New malware morphs into different shapes unattended by humans

Now this is quite a fascinating story, it seems the latest development is the accidental development of new super-malware strains created by viruses infecting executable files of worms. Worms are generally executable files and well, viruses infect executables – so you can imagine what happens.

Ten years ago, there was a clear-cut distinction between Trojans, viruses and worms. They all had their own features specific to one family of malware only. As more people connected to the internet, cyber-criminals started mixing ingredients to maximize impact. And here I’m thinking Trojans with worm capabilities or viruses with Trojan features, and so on.

Now, another “practice” has silently emerged: the file infector that accidentally parasites another e-threat. A virus infects executable files; and a worm is an executable file. If the virus reaches a PC already compromised by a worm, the virus will infect the exe files on that PC – including the worm. When the worm spreads, it will carry the virus with it. Although this happens unintentionally, the combined features from both pieces of malware will inflict a lot more damage than the creators of either piece of malware intended.

While most file infectors have inbuilt spreading mechanisms, just like Trojans and worms (spreading routines for RDP, USB, P2P, chat applications, or social networks), some cannot replicate or spread between computers. And it seems a great idea to “outsource” the transportation mechanism to a different piece of malware (i.e. by piggybacking a worm).

Most likely these Frankenmalware, or “malware sandwiches,” take place spontaneously. The virus actually infects by mistake another piece of malware and ends up using its capabilities to spread. Bitdefender’s Antimalware Lab identified no less than 40,000 such malware symbioses out of a sample pool of 10 million files. One such case is the Virtob file infector, whose malicious code has been found infecting worms like OnlineGames, the ancient Mydoom or the more advanced Bifrose backdoor Trojan.

Now the franken-worm has both the characteristics of the original worm and it also carries the virus – so when it spreads, the virus also spreads.

Viruses are accidentally infecting worms on victims’ computers, creating super-powered strains of hybrid software nasties.

The monster malware spreads quicker than before, screws up systems worse than ever, and exposes private data in a way not even envisioned by the original virus writers.

A study by antivirus outfit BitDefender found 40,000 such “Frankenmalware samples” in a study of 10 million infected files in early January, or 0.4 per cent of malware strains sampled. These cybercrime chimeras pose a greater risk to infected users than standard malware, the Romanian antivirus firm warns.

“If you get one of these hybrids on your system, you could be facing financial troubles, computer problems, identity theft, and a wave of spam thrown in as a random bonus,” said Loredana Botezatu, the BitDefender analyst who carried out the study. “The advent of malware sandwiches throws a new twist into the world of malware. They spread more efficiently, and will become increasingly difficult to predict.”

BitDefender doesn’t have historical data to go on. Even so it posits that frankenmalware is likely to grow at the same rate as regular computer viruses, or about 17 per cent year on year.

There’s really unlimited possibilities with this, and the great thing (to me anyway) is that it occurred by complete accident. I guess the next step up would be virus authors purposely hunting down worm files and infecting them with additional capabilities.

There’s always been cases of malware in the past that hunt down other malware and remove them from the host machine.

All of the malware hybrids analysed by BitDefender so far have been created accidentally. However, the risk posed by these combos could increase dramatically as crooks latch onto the idea of deliberately splicing malware strains together to see what sticks. This is on top of efforts by blackhat coders to add extra features to others’ viruses and unleash the updated builds onto the unsuspecting public.

BitDefender carried out its study after finding a sample of the Rimecud worm that was infected by the Virtob file infector. Rimecud is designed to steal online passwords for e-banking or e-mail accounts, among other functions. Virtob creates a hacker-controlled backdoor on infected systems.

“Imagine these two pieces of malware working together – willingly or not – on the same compromised system,” Botezatu explains. “That PC faces a twofold malware with twice as many command and control servers to query for instructions; moreover, there are two backdoors open, two attack techniques active and various spreading methods put in place. Where one fails, the other succeeds.”

I wonder what will happen in the future with this and if the bad guys will really jump on this already sailing ship and use it to their advantage. The last computer I recently touched had over 30+ viruses and a boot-loader, took me 4-5 hours to make sure the system was clean, then I had to re-install Windows XP, jump through all the hoops, upgrades and drivers for the system. This is why I tell people about Linux Mint all the time.

What you typically have included with you computer, is a recovery CD (best case), perhaps a recovery partition that just re-images your partition setting everything back to the way it was originally or nothing at all (worst case), none of these truly do fix anything. Normally the best way to accomplish this feat is to boot from a Linux LiveCD to recover your files.

Microsoft recently filed a legal complaint against Comet, a UK retailer which the company alleges sold sets of recovery CDs without Microsoft’s blessing. While Microsoft called the CDs counterfeits, Comet says it was acting in good faith, supplying customers with recovery discs when Microsoft would not.

Microsoft noted that the recovery CDs were sold to customers who had purchased Windows-loaded PCs and laptops. Comet operates 248 stores as well as an online shopping site.

