown, undisclosed or unpatched vulnerabilities in a computer application.

The flaw in Safari that was exploited during the expo was actually in the way QuickTime handles Java. This threatens everyone running Mac OS X and may even expose PC users running Safari and QuickTime. It is expected that a patch to protect users from this flaw will be released soon.

Search history Privacy

Thought that when you clicked on the Clear Private Data button you were deleting your search history? Well, if you have a search toolbar you’d better think again.

Having recently blogged about the potential for IP addresses to be considered personal data, I thought I’d take a look at how various search engines handle dealing with data about our searches. What I found was quite a surprise.

All of the major search engines have (and display on their sites) privacy policies detailing what data they collect, how they collect it and how they use it. While Yahoo and Live Search don’t allow you much control of this data, it would seem that Ask and Google have taken very different approaches.

Ask recently announced that they are adopting an 18-month data retention policy and will delete all data over that age. They also released AskEraser, an option that allows you to opt out of having your data collected. This is a simple one-click option on the home page of their search page. The data is actually captured, just not committed to their database (unless it meets certain legal requirements for data that has to be tracked).

Google, on the other hand, have created Google History (currently listed as a BETA). To use the history service you’ll need a Google account and the Google Toolbar (if you have the toolbar but not an account, your details are recorded; you just can’t access them).

The History service is split into search history, trends, interesting items and bookmarks. My history showed me details of each search I’d done going back to April 27th 2007. This information is subdivided into web, images, news, products, sponsored links, video, blogs and books.

Trends shows your top queries, sites and clicks; interesting items predicts pages you might like related to your searches (so searches you haven’t done but others with searches like yours have); finally, bookmarks shows you all of the searches you have bookmarked. There is also a calendar, colour coded with your search activity.

There is an option to delete all or some of your search history from the menu bar when you’re logged in as a registered user, and the settings within the Google bar appear to have options to turn off this feature.

Are IP addresses personal data?

.net this month (April) has an interesting piece about whether our IP addresses should be regarded as personal information and protected under the Data Protection Act.

It would seem that this debate has been raging across Europe, if not the world, with the German data protection commissioner (Peter Schaar) telling the European Parliament that if a person can be identified from an IP address, then it has to be regarded as private. A recent French court, on the other hand, argued that IP addresses relate to specific computers or networks and not specific users, and therefore they do not constitute personal data.

While it may seem an insignificant point whether an IP address should be classed as personal data or not, it has a huge impact on the way search engines and webmasters collect data on who is accessing their sites, and indeed how those sites are being used.

Google’s spokesperson told .net that it “depended on the context”: where an ISP assigns an IP address to a user, and knows that user’s name and address, this may be considered personal data, but where an IP address is collected by a website simply as a statistic then it is not. Google store IP addresses for all users performing a search for at least 2 years to help improve their search statistics and accuracy.

The implications are huge for all of the world’s websites and search engines that collect IPs for statistical purposes, which would have to treat these as confidential data and go through the data protection procedures to protect them.

Another huge implication will be for the peer-to-peer piracy police, where IP addresses are being used to identify, track and prosecute people illegally copying, sharing and publishing audio/video and software.

This is a very grey area and I would imagine that the debate will go on for some time.

FBI protect us from terrorism by watching Warcraft?

It would seem that the anti-terrorism authorities in the States are investigating running a data mining programme to watch the popular role-playing game “World of Warcraft”.

They currently regard this project as a seed, or pilot, to see whether information gained from tracking behaviours in online games can help identify risks to national security, with plans to investigate other forms of social networking and online behaviour if the project proves successful.

Known as “norming”, their application would establish normal behaviour patterns of players and flag up players that deviate from those patterns.

It is not clear whether they are looking to identify the behaviour of the kind of person who may become a future terrorist or whether they are looking for people using these environments as a means of training or communication, but if it works it gets my vote.

Using a neighbour’s wifi?

If you are one of the millions of UK internet users who think that because one of their neighbours has an unsecured wifi connection they can get free internet access, then you’d better watch out.

Under the 2003 Communications Act it is illegal to use another person’s service provider to access the Internet. The offence carries a maximum penalty of five years in jail or a fine.

Often referred to as “piggy backing” or “cyber squatting”, using open wifi networks illegally is quite common, and up until now there have been few if any prosecutions of offenders. But on Sunday 17th Feb the police were called to a home in Tweedmouth, Berwick, Northumberland, after a woman had reported two men behaving suspiciously outside her home. The two men were arrested on suspicion of logging on to another person’s internet connection illegally.

Both men were believed to have been checking their emails using the woman’s wireless broadband and have been released on bail pending further enquiries.

Berwick Neighbourhood Inspector Sharon Stavers said “This is a very unusual offence and it appears the two men were doing nothing more sinister than checking their emails and getting some time on the internet for free. However, this is an offence and people pay good money to have the internet in their homes.”

If you have an unsecured open wifi connection, then my advice would be to secure it as quickly as possible, using the highest form of protection you can, and not to publish the connection unless you have to.

If you need access to wifi away from home, then my suggestion would be to use one of the thousands of legitimate “hotspots” across the country. There are now free hotspots on many trains and in many cafes and hotels. Fast food restaurant McDonald’s recently announced that its 1,200 UK outlets would soon get free wireless internet access for customers.

Whose responsibility is policing content?

Recently there has been a lot of controversy over whose job it is to police the internet. The basis for the current debate is that the UK government is pushing to make it the responsibility of an ISP or webhost to control all content published on its space. The police and other organisations are finding it more and more difficult, if not impossible, to control what individuals publish on the net. They are proposing to change the law to take responsibility away from the individual and place it on the content provider.

It has been the case for many years that ISPs have been to some degree responsible for facilitating the illegal distribution of software and music, “Napster” being a landmark case in the late 90’s. In some ways, though, this is a simple black and white case: sharing of MP3 files is illegal, while libel, slander and bad taste are not quite so clear cut. The BBC did a show last year about the displaying of bad taste on services like YouTube. YouTube’s comments were that they investigate all content reported to them as being in bad taste and that in some cases they would remove it, but where that content was questionable they said that this was really a police matter and they would only do so if requested to by the police.

This has moved from ISPs to individual webmasters. Recently a company in the UK took a blogger to court over not the content of his blog but the content of a comment placed on that blog by a visitor. The company won and the blogger was made to pay damages and remove the comments.

There are now more people blogging than ever before and it is a fine line between freedom of speech and slander, and I’m not sure it’s a blogger’s job to decide on freedoms of speech. Isn’t everyone entitled to their own opinion? In most situations where I have seen extreme comments posted, the blogger and other visitors have countered those statements with more moderate discussion.
