Current Topic: Computer Security

Freedom to Tinker - Sony’s Web-Based Uninstaller Opens a Big Security Hole; Sony to Recall Discs
Topic: Computer Security 11:55 am EST, Nov 15, 2005

The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.



Sony to Suspend Making Antipiracy CDs - Yahoo! News
Topic: Computer Security 12:59 pm EST, Nov 12, 2005

Stewart Baker, assistant secretary for policy at DHS, did not cite Sony by name in his remarks Thursday but described industry efforts to install hidden files on consumers' computers.
"It's very important to remember that it's your intellectual property, it's not your computer," Baker said at a trade conference on piracy. "And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."



Anti-skimming covers are not the only feature in new passports.
Topic: Computer Security 4:09 pm EST, Nov  3, 2005

The Department will also implement Basic Access Control (BAC) to mitigate further any potential threat of skimming or eavesdropping. BAC recently has been adopted as a best practice by the ICAO New Technologies Working Group and will soon be formally added to the ICAO specifications. BAC utilizes a form of Personal Identification Number (PIN) that must be physically read in order to unlock the data on the chip. In this case, the PIN will be derived from the printed characters from the second line of data on the Machine-Readable Zone that is visibly printed on the passport data page. The BAC also results in the communication between the chip and the reader being encrypted, providing further protection.

Most of the folks commenting on the new RFID rule didn't mention this. This will satisfy most of the security concerns.



Boing Boing: Sony releases de-rootkit-ifier, lies about risks from rootkits -- UPDATED
Topic: Computer Security 2:22 pm EST, Nov  3, 2005

This component is not malicious and does not compromise security.

A component that enables people to hide files from me on my computer compromises security. Who do they think they're kidding!?



Mark's Sysinternals Blog: Sony, Rootkits and Digital Rights Management Gone Too Far
Topic: Computer Security 12:25 pm EST, Nov  1, 2005

The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.

I smell a lawsuit.



BetaNews | Cross-Site Scripting Worm Hits MySpace
Topic: Computer Security 9:49 am EDT, Oct 14, 2005

One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, "Samy" had amassed over 1 million friends on the popular online community.



The Eternity Service
Topic: Computer Security 11:21 am EDT, Oct  1, 2005

Acidus says:

I've been doing quite a bit of work on anonymously and permanently publishing information on top of existing webservices (often without the service's knowledge/consent).

I thought I'd meme the granddaddy work on the subject, Ross Anderson's Eternity Service paper. A must read about using the fragmented nature of USENET to overlay a hypertext-based layer where things can never be unsaid.

One of the best computer security papers of all time...



Tamper Resistance - a Cautionary Note
Topic: Computer Security 1:55 pm EDT, Sep 26, 2005

The tester places a crystal of lithium niobate over the feature whose voltage is to be monitored. The refractive index of this substance varies with the applied electric field, and the potential of the underlying silicon can be read out using an ultraviolet laser beam passed through the crystal at grazing incidence. The sensitivity of this technique is such that a 5 V signal of up to 25 MHz can be read [Wie90], and we understand that it is a standard way for well funded laboratories to recover crypto keys from chips of known layout. When attacking a smartcard, for example, we would read the EEPROM output amplifiers.

Apparently I've never memed this paper before. It's dated now, but a really interesting take on hardware reverse engineering.



Tom Noonan on Computer Security
Topic: Computer Security 6:03 pm EDT, Sep 20, 2005

Thomas E. Noonan
Chairman, President and Chief Executive Officer, Internet Security Systems
The Cyber Security Paradox: National Security, Economics and Privacy in the 21st Century

The video is an hour long. It's the first time I've heard a credible connection made between Al'Q and computer crime, specifically phishing scams. Noonan also says that "privacy is dead" which reminds me of Scott McNealy. I don't think privacy is dead. I think there is a massive backlash in the works, but it's going to take a disaster before people do something about the problem.



RE: The Six Dumbest Ideas in Computer Security
Topic: Computer Security 11:54 am EDT, Sep 12, 2005

Dagmar wrote: It is Clue.

Argh. Why'd you have to post something so inflammatory on a day when I have movers in my apartment? I must respectfully disagree. The number one most destructive idea in computer security is that it's a good thing to write quasi-utopian "everyone in the entire industry is crazy except me" essays that give clueless people the belief that they are privy to THE answer. I'm sure it works wonders for Ranum's business. However, it is neither constructive nor useful.

1. Default Permit. It depends on the context. I think that default permit is a bad idea in the email world, for example, but most people are, for some reason, far more interested in getting the odd unsolicited communique than they are in living without spam. This is, perhaps, because the whole idea of the internet is to enable people to easily communicate. It's possible that over time people will tire of all the openness, and if they do, no one will be happier than computer security people, but for the time being some applications are going to be default permit, and it's not the computer security community that drives that.

2. Enumerating Badness. He argues in the default permit section that "It takes dedication, thought, and understanding to implement a 'Default Deny' policy" and then immediately proceeds to argue that it's less expensive to implement a Default Deny policy than to enumerate badness and that most of the computer security industry is a sham!

He is, of course, wrong (why did we write NFR?!). While you might have to pay $30 to buy a product that enumerates badness, in general, that badness is the same for everyone. Your goodness is specific to you, and so you're going to have to hire someone to custom configure it for you, and they are going to charge you a hell of a lot more than $30.

His Enumerate Goodness anti-virus system sounds somewhat reasonable until you realize that decent worms and viruses disable things like that, but if you want to live in a world where you absolutely must get permission from the IT department in order to run anything, it's coming, and it's called Palladium, and I will concede that people are going to do it, and it will prevent some security woes. It will also prevent a lot of work from getting done, and smart people won't use it.

3. Penetrate and Patch. If people simply wrote software that didn't have vulnerabilities, there wouldn't be any need to patch things! WOW! Brilliant! The inevitable result is going to be that some hapless admin somewhere is going to need to patch a critical flaw and he'll be told by his boss's boss that he has a "penetrate and patch" mentality. Wonderful. The fact is that no one has designed a vulnerability-free computer, and while we do appreciate systems that are more failure tolerant, such as OpenBSD, and wish businesses adopted them more often, until such time it is foolish to fault researchers for continuing to look for flaws and ...


