<?xml version="1.0" encoding="windows-1251"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
<title>Security - Daemon News - Best Software Review</title>
<link>http://www.daemonnews.org/</link>
<language>ru</language>
<description>Security - Daemon News - Best Software Review</description>
<generator>DataLife Engine</generator><item>
<title>Breaking the Mariposa botnet (Q&amp;A)</title>
<guid isPermaLink="true">http://www.daemonnews.org/security/5787-breaking-the-mariposa-botnet-qa.html</guid>
<link>http://www.daemonnews.org/security/5787-breaking-the-mariposa-botnet-qa.html</link>
<description><![CDATA[ <p>At its height, the Mariposa botnet consisted of about 13 million computers in 190 countries. A joint operation by researchers from Canadian security firm Defence Intelligence and Spain's PandaLabs, in conjunction with the FBI and the Guardia Civil, led to the arrest of three men in Spain earlier this month in connection with the Mariposa botnet.
</p><p>
The men, who had no specific computer training, are believed to have played a part in operating the command-and-control servers for the botnet, according to PandaLabs' technical director Luis Corrons, who spoke to ZDNet UK about Mariposa following the arrests.
</p><p> <b>When did security researchers start tracking the botnet?</b><br /> Corrons: It started in May 2008. Defence Intelligence noticed companies were getting infected and found a new botnet, which was Mariposa. They started an investigation and found links to Spain. They found that some of the command-and-control servers were located in Spain. </p><p>
<b>Read more</b> of 'How the butterfly botnet was broken' at ZDNet UK.</p> 
     <p> Source: <a rel='nofollow' href='http://news.cnet.com/8301-1009_3-20000557-83.html'>Breaking the Ma...</a> </p>]]></description>
<category><![CDATA[Security]]></category>
<dc:creator>admin</dc:creator>
<pubDate>Tue, 16 Mar 2010 14:55:07 -0500</pubDate>
</item><item>
<title>Internet safety video could win you $10,000</title>
<guid isPermaLink="true">http://www.daemonnews.org/security/5768-internet-safety-video-could-win-you-10000.html</guid>
<link>http://www.daemonnews.org/security/5768-internet-safety-video-could-win-you-10000.html</link>
<description><![CDATA[ <p>Computer security company Trend Micro has an offer for any teen or adult who cares about Internet safety and security and wants to become an award-winning filmmaker. The company has launched a contest called 'What's Your Story?' where the person who submits the best short video (no more than 2 minutes) can win $10,000. There are also four $500 prizes.</p><p> </p><div class='cnet-image-div image-medium float-right' style='width: 270px'>
<img class='cnet-image' src='/uploads/posts/328997e48190.jpg' alt=''
width='270' height='56' />
<p class='image-caption'>Trend Micro is giving away $10,000 to best Internet safety video</p>
<span class='image-credit'>(Credit:
Trend Micro)</span>
</div><p> The deadline is April 30th and only residents of the U.S. and Canada who are 13 or older are eligible to win.</p><p> Entries must be about one of these four topics:</p><p> &#8226; Keeping a good rep online (avoiding embarrassing photos, videos, or postings)</p><p> &#8226; Staying clear of unwanted contact (including bullies)</p><p> &#8226; Accessing (legal) content that's age-appropriate (avoiding sites that are 'offensive, violent, pornographic, full of foul language, or inappropriate for certain ages')</p><p> &#8226; Keeping the cybercriminals out (computer security issues like identity theft, scams, spam, viruses, and other bad stuff)</p><p> You don't need a fancy video camera. A Webcam, a cell phone video camera, or something like the Cisco Flip Camera will do.</p><p> Although the contest is open to anyone over 13, I'm hoping there are lots of entries from teenagers. This is an opportunity for teens to share their own experiences and thoughts about Internet safety with their peers, which can be a lot more effective than lectures from adults. Still, parents, teachers, and older students are also encouraged to enter, though contributions from teens are strongly encouraged.</p><p> All submitted videos will be posted on the site after being checked for appropriateness. People who submit are encouraged to promote their own videos with links on their social-networking pages and blogs. Judges will take into account the number of views--not only as a way of promoting awareness but also giving filmmakers real-world experience in marketing and promotion.</p><p> The contest's website has sample videos to give contestants ideas.</p><p> Contest judges include representatives of nonprofit Internet safety organizations including Common Sense Media, Identity Theft Resource Center, and ConnectSafely.org, where I serve as co-director. And yes, I'll be one of the judges. 
(Trend Micro provides financial support to ConnectSafely.org.)</p><p> ConnectSafely can't enter the contest, but here's one we commissioned that I think is pretty funny:</p><p> <object width='480' height='385'><param name='movie' value='http://www.youtube.com/v/Enph-DJ7wv0&hl=en_US&fs=1&'></param><param name='allowFullScreen' value='true'></param><param name='allowscriptaccess' value='always'></param><embed src='http://www.youtube.com/v/Enph-DJ7wv0&hl=en_US&fs=1&' type='application/x-shockwave-flash' allowscriptaccess='always' allowfullscreen='true' width='480' height='385'></embed></object></p> 
     <p> Source: <a rel='nofollow' href='http://news.cnet.com/8301-19518_3-10468385-238.html'>Internet safety...</a> </p>]]></description>
<category><![CDATA[Security]]></category>
<dc:creator>admin</dc:creator>
<pubDate>Tue, 16 Mar 2010 06:55:22 -0500</pubDate>
</item><item>
<title>Filling the digital landfills of our lives</title>
<guid isPermaLink="true">http://www.daemonnews.org/security/5752-filling-the-digital-landfills-of-our-lives.html</guid>
<link>http://www.daemonnews.org/security/5752-filling-the-digital-landfills-of-our-lives.html</link>
<description><![CDATA[
     
