We all know that countries like China, Singapore, North Korea, as well as organizations such as the U.S. military, the State of Kentucky, and various corporations, local school districts and public libraries censor their Internet users’ web surfing. Bennett Haselton of Peacefire has a solution he calls the Circumventor.

And to bring in more Circumventor users, Peacefire is paying $10 per IP address to anyone who installs the anti-censorship software and leaves it running for at least a week.

Circumventor is a simple piece of software based on James Marshall’s CGIProxy script running under ActiveState Perl and the OpenSA web server on Windows 2000 or XP. (No word on whether it runs on Windows Vista, but I suspect it would.)

Once installed, the Circumventor creates a small Web service for which Peacefire then shares its URL with “people who need them, such as people serving in the U.S. military overseas, and victims of totalitarian dictatorships such as China, North Korea, and high school,” Haselton wrote on the Peacefire Web site.

It usually takes three or four days before Web filtering companies and national governments add new URLs to their blocking lists, Haselton said.

To get paid, you simply install the Circumventor software:

1. Download ActivePerl and install it. It must be installed to C:\Perl (this should be the default). Accept all of the default options.
2. Download OpenSA 2.0.2 beta and install it. Accept all of the default options. (If you get to a screen titled “Server Information” and it doesn’t have values filled in for “Network Domain”, “Server Name” and “Administrator’s Email Address”, just fill in these boxes with made-up random values — the Circumventor doesn’t use them.)
3. Download the circumventor-setup.exe program and pick “Save” — then once you have saved it on your computer, run the circumventor-setup.exe file that you saved.

Note that even if you have more than one computer in your home, you can only install it on one computer per external IP address (the address assigned by your ISP), you need a broadband connection where the IP address will remain the same for at least a week, and you may need to forward port 443 from your cable or DSL modem’s firewall to your computer.

Once you’ve installed it, e-mail bennett@peacefire.org with the URLs of the Circumventor scripts, which the program gives you during setup. After they’ve been up a week, he’ll send you $10 via PayPal or mail you a check.

And you’ll be helping people in less free countries bypass their national censorship filters, as well as helping U.S. servicemembers bypass their censorship filters.

(Hat tip: Electronic Frontier Foundation)

The U.S. Department of Agriculture said Wednesday that a hacker broke into one of its databases during the first week of June and may have accessed personal records for up to 26,000 Washington, D.C.-based USDA employees, former employees and contractors, about one fourth of the department’s work force.

Yes, that’s right, another one.

IT workers discovered the breach on June 5, and notified Secretary of Agriculture Mike Johanns the next day.

An initial forensic review indicated that no personal information had been accessed, but after further investigation, staff were unable to be certain of this, prompting Wednesday’s notification.

The USDA will offer free credit-monitoring services for one year to each of the affected people, Johanns said, and will notify the people affected by e-mail and by postal mail.

Government auditors have given the USDA an “F” on its computer security for the past several years. This shouldn’t surprise anyone: The database containing the personal information is on the same system as another database wide open to the public.

Earlier this month the National Nuclear Security Agency revealed that personal data for 1,500 Albuquerque, N.M., employees was stolen, and in May, a laptop assigned to a Veterans Administration employee containing personal information for over 26 million active duty and discharged veterans was stolen from his home.

People who believe they may be affected by the data breach can go to http://www.firstgov.gov/ or call 1-800-FED-INFO (1-800-333-4636) for more information.

I really should just write up a template for this, so the next time a government agency gets hacked, I can just drop in the name of the agency, the name of the head honcho, and post it. After all, government computer security sucks. At this rate I could start a Hacked Government Agency of the Month Club and never lack for an incident.

The Digital Millennium Copyright Act, passed in 1998 at the behest of the music and movie industries, has done little to benefit anyone except a select group of companies who have used its provisions to establish, maintain and expand a virtual stranglehold on the entertainment industry. The cartel which has arisen after this act does not benefit consumers at all; rather, it gouges them for as much money as they can possibly suck out, corrupts modern technology, and sets back the state of the art.

The remainder of this message is encrypted using an algorithm which provides virtually no security, but which (if I were so inclined) would open you up to lawsuits if you decrypted it without my permission.

Va 2001, gur pnegry vagebqhprq UQPC, be Uvtu-onaqjvqgu Qvtvgny Pbagrag Cebgrpgvba, n frphevgl zrnfher vagraqrq gb cebgrpg qvtvgny pbagrag nf vg’f genafzvggrq orgjrra UQ-pncnoyr qvtvgny qrivprf, fhpu nf arjre UQGI naq UQ-QIQ be Oyh-Enl cynlref. Gur ceboyrz vf gung vg vfa’g irel frpher ng nyy, naq va snpg vf snveyl rnfl gb oernx. Va snpg, vg jnfa’g vagraqrq nf erny frphevgl va gur svefg cynpr; vg jnf qrfvtarq gb nyybj gur zhfvp naq zbivr vaqhfgevrf gb svyr zber ynjfhvgf.

