Loopholes Closed by FTC in CAN-SPAM Act Rules

The U.S. FTC has updated its regulations regarding the CAN-SPAM Act (PDF) to require:

(1) an e-mail recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than sending a reply e-mail message or visiting a single Internet Web page to opt out of receiving future e-mail from a sender;

(2) the definition of “sender” was modified to make it easier to determine which of multiple parties advertising in a single e-mail message is responsible for complying with the Act’s opt-out requirements;

(3) a “sender” of commercial e-mail can include an accurately-registered post office box or private mailbox established under United States Postal Service regulations to satisfy the Act’s requirement that a commercial e-mail display a “valid physical postal address”; and

(4) a definition of the term “person” was added to clarify that CAN-SPAM’s obligations are not limited to natural persons.

— FTC Approves New Rule Provision Under The CAN-SPAM Act, Press Release, FTC, May 12, 2008

These changes appear to tighten up what is required of marketers; they have to say who they are and they can't weasel out by claiming a corporation is not a person.

However, it's not clear to me why it's opt-out that's required; why not opt-in? I never trust a spammer to process an opt-out; I assume they're just collecting more addresses. Plus the spammer still has ten days to process opt-out requests.

-jsq

Band Uses CCTV to make Music Video

This is clever:

Unable to afford a proper camera crew and equipment, The Get Out Clause, an unsigned band from the city, decided to make use of the cameras seen all over British streets.

With an estimated 13 million CCTV cameras in Britain, suitable locations were not hard to come by.

They set up their equipment, drum kit and all, in eighty locations around Manchester – including on a bus – and proceeded to play to the cameras.

— The Get Out Clause, Manchester stars of CCTV. By Tom Chivers, Telegraph.co.uk, Last Updated: 6:54PM BST 08/05/2008

Then they requested copies of the coverage from the various companies and law enforcement organizations owning the cameras through the British Data Protection Act, and got enough to use. They even managed closeups.

So maybe there is a use for CCTV, even though it's failed at crime prevention. It's a huge arts subsidy program!

-jsq

NSL: Internet Archive Exposes Lack of Security in National Security Letters

The Internet Archive has for a decade been a cornerstone of the Internet, and the FBI was foolish to try to break it:

The FBI has withdrawn an illegal National Security Letter seeking information from an online library and has lifted a gag order that until Wednesday prevented any discussion of the information request.

Lawyers from the American Civil Liberties Union and Electronic Frontier Foundation helped the Internet Archive push back against what they say was an overly broad and unlawful request for information on one of its users. The FBI issued its National Security Letter in November, but ACLU, EFF and Archive officials were precluded from discussing it with anyone because of a gag order they say was unconstitutional.

After nearly five months of haggling, the FBI eventually withdrew its NSL, which requested personal information about at least one user of the Internet Archive. Founded in 1996, the archive is recognized as a library by the state of California, and its collections include billions of Web records, documents, music and movies.

— Watchdogs prompt FBI to withdraw 'unconstitutional' National Security Letter, Nick Juliano, therawstory, Published: Wednesday May 7, 2008

The article goes on to say that the FBI has issued 200,000 National Security Letters, that almost none of those NSL have been challenged, yet every single time someone has challenged an NSL in court, the FBI has withdrawn it.

How do these NSL represent "Security"?

In any case, National Security Letters were authorized by the mis-named Patriot Act. Brewster Kahle has shown us how a real patriot acts:

CCTV Security Fad Fails

London probably has more security cameras per square inch than any other city, and:

The billions of pounds spent covering Britain with CCTV cameras has been an "utter fiasco" and failed to slash crime, Scotland Yard's surveillance chief has said.

Detective Chief Inspector Mick Neville said a Metropolitan Police pilot project found just three per cent of street robberies in London were solved using CCTV images.

He claimed the vast swathes of money spent on cameras had been wasted because criminals don't fear the cameras.

— Billions spent on CCTV have failed to cut crime and led to an 'utter fiasco', says Scotland Yard surveillance chief, Just 3% of street robberies in London solved, By DANIEL BATES, Daily Mail, Last updated at 13:48pm on 6th May 2008

Needless to say, there are numerous efforts planned to make the cameras pay anyway.

The basic problem is:

But Mr Neville also castigated the police and claimed officers can't be bothered to seek out CCTV images because it's "hard work".

