Haystack Plays With Fire, Gets Badly Burned

This post is by from GigaOM

It sounded like such a heroic tale: A 25-year-old programmer decides to take on the despots in Iran and creates a miraculous software tool that allows dissidents in the country to surf anonymously by encrypting their activity and hiding it inside a stream of innocuous-looking Internet traffic. It even had a cool name: Haystack. Unfortunately, it appears to have been too good to be true. The project has been shut down, and one of the lead developers of the software has reportedly quit, after concerns were raised about the truth of the claims that Haystack was making, and founder Austin Heap is left battling the flames.

Just a few months ago, Heap was the subject of glowing profiles in Newsweek magazine and The Guardian, which described how his software was allowing Iranian dissidents to travel freely around the Internet — thanks in part to high-level encryption. The Haystack founder even received an award from The Guardian for his work in helping protect freedom of speech, and the software was fast-tracked for export by the U.S. State Department. What wasn’t clear from the stories about Haystack was that the software had only been used by a handful of people in Iran, and its ability to route traffic securely had not been independently tested by anyone with knowledge of security and encryption.

When the software was finally tested, security experts apparently found it to be severely lacking, and convinced Heap to shut down the project and tell people using the software to stop. Programmer Jacob Appelbaum, who is involved with an open-source security project called Tor, called the software “total garbage.” Part of the concern was that unauthorized copies of Haystack had reportedly been circulating in Iran — driven in part by the claims about its abilities — and therefore, people’s lives could be in danger if they continued using it. Danny O’Brien of the Committee to Protect Journalists said on Twitter: “I can’t actually describe how broken @haystacknetwork is, because to do so would put people at risk.”


Some of those who have been watching the Haystack affair, such as Jillian York of Harvard’s Berkman Center for the Internet and Society and Ed Felten of Princeton’s Center for Information Technology Policy, say they blame media outlets such as Newsweek for pumping up the software and contributing to the hype around it. Others seem to blame Heap himself for making claims that couldn’t be backed up, or at least not correcting journalists who made claims about the software. It’s not clear whether the Haystack founder will go ahead with the project, or whether it’s effectively dead, since the lead developer has apparently resigned. We’ve contacted Heap and will update this post with any response.

Ironically, while Newsweek was writing about Haystack’s claims, several researchers were presenting a software project at the USENIX security conference that appears to actually do what Heap said his did: namely, hide activity from dissidents in totalitarian states inside innocuous traffic from social networks such as Twitter and image-hosting sites like Flickr. Unlike Haystack, the creators of the software known as Collage have published their work (PDF link) for anyone to review (although it’s not clear whether anyone has done so).

Post and thumbnail photos courtesy of Flickr users Mr. Theklan and Marc Smith

DEMO: Federated Networks takes on heavyweight Symantec for Internet Security championship

This post is by from VentureBeat

Federated Networks is one of 70 companies chosen by VentureBeat to launch at the DEMO Fall 2010 event taking place this week in Silicon Valley. After our selection, the companies pay a fee to present. Our coverage of them remains objective.

Today at the DEMO conference, Federated Networks plans to step up and take on one of the largest players in Internet security, Symantec, by unveiling its own cybersecurity suite designed to be cheaper and faster for the typical consumer.

The cybersecurity company will begin offering a security suite for about one-tenth the price of products like Symantec’s Norton Antivirus and McAfee’s antivirus programs.

Along the way to unseating the giants, Federated aims to replace the SSL encryption protocol that most websites use today with its Application Secure Layer Protocol. In so doing, it hopes to prevent a particular form of intrusion on e-commerce transactions called man-in-the-middle attacks, as well as better-known phishing threats, where hackers try to trick consumers with fake banking or shopping websites. The software also targets keystroke-logging and other input-logging spyware programs, which can be used to capture users’ passwords.

Federated Networks was founded in 2005 but has since worked in stealth mode under David Lowenstein, the board chairman of The Princeton Review. Lowenstein also has experience with several other public companies, including SourceCorp and Capital Environmental Services.

The software developer currently employs 11, and has raised about $5 million over several rounds of funding.

HP buys ArcSight for $1.5 billion (but not the yacht-club membership)

This post is by from VentureBeat

Some companies freeze up when they’re between CEOs. But Hewlett-Packard, the world’s largest tech company by revenues, just keeps rolling along. On Monday, it announced it would buy security software maker ArcSight for $1.5 billion.

It’s almost as if Hewlett-Packard has something to prove — namely, that it didn’t need that Mark Hurd guy anyway.

After noisily and messily ousting Hurd as its CEO last month, HP went on to wrest storage-software company 3Par away from Dell in a heated bidding war that drove its price to $2.4 billion, enriching Silicon Valley venture capitalists like Mayfield Fund in the process.

This time, it’s Kleiner Perkins that’s hitting the jackpot. As Dan Primack notes in Fortune.com, Kleiner retained more than half of its 19 percent stake after ArcSight’s IPO in June 2009.

There’s one other bond between HP and ArcSight: questions about executive compensation. Former ArcSight CEO Robert Shaw retired, reportedly for health reasons, in early 2009, after sharp-eyed readers of SEC filings noted that the company was paying for his yacht-club membership, a rare perk that clashed with the image of a Silicon Valley startup.

HP Buys ArcSight to Bring Security to the Cloud

This post is by from GigaOM

Hewlett-Packard has agreed to buy security software maker ArcSight for $1.5 billion in cash, as the computer giant tries to expand the range of services it offers corporate clients. Cupertino, Calif.-based ArcSight’s products are used by corporations and government agencies to detect suspicious activity on their networks. The purchase price represents a 24-percent premium to the software company’s trading price before the offer was made.

Analysts said the acquisition of ArcSight is part of HP’s move to offer more value-added services to corporations that are trusting an increasing amount of data to the cloud, whether it’s a cloud the company itself operates or one run by a number of SaaS providers. As VMware CEO Paul Maritz said recently, this move places an increasing strain on security systems as data flows out of the corporate network and onto a variety of third-party platforms and mobile devices. In HP’s news release about the deal, HP VP Bill Veghte said “the perimeter of today’s enterprise is porous.”

Aaron Rakers, an analyst at Stifel Nicolaus, told Bloomberg that the acquisition of ArcSight will help HP serve the data-center market, which he described as necessary to the company’s growth strategy as it tries to turn its leadership in PCs into a bigger role in corporate computing. Other hardware makers are also investing in security: Intel Corp. recently agreed to pay $7.68 billion for security software maker McAfee.

HP, which is still struggling with the departure of its former CEO Mark Hurd — who has since joined competitor Oracle as a senior executive, a move that’s now the subject of a lawsuit between the two companies — has been moving into the storage and data-center market with a number of recent acquisitions, and seems to be willing to pay a hefty premium in order to do so: The company recently won a bidding war with Dell for the right to buy storage-system maker 3Par for $2.35 billion, a price more than three times the company’s market value before the bidding began.

Post and thumbnail photos courtesy of Flickr user wlodi

Three Quarters of U.S. Internet Users Fall Victim to Cybercrime

This post is by from ReadWriteWeb

Chances are, if you use the Internet, you are going to get hacked – it’s that simple. The New York Times told us yesterday that even a strong password may not protect us and now, today, a study by security software maker Norton tells us that cybercrime is prevalent, with a majority of Internet users both worldwide and in the U.S. falling victim.

Of course, Norton says that the obvious solution to this epidemic of crime is to use up-to-date security software (such as its own anti-virus and security suite), but the study also goes beyond self-promotion to look at our emotional reactions to hacking, getting hacked and who’s at fault in the end.

According to the report, nearly two-thirds of Internet users globally and almost three-quarters in the U.S. have fallen victim to cybercrime, with even worse numbers in China, where 83% of Internet users have been hacked. The report found that 58% of respondents felt angry, 51% annoyed, and 80% expected that those responsible would not be found or “brought to justice.” Only 3% of those surveyed said they didn’t think it would happen to them – so getting hacked is not only something we’ve come to expect, but, as Norton’s Internet safety advocate Marian Merritt told Network World, something we blame ourselves for.

“People do feel angry, but we also found that people feel pretty guilty,” said Merritt, noting that 54% of respondents said they “should have been more careful” when they responded to online scams. Twelve percent said that getting hacked was entirely their fault.

According to The Times, some of the fault lies at the feet of the security community and those sites that are most often targets, such as online commerce sites like PayPal and Amazon. One report (PDF) cited in the article found that many “busy commercial destinations” such as these “allowed relatively weak passwords,” while other sites required a maze of password requirements that also compromised security.

Beyond all of this, as ReadWriteWeb’s Adrianne Jeffries suggested the other day, a solution beyond antivirus and long, overcomplicated passwords might be the use of systems like OpenID.

For a quick look at Norton’s findings, the fact sheet (PDF) offers a glimpse of stats both in the U.S. and worldwide. The report is released concurrent with today’s release of Norton Internet Security 2011.

Firefox 3.6.9, 3.5.12 Updates Fix Critical Security Vulnerabilities [Updates]

This post is by from Lifehacker

Windows/Mac/Linux: This morning is a good time to hit the Help menu in Firefox and check for updates, as Mozilla released updates for the 3.5 and 3.6 branches overnight that fix many critical vulnerabilities, including some security openings that could allow for keystroke-watching “clickjacking” attacks. Update your Firefox, or grab 3.6.9 or 3.5.12 directly. [via CNET]

Debate Around Password Security Overlooks Universal Logins

This post is by from ReadWriteWeb

Must include at least one number. Must be longer than six characters. Cannot have more than four sequential characters from your previous seven passwords. The rules for password creation vary wildly from site to site, an effort to protect users from those who would hack their identities.
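The three rules quoted above, written out as a policy check. This is an added example, not code from the article or from any site it describes; it reads the third rule as “no run of five or more consecutive characters in common with any of the previous seven passwords”, which is an assumption about the rule's wording.

```python
import re
from typing import List

MIN_LENGTH = 7        # "must be longer than six characters"
MAX_SHARED_RUN = 4    # at most four sequential characters shared with history
HISTORY_DEPTH = 7     # "previous seven passwords"


def longest_shared_run(a: str, b: str) -> int:
    """Length of the longest substring that a and b have in common
    (standard dynamic-programming longest-common-substring)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def check_password(candidate: str, history: List[str]) -> List[str]:
    """Return the list of violated rules; an empty list means the
    candidate is accepted. `history` is oldest-first, so the last
    HISTORY_DEPTH entries are the passwords the rule refers to.

    Caveat: enforcing the history rule means the site must keep old
    passwords in a comparable (not one-way hashed) form, which is itself
    a liability; the plain list here is for illustration only."""
    problems = []
    if not re.search(r"\d", candidate):
        problems.append("must include at least one number")
    if len(candidate) < MIN_LENGTH:
        problems.append("must be longer than six characters")
    for old in history[-HISTORY_DEPTH:]:
        if longest_shared_run(candidate, old) > MAX_SHARED_RUN:
            problems.append("shares more than four sequential characters "
                            "with a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample: "summer2010x" reuses "summer20" from the old password.
    print(check_password("summer2010x", ["summer2009"]))
```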

These protective measures don’t go very far, according to the New York Times, because hackers can get ahold of passwords with software that remotely tracks keystrokes, or by tricking users into typing them in. The story touches on a range of issues around the problem, but neglects to mention the obvious: the march toward a centralized login for multiple sites.

A universal login could solve a lot of the issues around password security, from keylogging to the problem of users having their passwords discovered after writing them down.

It would also solve the problem of password-overload. Managing logins for all the Web sites that require registration is a pain, and any frequent Web user who says differently is either lying or has a photographic memory. Browsers have taken some of the pain away by remembering passwords for us, but clear your browser’s history and suddenly you have to answer secret questions and email your username to yourself for umpteen different sites.

A handy chart to help you create secure passwords, from Microsoft.

One or more options for a universal login are inevitable, and progress is well underway. More and more sites are supporting the easy-to-use Facebook Connect, which lets users register for a site with their Facebook profile instead of creating a site-specific username and password. As of last year, there were more than nine million websites using OpenID, the openly developed standard that users can use to log in across multiple sites.

Standards like OpenID carry their own security problems (and other problems – see The Troubles With OpenID 2.0), the obvious being that a successful hacker can gain access to all the sites and services you use at once. But the convenience of a universal login is irresistible, especially for the myriad sites where there’s no danger if your password is hacked, such as news sites. Users who try it won’t want to go back – which is why it’s important to talk about the security issues around these new protocols for users and the sites that implement them.

How do you manage your logins?

Big surprise: Spammers find their way into Apple’s Ping social network

This post is by from VentureBeat

Now that we’re little more than a day past the launch of Apple’s social network, Ping, reports are coming in that spammers are beginning to target the service — surprising no one.

The biggest scam right now appears to be an offer for free iPhones that is popping up on many high-profile Ping accounts, reports MacRumors. Even though Apple has said that it has 160 million iTunes accounts tied to credit cards, you can also easily create an account without one — which opens the doors for spammers to flood the service.

Before Ping, there wasn’t much harm that a spam account could do on iTunes. But now that it has a prominent social element, spammers will quickly become an eyesore.

The security software company Sophos weighed in on the issue in a blog post. “Most of the security industry has been pointing out the migration of spam from an email-only venture to blog/forum comments, Facebook, Twitter and other Web 2.0 platforms,” writes Sophos’s Chester Wisniewski. “But apparently Apple didn’t consider this when designing Ping, as the service implements no spam or URL filtering. It is no big shock that less than 24 hours after launch, Ping is drowning in scams and spams.”

Apple will surely respond to the influx of spam in due time. But it’s surprising that a company so focused on user experience couldn’t see this coming, or have minions on hand to clean up spam from popular accounts.

via The Guardian