Net Politics

TJX Hacking Conspirator Gets 4 Years

Net Politics -Wired News - Thu, 03/11/2010 - 22:30

Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking.

Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts.

Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers.

Zaman is the second conspirator in the TJX case to be charged. Former Morgan Stanley coder Stephen Watt was sentenced in December to two years in prison for his role in the TJX case, which involved supplying Gonzalez with a sniffer program used to siphon card data from the TJX network.

Once the card data was stolen, mules were used to siphon the money from ATMs and send the money electronically — either by a wire transfer or using digital currencies such as E-gold and Web Money — to a bank account in Latvia. Gonzalez’s portion of the booty was then transferred to other bank accounts, some of them opened under fictitious names. Zaman’s job in the United States was to withdraw funds from these accounts at ATMs in various locations across the country, and then send the cash to Gonzalez in Florida.

Zaman also traveled to San Francisco three times in late 2005 and early 2006 and met with “an unknown man of apparent Eastern European descent” who slipped him between $50,000 and $370,000 in cash each time. Zaman then shipped the money via Federal Express to Gonzalez. Zaman also picked up money in New York for Gonzalez. Each time, he earned 10 percent of the amount shipped.

In March 2008, two months before Gonzalez was arrested in Florida, Zaman sent him ATM system logs from Barclays, a bank where Zaman was working as manager of network perimeter security. Prosecutors said Gonzalez uploaded the logs to a Latvian server he controlled and shared with others, but there is no evidence that the logs were used for nefarious purposes before Gonzalez’s arrest or after.

In addition to the Barclays ATM logs, investigators found 16.3 million payment card numbers on the Latvian server and an additional 27.5 million card numbers on a server in the Ukraine.

Gonzalez is currently facing a minimum 17-year sentence in prison.

Prosecutors had sought only 46 months and a $75,000 fine for Zaman because his activities were limited solely to money laundering. The government said it had “no evidence that Zaman participated in, or reasonably foresaw the extent of, the intrusions and data thefts perpetrated by the Gonzalez organization.”

Prosecutors said Zaman did not provide “substantial assistance” in the investigation or prosecution of anyone else. He provided information about his own activities, the authorities said.

According to the prosecution’s sentencing memo (.pdf), Zaman was a popular kid with lots of friends. He was a member of chess, debate and math clubs and was on a successful career path, earning $130,000 plus bonuses from Barclays, where he worked for two years.

“But he enjoyed partying and using expensive recreational drugs when he wasn’t working,” prosecutors said. “So he needed cash beyond his six-figure legitimate income.”

Zaman told Threat Level that the government’s portrayal of him as a money launderer and drug addict is exaggerated, even though he pleaded guilty to the conspiracy charge. He says he just picked up the packages of money as a favor to Gonzalez, whom he met in 2004 through Stephen Watt, and didn’t know that the money came from carding.

“I asked [Gonzalez], ‘Is this illegal?’ And I was told that this was just money that was owed to him,” Zaman said.

He said he only picked up a few packages of money for Gonzalez, primarily in 2005, before he stopped.

Update: This story has been updated with comments from Zaman.

Photo: Refracted Moments/Flickr

Hate Blogger Wins Second Mistrial

Net Politics -Wired News - Thu, 03/11/2010 - 21:02

Deadlocked jurors in the Hal Turner hate blogger case were excused late Wednesday after deliberating two days. It’s the second mistrial in the government’s case to prosecute the New Jersey man for allegedly threatening to kill judges.

Assistant U.S. Attorney William Hogan said a new trial was “highly likely.” A third trial was tentatively scheduled April 12 in New York federal court.

Turner, of New Jersey, blogged at turnerradionetwork.blogspot.com that the three judges of the Chicago-based 7th U.S. Circuit Court of Appeals should be “killed” for upholding a Chicago handgun ban in June.

“Let me be the first to say this plainly: These judges deserve to be killed. Their blood will replenish the tree of liberty. A small price to pay to assure freedom for millions,” the 47-year-old blogger wrote.

He also posted addresses, photos, maps and other identifying information about Chief Judge Frank Easterbrook and Judges Richard Posner and William Bauer.

The first mistrial in December was declared after jurors, deliberating two days, said they were hopelessly deadlocked. That happened again Wednesday with a new jury. That second jury, and not the first one, heard testimony from the three judges who said they felt threatened by Turner’s writings.

Turner, who remains free, claimed he was a Federal Bureau of Investigation informant paid to disseminate right-wing rhetoric. Facing up to a decade in prison if convicted, the 47-year-old maintained the First Amendment protected his speech.

Pink Floyd Beats EMI in Creativity Flap

Net Politics -Wired News - Thu, 03/11/2010 - 19:49

Pink Floyd prevailed Thursday in a legal brawl with its label when a British judge ordered EMI to stop selling individual downloads of the acid-inspired group’s songs without permission.

The band behind The Dark Side of the Moon, The Wall and other top sellers claimed its decade-old contract with EMI required the band’s music to be sold as entire albums, not as the single tracks that EMI has permitted iTunes to distribute.

High Court of Justice Judge Andrew Morritt of London agreed, ruling the 1999 agreement with EMI was crafted to “preserve the artistic integrity of the albums.”

Pink Floyd said its musical craft surrounding concept albums was being misrepresented when sold in singles. EMI claimed the contract allowed digital sales of Pink Floyd music, even one song at a time.

The Dark Side of the Moon turned 37 years old on Wednesday. Wired’s Underwire blog declared it “Earth’s reigning concept album.”

Photo: wonderferret/Flickr

Feds: TSA Worker Tried to Sabotage Terror Database

Net Politics -Wired News - Thu, 03/11/2010 - 18:44

A former Transportation Security Administration contractor is being charged in Colorado for allegedly injecting malicious code into a government network used for screening airport security workers and others.

The malicious code, a logic bomb installed last October, was designed to cause damage and disrupt data on servers on an undisclosed date but was caught by other workers before it delivered its payload.

Douglas James Duchak, 46, had worked as a data analyst at the TSA’s Colorado Springs Operations Center, or CSOC, since 2004. The CSOC is used to vet people who have “access to sensitive information and secure areas of the nation’s transportation network,” according to the indictment. A source involved in the case said this involved screening of both passengers and workers at airports and other transportation facilities.

He pleaded not guilty in a Denver federal court on Wednesday and was released on a $25,000 unsecured bond. The indictment did not say whether the malware was crafted to erase or alter data, or simply disable servers.

The CSOC network stores updated information from the government’s terrorist watchlist as well as criminal histories from the U.S. Marshals Service Warrant Information Network.

Duchak’s job was to update the CSOC database as new information arrived from these two sources. But on Oct. 15, he was given two weeks’ notice that his job would be terminated.

About a week later, on Oct. 22, Duchak allegedly transmitted the malicious code onto a CSOC server that stored data from the U.S. Marshals Service, according to the indictment (.pdf). The next day, he allegedly loaded malicious code onto a server containing the Terrorist Screening Database. The source involved in the case said the servers “are part of the system that contains the no-fly list” and added that the code, if it had gone undetected, could have traveled to a facility in another state that uses a similar computer system.

Duchak has been charged in the U.S. District of Colorado with two counts of attempting to cause damage to a protected computer. If convicted, he faces a possible prison sentence of 10 years and a $250,000 fine for each count.

Duchak’s attorney, David Lindsey, disputes the government’s charges and says that the system Duchak worked on was a beta system used for testing statistical analyses.

“It wasn’t connected to anything that had to do with security,” Lindsey said. “Before anything he had his hands on left, it went to another system before it got into any live system that did screening. As I understand it, it is a system that does statistical analyses on the systems that are up and running. And when the tests are run, those are done at one level and then [go to] a second level and then at a final level before the analyses are verified and passed onto anything you would call a live system.”

Lindsey said the CSOC servers that were allegedly targeted for sabotage were used for screening workers primarily and were only “remotely, remotely” related to passenger screening, though he could not elaborate.

“The government has been very misleading in the indictment and press release as to any potential harm [this might have caused] to the public,” he said, adding that the alleged malware was not a virus and will ultimately be shown to have been “nothing.”

Lindsey said that his client was not given a clear answer about why he was let go from his job.

Photo: ellenm1/Flickr

Obama Supports DNA Sampling Upon Arrest

Net Politics -Wired News - Wed, 03/10/2010 - 23:40

Josh Gerstein over at Politico sent Threat Level his piece underscoring once again that President Barack Obama is not the civil-liberties knight in shining armor many were expecting.

Gerstein posts a televised interview of Obama and John Walsh of America’s Most Wanted. The nation’s chief executive extols the virtues of mandatory DNA testing of Americans upon arrest, even absent charges or a conviction. Obama said, “It’s the right thing to do” to “tighten the grip around folks” who commit crime.

When it comes to civil liberties, the Obama administration has come under fire for often mirroring its predecessor’s practices surrounding state secrets, the Patriot Act and domestic spying. There’s also Gitmo, Jay Bybee and John Yoo.

Now there’s DNA sampling. Obama told Walsh he supported the federal government and the 18 states that have varying laws requiring compulsory DNA sampling of individuals upon arrest for crimes ranging from misdemeanors to felonies. The data is lodged in state and federal databases and has fostered as many as 200 arrests nationwide, Walsh said.

The American Civil Liberties Union claims DNA sampling is different from mandatory, upon-arrest fingerprinting that has been standard practice in the United States for decades.

A fingerprint, the group says, reveals nothing more than a person’s identity. But much can be learned from a DNA sample, which codes a person’s family ties, some health risks, and, according to some, can predict a propensity for violence.

The ACLU is suing California to block its voter-approved measure requiring saliva sampling of people picked up on felony charges. Authorities in the Golden State are allowed to conduct so-called “familial searching” — when a genetic sample does not directly match another, authorities start investigating people with closely matched DNA in hopes of finding leads to the perpetrator.

Do you wonder whether DNA sampling is legal?

The courts have already upheld DNA sampling of convicted felons, based on the theory that the convicted have fewer privacy rights. The U.S. Supreme Court has held that when conducting intrusions of the body during an investigation, the police need so-called “exigent circumstances” or a warrant. That alcohol evaporates in the bloodstream is the exigent circumstance that allows blood to be drawn from a suspected drunk driver without a warrant.

Illustration: hibiotech/Flickr

Classmates.com’s Facebook Mimicking Prompts Privacy Suit

Net Politics -Wired News - Wed, 03/10/2010 - 23:32

The site set up to locate long lost pals, Classmates.com, has been hit with a class action privacy lawsuit. It alleges the company violated the law when it decided to make user profiles public to compete with Facebook.

The suit says Classmates.com duped its paying customers in late January when it sent them an e-mail telling members they’d have to opt out of new Facebook and iPhone apps to keep their data private. That’s a massive change to the site’s privacy policy and violates federal and Washington State privacy (.pdf) and fairness laws, according to the suit filed in a Washington State federal district court March 5.

Classmates.com has long kept user information non-public, and only paying members can read e-mails sent to them by others, see ‘old friends’ on a map, and see who’s been looking at their profile. While the site has 3 million paying users, it’s been eclipsed by sites like Facebook and MySpace, which have more members, more public profiles and don’t charge.

In order to keep up, Classmates.com decided to make “public Classmates content available to people using a variety of sites and devices, including Facebook and the iPhone,” according to a January 30 e-mail sent to users.

“This content can include your name, photos, community affiliations, and more,” the e-mail continued. “Of course, we care about your privacy as much as we do your ability to catch up with your past. We’re updating our privacy policy to make these new features possible, and you’re able to opt out.”

That’s a move not unlike one Facebook made in December, when it decided to make user profile information and friends lists public by default (without the benefit of an opt-out). That landed Facebook with a decent-sized user revolt and a complaint to the FTC from privacy groups.

Building on that, the lawsuit argues that Classmates.com’s switch amounts to “unfair and deceptive practices,” and that having to choose to opt out is “well-known to be confusing to consumers, and is deceptive.” That amounts to a violation of the Washington State Consumer Protection Act, the suit contends.

The lawsuit, filed by Roger Townsend with Breskin Johnson & Townsend, also accuses Classmates.com of violating the federal “Electronic Data Privacy Act” or EDPA. Unfortunately for the plaintiffs (and the general public), no such law exists. One assumes the plaintiff’s lawyers meant to refer to the “Electronic Communications Privacy Act.” But because that real law is generally about protecting e-mails against eavesdropping, it’s not likely to be relevant in this case.

However, based on the complaint’s references to specific parts of the U.S. Code, the plaintiff’s lawyers clearly meant to refer to the “Electronic Communications Privacy Act.” The lawsuit argues that Classmates.com violated the portion of that law prohibiting online service providers disclosing customer content without consent.

The suit seeks an injunction against the new policy, damages and any profits made from the new apps. The putative class action suit seeks to cover all 40 million Classmates.com members.

Classmates.com did not return a call seeking comment. The site, which has been sued before for alleged deceptive marketing, is a frequent target of online complaints by users who say the site misleads them and makes it difficult to cancel a membership.

Via Courthouse News. Screenshot: Flickr/Jason Walsh

Update: This story was corrected to reflect that the lawsuit’s reliance on ECPA is not without merit.

European Parliament Rips Global IP Accord

Net Politics -Wired News - Wed, 03/10/2010 - 20:56

The European Parliament delivered a political blow to Hollywood and the Obama administration, voting Wednesday 663 to 13 in opposition to a proposed and secret intellectual property agreement being negotiated by the European Union, United States and a handful of others.

Wednesday’s developments concerning the Anti-Counterfeiting and Trade Agreement are substantial because the European Union’s 27 countries vastly outnumber the remaining countries negotiating the deal. They are Australia, Canada, Japan, South Korea, Mexico, Morocco, New Zealand, Singapore, Switzerland and the United States. Ambassador Ron Kirk, the top U.S. trade official, is spearheading the deal, which began taking shape under the George W. Bush administration.

Kirk’s office declined comment.

To be sure, there is a dispute and heavy confusion concerning whether internet service providers under ACTA would be forced to punish customers deemed copyright scofflaws by reducing or eliminating service, according to a string of leaked documents. So parliament members also agreed Wednesday to oppose the measure if it contains so-called “three strikes” or “graduated response” policies — regardless of whether that’s now in the text.

And because of the text’s secrecy, parliament on Wednesday also demanded (.pdf) that the private agreement still under negotiation be publicly released.

Whether parliament’s action scuttles ACTA is another matter.

Michael Geist, a law professor at the University of Ottawa, said in a telephone interview that Wednesday’s resolution also OKs more ACTA global negotiations on behalf of the European Union.

Geist said he expects Europe to participate in the next round of ACTA negotiations to get underway April 12 in New Zealand.

European Union leaks months ago portended Wednesday’s vote.

The leaks underscored that European officials were concerned about the ever-changing pact and were unhappy that the United States’ “overarching objective” was to “facilitate the continued development of industry.” European drafters had said the document needed to “mention culture and individual creators and not only industry.”

In November, meanwhile, the Motion Picture Association of America told the Senate that opponents of ACTA are “actively hostile toward efforts to improve copyright enforcement worldwide.”

(The United States has shown working drafts of the accord to representatives from the MPAA, Recording Industry Association of America, Google and the major software players and even the digital-rights group Public Knowledge. They all are forbidden from disclosing any information about what they saw.)

For its part, the Obama administration, which has five former Recording Industry Association of America lawyers in the Justice Department, has declared ACTA negotiations a national security secret and has refused to publicly divulge the treaty’s contents.

No-Fly List Includes the Dead

Net Politics -Wired News - Wed, 03/10/2010 - 19:41

You may be dying, figuratively, to get off the government’s no-fly list, but death won’t guarantee removal.

The government’s no-fly list includes the names of dead suspects to help catch people who may try to assume the suspect’s identity, according to government officials who spoke with The Associated Press.

The no-fly list has been shrouded in mystery since it was first developed after the 9/11 attacks. How people get on the list or get off it has been a closely guarded secret, with only bits of information made public during congressional hearings.

The AP has pieced together the broad steps it takes for someone to get on the list, and some of the changes the list has undergone since it was created nine years ago.

The no-fly list has grown from 3,400 people to about 6,000 since last December, but it did not contain the name of airline passenger Umar Farouk Abdulmuttalab, the AP said. The Nigerian tried to bomb a Detroit-bound Northwest Airlines flight on Christmas Day using explosives packed in his underwear.

Abdulmuttalab’s name appeared in a terrorism database after his father tipped off U.S. embassy officials in Nigeria that his son might be involved in extremist activity. The government determined that the information did not meet the standard for placing him on the list or for revoking his U.S. visa.

The new names added to the list since his bombing attempt include people associated with al-Qaida’s Yemen branch (with whom Abdulmuttalab had ties), as well as other people from Nigeria and Yemen who might be connected to Abdulmuttalab, the AP said.

The current number on the no-fly list represents a pared down version of the list in 2004 when 20,000 people were on it. Those numbers were culled in 2007, and people who were no longer considered a threat were removed. These included, for example, some former members of the Irish Republican Army who were considered no longer active in terrorist activity.

As AP notes, sometimes it takes just minutes to get on the no-fly list; other times it takes days or months, depending on the information amassed on a subject.

The first step might be a simple tip to law enforcement or an intelligence agent or may come from information gleaned from a wiretapped conversation. The tip is submitted to the National Counterterrorism Center in Virginia, where it’s entered into a classified database known as Terrorist Identities Datamart Enterprise, or TIDE. The database might include a suspect’s name and relatives and associates. About 2 percent of the names in the database belong to Americans.

Here information is data-mined to connect dots and flesh out partial names and identities. If enough information can be connected to a Terrorist Watchlist target, it’s escalated to the Terrorist Screening Center, also in Virginia, for more analysis. About 350 names are sent to the screening center daily.

Depending on what the analysis turns up, a suspect might wind up on the FBI’s terror watchlist, which includes the names of about 418,000 people — including a New Jersey eight-year-old who regularly gets frisked at the airport. Airport security personnel use the list to single out some travelers for extra screening or interrogation, and the watchlist is also used for screening U.S. visa applicants and gun buyers, as well as suspects stopped by local police.

To get on this list, there must be “reasonable suspicion” that the person is involved in terrorism, according to the AP. People whose names are on this list are singled out for questioning at U.S. borders, but they can still fly. A Justice Department inspector general report last year found that the FBI was mishandling the watchlist: it was failing to add legitimate suspects under terrorist investigation to the list while at the same time failing to properly update and remove records from it, so that some U.S. citizens were subjected to unjustified scrutiny.

In order to get on the no-fly list, authorities must have the suspect’s full name and age and have information indicating that the suspect is a threat to aviation or national security. The final decision for adding a name to the no-fly list rests in the hands of about six people from the TSA, the AP said.

At this point, a suspect can either be added to a “selectee list,” a list of about 18,000 people who are singled out for extra screening at airports, or be put on the no-fly list. Not all people on the no-fly list are prevented from flying, however. Sometimes authorities allow them to travel unimpeded but place a tail on them to monitor their activity, the AP said.

Photo: Dan Paluska/Flickr

Supreme Court Takes ‘Informational Privacy’ Case

Net Politics -Wired News - Tue, 03/09/2010 - 23:15

The U.S. Supreme Court has agreed to decide how much personal information the federal bureaucracy may acquire on its workers.

The justices, without comment, decided Monday to review a lower-court decision surrounding the concept of so-called “informational privacy.” The 9th U.S. Circuit Court of Appeals in San Francisco struck down intrusive background checks last year on nearly three dozen National Aeronautics and Space Administration contractors as being too invasive — calling them an unconstitutional, “broad inquisition.”

The checks sought information from any source surrounding their sex lives, finances and even drug use. The contractors being investigated were not privy to classified information.

The Obama administration, in seeking review of the lower-court decision, told the justices the checks were the same type conducted on all federal government workers, who now number about 14 million. The background checks are part of a 2004 security directive from President George W. Bush.

“The ramifications of the decision below are potentially dramatic,” the Obama administration told the justices in its petition to the court. The justices likely will hear the case this fall.

The NASA contractors worked at the Jet Propulsion Laboratory in Southern California, which generally engages in the scientific study of the earth and solar system. They sued, successfully stopping the government from delving so extensively into their backgrounds.

The administration said collecting the information, as opposed to disseminating it, was constitutionally acceptable.

Lifelock Dinged $12 Million for Deceptive Business Practices

Net Politics -Wired News - Tue, 03/09/2010 - 20:34

The CEO of Lifelock, Todd Davis, became famous for advertising his Social Security number on television ads and billboards promising his $10 monthly service would protect consumers from identity theft.

The company also offered a $1 million guarantee to compensate customers for losses incurred if they became a victim of identity theft after signing up for the service.

But the Federal Trade Commission said Tuesday that the claims were bogus (.pdf) and accused Lifelock, based in Arizona, of operating a scam and con operation. The commission announced, along with 35 state attorneys general, that it had levied a fine of $12 million against the company for deceptive business practices and for failing to secure sensitive customer data. Of that amount, $11 million will go to refund customers who subscribed to the service. Consumers will receive a letter from the FTC and their attorney general explaining how to take part in the settlement.

The FTC said that Lifelock, which advertises itself as “#1 In Identity Theft Protection,” engaged in false advertising by promising customers that if they signed up with its service their personal information would become useless to thieves.

“In truth, the protection they provided left such a large hole … that you could drive that truck through it,” said FTC Chairman Jon Leibowitz, referring to a Lifelock TV ad showing a truck painted with the CEO’s Social Security number driving around city streets.

The company, he said, used scare tactics to convince potential customers they would be unprotected from identity theft without its service, and warned them in letters that they were at a high risk of identity theft.

“I was a recipient of one letter,” Illinois Attorney General Lisa Madigan said.

For the annual subscription fee, Lifelock promised customers that it would place fraud alerts on their credit accounts with the three credit reporting agencies. As a result, the company said, thieves would not be able to open unauthorized credit or bank accounts in their name.

But Leibowitz said the promises were deceptive because thieves could still rack up unauthorized charges on existing accounts — the most common type of identity theft. Nor could the service prevent thieves from obtaining a loan in a Lifelock customer’s name.

In fact, Lifelock CEO Davis was the victim of identity theft in 2007 when a thief used his widely advertised Social Security number to obtain a $500 loan in Davis’ name.

Lifelock also promised customers that sensitive data they provided the company to perform its protection services — such as their Social Security number, name and address and bank card information — would be encrypted and protected in other ways on Lifelock’s servers and accessed only by authorized employees on a need-to-know basis.

“Your documents, while in our care, will be treated as if they were cash,” the company promised.

In truth, the FTC said, until at least September 2007 the company failed to provide “reasonable and appropriate security to prevent unauthorized access to personal information stored on its corporate network,” whether that information was in transit through the network, stored in a database or transmitted over the internet.

None of the data was encrypted, said the FTC, either in storage or in transit. The company also had poor password management practices for employees and vendors who accessed the information. Lifelock also failed to limit access to sensitive data to only those people who needed access.

What’s more, the company failed to apply critical security patches and updates to its network and “failed to employ sufficient measures” to detect and prevent unauthorized access to its network, “such as by installing antivirus or antispyware programs on computers used by employees to remotely access the network or regularly recording and reviewing activity on the network,” the complaint said.

The latter is particularly ironic. Lifelock often promoted its services to companies that experienced data breaches, convincing them to offer a complimentary Lifelock subscription to people whose data was compromised in a breach. All the while, the FTC claims, Lifelock was making its own customer information vulnerable to a breach.

“As a result of these practices, an unauthorized person could obtain access to personal information stored on defendants’ corporate network, in transit through defendants’ corporate network or over the internet, or maintained in defendants’ offices,” according to the complaint.

According to the terms of an FTC settlement agreement with Lifelock to settle the allegations, the company must inform consumers about the limitations of its service. The company will also have to implement a data security program to protect the customer data it handles.

“As long as the company is honest and up front and lets consumers know what they’re getting and has adequate security safeguards for customer information, we wish them well,” said Leibowitz.

Lifelock said in a statement that, in October, it “rolled out the next generation of identity theft protection services that provide even better and broader protection to its valued members.” The company added that its new-and-improved service, which was not the subject of the FTC inquiry, has prevented more than 5,000 fraudulent credit applications.

The company and its owners have been at the center of controversy for a number of years. According to an investigative report by the Phoenix New Times in 2007, Lifelock co-founder Robert Maynard Jr. was suspected at one time of being an identity thief himself and of stealing his father’s identity to obtain an American Express card. He had also been the target of another FTC investigation involving a previous business venture unrelated to Lifelock. Maynard resigned from the company after news of his past was published, but he continued to work for the firm as a contractor.

Pink Floyd, EMI Brawl Over iTunes Royalties

Net Politics -Wired News - Tue, 03/09/2010 - 19:01

Pink Floyd and its label, EMI, are battling over online royalties stemming from a contested clause in their decade-old contract.

The band behind The Dark Side of the Moon and other top-selling albums claims its contract with EMI requires its music to be sold as an entire album, not as the single tracks that EMI has permitted iTunes to distribute.

The band’s attorney, Robert Howe, told a London court on Tuesday, “It’s a matter of fact that the defendant has been permitting individual tracks to be downloaded online and that therefore they have been allowing albums not to be sold in their original configuration,” Bloomberg News reported.

The case highlights the common dispute between rights holders and publishers over how to deal today with royalties for intellectual property born and contracted prior to the explosion of online digital sales.

Pink Floyd, however, said more was at stake than royalties in the internet age. The psychedelic-music band’s musical craft is being misrepresented when sold in singles, Howe said.

“Pink Floyd is well-known for performing seamless pieces. Many of the songs blend into each other,” Howe told the High Court of Justice, Chancery Division.

EMI told the court that the restrictions do not apply to online sales.

When Pink Floyd’s latest contract was crafted in 1999, “iTunes didn’t even exist,” EMI attorney Elizabeth Jones said.

Photo: oddstock/Flickr

Feds Move to Break Voting-Machine Monopoly

Net Politics -Wired News - Mon, 03/08/2010 - 23:34

Citing anti-competitive concerns, the Justice Department sued Election Systems & Software in order to force the company to divest itself of the voting machine assets it obtained from Premier Election Solutions last year.

The department’s antitrust division, along with nine state attorneys general, filed the civil antitrust lawsuit (.pdf) in U.S. District Court in Washington, D.C., charging that the acquisition threatened competition. The department proposed a settlement that, if accepted, would dissolve the merger and force ES&S to sell its Premier business to a buyer approved by the Justice Department.

“The proposed settlement (.pdf) will restore competition, provide a greater range of choices and create incentives to provide secure, accurate and reliable voting-equipment systems now and in the future,” said Molly S. Boast, deputy assistant attorney general for the antitrust division in a statement.

The nine states that joined the suit are Arizona, Colorado, Florida, Maine, Maryland, Massachusetts, New Mexico, Tennessee and Washington.

Last September, Premier (formerly Diebold Election Systems) announced that ES&S had purchased the company for $5 million in cash, plus 70 percent of revenue collected on existing accounts through the end of August 2009.

Even before the sale, ES&S, based in Omaha, Nebraska, was the nation’s largest voting-machine maker, with machines being used in 43 states. ES&S systems were “utilized in counting approximately 50 percent of the votes in the last four major U.S. elections,” according to the company’s website. The company also created statewide voter registration systems used in California, Maryland, Missouri, Nebraska and New Mexico.

Its acquisition of Premier, the second-largest voting machine maker with equipment used in 33 states, gave it a near monopoly on election gear and would have had the company providing 70 percent of voting equipment in the country. Premier was a division of Diebold, Inc., which is based in Canton, Ohio.

Election integrity activists expressed concern at the time that the purchase would have a detrimental effect on competitive pricing for election districts and would also affect the development of accurate and secure voting systems, since ES&S would have little incentive to improve its voting systems without viable competitors. They were also concerned that ES&S would stop supporting the Premier equipment and try to pressure election officials who owned the equipment into purchasing ES&S machines.

Spokeswomen for Verified Voting and Voter Action declined to comment on the lawsuit or proposed settlement until their organizations have a chance to review the documents and discuss them with the Justice Department.

The settlement would force ES&S to divest itself of all intellectual property and means associated with producing all versions of Premier’s software, firmware and hardware as well as all inventory of parts and components.

ES&S must also grant to whoever acquires the Premier business a “fully paid-up, irrevocable, perpetual license” to use ES&S’s own AutoMark system. The AutoMark is a ballot marking device for disabled voters. Premier had obtained a limited license to sell the device prior to the acquisition. The buyer of the Premier business will be able to modify both the Premier products and the AutoMark system.

The proposed settlement would also give ES&S customers who are currently under contract to use Premier systems the chance to switch to the new buyer or to remain with ES&S and obtain ES&S equipment. ES&S would be prohibited from bidding on new contracts for Premier equipment.

To make the transition smooth and avoid disrupting upcoming elections, ES&S must provide existing Premier customers with access to employees who are knowledgeable about the Premier systems and work out a supply agreement until the new buyer is able to take over manufacturing of the equipment.

ES&S said in a statement that it recognized that the acquisition had caused concern.

“With that in mind, we fully cooperated and have been working closely with the antitrust division of the Department of Justice to address those concerns,” the company said. “We look forward to a resolution of this matter that will allow jurisdictions to move forward immediately in planning for upcoming election events.”

The company added that since the merger, it had provided support for more than 1,000 election events administered by former Premier customers.

Photo: Ben Sutherland/Flickr

Funeral Flap: Justices Weigh Religion, Speech Rights

Net Politics -Wired News - Mon, 03/08/2010 - 19:59

The Supreme Court agreed Monday to delve into the sensitive question of whether the First Amendment protects anti-gay protesters carrying placards outside military funerals, bearing “America is Doomed,” “Thank God for 9/11” and other volatile slogans, like “Thank God for dead soldiers.”

The messages and picketing are part of a Kansas church’s belief that the United States’ tolerance for homosexuality is cause for soldiers’ deaths in Iraq and Afghanistan.

The case the justices decided to review Monday tests the boundaries of free speech versus freedom of religion — doctrines both embodied in the First Amendment.

Without comment, the justices agreed to review last year’s federal appellate decision that overturned a $5 million verdict (.pdf) in favor of a Baltimore man who sued the Westboro Baptist Church of Topeka and its pastor, Fred Phelps, in 2006. The father of Marine Lance Cpl. Matthew Snyder was awarded damages for, among other things, invasion of privacy and emotional distress for the events that occurred outside his son’s funeral at a Catholic church in Maryland.

“Whether the freedom of religion and assembly is subordinate to the freedom of speech is an important question because by necessary implication, one of the tenets of the First Amendment is undermined,” (.pdf) lawyers for the soldier’s father, Albert Snyder, told the high court in a filing.

His lawyers told the justices that the presence of Phelps and a handful of others “created a negative and circus-like atmosphere during a solemn and religious occasion” and “added insult to injury during a time of grief and mourning.” The protesters also displayed a banner depicting two men engaging in anal sex.

Lawyers for Phelps, however, urged the court to stay out of the case, saying the deaths of U.S. soldiers are a matter of public concern and debate.

“How these soldiers are living and dying is a topic of substantial public interest and dialogue, at least nationwide, probably worldwide. The prevailing view is that the soldiers are heroes, and that God is obligated to bless America,” (.pdf) Phelps’ lawyers wrote. “Those views clash with the Bible, in respondents’ sincerely held religious opinion, and when these funerals are used to express those viewpoints, respondents feel duty-bound to provide a countervailing message, to wit, if you want God’s blessings, you have to obey him, and if you want the soldiers to stop dying, you have to stop sinning in this nation.”

Photo: The Rev. Fred Phelps prepares to protest outside the Kansas Statehouse in Topeka in 2006. Credit: Associated Press

11 More U.S. Airports Get Body Scanners

Net Politics -Wired News - Fri, 03/05/2010 - 21:26

Transportation officials announced Friday that 11 more United States airports will begin receiving full-body imaging machines.

“By accelerating the deployment of this technology, we are enhancing our capability to detect and disrupt threats of terrorism across the nation,” Homeland Security Secretary Janet Napolitano said in a statement.

Despite concerns about privacy and the machines’ effectiveness, deployment of the 150 machines to the 11 airports begins Monday with Boston’s Logan International Airport and one machine at O’Hare International Airport in Chicago. In all, 30 U.S. airports will employ the scanning devices.

Fliers declining to submit to the machines that create X-ray-like virtual images of the body may get intense pat-downs from Transportation Security Administration authorities. The combined 150 imaging machines are being bought, in part, by $1 billion the government set aside from its $787 billion federal bailout bill.

The American Civil Liberties Union has decried the scanners as “virtual strip searches.” The Electronic Privacy Information Center, in a Freedom of Information Act request, said the machines are capable of storing and transmitting images of passengers despite the government’s claim to the contrary.

A test image shown to reporters Friday at Logan International “showed the blurry outline of a female volunteer. None of her clothing was visible, nor were her genitals, but the broad contours of her chest and buttocks were. Her face also was blurred,” The Associated Press said. “The image included the shadow of a cellphone purposely left on her belt, as well as the metal buttons on her pants. But overall, it looked like the outline of a ghost.”

The Amsterdam airport where suspected underwear bomber Umar Farouk Abdulmutallab boarded a Detroit-bound Christmas flight had the scanning machines. But they were not used to check the Nigerian.

The machines also cannot detect so-called “booty bombs” in which an explosive is inserted into the body.

By summer, TSA expects the units, made by California-based Rapiscan, to be deployed at airports in Fort Lauderdale, Florida; San Jose, San Diego, Los Angeles and Oakland, California; Columbus, Ohio; Charlotte, North Carolina; Cincinnati; and Kansas City.

White House Cyber Czar: ‘There Is No Cyberwar’

Net Politics -Wired News - Thu, 03/04/2010 - 23:30

Howard Schmidt, the new cybersecurity czar for the Obama administration, has a short answer for the drumbeat of rhetoric claiming the United States is caught up in a cyberwar that it is losing.

“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”

Instead, Schmidt said the government needs to focus its cybersecurity efforts to fight online crime and espionage.

His stance contradicts Michael McConnell, the former director of national intelligence who made headlines last week when he testified to Congress that the country was already in the midst of a cyberwar — and was losing it.

Schmidt’s official title is cyber-security coordinator at the White House, a job he took over just before Christmas. Schmidt has no budgetary authority, but he said that doesn’t make him powerless, because his office is in the White House. He’s been there before as an adviser to President George W. Bush, and he’s been the president and board member of countless security associations.

One of his first moves in his new job was to publish an unclassified summary of the country’s 12-point cybersecurity plan, known as the Comprehensive National Cybersecurity Initiative, a move toward transparency that he announced Monday as the keynote speaker at the world’s premier security conference.

That plan was first formulated under a veil of secrecy in January 2008 by President Bush. He was prompted in no small part by McConnell, who was director of national intelligence and reportedly convinced the president that a cyberattack could cause more economic damage to the United States than the 9/11 terrorist attacks.

Much of the authority and the funds under that initiative fell to the National Security Agency, the military’s premier spying agency that also has responsibility for locking down the government’s classified networks. Not surprisingly, McConnell, as DNI, held power over the NSA.

McConnell rejoined Booz Allen Hamilton, a defense contractor that made more than $4 billion in 2008, mostly in government contracts, including secret ones. A former NSA director, McConnell now serves as the vice president for national security business at Booz Allen Hamilton. It was recently acquired by the powerful and politically connected Carlyle Group, the world’s largest private equity firm, whose advisers and board members have included George Bush, George W. Bush, James Baker and former SEC chief Arthur Levitt.

In an op-ed in the Washington Post last weekend, McConnell called for a re-engineering of the internet and a return to a Cold War mentality of deterrence, based on the threat that the United States would massively retaliate against any perceived attack.

“More specifically, we need to re-engineer the internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable,” McConnell wrote.

Threat Level rebutted that notion Monday, in a post that called McConnell the greatest threat to the internet.

For his part, Schmidt said no re-engineering of the internet is in the plans under the Obama administration. And he re-emphasized the president’s promise — delivered in a May speech addressing cybersecurity — that the government would not monitor the internet at large.

“People have to recognize that when we close the door and go home, we are just normal netizens like anyone else,” Schmidt said. “I’ve been in the internet from the very beginning. We don’t want to see it changed to where it is no longer available and we don’t have the ability to do things anonymously as we choose to in certain realms.”

“But we also need to do our financial transactions securely and you need to be able to file your story online in a manner so that by the time you upload it, it doesn’t say ‘At noon, today San Francisco had a terrible earthquake’ when that didn’t happen,” Schmidt added.

But that commitment to keep the government’s monitoring equipment out of the commercial internet seems belied by a CNET interview at RSA with a Homeland Security cybersecurity official, who said that DHS was considering installing its classified “Einstein 3” security technology on non-government infrastructure. UPDATE: DHS spokeswoman Amy Kudwa says that the “CNET story failed to include the vast majority of Greg Schaffer’s comments, which made clear that, consistent with all published Privacy Impact Assessments, the President’s remarks last May, and the declassified summary of the CNCI released this week, EINSTEIN is intended for government networks.” Schaffer “simply acknowledged that as we move forward, there may be opportunities to share capabilities with the private sector.”

Cyberwar advocates make their case for this in part by pointing to high-profile stories that hackers have penetrated the grid and, in some cases, caused massive blackouts, including the 2003 cascading failure in the Northeast that affected some 50 million citizens. Those stories (on 60 Minutes, in the Wall Street Journal and the National Journal) relied nearly exclusively on anonymous defense intelligence officials or contractors, and are often easily debunked.

Schmidt said it’s possible that hackers have gotten into administrative computer systems of utility companies, but said those aren’t linked to the equipment controlling the grid, at least not in developed countries. He’s never heard that the grid itself has been hacked.

“As for getting into the power grid, I can’t see that that’s realistic,” Schmidt said.

There’s been much ink spilled in recent years over the turf battles in D.C. over whether the NSA (representing the military) or DHS (on the civilian side) takes the lead role in cybersecurity.

Rod Beckstrom, now the president of the International Corporation for Assigned Names and Numbers, resigned from his role heading cybersecurity for DHS last spring. He protested that the NSA was encroaching too far, and that the job of protecting non-military government websites should be handled by civilians — especially as the government pushes citizens to use those websites for more and more business.

But Schmidt said he hasn’t run into that problem and said government agencies are working together.

“I haven’t seen that tension,” Schmidt said.

As for which will take the cybersecurity lead, Schmidt simply says it’s a shared effort.

But that’s a very thorny issue — one that has dogged the government’s intrusion protection system Einstein and its successors, Einstein 2 and 3.

Why should U.S. citizens trust cybersecurity to the NSA? Under President Bush, it secretly turned its powerful spying apparatus inward in violation of U.S. law and its longstanding mantra to never spy on citizens.

Schmidt counters that the NSA has long had the job of protecting classified computers and has already become a participant in the wider security community. Among other things, it offers advice on how to secure computer systems, such as Linux and Windows. And more important, Schmidt said, the president maintains the NSA has to obey limits.

“When your boss, in our case the president, tells an agency not to do something and here are the controls put in place and here is the coordination put into place, that’s a pretty big commitment,” Schmidt said.

As for his priorities, Schmidt says education, information sharing and better defense systems rank high.

That includes efforts to train more security professionals and have the government share more information with the private sector — including the NSA’s defensive side.

“One thing we are looking at is how do we make sure that the private sector has the information it needs from the government,” Schmidt said, referring to what he called “some of the unique visibility the government has from the attacks on our systems.”

The government must also be active in reducing its own vulnerabilities, according to Schmidt.

“We can’t sit there and be waiting for the next intrusion attempts to take place,” Schmidt said. “We need to become stronger in what we are doing so we are better able to resist the things that are being thrown at us.”

Schmidt, who has held cybersecurity positions inside the Air Force, the FBI and Microsoft, mentioned he’s part of a Facebook group of Wired magazine collectors. The oldest one he has, he said, had Electronic Frontier Foundation co-founder John Perry Barlow on the cover. Though the irascible Barlow never made the cover (other than a mock-up of the first edition), Schmidt could have been referring to Issue 2.04, which included a promo for an essay by Barlow.

Fittingly, that essay, about the failed effort to mandate government-accessible backdoors in encryption technology, was titled “Jackboots on the Infobahn.”

Photo: Howard Schmidt in a lonely RSA conference room Wednesday March 3. Credit: John Snyder/Wired.com

Security Pros Question Deployment of Smart Meters

Net Politics -Wired News - Thu, 03/04/2010 - 23:07

The country’s swift deployment of smart-grid technology has security professionals concerned that utilities and smart-meter vendors are repeating the mistakes made in the rollout of the public internet, when security became a priority only after malicious attacks had reached mass levels.

But when it comes to the power grid, the costs of remote hack attacks are potentially more dramatic.

“The cost factor here is what’s turned on its head. We lose control of our grid, that’s far worse than a botnet taking over my home PC,” said Matthew Carpenter, senior security analyst of InGuardian, speaking at a panel at the RSA Security Conference in San Francisco this week.

The panel included Seth Bromberger, manager of information security at Pacific Gas and Electric, a San Francisco-based utility company that provides natural gas and electrical services to customers in Central and Northern California and is in the forefront of the smart-meter rollout; and Matt Franz, principal security engineer at Science Applications International Corporation.

Carpenter serves on the AMI-SEC Task Force, a group working on developing security guidelines and best practices for smart-meter infrastructure, and has done penetration testing on smart-meter systems to uncover security issues. He said the most common vulnerability he’s seen so far is susceptibility to “cross-site request forgery” on the control systems.

“That took me by surprise,” he said. “That’s not something that I would have imagined to be one of the greatest vulnerabilities found.”

Cross-site request forgery lets an attacker piggyback on an authentication cookie stored in a user’s browser — one that authenticates him, for example, to his bank or, in this case, a utility control system — and have the browser submit requests to that system as that user.
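To make the vulnerability Carpenter describes concrete, here is an added example (constructed for this page, not code from PG&E, InGuardian or any meter vendor) modelling a control-system endpoint that opens a meter’s disconnect switch: the vulnerable version trusts the session cookie alone, while the hardened version also demands a per-session anti-CSRF token and an Origin header belonging to the control system. The control-system origin, the session store and the meter identifiers are assumed placeholders.

```python
"""Smart-meter disconnect endpoint, with and without CSRF protection.

Constructed example: a minimal request model stands in for a web framework
so the check runs offline. Nothing here is a real utility's code.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed origin of the control-system web UI (placeholder, not a real host).
CONTROL_ORIGIN = "https://meters.example-utility.invalid"


@dataclass
class Request:
    """Only the parts of an HTTP request that matter for this check."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    csrf_token: str


class MeterControl:
    """In-memory stand-in for a head-end that can open each meter's disconnect switch."""

    def __init__(self):
        self.sessions = {}      # session id -> Session
        self.disconnected = set()
        self.audit = []         # (user, meter_id) for every disconnect performed

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        # One random token per session; the control UI embeds it in every form it renders.
        self.sessions[sid] = Session(user, secrets.token_urlsafe(32))
        return sid

    def _session(self, req):
        return self.sessions.get(req.cookies.get("session"))

    def _open_switch(self, sess, meter):
        self.disconnected.add(meter)
        self.audit.append((sess.user, meter))
        return "disconnected"

    def disconnect_vulnerable(self, req):
        """Trusts the session cookie alone. A browser attaches that cookie to a
        form submission triggered from any site, so a forged request succeeds
        and the audit log blames the logged-in operator."""
        sess = self._session(req)
        if sess is None:
            return "unauthenticated"
        return self._open_switch(sess, req.form["meter_id"])

    def disconnect_hardened(self, req):
        """Same action, but the request must prove it came from the control UI:
        an Origin (or Referer) on the control system and a token that matches
        the one issued to this session. A third-party page can cause the cookie
        to be sent but cannot read the token or forge the Origin header."""
        sess = self._session(req)
        if sess is None:
            return "unauthenticated"
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not origin.startswith(CONTROL_ORIGIN):
            return "rejected: cross-origin"
        token = req.form.get("csrf_token", "")
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(token, sess.csrf_token):
            return "rejected: bad csrf token"
        return self._open_switch(sess, req.form["meter_id"])


def demo():
    """Constructed scenario: an operator is logged in to the control system and
    a page on another site auto-submits a hidden form aimed at the disconnect
    endpoint; the operator's browser attaches the session cookie to it."""
    ctl = MeterControl()
    sid = ctl.login("operator")
    forged = Request(
        cookies={"session": sid},                       # attached automatically by the browser
        form={"meter_id": "METER-0001"},                # no token: the foreign page cannot read it
        headers={"Origin": "https://attacker.invalid"},  # browsers set Origin, pages cannot change it
    )
    legit = Request(
        cookies={"session": sid},
        form={"meter_id": "METER-0002", "csrf_token": ctl.sessions[sid].csrf_token},
        headers={"Origin": CONTROL_ORIGIN},
    )
    return {
        "vulnerable_forged": ctl.disconnect_vulnerable(forged),
        "hardened_forged": ctl.disconnect_hardened(forged),
        "hardened_legit": ctl.disconnect_hardened(legit),
        "disconnected": sorted(ctl.disconnected),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Setting the session cookie with the SameSite attribute adds a second, browser-enforced layer, but the token check above does not depend on it.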

Last October, President Barack Obama announced $3.4 billion in grants to utility companies, municipal districts and manufacturers to spur a nationwide transition to smart-grid technologies and fund other energy-saving initiatives as part of the federal economic stimulus package.

Smart grids use digital meters and control mechanisms that allow utility companies to better control the flow of electricity remotely and promise to save energy and reduce utility costs. Smart meters installed in homes and businesses allow utility companies to remotely communicate with the devices to read usage levels and control the delivery of services.

But security research on the systems is lagging behind the deployment of smart meters, which has already occurred in some places in the United States. PG&E is in the lead with 5 million gas and electric smart meters deployed since 2006, which represents about half of its customer base. PG&E expects to deploy an additional 5 million smart meters by 2012.

Among the concerns Carpenter expressed was one related to vulnerabilities that could arise in the encryption schemes used in smart-grid systems, given that the systems are expected to have a lifespan of 15 to 20 years. Advances in encryption cracking that are likely to occur over that time period would make the encryption obsolete, he said.

He also discussed a need to examine the aggregation points that receive communication from the meters and have “an immense amount of control” in some cases.

“In some circumstances they’re simply going to give you a denial-of-service if you tamper with them because the crypto is done appropriately from the head-end control system down to the meters and the aggregation point really can’t tinker much with it,” Carpenter said. “But in other [cases] there’s a great deal of control that that aggregation point has, and they’re sitting on the top of a [utility] pole — not in a brick building [with] guard dogs and razor wire … and [they have] an ethernet cable.”

An attacker could sniff traffic going to the aggregation point or possibly send commands to the meters or inject code into the backend control system.

But even more pressing and immediate, in terms of vulnerabilities, is the remote shut-off capability in smart meters. Digital smart meters have an electronic disconnect switch that allows the utility company to shut down electricity remotely. Carpenter asked PG&E’s Bromberger directly, “Why not think about disconnecting the disconnect switch until we figure out more of what we’re dealing with?”

Bromberger responded that PG&E had in fact disabled the remote disconnect function in the first generation of electricity smart meters it deployed.

“We wanted to be sure that we had detection-response capabilities and security figured out before we started implementing that,” he said.

What he didn’t say was that this actually represents only a tiny portion of the meters PG&E has deployed.

A PG&E spokesman provided details to Threat Level after the panel discussion. Of the 5 million PG&E smart meters currently deployed, 2.5 million are electricity meters, with the remainder gas meters. Spokesman Paul Moreno confirmed that 300,000 of the electricity meters do have the remote disconnect function disabled, but he couldn’t say how many, if any, of the 2.2 million other meters have been disabled in the same manner. When asked if he could obtain the information, Moreno said the company had never been asked for it before and wasn’t sure if those figures existed. UPDATE: In a follow-up e-mail, Moreno said that “most of the 2.2 million second-generation electric SmartMeter meters are capable of remote connect/disconnect.”

The 300,000 meters that have the functionality disabled are mechanical meters that can be read remotely through the power line; the remaining 2.2 million are digital meters that use a radio frequency signal for remote communication.

The gas smart meters don’t allow for remote turnoff. They aren’t actually new meters but simply devices that go on top of existing gas meters to record the number of therms being used.

With regard to vulnerabilities in general, the panelists acknowledged that new vulnerabilities would always arise in smart systems no matter how well the systems are designed. The important thing is to make compromise as painful and time-consuming a process as possible to deter or delay an attacker and implement processes for adequate detection and response so that when a compromise does occur, utility companies can do something swiftly to limit the damage.

Photo courtesy PG&E

DMCA Muscle Kills DVD Copying, for Real

Net Politics -Wired News - Thu, 03/04/2010 - 20:21

Those awaiting a legitimate method to duplicate DVDs for personal use will likely have to wait even longer, perhaps forever, after RealNetworks tossed in the white towel and abandoned its litigation on the matter.

RealNetworks spent almost two years in a legal battle with the Motion Picture Association of America, which sued the Seattle company to block the sale of its DVD-copying software and hardware, generally known as RealDVD. The company said late Wednesday it’s dropping its appeal of an August federal court decision that declared RealDVD an illegal violation of the Digital Millennium Copyright Act of 1998.

The act, which the Hollywood studios strongly lobbied for, prohibits the circumvention of encryption technology. DVDs are encrypted with what is known as the Content Scramble System, and DVD players must secure a license to play discs. RealDVD, U.S. District Judge Marilyn Hall Patel ruled, circumvents the CSS technology designed to prevent copying and is therefore a breach of the CSS license.

The litigation cost RealNetworks millions of dollars, including $4.5 million to reimburse the MPAA for its legal costs. The outcome cost Rob Glaser, RealNetworks’ CEO, his job.

Most important, RealNetworks’ admitted defeat solidifies the DMCA’s power, and leaves in its wake a legal and political vacuum: There is no active movement to legalize the duplication of DVDs under the DMCA, and every attempt to do so has failed.

For the moment, consumers will have to opt for underground tools like HandBrake and others to copy their DVDs — a practice whose legality is questionable under Patel’s ruling. Pirating and sharing movies on illicit BitTorrent sites is also available, but clearly unlawful under the copyright act.

In the end, there is no legitimate method to copy one’s DVD, even children’s DVDs that are often scratched by their juvenile owners.

Copying DVDs amounts to “theft,” the MPAA’s general counsel, Daniel Mandil, said Wednesday. And RealNetworks’ white flag has emboldened the movie studios’ litigation arm, which Mandil said would “vigorously pursue companies that attempt to bring these illegal circumvention products and devices to market.”

By suing RealNetworks in 2008, the Hollywood studios showed they feared losing control of the DVD as the music industry did with the CD.

It’s OK to copy music from CDs, for example, and place it in an iPod. Yet, it’s illegal to do the same with a DVD. When it comes to the DVD, there’s not even a question of fair use allowed under copyright law.

As it turns out, the DMCA protects the DVD but not the CD.

Hollywood lobbied hard for the DMCA, in part to produce the DVD. The studios were savvy enough to have seen how easy it was to duplicate the CD, which was not encrypted. Attempts to lace CDs with Digital Rights Management had failed.

But the DVD was different from the CD. It was born with encryption, now called the Content Scramble System. It is designed to prevent duplication. Under the DMCA, gadgets and software allowing duplication of encryption-protected works are prohibited.

Judge Patel, in her ruling in the RealNetworks case, said “while it may well be fair use for an individual consumer to store a backup copy of a personally owned DVD on that individual’s computer, a federal law has nonetheless made it illegal to manufacture or traffic in a device or tool that permits a consumer to make such copies.”

Patel, however, added some doublespeak: “Fair use can never be an affirmative defense to the act of gaining unauthorized access” — a simple way of saying it was illegal to hack into the encryption to make a copy.

Patel’s decision virtually mirrored the 2004 ruling by another federal judge declaring as illegal the DVD-copying software produced by 321 Studios. The difference between the two cases was that RealNetworks secured a Content Scramble System license, and claimed a loophole in the license allowed its RealDVD software to make hard-drive or thumb-drive backup copies of movies.

Judge Patel did not buy that argument.

That alleged loophole, however, is being litigated by Kaleidescape, a California company that sells high-end, home DVD-duplicating hardware that reached the market after a California judge ruled the CSS-licensing loophole indeed allowed a copying device.

But a California appeals court didn’t see it that way, and last year reversed the decision, which is on appeal to the California Supreme Court. Judging by RealNetworks’ white flag, the outcome is obvious.

Photo: john_a_ward/Flickr

‘Google’ Hackers Had Ability to Alter Source Code

Net Politics -Wired News - Thu, 03/04/2010 - 04:05

Hackers who breached Google and other companies in January targeted source-code management systems, security firm McAfee asserted Wednesday. They manipulated a little-known trove of security flaws that would allow easy unauthorized access to the intellectual property the system is meant to protect.

The software-management systems, widely used at businesses unaware that the holes exist, were exploited by the Aurora hackers in a way that would have enabled them to siphon source code, as well as modify it to make customers of the software vulnerable to attack. It’s akin to making yourself a set of keys in advance for locks that are going to be sold far and wide.

A white paper released by security firm McAfee during this week’s RSA security conference in San Francisco provides a couple of new details about the Operation Aurora attacks (.pdf) that affected 34 U.S. companies, including Google and Adobe, beginning last July. McAfee helped Adobe investigate the attack on its system and provided information to Google about malware used in the attacks.

According to the paper, the hackers gained access to software-configuration management systems (SCM), which could have allowed them to steal proprietary source code or surreptitiously make changes to the code that could seep undetected into commercial versions of the company’s product. Stealing the code would allow attackers to examine the source for vulnerabilities and develop exploits against customers who use the software, Adobe Reader for example.

“[The SCMs] were wide open,” says Dmitri Alperovitch, McAfee’s vice president for threat research. “No one ever thought about securing them, yet these were the crown jewels of most of these companies in many ways — much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting.”

Many of the companies that were attacked used the same source-code management system made by Perforce, a California-based company that makes products used by many large companies. McAfee’s white paper focuses on the insecurities in the Perforce system and provides suggestions for securing it, but McAfee said it will look at other source-code management systems in the future. The paper doesn’t indicate which companies were using Perforce or had vulnerable configurations installed.

As previously reported, the attackers gained initial access by conducting a spear-phishing attack against specific targets within the company. The targets received an e-mail or instant message that appeared to come from someone they knew and trusted. The communication contained a link to a website hosted in Taiwan that downloaded and executed a malicious JavaScript, with a zero-day exploit that attacked a vulnerability in the user’s Internet Explorer browser.

A binary disguised as a JPEG file then downloaded to the user’s system and opened a backdoor onto the computer and set up a connection to the attackers’ command-and-control servers, also hosted in Taiwan.

From that initial access point, the attackers obtained access to the source-code management system or burrowed deeper into the corporate network to gain a persistent hold.

According to the paper, many SCMs are not secured out of the box and also do not maintain sufficient logs to help forensic investigators examining an attack. McAfee says it discovered numerous design and implementation flaws in SCMs.

“Additionally, due to the open nature of most SCM systems today, much of the source code it is built to protect can be copied and managed on the endpoint developer system,” the paper states. “It is quite common to have developers copy source code files to their local systems, edit them locally, and then check them back into the source code tree…. As a result, attackers often don’t even need to target and hack the backend SCM systems; they can simply target the individual developer systems to harvest large amounts of source code rather quickly.”

Alperovitch told Threat Level his company has seen no evidence yet to indicate that source code at any of the hacked companies had been altered. But he said the only way to determine this would be to compare the software against backup versions saved over the last six months to when the attacks are believed to have begun.

“That’s an extremely laborious process, particularly when you are dealing with massive projects with millions of lines of code,” Alperovitch said.
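The comparison Alperovitch describes, a working tree checked against a trusted backup snapshot, is the kind of job that is tedious by hand but straightforward to automate. The following is an added example and not code from the article, McAfee or Perforce: it hashes every file under two directory trees and reports what was added, removed or altered. The two sample trees (a "backup" snapshot and a "checkout" with a simulated silent edit, an unexplained new file and a deletion) are constructed inside a temporary directory purely for the demonstration; in practice the baseline would be the backup taken before the suspected intrusion window and the current tree the SCM's present head.

```python
"""Added example (not from the article, McAfee or Perforce): compare a current
source tree against a trusted backup snapshot to find files that were added,
removed or altered.  The sample trees below are constructed in a temp dir."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each regular file's path (relative to root, POSIX form) to its SHA-256."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(baseline: Path, current: Path) -> dict[str, list[str]]:
    """Return files added, removed and modified in `current` relative to `baseline`."""
    base = hash_tree(baseline)
    cur = hash_tree(current)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "modified": sorted(p for p in set(base) & set(cur) if base[p] != cur[p]),
    }


def build_demo() -> tuple[Path, Path]:
    """Construct a baseline snapshot and a tampered working copy (sample data)."""
    root = Path(tempfile.mkdtemp(prefix="scm-audit-"))
    baseline, current = root / "backup", root / "checkout"
    files = {  # constructed sample sources, not a real project
        "src/parser.c": "int parse(const char *s) { return s != 0; }\n",
        "src/auth.c": "int check(const char *pw) { return strcmp(pw, expected) == 0; }\n",
        "README": "project docs\n",
    }
    for tree in (baseline, current):
        for rel, text in files.items():
            p = tree / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
    # Simulated tampering in the working tree: one silent edit, one new file, one deletion.
    (current / "src/auth.c").write_text("int check(const char *pw) { return 1; }\n")
    (current / "src/helper.c").write_text("/* unexplained new file */\n")
    (current / "README").unlink()
    return baseline, current


if __name__ == "__main__":
    backup, checkout = build_demo()
    for kind, paths in compare_trees(backup, checkout).items():
        for rel in paths:
            print(f"{kind:9s} {rel}")
```

Hashing rather than diffing keeps the pass cheap on the "millions of lines" Alperovitch mentions: only the files whose digests differ need a line-level review, and the baseline digests can be computed once and stored so that later checks need only hash the current tree.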

Among the vulnerabilities found in Perforce:

  • Perforce runs its software as “system” under Windows, giving malware the ability to inject itself into system-level processes and providing an attacker access to all administrative functions on the system. Although the Perforce documentation for UNIX tells the reader not to run the server service as root, it doesn’t suggest making the same alteration to the Windows service. As a result, the default installation on Windows runs as Local System, the Windows equivalent of root.
  • By default, unauthenticated anonymous users are allowed to create users in Perforce, and no user password is required to create a user.
  • All information, including source code, that is communicated between the client system and the Perforce server is unencrypted and therefore easily sniffed and compromised by someone on the network.
  • The Perforce tools use weak authentication, allowing any user to replay a request with a cookie value that is easy to guess and obtain authenticated access to the system to perform “powerful operations” on the Perforce server.
  • The Perforce client and server store all files in cleartext, allowing easy compromise of all the code in the local cache or on the server.

The paper lists a number of additional vulnerabilities.


Spain Busts Hackers for Infecting 13 Million PCs

Net Politics -Wired News - Tue, 03/02/2010 - 23:38

BOSTON (Reuters) — Spanish police have shut down a ring of computer hackers who infected more than 13 million PCs with a virus that stole credit card numbers and other valuable data in what may be the biggest cyber-raid to date.

Spain’s Civil Guard said on Tuesday that it arrested three men suspected of running the so-called Mariposa botnet, named after the Spanish word for butterfly. A press conference to give more details is scheduled for Wednesday.

Mariposa had infected machines in 190 countries in more than half of the world’s 1,000 largest companies and in at least 40 big financial institutions, according to two Internet security firms that helped Spanish officials crack the ring, Canada’s Defense Intelligence and Spain’s Panda Security.

“It was so nasty, we thought ‘We have to turn this off. We have to cut off the head,’” said Chris Davis, CEO of Defense Intelligence, which discovered the virus last year. He added that the ring was shut down on December 23.

The virus was programmed to steal all login credentials and record every keystroke on an infected computer, then send the data back to a “command and control center,” where the ringleaders stored the data.

“Basically they were going after anything that would make them money,” Davis said.

Mariposa initially spread by exploiting a vulnerability in Microsoft Corp’s Internet Explorer Web browser. It also contaminated machines by infecting USB memory sticks, he said.

(Reporting by Jim Finkle, additional reporting by Madrid newsroom. Editing by Robert MacMillan)

Photo: Anvica/Flickr


Flipping Off Cops Is Legal, Not Advised

Net Politics -Wired News - Tue, 03/02/2010 - 22:07

Flipping the bird, or sticking out the middle finger, is perhaps the oldest insulting gesture on earth. The move dates back to ancient Greece and was adopted by the Romans as digitus impudicus — the impudent finger.

A zillion middle fingers later, an Oregon man is suing suburban Portland cops (.pdf) over his use of the gesture, claiming civil rights violations. Twice he flipped them off for no apparent reason while driving and was pulled over each time — resulting in what he said was a “bogus” traffic citation that was later dismissed, and a tongue lashing he still remembers.

“The guy flew into a road rage,” Robert Ekas, a retired Silicon Valley systems analyst, said in a telephone interview Tuesday.

Lawrence Wolf, a Los Angeles criminal defense attorney, said there was no law against flipping off cops. And in most instances when it leads to an arrest or conviction, the charges are dismissed. But the gesture invites police confrontation, he said.

“It’s certainly not the smartest thing one can do,” Wolf said.

American University legal scholar Ira Robbins has written a definitive paper on flipping the bird: “Digitus Impudicus: The Middle Finger and the Law.” (.pdf)

“The pursuit of criminal sanctions for use of the middle finger infringes on First Amendment rights, violates fundamental principles of criminal justice, wastes valuable judicial resources, and defies good sense,” Robbins wrote.

In November, a Pittsburgh man was awarded $50,000 after he was wrongly cited for disorderly conduct after flipping off an officer.

Ekas, in both instances, flipped off officers while they were driving a Clackamas County patrol car. “It seemed like the right thing to do,” said the 46-year-old, who is seeking damages and police reform amid allegations he was unlawfully stopped. “The long and the short of it, I was pulled over because I gave them the finger.”

A federal judge will entertain Clackamas County’s motion on March 15 to have the civil rights lawsuit tossed. The county denies the allegations. (.pdf)

Ekas said his actions, which occurred with his teenage son in the car both times, were a form of protest against the agency he claims is abusing its citizenry. “That’s why they get the finger,” he said, noting he wants a jury trial.

Wolf, meanwhile, suggested if Ekas’ case makes it to trial, the officers are likely to testify that they were concerned “about his sanity.”

The jury, he said, is likely to say, “‘Give me a break’ and then go home.”

Photo: davidsonscott15/Flickr
