Friday, March 27, 2009

Will New Tracker Tools for Your Cell Phone Give You Away?

Cell phone apps like Loopt and the new Google Latitude allow you to track your friends' physical locations, and be tracked in return. That can be a huge boon for meeting up on a Friday night, and a real nightmare for privacy if proper safeguards aren't in place. (Read more on cell phone privacy.)
I checked out both applications. For starters, neither will share your location with anyone until you explicitly agree to such sharing with each individual friend. So you can install either one and see how it looks without divulging where you are.
Also, after inviting a friend to share his or her location, or being invited to do so yourself, you can go back and change the setting to stop sharing your location with a particular friend and continue sharing with others, or stop sharing with anyone.
But what happens if you set up either app to share with friends, and forget about it? Or what if someone else puts it on your phone, without your knowledge, to track you?
In what's usually seen as a limitation, the iPhone doesn't allow running programs in the background, so Loopt can't update your location unless you open the app (Google Latitude, when it becomes available for the iPhone, should work similarly).
But most other cell phone platforms allow background processes to run silently, a potential problem. Within a few days of installing Loopt, however, you'll get an SMS notice so you'll know it's there. Loopt CEO Sam Altman also says that if you don't use Loopt for a while it will automatically stop sharing your location, likely within a week of non-use. Google Latitude will display a pop-up notification on all phones save Android-based devices (whose users will receive an e-mail, Google says), but it won't automatically shut off.
Google does let you limit sharing to only your city-level location, and in both apps you can enter a (possibly false) location for yourself.
Both Google and Loopt say they do not store historical locations, only your last location. That's important in case someone, such as the government or a civil litigant, seeks that data. Loopt says it will share that info only under a wiretap order. Google hasn't said it will do the same, but it does have a record of fighting government requests for its users' information.
My conclusions? Some things could be improved: First, you should be able to share your location only for a set amount of time, say the next 2 hours, or from 6 to 9 p.m. on Fridays. Loopt says that ability will come in a future release, but Google isn't planning to announce anything along those lines.
Next, I think Google should have an auto-shutoff after a certain amount of time, in case you become forgetful. And it should explicitly declare it won't share your information without a wiretap order.
Of the two, you might try Loopt (ideally on an iPhone), since it has auto-off and will also come out with time-based controls.
But here's the kicker: As Kevin Bankston of the Electronic Frontier Foundation points out, the safeguards in place are only company policy, not a legal requirement. And policies can change.

IP Issues Could Be Slowing IBM-Sun Talks, Experts Say

If IBM is in the due diligence phase of acquisition talks with Sun Microsystems, as news reports suggest, then it has an awful lot to be diligent about.
In a merger of this scale, IBM would need to take a hard look not only at Sun's finances but also at any antitrust issues that may arise, as well as potential conflicts related to intellectual property. Those could include compatibility of software licenses and patent agreements with third parties.
"In a deal of this size, there are typically lots of moving parts," said Randall Bowen, an attorney at Grad, Logan and Klewans in Falls Church, Virginia. "Think of a kaleidoscope, where you turn it and everything comes together to form a nice symmetrical shape. Either that happens and everything falls into place, or else it shatters."
The Wall Street Journal reported last Friday that IBM was scouring Sun's business contracts for potential conflicts in a prelude to a possible merger, a process it said was expected to take "a number of days." With another week over and no word about a deal from the companies, some observers are starting to wonder if there's a holdup.
"It's impossible to know what it is they're looking at, but the fact that it's taking this long gives one pause to wonder whether there's just such a volume of contracts to look at that it's occupying all this time, or whether they've found some issues that they're busily chasing down," said Steven Frank, a partner with the law firm Goodwin Procter.
To be sure, the due diligence process for a merger this size could take months to complete. But companies often do a cursory review of the business they hope to acquire in order to announce a preliminary merger agreement. They then take several months before the deal is finalized to pore over the details.
If they do plan to merge, Sun and IBM may simply be haggling over price. But if the due diligence is holding them up, the thorny area of intellectual property could create some sticking points, said Frank, who spoke about IT industry mergers in general and not specifically this one.
Both companies have vast product portfolios governed by a mix of open-source and commercial licenses. They also have numerous patent and cross-licensing deals with third parties, including a byzantine agreement that Sun forged with Microsoft in 2004 that ended a lawsuit between them over the Java software technology.
Sun may be licensing a technology from a third party that is vital to one of its products, for example, and such agreements sometimes have clauses stipulating that the license can't be transferred if the licensee is acquired. IBM would need to approach the third party to extend the license, or decide whether to go ahead with the merger even if it has to find another way to build the product.
That's the issue Intel raised about Advanced Micro Devices' sale of its manufacturing operations to an Abu Dhabi investment group. Intel accused AMD of violating a cross-patent agreement on x86 processors that could not be transferred to a third party, and the companies are in talks with a mediator to resolve the dispute.
Conflicting software licenses can also be a problem. Dozens of Sun's products, including OpenSolaris, NetBeans and its GlassFish Web software, use its Common Development and Distribution License, which is based on the open-source Mozilla Public License. Its MySQL database is offered under the GPL or a Sun commercial license, while still other products use different licenses.
Depending on what IBM has planned for Sun's technologies, the mix of licenses could be a challenge, said Randall Colson, a partner at Haynes and Boone. For example, some industry analysts speculate that IBM wants to merge the best of Solaris into IBM's AIX Unix, which is offered under an IBM commercial license. If Sun has merged a third party's open-source code into Solaris, IBM may find barriers to merging Solaris with its proprietary AIX software.
Perhaps most complex for IBM would be the intricate deal that Sun entered into with Microsoft, which ended a long-standing lawsuit between them over Microsoft's alleged attempts to undermine Java.
The deal netted Sun almost $2 billion from Microsoft, including payments of $700 million for Sun to drop its Java lawsuit, and a further $900 million for a patent-sharing agreement that could be extended for as long as 10 years. IBM, whose software business depends heavily on Java, would need to pull those agreements apart to ensure nothing could interfere with its business or expose it to legal risk from Microsoft.
With reports of the due diligence work only a week old, it would be premature to assume that any talks under way have run into trouble, Bowen said. But the longer they take, the more uncertainty it creates for the customers and investors.
"It's fair to say that with every day that passes, it makes it seem a little less likely that this deal is going to happen," he said.

Fears of a Conficker Meltdown Greatly Exaggerated

Worries that the notorious Conficker worm will somehow rise up and devastate the Internet on April 1 are misplaced, security experts said Friday.
Conficker is thought to have infected more than 10 million PCs worldwide, and researchers estimate that several million of these machines remain infected. If the criminals who created the network wanted to, they could use it to launch a very powerful distributed denial of service (DDoS) attack against other computers on the Internet.
April 1 is the day that the worm is set to change the way it updates itself, moving to a system that is much harder to combat, but most security experts say that this will have little effect on most computer users' lives.
Nevertheless, many people are worried, according to Richard Howard, director of iDefense Security Intelligence. "We have been walking customers down from the ledge all day," he said. Often, the problem has been that company executives have read reports of some April 1st incident and then proceed to "get their IT and security staffs spun up," Howard said in an e-mail interview.
That hype will probably intensify when the U.S. TV newsmagazine 60 Minutes airs a report Sunday on Conficker, entitled "The Internet is Infected."
Conficker "could be triggered, maybe on April 1st ... but no one knows whether on April 1st they'll just issue an instruction that says 'Just continue sitting there' or whether it will start stealing our money or creating a spam attack," CBS reporter Lesley Stahl said in a preview interview ahead of the show. "The truth is, nobody knows what it's doing there."
April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. The worm has already had several such trigger dates, including Jan. 1, none of which had any direct impact on IT operations, according to Phil Porras, a program director with SRI International who has studied the worm.
"Technically, we will see a new capability, but it complements a capability that already exists," Porras said. Conficker is currently using peer-to-peer file sharing to download updates, he added.
The worm, which has been spreading since October of last year, uses a special algorithm to determine what Internet domains it will use to download instructions.
Security researchers had tried to clamp down on Conficker by blocking criminals from accessing the 250 Internet domains that Conficker was using each day to look for instructions, but starting April 1, the algorithm will generate 50,000 random domains per day, far too many for researchers to register or block ahead of the worm.
Gradually, the Conficker network will get updated, but this will take time, and nothing dramatic is expected to happen on April 1, according to Porras, Howard, and researchers at Secureworks and Panda Security.
"There is no clear evidence that the Conficker botnet will do anything dramatic," said Andre DiMino, cofounder of The Shadowserver Foundation, a volunteer security group. "It will change its domain usage to the larger pool and may attempt to drop another variant, but so far, that's about it."
"Regular users just need to be sure they are patched and be extra diligent about possible new methods of infection."
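A host polling a pool of 50,000 generated domains per day resolves mostly names that nobody has registered, so the resolver log fills with failed lookups. The following added example (not code from the article or from any of the researchers quoted) flags clients whose DNS log shows such a burst; the log line format, the thresholds and the sample domains are all constructed assumptions.

```python
# Added example, not from the article: flag resolver clients whose DNS log
# shows a burst of failed lookups. Log line format is an assumption:
# "<ISO timestamp> <client ip> <qname> <rcode>".
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 behaves normally; 10.0.0.9 cycles through
# 120 made-up names that do not resolve, as a host polling a large
# generated-domain pool would. None of these domains are real.
SAMPLE_LOG = "\n".join(
    ["2009-04-01T00:00:01 10.0.0.5 www.example.com NOERROR",
     "2009-04-01T00:00:02 10.0.0.5 mail.example.com NOERROR",
     "2009-04-01T00:00:03 10.0.0.5 typo-exampel.com NXDOMAIN"]
    + [f"2009-04-01T00:0{i // 60}:{i % 60:02d} 10.0.0.9 qz{i:04x}vrb.net NXDOMAIN"
       for i in range(120)]
    + ["2009-04-01T00:02:00 10.0.0.9 www.example.com NOERROR"]
)

def parse(log_text):
    """Turn log lines into (timestamp, client, qname, rcode) tuples."""
    records = []
    for line in log_text.splitlines():
        ts, client, qname, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower(), rcode))
    return records

def suspicious_clients(records, window=timedelta(minutes=5),
                       min_failures=50, min_ratio=0.8):
    """Return {client: (distinct NXDOMAIN names, failure ratio)} for clients that,
    inside any `window`, looked up at least `min_failures` distinct unresolvable
    names making up at least `min_ratio` of their queries. The ratio keeps a user
    who mistyped a few hostnames from being flagged."""
    by_client = defaultdict(list)
    for ts, client, qname, rcode in records:
        by_client[client].append((ts, qname, rcode))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        failed, total, start = Counter(), 0, 0   # state of the sliding window
        for ts, qname, rcode in events:
            total += 1
            if rcode == "NXDOMAIN":
                failed[qname] += 1
            while ts - events[start][0] > window:   # drop events that aged out
                _, old_name, old_rcode = events[start]
                total -= 1
                if old_rcode == "NXDOMAIN":
                    failed[old_name] -= 1
                    if failed[old_name] == 0:
                        del failed[old_name]
                start += 1
            distinct, ratio = len(failed), sum(failed.values()) / total
            if distinct >= min_failures and ratio >= min_ratio \
                    and distinct > flagged.get(client, (0, 0.0))[0]:
                flagged[client] = (distinct, round(ratio, 3))
    return flagged
```

Running `suspicious_clients(parse(SAMPLE_LOG))` flags only 10.0.0.9; tune the window and thresholds to your resolver's normal failure rate before alerting on them.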

Friday, March 13, 2009

Microsoft Disputes Attempt to Reinstate Class in Vista Suit

Microsoft is disputing an attempt to reinstate class-action status to an ongoing lawsuit against its Windows Vista Capable sticker program, a case that threatens to drag on and is reflective of the difficulties Microsoft has encountered by releasing its disappointing Windows Vista OS.
In court papers filed in a U.S. District Court in Seattle this week, Microsoft asked the court not to reconsider applying class-action status to the suit because people knew exactly which version of Vista they would receive through a coupon program called Express Upgrade Guarantee. The program allowed customers to buy PCs with Windows XP installed on them but then upgrade to Vista when the OS was released.
Microsoft also said that the plaintiffs took too long to ask for a narrowing of the class, even based on "theories known to them for more than a year," according to court papers.
The TechFlash blog Thursday posted a link to a PDF of Microsoft's most recent filing in the case, first brought against the vendor by plaintiff Dianne L. Kelley in April 2007.
Late last month, attorneys in the case asked the court to re-establish class by narrowing the scope of who could participate in the suit. This came a week after the judge in the case granted Microsoft's motion to dismiss the suit's class-action status but allowed it to go forward with six plaintiffs.
Plaintiffs now want the judge to allow the suit to apply to anyone who purchased Windows Vista Capable PCs in Microsoft's Express Upgrade Guarantee program. The Express Upgrade Guarantee program provided coupons to people who purchased Windows Vista Capable PCs so they could upgrade to the appropriate version of Vista either for free or for little cost once the OS was made available.
The overarching claim in the suit is that Microsoft's Windows Vista Capable sticker program, which theoretically let customers know which PCs were capable of running Vista before the OS was made generally available, was an example of deceptive business practices and violated consumer protection laws.
Microsoft's hardware partners began shipping PCs with the "Windows Vista Capable" logo in April 2006. However, the designation was potentially confusing, because a PC with the label was only guaranteed to run the least expensive, most basic version of Vista.
The case is scheduled to go to trial April 13; however, in last month's filing plaintiffs asked that the judge push back the trial date in case class is reinstated to give others time to join the suit. The judge has yet to respond to that filing.

Foreign Web Attacks Change Security Paradigm

Traditional security systems may be ineffective and become obsolete in warding off Web attacks launched by countries, according to Val Smith, founder of Attack Research. New attack trends include blog spam and SQL injections from Russia and China, Smith said during his talk at the Source Boston Security Showcase on Friday.
"Client-side attacks are where the paradigm is going," Smith said. "Monolithic security systems no longer work."
Hackers use Web browsers as exploitation tools to spread malware and collect sensitive information. Smith used examples from clients of his company, which analyzes and researches computer attacks, to demonstrate the threat posed by blog spam and SQL attacks.
Attackers targeted high-traffic sites with blog spam and posted comments on blogs, he said. The comments looked odd and tended to have non-English phrases placed in large blocks of text with random words hyperlinked, he said. Clicking on such links took users to sites that seemed like blogs but were pages loaded with malware, Smith said.
A Chinese bank owned the domains for each malware site, but the IP (Internet Protocol) addresses traced to Germany. Studying the links revealed that each one contained words in Russian or Romanian, said Smith. By placing an international spin on their nefarious activities, the hackers hoped to confuse anyone investigating their work, he said.
"How are you going to track these back to the bad guys?" he said, noting that tracking is complicated by language barriers, working with foreign law organizations and dealing with countries "that just may not want to talk to us."
While the goals of blog spam attacks remain unclear, Smith said financial incentives serve as motivation. Adware installed after a user visits an infected site nets a hacker money, as does clicking on an advertisement on the page. Other hackers are looking to expand their botnets, or networks of compromised machines used for malevolent purposes.
Smith's investigation traced the attacks to a home DSL account in Russia. The international nature of the incident made prosecution unlikely, he said.
The SQL injection attack Smith discussed originated in China and attempted to steal information on the businesses that visited the Web site of the company, which was Smith's client.
Hackers first launched a SQL injection and uploaded a back door that allowed them to take control of the system.
Additional SQL injections failed, so the hackers searched the system for another way in. They found a library application that allows images to be uploaded. The hackers uploaded a GIF file with a line of code embedded in the image. The system checked only the GIF header, accepted the file as a photo, and then executed the embedded code.
Hackers "targeted an app that is custom-written, in-house, and launched a specific attack against that app," Smith said.
Hackers eventually placed "iFrame" HTML code on every page of the company's Web site. The iFrames redirected the victim's browser to a server that infects the computer using a tool called "MPack." This tool profiled a victim's OS and browser and launched attacks based on that information.
The result is that victims are getting hit with multiple attacks, said Smith.
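The upload described above got through because the application trusted the GIF signature and nothing else. The following added example (not code from the article or from the company involved) shows the checks an upload handler should make: verify the file's structure, refuse bytes that an interpreter could execute, and discard the user-supplied name. The marker list, the sample GIFs and the function names are constructed assumptions.

```python
# Added example, not from the article: validate an image upload by its bytes
# rather than its name, and never keep the user-supplied filename.
import re
import secrets
import struct

# Markers an interpreter would execute if the upload were ever included or
# served as a script (assumption: a PHP/ASP/JSP-style server stack).
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%|<script\b|<jsp:", re.IGNORECASE)

class UploadRejected(ValueError):
    pass

def parse_gif_header(data):
    """Return (width, height) if `data` has a structurally valid GIF header."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise UploadRejected("not a GIF: bad signature")
    width, height = struct.unpack("<HH", data[6:10])   # little-endian sizes
    if width == 0 or height == 0:
        raise UploadRejected("not a GIF: zero dimensions")
    if data[-1:] != b"\x3b":                            # GIF trailer byte
        raise UploadRejected("not a GIF: missing trailer")
    return width, height

def validate_image_upload(filename, data):
    """Check the bytes, not the name; return a safe name to store it under."""
    if not filename.lower().endswith(".gif"):
        raise UploadRejected("only .gif accepted")
    parse_gif_header(data)
    m = SCRIPT_MARKERS.search(data)
    if m:
        raise UploadRejected(f"embedded script marker {m.group()!r}")
    # Drop the client's name entirely: random token, fixed extension. Store the
    # result outside the web root so the server can never execute it.
    return f"{secrets.token_hex(8)}.gif"

def classify(filename, data):
    """Convenience wrapper: 'accepted' or the rejection reason."""
    try:
        validate_image_upload(filename, data)
        return "accepted"
    except UploadRejected as e:
        return str(e)

# Constructed samples: a minimal 1x1 GIF, and the same image with a script
# tag smuggled in before the trailer, the kind of upload the article describes.
CLEAN_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b"\x3b"
TAINTED_GIF = CLEAN_GIF[:-1] + b"<?php echo 1; ?>" + b"\x3b"
```

Short markers such as `<%` can occur by chance inside compressed pixel data, so in production re-encode the image through an image library instead of pattern matching; only pixel data survives that round trip.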
Today, SQL injection attacks are the top threat to Web security, said Ryan Barnett, director of application security at Breach Security, in an interview separate from the conference.
Last year, cybercriminals began unleashing massive Web attacks that have compromised more than 500,000 Web sites, according to the security vendor.
"They started off in January and went through essentially the whole year," said Barnett. Previously, crafting a SQL injection attack took time, but last year attackers created worm code that could automatically seek out and break into hundreds of thousands of sites very quickly.
Now, instead of stealing data from the hacked Web sites, the bad guys are increasingly turning around and planting malicious scripts that attack the site's visitors. "Now the site is becoming a malware depot," he said.
(Bob McMillan in San Francisco contributed to this report.)