
Security quotes of the week

Your silly post reminded me of something, while on vacation recently I bought a video game called "Assassin's Creed Revelations". I didn't have much of a chance to play it, but it seems fun so far. However, I noticed the installation procedure creates a browser plugin for its accompanying uplay launcher, which grants unexpectedly (at least to me) wide access to websites.

I don't know if it's by design, but I thought I'd mention it here in case someone else wants to look into it (I'm not really interested in video game security, I air-gap the machine I use to play games).

-- Tavis Ormandy discovers a root kit disguised as DRM (more here)

You hereby grant Ninja Tel permission to listen to, read, view and/or record any and all communications sent via the network to which you are a party. [...] Before you get all upset about this, you already know full well that AT&T does this for the NSA. You understand that you have no reasonable expectation of privacy as to any on the Ninja Tel network. You grant Ninja Tel a worldwide, perpetual, assignable, royalty-free license to use any and all recorded or real-time communications sent via the Ninja Tel network to which you are a party. Don't worry, most of this is for the lulz.
-- Terms of service for Ninja Tel, Defcon's private cell network

Security quotes of the week

Posted Aug 2, 2012 19:39 UTC (Thu) by Thue (subscriber, #14277) [Link]

> - Tavis Ormandy discovers a root kit disguised as DRM

From what I have read, the plugin's function was to launch games from a web site. I don't think it was really DRM-related, or a root kit (since the plugin didn't really try to hide, it was just a security bug).

Security quotes of the week

Posted Aug 6, 2012 15:40 UTC (Mon) by xorbe (subscriber, #3165) [Link]

A little surprised that LWN parroted the root-kit thing. It was a buggy plug-in fixed quite quickly by the vendor.

Security quotes of the week

Posted Aug 6, 2012 16:41 UTC (Mon) by amonnet (subscriber, #54852) [Link]

It's not a feature, it's a bug.

What's the difference anyway?

Security quotes of the week

Posted Aug 3, 2012 17:19 UTC (Fri) by dps (subscriber, #5725) [Link]

AFAIK BT, our equivalent of AT&T, do not routinely record the contents of calls but definitely do record who called who when. There is at least one high profile case when the police had the time and duration of calls, which were correlated with suspect payments, but not the contents of them.

I think the same applies to most of our cellular networks and alternative fixed line telephone services.

Of course in the land of the free, where sick people can't get affordable health insurance and sockets do not have switches, things could be different.

Security quotes of the week

Posted Aug 4, 2012 11:47 UTC (Sat) by nix (subscriber, #2304) [Link]

> AFAIK BT, our equivalent of AT&T, do not routinely record the contents of calls but definitely do record who called who when.

Well, yeah. They need it for billing (both to distinguish local and long-distance calls, when BT made that distinction, and to enable itemized billing, which essentially everyone expects at this point). They didn't implement it because they were told to by a shadowy government conspiracy, though if a shadowy government conspiracy *needs* the information now it's there I'm sure they can get at it.

Security quotes of the week

Posted Aug 4, 2012 18:53 UTC (Sat) by Kwi (subscriber, #59584) [Link]

I'm surprised this isn't common knowledge in tech-circles yet.

Under the EU Data Retention Directive (2006/24/EC), all EU telecommunication providers must log the time, place, sender and receiver of every communication for every customer, for a period of at least six months.

The usual interpretation of "every communication" is "every text message, every phone call, every e-mail sent via SMTP, and every IP packet", though the IP logging is sometimes reduced to e.g. every TCP stream or every 500 IP packets, due to the massive amount of log data otherwise produced.

Information logged includes name and address of the subscriber, any internal user ID, phone number, IMEI (handset) and IMSI (SIM) numbers, cell tower ID and geographical location, IP address and email address, as applicable.

According to Wikipedia, only Sweden has not yet implemented the directive (apparently sticking to NSA-style secret network edge-surveillance for now), while the directive has been found unconstitutional in Romania, Germany and the Czech Republic. All other EU countries implement the directive.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds