The attacks, which began last week, exploit bugs in the Windows versions of Adobe Systems’ Reader and Acrobat software; Adobe patched the newest editions of those programs, but has not yet updated older variants.

According to Dunham and other researchers, the infamous Russian Business Network (RBN), a collective of cybercriminals, is behind the PDF assault. When recipients open an attack PDF, a combination of Trojan Horses, downloaders and rootkits strike, knocking out the Windows firewall and installing code that captures all information entered into any SSL-secured form on a Web page. That information is then transmitted back to RBN.

Microsoft updated its security advisory because it detected what it called “fairly limited” attacks using PDFs, said Bill Sisk, a member of the Microsoft security response team.

“This week we became aware of publicly disclosed exploit code being used in limited attacks on customers,” said Sisk in a posting to a Microsoft company blog. “This change in the threat landscape has triggered our Software Security Incident Response Plan.” Microsoft’s SSIRP coordinates its investigations with researchers from other vendors. Sisk said Microsoft had developers around the world “working around the clock” to devise a fix.

The reason Microsoft is involved is that while the current attacks are based on malformed PDFs, the real vulnerability lies in Windows XP and Windows Server 2003 code, not in Adobe’s, Sisk acknowledged. “The vulnerability mentioned in this advisory is in the Microsoft Windows ShellExecute function,” he said. “These third-party updates [such as Adobe's fix] do not resolve the vulnerability, they just close an attack vector.”

His admission is the clearest yet from Microsoft that the updates produced by Adobe and similar fixes issued by Mozilla for Firefox and Skype for its flagship VoIP software would have been unnecessary if Windows had been patched against problems in URI protocol handlers, which let browsers run other programs via commands in a URL.

This northern summer, researchers argued over who was responsible for URI protocol handler vulnerabilities that were beginning to surface. Microsoft strenuously denied that its software was at fault until earlier this month, when it issued the advisory Sisk referenced, and said it would create a patch.

“This may be Microsoft’s first public acceptance that this bug is in fact a Microsoft vulnerability,” said Andrew Storms, director of security operations at nCircle Network Security. Although Microsoft has not set a timeline for rolling out a patch to plug the hole currently used by RBN’s PDFs, Storms bet it would be next month. “It’s safe to assume Microsoft will attempt to release a patch in time for the November regular patch cycle,” he said.

The next scheduled patch day for Microsoft is November 13, more than two weeks away.

The newest PDF-based exploits, said researchers, are using different subject headings in the spam that delivers the files, and new filenames for the PDF documents. According to F-Secure, the spam messages’ subjects now include “Your credit report,” “Your Credit File” and “Personal Finance Statement.”

Another researcher, Don Jackson of SecureWorks, said that the malware eventually planted on PCs by the RBN attacks is a new variant of Gozi, a Trojan he pegged in February as responsible for the theft of at least US$2 million from bank and credit card accounts.

Gozi then and now works much the same way, Jackson said. Any information entered into a Web page form secured by SSL is nabbed, then sent to the RBM hackers. Virtually every log-on for accessing online bank or brokerage accounts and every major e-tailer order form are secured with SSL, and thus in danger of being stolen by Gozi.

Unlike in February, when RBN carelessly exposed a server containing the stolen data — which Jackson discovered — the current attack results are unknown. “They’ve gotten smarter about where they store their data.”

If Jackson is right about the RBN hackers’ technical skills, the amount they’ll steal this time should prod Microsoft to push out a patch sooner rather than later.

“These guys are good,” said Jackson. “They’re right up there with the Windows kernel developers as far as programming goes. They’re very, very talented. And once they have a foot in the door, they can use that [talent] to force their way in.”

Safe as houses. Or not? Richard Rushing, chief security officer for US firm AirDefense, says people are leaving themselves open to fraudsters every day through insecure public wireless networks, which have transformed working practices.

Rushing, in Edinburgh to speak to Scottish business leaders about how to secure company data, believes groups of “bad guys” are targeting areas they know business people are likely to frequent, such as airports, or a cafĂŠ near financial institution headquarters.

He says most open networks, such as those offered for free in many public places, such as airports, coffee houses and even telephone booths, are insecure – and anyone with access to the same network could steal information just by logging on.

A former consultant for the CIA and the FBI, Rushing knows how important it is for companies – and individuals – to keep their data protected. “With more and more companies going to wireless now, it is a growing problem,” he says.

“If they supply laptops to their employees, they are at risk.

The people who are doing this are looking for company data, they’re looking for anything that is valuable, credit card details, even just knowing that people are there.”

Rushing’s firm, based in Georgia but with an operation in Basingstoke, can advise on how firms can make their computers more secure – by supplying software to encrypt data sent over the internet and also a package that can alert a PC user to someone trying to access information.

“A cafĂŠ owner doesn’t know what the situation is with his Wi-Fi – it’s not his responsibility,” says Rushing.