“As detailed in the complaint filed today, Comet produced and sold thousands of counterfeit Windows CDs to unsuspecting customers in the United Kingdom,” Microsoft associate general counsel David Finn said in a statement posted on Microsoft’s website.

Microsoft Corp. today issued proceedings against Comet Group PLC for allegedly creating and selling more than 94,000 sets of counterfeit Windows Vista and Windows XP recovery CDs. The alleged counterfeits were sold to customers who had purchased Windows-loaded PCs and laptops.

“As detailed in the complaint filed today, Comet produced and sold thousands of counterfeit Windows CDs to unsuspecting customers in the United Kingdom,” said David Finn, associate general counsel, Worldwide Anti-Piracy and Anti-Counterfeiting at Microsoft. “Comet’s actions were unfair to customers. We expect better from retailers of Microsoft products — and our customers deserve better, too.”

The suit charges Comet with producing the counterfeits in a factory in Hampshire and then selling the media to customers from its retail outlets across the U.K.

Comet is currently owned by French retail company Kesa Electricals PLC, although it is reportedly being purchased by private equity firm OpCapita LLP later this year.

With an emphasis on education, engineering and enforcement, Microsoft seeks to protect its customers from counterfeiting and piracy — and ensure people get what they pay for. If customers ever question the legitimacy of their software, be it a shrink-wrapped product or recovery media, they are advised to visit http://www.howtotell.com to learn more and, if they have any doubt, report the suspicious software to Microsoft.

Comet responded with a statement of its own, saying it believes what it did was legal.

“Statement in respect of Microsoft litigation
Wednesday 4th January 2012

We note that proceedings have been issued by Microsoft Corporation against Comet relating to the creation of recovery discs by Comet on behalf of its customers.

Comet has sought and received legal advice from leading counsel to support its view that the production of recovery discs did not infringe Microsoft’s intellectual property.

Comet firmly believes that it acted in the very best interests of its customers. It believes its customers had been adversely affected by the decision to stop supplying recovery discs with each new Microsoft Operating System based computer.

Accordingly Comet is satisfied that it has a good defence to the claim and will defend its position vigorously.”

UPDATE: When Microsoft was asked for some more information on its complaint, which was filed in the High Court of Justice in London. We still don’t have a copy of the full complaint, but Microsoft’s expanded statement says the PCs Comet sold already included recovery software, making the discs unnecessary. “In 2008 and 2009, Comet approached tens of thousands of customers who had bought PCs with the necessary recovery software already on the hard drive, and offered to sell them unnecessary recovery discs for £14.99,” Microsoft said. “Not only was the recovery software already provided on the hard drive by the computer manufacturer but, if the customer so desired, a recovery disc could also have been obtained by the customer from the PC manufacturer for free or a minimal amount. Illegally replicating software and then selling it is counterfeiting.”

Ask yourself, “Would Comet dare to go to court over this without a strong legal opinion from their lawyer?”. The traditional obsequious behaviour of Microsoft’s clients is to fold promptly and send money, lots of it. Thank you, Microsoft, for promoting GNU/Linux. I appreciate it. In my opinion, this could be as much about killing XP as protecting “IP”… As with the Barnes & Noble Android patent suit, I imagine discovery will be interesting.

This is rather amusing to me, as one of the last barriers to the desktop space for Linux is the retail shelf space. It could be that Comet were charging for the disks rather than just including them with the PCs that caught MS’s attention. When a customer asks me to repair or rebuild their old XP/Vista/7 machines. The first question I have to ask is “Do you have the original OS CDs to hand?” “How about backups?” 90% of the time the answer is no.

This could all be avoided if Microsoft did the decent thing for consumers, and re-write it’s OEM License to stipulate either Windows media or recovery media is included with each license, but I think we all know the chances of that happening, mainly because that would help End Users and IT Shops service their own systems, keeping them running for longer.

Let’s get this right. A consumer can produce a backup/restoration CD by running the software on the PC but Microsoft thinks it’s illegal for Comet to provide that as a service to consumers? I don’t think so. I expect the courts will laugh Microsoft out the front door. I expect other retailers will finally understand that Microsoft is a liability, not their friend. I expect more retailers will give shelf-space to GNU/Linux. It’s just the right way to do IT-retailing. I recommend to customers Linux over Windows or Apple, as the huge repository of software and the package managing system, APT, make it easy for the end user to support their system.

If the drive is toast, then the only thing you can do is pay the expense of sending it out for recovery which tends to get VERY expensive. OEM’s like Dell, tend to install a recovery partition, but then that only works if the drive is functioning, see the problem? So by not having recovery disc, you are forced to call your OEM, for $5 – $40, on top of OS reinstall costs and a new hard drive.

So, Comet  is selling a Microsoft product that is not fit for purpose  (IE – selling a operating system, in a state that it could not be recovered as you had no media to do so!) Anybody else who has had to fix a friends computer, were they were not given any OS media, but the PC has a valid OS license will fully apprecieate Comet on this matter. Indeed, I recall a situation were I called Microsoft who were utterly useless, saying “yes” the PC has a legal operating system and “no” they couldn’t send me recovery disc’s as they never sold the PC. Too me, Microsoft selling PC’s directly or indirectly, without the ability to service them and maintain them to a fully working state (IE the Operating system disc) is in my opinion indeed selling a product not fit for purpose.