    
     <div class='cnet-image-div image-medium float-right' style='width: 184px'>
<img class='cnet-image' src='/uploads/posts/d7a518ddc5f0.jpg' alt=''
width='184' height='138' />
</div><p>Clay Shirky believes we're biased both to share and to like sharing digital information.  Given the rate at which we create, share, and then discard digital goods, he may be right.  The problem is that we're now wading through digital debris, and there may be hard costs associated with our wastefulness.</p>

<p>No, I'm not talking about Nick Carr's 'Google makes us stupid' argument, though I think he raises a host of valid points.</p>

<p>Rather, I'm talking about the hard and soft costs associated with massive 'landfills' of digital information which never get used, but take up space, all the same.</p>

<p>There was a time when storing information was an arduous task, which is one reason the Dead Sea Scrolls remain with us while the shopping lists of the Essenes have long been forgotten.  Few knew how to write, and those who did found the job hard enough that they chose to only record the essentials of life (and religion).</p>

<p>We don't live in that time.  For us, creating a blog takes seconds, which is just a few seconds short of how long the typical blog (or Facebook page, Twitter account, etc.) endures.  Starting an open-source project should be more time consuming and, hence, enduring, but of the hundreds of thousands of projects on Sourceforge.net, Google Code, and other repositories, most are abandoned.</p>

<p>Call it the detritus of our digital lives.  Easy to create.  Easy to forget.</p>

<p>Unfortunately, the Web doesn't forget all the digital debris.  In fact, it's hard-wired to do the exact opposite: to remember and to accumulate.  This isn't without cost, even if the 1s and 0s themselves are free.</p>

<p>After all, Google has to wade through it when indexing and searching the Web.  Spam (arguably a symptom of our digital abundance) may be trash, but it's 90 percent of the e-mail sent, which adds up to bandwidth, storage, and personal productivity costs.</p>

<p>But storage is cheap, goes the popular refrain.  Well, yes.  Sort of.  The cost of the hardware is going down, but the cost of managing it all is not.  If anything, it's going up.</p>

<p>There's also the concern that the more code lying dormant on the Web, the more we strew pieces of our lives across the wasteland that is the Web, the less secure we become.  Gartner projects that 60 percent of virtual servers will be less secure than the physical servers they replace, at least through 2012, but of greater concern is all of the information about ourselves we're casting into the digital dustbin...possibly to be retrieved and used against us at a later date.</p>

<p>I'm not trying to be alarmist.  I'm not suggesting that all of this waste necessarily <i>will</i> lead to increased personal and business costs.</p>

<p>But it <i>does</i> feel that all this waste will come back to bite us at some point, just as it has in the physical world, when we've discovered that oil, timber, and other natural resources have a finite limit.  Perhaps digital goods do, too, though not in our ability to create them, but rather in our ability to consume them.</p>

<p>Disagree?</p>
     
    
    