“He doesn’t think about the wireless network unless a customer tells him it doesn’t work, then he unplugs it, plugs it back in and asks ‘Does it work now?’ That’s it. A lot of them, especially those which are cheap to use, or even free, are unlikely to have encrypting technology.”

With plans for Edinburgh to become a city-wide Wi-Fi hotspot underway and many Scottish cities already covered by BT’s service, businesses were keen to listen to his message, with representatives from Standard Life, ScottishPower and Royal Bank of Scotland signing up to Rushing’s seminar.

Rushing, who has worked as a computer security adviser for the likes of Siemens and General Electric, and most recently held the role of chief technical officer of VeriSign’s network security services division, adds: “People get excited by wireless networks, at home as well. They say ‘great – I can log on to my next door neighbour’s wireless!’ But that means their neighbour could possibly log on to theirs too – and potentially see all of their personal information.”

Hackers do not need special software to check on what their network co-users are up to. “It’s not like they can see your screen shot for shot,” says Rushing. “But they can see any data that is sent via the internet, on an e-mail, over a website form and so on.

“You wouldn’t put your bank details on a postcard and send it through the mail for everyone to see, so why would you send them through an insecure network?”

In addition to protecting sensitive business information, Rushing is also keen to educate workers on keeping personal data close to their chests.

“If you’re out, you have your laptop and find you’re in a Wi-Fi zone, it is fine to use the internet to do certain things like check the football scores,” he says. “But if you’re not sure the network is safe, leave checking your internet bank, or using your credit card for when you are somewhere where you know no-one can access what you are doing.”

Anna Steven, senior press officer at BT, says wireless security was a hot issue for both broadband providers and companies.

The firm, which already uses AirDefense’s systems for wireless intrusion detection in around a dozen BT buildings UK-wide, recently launched a high-security way of sharing wireless broadband with other people – by providing separate channels for different users.

Steven said: “Users need to assess what is at risk and then implement the appropriate technology to protect it.”

Appearing at a London Apple store for the UK launch of the iPod, Steve Jobs was asked about the rash of solutions for “unlocking” the iPhone, software and procedures that allow customers to use the device with a carrier other than AT&T.

“It’s a cat-and-mouse game,” he said. “We try to stay ahead. People will try to break in, and it’s our job to stop them breaking in.” Jobs brought down the hammer last week with firmware update 1.1.1, which turned cracked iPhones into very handsome bricks. More importantly, the upgrade disabled hundreds of third-party applications that users had downloaded.

Now the cat-and-mouse game is in full swing, as a team of hackers has posted several methods for downgrading the firmware back to version 1.0.2. The downgrade turns a bricked iPhone back into a useful device — essentially an iPod touch with iPod and Wi-Fi capabilities — but so far hackers have not figured out how to downgrade the phone’s “baseband” chip Relevant Products/Services, which controls the telephony Relevant Products/Services aspects of the device.

Update Blocked Third-Party Apps

One site posted three alternative methods of downgrading the firmware. The simplest is a four-step process of deleting iTunes 7.4, reinstalling iTunes 7.3 and restoring to firmware version 1.0.2. However, this, like all other methods, does not downgrade the baseband chip, the site said.

Apple spokesperson Jennifer Bowcock was quoted by the New York Times on Friday as saying, “If the damage was due to use of an unauthorized software application, voiding their warranty, they should purchase a new iPhone.”

Perhaps more important than the bricking of unlocked iPhones is the fact that the firmware blocked third-party application development. Apple has refused to open the iPhone platform to third-party developers, saying programmers should write Ajax-based applications that users can access through the Safari Web browser. (Ajax, which stands for asynchronous JavaScript and XML, has become a popular method for developing interactive, Web-based applications.)

But with application installers such as AppTap, users have been able to install and uninstall third-party programs on the iPhone. Clearly, with the latest firmware update, Apple means to control its platform.

“So long as Apple controls the platform, they can negotiate who gets their specialized applications native to the device,” Andrew Storms, director of security Relevant Products/Services operations, for nCircle, said in an e-mail. “One has to imagine that Apple has some of the brightest and dedicated programmers working on the iPhone. The downside is that most of them are probably right now working on further ways to keep control of the device in Apple’s hands.”

Still, over the past few months, Apple got a good look at the kinds of apps that users responded to. “I’ll place a wager that the iPhone product-management team is actively looking at those custom apps and making plans to integrate some of that creative inspiration in future iPhone updates,” he said.

‘We’re Just Heartbroken’

That’s little solace to folks like Damien Stolarz, author of the upcoming book “iPhone Hacks” and a software developer. Downloading applications on the iPhone was a “fully polished, Apple-like experience,” he said in a telephone interview. “This isn’t hacking; this is double-click installer app and download.” Over the EDGE network, he said, applications downloaded almost instantly.