Usually there is a recovery partition, but often these are so complicated I wonder how the average user is supposed to use them. Some even need the PC to be properly working to actually recover from! If its a Dell that’s okay as I have a full selection of Dell recovery/OS disks to hand. If its an old XP Acer/Bizzaro brand then its pretty much tough luck as MS have tightened up the activation checking databases and unless you use the exact manufacturer OEM CD now you are screwed. They really don’t want you re-using that XP now, they want you to go out and spend money  needlessly on Windows 7.

Not exact pricing but close enough

It can be so frustrating, especially when you are just trying to re-install a OS for a customer that the machine has a licence stuck to it for. At the end of the day there is no change, the user carries on using XP/Vista just as they paid for a few years back but oh no…..I now have to spend around 90 minutes for every laptop I buy in for customers creating the damn recovery DVDs. If I leave it to them then chances are a year later that it would never be done. People rarely backup their let alone create a recovery disk.

The Valuable bit of the Windows Product – the bit you pay money for, and the bit Microsoft care about in a software audit – is the COA – Certificate Of Authenticity – slapped on the side of OEM Machines. As long as you have a (Non-Counterfeit) one of those, that’s the license.

You can take any standard XP/Vista/7 Media, install it, and throw that key in, needing a telephone software activation at best, and end up with a genuine and licensed windows instance.

Without further details, it appears Comet did not include Microsoft Authorised Windows/Recovery media, which would need the legal COA to work (yes, ignoring BIOS Activation for the sake of clarity, here), a pragmatic, but illegal solution to the problem of failed customer PC’s, especially hard drive failures, which take the recovery partition.

So Yeah, Comet may be technically breaking their Microsoft contract, but it probably resulted in minimum illegal installs, especially if they checked you were entitled to order it before by having an applicable PC before selling it to you.

If Microsoft don’t want to do this themselves maybe they should provide it as a service to the OEMs. Then the OEM can advertise that as part of their product. I for one would make sure I only bought computers from an OEM that offered the service.

I think everyone realizes at this point that Microsoft (and some OEMs) doesn’t want you to recover your system. They want you to just buy a new computer. Otherwise they would make it much easier to get recovery CD’s — like making them downloadable from their web sites at no additional change like they do with drivers.

SOPA and PIPA…want to raise the cost of copyright compliance, to the point where people simply get out of the business of offering it as a capability to amateurs….

In order to fake the ability to sell uncopyable bits, the DMCA also made it legal to force you use systems that broke the copying function of your devices…they also made it illegal for you to try to re-set the copyability of that content. The DMCA marks the moment where the media industries gave up on distinguishing between legal and illegal copying, and simply tried to prevent copying through technical means….

PIPA and SOPA are round two. But where the DMCA was surgical – we want to go down into your computer, into your television set, your game machine, and prevent it from doing what they said it would do at the store – PIPA and SOPA are nuclear. They’re saying we want to go anywhere in the world and censor content. 

If you’re trying to explain the issues regarding SOPA to someone else, try showing them this. Yes, it’s 14 minutes, but still much more concise and comprehensible than anything I could accomplish in a much longer conversation.

Salman Khan even created a video as well explaining the issue.

“Those who count on quote ‘Hollywood’ for support need to understand that this industry is watching very carefully who’s going to stand up for them when their job is at stake. Don’t ask me to write a check for you when you think your job is at risk and then don’t pay any attention to me when my job is at stake,”

This certainly follows what many people assumed was happening, and fits with the anonymous comments from studio execs that they will stop contributing to Obama, but to be so blatant about this kind of corruption and money-for-laws politics in the face of an extremely angry public is a really tone deaf response from Dodd.

It shows, yet again, that he just doesn’t get it. People were protesting not just because of the content of these bills, but because of the corrupt process of big industries like Dodd’s “buying” politicians and “buying” laws. To then come out and make that threat explicit isn’t a way to fix things or win back the public. It’s just going to get them more upset, and to recognize just how corrupt this process is. If Dodd, as he said in yesterday’s NY Times, really wanted to turn things around and come to a more reasonable result, this is exactly how not to do it. It shows, yet again, a DC-insider’s mindset. He used Fox News to try to “send a message” to politicians. But the internet already sent a much louder message… and, even worse for Dodd, he bizarrely sent his message in a way that everyone who’s already fed up with this kind of corruption can see it too. It really makes you wonder what he’s thinking and how someone so incompetent at this could keep his job.

The MPAA doesn’t need a DC insider explicitly demanding the right to buy laws and buy politicians. The MPAA needs a reformer, one who helps guide Hollywood into the opportunities of a new market place. The MPAA needs someone who actually understands the internet, and helps lead the studios forward. That’s apparently not Chris Dodd.

