Salon’s Six States Story

Salon has an interesting article on the methods used by some to control citizens’ identity and their voting systems in order to influence elections in America:

Under a draconian new Arizona law that supposedly targets illegal immigrants, she needs proof of citizenship and a state-issued driver’s license or photo I.D. to register. […] She’s unable to overcome the hurdles thrown in her way — and in the way of as many as 500,000 other Arizona residents — by the state’s Republican politicians.

Recent IE patch leads to buffer overflow

eEye has reported that the August 8th cumulative patch for Internet Explorer 6 SP1 (MS06-042) actually creates another serious exploit vector on Windows 2000 and Windows XP SP1:

This information is already known in various research circles and also with exploit writers. So it is important that IT administrators understand the true threat of this problem: that this is not simply a crashing bug, as Microsoft has been incorrectly misrepresenting it, but in fact that it is an exploitable security bug. Researchers and exploit developers know this, therefore it is extremely important that IT administrators are told what really is going on.

The current recommendation is a workaround for Windows 2000 (disable HTTP 1.1 in Internet Explorer) and an upgrade of Windows XP to SP2. If you are not on SP2 by now, you probably also want to check out the workaround.

Stupid Security Awards

This is kind of funny and sad at the same time:

A civil rights organisation wants to hear examples of security measures that are so ill-advised, impotent or irritating that they should be named and shamed.

Privacy International (PI) announced on Monday that it is holding the “Stupid Security Awards” in an attempt to highlight the absurdities of the security industry.

I guess the positive aspect of this is that it brings security into a sphere of communication and discussion that could lead to improvements, if improvements are really the desired outcome. I worry that the trade-offs will not be discussed in a fair light, since it could easily become a “we hate helmets and we’re louder than you so repeal the law now” festival.

Does it count if you are in the security industry and create an ill-advised measure just to win the award? That would be sooo fitting if someone were to game a system meant to highlight stupidity in security measures.

FCC (still) investigating fake news

The Center for Media and Democracy (CMD) did a study of news stations in America and documented many cases where the true source of video news releases (VNR) was not clearly disclosed:

KOKH-25 in Oklahoma City, OK, a FOX station owned by Sinclair, aired six of the VNRs tracked by CMD, making it this report’s top repeat offender. Consistently, KOKH-25 failed to provide any disclosure to news audiences. The station also aired five of the six VNRs in their entirety, and kept the publicist’s original narration each time.

The FCC responded by announcing an investigation of its own, as noted by the CMD:

If the Commission determines after investigation that a licensee has violated sponsorship identification rules, the FCC may impose monetary fines of up to $32,500 per violation, and initiate license revocation proceedings against licensees. Section 507 of the Communications Act establishes civil and criminal penalties for violation of disclosure requirements, with the possibility of a fine of up to $10,000 and as much as a year of imprisonment.

The fines go higher for repeat offenses, but there appears to be a maximum of less than $500,000. The CMD report highlighted over seventy stations, including more than twenty from Walt Disney Company’s ABC network and seven from the Sinclair Broadcast Group Inc. I wonder if the FCC will find more and how far back in time they will consider, now that video archives are available almost anywhere.

The Independent has a story that the FCC investigations started almost immediately after the CMD report was published last April:

Federal authorities are actively investigating dozens of American television stations for broadcasting items produced by the Bush administration and major corporations, and passing them off as normal news. Some of the fake news segments talked up success in the war in Iraq, or promoted the companies’ products.

Fake news segments talked up success? Sounds like politics as usual, and why Roosevelt created the FCC in the first place.