“When they said the iPhone ran OS X, they weren’t kidding,” he added. “If you know how to write for OS X you know how to write for iPhone. This is the most flexible development environment I’ve ever owned.” That makes it all the more galling that Apple just shut off third-party programs, he said. “We’re just heartbroken,” he added.

As for developing apps through Ajax, Stolarz said, “that’s really BS.” Apple doesn’t provide the hooks into the phone to allow online apps to create compelling experiences, he added. Ultimately, this cat-and-mouse game is a giant waste of brainpower, Stolarz suggested.

“If you just let them work on the platform,” he speculated, “what amazing things would the platform do? Some of these brilliant hackers are the ones who could write the next killer app.”

It’s annoying and time consuming and it increases the chance that we’ll miss or delete a legitimate email.

It also adds huge extra cost for service providers – extra bandwidth is needed to cope with traffic and extra staff are needed to combat spam and deal with spam-affected customers. These costs inevitably end up added to our end- user charges.

Spam is big business. Email is one of the most efficient communication methods available but it is misused on a huge scale by spammers. Why? Because it works.

Most of us ignore the products on offer, but if a spammer gets even a 0.01 percent response from 10 million emails, that’s 1000 sales – successful by any measure.

Most spam is sent from overseas on an indiscriminate and massive scale.

Here are some ways to keep spammers from adding your address to their lists:

* Be aware that harvesting software trawls through public websites looking for email addresses. If possible, don’t post your email address on any public site. Use a link, or type the email address with the word “at” instead of the symbol “@”.

* Software is also used to generate email spam that goes to common user names at valid domains.

If the spam email isn’t bounced back, the address is verified as legitimate. You can bounce emails back by blocking the sender.

* If you go to chat rooms, don’t use your usual address. Create one that you can just delete if it attracts too much spam.

* Unless you know the sender is safe, don’t click on “unsubscribe” links. Doing this confirms that your email address is active. Instead block the sender and delete the email.

* Read a site’s privacy policy before you provide any personal details including your email address – you may find the policy gives permission for your details to be passed on to who knows who.

* Don’t forward anything that looks like spam, even virus warnings. These could be hoaxes designed simply to harvest addresses.

Xtra, Paradise, Vodafone and other ISPs automatically filter out a huge number of spam emails before they reach your inbox.

Here are some ways to further control what does get through:

* Install software that lets you check emails before they come into your inbox (check out the free software at www.mailwasher.net).

* Check you are making the most of any anti- spam capabilities in your anti-virus software (and of course keep your antivirus, adware, and spyware software up to date as spam can contain harmful attachments).

* Set your email program up to automatically filter spam and use blocked senders and safe senders capabilities for further protection.

* Check the anti-spam services available from your ISP. Some such as Slingshot, provide additional personalised spam filtering.

Controlling spam takes a multi level approach and dedication to systematically eliminating or blocking spammer’s access to you.

Each time you create one of these blocks, congratulations, you’re taking a stand against spam!

Ask me anything Techie

Log-on to www.needanerd.co.nz and ask me anything techie.

* Adam Dunkerley is the general manager of Need A Nerd, a company that offers mobile technical support on all things computer related. Phone 0800 63-33-26.

Although Apple built considerable security measures into its device, said Charles A. Miller, the principal security analyst for the firm, “Once you did manage to find a hole, you were in complete control.” The firm, based in Baltimore, alerted Apple about the vulnerability this week and recommended a software patch that could solve the problem.

A spokeswoman for Apple, Lynn Fox, said, “Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users.”

“We’re looking into the report submitted by I.S.E. and always welcome feedback on how to improve our security,” she said.

There is no evidence that this flaw had been exploited or that users had been affected.

Dr. Miller, a former employee of the National Security Agency who has a doctorate in computer science, demonstrated the hack to a reporter by using his iPhone’s Web browser to visit a Web site of his own design.

Once he was there, the site injected a bit of code into the iPhone that then took over the phone. The phone promptly followed instructions to transmit a set of files to the attacking computer that included recent text messages — including one that had been sent to the reporter’s cellphone moments before — as well as telephone contacts and e-mail addresses.

“We can get any file we want,” he said. Potentially, he added, the attack could be used to program the phone to make calls, running up large bills or even turning it into a portable bugging device.

Steven M. Bellovin, a professor of computer science at Columbia University, said, “This looks like a very genuine hack.” Mr. Bellovin, who was for many years a computer security expert at AT&T Labs Research, said the vulnerability of the iPhone was an inevitable result of the long-anticipated convergence of computing and telephony.

“We’ve been hearing for a few years now that viruses and worms were going to be a problem on cellphones as they became a little more powerful, and we’re there,” he said. The iPhone is a full-fledged computer, he noted, “and sure enough, it’s got computer-grade problems.”

He said he suspected that phones based on the Windows mobile operating system would be similarly “attackable,” though he had not yet heard of any attacks.

“It’s not the end of the world; it’s not the end of the iPhone,” he said, any more than the regular revelations of vulnerabilities in computer browser software have killed off computing. “It is a sign that you cannot let down your guard. It is a sign that we need to build software and systems better.”

