The controversy over Sony BMG Music Entertainment Inc.'s use of rootkit-based copyright protection software has faded from the headlines. But the story continues to play out in the background, where information security advocates are pushing for the right to let users remove Digital Rights Management (DRM) software from their computers when the software is deemed a threat to security and privacy.
This week, Ed Felten, a professor of computer science and public affairs at Princeton University, used his Freedom to Tinker blog to lash out against what he called an "utterly astonishing argument" copyright protection groups are making against that effort.
In the wake of the rootkit controversy, Felten and Princeton Ph.D. student Alex Halderman asked the U.S. Copyright Office for an exemption allowing users to remove certain DRM software from their computers when it is found to cause "security and privacy harm." Felten said the Computer and Communications Industry Association (CCIA) and Open Source and Industry Alliance (OSAIA) made an "even simpler" request to exempt DRM systems that "employ access control measures which threaten critical infrastructure and potentially endanger lives."
"Who could oppose that?" Felten asked before answering the question himself: "The BSA (Business Software Alliance), RIAA (Recording Industry Association of America), MPAA (Motion Picture Association of America) and friends -- that's who."
What Felten finds "utterly astonishing" is a statement those organizations make in their written arguments against the DRM exemptions. Felten cited pages 22 and 23, where they said, "the claimed beneficial impact of recognition of the exemption -- that it would 'provide an incentive for the creation of protection measures that respect the security of consumers' computers while protecting the interests of the record labels' … would be fundamentally undermined if copyright owners -- and everyone else -- were left in such serious doubt about which measures were or were not subject to circumvention under the exemption."
The industry groups added, "This uncertainty would be even more severe under the formulations … in which the boundaries of the proposed exemption would turn on whether access controls 'threaten critical infrastructure and potentially endanger lives.'"
To that, Felten responded, "One would have thought they'd make awfully sure that a DRM measure didn't threaten critical infrastructure or endanger lives before they deployed that measure. But apparently they want to keep open the option of deploying DRM even when there are severe doubts about whether it threatens critical infrastructure and potentially endangers lives."
The truly amazing part, he said, is that in order to protect their ability to deploy this "dangerous" DRM, "they want the Copyright Office to withhold from users permission to uninstall DRM software that actually does threaten critical infrastructure and endanger lives."
He ended on a pessimistic note: "If past rulemakings are a good predictor, it's more likely than not that the Copyright Office will rule in their favor," he said.
Citibank under fraud attack
The BoingBoing blog, which prides itself on being "a directory of wonderful things," focused on something not so wonderful this week when it pointed out a fraud attack directed at Citibank.
The blog told the story of Citibank customer Jake Appelbaum, who tried to withdraw cash with his ATM card on a Saturday night in Toronto. "To my surprise," Appelbaum said, "the ATM machine rejected the transaction and urged me to contact my financial institution. The machine also reported on the receipt 'INELIGIBLE ACCOUNT.'"
He called Citibank's international customer support number, and soon realized the lockout was part of a bigger problem:
"I identified myself as an upset customer whose account was locked for some unknown reason," he said. "The service representative asked me a few questions about my location, my issue and then informed me that my card was suspected of fraud. Naturally, I perked my ears up and asked for details of any fraud."
The service representative told him there had been no direct fraudulent transactions on his account. "Rather, she informed me that the ATM networks of Canada, Russia and the United Kingdom have been compromised," he said.
In response to the compromise, Citibank issued a public statement saying it had recently been made aware of fraudulent ATM cash withdrawals on Citi-branded MasterCard credit and debit cards used in the UK, Russia and Canada "on customer accounts that had been possibly compromised in previous retailer breaches in the US." To protect customer accounts that were affected, Citibank said, "We placed a special transaction block in those three countries on PIN-based transactions. We are currently reissuing cards, as appropriate, to affected customers."
BoingBoing worried the incident hasn't gotten the media attention it deserves: "It seems this incident is receiving little media attention, which begs the question: For each massive security breach we do hear about at Citibank or other large financial institutions, how many more occur without our awareness?"
Simple tips to thwart ID thieves
A couple of blogs this week offered some good advice on steps people can take to protect themselves against identity theft when using credit cards and airport Internet kiosks.
Data security expert Arjun Sen focused on credit cards in his Identity Theft Spy blog.
"A lot of times, we forget or overlook signing at the back of our credit card," he said. "This makes things even easier for an identity thief. If they get their hands on to a card like this, they don't even need to forge a signature."
Sen's advice: "When you get a new credit card, make it a point to sign at the back of the card. And if you want to protect yourself even better, you can simply write an instruction behind the card to ask for your photo ID."
Ravi Char, a Silicon Valley-based security professional, used his Musings on Information Security blog to offer some advice to business travelers and others who can't resist checking personal accounts from public airport Internet terminals.
"It is very tempting to use the terminals to access your personal accounts," he said. "This is not a good idea … what if someone has installed a keylogger on the terminal? Your log-in ID and the password can be easily captured."
He said people must remember that public access terminals are not guaranteed to safeguard personal transactions. "Moreover," he said, "someone waiting in the line to use the terminal can shoulder surf and capture what you are typing."
"Limit the use of public Internet kiosks to casual Web surfing," he suggested.