Public Knowledge issued a fantastic statement that not only highlights the ridiculousness of Dodd’s threats, but also the hypocrisy of the Hollywood studios on this issue:

Public Knowledge welcomes constructive dialog with people from all affected sectors about issues surrounding copyright, the state of the movie industry and related concerns. Cybersecurity experts, Internet engineers, venture capitalists, artists, entrepreneurs, human rights advocates, law professors, consumers and public-interest organizations, among others should be included. They were shut out of the process for these bills.

We suggest that in the meantime, if the MPAA is truly concerned about the jobs of truck drivers and others in the industry, then it can bring its overseas filming back to the U.S. and create more jobs. It could stop holding states hostage for millions of dollars in subsidies that strained state budgets can’t afford while pushing special-interest bills through state legislatures. While that happens, discussions could take place.

The Recording Industry Association of America (RIAA) of late has fooled Immigration and Customs Enforcement (ICE) to seize legal domain at their whim and despite the vast volume of lawful music supply, was a flop as most sites were back up withing hours. In doing so, this shows another problem with SOPA/Protect IP that hasn’t been mentioned before, no double jeopardy protection. There’s nothing to stop a bunch of copyright holders from getting together and one by one getting a site they all don’t like pulled/cut off from ad revenue for nonexistent infringement, then have another copyright holder falsely accuse once the previous charges are dismissed, and so on.

What is most concerning with this latest Mega case is that they shut down MegaBox. We may recall that Kim was offering artists 90% of the sales and setting himself up as direct competition of the RIAA. That service was announced during the Mega Song conflict when Universal Music Group (UMG) falsely took down this lawful independent site. The time between then and now is just long enough for the Feds to plan this massive raid! Having the power to take down content that is not even owned is incredible! So it all boils down to money, eh?
So let me get this straight, the RIAA used their private Governmental Police service to just close down a huge and dangerous market rival. I can promise you now that the Judge is going to take a very close look at that one and he won’t like what he sees, a clear pattern of the RIAA abusing the market, destroying independent channels, to protect is monopoly.

If someone sends you a DMCA takedown notice, you’re guilty until proven innocent. And if you buy a copyrighted work that includes DRM, and something goes wrong with the authentication, you’re not even guilty until proven innocent; you’re just plain *guilty*, and screw any relevant facts.

Until we manage to push back and overturn the DMCA, this will keep going on. Clay Shirky is quite right that the DMCA is at the root of all of this, and the only way to win any real, meaningful victory is to get it repealed or thrown out in court.

If you have missed out on this evolving story, here is a link to get up to speed.

Reasons Claimed by SOPA Proponents

The Great Firewall of America is being built by the people who would benefit most from its construction. Just take a look at the witness list at the House hearing for the Stop Online Piracy Act (SOPA or H.R. 3261). 5 of the 6 witness list are outspoken advocates for SOPA. Most notable is Michael O’Leary, Senior Executive Vice President of Global Policy and External Affairs for the MPAA (Motion Picture Association of America). During the course of the hearings, O’Leary made multiple fallacious claims that googling names of movies such as “J. Edgar” or “The Grinch Who Stole Christmas” would return pirated versions of the movie. According to O’Leary, this link will show you lists of pirated versions of the movie. I’ll let you judge for yourself the veracity of his claim.

Download (PDF, 160.48KB)

O’Leary’s statement must be made from either pure ignorance or to fallaciously support legislation that is not truly intended to protect against copyright infringement. When countries notorious for human rights abuse are held up as successful Internet models, it’s quite apparent that the Great Firewall of America is an apt name for the SOPA construct.

Let’s look at other potential motivations for SOPA. While the name of the bill certainly seems reasonable and desirable, how big of a problem is online piracy? The MPAA published this document about piracy in America.

Download (PDF, Unknown)

If you analyze their claim that there are $58 billion in losses per year from piracy and that 13% of all adults have pirated, you’ll find that the MPAA claims that your average downloader should be buying 200 more DVD’s a year. Lest we forget, the MPAA has a history of using hyperbole to defend its own interests. In his 1982 testimony, Jack Valenti, former President of the MPAA, stated the following to Congress,

“I say to you that the VCR is to the American film producer and the American public as the Boston strangler is to the woman home alone.”

Clearly the effects of the VCR on the media industry was poorly understood and greatly exaggerated by the MPAA. Videotape sales ended up being a significant new revenue stream for the MPAA for many years, even spawning the spinoff media rental industry which still exists today.

Failure to Understand the Internet as as Medium

During the hearing, it became painfully obvious that the proponents of SOPA simply do not understand the Internet as a medium. Representative Ben Quayle expressed concern that there were no successful business models that could survive without SOPA to prevent piracy. Yet services like iTunes, Netflix, and Amazon now represent some of the largest services in media representing billions in revenue every year. Furthermore, there have even recently been disruptive business models like Spotify which have been able to assert themselves in the environment that SOPA proponents claim is not possible to exist in.

It is apparent that proponents of SOPA like the MPAA are simply failing to adapt their business model as technology evolves. In the 1980′s, the MPAA fought against the VCR claiming concerns over about copyright violations. In the 2010′s, the MPAA is fighting against the Internet as a medium. The difference is, this time the stakes are much higher. SOPA’s scope extends far beyond alleged piracy. It creates a web environment almost identical to that of China that restricts internet access, which has recently been declared a human right by the United Nations.