Details on the vulnerability, but not a step-by-step guide to hacking the phone, can be found at www.exploitingiphone.com, which the researchers said would be unveiled today.

Hackers around the world have been trying to unveil the secrets of the iPhone since its release last month; most have focused their efforts on unlocking the phone from its sole wireless provider, AT&T, and getting unauthorized programs to run on it. The iPhone is a closed system that cannot accept outside programs and can be used only with the AT&T wireless network.

Some of those hackers have posted bulletins of their progress on the Web. A posting went up on Friday that a hacker going by the name of “Nightwatch” had created and started an independent program on the phone.

The Independent Security Evaluators researchers were able to crack the phone’s software in a week, said Aviel D. Rubin, the firm’s founder and the technical director of the Information Security Institute at Johns Hopkins University. Mr. Rubin, who bought an iPhone the day after the cellphone was released, said in an interview that he had approached three colleagues, Dr. Miller, Joshua Mason and Jake Honoroff, and offered them an enticing prize if they would try to crack the iPhone. “I told the guys I would buy them iPhones.”

Dr. Miller had already been exploring weaknesses in the computer versions of Safari, Apple’s Web browser, and was planning to reveal that vulnerability, a relatively common kind of flaw known as a buffer overflow, at the Black Hat computer security conference next month. Dr. Miller instantly thought to see whether the phone, which uses a version of Safari, would be as vulnerable.

Mr. Rubin said the research was not intended to show that the iPhone was necessarily more vulnerable to hacking than other phones, or that Apple products were less secure than those from other companies. “Anything as complex as a computer — which is what this phone is — is going to have vulnerabilities,” he said.

There are far more viruses, worms and other malicious software affecting Windows systems than Apple systems. But Mr. Rubin said that Apple products have drawn fewer attacks because the computers have fewer users, and hackers reach for the greatest impact.

“Windows gets hacked all the time not because it is more insecure than Apple, but because 95 percent of computer users are on Windows,” he said. “The other 5 percent have enjoyed a honeymoon that will eventually come to an end.”

The iPhone is becoming a victim of its own success, he said. “The irony is that the more popular something is, the more insecure it becomes, because popularity paints a large target on its back.”

Mr. Rubin said his goal was to discover vulnerabilities and warn of them so that companies would strengthen their products and consumers would not be lulled into thinking that the technology they use was completely secure.

Mr. Rubin said, “I will think twice before getting on a random public WiFi network now,” but his overall opinion of the phone has not changed.

“You’d have to pry it out of my cold, dead hands to get it away from me,” he said.

If you can’t prevent such an attack, what can you do to protect your organisation? You can better understand the threat by learning the three phases of a DDoS attack and learning how to quickly mitigate the attack’s effects.

Understand the attack
A DDoS attack usually entails three different phases. Target acquisition is the first phase: a black hat scouts or recons a network and picks a target IP address. The target can be a web server, DNS server, internet gateway, and so on. The reason for selection could be financial (someone is paying the attacker), or it could be just for malicious fun.

The next phase is the groundwork phase. During this phase, the attacker compromises a large number of unsecured machines — typically home user machines with DSL or cable connections. The attacker then installs software on each machine that will later be used to target your network.

The final phase is the actual attack. The attacker sends a command to each of the compromised hosts, or zombies, and commands them to flood the target with packets, overwhelming the service or choking the bandwidth to a crawl.

A really smart black hat will also command the zombies to forge the source address of their attack packets and insert the target’s IP address as the source — known as a reflector attack. Servers and routers that see these packets will forward, or reflect, replies directly to the source address of the packet — that is, straight to the target.

Again, you can’t prevent a DDoS attack, but understanding it better will help you mitigate the effects once one begins.

Mitigate the effects
“Ingress filtering” is a simple strategy that all networks — we hope ISPs are listening — should employ. At the border of your network — that is, every router that directly connects to an outside network — there should be a routing statement that directs all inbound traffic with a source IP address owned by that network to null. While ingress filtering won’t prevent a DDoS attack, it can prevent a DDoS reflector attack from overwhelming a machine or network.

However, large ISPs seem to be reluctant to implement ingress filtering for some reason. Because of that, you’ll need an alternative to help mitigate DDoS attacks. The current best strategy is the “backscatter traceback” method.

The first step to this strategy is to recognise that the problem is an external DDoS attack — not an internal network or routing problem. Next, configure all of the external interfaces on your routers to reject all traffic with a destination of the target for the DDoS attack.

In addition, you should already have configured your external router interface to route to null all inbound packets with an unallocated source address. For example:

|> 10.0.0.0 – 10.255.255.255
|> 172.16.0.0 – 172.31.255.255
|> 192.168.0.0 – 192.168.255.255

Each router configured to reject the packets will send an internet control message protocol (ICMP) “destination unreachable” error message packet back to the source IP address contained in the rejected packet.