     <p> Source: <a rel='nofollow' href='http://news.cnet.com/8301-13505_3-10468254-16.html'>Filling the dig...</a> </p>]]></description>
<category><![CDATA[Security]]></category>
<dc:creator>admin</dc:creator>
<pubDate>Mon, 15 Mar 2010 18:55:24 -0500</pubDate>
</item><item>
<title>U.S. Army worried about Wikileaks in secret report</title>
<guid isPermaLink="true">http://www.daemonnews.org/security/5740-u.s.-army-worried-about-wikileaks-in-secret-report.html</guid>
<link>http://www.daemonnews.org/security/5740-u.s.-army-worried-about-wikileaks-in-secret-report.html</link>
<description><![CDATA[ <p>
A leaked U.S. Army intelligence report, classified as secret, says the Wikileaks Web site poses a significant 'operational security and information security' threat to military operations.
</p> <!-- photo -->
<newselement>
<div style='font: 10px verdana; float:right; margin:10px;'>
<img src='/uploads/posts/911c5aa2b3b1.jpg' width='184' height='138' border='0' style='border:1px solid #000;' />
</div>
</newselement>
<!-- end photo --> <p>
Classified U.S. military information appearing on Wikileaks could 'influence operations against the U.S. Army by a variety of domestic and foreign actors,' says the report, prepared in 2008 by the Army Counterintelligence Center and apparently disclosed in its entirety on Monday.
</p> <p>
The embarrassing twist: It was Wikileaks that published the 32-page document, but not before editor Julian Assange prepended a critique saying some details in the Army report were inaccurate and its recommendations flawed.
</p> <p>
One section of the original document says 'criminal prosecution' of anyone leaking sensitive information could 'deter others considering similar actions from using the Wikileaks.org Web site.' Another speculates that Wikileaks--which boasts that it is 'uncensorable'--is 'knowingly encouraging criminal activities,' including violation of national security laws regarding sedition and espionage.
</p> <p>
Lt. Col. Lee Packnett, a spokesman for the U.S. Army on intelligence topics, said he was not familiar with the Wikileaks disclosure and would not immediately be able to comment. The National Ground Intelligence Center, which provides the Army with information about enemy weapons systems and was mentioned in the report, did not immediately respond to a query from CNET.
</p> <p>
Under the federal Espionage Act, it is a crime to disclose 'information relating to the national defense which information the possessor has reason to believe could be used to the injury of the United States' (18 USC 793(e)). Another section says even indirect disclosures of national defense information to foreign citizens can be punished, in certain cases, by death (18 USC 794(a)).
</p> <p>
Some First Amendment scholars have argued that those portions of the federal code cannot survive legal scrutiny--otherwise, as a few conservative commentators have claimed, The New York Times' disclosure of Bush-era warrantless wiretapping would have been a crime. In a since-abandoned prosecution of two former pro-Israel lobbyists charged with disclosing classified U.S. defense information, however, a federal judge had ruled that the balance struck by the Espionage Act 'is constitutionally permissible.'
</p> <p>
Wikileaks has disclosed classified U.S. Defense Department information before. A 2004 report about Fallujah also marked secret was highlighted repeatedly as an example of damaging disclosure in the document released Monday.
</p> <p>
The document no longer appears to exist on Wikileaks' Web site. A previous location now returns the error message: 'The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.' (Wikileaks' Assange did not immediately reply when asked for an explanation.)
</p> <p>
Wikileaks previously disclosed thousands of pages of pager logs from September 11, 2001, and won a case in federal court in San Francisco, after a Swiss bank attempted to pull the plug on the entire Web site. It shut down briefly last month because of lack of funds.
</p> <p>
'While we will not comment on whether this is, in fact, an official document, we do consider the deliberate release of what Wikileaks believes to be a classified document is irresponsible and, if valid, could put U.S. military personnel at risk,' Rear Adm. Gregory J. Smith, a spokesman for American military command in Baghdad, told The New York Times after Wikileaks posted a classified 2005 document about rules of engagement in that country.
</p> 
     <p> Source: <a rel='nofollow' href='http://news.cnet.com/8301-13578_3-20000469-38.html'>U.S. Army worri...</a> </p>]]></description>
<category><![CDATA[Security]]></category>
<dc:creator>admin</dc:creator>
<pubDate>Mon, 15 Mar 2010 14:55:32 -0500</pubDate>
</item><item>
<title>Microsoft's Boyd Questions Future of Online Privacy</title>
<guid isPermaLink="true">http://www.daemonnews.org/security/5737-microsoft39s-boyd-questions-future-of-online.html</guid>
<link>http://www.daemonnews.org/security/5737-microsoft39s-boyd-questions-future-of-online.html</link>
<description><![CDATA[
                <p><span class='yshortcuts' id='lw_1268674366_0'>AUSTIN, Texas</span> - <span class='yshortcuts' id='lw_1268674366_1'>Microsoft</span> researcher <span class='yshortcuts' id='lw_1268674366_2'>Danah Boyd</span> presented a pretty bleak picture of how privacy and publicity are managed online Sunday in her SXSW Interactive keynote.</p>

                <p>Targeting <span class='yshortcuts' id='lw_1268674366_3'>Chatroulette</span>, <span class='yshortcuts' id='lw_1268674366_4'>Facebook</span>, and Google Buzz as examples, Boyd says consumers have no idea what they are sharing online, and that the businesses that build <span class='yshortcuts' id='lw_1268674366_5'>social networks</span> don&#39;t either.</p>

                <p>Facebook <span class='yshortcuts' id='lw_1268674366_6'>changed its privacy policies</span> in December, requiring each user to sign off on new privacy settings. When offered this choice, 35 percent of users chose to make their profiles private. Boyd pointed out that that means 65 percent made their updates public. After conducting scores of interviews, Boyd doubts those users even read the privacy statement; they just clicked through as we have been conditioned to do.</p>

                <p>&quot;I have yet to find a single person who actually knew what their settings were,&quot; Boyd said. &quot;When they don&#39;t know what the <span class='yshortcuts' id='lw_1268674366_7'>value proposition</span> is, they just click through.&quot;</p>

                <p>And that can lead to problems. Google Buzz <span class='yshortcuts' id='lw_1268674366_8'>had a difficult launch</span> primarily because users didn&#39;t understand the service. Because Buzz auto-picked users&#39; friends, users thought Google was sharing their information without their permission. Worse, users didn&#39;t understand how to opt out. &quot;I kept meeting users that thought if they opted out, they would cancel their <span class='yshortcuts' id='lw_1268674366_9'>Gmail</span> accounts,&quot; Boyd said.</p>

                <p>To be fair, Boyd noted that many of these privacy problems are created by people&#39;s desire to gain publicity and get famous. She pointed to <span class='yshortcuts' id='lw_1268674366_10'>Miley Cyrus</span>, who accumulated 2 million followers on Twitter and then <span class='yshortcuts' id='lw_1268674366_11'>deleted her account</span> for privacy reasons. What did she do then?</p>

                <p>&quot;She made a <span class='yshortcuts' id='lw_1268674366_12'>rap about quitting Twitter</span> because she wanted privacy, which she then put up on YouTube,&quot; Boyd said. &quot;That is celebrity culture.&quot;</p>