CCTV is not the only security fad that hasn't panned out:

For every 800 DNA samples being added by the police - including those taken from innocent people - only one crime is being solved.

We'll see if either of these white elephant programs get terminated. I'm not holding my breath.

-jsq

Paypal Says Old IE is Like Car Without Seat Belt: EV SSL blocking

The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered "unsafe" for financial transactions.

"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts," said PayPal Chief Information Security Officer Michael Barrett.

...

Barrett only mentioned old, out-of-support versions of Microsoft's Internet Explorer among this group of "unsafe browsers," but it's clear his warning extends to Apple's Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates.

— BPayPal Plans to Ban Unsafe Browsers, By Ryan Naraine, EWeek.com, 2008-04-17

Now on the one hand, I think EV SSL is color-coded checklist security candy:

Tokyo in May: CeCOS II

26-27 May 2008 in Tokyo:

The second annual Counter-eCrime Operations Summit (CeCOS II) will engage questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the ecrime threat every day. This year's meeting will focus on the development of response paradigms and resources for counter-ecrime managers and forensic professionals. Presenters will proffer case studies of national and regional economies under attack, narratives of successful trans-national forensic cooperation as well as models for cooperation and unified response against ecrime and data resources for forensic activities.

— Counter-eCrime Operations Summit II, APWG Japan, 2008

The Anti-Phishing Working Group continues to expand via national associates, and to put on good workshops.

-jsq

Class Action Coming for Identity Theft?

It wouldn't be a moment too soon:

I painfully predicted a few years back that phishing and related identity theft would result in class action suits. I lost my bet as it didn't happen fast enough, but a significant step has been taken (reported by Lynn) with the publication of a book that apparently blames the banks and the software manufacturers for identity theft.

— Signs of Liability: 'Zero Day Threat' blames IT and Security industry, Ian Grigg, Financial Cryptography, April 14, 2008

The book review iang quotes gets it about online crime not being amateur anymore: it's organized. And it gets it about perhaps a more important point:

OK Leaks Tens of Thousands of SSNs for Years

You'd think they'd know better:

One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.

The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years.

— Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data, by Alex Papadimoulis in Feature Articles, The Daily WTF, 2008-04-15

But the best part is what it took to get the state to fix it:

European Parliament Votes for Internet Freedom and Security

Sometimes a legislative body gets the picture and shows some spine:

Despite last minute attempts by the French government to divide them, European MEPs today voted decisively against "three strikes", the IFPI-promoted plan to create a class of digital outcasts, forbidden from accessing the Net if repeatedly accused by music companies of downloading infringing content.

In a vote held today, hundreds of MEPs supported language which declared termination of Internet access to be in conflict with "civil liberties and human rights and with the principles of proportionality, effectiveness and dissuasiveness", all core values of the European Union.

... And Guy Bono, the author of the report, had this to say in the plenary:

"On this subject, I am firmly opposed to the position of some Member States, whose repressive measures are dictated by industries that have been unable to change their business model to face necessities imposed by the information society. The cut of Internet access is a disproportionate measure regarding the objectives. It is a sanction with powerful effects, which could have profound repercussions in a society where access to the Internet is an imperative right for social inclusion."

— European Parliament to Sarkozy: No "Three Strikes" Here, Posted by Danny O'Brien, EFF, April 10th, 2008

The European Parliament voted for social inclusion, participation, and human rights over profits for a tiny group of companies. That wasn't hard. Even if the vote had gone the other way, it wouldn't have produced any real security for the tiny group, and the way it did go, it produces far more security for everyone else. Maybe the U.S. can get the message.

-jsq

Auditing Georgia Government Security

Georgia's governor wants to standardize information security reporting across the entire state government:

The Executive Order calls for a single set of information security reporting standards for all agencies to follow. Currently, state agencies use a variety of reporting standards, making it difficult to measure information security across state government or to track progress from year to year.

Governor Perdue has directed the Georgia Technology Authority (GTA) to work with the Georgia Department of Audits and Accounts and the Governor's Office of Planning and Budget to develop a reporting format and required content for agency information security reports. Each agency will be responsible for reporting to GTA at the end of the fiscal year. GTA will compile agency reports into a single Enterprise Information Security Report, available by October 31 of each year.

— Gov. Perdue Signs Executive Order Strengthening Georgia's Information Technology Security, News Report, Government Technology, Mar 20, 2008

I think this is a good move. Now how about monthly reporting in a publicly visible web page.

-jsq