Next, start sampling your router logs to determine which of your external routers is routing the most DDoS traffic. You also want to identify which IP blocks are your biggest offenders. On those routers, adjust the routing statements to “black hole” the IP blocks, and adjust the network masks to isolate only the offending IP addresses.

Look up who owns that network block. Contact your ISP and the owner’s ISP to inform them of what’s going on and ask for assistance. They might help or they might not, but it only costs a phone call.

Network service should be available but congested for legitimate traffic. You can remove all of your router reject statements except the ones on the border routers facing the attacking networks. If your ISP and the upstream ISP from the attacking network put up any network blocks, your inbound traffic should normalise quickly.

Final thoughts
DDoS attacks may be nasty and unpreventable, but you can diminish their effects. You just need to act quickly and methodically to find the offending traffic and send it to the bit bucket.

Why does the average cell phone owner care about mobile keyloggers? The recent global consolidation of landline/mobile service providers is a good indicator of how many people are ditching their landline in favor of only having wireless service. For years now, I’ve personally only had a mobile phone without a second thought of a landline. The issue then becomes the information that we so willingly punch into our mobile phones. Consider that last call you made to your credit card company, chances are (if your experiences are anything like mine) you had to navigate through the seemingly endless queue where you were required to provide everything sacred from your card number to the blood type of your first-born before reaching a live representative. This act of providing your information could be one of the greatest mobile threats we face as a mobile community.

Every credit card type is identifiable by the first four digits making your credit card number the easiest data for mobile keyloggers to target. I don’t need to go into the havoc that having your credit card number in the wrong hands can cause as we’re all familiar with the world’s horror stories. If you are a skeptic that thinks this is an isolated thing that won’t get your phone, consider that a simple Google search I just did of “mobile keylogger” which yielded over 2.2 million results. Mobile keyloggers are readily available around the world and are already tracking millions of unsuspecting mobile users. I encourage you to start considering a mobile security solution such as MyMobiSafe® so that you can keep your mobile information private. The mobile environment is changing with the heavy migration of financial information for cell phones. Start protecting your phone and your information today. Keep following my blog for the latest mobile security developments/tips.

By: Eric Everson, Founder – MyMobiSafe.com

However though some may dress in black they are not ‘black hats’ as malicious hackers are known. Most put their hacking skills at the service of industry closing down security loopholes.

There are presentations about weaknesses in Vista, Microsoft’s new operating system due out early next year; ‘blue pill’ attacks that can create a virtual computer within your own without you knowing anything about it.

There are talks on the use of technology to track our every move and record our every written or even spoken thought and there are lectures about technical issues so dense just reading their titles makes my brain ache.

However if there’s a discernable thread running though many of this year’s presentations in Kuala Lumpur it’s the vulnerability of communications software and technology.

The term ‘phishing’ has entered the English lexicon, defined as an attempt to gain access to an individual’s bank or other sensitive personal details by using fraudulent e-mails or by diverting him or her to bogus websites.

Check your inbox and if it is like mine you’ll find dozens of security alerts purporting to be from banks.

This morning I had e-mails purporting to be from Barclays and Volksbanken Raiffeisenbanken. Both contained Trojans designed to phish for information.

You might think that your phone was secure but if you or the institution you are ringing uses Voip (internet telephony) you might have to think again.

Telecoms security specialists like “The Grugq”, who kept his school nickname as a cover for his hacking activities, are highly sceptical.

“Basically Voip is going to make telephony as secure as the internet,” he says. That’s about as damning as a hacker can be.

“What I expect we’re going to be seeing in a few months, and what’s already technically possible, is for an attacker to gain access to a call centre.”

The Grugq outlines a scenario in which “the customer does everything right,” rings his bank’s legitimate number, is put through to a call centre whether in the US, UK or even India and has their call hijacked.

“An attacker would be able to [hack] into the call centre. He could then set up a server that would monitor all of the traffic and during the hold music it would be possible for an attacker to inject content such as ‘In order for us to better serve you please enter your account number and PIN code’.”

If that were to happen, you have just handed over your bank details to someone who wants to empty out your accounts. And the Grugq has bad news for companies looking to save money through Voip.

“They need to make sure that everyone who has a Voip system that’s connected to the internet is secure otherwise the entire system falls apart. It’s basically a house of cards.”

And if internet usage and mobile Voip telephony takes off with the next generation of mobile phones (3.5 / 4G), experts say its coding, known as IPv6, will be open to the same sort of “man in the middle attacks” that The Grugq describes.

“The vulnerabilities that we have in our current internet protocol they still have similar vulnerabilities in the upcoming IP version 6,” says Van Hauser, a member of The Hacker’s Choice, a group of international network and system security experts.

“There are ways to secure it if implemented correctly, set up correctly, administered correctly which will be a big challenge but at least there is a chance and a hope.”