The True Intent of SOPA

If the most recent hearing was any indication, the proponents of SOPA are not interested in working with the technology and Internet industries to find solutions to stem online piracy. When has a fair and balanced discussion ever been held when the debate is stacked 5 to 1? Supporters of SOPA clearly do not understand the Internet as a medium and are constructing a system in which the deck is stacked in their favor. As many tech giants have pointed out, SOPA is devastating to the technology and Internet industries. How long will we suffer the claims that media giants cannot make enough money, even as they are increasing their own compensation?

The Stop Online Piracy Act is being constructed to allow a stranglehold on the American Internet. Make no mistake. Its constructors are building it with this intent in mind. Just like the Great Firewall of China, the Stop Online Piracy Act is a misnomer. Hidden behind an innocuous name, the bill’s intent is not to stem piracy as its proponents suggest, its true intent is to control the Internet itself.

Remember fondly the days when we were all tickled pink by our elected officials’ struggle to understand how the internet works. Whether it was George W. Bush referring to “the internets” or Senator Ted Stevens describing said internets as “a series of tubes,” we would sit back and chortle at our well-meaning but horribly uninformed representatives, confident that the right people would eventually steer them back on course. Well I have news for members of Congress: Those days are over.

We get it. You think you can be cute and old-fashioned by openly admitting that you don’t know what a DNS server is. You relish the opportunity to put on a half-cocked smile and ask to skip over the techno-jargon, conveniently masking your ignorance by making yourselves seem better aligned with the average American joe or jane — the “non-nerds” among us. But to anyone of moderate intelligence that tuned in to the Congressional mark-up of SOPA, the legislation that seeks to fundamentally change how the internet works, you kind of just looked like a bunch of jack-asses.

The White House responded to two petitions with a statement titled ‘Combating Online Piracy while Protecting an Open and Innovative Internet.’ They note that ‘We must avoid creating new cyber-security risks or disrupting the underlying architecture of the Internet.’ In particular, they cite manipulation of DNS as problematic. But overall the statement is clearly supportive of anti-piracy efforts and lays down this challenge: ‘So, rather than just look at how legislation can be stopped, ask yourself: Where do we go from here? Don’t limit your opinion to what’s the wrong thing to do, ask yourself what’s right.’ So, what’s right?

Some background: Since its introduction, SOPA and its Senate twin PROTECT-IP have been staunchly condemned by countless engineers, technologists and lawyers intimately familiar with the inner functioning of the internet. Completely beside the fact that these bills as they currently stand would stifle free speech and potentially cripple legitimate businesses by giving corporations extrajudicial censorial powers, they have found an even more insidious threat: The method of DNS filtering proposed to block supposed infringing sites opens up enormous security holes that threaten the stability of the internet itself.

The only problem: Key members of the House Judiciary Committee still don’t understand how the internet works, and worse yet, it’s not clear whether they even want to.

When the security issue was brought up, Rep. Mel Watt of North Carolina seemed particularly comfortable about his own lack of understanding. Grinningly admitting “I’m not a nerd” before the committee, he nevertheless went on to dismiss without facts or justification the very evidence he didn’t understand and then downplay the need for a panel of experts. Rep. Maxine Waters of California followed up by saying that any discussion of security concerns is “wasting time” and that the bill should move forward without question, busted internets be damned.

The fact that there was any debate over whether to call in experts on such a matter should tell you something about the integrity of Congress. It’d be one thing if legitimate technical questions directed at the bill’s supporters weren’t met with either silence or veiled accusations that the other side was sympathetic to piracy. Yet here we are with a group of elected officials openly supporting a bill they can’t explain, and having the temerity to suggest there’s no need to “bring in the nerds” to suss out what’s actually on it.

“No legislation is perfect,” Rep. Watt said at one point, continuing the insane notion that the goal of the House should be to pass anything, despite what consequences it may bring. Later, Iowa Representative Steve King tweeted, somewhat ironically, about surfing the internet on his phone because he was bored listening to his colleague Shiela Jackson speak about the bill. Then, even more ironically, another representative’s comments calling him out for it were asked to be stricken from the record.

This used to be funny, but now it’s really just terrifying. We’re dealing with legislation that will completely change the face of the internet and free speech for years to come. Yet here we are, still at the mercy of underachieving Congressional know-nothings that have more in common with the slacker students sitting in the back of math class than elected representatives. The fact that some of the people charged with representing us must be dragged kicking and screaming out of their complacency on such matters is no longer endearing — it’s just pathetic and sad.

Trusted ID technology is important because it can help improve consumer confidence in the Internet, said Gary Locke, secretary of the Commerce Department, during a speech at Stanford University in California. “The reality is that the Internet still faces something of a trust issue,” Locke said. “It will not reach its full potential until users and consumers feel more secure than they do today when they go online.”

