Decius
Current Topic: Computer Security

Billy Hoffman: 'Would you like a destroyed Internet with your JavaScript?'
Topic: Computer Security 5:54 pm EDT, Mar 25, 2007

A security researcher at ShmooCon on Saturday demonstrated, but did not release, a tool that turns the PCs of unknowing Web surfers into hacker help.

As expected, SPI Dynamics researcher Billy Hoffman demonstrated a Web application vulnerability scanner written in JavaScript. The tool, called Jikto, can make an unsuspecting Web user's PC silently crawl and audit public Web sites, and send the results to a third party, Hoffman said.

"The whole point was to show how scary cross-site scripting has become."

"Once one person has talked about the ability to do it, it doesn't take that long for somebody else to come up with it," said one ShmooCon attendee who asked to remain anonymous. "It will come out."

There are already 50k hits for a Google search on "Jikto". A few comments from around the web: Jeremiah Grossman, of Whitehat Security, and "Pascal". Anurag Agarwal offered a Reflection on Billy Hoffman, along with a photo:

This week on Reflection we have a very young guy from the webappsec field.

Billy’s knowledge on Ajax is tremendous ... his ability to think differently has helped him achieve so much in such a short time.

I got a chance to meet with him in the WASC meetup at RSA. He is a very lively character. Let me put it this way, if billy is a part of a conversation, you won’t get bored even if you just stand there and listen.

Billy got an amazing amount of press out of this one. Google is up to 74,000!


PC World - Seagate Ships Super-Secure Hard Disk Drive
Topic: Computer Security 6:26 pm EDT, Mar 12, 2007

Putting encryption into a hard drive is no mere security window-dressing. According to Seagate, any U.S. company that loses a laptop using the Seagate drive in conjunction with the launch security management system from Wave Systems, will not have to give public notification of the loss, even if the data is of a highly confidential nature.

A very interesting data point...


Hacker builds tracking system to nab Tor pedophiles | Zero Day | ZDNet.com
Topic: Computer Security 1:32 am EST, Mar  9, 2007

Amidst concerns that pedophiles are using public Tor (the Onion Router) servers to trade in child pornography, über-hacker HD Moore is building a tracking system capable of pinpointing specific workstations that searched for and downloaded sexual images and videos of kids.

He is embedding a web bug in certain Tor requests that performs a JavaScript-based check for the local IP address and a UDP query to learn the external IP. This raises some interesting questions:

1. People running anti-Tor servers can undermine the anonymity Tor provides unless users are careful enough to keep their DNS from going out in the clear, and careful enough to have browser extensions disabled. None of these ideas are new.

2. This suggests that someone would go to the trouble of running a Tor server because they want to protect anonymity, but then run this because they are uncomfortable with some of the uses of that anonymity.

3. In this case the anonymity they provide is undermined by a keyword match, which is unreliable at best.

4. H.D. Moore is pro full disclosure of exploit code but against anonymous web browsing?

5. Why go to a lot of trouble undermining your anonymity system in order to target people downloading child porn through your proxy, when you can use the same filter script to identify the server if you are running an exit node? Servers are worse than users, targeting them doesn't undermine the purpose of the service you are running, and you don't need any JavaScript tricks to target them.

Bottom line: The goal here is to educate tor users, not to track them.
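As an added example (not from the post or from the ZDNet article), here is a small Python audit that reads Firefox user_pref lines and flags the two weaknesses the post names in a profile meant to route through Tor: hostnames resolved by the local resolver in the clear, and active JavaScript that a web bug can use. The sample profile is constructed; the preference names are Firefox's own.

```python
import re

# Firefox user.js / prefs.js lines look like: user_pref("name", value);
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')

def parse_prefs(text):
    """Parse user_pref lines into a dict of name -> Python value."""
    prefs = {}
    for m in PREF_RE.finditer(text):
        name, raw = m.group(1), m.group(2).strip()
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs

def tor_leak_findings(prefs):
    """Return the leak vectors from the post that this profile leaves open."""
    findings = []
    # The browser must actually be pointed at a SOCKS proxy (type 1 = manual).
    if prefs.get("network.proxy.type") != 1 or not prefs.get("network.proxy.socks"):
        findings.append("no SOCKS proxy configured: traffic bypasses Tor entirely")
    # Without remote DNS the local resolver does the lookup in the clear,
    # which is the "DNS going out in the clear" problem the post describes.
    if not prefs.get("network.proxy.socks_remote_dns", False):
        findings.append("DNS resolved locally: hostname lookups leak outside Tor")
    # Active content is what a JavaScript-based local-address check relies on.
    if prefs.get("javascript.enabled", True):
        findings.append("JavaScript enabled: script can probe local network state")
    return findings

# Constructed sample profile: proxied through Tor, but with both weaknesses present.
SAMPLE_PREFS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", false);
user_pref("javascript.enabled", true);
'''

if __name__ == "__main__":
    for finding in tor_leak_findings(parse_prefs(SAMPLE_PREFS)):
        print("WARN:", finding)
```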


No Microsoft Patches for March!
Topic: Computer Security 2:56 pm EST, Mar  8, 2007

For the month of March 2007, we will not be releasing any new security updates on March 13, 2007.

It's amazing!


HID Global statement on IOActive withdrawing their Black Hat presentation
Topic: Computer Security 2:56 pm EST, Feb 28, 2007

HID Global did not threaten IOActive or Chris Paget, its Director of Research and Development, to stop its presentation at the Black Hat event being held in Washington, DC on Wednesday, February 28, 2007.

As with any company’s legal rights under patent laws, HID Global reminded IOActive about the intellectual property protection provided by these patents. HID Global has the right and responsibility to discourage the publication of any information regarding the improper use of HID’s intellectual property, including violations of HID’s intellectual property or inducing others to violate HID’s intellectual property.

Under no circumstance has HID asked IOActive or Mr. Paget to cancel their presentation. In fact, we were surprised by their decision to cancel the presentation and to attribute the cancellation to a threat from HID. This was not, and never was, HID’s position.

This is some serious weasel speak. IOActive has leaked HID's C&D:

We urge you to refrain from publishing any further information regarding the improper use of HID's intellectual property and hereby demand that you refrain from publishing any information at any public forum, including the upcoming Black Hat convention, that violates HID's intellectual property or induces others to do so.

You didn't remind, you demanded, and this vague talk of inducement is highly suspect given that the experimental use exemption may apply to other experimenters. Technical presentations cannot violate patents.


So...
Topic: Computer Security 2:10 am EST, Feb 28, 2007

HID knows this lawsuit increases the publicity about the issue. That is what they want: they want their customers to upgrade to the challenge-response solution, which costs more money.

HID Shareholders: 2
The Progress of Science and the Useful Arts: -2
The integrity of our system of justice: -1000 or so, but hey, who's counting?


Save-the-Date: Madey v. Duke University: Federal Circuit Sets Limitations on the Common Law Experimental Use Exemption
Topic: Computer Security 6:17 pm EST, Feb 27, 2007

So, the deal is that by making the RFID reader while at work, he violated the patent. There is a common law exemption for experimental use, but it has been whittled down to almost nothing by the federal court system. The actual manufacturer can control or prevent any scientific inquiry into any patented device that occurs in any context from which the person engaged in the inquiry might benefit, such as when a university benefits from research by improving its reputation. So, basically, you can do research, but if you publish, you're fucked. This requires a legislative solution.

Under the common law "experimental use" defense, individuals who used a patented invention were free from infringement liability if the use was experimental. The experimental use defense originated in an 1813 Appeals Court opinion, Whittemore v. Cutter, 29 Fed. Cas. 1120 (C.C.D. Mass. 1813) (No. 17,600), in which Justice Story stated that "It could never have been the intention of the legislature to punish a man who constructed such a machine merely for philosophical experiments, or for the purpose of ascertaining the sufficiency of the machine to produce its described effects." As used in the nineteenth century, "philosophical" use referred to scientific experimentation. In subsequent cases, courts distinguished between commercial versus non-commercial research for purposes of determining the type of experimental use entitled to exemption.

However, the recent decision of the Court of Appeals for the Federal Circuit in Madey v. Duke University significantly narrowed the experimental use doctrine, and is likely to influence significantly the way in which academic scientific research is conducted. The court held that the "very narrow and strictly limited experimental use defense" can be exercised only if the use of the patented invention is "solely for amusement, to satisfy idle curiosity, or for strictly philosophical inquiry." Further, the defense does not apply if the use is "in furtherance of the alleged infringer’s legitimate business," regardless of the "profit or non-profit" status of the user.

Another important right that has been interpreted away.


Proximity Cards
Topic: Computer Security 3:11 pm EST, Feb 27, 2007

I can copy a proximity card at least as easily as I can take an impression of a key.

Read all about prox card cloning! Without a patent!


Detection of an RFID device by an RF reader... - Google Patents
Topic: Computer Security 2:59 pm EST, Feb 27, 2007

A method is provided for operating an RF transponder system to detect the presence of an RFID device in the proximal space of an RF reader unit having an excitation signal generator circuit and an RFID device detection circuit.

Here is a HID patent! By blogging this patent I am teaching you about technology that is patented by HID. By hosting this patent Google is also teaching you about technology that is patented by HID. Hey, HID, why don't you sue me?


RFID Demo PULLED!
Topic: Computer Security 2:49 pm EST, Feb 27, 2007

HID has claimed that teaching others about the information violates two of the company's patents, IOActive's CEO Josh Pennell told reporters in a conference call on Tuesday. On the advice of lawyers, Pennell would not describe other details about the claims.

Teaching others cannot violate a patent!

"If I say anything, HID will sue us," he said. "Large companies have lots of resources, and small companies, such as IOActive, don't."

This is not acceptable.