Triple Play, the term used for bundled internet telephony, data and TV services, is also open to hacking, says Yen-Ming Chen, who works for the Foundstone division of the McAfee security software company.

“Right now we see vulnerabilities in different components in this whole architecture so we categorise them into home networks, delivery and management network and also the back end and content source.

“What that could mean in practice is that rather than storming the local TV station political hackers could take control from the comfort of their own bedrooms.

“In this case the goal of the attackers would be taking control of a lot of home users set top boxes or just computers,” says Chen, “and then to broadcast whatever content they want to. That’s the worst scenario, for whatever political motivation or anything like that.”

But perhaps the most intriguing possibility is that of hackers hijacking satellites.

Jim Geovedi, a Jakarta based information security consultant with Bellua Asia Pacific doesn’t look like a Bond villain. But he possesses secrets that some of them might kill for.

“There’s a theory that if somebody can control one satellite they can cross to the next satellite and create a chain of destruction because everything is around the equator. If everything is destroyed so you don’t have any communication, any TV any data transfer’.”

It is just a theory, but can someone actually do it?

“Hacking satellites is not as easy as hacking kids’ toys,” he says.

“It’s very difficult. Every manufacturer has their own kind of technology. You have to understand everything.

“But, hacking a commercial satellite that’s been up there more than 10 years is very easy for some people, if you have the right equipment.”

“In my experience telecoms companies and lots of other companies only do what is absolutely necessary and hope that the rest will not fall apart,” says Van Hauser.

It is a view echoed by The Grugq: “When they [banks] really start losing money on it they’ll have the motivation to come up with some way of fixing it.”

Yet such setbacks aren’t deterring the industry from trying to make copy protection work. Worried by the fresh opportunities that digital broadcasting creates for pirates to copy and swap films and videos on the internet, the industry along with a conglomeration of TV studios, broadcasters and consumer electronics manufacturers is quietly pressing ahead with plans that could transform the way we watch TV.

Their idea is to add a hidden label to every digital TV broadcast. This will be read by a secure chip in the TV receiver in your living room and place restrictions on what you can do with a programme whether it can be copied, say, or even recorded in the first place. The studios or broadcasters will control these restrictions.

If the technology works as planned, it should help prevent pirates from making illegal copies of movies or TV shows and distributing them on the web. Innocent viewers will be affected too, however, according to US-based campaign group the Electronic Frontier Foundation (EFF). The system could prevent you recording your favourite soap or pausing live TV, or stop you watching a recorded movie because you’ve already seen it once. “Worse, the restrictions can be changed at the whim of the rights holder,” says Ren Bucholz, EFF policy coordinator. “It may be that today you can record a programme and transfer it to DVD for long-term storage but next week you could be prevented from doing the same thing.”

In 2005 the courts blocked the introduction of a similar copy-protection system in the US. Yet the entertainment industry is determined to see the new technology operating in Europe, Australia, New Zealand and Asia. The final specifications are due for release by the end of 2007 and the system could be adopted soon after. If that happens, experts warn, the technology could be resurrected in the US.

It is hardly surprising that the major broadcasters and movie studios feel threatened. The internet has already made it simple to copy and share music tracks. Now, with high-speed broadband connections and powerful data-compression software, people can distribute video clips, films and TV programmes just as easily . This should become even simpler as TV broadcasters go digital before switching off analogue transmissions.

Just as record companies developed copy-protection software in an attempt to smash music piracy, the film and TV industry has long wanted a system that will thwart video pirates. In 2001, US-based Fox Broadcasting part of Rupert Murdoch’s News Corporation came up with technology it believed could do it. Prior to broadcast, each programme would be labelled with a digital code called a broadcast flag. If the flag was set “on”, digital TV receivers would encrypt the programme when it was received. The only way viewers could then watch it would be with an industry-authorised TV or computer which would prevent them making unlimited copies or uploading clips to the internet. Unauthorised devices, such as DVD burners that could be used to create unencrypted copies of a film, would not be able to read it.

The broadcast flag was backed by the Motion Picture Association of America (MPAA), which speaks for the Hollywood studios, as well as the US Federal Communications Commission and the “5C” group of electronics companies Panasonic, Sony, Intel, Toshiba and Hitachi. The scheme ran into trouble, however, largely due to opposition from campaign groups. The final blow came in May 2005 when the US Court of Appeals ruled that the Federal Communications Commission did not have the authority to force broadcast flag technology on consumers.

The MPAA was more successful in Europe. In 2003 a version of the broadcast flag system was adopted by the Swiss-based Digital Video Broadcasting Project (DVB), an industry-led consortium of over 250 broadcasters, manufacturers, network operators, software developers and regulatory bodies that was developing new digital TV standards for over 35 countries from Europe to Australia. The result is the Content Protection and Copy Management system (CPCM).