                <p>If Miley Cyrus, with her legion of handlers and advisors, can&#39;t effectively manage publicity and privacy, what chance does the average online consumer have? Or worse, a 15-year-old kid with a <span class='yshortcuts' id='lw_1268674366_13'>Facebook</span> page? Not much.</p>

                <p>&quot;Chatroulette may be a fad, but the idea that privacy and publicity is going to get mashed up is not,&quot; Boyd said. &quot;Neither privacy nor publicity is dead, but technology will make a mess of both.&quot;</p>

                <p><i><b>This post originally appeared on <span class='yshortcuts' id='lw_1268674366_14'>AppScout</span>.</b></i></p>
            
     <p> Source: <a rel='nofollow' href='http://news.yahoo.com/s/zd/20100315/tc_zd/249182'>Microsoft&#39;s...</a> </p>]]></description>
<category><![CDATA[Security]]></category>
<dc:creator>admin</dc:creator>
<pubDate>Mon, 15 Mar 2010 13:55:09 -0500</pubDate>
</item><item>
<title>Report names 'enemies of the Internet'</title>
<guid isPermaLink="true">http://www.daemonnews.org/security/5734-report-names-enemies-of-the-internet.html</guid>
<link>http://www.daemonnews.org/security/5734-report-names-enemies-of-the-internet.html</link>
<description><![CDATA[ <div class='cnet-image-div image-medium float-right' style='width: 184px'>
<img class='cnet-image' src='/uploads/posts/e872b38f440b.jpg' alt=''
width='184' height='138' />
</div><p>China and Iran are among the world's top 'Internet enemies' tagged by Reporters Without Borders for restricting Internet freedom. But even democratic countries like Australia and South Korea are raising concerns.</p> <p></p> <p>The fight to restrict freedom is increasingly being fought on the Internet as certain governments continue to censor what content their citizens can see online and try to target those who resist such efforts. The current skirmish between Google and China over filtering search results is just one example. </p> <p>But it's not only repressive regimes like China that are the culprits, according to a report (PDF) released Monday by Reporters Without Borders. The group, which fights for freedom of the press across the world, has cited several nations for their attempts to restrict freedom on the Net.</p> <p>The list of Internet enemies includes what Reporters Without Borders calls 'the worst violators of freedom of expression on the Net.' Those nations are Saudi Arabia, Burma, China, North Korea, Cuba, Egypt, Iran, Uzbekistan, Syria, Tunisia, Turkmenistan, and Vietnam. This year's roster of Internet enemies is similar to 2008's roster, with China, Iran, Cuba, and North Korea among the usual list of suspects. But this year, Reporters Without Borders found 60 countries censoring the Internet, twice as many as last year.</p> <p>A few of these countries isolate themselves from the rest of the world and so are particularly fearful of the open nature of the Internet. Others restrict development of their Internet or purposely shut or slow it down at times, says Reporters Without Borders. </p> <p>But certain countries are on the list not only for repressing and restricting Web content but for harassing and arresting bloggers and Internet activists. Close to 120 bloggers, cyberdissidents, and others, are currently in jail for expressing their ideas online, says Reporters Without Borders. 
China is the worst offender, having put 72 people behind bars, according to the group, followed by Vietnam and Iran.</p> <p>Turkey and Russia are also countries to watch--they're currently on Reporters Without Borders 'Under Surveillance' list. In Russia, the Kremlin has arrested and prosecuted bloggers and censored Web sites that it considers extremist, says the group. In Turkey, Web sites that discuss the army, the Kurds and Armenians, and other topics considered taboo are blocked. </p> <p>Further, two democratic countries are on the 'Under Surveillance' watch list. Reporters Without Borders has cited Australia, which has been trying to push through an Internet filtering system, and South Korea, which sets up laws that are imposing too many restrictions on Internet users.</p><div class='cnet-image-div image-regular float-left' style='width: 175px'>
<img class='cnet-image' src='/uploads/posts/7e0d624f27ea.jpg' alt=''
width='175' height='59' />
</div> <p>In authoritarian countries, traditional print and TV media are typically controlled by a government that restricts any open exchange of ideas and information. But since the Internet can't as easily be controlled, Reporters Without Borders sees it as an important medium for discussion and sharing information, and one in which 'repressed civil societies can revive and develop.'</p> <p>Activists increasingly use sites such as Twitter, Facebook, and YouTube to get their messages across. That's why the group sees Internet freedom as a crucial outlet for repressed societies, and why certain countries see it as a medium that must be controlled.</p> <p>But there is cause for optimism, says Reporters Without Borders. More Netizens in certain authoritarian countries are effectively using decryption tools and proxy setups to sneak past censorship. More bloggers and other users are organizing themselves into groups as a form of collective resistance. Finally, more pressure is being put on repressive regimes by the United States and other global powers to loosen the reins of censorship.</p> 
