Feds Move to Break Voting-Machine Monopoly
Citing anti-competitive concerns, the Justice Department sued Election Systems & Software in order to force the company to divest itself of the voting machine assets it obtained from Premier Election Solutions last year.
The department’s antitrust division, along with nine state attorneys general, filed the civil antitrust lawsuit (.pdf) in U.S. District Court in Washington, D.C., charging that the acquisition threatened competition. The department proposed a settlement that, if accepted, would dissolve the merger and force ES&S to sell its Premier business to a buyer approved by the Justice Department.
“The proposed settlement (.pdf) will restore competition, provide a greater range of choices and create incentives to provide secure, accurate and reliable voting-equipment systems now and in the future,” said Molly S. Boast, deputy assistant attorney general for the antitrust division in a statement.
The nine states that joined the suit are Arizona, Colorado, Florida, Maine, Maryland, Massachusetts, New Mexico, Tennessee and Washington.
Last September, Premier (formerly Diebold Election Systems) announced that ES&S had purchased the company for $5 million in cash, plus 70 percent of revenue collected on existing accounts through the end of August 2009.
Even before the sale, ES&S, based in Omaha, Nebraska, was the nation’s largest voting-machine maker, with machines being used in 43 states. ES&S systems were “utilized in counting approximately 50 percent of the votes in the last four major U.S. elections,” according to the company’s website. The company also created statewide voter registration systems used in California, Maryland, Missouri, Nebraska and New Mexico.
Its acquisition of Premier, the second-largest voting machine maker with equipment used in 33 states, gave it a near monopoly on election gear and would have had the company providing 70 percent of voting equipment in the country. Premier was a division of Diebold, Inc., which is based in Canton, Ohio.
Election integrity activists expressed concern at the time that the purchase would have a detrimental effect on competitive pricing for election districts and would also affect the development of accurate and secure voting systems, since ES&S would have little incentive to improve its voting systems without viable competitors. They were also concerned that ES&S would stop supporting the Premier equipment and try to pressure election officials who owned the equipment into purchasing ES&S machines.
Spokeswomen for Verified Voting and Voter Action declined to comment on the lawsuit or proposed settlement until their organizations have a chance to review the documents and discuss them with the Justice Department.
The settlement would force ES&S to divest itself of all intellectual property and means associated with producing all versions of Premier’s software, firmware and hardware as well as all inventory of parts and components.
ES&S must also grant to whoever acquires the Premier business a “fully paid-up, irrevocable, perpetual license” to use ES&S’s own AutoMark system. The AutoMark is a ballot marking device for disabled voters. Premier had obtained a limited license to sell the device prior to the acquisition. The buyer of the Premier business will be able to modify both the Premier products and the AutoMark system.
The proposed settlement would also require ES&S to give customers who are currently under contract for Premier systems the chance to switch to the new buyer or to remain with ES&S and obtain ES&S equipment. ES&S would be prohibited from bidding on new contracts for Premier equipment.
To make the transition smooth and avoid disrupting upcoming elections, ES&S must provide existing Premier customers with access to employees who are knowledgeable about the Premier systems and work out a supply agreement until the new buyer is able to take over manufacturing of the equipment.
ES&S said in a statement that it recognized that the acquisition had caused concern.
“With that in mind, we fully cooperated and have been working closely with the antitrust division of the Department of Justice to address those concerns,” the company said. “We look forward to a resolution of this matter that will allow jurisdictions to move forward immediately in planning for upcoming election events.”
The company added that since the merger, it had provided support for more than 1,000 election events administered by former Premier customers.
Photo: Ben Sutherland/Flickr
Funeral Flap: Justices Weigh Religion, Speech Rights
The Supreme Court agreed Monday to delve into the sensitive question of whether the First Amendment protects anti-gay protesters carrying placards outside military funerals, bearing “America is Doomed,” “Thank God for 9/11” and other volatile slogans, like “Thank God for dead soldiers.”
The messages and picketing are part of a Kansas church’s belief that the United States’ tolerance for homosexuality is cause for soldiers’ deaths in Iraq and Afghanistan.
The case the justices decided to review Monday tests the boundaries of free speech versus freedom of religion — doctrines both embodied in the First Amendment.
Without comment, the justices agreed to review last year’s federal appellate decision that overturned a $5 million verdict (.pdf) in favor of a Baltimore man who sued the Westboro Baptist Church of Topeka and its pastor, Fred Phelps, in 2006. The father of Marine Lance Cpl. Matthew Snyder was awarded damages for, among other things, invasion of privacy and emotional distress for the events that occurred outside his son’s funeral at a Catholic church in Maryland.
“Whether the freedom of religion and assembly is subordinate to the freedom of speech is an important question because by necessary implication, one of the tenets of the First Amendment is undermined,” (.pdf) lawyers for the soldier’s father, Albert Snyder, told the high court in a filing.
His lawyers told the justices that the presence of Phelps and a handful of others “created a negative and circus-like atmosphere during a solemn and religious occasion” and “added insult to injury during a time of grief and mourning.” The protesters also displayed a banner depicting two men engaging in anal sex.
Lawyers for Phelps, however, urged the court to stay out of the case, saying the deaths of U.S. soldiers are a matter of public concern and debate.
“How these soldiers are living and dying is a topic of substantial public interest and dialogue, at least nationwide, probably worldwide. The prevailing view is that the soldiers are heroes, and that God is obligated to bless America,” (.pdf) Phelps’ lawyers wrote. “Those views clash with the Bible, in respondents’ sincerely held religious opinion, and when these funerals are used to express those viewpoints, respondents feel duty-bound to provide a countervailing message, to wit, if you want God’s blessings, you have to obey him, and if you want the soldiers to stop dying, you have to stop sinning in this nation.”
Photo: The Rev. Fred Phelps prepares to protest outside the Kansas Statehouse in Topeka in 2006./Associated Press
11 More U.S. Airports Get Body Scanners
Transportation officials announced Friday that 11 more United States airports will begin receiving full-body imaging machines.
“By accelerating the deployment of this technology, we are enhancing our capability to detect and disrupt threats of terrorism across the nation,” Homeland Security Secretary Janet Napolitano said in a statement.
Despite concerns about privacy and their effectiveness, the 11 airports are to get the 150 machines beginning Monday, starting at Boston’s Logan International Airport, with one also going to O’Hare International Airport in Chicago. In all, 30 U.S. airports will employ the scanning devices.
Fliers declining to submit to the machines that create X-ray-like virtual images of the body may get intense pat-downs from Transportation Security Administration authorities. The combined 150 imaging machines are being bought, in part, by $1 billion the government set aside from its $787 billion federal bailout bill.
The American Civil Liberties Union has decried the scanners as “virtual strip searches.” The Electronic Privacy Information Center, in a Freedom of Information Act request, said the machines are capable of storing and transmitting images of passengers despite the government’s claim to the contrary.
A test-image shown to reporters Friday at Logan International “showed the blurry outline of a female volunteer. None of her clothing was visible, nor were her genitals, but the broad contours of her chest and buttocks were. Her face also was blurred,” The Associated Press said. “The image included the shadow of a cellphone purposely left on her belt, as well as the metal buttons on her pants. But overall, it looked like the outline of a ghost.”
The Amsterdam airport where suspected underwear bomber Umar Farouk Abdulmutallab boarded a Detroit-bound Christmas flight had the scanning machines. But they were not used to check the Nigerian.
The machines also cannot detect so-called “booty bombs” in which an explosive is inserted into the body.
By summer, TSA expects the units, made by California-based Rapiscan, to be deployed at airports in Fort Lauderdale, Florida; San Jose, San Diego, Los Angeles and Oakland, California; Columbus, Ohio; Charlotte, North Carolina; Cincinnati; and Kansas City.
See Also:
- Airport Scanners Can Store, Transmit Images
- Body Scanners Might Violate U.K. Child-Protection Laws
- German ‘Fleshmob’ Protests Airport Scanners
- Adding More Names to Watch Lists Isn’t Change, It’s a Step Back …
- TSA Nixes Flying Without ID
White House Cyber Czar: ‘There Is No Cyberwar’
Howard Schmidt, the new cybersecurity czar for the Obama administration, has a short answer for the drumbeat of rhetoric claiming the United States is caught up in a cyberwar that it is losing.
“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.
“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”
Instead, Schmidt said the government needs to focus its cybersecurity efforts to fight online crime and espionage.
His stance contradicts Michael McConnell, the former director of national intelligence who made headlines last week when he testified to Congress that the country was already in the midst of a cyberwar — and was losing it.
Schmidt’s official title is cyber-security coordinator at the White House, a job he took over just before Christmas. Schmidt has no budgetary authority, but he said that doesn’t make him powerless, because his office is in the White House. He’s been there before as an adviser to President George W. Bush, and he’s been the president and board member of countless security associations.
One of his first moves in his new job was to publish an unclassified summary of the country’s 12-point cybersecurity plan, known as the Comprehensive National Cybersecurity Initiative, a move toward transparency that he announced Monday as the keynote speaker at the world’s premier security conference.
That plan was first formulated under a veil of secrecy in January 2008 by President Bush. He was prompted in no small part by McConnell, who was director of national intelligence and reportedly convinced the president that a cyberattack could cause more economic damage to the United States than the 9/11 terrorist attacks.
Much of the authority and the funds under that initiative fell to the National Security Agency, the military’s premier spying agency that also has responsibility for locking down the government’s classified networks. Not surprisingly, McConnell, as DNI, held power over the NSA.
McConnell rejoined Booz Allen Hamilton, a defense contractor that made more than $4 billion in 2008, mostly in government contracts, including secret ones. A former NSA director, McConnell now serves as the vice president for national security business at Booz Allen Hamilton. It was recently acquired by the powerful and politically connected Carlyle Group, the world’s largest private equity firm, whose advisers and board members have included George Bush, George W. Bush, James Baker and former SEC chief Arthur Levitt.
In an op-ed in the Washington Post last weekend, McConnell called for a re-engineering of the internet and a return to a Cold War mentality of deterrence, based on the threat that the United States would massively retaliate against any perceived attack.
“More specifically, we need to re-engineer the internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable,” McConnell wrote.
Threat Level rebutted that notion Monday, in a post that called McConnell the greatest threat to the internet.
For his part, Schmidt said no re-engineering of the internet is in the plans under the Obama administration. And he re-emphasized the president’s promise — delivered in a May speech addressing cybersecurity — that the government would not monitor the internet at large.
“People have to recognize that when we close the door and go home, we are just normal netizens like anyone else,” Schmidt said. “I’ve been in the internet from the very beginning. We don’t want to see it changed to where it is no longer available and we don’t have the ability to do things anonymously as we choose to in certain realms.”
“But we also need to do our financial transactions securely and you need to be able to file your story online in a manner so that by the time you upload it, it doesn’t say ‘At noon, today San Francisco had a terrible earthquake’ when that didn’t happen,” Schmidt added.
But that commitment to keep the government’s monitoring equipment out of the commercial internet seems belied by a CNET interview at RSA with a Homeland Security cybersecurity official, who said that DHS was considering installing its classified “Einstein 3” security technology on non-government infrastructure. UPDATE: DHS spokeswoman Amy Kudwa says that the “CNET story failed to include the vast majority of Greg Schaffer’s comments, which made clear that, consistent with all published Privacy Impact Assessments, the President’s remarks last May, and the declassified summary of the CNCI released this week, EINSTEIN is intended for government networks.” Schaffer “simply acknowledged that as we move forward, there may be opportunities to share capabilities with the private sector.”
Cyberwar advocates make their case for this in part by pointing to high-profile stories that hackers have penetrated the grid and, in some cases, caused massive blackouts, including the 2003 cascading failure in the Northeast that affected some 50 million citizens. Those stories (on 60 Minutes, in the Wall Street Journal and the National Journal) relied nearly exclusively on anonymous defense intelligence officials or contractors, and are often easily debunked.
Schmidt said it’s possible that hackers have gotten into administrative computer systems of utility companies, but says those aren’t linked to the equipment controlling the grid, at least not in developed countries. He’s never heard that the grid itself has been hacked.
“As for getting into the power grid, I can’t see that that’s realistic,” Schmidt said.
There’s been much ink spilled in recent years over the turf battles in D.C. over whether the NSA (representing the military) or DHS (on the civilian side) takes the lead role in cybersecurity.
Rod Beckstrom, now the president of the Internet Corporation for Assigned Names and Numbers, resigned from his role heading cybersecurity for DHS last spring. He protested that the NSA was encroaching too far, and that the job of protecting non-military government websites should be handled by civilians — especially as the government pushes citizens to use those websites for more and more business.
But Schmidt said he hasn’t run into that problem and said government agencies are working together.
“I haven’t seen that tension,” Schmidt said.
As for which will take the cybersecurity lead, Schmidt simply says it’s a shared effort.
But that’s a very thorny issue — one that has dogged the government’s intrusion protection system Einstein and its successors, Einstein 2 and 3.
Why should U.S. citizens trust cybersecurity to the NSA? Under President Bush, it secretly turned its powerful spying apparatus inward in violation of U.S. law and its longstanding mantra to never spy on citizens.
Schmidt counters that the NSA has long had the job of protecting classified computers and has already become a participant in the wider security community. Among other things, it offers advice on how to secure operating systems such as Linux and Windows. And more important, Schmidt said, the president maintains that the NSA has to obey limits.
“When your boss, in our case the president, tells an agency not to do something and here are the controls put in place and here is the coordination put into place, that’s a pretty big commitment,” Schmidt said.
As for his priorities, Schmidt says education, information sharing and better defense systems rank high.
That includes efforts to train more security professionals and have the government share more information with the private sector — including the NSA’s defensive side.
“One thing we are looking at is how do we make sure that the private sector has the information it needs from the government,” Schmidt said, referring to what he called “some of the unique visibility the government has from the attacks on our systems.”
The government must also be active in reducing its own vulnerabilities, according to Schmidt.
“We can’t sit there and be waiting for the next intrusion attempts to take place,” Schmidt said. “We need to become stronger in what we are doing so we are better able to resist the things that are being thrown at us.”
Schmidt, who has held cybersecurity positions inside the Air Force, the FBI and Microsoft, mentioned he’s part of a Facebook group of Wired magazine collectors. The oldest one he has, he said, had Electronic Frontier Foundation co-founder John Perry Barlow on the cover. Though the irascible Barlow never made the cover (other than a mock-up of the first edition), Schmidt could have been referring to Issue 2.04, which included a promo for an essay from Barlow.
Fittingly, that essay, about the failed effort to mandate government-accessible backdoors in encryption technology, was titled “Jackboots on the Infobahn.”
Photo: Howard Schmidt in a lonely RSA conference room Wednesday March 3. Credit: John Snyder/Wired.com
See Also:
- Cyberwar Hype Intended to Destroy the Open Internet
- NSA Must Examine All Internet Traffic to Prevent Cyber Nine-Eleven …
- Spy Chief Torpedos Government’s Lawyering in Spy Cases
- Nation’s Top Spy Retracts Politically-Convenient Exaggeration …
- Brazilian Blackout Traced to Sooty Insulators, Not Hackers …
- Did Hackers Cause the 2003 Northeast Blackout? Umm, No
- Put NSA in Charge of Cyber Security, Or the Power Grid Gets It …
- Is the Hacking Threat to National Security Overblown?
Security Pros Question Deployment of Smart Meters
The country’s swift deployment of smart-grid technology has security professionals concerned that utilities and smart-meter vendors are repeating the mistakes made in the rollout of the public internet, when security became a priority only after malicious attacks had reached mass levels.
But when it comes to the power grid, the costs of remote hack attacks are potentially more dramatic.
“The cost factor here is what’s turned on its head. We lose control of our grid, that’s far worse than a botnet taking over my home PC,” said Matthew Carpenter, senior security analyst of InGuardian, speaking at a panel at the RSA Security Conference in San Francisco this week.
The panel included Seth Bromberger, manager of information security at Pacific Gas and Electric, a San Francisco-based utility company that provides natural gas and electrical services to customers in Central and Northern California and is in the forefront of the smart-meter rollout; and Matt Franz, principal security engineer at Science Applications International Corporation.
Carpenter serves on the AMI-SEC Task Force, a group working on developing security guidelines and best practices for smart-meter infrastructure, and has done penetration testing on smart-meter systems to uncover security issues. He said the most common vulnerability he’s seen so far is susceptibility to “cross-site request forgery” on the control systems.
“That took me by surprise,” he said. “That’s not something that I would have imagined to be one of the greatest vulnerabilities found.”
Cross-site request forgery allows an attacker to exploit an authentication cookie stored in a user’s browser — the cookie that authenticates him, for example, to his bank or, in this case, to a utility control system — and perform actions on the system as that user.
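To make the failure mode concrete for defenders, here is an added illustration (written for this page, not code from the panel, InGuardian or any utility) of why a control-system endpoint that trusts the session cookie alone is forgeable, and how the standard synchronizer-token check closes the hole. The session store, the meter identifiers and the request shapes are constructed stand-ins for a real web application; the browser is modelled only by the fact that it attaches the session cookie to every request regardless of which page initiated it.

```python
import hmac
import secrets

# Constructed session store (assumption): session cookie value -> session data.
# Each session carries a random anti-CSRF token that is rendered into the
# application's own forms but is never readable by a third-party page.
SESSIONS = {
    "sess-4f2a": {"user": "operator1", "csrf_token": secrets.token_hex(16)},
}


def _lookup_session(request):
    """Resolve the session from the cookie the browser attached, if any."""
    return SESSIONS.get(request["cookies"].get("session"))


def vulnerable_disconnect(request):
    """State-changing action protected by the session cookie alone.

    Because the browser attaches the cookie automatically, any page that can
    make the browser submit this form triggers the action as the logged-in user.
    """
    session = _lookup_session(request)
    if session is None:
        return 401, "not logged in"
    meter = request["form"]["meter_id"]
    return 200, f"{session['user']} disconnected meter {meter}"


def hardened_disconnect(request):
    """Same action with a synchronizer token: the form must carry the
    per-session secret, compared in constant time, in addition to the cookie."""
    session = _lookup_session(request)
    if session is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    expected = session["csrf_token"]
    # Encode to bytes so compare_digest accepts any submitted string safely.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    meter = request["form"]["meter_id"]
    return 200, f"{session['user']} disconnected meter {meter}"


def cross_site_request():
    """Constructed request as the browser would send it for a form submitted by
    an unrelated page: the victim's cookie rides along, the token does not."""
    return {"cookies": {"session": "sess-4f2a"},
            "form": {"meter_id": "M-1001"}}


def same_site_request():
    """Constructed request from the application's own page, which embedded the
    session's token in the form when it was rendered."""
    token = SESSIONS["sess-4f2a"]["csrf_token"]
    return {"cookies": {"session": "sess-4f2a"},
            "form": {"meter_id": "M-1001", "csrf_token": token}}


if __name__ == "__main__":
    print("vulnerable, cross-site:", vulnerable_disconnect(cross_site_request()))
    print("hardened,   cross-site:", hardened_disconnect(cross_site_request()))
    print("hardened,   same-site: ", hardened_disconnect(same_site_request()))
```

The token must be unpredictable and tied to the session (here it is generated with `secrets` and stored server-side), and the comparison uses `hmac.compare_digest` so the check does not leak timing information. In a real deployment the `SameSite` cookie attribute and an `Origin`/`Referer` check are worthwhile additional layers, but neither replaces the token check for a request that an unauthenticated page can cause the browser to send.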
Last October, President Barack Obama announced $3.4 billion in grants to utility companies, municipal districts and manufacturers to spur a nationwide transition to smart-grid technologies and fund other energy-saving initiatives as part of the federal economic stimulus package.
Smart grids use digital meters and control mechanisms that allow utility companies to better control the flow of electricity remotely and promise to save energy and reduce utility costs. Smart meters installed in homes and businesses allow utility companies to remotely communicate with the devices to read usage levels and control the delivery of services.
But security research on the systems is lagging behind the deployment of smart meters, which has already occurred in some places in the United States. PG&E is in the lead with 5 million gas and electric smart meters deployed since 2006, which represents about half of its customer base. PG&E expects to deploy an additional 5 million smart meters by 2012.
Among the concerns Carpenter expressed was one related to vulnerabilities that could arise in the encryption schemes used in smart-grid systems, given that the systems are expected to have a lifespan of 15 to 20 years. Advances in encryption cracking that are likely to occur over that time period would make the encryption obsolete, he said.
He also discussed a need to examine the aggregation points that receive communication from the meters and have “an immense amount of control” in some cases.
“In some circumstances they’re simply going to give you a denial-of-service if you tamper with them because the crypto is done appropriately from the head-end control system down to the meters and the aggregation point really can’t tinker much with it,” Carpenter said. “But in other [cases] there’s a great deal of control that that aggregation point has, and they’re sitting on the top of a [utility] pole — not in a brick building [with] guard dogs and razor wire … and [they have] an ethernet cable.”
An attacker could sniff traffic going to the aggregation point or possibly send commands to the meters or inject code into the backend control system.
But even more pressing and immediate, in terms of vulnerabilities, is the remote shut-off capability in smart meters. Digital smart meters have an electronic disconnect switch that allows the utility company to shut down electricity remotely. Carpenter asked PG&E’s Bromberger directly, “Why not think about disconnecting the disconnect switch until we figure out more of what we’re dealing with?”
Bromberger responded that PG&E had in fact disabled the remote disconnect function in the first generation of electricity smart meters it deployed.
“We wanted to be sure that we had detection-response capabilities and security figured out before we started implementing that,” he said.
What he didn’t say was that this actually represents only a tiny portion of the meters PG&E has deployed.
A PG&E spokesman provided details to Threat Level after the panel discussion. Of the 5 million PG&E smart meters currently deployed, 2.5 million are electricity meters, with the remainder gas meters. Spokesman Paul Moreno confirmed that 300,000 of the electricity meters do have the remote disconnect function disabled, but he couldn’t say how many, if any, of the 2.2 million other meters have been disabled in the same manner. When asked if he could obtain the information, Moreno said the company had never been asked for it before and wasn’t sure if those figures existed. UPDATE: In a follow-up e-mail, Moreno said that “most of the 2.2 million second-generation electric SmartMeter meters are capable of remote connect/disconnect.”
The 300,000 meters that have the functionality disabled are mechanical meters that can be read remotely through the power line; the remaining 2.2 million are digital meters that use a radio frequency signal for remote communication.
The gas smart meters don’t allow for remote turnoff. They aren’t actually new meters but simply devices that go on top of existing gas meters to record the number of therms being used.
With regard to vulnerabilities in general, the panelists acknowledged that new vulnerabilities would always arise in smart systems no matter how well the systems are designed. The important thing is to make compromise as painful and time-consuming a process as possible to deter or delay an attacker and implement processes for adequate detection and response so that when a compromise does occur, utility companies can do something swiftly to limit the damage.
Photo courtesy PG&E
DMCA Muscle Kills DVD Copying, for Real
Those awaiting a legitimate method to duplicate DVDs for personal use will likely have to wait even longer, perhaps forever, after RealNetworks tossed in the white towel and abandoned its litigation on the matter.
RealNetworks spent almost two years in a legal battle with the Motion Picture Association of America, which sued the Seattle company to block the sale of its DVD-copying software and hardware, generally known as RealDVD. The company said late Wednesday it’s dropping its appeal of an August federal court decision that declared RealDVD an illegal violation of the Digital Millennium Copyright Act of 1998.
The act, which the Hollywood studios strongly lobbied for, prohibits the circumvention of encryption technology. DVDs are encrypted with what is known as the Content Scramble System, and DVD players must secure a license to play discs. RealDVD, U.S. District Judge Marilyn Hall Patel ruled, circumvents the CSS technology designed to prevent copying and is therefore a breach of the CSS license.
The litigation cost RealNetworks millions of dollars, including $4.5 million to reimburse the MPAA for its legal costs. The outcome cost Rob Glaser, RealNetworks’ CEO, his job.
Most important, RealNetworks’ admitted defeat solidifies the DMCA’s power – and leaves in its wake a legal and political vacuum: There is no active movement to legalize the duplication of DVDs under the DMCA, and every attempt to do so has failed.
For the moment, consumers will have to opt for underground tools like HandBrake and others to copy their DVDs — a practice whose legality is questionable under Patel’s ruling. Pirating and sharing movies on illicit BitTorrent sites is also available, but clearly unlawful under the copyright act.
In the end, there is no legitimate method to copy one’s DVD, even children’s DVDs that are often scratched by their juvenile owners.
Copying DVDs amounts to “theft,” the MPAA’s general counsel, Daniel Mandil, said Wednesday. And RealNetworks’ white flag has emboldened the movie studios’ litigation arm, which Mandil said would “vigorously pursue companies that attempt to bring these illegal circumvention products and devices to market.”
By suing RealNetworks in 2008, the Hollywood studios showed they feared losing control of the DVD as the music industry did with the CD.
It’s OK to copy music from CDs, for example, and place it in an iPod. Yet, it’s illegal to do the same with a DVD. When it comes to the DVD, there’s not even a question of fair use allowed under copyright law.
As it turns out, the DMCA protects the DVD but not the CD.
Hollywood lobbied hard for the DMCA, in part to produce the DVD. The studios were savvy enough to have seen how easy it was to duplicate the CD, which was not encrypted. Attempts to lace CDs with Digital Rights Management had failed.
But the DVD was different from the CD. It was born with encryption, now called the Content Scramble System. It is designed to prevent duplication. Under the DMCA, gadgets and software allowing duplication of encryption-protected works are prohibited.
Judge Patel, in her ruling in the RealNetworks case, said “while it may well be fair use for an individual consumer to store a backup copy of a personally owned DVD on that individual’s computer, a federal law has nonetheless made it illegal to manufacture or traffic in a device or tool that permits a consumer to make such copies.”
Patel, however, added some doublespeak: “Fair use can never be an affirmative defense to the act of gaining unauthorized access” — a simple way of saying it was illegal to hack into the encryption to make a copy.
Patel’s decision virtually mirrored the 2004 ruling by another federal judge declaring as illegal the DVD-copying software produced by 321 Studios. The difference between the two cases was that RealNetworks secured a Content Scramble System license, and claimed a loophole in the license allowed its RealDVD software to make hard-drive or thumb-drive backup copies of movies.
Judge Patel did not buy that argument.
That alleged loophole, however, is being litigated by Kaleidescape, a California company that sells high-end, home DVD-duplicating hardware that reached the market after a California judge ruled the CSS-licensing loophole indeed allowed a copying device.
But a California appeals court didn’t see it that way, and last year reversed the decision, which is on appeal to the California Supreme Court. Judging by RealNetworks’ white flag, the outcome is obvious.
Photo: john_a_ward/Flickr
See Also:
- DMCA Exemption Unlikely for iPad Jailbreak
- DMCA Coupon Flap Ends — Nobody ‘Won’
- Once Again, DMCA Protects Online Video Sites
- 10 Years Later, Misunderstood DMCA is the Law That Saved the Web
- Air Force Cyber Command’s New Weapon: DMCA Notices
- YouTube to McCain: You Made Your DMCA Bed, Lie in It
- Universal Says DMCA Takedown Notices Can Ignore ‘Fair Use’
‘Google’ Hackers Had Ability to Alter Source Code
Hackers who breached Google and other companies in January targeted source-code management systems, security firm McAfee asserted Wednesday. They manipulated a little-known trove of security flaws that would allow easy unauthorized access to the intellectual property the system is meant to protect.
The software-management systems, widely used at businesses unaware that the holes exist, were exploited by the Aurora hackers in a way that would have enabled them to siphon source code, as well as modify it to make customers of the software vulnerable to attack. It’s akin to making yourself a set of keys in advance for locks that are going to be sold far and wide.
A white paper released by security firm McAfee during this week’s RSA security conference in San Francisco provides a couple of new details about the Operation Aurora attacks (.pdf) that affected 34 U.S. companies, including Google and Adobe, beginning last July. McAfee helped Adobe investigate the attack on its system and provided information to Google about malware used in the attacks.
According to the paper, the hackers gained access to software-configuration management systems (SCM), which could have allowed them to steal proprietary source code or surreptitiously make changes to the code that could seep undetected into commercial versions of the company’s product. Stealing the code would allow attackers to examine the source code for vulnerabilities, in order to develop exploits to attack customers who use the software, such as Adobe Reader, for example.
“[The SCMs] were wide open,” says Dmitri Alperovitch, McAfee’s vice president for threat research. “No one ever thought about securing them, yet these were the crown jewels of most of these companies in many ways — much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting.”
Many of the companies that were attacked used the same source-code management system made by Perforce, a California-based company that makes products used by many large companies. McAfee’s white paper focuses on the insecurities in the Perforce system and provides suggestions for securing it, but McAfee said it will look at other source-code management systems in the future. The paper doesn’t indicate which companies were using Perforce or had vulnerable configurations installed.
As previously reported, the attackers gained initial access by conducting a spear-phishing attack against specific targets within the company. The targets received an e-mail or instant message that appeared to come from someone they knew and trusted. The communication contained a link to a website hosted in Taiwan that downloaded and executed a malicious JavaScript, with a zero-day exploit that attacked a vulnerability in the user’s Internet Explorer browser.
A binary disguised as a JPEG file then downloaded to the user’s system and opened a backdoor onto the computer and set up a connection to the attackers’ command-and-control servers, also hosted in Taiwan.
From that initial access point, the attackers obtained access to the source-code management system or burrowed deeper into the corporate network to gain a persistent hold.
According to the paper, many SCMs are not secured out of the box and also do not maintain sufficient logs to help forensic investigators examining an attack. McAfee says it discovered numerous design and implementation flaws in SCMs.
“Additionally, due to the open nature of most SCM systems today, much of the source code it is built to protect can be copied and managed on the endpoint developer system,” the paper states. “It is quite common to have developers copy source code files to their local systems, edit them locally, and then check them back into the source code tree…. As a result, attackers often don’t even need to target and hack the backend SCM systems; they can simply target the individual developer systems to harvest large amounts of source code rather quickly.”
Alperovitch told Threat Level his company has seen no evidence yet to indicate that source code at any of the hacked companies had been altered. But he said the only way to determine this would be to compare the software against backup versions saved over the last six months to when the attacks are believed to have begun.
“That’s an extremely laborious process, particularly when you are dealing with massive projects with millions of lines of code,” Alperovitch said.
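One way to carry out that comparison mechanically, as an added example that is not code from McAfee, Perforce or any of the affected companies: hash every file in the current tree and in a backup snapshot, then report what was added, removed or modified. The directory paths and the list of ignored metadata directories are assumptions.

```python
"""Compare a current source tree against a backup snapshot by content hash.

Added example illustrating the check described above; it is not code from
McAfee or Perforce. Directory paths and the ignored metadata directory names
are assumptions.
"""
import hashlib
import os
from typing import Dict

# SCM metadata directories to skip (assumed names; extend as needed).
IGNORED_DIRS = {".git", ".svn", ".hg", ".p4"}


def hash_file(path: str) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: str) -> Dict[str, str]:
    """Map each relative file path under root to its SHA-256 digest."""
    result: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune ignored metadata directories in place so os.walk skips them.
        dirnames[:] = sorted(d for d in dirnames if d not in IGNORED_DIRS)
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def compare(current: Dict[str, str], backup: Dict[str, str]) -> Dict[str, list]:
    """Classify files as added, removed or modified relative to the backup."""
    cur, old = set(current), set(backup)
    return {
        "added": sorted(cur - old),
        "removed": sorted(old - cur),
        "modified": sorted(p for p in cur & old if current[p] != backup[p]),
    }


def compare_trees(current_root: str, backup_root: str) -> Dict[str, list]:
    """Build both manifests and return the added/removed/modified report."""
    return compare(manifest(current_root), manifest(backup_root))


if __name__ == "__main__":
    import sys

    # Usage: python compare_trees.py <current-checkout> <backup-snapshot>
    report = compare_trees(sys.argv[1], sys.argv[2])
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:9} {p}")
```

Every "modified" path is a candidate for a line-level diff and a look at who checked it in and when; a snapshot from before the suspected intrusion window is the right baseline.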
Among the vulnerabilities found in Perforce:
- Perforce runs its software as “system” under Windows, giving malware the ability to inject itself into system-level processes and providing an attacker access to all administrative functions on the system. Although the Perforce documentation for UNIX tells the reader not to run the server service as root, it doesn’t suggest making the same alteration to the Windows service. As a result, the default installation on Windows runs as a local system, or as root.
- By default, unauthenticated anonymous users are allowed to create users in Perforce, and no user password is required to create a user.
- All information, including source code, that is communicated between the client system and the Perforce server is unencrypted and therefore easily sniffed and compromised by someone on the network.
- The Perforce tools use weak authentication, allowing any user to replay a request with a cookie value that is easy to guess and obtain authenticated access to the system to perform “powerful operations” on the Perforce server.
- The Perforce client and server store all files in cleartext, allowing easy compromise of all the code in the local cache or on the server.
The paper lists a number of additional vulnerabilities.
Spain Busts Hackers for Infecting 13 Million PCs
BOSTON (Reuters) — Spanish police have shut down a ring of computer hackers who infected more than 13 million PCs with a virus that stole credit card numbers and other valuable data in what may be the biggest cyber-raid to date.
Spain’s Civil Guard said on Tuesday that it arrested three men suspected of running the so-called Mariposa botnet, named after the Spanish word for butterfly. A press conference to give more details is scheduled for Wednesday.
Mariposa had infected machines in 190 countries in more than half of the world’s 1,000 largest companies and in at least 40 big financial institutions, according to two Internet security firms that helped Spanish officials crack the ring, Canada’s Defense Intelligence and Spain’s Panda Security.
“It was so nasty, we thought ‘We have to turn this off. We have to cut off the head,’” said Chris Davis, CEO of Defense Intelligence, which discovered the virus last year. He added that the ring was shut down on December 23.
The virus was programmed to steal all login credentials and record every keystroke on an infected computer, then send the data back to a “command and control center,” where the ringleaders stored the data.
“Basically they were going after anything that would make them money,” Davis said.
Mariposa initially spread by exploiting a vulnerability in Microsoft Corp’s Internet Explorer Web browser. It also contaminated machines by infecting USB memory sticks, he said.
(Reporting by Jim Finkle, additional reporting by Madrid newsroom. Editing by Robert MacMillan)
Photo: Anvica/Flickr
See Also:
- Threat Level Privacy, Crime and Security Online - Wired News
- Citibank Hack Blamed for Alleged ATM Crime Spree
- RIAA Believes MP3s Are A Crime: Why This Matters
- Notorious Crime Forum DarkMarket Goes Dark
- Underground Crime Economy Healthy, Security Group Finds
- Albert Gonzalez Enters Plea Agreement in Heartland, Hannaford Cases
Flipping Off Cops Is Legal, Not Advised
Flipping the bird, or sticking out the middle finger, is perhaps the oldest insulting gesture on earth. The move dates back to ancient Greece and was adopted by the Romans as digitus impudicus — the impudent finger.
A zillion middle fingers later, an Oregon man is suing suburban Portland cops (.pdf) over his use of the gesture, claiming civil rights violations. Twice he flipped them off for no apparent reason while driving and was pulled over each time — resulting in what he said was a “bogus” traffic citation that was later dismissed, and a tongue lashing he still remembers.
“The guy flew into a road rage,” Robert Ekas, a retired Silicon Valley systems analyst, said in a telephone interview Tuesday.
Lawrence Wolf, a Los Angeles criminal defense attorney, said there was no law against flipping off cops. And in most instances when it leads to an arrest or conviction, the charges are dismissed. But the gesture invites police confrontation, he said.
“It’s certainly not the smartest thing one can do,” Wolf said.
American University legal scholar Ira Robbins has written a definitive paper on flipping the bird: “Digitus Impudicus: The Middle Finger and the Law.” (.pdf)
“The pursuit of criminal sanctions for use of the middle finger infringes on First Amendment rights, violates fundamental principles of criminal justice, wastes valuable judicial resources, and defies good sense,” Robbins wrote.
In November, a Pittsburgh man was awarded $50,000 after he was wrongly cited for disorderly conduct after flipping off an officer.
Ekas, in both instances, flipped off officers while they were driving a Clackamas County patrol car. “It seemed like the right thing to do,” said the 46-year-old, who is seeking damages and police reform amid allegations he was unlawfully stopped. “The long and the short of it, I was pulled over because I gave them the finger.”
A federal judge will entertain Clackamas County’s motion on March 15 to have the civil rights lawsuit tossed. The county denies the allegations. (.pdf)
Ekas said his actions, which occurred with his teen-aged son in the car both times, were a form of protest against the agency he claims is abusing its citizenry. “That’s why they get the finger,” he said, noting he wants a jury trial.
Wolf, meanwhile, suggested if Ekas’ case makes it to trial, the officers are likely to testify that they were concerned “about his sanity.”
The jury, he said, is likely to say, “‘Give me a break’ and then go home.”
Photo: davidsonscott15/Flickr
See Also:
- Traffic Officer Says He Saw No Blood on Reiser’s Car Seat — Update …
- Stakeouts, Lucky Breaks Snare Six More in Citibank ATM Heist …
- Cops Use Anti-Terror Funds to Buy Portable Fingerprint Scanners …
- Reporter Visits Terror Watch List Center, Prevented from Seeing …
- California Police Camera Surveillance Increasing
- Top Internet Threats: Censorship to Warrantless Surveillance …
U.S. Declassifies Part of Secret Cybersecurity Plan
The Obama administration declassified part of the government’s cybersecurity plan Tuesday, publishing parts of it that discuss intrusion detection systems for federal computer networks and the government’s role in securing critical infrastructure.
The declassification announcement was made by Howard A. Schmidt, a former Microsoft security executive who in December was appointed cybersecurity coordinator by President Barack Obama. Schmidt was speaking at the RSA Security Conference in San Francisco, an annual industry conference for computer security professionals.
The government’s Comprehensive National Cybersecurity Initiative was launched in 2008 by President George W. Bush under a shroud of secrecy. The plan has 12 directives that cover the government’s strategy to protect U.S. networks — including military, civilian, government networks and critical infrastructure systems — as well as the government’s offensive strategy to combat cyberwarfare.
Civil libertarians criticized the Bush administration for failing to disclose the contents of the plan or allowing independent oversight of its implementation. Schmidt said that Obama recognized the need for some transparency.
“There are a lot of legal issues about what we’re doing,” he told the 2,000-member audience, adding that the government was currently working on a list of about 40 legal questions related to the cybersecurity initiative.
Obama said last May that he planned to appoint a separate official to ensure that the implementation of the cybersecurity plan doesn’t violate privacy and civil liberties and insisted that the government’s plan would not include spying on the public.
“Our pursuit of cybersecurity will not include — I repeat, will not include — monitoring private sector networks or internet traffic,” he said. “We will preserve and protect the personal privacy and civil liberties that we cherish as Americans.”
A White House spokesman said Tuesday that the administration had appointed Tim Edgar to oversee the privacy aspects of the cybersecurity initiative. Edgar, a former attorney for the American Civil Liberties Union, has been working as the deputy for civil liberties for the Civil Liberties and Privacy Office of the Office of the Director of National Intelligence.
The declassified portion of the plan published Tuesday includes information on only part of the initiative and does not discuss cyberwarfare. The plan instead discusses the deployment of Einstein 2 and Einstein 3, intrusion detection systems on federal networks designed to inspect internet traffic entering government networks to detect potential threats.
DHS (Department of Homeland Security) is deploying, as part of its EINSTEIN 2 activities, signature-based sensors capable of inspecting Internet traffic entering Federal systems for unauthorized accesses and malicious content. The EINSTEIN 2 capability enables analysis of network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity using signature-based intrusion detection technology…. EINSTEIN 2 is capable of alerting US-CERT in real time to the presence of malicious or potentially harmful activity in federal network traffic and provides correlation and visualization of the derived data….
The EINSTEIN 3 system will also support enhanced information sharing by US-CERT with Federal Departments and Agencies by giving DHS the ability to automate alerting of detected network intrusion attempts and, when deemed necessary by DHS, to send alerts that do not contain the content of communications to the National Security Agency (NSA) so that DHS efforts may be supported by NSA exercising its lawfully authorized missions.
The Einstein programs have raised concerns among privacy and civil liberties groups, such as the Center for Democracy and Technology, because they involve scanning the content of communications to intercept malicious code before it reaches government networks.
In 2008, the Department of Homeland Security’s Privacy Office published a Privacy Impact Assessment on early versions of Einstein 2 (.pdf) but has not published one on Einstein 3. The assessment left many questions unanswered, such as how much of a role the National Security Agency will play in the programs and whether information obtained in scans would be shared with law enforcement or intelligence agencies.
What may be the most controversial part of the declassified plan is a discussion of a need for the government to define its role in protecting private critical infrastructure networks. Critical infrastructure includes the electrical grid, telecommunication networks, internet service providers, the banking and financial industry, and others.
The document indicates that DHS and private-sector businesses have already “developed a plan of shared action with an aggressive series of milestones and activities” but doesn’t discuss the nature of those shared actions other than to say that the two sectors are focused on developing a “public-private sharing of information regarding cyberthreats and incidents.”
The U.S. Government depends on a variety of privately owned and operated critical infrastructures to carry out the public’s business. In turn, these critical infrastructures rely on the efficient operation of information systems and networks that are vulnerable to malicious cyberthreats. This Initiative builds on the existing and ongoing partnership between the Federal Government and the public and private sector owners and operators of Critical Infrastructure and Key Resources (CIKR)…. It addresses security and information assurance efforts across the cyberinfrastructure to increase resiliency and operational capabilities throughout the CIKR sectors.
Additionally, the plan calls for a strategy to increase the security of classified networks and to develop and implement a government-wide cybercounterintelligence (CI) plan, but provides little detail about what that would involve.
“A government-wide cybercounterintelligence plan is necessary to coordinate activities across all Federal Agencies to detect, deter, and mitigate the foreign-sponsored cyberintelligence threat to U.S. and private sector information systems,” the plan says. “To accomplish these goals, the plan establishes and expands cyber CI education and awareness programs and workforce development to integrate CI into all cyber operations and analysis, increase employee awareness of the cyber CI threat, and increase counterintelligence collaboration across the government.”
Photo: huertk/Flickr
See also:
- Cyberwar Hype Intended to Destroy the Open Internet
- Obama Says New Cyberczar Won’t Spy on the Net
- Obama Appoints Former Microsoft Security Chief New Cybersecurity Czar
- Obama Promises New Era of Openness
- Obama Cybersecurity Report Addresses Critical Infrastructure and Privacy Issues
Cyberwar Hype Intended to Destroy the Open Internet
The biggest threat to the open internet is not Chinese government hackers or greedy anti-net-neutrality ISPs, it’s Michael McConnell, the former director of national intelligence.
McConnell’s not dangerous because he knows anything about SQL injection hacks, but because he knows about social engineering. He’s the nice-seeming guy who’s willing and able to use fear-mongering to manipulate the federal bureaucracy for his own ends, while coming off like a straight shooter to those who are not in the know.
When he was head of the country’s national intelligence, he scared President Bush with visions of e-doom, prompting the president to sign a comprehensive secret order that unleashed tens of billions of dollars into the military’s black budget so they could start making firewalls and building malware into military equipment.
And now McConnell is back in civilian life as a vice president at the secretive defense contracting giant Booz Allen Hamilton. He’s out in front of Congress and the media, peddling the same Cybaremaggedon! gloom.
And now he says we need to re-engineer the internet.
We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options — and we must be able to do this in milliseconds. More specifically, we need to re-engineer the Internet to make attribution, geo-location, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable. The technologies are already available from public and private sources and can be further developed if we have the will to build them into our systems and to work with our allies and trading partners so they will do the same.
Re-read that sentence. He’s talking about changing the internet to make everything anyone does on the net traceable and geo-located so the National Security Agency can pinpoint users and their computers for retaliation if the U.S. government doesn’t like what’s written in an e-mail, what search terms were used, what movies were downloaded. Or the tech could be useful if a computer got hijacked without your knowledge and used as part of a botnet.
The Washington Post gave McConnell free space to declare that we are losing some sort of cyberwar. He argues that the country needs to get a Cold War strategy, one complete with the online equivalent of ICBMs and Eisenhower-era, secret-codenamed projects. Google’s allegation that Chinese hackers infiltrated its Gmail servers and targeted Chinese dissidents proves the United States is “losing” the cyberwar, according to McConnell.
But that’s not warfare. That’s espionage.
McConnell’s op-ed then pointed to breathless stories in The Washington Post and The Wall Street Journal about thousands of malware infections from the well-known Zeus virus. He intimated that the nation’s citizens and corporations were under unstoppable attack by this so-called new breed of hacker malware.
Despite the masterful PR about the Zeus infections from security company NetWitness (run by former Bush administration cyberczar Amit Yoran), the world’s largest security companies, McAfee and Symantec, downplayed the story. But the message had already gotten out — the net was under attack.
Brian Krebs, one of the country’s most respected cybercrime journalists and occasional Threat Level contributor, described that report: “Sadly, this botnet documented by NetWitness is neither unusual nor new.”
Those enamored with the idea of “cyberwar” aren’t dissuaded by fact-checking.
They like to point to Estonia, where a number of the government’s websites were rendered temporarily inaccessible by angry Russian citizens. They used a crude, remediable denial-of-service attack to temporarily keep users from viewing government websites. (This attack is akin to sending an army of robots to board a bus, so regular riders can’t get on. A website fixes this the same way a bus company would — by keeping the robots off by identifying the difference between them and humans.) Some like to say this was an act of cyberwar, but if that was cyberwar, it’s pretty clear the net will be just fine.
In fact, none of these examples demonstrate the existence of a cyberwar, let alone that we are losing it.
But this battle isn’t about truth. It’s about power.
For years, McConnell has wanted the NSA (the ultra-secretive government spy agency responsible for listening in on other countries and for defending classified government computer systems) to take the lead in guarding all government and private networks. Not surprisingly, the contractor he works for has massive, secret contracts with the NSA in that very area. In fact, the company, owned by the shadowy Carlyle Group, is reported to pull in $5 billion a year in government contracts, many of them Top Secret.
Now the problem with developing cyberweapons (say, a virus or a massive botnet for denial-of-service attacks) is that you need to know where to point them. In the Cold War, it wasn’t that hard. In theory, you’d use radar to figure out where a nuclear attack was coming from and then you’d shoot your missiles in that general direction. But online, it’s extremely difficult to tell if an attack traced to a server in China was launched by someone Chinese, or whether it was actually a teenager in Iowa who used a proxy.
That’s why McConnell and others want to change the internet. The military needs targets.
But McConnell isn’t the only threat to the open internet.
Just last week the National Telecommunications and Information Administration — the portion of the Commerce Department that has long overseen the Internet Corporation for Assigned Names and Numbers — said it was time for it to revoke its hands-off-the-internet policy.
That’s according to a February 24 speech by Assistant Commerce Secretary Lawrence E. Strickling.
In fact, “leaving the Internet alone” has been the nation’s internet policy since the internet was first commercialized in the mid-1990s. The primary government imperative then was just to get out of the way to encourage its growth. And the policy set forth in the Telecommunications Act of 1996 was: “to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation.”
This was the right policy for the United States in the early stages of the Internet, and the right message to send to the rest of the world. But that was then and this is now.
Now the NTIA needs to start being active to prevent cyberattacks, privacy intrusions and copyright violations, according to Strickling. And since NTIA serves as one of the top advisers to the president on the internet, that stance should not be underestimated.
Add to that — a bill looming in the Senate would hand the president emergency powers over the internet — and you can see where all this is headed. And let the past be our guide.
Following years of the NSA illegally spying on Americans’ e-mails and phone calls as part of a secret anti-terrorism project, Congress voted to legalize the program in July 2008. That vote allowed the NSA to legally turn America’s portion of the internet into a giant listening device for the nation’s intelligence services. The new law also gave legal immunity to the telecoms like AT&T that helped the government illegally spy on Americans’ e-mails and internet use. Then-Senator Barack Obama voted for this legislation, despite earlier campaign promises to oppose it.
As anyone slightly versed in the internet knows, the net has flourished because no government has control over it.
But there are creeping signs of danger.
Where can this lead? Well, consider England, where a new bill targeting online file sharing will outlaw open internet connections at cafes or at home, in a bid to track piracy.
To be sure, we could see more demands by the government for surveillance capabilities and backdoors in routers and operating systems. Already, the feds successfully turned the Communications Assistance for Law Enforcement Act (a law mandating surveillance capabilities in telephone switches) into a tool requiring ISPs to build similar government-specified eavesdropping capabilities into their networks.
The NSA dreams of “living in the network,” and that’s what McConnell is calling for in his editorial/advertisement for his company. The NSA lost any credibility it had when it secretly violated American law and its most central tenet: “We don’t spy on Americans.”
Unfortunately, the private sector is ignoring that tenet and is helping the NSA and contractors like Booz Allen Hamilton worm their way into the innards of the net. Security companies make no fuss, since a scared populace and fear-induced federal spending means big bucks in bloated contracts. Google is no help either, recently turning to the NSA for help with its rather routine infiltration by hackers.
Make no mistake, the military industrial complex now has its eye on the internet. Generals want to train crack squads of hackers and have wet dreams of cyberwarfare. Never shy of extending its power, the military industrial complex wants to turn the internet into yet another venue for an arms race.
And it’s waging a psychological warfare campaign on the American people to make that so. The military industrial complex is backed by sensationalism, and a gullible and pageview-hungry media. Notable examples include the New York Times’s John “We Need a New Internet” Markoff, 60 Minutes’ “Hackers Took Down Brazilian Power Grid,” and the WSJ’s Siobhan Gorman, who ominously warned in a piece lacking any verifiable evidence, that Chinese and Russian hackers are already hiding inside the U.S. electrical grid.
Now the question is: Which of these events can be turned into a Gulf of Tonkin-like fakery that can create enough fear to let the military and the government turn the open internet into a controlled, surveillance-friendly net?
What do they dream of? Think of the internet turning into a tightly monitored AOL circa the early ’90s, run by CEO Big Brother and COO Dr. Strangelove.
That’s what McConnell has in mind, and shame on The Washington Post and the Senate Commerce, Science and Transportation Committee for giving McConnell venues to try to make that happen — without highlighting that McConnell has a serious financial stake in the outcome of this debate.
Of course, the net has security problems, and there are pirated movies and spam and botnets trying to steal credit card information.
But the online world mimics real life. Just as I know where online to buy a replica of a Coach handbag or watch a new release, I know exactly where I can go to find the same things in the city I live in. There are cons and rip-offs in the real world, just as there are online. I’m more likely to get ripped off by a restaurant server copying down the information on my credit card than I am having my card stolen and used for fraud while shopping online. “Top Secret” information is more likely to end up in the hands of a foreign government through an employee-turned-spy than from a hacker.
But cyber-anything is much scarier than the real world.
The NSA can help private companies and networks tighten up their security systems, as McConnell argues. In fact, they already do, and they should continue passing along advice and creating guides to locking down servers and releasing their own secure version of Linux. But companies like Google and AT&T have no business letting the NSA into their networks or giving the NSA information that they won’t share with the American people.
Security companies have long relied on creating fear in internet users by hyping the latest threat, whether that be Conficker or the latest PDF flaw. And now they are reaping billions of dollars in security contracts from the federal government for their PR efforts. But the industry and its most influential voices need to take a hard look at the consequences of that strategy and start talking truth to power’s claims that we are losing some non-existent cyberwar.
The internet is a hack that seems forever on the edge of falling apart. For a while, spam looked like it was going to kill e-mail, the net’s first killer app. But smart filters have reduced the problem to a minor nuisance, as anyone with a Gmail account can tell you. That’s how the internet survives. The apocalypse looks like it’s coming and it never does, but meanwhile, it becomes more and more useful to our everyday lives, spreading innovation, weird culture, news, commerce and healthy dissent.
But one thing it hasn’t spread is “cyberwar.” There is no cyberwar and we are not losing it. The only war going on is one for the soul of the internet. But if journalists, bloggers and the security industry continue to let self-interested exaggerators dominate our nation’s discourse about online security, we will lose that war — and the open internet will be its biggest casualty.
UPDATE: In an interesting coincidence, the Obama administration declassified on Tuesday portions of the secret Comprehensive National Cybersecurity Initiative it inherited from President Bush, including unclassified summaries of all 12 initiatives. Note the veiled references to deterrence. See Threat Level’s report from the RSA conference on the release.
Photo: Michael McConnell, then-Director of National Intelligence, watches on in 2008 as President Bush announced the Protect America Act. White House file photo.
See Also:
- Massive Wave of Estonia Cybarmageddon Debunking Begins
- Estonia DDoS Attacks Make Tech Reporters Into Daring War Correspondents
- ‘Cyberwar’ and Estonia’s Panic Attack
- Did Hackers Cause the 2003 Northeast Blackout? Umm, No
- No Chinese Hackers Found in Florida Outage Either
- Brazilian Blackout Traced to Sooty Insulators, Not Hackers …
- Conficker War Room! Your Front Row Seat For Cyber Armageddon
- NSA Must Examine All Internet Traffic to Prevent Cyber Nine-Eleven …
- Put NSA in Charge of Cyber Security, Or the Power Grid Gets It …
- Google Asks NSA to Help Secure Its Network
Wiseguys Indicted in $25 Million Online Ticket Ring
A ring of ticket brokers has been indicted in connection with an elaborate hacking scheme that used bots and other fraudulent means to purchase more than 1 million tickets for concerts, sporting events and other events.
The defendants made more than $25 million in profits from the resale of the tickets between 2002 and 2009.
According to the 43-count federal indictment (.pdf) unsealed Monday in New Jersey, the defendants set up a nationwide network through which they were able to impersonate thousands of individual ticket buyers, defeating the security and fraud measures that online ticket vendors such as Ticketmaster, Musictoday and Tickets.com put in place to thwart automated ticket buying.
The defendants did business as Wiseguy Tickets and Seats of San Francisco, and used two shell companies called Smaug and Platinum Technologies to purchase IP blocks and rent servers to conduct the attacks.
Wiseguy often obtained so many premium tickets for an event that it was the leading source for the best tickets to some of the most popular events, according to prosecutors. They allegedly purchased tickets to Miley Cyrus, Barbra Streisand, Bon Jovi and Bruce Springsteen concerts, as well as tickets to the Rose Bowl football game in 2006 and the 2007 Major League Baseball playoffs at Yankee Stadium.
In 2007, the owners offered employees a 100 percent salary bonus if the company met a goal of purchasing 1 million tickets of a certain value, the authorities said.
Wiseguy co-owner Kenneth Lowson allegedly boasted to one of his contractors in 2005 that Wiseguy had purchased 882 out of 1,000 Rose Bowl tickets that had gone on sale for the 2006 championship football game. On one June day in 2006, Wiseguy also purchased about 136 tickets for Barbra Streisand’s concert tour. And in September 2007, they snagged 229 premium tickets for Bruce Springsteen concerts in New Jersey, and ultimately ended up purchasing more than 11,700 Springsteen tickets that year worth about $1.3 million, the authorities said.
In 2007, they defeated a ticket lottery set up for purchasing tickets to the New York Yankees playoffs. The lottery limited purchases to two tickets per person, but Wiseguy was able to purchase 1,924 tickets worth about $159,000, the authorities said.
Also in 2007, they purchased 11,984 tickets for various Miley Cyrus/Hannah Montana concerts around the country worth about $916,000, the authorities said.
Lowson, 40, and Wiseguy co-owner Kristofer Kirsch, 37, were indicted along with Chief Financial Officer Faisal Nahdi, 36, and programmer Joel Stevenson, 37, on various counts of unauthorized computer access and wire fraud. Stevenson, who earned $150,000 as the outfit’s chief computer programmer and system administrator, allegedly created significant parts of the code used to purchase the tickets and also oversaw a team of other programmers based in the United States and Bulgaria. The indictment lists the initials of three contract workers in Bulgaria who each earned between $1,000 and $1,500 a month writing code and managing the network.
Law-abiding online ticket vendors sell tickets on a first-come, first-served basis and have invested millions of dollars in architecture that queues up customers in the order they arrive at a site. This protocol reserves a ticket or block of tickets in the system for a limited time, such as 5 minutes, while the buyer decides whether to complete the purchase.
Premium tickets can sell out within 30 seconds for popular events, making it crucial where a buyer stands in the queue.
To prevent bots from purchasing tickets in bulk, online ticket vendors use CAPTCHA challenges and proof-of-work software designed to detect and slow down computers that are attempting to purchase large numbers of tickets. Online vendors also block IP addresses used to make bulk purchases.
According to the indictment, Lowson and Kirsch interviewed former employees of online ticket vendors to determine what measures they took to thwart automated buying and also obtained source code, in some cases through hacking. They then advertised for programmers who could bypass CAPTCHA challenges to get to the purchase page and figure out ways to defeat ticket queues to land coveted spots at the front of the line.
The perpetrators’ bots monitored ticket websites and sprang into action the minute tickets went on sale, opening thousands of internet connections simultaneously, defeating both visual CAPTCHAs and audio CAPTCHAs used for visually impaired customers. The bots also filled out purchase pages with customer credit card information and fake e-mail addresses.
Ticketmaster used various means to try to thwart Wiseguy’s operation, at one point switching to a service called reCAPTCHA, which is also used by Facebook. It’s a third-party CAPTCHA that feeds a CAPTCHA challenge to a site’s visitors. When a customer tries to purchase tickets, Ticketmaster’s network sends a unique code to reCAPTCHA, which then transmits a CAPTCHA challenge to the customer.
But the perpetrators were able to thwart this as well. They wrote a script that impersonated users trying to access Facebook, and downloaded hundreds of thousands of possible CAPTCHA challenges from reCAPTCHA. They identified the file ID of each CAPTCHA challenge and created a database of CAPTCHA “answers” to correspond to each ID. The bot would then identify the file ID of a challenge at Ticketmaster and feed back the corresponding answer. The bot also mimicked human behavior by occasionally making mistakes in typing the answer, the authorities said.
The perpetrators took orders from ticket brokers, who were required to provide credit card numbers and account holder names in advance of a purchase so they could be programmed into the bot. Once the account holders received the tickets, they’d send them to Wiseguy, which would refund their credit card account. Wiseguy also had a bank of about 1,000 phone numbers that the bot submitted as customer contact numbers.
The bot would seize a block of prized seats, from which Wiseguy employees would cull the best for clients, then release unwanted seats back to the system. A legitimate ticket buyer who tried to purchase the same seats during this time might find them unavailable one minute, then available the next minute.
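The reCAPTCHA replay and the mass, simultaneous solving described above, as an added example (not part of the original article, and not Ticketmaster's, reCAPTCHA's or Wiseguy's code): a challenge store that issues single-use, session-bound, expiring challenge IDs, so a harvested "file ID to answer" database has nothing to match against, and a detector run over constructed log lines that flags clients solving more often and faster than a person could. The log format, class and function names, thresholds and sample values are all assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from statistics import median


class ChallengeStore:
    """Hypothetical server-side CAPTCHA bookkeeping: each challenge has a fresh random ID,
    is bound to one session, is consumed on the first answer attempt, and expires."""

    def __init__(self, secret: bytes, ttl_seconds: float, clock):
        self._secret = secret
        self._ttl = ttl_seconds
        self._clock = clock          # injectable clock keeps the example deterministic
        self._pending = {}           # challenge_id -> (session_id, answer_mac, issued_at)

    def _mac(self, challenge_id: str, answer: str) -> str:
        # Keep an HMAC of the answer keyed to the challenge ID, never the plaintext answer.
        msg = (challenge_id + "|" + answer.strip().lower()).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str, answer: str) -> str:
        challenge_id = secrets.token_hex(16)   # unguessable and never reused
        self._pending[challenge_id] = (session_id, self._mac(challenge_id, answer), self._clock())
        return challenge_id

    def verify(self, session_id: str, challenge_id: str, answer: str) -> bool:
        entry = self._pending.pop(challenge_id, None)   # single use: consumed right or wrong
        if entry is None:
            return False
        bound_session, expected, issued_at = entry
        if bound_session != session_id or self._clock() - issued_at > self._ttl:
            return False
        return hmac.compare_digest(expected, self._mac(challenge_id, answer))


def flag_fast_solvers(log_text: str, window_seconds: float = 60.0,
                      max_solves: int = 10, min_median_latency: float = 2.0) -> dict:
    """Flag client IPs whose CAPTCHA solving looks scripted.

    Constructed log format (one event per line, not any vendor's real format):
        <epoch_seconds> <client_ip> <session_id> ISSUE|SOLVE <challenge_id>
    Signals: more than max_solves solves inside any window_seconds span, or a median
    issue-to-solve latency below what a person needs to read and type a challenge.
    A bot that deliberately mistypes some answers still trips both: the errors
    do not slow it down.
    """
    issued = {}
    latencies = defaultdict(list)
    solve_times = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, _session, event, cid = line.split()
        ts = float(ts)
        if event == "ISSUE":
            issued[cid] = ts
        elif event == "SOLVE" and cid in issued:
            latencies[ip].append(ts - issued.pop(cid))
            solve_times[ip].append(ts)

    flagged = {}
    for ip, times in solve_times.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted solve times
            while times[start] < t - window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        med = median(latencies[ip])
        reasons = []
        if peak > max_solves:
            reasons.append(f"{peak} solves within {window_seconds:g}s")
        if med < min_median_latency:
            reasons.append(f"median solve latency {med:.1f}s")
        if reasons:
            flagged[ip] = reasons
    return flagged


def constructed_log() -> str:
    """Constructed sample: one human buyer and one client answering from a lookup table."""
    lines = ["1000.0 198.51.100.7 h1 ISSUE ch1", "1008.0 198.51.100.7 h1 SOLVE ch1",
             "1020.0 198.51.100.7 h1 ISSUE ch2", "1032.0 198.51.100.7 h1 SOLVE ch2"]
    for i in range(15):                          # 15 sessions opened as sales begin
        t = 1000.0 + 2 * i
        lines.append(f"{t} 203.0.113.5 b{i} ISSUE bc{i}")
        lines.append(f"{t + 0.3} 203.0.113.5 b{i} SOLVE bc{i}")
    return "\n".join(lines)


if __name__ == "__main__":
    clock = [100.0]
    store = ChallengeStore(b"constructed-secret", ttl_seconds=120, clock=lambda: clock[0])
    cid = store.issue("sess-A", "Tw7Kq")
    print("answer replayed from another session accepted:", store.verify("sess-B", cid, "Tw7Kq"))
    print("flagged clients:", flag_fast_solvers(constructed_log()))
```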
Photo: ladybugbkt/Flickr
Lawmakers Punt Patriot Act to Obama
Congress is sending President Barack Obama legislation that extends three provisions of the Patriot Act — despite heated debate among lawmakers that the surveillance measure goes too far.
The act, hastily adopted six weeks after the 2001 terror attacks, greatly expands the government’s ability to spy on Americans in the name of national security. Three measures of the act were set to expire at the end of 2009, but in December lawmakers extended the deadline to the end of February in hopes of reaching a compromise.
But no deal was reached by the end of the new Feb. 28 deadline. Instead, the Senate and House of Representatives ditched their two conflicting measures and extended the Patriot Act for another year without any changes. The final package was sent to the president Thursday for his expected signature.
Lawmakers had taken the expiration as an opportunity to revisit a number of the act’s surveillance provisions, including elements of the Patriot Act that were not expiring. This included proposals to alter the standard by which so-called National Security Letters are issued.
The letters allow the FBI, without a court order, to obtain telecommunication, financial and credit records relevant to a government investigation. The FBI issues about 50,000 NSLs annually, and an internal watchdog has found repeated abuses of the NSL powers.
At one point last year, reforming the NSL took center stage during vigorous debate in committee hearings. The Senate had moved to make it more difficult for the FBI to issue NSLs, but caved after the administration argued NSLs were assisting the fight against terrorism. A House version granted the public greater protections.
The status quo, however, prevailed this week and the NSL structure was left intact, as were the three expiring provisions. They were extended on a 315-97 House vote Thursday and by a Senate voice vote the day before.
The three extended Patriot Act provisions are:
- The “roving wiretap” provision allows the FBI to obtain wiretaps from a secret intelligence court, known as the FISA court, without identifying the target or what method of communication is to be tapped.
- The “lone wolf” measure allows FISA court warrants for the electronic monitoring of a person for whatever reason — even without showing that the suspect is an agent of a foreign power or a terrorist. The government has said it has never invoked that provision, but the Obama administration said it wanted to retain the authority to do so.
- The “business records” provision allows FISA court warrants for any type of record, from banking to library to medical, without the government having to declare that the information sought is connected to a terrorism or espionage investigation.
Illustration: Chuckumentary/Flickr
Former Teen Cheerleader Dinged $27,750 for File Sharing 37 Songs
Whitney Harper must pay the RIAA $27,750 for file sharing that began when she was 14
A federal appeals court is ordering a university student to pay the Recording Industry Association of America $27,750 — $750 a track — for file sharing 37 songs when she was a high school cheerleader.
The decision Thursday by the 5th U.S. Circuit Court of Appeals reverses a Texas federal judge who had ordered defendant Whitney Harper to pay $7,400, or $200 per song. The lower court had granted her an “innocent infringer’s” exemption to the Copyright Act’s minimum of $750 per track because she said she didn’t know she was violating copyrights and thought file sharing was akin to internet radio streaming.
The appeals court, however, said the woman was not eligible for such a defense — even if it was true she was between 14 and 16 years old when the infringing activity occurred on Limewire. The reason, the court concluded, is that the Copyright Act precludes such a defense if the legitimate CDs of the music in question provide copyright notices.
“Harper cannot rely on her purported legal naivety [sic] to defeat the … bar to her innocent infringer defense,” the New Orleans-based appeals court ruled unanimously, 3-0.
Harper, now 22 and a Texas Tech senior, said in a 2008 interview that she didn’t know what she did was wrong when she file shared Eminem, the Police, Mariah Carey and others as a teen.
“I knew I was listening to music. I didn’t have an understanding of file sharing,” she said.
Scott Mackenzie, the woman’s attorney, said Friday that “She’s going to graduate with a federal judgment against her.” The RIAA, which has sued thousands of people for infringement, labeled Harper as “vexatious” when she refused to settle the case.
Harper’s case moved up the judicial ladder without a trial. Mackenzie said he was mulling whether to appeal to the U.S. Supreme Court.
Only two RIAA cases against individuals have gone to trial, both of which earned the RIAA whopping verdicts.
Most of the thousands of RIAA file sharing cases have settled out of court for a few thousand dollars. The RIAA is winding down its 6-year-old litigation campaign targeting individual file sharers and instead is working with internet service providers to adopt rules that could cut off or hinder internet access to copyright scofflaws.
The first RIAA case to go to trial against an individual concerned Jammie Thomas. A Minnesota jury ordered the woman to pay $1.92 million for file sharing 24 songs. The judge in the case reduced the award to $54,000 — $2,250 a track.
The second case concerns Joel Tenenbaum, a Boston University grad student who a jury ordered to pay $675,000 for file sharing 30 tracks last year. Tenenbaum has asked the judge in the case to lower the award. A decision is pending.
Military Monitored Planned Parenthood, Supremacists
The U.S. military monitored Planned Parenthood and a white supremacist group as part of the government’s security preparations for the 2002 Olympics in Utah, according to new documents released by the Department of Defense.
The U.S. Joint Forces Command liaison collected and disseminated information on U.S. citizens who were members of Planned Parenthood and the white supremacist group National Alliance regarding their involvement in protests and distributing literature, according to an intelligence-oversight report released by the Pentagon. The documents indicate that the JFC liaison was working with the FBI’s Olympic Intelligence Center at the time.
This and other intelligence-activity disclosures appear in heavily redacted documents that were released to the Electronic Frontier Foundation. They came in response to an ongoing Freedom of Information Act project the organization is conducting to obtain oversight information from intelligence agencies.
EFF received more than 800 pages from intelligence oversight reports created by the Defense Department inspector general that examine actions, conducted by various branches of the department, that are believed to be illegal.
The reports cover the years 2001 to 2008 and were submitted to the Intelligence Oversight Board and cover the U.S. Army, the Joint Chiefs of Staff and other military entities. The board is composed of private citizens with security clearances who are supposed to submit to the office of the president any reports describing activities that are believed to be illegal.
The reports provide little context for the information that’s disclosed, leaving the public to wonder about the nature and extent of the information and surveillance revealed in them.
Pertaining to the Planned Parenthood members, for example, the oversight report provides no explanation about how the information was collected. Nor does it indicate why the information was collected and notes only that military intelligence is not allowed to collect and disseminate information on U.S. persons unless the information constitutes “foreign intelligence.” The report indicates that the collection was therefore “clearly outside the purview of military intelligence” and should have been handled by law enforcement.
Another oversight document discusses an incident involving the interception of civilian cellphone conversations of U.S. persons in April 2007. During a field exercise at Fort Polk, Louisiana, a Signals Intelligence noncommissioned officer operating a SIGINT collection system intercepted the cell phone calls, though the document doesn’t indicate if they were intercepted on U.S. soil or outside U.S. borders.
Initial reports indicated that the noncommissioned officer listened to the conversations for entertainment purposes, and the incident was reported to the National Security Agency. But the inspector-general document indicates that the officer never admitted to this and indicates only that he may have listened to some conversations “longer than necessary to do his job.”
Five months after the incident, the SIGINT staff at Fort Polk was given a refresher on United States Signals Intelligence Directive 18, an NSA rule that bars overseas surveillance of Americans without authorization and probable cause and provides instructions for destroying incidental interceptions that are collected unintentionally.
Another document obtained by EFF reveals that the Air Force Office of Special Investigations set up a “honey-pot” website in May 2006 “to identify & exploit foreign threats to DoD” and only realized in October 2007 that it potentially violated a sealed Foreign Intelligence Surveillance Court order.
“[D]uring the course of coordinating the operation with another agency,” the document states, “it was realized that the collection of some information targeting non-U.S. persons may be incongruent with a Spring ‘07 classified Foreign Intelligence Surveillance Act Court (FISC) opinion which may require a FISA warrant for legal interception in such cyber operations.”
Because the court order was sealed, the AFOSI staff didn’t know about it and only realized it might be applicable to their honey-pot project when they read about the order in the press. The Air Force halted the honey-pot operation and its “potential questionable activity” and asked the Justice Department for a copy of the sealed FISA Court order, but was denied access to it. At the time of the oversight report in 2008, the AFOSI still had not obtained clarification about the contents of the FISC order.
A document from a 2008 oversight report indicates that Army Cyber Counterintelligence officers attended a Black Hat security conference without disclosing their Army affiliation. The conference, held annually in Las Vegas and Washington, D.C., attracts hackers and security professionals from around the world. It’s also a hotbed gathering for undercover law enforcement and intelligence agents from around the world who come to learn about the latest computer security vulnerabilities and what specific hackers are up to. The documents don’t indicate if the officers collected any information on conference attendees.
EFF expects to receive additional documents from the Defense Department, as well as from the National Security Agency, Central Intelligence Agency and Office of the Director of National Intelligence.
Photo: PDX Pixels/Flickr
Whistleblower Site Back After Microsoft Withdraws Complaint
Cryptome, the secret-document-spilling site, is back online Thursday, after Microsoft withdrew a copyright complaint that shuttered the site the day before.
Microsoft’s efforts to suppress a document about how to subpoena online user data backfired, leading instead to widespread attention to (and republication of) the document it tried to suppress.
Microsoft did not apologize in its Thursday statement, and defended its use of copyright law to keep its law enforcement manual private.
Like all service providers, Microsoft must respond to lawful requests from law enforcement agencies to provide information related to criminal investigations. We take our responsibility to protect our customers’ privacy very seriously, so have specific guidelines that we use when responding to law enforcement requests. In this case, we did not ask that this site be taken down, only that Microsoft copyrighted content be removed. We are requesting to have the site restored and are no longer seeking the document’s removal.
Cryptome’s proprietor John Young published the 22-page document earlier this week, leading Microsoft to take legal action Tuesday. The document, which contains no trade secrets, advises law enforcement how to file subpoenas (.pdf), outlines what data Microsoft keeps on users of its online services such as Xbox Live and Hotmail, and explains how to parse the resulting user data.
Cryptome’s hosting provider, Network Solutions, chose to shutter the entire site and lock down the domain name, even before the Thursday deadline for Young to remove the document. Under the Digital Millennium Copyright Act, a U.S.-based host is immune to liability if it makes sure the allegedly offending content is taken down during the time that a counter-claim is being considered in court.
Similar manuals from other large service providers such as Yahoo and Facebook have also been leaked and published online recently. Yahoo also tried unsuccessfully to use the DMCA to suppress its document. However, there is a clear news value to publishing such documents, even if they’re copyrighted.
Microsoft took nearly 24 hours to respond to an inquiry for comment, losing the opportunity to quickly leapfrog to the forefront of transparency by understanding that such documents need not — and should not — be hidden from users (with the possible exception of the law enforcement hotline number).
Cox Communications, which runs the nation’s third largest ISP, has long made its law enforcement subpoena page — including prices — public.
But Microsoft, Google, Facebook and Yahoo do not follow that example, even though all of them want their users to trust them with their most sensitive data and communications. Nor do any of them publish the most basic statistics on how often law enforcement comes knocking with subpoenas and warrants.
In fact, the simplest lesson here is that none of the pixels published over this incident would have been necessary if Microsoft had just published this document in the first place, which few people would have ever bothered to go read. Instead, these companies prefer to worry about the sensitivities of corporate-ass-covering lawyers and law enforcement agencies instead of putting their users and transparency first.
Photo: Emma Swann, Front page photo: Robert Scoble
Wisconsin Teen Gets 15 Years for Facebook Sex-Extortion Scam
A Wisconsin teenager was sentenced to 15 years in prison Wednesday for an extortion scheme in which he tricked male classmates into sending him nude photos of themselves, then blackmailed them with exposure if they didn’t have sex with him.
In 2008, defendant Anthony Stancl, who was 18 at the time, posed as a girl on Facebook and tricked more than 30 male classmates into sending him photos of themselves. According to court documents (.pdf), authorities found 300 photos of underage males on his computer as well as video of some of the victims exposing their genitals and masturbating; some of the victims were 15 years old.
The photos were stored in 40 folders on Stancl’s computer, each of which was named after a victim whose photos were in the folder. In one case, police found 24 pictures of a single victim. The scheme occurred for about a year from November 2007 to November 2008, when victims came forward.
At least seven of the victims said that Stancl, posing as a girl, threatened to post their nude pictures on the internet or send them to their friends unless they engaged in sexual activity with a male friend of “hers.” When the victims met with the male friend, who was Stancl, the perpetrator performed oral sex on the victims and took a photo of the activity with his cellphone.
One of the victims, who was 16 at the time, reported that after allowing Stancl to perform oral sex on him, the girl “Kayla” said it wasn’t enough and threatened to post the oral sex pictures online if the victim didn’t have anal sex with Stancl. After this occurred on two occasions, “Kayla” demanded the victim send her a nude photo of his brother as well. The victim then went to his parents, who contacted police.
Stancl told the victims that he was an extortion victim himself and was being forced to have sex with them and photograph it in order to prevent other photos of himself from being exposed.
His attorney, Craig Kuhary, says that Stancl’s activity was prompted by anxiety over his sexual orientation and the alienation he felt after he was humiliated and outed by another student.
Stancl claimed he had been sexually assaulted by an upperclassman during his sophomore year. He’d been attracted to the student and when they met, Stancl says the student forced him to have oral sex. After this, other students began spreading rumors about him and doctoring photos of him to suggest he was gay. His attorney says he lost a number of friends over this and became a loner.
“He had a strong desire to fit in with everyone,” Kuhary told Threat Level. “I think that was why he went to the great length he did to appear that he wasn’t gay and was just a victim [of extortion] like they were…. He was never comfortable with the fact that he was bisexual so he came up with an elaborate scheme to cover that to appear to be a normal heterosexual teen.”
Stancl’s illegal activity, however, wasn’t limited to sex crimes. He was expelled from New Berlin Eisenhower High School for allegedly making a bomb threat in November 2008. On Nov. 12, two students found a note written on the wall of a men’s bathroom that read “Bomb 11/14/08.” Law enforcement conducted a sweep of the school but found no explosives. The next day, two school administrators and a science teacher received an e-mail that read in part: “Good luck tomorrow. Boom. It won’t be your average one either. It will be one that is manned. Not by me, but by those who follow me.”
Officials traced the e-mail to the New Berlin Public Library and ultimately to Stancl, who admitted he sent the e-mails. He denied writing the note on the bathroom wall, however, and said he sent the e-mails the next day only to “make it a better story.”
The sexual allegations only came to light after Stancl was already being investigated for the bomb threat.
Stancl was charged with soliciting sex from minors, possessing child pornography and making a bomb threat. He pleaded no contest in December to two Wisconsin felonies — repeated sexual assault of the same child and third-degree sexual assault. At his sentencing, according to the Associated Press, he apologized, saying he understood the distress his victims experienced.
Kuhary says the statement included an apology to each of the victims, the school district, Stancl’s classmates and his family.
He added that Stancl faced a possible sentence of 30 years but that the goal was to “attempt to salvage this young man’s life so that he would have a good number of years left whenever he completed his sentence.”
The district attorney in Waukesha County, where the case was brought, did not immediately respond to a call for comment.
Yelp Accused of Extortion
Yelp, the online review site, is being accused of extortion in a class-action lawsuit filed in Los Angeles this week.
The suit alleges that the site tried to get a Long Beach veterinary hospital named Cats and Dogs Animal Hospital to pay $300 a month — for a minimum 12-month commitment — to suppress or delete reviews that disparaged the hospital.
The popular San Francisco–based site Yelp is one of the leading sites for consumers to post reviews and comments about their local businesses and services. It touts its integrity with the slogan: “Real people. Real reviews.” The company was founded in 2004 and has spread throughout the United States. It launched in the United Kingdom and Ireland last year.
But according to the complaint filed in U.S. District Court (.pdf) for the Central District of California, the site manipulates the reviews, and therefore a business’ ratings, through an extortion scheme that offers to remove a business’ negative reviews or relocate them to the bottom of a listing page where fewer visitors will see them, if the business purchases a monthly advertising subscription.
“Yelp thus capitalizes on the presumed integrity of the Yelp.com ratings system to extort business owners to purchase advertising,” says the complaint. “As a result, business listings on Yelp.com, contrary to the website’s ‘Real people. Real reviews.’ mantra, are in fact biased in favor of businesses that buy Yelp advertising.”
The suit alleges that last September, Cats and Dogs owner Dr. Gregory Perrault became aware of a negative review posted on Yelp by a user named Chris R. Perrault viewed it as defamatory and possibly false.
He researched the information in the review and discovered that it referred to a hospital visit that occurred more than 18 months prior to its posting. (Yelp’s policy allows reviews to be posted within 12 months of an experience with the business.) The hospital asked Yelp to remove the review for violating Yelp’s review guidelines, and the site complied. But a second negative review appeared five days later from a user identified as Kay K.
That review read in part:
Dr. Perrault is the rudest vet I’ve ever been to … probably one of the rudest people I’ve had the displeasure of meeting. I agree with the previous reviews about making you feel like an unfit mom. My pup had been sick and I had a theory on what the problem may have been and he wouldn’t even entertain the idea, but instead, made me feel bad because my dog got sick. And, my poor dog was terrified of him! He made me feel like I was 2 inches tall and repeatedly looked down his nose at me. Oh, and OVER PRICED! OMG! Who does he think he is??? I did not feel welcomed by him nor his staff. I paid you for a service! No need to treat me so bad!
The plaintiff claims that Yelp sales staff then began calling the hospital frequently with “high-pressure” tactics promising to move or delete negative reviews in exchange for purchasing a one-year advertising contract. The site also allegedly promised to ensure that negative reviews wouldn’t appear in Google or other search engine results. When the hospital declined, the negative review from “Chris R.” re-appeared on the site, followed by a second negative review from Kay K.
The latter review referred to Dr. Perrault as “an @$$” and “a jerk, a D-Bag, And so arrogant.”
I ran into him in a neighborhood store right after he saw my poor sick dog at his clinic and he looked right at me, recognized me, rolled his eyes and looked away!!!! Seriously, someone needs to knock this guy down to the size he really is. He needs to drop his Napoleon complex and be a professional. After my horrible experience with him, I took my sick dog to Bixby Animal Clinic and I have never had a more pleasant vet experience! Go there instead! My dog loved everyone there!
When the hospital complained to Yelp, the site sent a letter to the hospital saying it would be leaving the reviews in place.
“Because we don’t have firsthand knowledge of a reviewer’s identity or personal experience, we are not in a position to verify your claims that these reviewers are the same person, or that they are connected to the recent vandalism at your hospital,” the letter read. “If a review appears to reflect the personal opinion and experiences of the reviewer while adhering to our review guidelines [link], it is our policy to allow the reviewer to stand behind his or her review.”
The suit’s claims seemed to be backed up by an East Bay Express article published last year that also accused the site of running an extortion racket. In that piece, numerous business owners described similar scenarios to the one alleged by the plaintiff. The Oakland, California–based newspaper later reported that after its first story published, many more businesses from around the country contacted it to complain of similar experiences.
“Yelp’s sales tactics amount to high-tech extortion,” said plaintiff attorney Jared Beck in a press release. “The victims tend to be small businesses, such as our client, who often have no choice but to pay Yelp exorbitant sums in order to prevent further harm to their livelihoods.”
Yelp recently received a $25 million investment from Elevation Partners through the purchase of preferred stock with a plan to invest an additional $75 million through purchases of employee and shareholder stock. The site earns revenue from search and display ads.
The company claims that its site had more than 26 million unique visitors in December 2009 and that it has published more than 9 million reviews.
Yelp recently walked away from discussions with Google to buy the company for about $550 million.
Yelp released a written statement in response to the lawsuit.
“The allegations are demonstrably false, since many businesses that advertise on Yelp have both negative and positive reviews,” the statement read. “These businesses realize that both kinds of feedback provide authenticity and value. Running a good business is hard; filing a lawsuit is easy. While we haven’t seen the suit in question, we will dispute it aggressively.”
Microsoft Takes Down Whistleblower Site, Read the Secret Doc Here
Microsoft has managed to do what a roomful of secretive, three-letter government agencies have wanted to do for years: get the whistleblowing, government-document sharing site Cryptome shut down.
Microsoft dropped a DMCA notice alleging copyright infringement on Cryptome’s proprietor John Young on Tuesday after he posted a Microsoft surveillance compliance document that the company gives to law enforcement agents seeking information on Microsoft users. Young filed a counterclaim on Wednesday — arguing he had a fair-use right to publish the document — a full day before the Thursday deadline set by his hosting provider, Network Solutions.
Regardless, Cryptome was shut down by Network Solutions and its domain name locked on Wednesday — shuttering a site that thumbed its nose at the government since 1996 — posting thousands of documents that the feds would prefer never saw the light of day.
Microsoft did not return a call for comment by press time.
The 22-page document (.pdf) contains no trade secrets, but will tell Microsoft users things they didn’t know. (You can read it directly on your own computer from the above link, or read it inline below.)
For instance, Xbox Live records every IP address you ever use to log in and stores them in perpetuity. While that’s going to be creepy for some, there’s an upside if your house gets robbed, according to the document: “If your investigation involves a stolen Xbox console, if the console serial number or Xbox LIVE user gamertag is provided and the console has been connected to the Internet, IP connection records may be available.”
The Microsoft® Online Services Global Criminal Compliance Handbook (.pdf) also goes so far as to provide sample language for subpoenas and diagrams on how to understand server logs.
Other things you might not know and which Microsoft (sometimes oddly) doesn’t want you to know?
Microsoft retains only the last 10 login records for Windows Live ID. As for your instant messages, it tells police that it keeps no record of what anyone says over Microsoft Messenger, though it will turn over who is on your buddy list.
And if you like to use Microsoft’s social networking products, like its old-school Group mailing list or its Facebook-like Spaces product, be aware that they are very social when it comes to law enforcement or court subpoenas.
As Microsoft tells prospective subpoena issuers, “when you are looking for information on a specific incident like a photo posting or message posting, please request all group content and logs. We cannot retrieve single incident data.” The same holds for Spaces: if you are interested in a single picture, just request the entire thing. Call it Subpoena 2.0.
The compliance handbook is just the latest in a series of leaks of similar documents from other companies. Yahoo, like Microsoft, reacted as if its secret sauce had been spilled when curious users learned how and why the company handles lawful surveillance requests. Google, for all its crusading for internet freedom, refuses to say how often law enforcement comes searching for user data.
The one company with a stand-up policy is Cox Communications, whose ISP has made this information and its price list public for years.
But hypocrisy is the name of the game for giant internet companies like Yahoo, Microsoft and Google that want us to entrust large portions of our lives to Gmail, Yahoo Mail, Buzz, Xbox, Hotmail, Messenger, Google Groups. When it comes to the most basic information about how, why and how often our data is subpoenaed and collected without our knowledge, these online innovators resort to lawyers, abusive legal process and double-talk.
Photo: Emma Swann
See Also:
- Yahoo, Verizon: Our Spy Capabilities Would ‘Shock’, ‘Confuse …
- Yahoo Issues Takedown Notice for Spying Price List
- Google Talks Transparency, But Hides Surveillance Stats
China Widens Net Censorship; Google Exile Looms
The Chinese government is imposing new internet restrictions that require personal-website operators to obtain central-government permission to operate their sites.
The latest censorship measure, which covers .cn domestic domains, comes as Google is trying to convince Chinese censors to ease up. Google said 43 days ago it would undertake a self-imposed exile from China if the government does not back off from requiring it to censor search results.
The government said the latest move, which also requires site owners to submit a photograph and to show identification, was aimed at tackling pornography. Critics, though, said it was aimed at silencing political dissent. China did not say when the rules would be enforced.
The plan underscores that China is not likely to blink in its confrontation with Google, at least not anytime soon. That leaves Google at an ethical and business crossroads as the days tick by since its Jan. 12 announcement that it would leave China if it has to continue censoring search results there.
Google declined Wednesday to directly address negotiations surrounding its China announcement.
“We are not commenting on what might or might not be happening,” Google spokesman Scott Rubin said in a telephone interview.
China is known for having some of the world’s strictest controls on the internet.
Last year, the Chinese government decided to mandate censorship software called Green Dam in all new PCs (to which manufacturers acquiesced). In March it blocked YouTube because of videos of anti-Tibetan violence, a block that remains. Then the government began hammering on Google, claiming the search engine was steering too many people to pornography.
Illustration: TheG
See Also:
- China Censors: The Tiananmen Square Anniversary Will Not Be Tweeted
- Google to Stop Censoring Search Results in China After Hack Attack
- Web Censor Seeks $2.2 Billion for China Hack
- China Blocks Wired.com With ‘Great Firewall’ - Updated
- China Stands Firm in Response to Google Threat