Rq Srygra bs Serrqbz gb Gvaxre unf na rkpryyrag sbhe-cneg frevrf cbfgrq guvf jrrx nobhg UQPC. (1, 2, 3, 4)

Gur synjf va UQPC frphevgl jrer npghnyyl qrfvtarq va gb gur flfgrz sebz gur fgneg. Gung’f evtug, Ubyyljbbq jnagrq gur flfgrz gb or vafrpher. Gurl jrer arire vagrerfgrq va cebivqvat erny cebgrpgvba sbe qvtvgny pbagrag, ohg vafgrnq gb cebgrpg gurve pnegry.

Haqre gur flfgrz nf qrfvtarq, nalobql jub jnagf gb ohvyq n gryrivfvba frg, QIQ cynlre, be nalguvat ryfr gung qbrf cerggl zhpu nalguvat jvgu qvtvgny ivqrb unf gb trg n yvprafr sbe UQPC. Vs gurl ohvyq na hayvprafrq qrivpr, gurl pna or fhrq haqre gur QZPN.

Gur boivbhf vzcyvpngvba bs guvf vf gung pbafhzre pubvpr vf yvzvgrq. Grpuabybtl juvpu jbhyq bgurejvfr rkvfg vf arire qrirybcrq orpnhfr bs gur yvprafvat erdhverq. Srjre cebqhpgf pbzr gb znexrg, naq gubfr gung qb pbzr gb znexrg ner zber rkcrafvir. UQPC nqqf nf zhpu nf $100 gb gur pbfg bs rnpu UQGI frg, sbe vafgnapr. Yrff vaabingvba gnxrf cynpr. Rira Zvpebfbsg zhfg obj, xvff gur evat, naq cnl hc, vs gurl jnag gb pbagvahr gb vapyhqr QIQ cynlonpx pncnovyvgl va Jvaqbjf.

Va gur zrnagvzr, UQPC vf rkcrpgrq gb or oebxra jvguva gur arkg lrne be gjb. Nyy gung’f arrqrq ner 40 qrivprf jvgu UQPC ohvyg va gb gurz naq n yvggyr ovg bs gvzr. Bapr gung unccraf, rirel UQPC rdhvccrq qrivpr vf creznaragyl pbzcebzvfrq. Fbzr frphevgl.

Ivn Ryrpgebavp Sebagvre Sbhaqngvba.

P.S. If you’re successful in decrypting the message, post the plaintext below.

Last August, Customs and Border Protection computers responsible for processing international travelers entering the U.S. failed for several hours due to a Windows computer virus, resulting in long delays in processing visitors. Now it comes out that the Department of Homeland Security could have prevented it, but decided to let it happen.

The Zotob virus attacked computers worldwide last August, causing failures for many news organizations, corporations and government agencies. One of the affected networks was the US-VISIT network, responsible for screening visitors to the U.S., which uses Windows 2000 workstations. On the evening of August 18, 2005, the system failed, and was restored in about six hours. Many thousands of visitors were delayed at airports and land crossings.

And the reason it failed, according to heavily redacted CBP documents (PDF) released under the Freedom of Information Act, was that the Department of Homeland Security deliberately held back the Microsoft software patch which would have protected the computers from the Zotob virus.

The disturbing part is that somehow that network is connected to the Internet, and if it could be infected with a virus propagating on the Internet, it may be open to hackers as well.

“That machine was reachable from some network, that was connected to some other network, that was connected to the internet,” says Tim Mullen, a Windows security expert and CIO of security firm AnchorIS. “There was some series of connections that manifested itself in those machines getting compromised.”

A September report by the DHS inspector general found computer security at CBP wanting. In a scan of 368 devices on CBP networks, investigators identified 906 security vulnerabilities rated as medium or high risk. They criticized CBP for failing to implement a comprehensive security testing program, among other issues.

“Our vulnerability assessments identified security concerns resulting from inadequate password controls, missing critical patches, vulnerable network devices and weaknesses in configuration management,” the report concludes. “These security concerns provide increased potential for unauthorized access to CBP resources and data.” — Wired News

Network security for the Department of Homeland Security is currently handled by Immigration and Customs Enforcement, but the department plans to transfer control of network security to CBP.