     <p> Source: <a rel='nofollow' href='http://news.cnet.com/8301-13578_3-10468332-38.html'>Report names 'e...</a> </p>]]></description>
<category><![CDATA[Security]]></category>
<dc:creator>admin</dc:creator>
<pubDate>Mon, 15 Mar 2010 12:55:13 -0500</pubDate>
</item><item>
<title>Trusteer Rolls out Malware Forensic Tool for Banks</title>
<guid isPermaLink="true">http://www.daemonnews.org/security/5730-trusteer-rolls-out-malware-forensic-tool-for-banks.html</guid>
<link>http://www.daemonnews.org/security/5730-trusteer-rolls-out-malware-forensic-tool-for-banks.html</link>
<description><![CDATA[
                <p>
Security vendor Trusteer&#39;s latest product will allow banks to remotely investigate their customers&#39; computers if it is suspected the PC has been hacked.</p>
                <p>
The service, called <span class='yshortcuts' id='lw_1268668360_0'>Flashlight</span>, is designed to enable banks&#39; security experts to quickly identify what types of malicious software programs customers are encountering in order to build better defenses, said Mickey Boodaei, Trusteer&#39;s CEO.</p>
                <p>
Now if a bank wants to see if a customer&#39;s computer is infected, the computer usually has to be either physically taken to a lab or the hard disk has to be copied, he said.</p>
                <p>
Flashlight detects malicious software programs on the computer and can send a report along with a copy of the suspicious program, Boodaei said. </p>
                <p>
&quot;If they find a new piece of malware they haven&#39;t seen before on their customer&#39;s computer, this malware comes to us, we reverse engineer it and find out about its capabilities,&quot; Boodaei said.</p>
                <p>
The scenario under which Flashlight would be used is if a customer calls a bank to check on a possible fraud. The fraud investigation team would ask the person to install Flashlight, which can detect if the browser has been previously tampered with. The customer would be asked to send a log report, which can then be analyzed while the customer is on the phone, Boodaei said.</p>
                <p>
Flashlight can also send other data, such as details of a PC&#39;s operating system, version number of applications and whether antivirus software was up-to-date at the time of the infection.</p>
                <p>
<span class='yshortcuts' id='lw_1268668360_1'>Financial institutions</span> also have the option of using their own analysts to inspect the malware. Flashlight is an add-on for Rapport, a widely deployed Trusteer product designed to harden browsers against malware, although both products can be used independently of one another. Rapport is a voluntary download, and users have the option of sending security events and error logs anonymously to Trusteer, or sending no information at all.</p>
                <p>
Rapport, which has about 4.5 million users in the U.K. and 3 million in the U.S., builds an access control layer between a Web browser and any other software on a user&#39;s computer, Boodaei said.</p>
                <p>
Rapport is designed to prevent interference from advanced malware programs such as Zeus that can inject HTML into Web pages, grab one-time passcodes and tamper with transactions. About 50 financial institutions have offered Rapport to their customers, including NatWest and HSBC in the U.K., Boodaei said.</p>
                <p>
Rapport has performed well but Trusteer does have to periodically update it to counter evolving attack methods, Boodaei said. </p>
                <p>
&quot;We are being attacked all the time,&quot; Boodaei said. &quot;Because of our significant presence, they [hackers] do see that as a threat. It&#39;s a constant battle.&quot;</p>
                <p>
Trusteer has a couple of pricing options for Flashlight. Banks can pay on a basis of how many times they initiate an investigation of a customer&#39;s computer, Boodaei said. The second option is a flat fee based on an institution&#39;s number of online banking customers, he said.</p>
                <p>
Last week the <span class='yshortcuts' id='lw_1268668360_2'>U.S. Federal Deposit Insurance Corporation</span> said online <span class='yshortcuts' id='lw_1268668360_3'>banking fraud</span> amounted to more than US$120 million for the third quarter of 2009.</p>
            