Until recently, very little was known about CPCM. The system has been developed in a series of international meetings held behind closed doors. The only non-industry participant was the EFF, which had to pay several hundred thousand dollars and sign a non-disclosure agreement to attend. Only in March, when the outline technical specification for CPCM was submitted to European regulators, did the EFF feel able to blow the whistle and publicise in plain English what CPCM would mean to viewers.

Ultimate controlCPCM is more sophisticated than the failed US broadcast flag. Each programme will contain a CPCM code that is read by a secure chip in the digital receiver. Rather than the simple “on” or “off” of the US version, however, CPCM allows broadcasters to impose a range of restrictions. If the programme is marked “not for recording”, say, any attempt to transfer it to a hard disc recorder or DVD burner will be blocked. Alternatively, the CPCM code might allow you to create a single copy, or allow you to record and view a programme for a limited time. It could prevent you storing a programme temporarily on a computer disc, which would disable the live-action pause facility on many digital recorders. CPCM can also stop video clips being uploaded onto the internet.

To work as intended, CPCM must establish a “secure” connection between receivers, TVs, recorders and computers in other words, a connection that can’t be hacked into to divert the content flowing through it and make an illicit copy. So the DVB project plans to use technology that is already built into many devices the high-density multimedia interface. This uses encryption to protect high-definition TV programmes and can even check if the connections between a digital receiver and TV screen are secure; if not, pictures will be blocked or deliberately degraded.

The restrictions that CPCM can create should make life difficult for video pirates. Innocent users will be affected too, though, warns Bucholz. “The system goes to some pretty dark places for consumers,” he says. “You won’t even know ahead of time whether and how you will be able to record and make use of particular programmes or devices.” Restrictions can be changed at will by the broadcasters, and without secure digital connections, TVs, digital or DVD recorders could turn into “oversized paperweights”, he says. If you take your equipment in for repair, the service engineer will tell you there is nothing wrong with it.

In contrast, Peter MacAvock, executive director of DVB, argues that CPCM will actually make things easier for consumers because it will harmonise video copy protection across different technologies, including TVs, computers, mobile phones and other hand-held devices. “Our aim remains to facilitate access to content in a converging digital television landscape,” he says. Information released by the DVB suggests that restrictions will be made clear to viewers, but does not say how and puts the burden of responsibility on the programme providers. Most likely viewers will get an error message on screen when they try to do something illegal. DVB also says there will only be a few types of broadcasts such as on-demand movies that viewers will not be able to record. If the EFF feels CPCM is flawed, says MacAvock, it should have addressed its concerns “using the DVB’s processes”.

Phil Laven, director of the technical department at the European Broadcasting Union (EBU), based in Geneva, Switzerland, believes that the protection offered by CPCM is important. “The threat of unauthorised redistribution over the internet is a real problem, both for pay TV and free-to-air broadcasters. If popular programmes are made available on the internet as they are being broadcast live, viewers elsewhere might opt to watch the illicit version thus reducing TV audiences and advertising revenue.”

Nevertheless, the EBU was unhappy with some aspects of CPCM, says Laven. For example, people in many European countries have a legal right to make a copy of broadcasts for personal use. Blocking this with CPCM could trigger lawsuits. What’s more, while Laven acknowledges that pay-TV broadcasters need to protect valuable content such as new movies, he believes there’s little point worrying about many programmes on free-to-air TV: “No commercial pirate is going to wait for free-to-air TV broadcasts of movies that have long been available on DVD. Although Hollywood might like us to take extraordinary measures to protect such movies against piracy, there really is no point.”

Will it even work? Copy protection on music downloads has caused so many headaches that some companies, including EMI and Linn Records, have removed protection from their tracks, arguing that it is simply not worth the bother. Copy protection on movie DVDs has also had a rough ride. A couple of years after the first DVDs appeared in 1997, their protection was unravelled by hackers a feat now repeated with the Advanced Access Content System (AACS) on new high-definition DVDs (New Scientist, 11 March 2006, p 42).

According to Ed Felten, a computer security expert at Princeton University, even if the entertainment industry changes the encryption keys, hackers will crack the fresh batch within weeks. Should CPCM prove more resilient than AACS, pirates could still make use of unrestricted analogue connections on digital recorders, or even simply film the screen with a digital video camera. “CPCM is happening just as the music industry is questioning the value of copy protection and hackers are proving just how ineffective it is,” says Bucholz.

This doesn’t seem to be putting DVB off. Its engineers are already building a “proof of concept” system to show that CPCM works, and the technology should be ready for ratification by the European Telecommunications Standards Institute later this year or early in 2008 and could be in operation soon after.

Is there an alternative? The EFF argues that rather than relying on protection that is easily defeated, the entertainment industry needs to move to a new kind of business model. “We do recognise that copyright infringement is a bad thing,” says Bucholz, “but there are other ways in which artists could be compensated without crippling new technologies or harming consumers.” Rather than adding copy protection to music tracks, for instance, the EFF advocates a voluntary collective licence in which consumers pay a small monthly fee that entitles them to unlimited downloads. A similar licence system has long worked for the radio industry, he says.