Generally I try to ignore President George W. Bush when he makes proclamations. But when he came out today and urged everyone to “use and regularly update their anti-virus software and firewall,” I felt I had to say something.

On Friday, Bush proclaimed the week of Feb. 5 through 11 as National Consumer Protection Week, urging “Government officials, industry leaders, and consumer advocates to provide citizens with information about how they can be responsible consumers, and I encourage all citizens to take an active role in protecting their personal information.”

As indeed they should. But I just wonder if he even knows what anti-virus and firewall software are? Or when is the last time he touched a computer?

During National Consumer Protection Week, we highlight the importance of consumer education in the ongoing fight against fraud and encourage consumers to make wise decisions.

Each year, nearly 25 million adults are victims of consumer fraud. These crimes damage lives and shake consumer confidence. The Federal Trade Commission (FTC) and other organizations recommend several steps that Americans can take to help protect themselves against fraud. First, consumers should be cautious about giving out personal information such as Social Security and account numbers. Second, they should be aware of the credentials of an organization before making a transaction, especially through the mail, over the phone, or on the Internet. Third, before finalizing a purchase or agreement, the FTC suggests considering offers with care, avoiding immediate decisions, and requesting to have information in writing. In addition, when using the Internet, the FTC recommends that consumers exercise caution in responding to solicitations and that consumers use and regularly update their anti virus software and firewall.

My Administration is committed to vigorous enforcement of the consumer protection statutes, and the Department of Justice’s Office of Consumer Litigation and other Federal agencies are working diligently to that end. The FTC is working to fight unsolicited e-mail under the Controlling the Assault of Non Solicited Pornography and Marketing Act and is establishing new rules under the Fair and Accurate Credit Transactions Act to further protect against identity theft. We are protecting American consumers through the National Do Not Call Registry.

Millions of Americans have registered already, and individuals may call 1 888 382 1222 or visit the Do Not Call website at www.donotcall.gov to have their number added to the list. Citizens can learn more about ways to fight fraud from the National Consumer Protection Week website at www.consumer.gov/ncpw. By actively guarding against fraud, consumers can protect themselves and enhance the strength and integrity of our Nation’s economy.

NOW, THEREFORE, I, GEORGE W. BUSH, President of the United States of America, by virtue of the authority vested in me by the Constitution and laws of the United States, do hereby proclaim February 5 through February 11, 2006, as National Consumer Protection Week. I call upon Government officials, industry leaders, and consumer advocates to provide citizens with information about how they can be responsible consumers, and I encourage all citizens to take an active role in protecting their personal information.

IN WITNESS WHEREOF, I have hereunto set my hand this third day of February, in the year of our Lord two thousand six, and of the Independence of the United States of America the two hundred and thirtieth. — George W. Bush

I try not to recommend particular brands of Internet security software, as they are generally for Windows, and Windows tends to be the source of computer security problems; the security suites are like plugging holes in your boat if you run Windows. That said, here’s my list of things you need to do to increase your security and avoid fraud:

• Add your telephone numbers to the National Do Not Call registry.
• Get your free credit report (this is the real deal).
• Don’t use Internet Explorer to browse Web sites. Use Firefox (or another browser) instead. Once you’ve installed Firefox, disable access to Internet Explorer (Windows 2000 SP4 and Windows XP).
• Ensure that your operating system and other software is kept up-to-date by visiting Microsoft Update regularly.
• Install personal firewall, anti-virus and anti-spyware software.
• Beware of offers you receive via e-mail. Some spammers send fake e-mail messages which appear to be from a legitimate company; this is called phishing. If you click a link in the e-mail message, you will be taken to a fake Web site where the criminal intends to capture your personal information and use it to commit identity theft. To avoid this, always type in the real Web site address yourself.
• In addition, never respond to any offer in e-mail which is of poor quality, has large numbers of misspelled words, etc. This is spam, and you’re likely to be a victim of fraud if you respond to these messages.

I’ve covered this issue in more depth: Is your computer endangering homeland security?

Two separate lawsuits filed in California and Texas on Monday allege that Sony BMG Music Entertainment distributed spyware on 52 music CD titles, which compromised the security of buyers’ computer systems when the CDs were inserted into Windows PCs, and transmitted data on the computer users’ listening habits back to the company.

Texas Attorney General Greg Abbott filed a civil lawsuit on Monday against Sony BMG Music Entertainment for hiding “spyware” software on its compact discs in a bid to thwart music copying.

According to the lawsuit filed in Travis County, several of the company’s music compact discs require customers to download Sony’s media players if they want to listen to the CDs on a computer.