     <p> Source: <a rel='nofollow' href='http://news.yahoo.com/s/pcworld/20100315/tc_pcworld/trusteerrollsoutmalwareforensictoolforbanks'>Trusteer Rolls ...</a> </p>]]></description>
<category><![CDATA[Security]]></category>
<dc:creator>admin</dc:creator>
<pubDate>Mon, 15 Mar 2010 11:55:05 -0500</pubDate>
</item><item>
<title>Privacy is not dead, says SXSWi keynoter Boyd</title>
<guid isPermaLink="true">http://www.daemonnews.org/security/5700-privacy-is-not-dead-says-sxswi-keynoter-boyd.html</guid>
<link>http://www.daemonnews.org/security/5700-privacy-is-not-dead-says-sxswi-keynoter-boyd.html</link>
<description><![CDATA[ <p>AUSTIN, Texas--Privacy is not dead in the era of online social networking. It just needs careful curation.</p> <p>That was the message Saturday from Danah Boyd, a social-media expert who works for Microsoft Research and who was Saturday's keynote speaker at the South by Southwest Interactive (SXSWi) festival here. </p> <div class='cnet-image-div image-MEDIUM float-left' style='width: 270px'>
<img class='cnet-image' src='/uploads/posts/e30b8d3105d2.jpg' alt=''
width='270' height='270' />
<p class='image-caption'>SXSW's Saturday keynote speaker Danah Boyd.</p>
<span class='image-credit'>(Credit:
Danah Boyd)</span>
</div> <p>Boyd is one of the original social-media researchers, having spent years studying the dynamics of how systems like MySpace and Facebook impact teens and youth culture, and how that culture is impacting such services. But she also has demonstrated over the years a keen sense of how people across all age groups use social networks, and her talk touched on many different communities.</p> <p>To begin with, she said, privacy is by no means dead. 'People care very much about privacy, no matter how old they are,' Boyd said. 'The challenge is that what privacy means may not be what you think...Fundamentally, it's about having control over how information flows...When people feel they don't have control over their environment or their setting, they feel as though their privacy has been violated. And they cry foul.'</p> <p>To begin with, Boyd used the recent Google Buzz debacle as an example of how people of all stripes demonstrated that they care deeply about their privacy. She explained that while there was nothing technically wrong with the way Google's new social-networking system integrated with Gmail, it nonetheless resulted in a PR nightmare for the search giant because 'they made nontechnical mistakes that ended up in social disruption.'</p> <p>First, Boyd said, Google failed by interfacing Buzz, a public-facing system, with Gmail, 'one of the most private systems imaginable.' The problem with that, she explained, is that 'people genuinely believed that Google was exposing their private e-mails to the world.'</p> <p>And while that widely held perception was not technically true, Boyd said, Google's lack of understanding about how people would react to the forced opt-out provisions of Buzz caused an unnecessary panic. 
And, she said, Google is hardly alone in what is, in the best case, a basic misunderstanding of what users want or, in the worst case, a new corporate strategy of trying to get as many users locked in right away, regardless of the consequences.</p> <p>'More and more technology companies are thinking it's OK to expose people,' Boyd said, 'and then backtracking a couple weeks later, when people are flipping out.'</p> <p>Her point was that people, as everyone knows, tend to simply click through the choices offered them in new software without fully investigating, most likely because they assume that all will be well. The problem is that in cases like that of Buzz, the automatic settings may well go against what people really want or understand they're getting.</p> <p>'I kept meeting people thinking that if they opted out,' Boyd said, 'they would be canceling their Gmail accounts.'</p> <p><b>Breaking the ice</b>
<br> For Boyd, her years of research have been eye-opening into the divergence between what users want--and their emergent behavior--and the ways tech companies interpret those desires. Often, she said, companies trying to build efficiencies into their systems profoundly misunderstand what they're trying to be efficient about.</p> <p>One example, she said, comes from chat rooms. There, she said, she used to encounter people who would frequently be saying 'A/S/L' when newcomers showed up. That meant, she said, 'Age, sex, location,' a way for people to try to find things out about the people with whom they were sharing the spaces.</p> <p>Chat room owners, however, saw an opportunity to help, and, thinking that people were simply trying to get the basic information about others in the chat rooms, began building age, gender, and location information into users' profiles. </p> <p>That was a big mistake, Boyd explained, because it turned out that when people were asking, 'A/S/L,' they were actually trying to use comfortable social cues in order to start conversations. By providing the profile information ahead of time, it removed a normal and acceptable way for people to begin talking to strangers. And, she said, it can be uncomfortable and 'creepy,' if you start a conversation by saying something like, 'Hi, I see you're from Austin.'</p> <div class='cnet-image-div image-LARGE2 float-none' style='width: 610px'>
<img class='cnet-image' src='/uploads/posts/e26701793c8e.jpg' alt=''
width='610' height='483' />
<p class='image-caption'>SXSW Interactive keynote speaker and social-media expert Danah Boyd during her talk Saturday.</p>
<span class='image-credit'>(Credit:
Daniel Terdiman/CNET)</span>
</div> <p>Riffing off that example, Boyd then talked about the difference between what she called 'articulated networks' such as Facebook, Twitter, and MySpace, and 'behavior networks,' which are ones that form when people are physically in the same space. Google miscalculated with Buzz, she said, by collapsing articulated networks and behavioral networks, and assuming that was the same thing as someone's personal network. The search company, she said, assumed that people wanted different parts of their personal context to be integrated.</p> <p>'Just because something is publicly accessible doesn't mean people want to be publicized,' she said.</p> <p><b>It's all about context</b>