Honestly, the BEST decision that I have made regarding computer security for myself, is doing complete away with Windows when I saw what a train-wreck that Vista was to become back in 2006. In doing so, I do not have suffer from the bane of Windows exploits and malware out on the web.

Locke and Howard Schmidt, cybersecurity coordinator at the White House, announced a national program office in the Commerce Department for the National Strategy for Trusted Identities in Cyberspace (NSTIC). The upcoming NSTIC, released in draft form in June, will seek to create an “ecosystem” where Internet users can trust each others’ identities, but the U.S. government will not have a monopoly on issuing online credentials, Locke said.

Download (PDF, 1016.85KB)

“Let’s be clear: We’re not talking about a national ID card,” he said. “We’re not talking about a government-controlled system.”

The White House will need technology vendors to design, build and offer trusted ID technologies, Locke added. A trusted ID system will give online users options, Schmidt added. There should be a range of trusted ID providers and a range of credentials available, he said. People should be able to use pseudonyms to make comments online, and trusted IDs should be optional, he added.

“I don’t have to get a credential if I don’t want one,” he said. “If I want to get a credential, I don’t have to use it all the time. I can be selective where I use it and when I use it.”

A trusted ID system will not solve all cybersecurity problems, but it will be one tool to improve online security, Schmidt said. “Many of you who have been in security for years know that security is not a destination, it’s a journey,” he said. “As a consequence, this is one piece that we need to put together.”

Representatives of security vendor McAfee and tech trade group TechAmerica praised the White House for focusing on trusted IDs and for reaching out to tech vendors.

“The government has clearly recognized that the tech industry must drive implementation of the national strategy,” said Phil Bond, president and CEO of TechAmerica. Bond called on the Commerce Department to create a private-sector advisory committee for its new trusted ID office.

It’s important that private companies drive the trusted ID effort, added privacy advocate James Dempsey , vice president for public policy at the Center for Democracy and Technology. “The government cannot create that identity infrastructure,” he said. “If it tried to, it wouldn’t be trusted.”

With only six major corporations owning the media, The move to regulate the Internet under a new government-controlled system has once again reared it’s ugly head. The government’s cybersecurity ecosystem revolves around issuing Internet users with ID “tokens” without which they will not be able to visit websites, in combination with Senator Joe Lieberman’s ‘kill switch’ bill, will serve to eviscerate the free Internet as we know it, not to mention cramming SOPA/PIPA down our throats.

Under the guise of “cybersecurity,” the government is moving to discredit and shut down the existing Internet infrastructure in the pursuit of a new, centralized, regulated world wide web.

It is important to stress that “cybersecurity” has nothing to do with protecting the infrastructure of the United States and everything to do with taking over the Internet. Cybersecurity is about attacking non-compliant Internet users, not defending against hackers. Non-compliance equates as using the Internet as a political tool to dissent against the policies of the U.S. government.

We are constantly told that the Internet needs to be subject to government control because cyberterrorists could hack in and bring down the national power grid. However, the vast majority of the U.S. power infrastructure is not connected to the Internet. It will only be connected to the Internet if the government accelerates the implementation of “smart grid” technology, so in this sense, the government itself is leaving the power grid more vulnerable to hackers by its own programs.

Threats against computer networks in the United States are grossly exaggerated. The story regarding the attack on the Illinois water pumping station is a good example, there are people still writing about it as if it were true. Here are two reputable site, that explain the story.

http://www.pcworld.com/businesscenter/article/245277/critical_systems_at_risk_despite_water_utility_false_alarm.html

http://www.washingtonpost.com/world/national-security/water-pump-failure-in-illinois-wasnt-cyberattack-after-all/2011/11/25/gIQACgTewN_story.html

After a series of shutdowns, the government will simply demand that every corporation or individual who wants to operate a website first obtain a license and an individual Internet ID. Such licenses will be revoked for anyone who engages in “hate speech,” which is now so broad a term that it encompasses offending anyone on the Internet and of course these items will be voluntary in the beginning.

The result will be a sterile and regulated Internet which more closely resembles cable TV than the true open source, outpost of free speech that we have come to know and love.

Computer Tips

• Stay up-to-date. Use a firewall as well as cyber security software, such as antivirus and antispyware, that will scan for computer security threats and uninstall them. Ensure all of your protection measures, as well as your operating system and software, are up to date. Also, change your passwords every 90 days for better information security. You could also try out Linux, as Windows will never be secure.
• Shop with care. Before submitting credit card information online, look at the URL to ensure you’re on a HTTPS (Hypertext Transfer Protocol Secure) site. Be wary if a site requires information that isn’t necessary for a transaction. Information security is more important than anything you could buy.
• Laptop security. With the proper software installed, stolen laptops can be tracked to a physical location if they are connected to the Internet. Other software gives you remote access for computer security with the ability to erase your files or send them to a secure data center for recovery via the Web. I highly recommend a free solution called ‘Prey‘ that you can use on both your laptop and mobile devices.

Here is a security quiz for you to take, see how many you can get right.