Software included with that media player “remains hidden and active” after installation, the Attorney General’s office said, and makes users vulnerable to security risks and possible identity theft.

Sony said on its Web site that it had recalled all CDs that were installed with its XCP technology designed to prevent illegal music copying, Abbott said, but Texas investigators were able to purchase several of the CDs at Austin retailers on Sunday.

Texas is seeking civil penalties of $100,000 per violation of the state’s Consumer Protection Against Computer Spyware Act, which was enacted earlier this year.

“Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers,” Abbott said.

Sony announced on Friday that customers could exchange CDs that contained XCP software for new copies without the spyware, and download software designed to fix the security vulnerabilities. — Reuters

Separately, the Electronic Frontier Foundation filed suit in California, not only over the XCP software, but over another piece of software Sony used, known as MediaMax, which is on many more CD titles and suffers from many of the same problems.

EFF is pleased that Sony BMG has taken steps in acknowledging the security risks caused by the XCP CDs, including a recall of the infected discs. However, these measures still fall short of what the company needs to do to fix the problems caused to customers by XCP, and Sony BMG has failed entirely to respond to concerns about MediaMax, which affects over 20 million CDs — ten times the number of CDs as the XCP software.

“Sony BMG is to be commended for its acknowledgment of the serious security problems caused by its XCP software, but it needs to go further to regain the public’s trust,” said Corynne McSherry, EFF Staff Attorney. “It is unconscionable for Sony BMG to refuse to respond to the privacy and other problems created by the over 20 million CDs containing the SunnComm software.”

The suit, to be filed in Los Angeles County Superior court, alleges that the XCP and SunnComm technologies have been installed on the computers of millions of unsuspecting music customers when they used their CDs on machines running the Windows operating system. Researchers have shown that the XCP technology was designed to have many of the qualities of a “rootkit.” It was written with the intent of concealing its presence and operation from the owner of the computer, and once installed, it degrades the performance of the machine, opens new security vulnerabilities, and installs updates through an Internet connection to Sony BMG’s servers. The nature of a rootkit makes it extremely difficult to remove, often leaving reformatting the computer’s hard drive as the only solution. When Sony BMG offered a program to uninstall the dangerous XCP software, researchers found that the installer itself opened even more security vulnerabilities in users’ machines. Sony BMG has still refused to use its marketing prowess to widely publicize its recall program to reach the over 2 million XCP-infected customers, has failed to compensate users whose computers were affected and has not eliminated the outrageous terms found in its End User Licensing Agreement (EULA).

The MediaMax software installed on over 20 million CDs has different, but similarly troubling problems. It installs files on the users’ computers even if they click “no” on the EULA, and it does not include a way to fully uninstall the program. The software transmits data about users to SunnComm through an Internet connection whenever purchasers listen to CDs, allowing the company to track listening habits — even though the EULA states that the software will not be used to collect personal information and SunnComm’s website says “no information is ever collected about you or your computer.” If users repeatedly requested an uninstaller for the MediaMax software, they were eventually provided one, but they first had to provide more personally identifying information. Worse, security researchers recently determined that SunnComm’s uninstaller creates significant security risks for users, as the XCP uninstaller did.

“Music fans shouldn’t have to install potentially dangerous, privacy intrusive software on their computers just to listen to the music they’ve legitimately purchased,” said EFF Legal Director Cindy Cohn. “Regular CDs have a proven track record — no one has been exposed to viruses or spyware by playing a regular audio CD on a computer. Why should legitimate customers be guinea pigs for Sony BMG’s experiments?”

“Consumers have a right to listen to the music they have purchased in private, without record companies spying on their listening habits with surreptitiously-installed programs,” added EFF Staff Attorney Kurt Opsahl, “Between the privacy invasions and computer security issues inherent in these technologies, companies should consider whether the damage done to consumer trust and their own public image is worth its scant protection.”

Both the XCP and MediaMax CDs include outrageous, anti-consumer terms in their “clickwrap” EULAs. For example, if purchasers declare personal bankruptcy, the EULA requires them to delete any digital copies on their computers or portable music players. The same is true if a customer’s house gets burglarized and his CDs stolen, since the EULA allows purchasers to keep copies only so long as they retain physical possession of the original CD. EFF is demanding that Sony BMG remove these unconscionable terms from its EULAs. — Electronic Frontier Foundation

People have gotten years in prison for doing far less damage to people’s computers. Sony should be prosecuted to the fullest extent of the law, and perhaps its executives should face criminal charges over this.

To protect yourself against copy protection on CDs, hold down the Shift key while inserting the disc, or better yet, disable the Windows “autorun” feature. This prevents the illegal software from running on your computer, but the downside is you have to start your CD player — and applications on other CDs that you might use — manually.