<br> For most people, participating in social networks of any kind is all about context. When we're sitting in a cafe, talking with a trusted friend, we are happy to share intimate thoughts, despite the fact that we have no real control over whether that person will then go behind our backs and tell others our secrets. Online, however, the social norms are fundamentally different. </p> <p>Teenagers, she suggested, have proven to be an ideal testing ground for some of these dynamics, because young people have learned a lot about these differences. And while many teens are acutely interested in trying to get noticed, the reality is that most won't ever get attention beyond their closest circle of friends and family. Not in a world where there are 400 million Facebook users.</p> <p>Security through obscurity, then, 'is not as ridiculous as it might seem,' Boyd said. 'Even if you want massive amounts of attention, it's often hard to try to achieve that.'</p> <p>Still, Boyd said, people of all ages aren't good at adapting when the rules of the systems they participate in change around them, and they are constantly surprised when those rules shift. And that's why there is often so much dismay at unexpected technology changes in the systems we use the most.</p> <p>For example, Boyd said, Facebook also had a major 'fail' last December, when it asked users to reconsider their privacy settings, and to choose whether to make their information available to everyone or to keep it private. </p> <p>The default, she said, was to make information available to everyone and, as always, most people clicked right through. She noted that Facebook, in a bid to show how well its opt-in system worked, bragged that 35 percent of people proactively chose to make their information private. 
But that meant that fully 65 percent had chosen, deliberately or not, to have their information be public.</p> <p>And, she said, her research has led her to conclude that nowhere near 65 percent of Facebook users actually wanted that choice. In fact, she said, in research where she has asked nontechies to explain their privacy settings, not a single person could do so accurately. </p> <p>Some might argue that these are trivial matters, but Boyd would sternly disagree. She gave an example of a girl whose mother had moved her away from an abusive father. After being away for some time, the girl asked her mother to let her start a Facebook account. And when Facebook implemented its December settings changes, she clicked right on through with no idea that her information was now public. </p> <p>Was the fear that her father will now be able to track her down 'an acceptable by-product of Facebook's changes? I don't think it is,' Boyd said.</p> <p>'There's a big difference between publicly available data and publicized data,' she said, 'and I worry about this publication process, and who will be caught in the crossfire.'</p> <p>Indeed, she said, many people face consequences because of the easily available collection of their personal data on social networks. While some of us have no problems with people being able to find things out about us, that is not true for others. Would someone in the country illegally feel comfortable with their profile being open to the world? Or would a battered wife be OK with her ex being able to find her? Not likely.</p> <p><b>Chatroulette an interesting throwback</b>
<br>
Later in her talk, Boyd touched on the newest online phenomenon, Chatroulette, the site that lets two random strangers see each other via their personal Webcams. In an age, she said, when most interaction online is between people who already know each other, Chatroulette is bringing back the randomness and the it's-all-strangers dynamic of the early days of the Web, and 'it's kind of delightful to see.'</p> <p>And this is just the beginning. Boyd pointed out what is both obvious and sometimes obscured: that we are going to see a continued emergence of new tools that complicate the boundaries between the public and the private, and technology will continue to make a mess of it. </p> <p>Ultimately, then, for the people who build these systems, Boyd said, it is imperative that they ask questions about what people really want and what people want to achieve. For marketers, it's essential to remember that the accessibility of people's information online doesn't necessarily indicate that they want to be seen by you. 'Just because you can interpret people,' Boyd said, 'doesn't mean you're going to get it right. Just because you see something doesn't mean you know what's going on.'</p> <p>And to the systems designers on hand for her keynote, Boyd had one final message: 'As designers, you need to think through the implications and ethics of what you're doing,' she said. 'You are shaping the future. How you handle those challenges will shape the future.'</p> 
     <p> Source: <a rel='nofollow' href='http://news.cnet.com/8301-13772_3-20000408-52.html'>Privacy is not ...</a> </p>]]></description>
<category><![CDATA[Security]]></category>
<dc:creator>admin</dc:creator>
<pubDate>Sat, 13 Mar 2010 20:55:26 -0600</pubDate>
</item><item>
<title>Troyak Takedown, Security Blues, ICANN Meets</title>
<guid isPermaLink="true">http://www.daemonnews.org/security/5675-troyak-takedown-security-blues-icann-meets.html</guid>
<link>http://www.daemonnews.org/security/5675-troyak-takedown-security-blues-icann-meets.html</link>
<description><![CDATA[
                <p>
The Troyak ISP, which has been linked to the Zeus botnet, was briefly taken down this week. The takedown occurred on the heels of the <span class='yshortcuts' id='lw_1268441784_0'>RSA Conference</span> last week, where there was much talk about the &quot;cat-and-mouse&quot; game of trying to squelch cybercrime. Otherwise, things got a little testy at the <span class='yshortcuts' id='lw_1268441784_1'>ICANN</span> meeting in <span class='yshortcuts' id='lw_1268441784_2'>Nairobi</span>, and <span class='yshortcuts' id='lw_1268441784_3'>iPad</span> pre-orders got rolling. Oh, and the Internet was nominated for a <span class='yshortcuts' id='lw_1268441784_4'>Nobel Peace Prize</span>. Seriously.</p>
                <p>
1. Zeus botnet dealt a blow as ISP Troyak knocked out, <span class='yshortcuts' id='lw_1268441784_5'>Shutdown of Zeus botnet controller has researchers wondering</span> and <span class='yshortcuts' id='lw_1268441784_6'>After takedown, botnet-linked ISP Troyak resurfaces</span>: The Troyak ISP (<span class='yshortcuts' id='lw_1268441784_7'>Internet service provider</span>), which has been linked to the nasty Zeus botnet, was taken offline, which prompted sighs of relief that, alas, did not last long. </p>
                <p>