Ted Shapiro, a lawyer representing the MPAA says that this sort of licence is no alternative to CPCM. “The music sector producers and authors do not find the proposal workable either.” The EBU agrees.

Now Hollywood and the TV industry have come up with another strategy. In what it describes as a “bold new approach”, the Industry Trust for IP Awareness an alliance of 22 film and TV companies will spend 3m over the next year on TV and cinema adverts which try to stop illegal copying by making those who download pirated videos feel guilty. “We want to create a social stigma,” says Liz Bales, director general of the Industry Trust. “It has been done before,” says Johnny Fewings, joint managing director of Universal Pictures. “With drinking and driving, not smoking at football matches and picking up dog mess. We want to make people feel grubby.”

Streaming videoBarry Fox New businesses are springing up to make use of digital TV, video clips and movies. Some, including Joost, convert live TV pictures into digital data packets and stream them across the internet so they can be watched on computers anywhere in the world. Since many TV broadcasts are now digital rather than analogue, this is relatively simple.

Two popular consumer gadgets, Sony’s LocationFree and Sling Media’s Slingbox, even let you stream pictures from your home TV to a private website that you can access from anywhere in the world. Students living away from their parents for the first time use this technology to watch satellite or cable TV programmes from home, and lonely oil rig workers watch TV news sent direct from their home towns.

Is this legal? Like the situation with home copying of music, the laws differ from country to country and are nearly impossible to enforce using conventional techniques.

However the movie industry has pursued and shut down several websites that were hosting pirated movies, and in February, the media entertainment company Viacom began legal action against Google which owns video-hosting website YouTube claiming that some clips on YouTube are copyrighted. Others, including English football’s Premier League have followed suit, and both MySpace and YouTube say they will now remove copyrighted material on request.

Created by New Scientist Via Thomson Dialog NewsEdge

I’ve been an IT junkie for years, ever since building my first Heathkit computer back in college. Like so many of us, I’m irresistibly drawn to new stuff as it hits the markets. In all these years, I can’t remember one single product announcement that has had the same level of buzz as the iPhone does now. That’s likely to be a great thing for Apple’s shareholders, but there’s a side effect to it as well. Along with buzz comes a veritable “kick me” sticker on the iPhone’s back.

Oh yes, make no mistake about it. The moment the first iPhone ships off the assembly line, there’ll be a line of people who are going to want to be the first to break it.

But we shouldn’t be concerned, right? After all, the iPhone is built on Apple’s formidable OS X (and thus UNIX) operating system, which is pretty rock solid over all. Isn’t it?

I’m a big believer in UNIX in general, but even I want a solid mechanism for quickly and easily installing security patches and updates as they’re made available. Has there been any mention of an “iPhone Update” icon in all the functional discussions we’ve heard about in the iPhone? I must have missed that discussion.

I do hope, though, that there’s a quick and easy way of installing software updates in the device. Given Apple’s track record, I do expect that to be the case. But will it be opt-in or opt-out? Will it automatically run every night and keep my iPhone up to date with security patches or will I have to connect to some Apple website and download the latest firmware and install it – long the status quo among smart phones from other vendors.

If the latter is the case, how will the users find out about the security patches? From an email sent out by Apple? (I sure hope they digitally sign that email!) From a press release? And then, what percentage of the iPhone users do you think will actually read that email/release and go out and grab the patch? If history serves as an accurate predictor of the future, that percentage won’t be very high.

And then there’s the security configuration of the base operating system. In the desktop version of OS X, the user can turn on and off firewalling, for example. What’s the default configuration on the iPhone, and will the user have any ability to change it? Again, I’m hoping for an opt-out configuration that defaults to secure and requires the user to override if she chooses to.

After all, the iPhone speaks Wi-Fi and runs UNIX – it is an Internet-connected host just like any other when connected to a network at your favorite coffee shop or airport lounge. Many of the same issues regarding safely configuring a UNIX server on the Internet are entirely relevant to configuring this little hand-held device, but we know precious little so far about it.

By all accounts, the iPhone sure looks like it’s going to be an incredible device. Indeed, if it were available on my mobile provider, I’d be getting one myself. My concern, however, is that there are so many security unknowns here that there could be trouble ahead.

I should point out that, up until about a month ago, I was using a Linux-based smart phone for my own mobile needs. It seemed to me to be quite secure from a network standpoint, but lacked any consumer-level mechanism for installing security updates. That was one of the primary reasons why I moved to a different device. But in popularity terms, that phone paled in comparison to what the iPhone is likely to hit in its first week in the market.

I, for one, hope our security expectations are in line with our functional expectations. I also hope that the smart folks at Apple have thought these issues through thoroughly and they’re ready to knock our socks off on all fronts. It’ll be an important lesson for the entire mobile device community to learn from.

Created by: Kenneth van Wyk