SOPA Backpedaling Has InfoSec Boffins Breathing Easier
The deflation of SOPA and PIPA last week was a relief to security gurus who foresaw major technical problems inherent in the bills' provisions. The bills themselves have been postponed, and their main sponsors have specifically disavowed the supposed security pain points they contained. Meanwhile, Anonymous seeks vengeance and a new trend among teens has security proponents rolling their eyes.
As far as SOPA's critics are concerned, "if something works, break it" seemed to be the motto of the U.S. Congress last week as it rushed to pass a controversial bill that security experts maintained could throw a bomb into the gearbox of the Internet.
The Stop Online Piracy Act (SOPA), filed in the U.S. House of Representatives, and its Senate counterpart, the Protect IP Act (PIPA), propose Internet Service Providers (ISPs) be called on to block the DNS addresses of websites suspected of violating the rights of copyright holders.
But after weeks of howling by opponents of the legislation, capped by a one-day blackout of Wikipedia and other sites in protest of the measure, the sponsors of the bills decided to strip out the DNS requirements in their measures.
"After consultation with industry groups across the country, I feel we should remove Domain Name System blocking from the Stop Online Piracy Act so that the [Judiciary] Committee can further examine the issues surrounding this provision," SOPA's sponsor Lamar Smith (R-Texas) said.
PIPA's sponsor, Patrick Leahy (D-Vermont), was skeptical of the critics of the DNS provisions in his bill, but also agreed to shelve the provision.
"I remain confident that the ISPs -- including the cable industry, which is the largest association of ISPs -- would not support the legislation if its enactment created the problems that opponents of this provision suggest," he said.
"Nonetheless," he continued, "this is in fact a highly technical issue, and I am prepared to recommend we give it more study before implementing it."
Smith's and Leahy's DNS concessions were good news for white hats like Dan Brown, a senior security researcher with Bit9. "Anyone who understands how the Internet works thinks it's a bad idea for Congress to fiddle with something they don't understand," he told TechNewsWorld.
"These bills are still bad because they will have a negative impact on free speech and free communication on the Internet," he asserted, "but they appear to be moving in the direction of not having any major technological impact on the Internet."
Hactivists Draft Unwary
Government and big business once again clashed with the anarchic hacker collective Anonymous last week. The sore point between the two this time was the FBI's shutdown of the alleged pirate haven Megaupload -- which has an Alexa global ranking of 72 -- and the arrest of its founder and other executives in the company.
Megaupload has been in and out of hot water since it was launched in March 2005. Since that time, according to the FBI, the site has produced US$175 million in "criminal proceeds" for its owners.
In retaliation for the government action, Anonymous launched a series of denial of service attacks against servers at the U.S. Department of Justice, the Motion Picture Association of America and Universal Recording. The attacks were able to cripple or stop operation of those sites temporarily. To do so, however, the hactivists had to resort to unusual tactics.
Through Twitter and the group's chat rooms, it spread a booby-trapped URL. Clicking on the Web address involuntarily made the clicker into one of Anonymous's attacking hordes.
After clicking on such a link, Gawker's Adrian Chen wrote, "[I] found myself instantly DDoSing Universalmusic.com, my computer rapidly pinging the page with no way to stop except quickly closing the window."
Those in love are known to be a bit irrational, and a current trend among adolescents sharing affections is another sign of it. The New York Times has reported that it has become fashionable for young lovers to express their undying allegiance to each other by sharing their passwords to email, Facebook and other personal websites.
"From an IT security standpoint, it's a nightmare," Morgan Slain, CEO of SplashData, which makes a password app for mobile devices, told TechNewsWorld.
"I can understand that there are passwords that couples want to share, like the ones to the PlayStation, xBox or "World of Warcraft" accounts, but when you get to something like email, it's a nightmare," he said. "You can use an email account to change the passwords at so many other sites. It's really risky."
He suggested that parents have a conversation with their kids about the dangers of password swapping. If that conversation proves ineffective and, given the shelf life of many youthful pairings, an acrimonious breakup should occur between password-sharing lovers, Slain recommends, "At first sign of trouble, you should change your password."