2. <span class='yshortcuts' id='lw_1268441784_8'>Security industry faces attacks it can&#39;t stop</span>: Despite how hard security vendors are working to get next-generation products to market, those who seek to do us harm online are at least one step ahead. </p>
                <p>
3. <span class='yshortcuts' id='lw_1268441784_9'>ICANN boss slammed for DNS security warning</span>: Things got a little testy at the Internet Corporation for Assigned Names and Numbers meeting in Nairobi this week.</p>
                <p>
4. <span class='yshortcuts' id='lw_1268441784_10'>Analysis: FCC&#39;s national broadband plan: What&#39;s in it?</span> and <span class='yshortcuts' id='lw_1268441784_11'>FCC offers free broadband speed test</span>: The U.S. Federal Communications Commission is set to officially unveil its national broadband plan next Wednesday. The <span class='yshortcuts' id='lw_1268441784_12'>FCC</span> has been releasing bits of the plan for a while now, aiming to drum up support for it.</p>
                <p>
5. <span class='yshortcuts' id='lw_1268441784_13'>iPad now available for preorder</span>, <span class='yshortcuts' id='lw_1268441784_14'>Apple dishes new iPad details on 3G, iBooks, more</span> and <span class='yshortcuts' id='lw_1268441784_15'>Only a fool would pre-order an iPad</span>: Apple opened up iPad pre-orders on Friday, and although the company won&#39;t say how many orders have been placed, we&#39;re quite sure that people have logged on in droves to be among the first iPad owners. InfoWorld&#39;s Galen Gruman has a name for them.</p>
                <p>
6. <span class='yshortcuts' id='lw_1268441784_16'>IBM stops disclosing U.S. headcount data</span>: IBM claims it employs more people than any other IT company, but it has stopped providing U.S. headcount figures, giving a big dose of credence to those who are upset about apparent layoffs and moving of employees to <span class='yshortcuts' id='lw_1268441784_17'>India</span> and other countries. </p>
                <p>
7. <span class='yshortcuts' id='lw_1268441784_18'>Cisco CEO Chambers: &#39;I did not want to compete against IBM and HP&#39;</span>: <span class='yshortcuts' id='lw_1268441784_19'>John Chambers</span> was talkative with <span class='yshortcuts' id='lw_1268441784_20'>Network World</span>, which wrote up an interesting series of interviews with the Cisco Systems CEO. </p>
                <p>
8. <span class='yshortcuts' id='lw_1268441784_21'>The Internet is nominated for Nobel Peace Prize</span>: Well, if <span class='yshortcuts' id='lw_1268441784_22'>Barack Obama</span> can win the <span class='yshortcuts' id='lw_1268441784_23'>Nobel Peace Prize</span> while the U.S. is embroiled in two wars, we suppose it&#39;s not entirely daft that the Internet has now been nominated for that same award.</p>
                <p>
9. <span class='yshortcuts' id='lw_1268441784_24'>Banish seven bad tech habits</span>: It&#39;s nearly spring here in the <span class='yshortcuts' id='lw_1268441784_25'>Northern Hemisphere</span>, so time for a little cleaning up, which in our world includes dealing with some bad habits related to technology use.</p>
                <p>
10. <span class='yshortcuts' id='lw_1268441784_26'>12 types of cell phone users that drive us nuts</span>: Particular <span class='yshortcuts' id='lw_1268441784_27'>cell phone users</span> are giving CIO&#39;s Al Sacco fits, and we have to say that these particular cell phone (mis)users make us feel even nuttier than usual as well.</p>
     <p> Source: <a rel='nofollow' href='http://news.yahoo.com/s/pcworld/20100312/tc_pcworld/troyaktakedownsecuritybluesicannmeets'>Troyak Takedown...</a> </p>]]></description>
<category><![CDATA[Security]]></category>
<dc:creator>admin</dc:creator>
<pubDate>Fri, 12 Mar 2010 19:55:20 -0600</pubDate>
</item><item>
<title>Microsoft races to plug IE hole after exploit code released</title>
<guid isPermaLink="true">http://www.daemonnews.org/security/5672-microsoft-races-to-plug-ie-hole-after-exploit.html</guid>
<link>http://www.daemonnews.org/security/5672-microsoft-races-to-plug-ie-hole-after-exploit.html</link>
<description><![CDATA[ <p>
</p><div class='cnet-image-div image-MEDIUM float-right' style='width: 270px'>
<img class='cnet-image' src='/uploads/posts/ccc1681ae8b4.jpg' alt=''
width='270' height='262' />
<span class='image-credit'>(Credit:
Microsoft )</span>
</div> <p> Microsoft said on Friday it is testing a patch to fix a new hole in Internet Explorer 6 and IE 7 following the release of exploit code on the Internet. </p><p> With the announcement it seems increasingly likely that the company will be issuing a patch for the hole before the next Patch Tuesday in about four weeks, if the testing of the patch goes quickly. </p><p> Microsoft warned about the hole, which it said was being targeted in attacks and could allow an attacker to take control of a computer, in an advisory on Tuesday. The next day, Israeli researcher Moshe Ben Abu released exploit code for the vulnerability after using clues in a McAfee blog post to find existing exploit code and pinpointing the weakness from there. </p><p> 'We have seen speculation that Microsoft might release an update for this issue out of band. I can tell you that we are working hard to produce an update which is now in testing,' Jerry Bryant, senior security communications manager lead at Microsoft, wrote in a post on the Microsoft Security Response Center blog. </p><p> 'This is a critical and time-intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third party applications,' he wrote. 'We never rule out the possibility of an out-of-band update. When the update is ready for broad distribution, we will make that decision based on customer needs.' </p><p> Microsoft included workaround information in its initial advisory on the hole, which does not affect IE 8, and on Friday updated Security Advisory 981374 to add more information on workarounds following Ben Abu's work. </p><p> 'With today's update, we have added a Microsoft Fix It to automate this workaround for Windows XP and Windows Server 2003 customers,' Bryant said. 
'As always, customers should test this thoroughly before deploying as certain functionality that depends on the peer factory class, such as printing from Internet Explorer and the use of Web folders, may be affected.'
</p> 
     <p> Source: <a rel='nofollow' href='http://news.cnet.com/8301-27080_3-20000392-245.html'>Microsoft races...</a> </p>]]></description>
<category><![CDATA[Security]]></category>
<dc:creator>admin</dc:creator>
<pubDate>Fri, 12 Mar 2010 18:55:14 -0600</pubDate>
</item></channel></rss>