Obviously and it is no secret, that the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA) and other pro-copyright groups, lobby politicians and law enforcers for this and continue pushing very hard. It seems to me, that the industries distribution model is not working anymore, or perhaps the movies they are making are just crap? I have not been to the theater in six years, I find the cost to exorbitant in my opinion.

What’s striking is when a column by a prominent Attorney General appears to be written directly by the entertainment industries, here are some examples. Feel free to Google them:

It will take a strong, sustained effort to stop Internet thieves and profiteers.

Congress can make a significant contribution to that effort with legislation to strengthen law enforcement tools. In the interests of American citizens and businesses, it is time for Congress to enact rogue sites legislation.

[Rogue sites legislation] cut off foreign pirates and counterfeiters from the U.S. market and deprives them of what they want most — our money. By disrupting the business models of these online criminals, this legislation would make it less profitable and more difficult for those who wish to engage in blatant intellectual property theft.

This is quite a concern coming from someone who is supposed to be objective, especially considering that this Attorney General will have the exclusive power to grant requests for domain seizures and DNS blockades if SOPA or PIPA passes. The way it may seem it now, this Attorney General is clearly in the pockets of the pro-copyright lobby.

If you are not freaked out by SOPA/PIPA, please: for the next four minutes, instead of checking Facebook statuses, watch this video (by Fight for the Future).

However, what the U.S. House of Representatives and the Senate have planned for their respective bills is not a way of just putting a halt on online piracy. Tech giants such as Mozilla and Google who once supported these bills, now are on the offensive in trying to ensure they never get passed. Before going any further into how this affects the everyday internet users, let’s first get a good understanding about both bills.

PIPA

Let’s begin by first breaking down the first of the two bills that were introduced, PIPA. PIPA is an acronym for the Protect IP Act, and was first introduced to the U.S. Senate on May 12, 2011 by Senators Patrick Leahy, Orrin Hatch, Chuck Grassley. It is also good to take note that PIPA is a re-written legislation, the original being the failed to pass Combating Online Infringement and Counterfeits Act (COICA) of 2010.

PIPA, if passed, will give  U.S. corporations and the government the right to seek affirmative legal action with any website that they see as enabling copyright infringement weather of U.S. origin or not. Here is a breakdown of all that they will have the power to do.

• Force U.S. internet providers to block access to websites deemed as enablers of copyright infringement
• Seek legal action by suing search engines, blog sites, directories, or any site in general to have the black listed sites removed from their website
• Will be able to force advertising services on infringing websites, and those supporting of them, to remove them from their advertising accounts
• Companies will also have the power to sue any new websites that get started after this bill is passed, if they believe that they are not doing a good job of preventing infringement on your website

SOPA

SOPA is an acronym for the Stop Online Piracy Act, and is a bill introduced to the U.S. House of Representatives by Represenative Lamar Smith on October 26, 2011. In similarity with PIPA, SOPA is a build on a previous legislation. This legislation being the PRO-IP Act of 2008.

SOPA, if passed, will work in conjunction with PIPA. As described by such entities as the Electronic Frontier Foundation, SOPA is nothing more so than the U.S. government and private corporations black list. Here is a breakdown of the power given to the government and private corporations.

• The U.S. Attorney General can now seek a court order that would force search engines, advertisers, DNS providers, servers, and payment processors from having any contact with allegedly infringing websites
• It will allow private corporations to create their own personal hit lists composed of websites they feel are breaking their copyright policies, ironically this doesn’t have any odd feelings of a legal mafia at all. These companies will be able to directly contact a website’s payment processors a notice to cut all off payment involvement with the targeted website. This payment processors and website of question will then have five days to act before it is simply taken down.
• Payment processors will have the power to cut off any website they work with, as long as they can provide a strong reason of why they believe this site is violating copyright.

Here is a nice graphic regarding SOPA.

In the patch are other various information disclosure bugs, escalation of privilege issues and an update to Microsoft’s SEHOP (Structured Exception Handler Overwrite Protection) technology to enhance the defence-in-depth capability that it can offers to legacy applications. The first six bulletins affect various versions of the Windows Operating System, from XP SP3 up to the newest versions Windows 7 and Windows 2008 R2. The seventh bulletin covers Microsoft Developer Tools.

The “important” rather than critical status for the Beast SSL issue is at least debatable. The BEAST attack affects web servers that support SSLv3/TLSv1 encryption. Microsoft has already published a workaround, which involves using the non-affected RC4 cipher in SSL installations. A patch was originally promised in December but delayed until this month due to problems uncovered during testing. “Despite all of the hype over ‘The Beast’, attacks have simply never materialised and the issue has retained its ‘important’ classification from Microsoft,” notes Paul Henry, a security and forensic analyst at Lumension. Adobe and Oracle have both timetabled quarterly updates, on 10 January and 17 January, respectively in what promises to be a busy month for patching

What’s more, it’s not just the hardware of a system that has a tendency to degrade over time. Modern computers are complex, intricate pieces of technology- fifty years ago, people wouldn’t have even dreamed this sort of stuff existed. As with any complex system, sometimes things tend to go wrong. A glitch in the software here, a misplaced line of code there, and boom. What’s shocking isn’t the fact that there’s literally thousands of ways a computer could break down and simply stop working. No, what’s shocking is that most of these issues, most of these errors, are preventable. Windows users suffer through lot’s of problems, this is why I openly advocate Linux.