A while back I wrote about trusted computing and how Microsoft’s implementation, the Next Generation Secure Computing Base, was set to impose onerous restrictions on computer owners, such as preventing them from playing legally purchased media with a player not approved by Microsoft. The post got some scathing criticism from some trusted computing practitioners who missed the point. Trusted computing is not the problem; Microsoft is.

Recently the Trusted Computing Group released a best practices document, Design, Implementation and Usage Principles for TPM-Based Platforms. The document, which Bruce Schneier reviewed in detail, says, among other things, that implementations should give the owner ultimate control of their computers and not put up interoperability roadblocks.

Even if not perfect, it’s a good start. I would trust a trusted computing implementation that followed these guidelines. So what’s the problem? “Microsoft is doing its best to stall the document, and to ensure that it doesn’t apply to Vista (formerly known as Longhorn), Microsoft’s next-generation operating system,” said Schneier.

If the document applied to Windows Vista, Microsoft would not be able to implement several planned DRM features at the request of Hollywood, such as the Protected Media Path.

Microsoft appears to be abusing its monopoly position (again) to gain even greater control over users’ PCs. This time, they’ve got the Hollywood studios backing them.

Updated A U.S. Customs computer system used for processing passengers arriving on international flights shut down for several hours Thursday, resulting in lengthy delays for arriving travelers.

At one point Miami International Airport had over 2,000 passengers waiting to clear immigration. The airport, along with airports in the New York area, were clearing passengers by hand. Los Angeles International Airport was able to use a backup computer system to clear passengers.

“Unfortunately with technology you have periods where things happen,” said Zachary Mann, a U.S. Customs and Border Protection spokesman in southern Florida. The outage was caused by the failure of a central database in Virginia that lasted from about 6 p.m. to 11:30 p.m., according to Mann. He did not give any further details.

It wasn’t known at this time whether the computer system was hit by the Windows 2000 virus which has been making the rounds the last few days, but these incidents once again illustrate the importance of not using Windows for mission-critical tasks, as well as keeping systems up to date with security patches, when available.

To ensure that your Windows computer has received the latest security patches, turn on Automatic Updates, or visit Windows Update. And for everyone’s sake, including your own, start looking into alternatives such as Linux.

Update August 20: It appears that this disruption in service was caused by the Zotob virus, according to the Wall Street Journal.

The DRM (digital rights management) technology to be included in Microsoft’s Windows Vista is set to give Hollywood movie studios unprecedented level of control over consumers’ PCs, according to a Microsoft white paper.

According to the white paper, Hollywood movie studios will have veto power over certain parts of Windows Vista, including aspects of driver design and cryptography, in Windows’ Protected Media Path. Consider:

Other companies are free to invent their own [encryption for video output] … but security considerations mean that there is a high bar to meet before a new cipher can be approved for use….

The evidence must be presented to Hollywood and other content owners, and they must agree that it provides the required level of security. Written proof from at least three of the major Hollywood studios is required. — Microsoft (Microsoft Word)

The upshot of this is that not only will the movie studios have unprecedented control over your computer’s hardware and software, but other operating systems such as Mac OS and Linux could be locked out from playing legally purchased DVDs, for instance.

The details can be found over at Freedom to Tinker, and more background information is availble from the Electronic Frontier Foundation.

Hollywood has gone much too far. As copyright holders they certainly have the right to restrict distribution of their works, but they do not have the right to dictate how we, the people who purchase and enjoy those works, view them. Imagine a major book publisher requiring you to read their books using only approved light bulbs and approved light fixtures. This is exactly what’s going on, and it needs to be stopped.

Find out more about Microsoft’s Next-Generation Secure Computing Base, of which the Protected Media Path is a part.

Consumers rarely have a disaster recovery strategy for their computer systems, and the few who do find it a frustrating experience, according to Larry Seltzer. But why bother?

A disaster, says Seltzer, can be anything: “a fire, it could be a hard disk crash, the computer could fall off the table, or it could be a massive virus infection or some other software disaster.”

Then what happens to your files? Even if the computer manufacturer repairs or replaces your computer under warranty, you’re going to find it comes back with the hard drive reformatted and back to factory software. All of your files will be gone. Or a virus could take out all your files.

Seltzer argues that simply having security software is not enough. How important is your data to you? Read the complete article at eWEEK.

I would say preventing disaster is the first thing to do. Installing Linux or getting a Macintosh would be a great first step towards preventing the inevitable disasters that befall Windows PCs.

Thanks to Security Awareness for Ma, Pa and the Corporate Clueless.