Here’s a few exercises (primarily meant for Windows users) that you should do, to ensure that your computer is in top working condition.

Regularly Defragment Your System

If you’ve never done it before…it might take a while. Now, the tech savvy among you are probably snorting derisively here, right? I’m starting off with something so obvious, after all. You’re
probably thinking “who doesn’t do that?” Oh, you’d be surprised. I can name about six people off the top of my head that I know of who barely even know what the term ‘defragment’ means, much less how to do it. See, as your computer operates, sometimes files tend to become ‘fragmented.’ Basically, they’re too big to store in one single area of the hard disc, so the OS breaks them apart, storing part of the file here, part of it there, and so on and so forth. As a result, the file takes a lot longer to load than it ordinarily would, and tends to slow the hard drive down considerably.

Defragmenting replaces these broken up files into singular, cohesive elements. They’re easier to access. and as a result, your hard drive has to do less work as the day-to-day operations are concerned. In Windows, you can usually access the defragmentation tool by either right clicking on the drive you want to defragment and going to ‘properties’ then clicking on the ‘tools’ tab, or finding it in the start menu under accessories-system tools. Far as I know, Windows is the only OS that really suffers a great deal from degrading performance as a result of file fragmentation. A lot of people run a defrag daily, making it part of their computer’s daily ‘wellness regimen’. Note: DO NOT do this if your using a solid state drive (SDD). You should not defrag a SSD hard drive on a regular basis. SSD drives have limited write cycles and even though it may be rare to hit one, defragging is just asking for a dead SSD drive. Also, with the speed increase from a SSD drive, the performance hit from fragmentation is rarely, if ever, noticeable.

Clear off Your Hard Drive

Again, this one should also be incredibly obvious…but the thing is, it’s not. Not as much as one would think, anyway. When your hard drive starts to get too full (somewhere over 90% or so) your system’s performance starts to go down into the toilet. You don’t really need to know more than that. Think about what programs or files you don’t really need, or aren’t using, and get rid of them. If you’ve a lot of files you simply cannot part with, it might be worth investing in an external hard drive for some extra storage space.

Clean Up The System Registry

Glitches in the system registry can have a lot of adverse effects- anywhere from your system running a bit slower to the dreaded blue screen of death. And the thing is, scanning for errors (coincidentally, the next step) won’t always catch all of the registry errors.

Regularly Scan For Errors

If I haven’t made it obvious already, sometimes computers tend to screw up. System errors can cause and stem from a plethora of different problems- what caused the error isn’t generally as relevant as the fact that, unless it’s taken care of, it’s likely just going to cause more and more problems for you, the user. As a general rule, I like to run an error scan at least once a week, if not more often. To do this, go to your C drive, right click, and select ‘properties.’ You’ll find the option for error checking there. Click all the check boxes, and then click ‘check now.’ Then restart your
computer, and wait. It might be a while, depending on the size of your hard drive.

Run Regular Virus/Spyware Scans

Yes, both virus and spyware. And to be safe, it’s usually best to download several different programs to that effect. I find that ESET NOD32 used in conjunction with HitmanPro to be effective and are some of the more effective antivirus programs (Stay the hell away from Norton, that’s all I can say- unless you fancy your computer walking instead of running. As anyone who’s used the program can attest, that’s a fitting metaphor) Why do I advocate running more than one scanner? Because the fact is; sometimes a particularly nasty file might be missed by one virus scanner, but picked up by another. No security software is completely bulletproof, so it’s usually best to have a few alternatives, just to be safe. That said, a lot of malware/spyware can be avoided simply by practicing safe browsing practices. Yeah, yeah, I know. You already know all of this, right?

Ensure Your OS Is Up To Date

Usually your system will sort this one out by yourself. But if you’re like me, and didn’t want to deal with the ever-intrusive automatic updates system, you’ll need to remember every now and then to run through the process of patching your operating system. What’s more, automatic updates usually only brings you the ‘vital’ changes to the OS. A lot of times, there’ll still be a great many updates that are worth installing on the developer’s website. It’s worth looking.

Regularly Clean Your Computer’s Interior Components

Computers tend to gather a pretty considerable collection of dust and grime over their operating life. That dust will often interfere with components, causing them to retain a lot more heat than they ordinarily would. That, in turn, shortens their life cycle. Every few months(probably somewhere around four to six), as a general rule, it’s a good idea to pop open your system and gently clean the components. I typically use compressed air and a vacuum to collect the dust. Much simpler, more effective, more thorough, and safer than a cloth. I cringe to think of a newbie wiping a cloth across the motherboard (or any other PCB board in the system for that matter). Not to mention there’s no way to get a cloth into the the CPU (and other) heatsink and fans, which are the most important parts to keep dust-free.